‘Ransomware is top of mind right now’

News Desk -


Rabab Zehra, Executive Editor at TECHx spoke with Aaron Cockerill, Chief Strategy Officer, Lookout, to learn how some of the most seasoned CSOs/CISOs have fought cyber threats in the Middle East and around the world. Check out the article below to see how Lookout addresses cyber threats.

TECHx: What are the most pressing cyber concerns that keep coming up in your conversations with customers?

Aaron: The biggest challenge that customers are facing is how to ensure that their data is protected now that they’ve moved entirely to the cloud. The transition to the cloud was already on prior to COVID and those efforts have since been accelerated. Now organizations are retroactively looking to update how they went to the cloud or assessing their new risk posture as it relates to having most of their infrastructure in the cloud. 

Data Loss Prevention (DLP) is a good example – when app services and data are on-premises, organizations typically had tools like DLP to monitor whether sensitive data was leaving the organization or coming in from external sources. But now that organizations have moved to cloud-based apps, that DLP capability is no longer being used. So customers have had to come up with a new way to monitor where their data is going in the cloud. 

TECHx: What are some of the cyber threats we are seeing now that we have moved to a remote workforce?

Aaron: Bad actors are zeroing in on endpoints, apps and data that are outside of the original corporate perimeter. In fact, there’s a plethora of threat intelligence reports about how bad actors have moved from trying attacks on perimeter infrastructure to trying to attack endpoints, apps and data that are outside that perimeter.

For example, many companies have had to move apps and servers that were behind a firewall, into the cloud (IaaS environments) and run them so they are internet accessible, but many of these apps and servers weren’t designed to be internet accessible and moving them outside of the perimeter introduces vulnerabilities that weren’t there when they were inside the corporate perimeter. Many server attacks these days leverage RDP; something that would not have been possible had the servers been behind a corporate perimeter.

The same is true of endpoints, although the way an attack occurs tends to be less around gaining access to RDP and more frequently involving phishing and social engineering to gain access and move laterally to critical infrastructure and sensitive data. 

So the attack surface has changed – instead of looking for vulnerabilities inside the organizations’ perimeter, we are now looking for vulnerabilities in servers in the cloud and on endpoints that are no longer protected by the perimeter. But what has not changed is what the bad actors are seeking and it is very much focused on data. We hear a lot about ransomware, but what is not well understood yet, in the broader sense, is that ransomware typically is only successful when the bad actor has considerable leverage and the leverage they obtain is always through the theft of data and then the threat of exposure of the data – what we call double extortion. 

TECHx: Hybrid work culture is now a reality; how are you protecting your own remote workforce from potential cyber threats?

Aaron: Just as with most organizations, remote workers were the exception rather than the rule for Lookout a few years ago. At that point, our IT team pieced together point products that provided visibility and control to ensure that we were enforcing Zero Trust across our small remote force.

During the pandemic, however, we quickly realized remote and hybrid work was here to stay. To cut down on the complexity created from managing multiple point products, we went ahead and took a unified platform approach to securing both our offices and remote workers. 

With our IT and security infrastructure centralized into a single platform, we now have access to telemetry from across our organization in one place. We’ve integrated this platform with endpoint security and have built-in native abilities like User Entity Behavior Analytics (UEBA) and Data Loss Prevention (DLP) to see how users are interacting with data and how sensitive the data is that they’re accessing. And because our platform is unified, we can write and enforce granular policies based on user behavior, endpoint risk posture and data sensitivity across all cloud apps in one place without the need to duplicate efforts.

We actually helped a large construction company with this approach and ended up stopping a ransomware attack. Prior to the incident, the customer collaborated through Box to upload design documents that partners would download to use for construction. When the partner’s system got infected, we saw that the partner machines were downloading files in bulk from Box, encrypting and renaming the files, and then reuploading the files to their original location. With the controls in Box alone, the construction company had no way of quickly detecting or controlling these activities. By enforcing policies based on user behavior, endpoint risk posture as well as data sensitivity, they were able to protect their data without hindering productivity.

TECHx: The human factor remains one of the most serious threats to an organization’s cybersecurity; in light of this, what kind of security training should employees receive?

Aaron: No matter how robust your security system is, there will always be the human element – and these folks need to be educated. The aim of Zero Trust, then, is to create technology that minimizes the extent to which a human can interfere. 

Some of the areas that require the most security awareness are threats such as social engineering and phishing. Although these are relatively low-tech attack methods, they remain the primary way for attackers to gain access to corporate resources. 

With so many of us desensitized to the influx of texts and emails from vendors and bad actors alike, it can be difficult to discern whether these messages are legitimate or not. Because of this, it’s critical that every employee knows the common red flags to look out for when receiving a text or email that requests sensitive information, as well as the best practices for securing their online accounts.

TECHx: What in your opinion is the best strategy for CIOs to implement if a data breach occurs in that organization?

Aaron: Quite honestly, most organizations that I speak with today have already had a breach. And as a consequence, they now have very good processes set in place to address how to respond to future attacks. That being said, for the few organizations out there that have not been breached and are not experienced in this, I would say the most important thing is to run tabletop exercises — undertake a full red hat assessment of how you could be attacked, likely results and what you would do for a response.

I do want to make one point here. Ransomware is top of mind right now and I would encourage readers to review and assess recent high-profile breaches and what they will find is that (a) the theft of data is central to almost every breach and (b) that those breaches resulted in multiple lateral movements that went undetected. So if we continue to focus on endpoint management, infrastructure management and vulnerability management as a way to address cybersecurity, we will continue to miss these types of attacks. We need to look at data exfiltration and detect threats using lateral movement detection techniques as opposed to malware detection techniques.

TECHx: What would you consider the most important skills a modern CISO should have?

Aaron: Almost all the CISOs I talk to are eminently technically qualified for what they do – most have spent the majority of their careers in this space and are very passionate about the technology of threat detection and how to protect infrastructure. 

I believe the biggest skill that’s important, and that we have not grown up with, or that we have to go out and seek, is actually less technical and more business-oriented and communications oriented. It isn’t difficult for a CISO to explain to the CEO the need for cyber. But as soon as you go one click down from “we need cyber” to discussing how much to spend, what to spend it on and why you might want to do certain things (e.g. fake and test a potential ransomware exploit), that is where the modern CISO needs experience in building business cases around the need for cyber and being able to effectively communicate and articulate it to the CEO and the board.

TECHx: What advice/tips would you give to other CISOs in light of the current threat landscape?

Aaron: I would suggest CISOs focus on two areas. One is a follow-on to what I discussed earlier in terms of developing skills around communicating the business value of cyber. CISOs should get experience talking to senior execs with as much brevity and at a level that the executives can understand. 

The other recommendation would be to spend more time talking with peers. At Lookout, we run roundtable discussions with customers and prospects and also host advisory groups and at each of these gatherings we make it a point to allow attending CISOs to talk among themselves. For a CISO, having that ability to share insights, experience and build a network of peers is essential to being effective.  
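The Box incident Aaron describes above (a partner account downloading design files in bulk, encrypting and renaming them, then re-uploading them to their original location) maps onto a simple behavioural detector over a cloud-storage audit log. The following is an added example written for this page; it is not Lookout's or Box's code, and the audit-log format, the thresholds and the sample events are all constructed assumptions.

```python
"""Detect the bulk download / encrypt-and-rename / re-upload pattern.

Added example, not Lookout's or Box's code. The audit-log format, field
names, thresholds and sample events below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(minutes=10)   # assumption: length of one activity burst
MIN_DOWNLOADS = 5                # assumption: below this a burst looks like normal partner use
MIN_REWRITE_RATIO = 0.6          # assumption: fraction of downloads re-uploaded under a new name

# Constructed sample audit log: "timestamp,user,action,path"
SAMPLE_LOG = """\
2021-06-01T09:00:01Z,partner-a,DOWNLOAD,/Designs/floor1.dwg
2021-06-01T09:00:02Z,partner-a,DOWNLOAD,/Designs/floor2.dwg
2021-06-01T09:00:03Z,partner-a,DOWNLOAD,/Designs/floor3.dwg
2021-06-01T09:00:04Z,partner-a,DOWNLOAD,/Designs/hvac.pdf
2021-06-01T09:00:05Z,partner-a,DOWNLOAD,/Designs/site-plan.dwg
2021-06-01T09:00:06Z,partner-a,DOWNLOAD,/Designs/bom.xlsx
2021-06-01T09:02:10Z,partner-a,UPLOAD,/Designs/floor1.dwg.locked
2021-06-01T09:02:11Z,partner-a,UPLOAD,/Designs/floor2.dwg.locked
2021-06-01T09:02:12Z,partner-a,UPLOAD,/Designs/floor3.dwg.locked
2021-06-01T09:02:13Z,partner-a,UPLOAD,/Designs/hvac.pdf.locked
2021-06-01T09:02:14Z,partner-a,UPLOAD,/Designs/site-plan.dwg.locked
2021-06-01T09:02:15Z,partner-a,UPLOAD,/Designs/bom.xlsx.locked
2021-06-01T09:05:00Z,partner-b,DOWNLOAD,/Designs/floor1.dwg
2021-06-01T09:30:00Z,partner-b,UPLOAD,/Designs/floor1_rev2.dwg
2021-06-01T10:00:00Z,engineer-c,DOWNLOAD,/Designs/floor1.dwg
2021-06-01T10:20:00Z,engineer-c,DOWNLOAD,/Designs/floor2.dwg
2021-06-01T10:40:00Z,engineer-c,DOWNLOAD,/Designs/floor3.dwg
2021-06-01T11:00:00Z,engineer-c,DOWNLOAD,/Designs/hvac.pdf
2021-06-01T11:20:00Z,engineer-c,DOWNLOAD,/Designs/site-plan.dwg
2021-06-01T11:40:00Z,engineer-c,DOWNLOAD,/Designs/bom.xlsx
"""


def parse_event(line):
    """Split one constructed audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.strip().split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, path


def is_rewrite(downloaded, uploaded):
    """An upload counts as a rewrite of a download when it lands in the same
    folder with an appended extension (floor1.dwg -> floor1.dwg.locked) or a
    swapped one (floor1.dwg -> floor1.enc). A genuine revision such as
    floor1_rev2.dwg, or a copy placed in another folder, does not match."""
    d, u = PurePosixPath(downloaded), PurePosixPath(uploaded)
    if d.parent != u.parent or d.name == u.name:
        return False
    appended = u.name.startswith(d.name + ".")
    swapped = u.stem == d.stem and u.suffix != d.suffix
    return appended or swapped


def detect(log_text):
    """Return {user: (downloads, rewrites)} for every user whose busiest
    WINDOW crosses both thresholds. A user who only downloads (engineer-c)
    or who uploads a real revision (partner-b) is not flagged."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_user = defaultdict(list)
    for e in events:
        by_user[e[1]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        worst = (0, 0)  # (downloads, rewrites) in the worst window seen so far
        for i, (t0, _, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - t0 <= WINDOW]
            downloaded = [e[3] for e in window if e[2] == "DOWNLOAD"]
            uploaded = [e[3] for e in window if e[2] == "UPLOAD"]
            rewrites = sum(1 for d in downloaded if any(is_rewrite(d, u) for u in uploaded))
            if rewrites > worst[1] or (rewrites == worst[1] and len(downloaded) > worst[0]):
                worst = (len(downloaded), rewrites)
        downloads, rewrites = worst
        if downloads >= MIN_DOWNLOADS and rewrites / downloads >= MIN_REWRITE_RATIO:
            flagged[user] = worst
    return flagged


if __name__ == "__main__":
    for user, (downloads, rewrites) in detect(SAMPLE_LOG).items():
        print(f"ALERT {user}: {rewrites}/{downloads} downloads re-uploaded under a new name")
```

The point of the rewrite ratio, rather than a plain download count, is that partner-a and engineer-c both touch six files; only the re-upload of each file beside its original with a new extension distinguishes encryption from legitimate use. In a real deployment the thresholds would be tuned per tenant and the result would feed a policy that quarantines the partner's session and blocks further uploads rather than just printing an alert.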
