TheNFAPost Podcast
Australia and India are the countries with the highest volume of cyber attacks across APAC, though almost all APAC countries have seen ransomware incidents.
In an interaction with N V Vijayakumar, FireEye CTO and Asia Pacific Vice President Steve Ledzian says it is better to put security measures in place before your own organisation becomes a victim, at a time when cyber attacks in the APAC region are becoming a more sophisticated problem.
How are you looking at the cybersecurity opportunity in the Asia Pacific, specifically in India, given the rising cyberattacks, especially during this pandemic era? Can you give us some insight from your experience and also on how the market is behaving?
It's very apparent to everyone, from private organisations to those in government, that the cyber problem has continued to escalate as a global problem.
Certainly, India is not excluded from that; of late, the country has been witnessing its share of cyber attacks. We've seen that the ransomware threat has grown in terms of volume and victims, specifically across the Asia Pacific region. Australia holds the number one spot for ransomware threats and India is in the number two position.
Ransomware, as it is traditionally understood, is malware that comes into your system and encrypts your files so that you can't access them.
That went on for a number of years, and threat actors were collecting a certain amount in ransom fees to release the decryption keys. What we see happening now is that they're not stopping at just encrypting the files. Before they encrypt the files, they steal that information and they threaten to make that information public.
In some ways, for a lot of businesses, that's worse than having a service disruption through encrypted files. We just looked at the number of postings of victim organisations that have had their stolen data posted publicly on what we call the shaming sites, where the threat actors publicly post that stolen data. We see India in the number two spot in terms of the number of victims publicised in that way. The problem is getting worse; it's getting to be a more sophisticated problem.
It's getting to be a more impactful problem, and we're seeing the ransoms being paid skyrocket in price. So it has certainly evolved quite a bit over the last year, and we don't see it stopping anytime soon.
As far as malware attacks are concerned, India is in the second spot. Can you shed some more light on the current state of affairs and how it is really going to pan out going forward? What precautions should both organisations and governments take to contain it?
It used to be really a malware-based problem, but today attackers are stealing data first. In order to do that, they need to find that important data on the servers in the organisation, and in order to do that, they need to break into the networks. It is useful to think of ransomware not just as malware coming into your network. It is useful to think of ransomware as a remote intruder coming into your network, who has interactive access to the victim organisation. If you frame the problem that way in your mind, that will direct how you try to defend yourself against this type of attack. It is much more than just defending yourself against malware.
You need some breach detection and response capability, some intrusion detection and response capability. Today a lot of organisations have turned to technologies like EDR (endpoint detection and response), NDR (network detection and response) and XDR (extended detection and response). I would say most importantly, MDR (managed detection and response): a managed detection and response service is trying to notice those intrusions quickly and interrupt them before those threat actors have an opportunity to impact the business or to deploy that ransomware.
You would be surprised by how long it takes organisations on average just to spot that an intrusion has happened in their environment. In Asia Pacific, we measure that at 76 days, more than two months, just to notice that there is a remote intruder in the network. And so that is low-hanging fruit. That is a significant opportunity to reduce that to something much more manageable.
That is what managed detection and response solutions aim to do. Let me add just one more point. At Mandiant we respond to victims of cyberattacks, all types of cyberattacks, whether it be ransomware or some other form of cybercrime or cyber espionage, and over the last year we have seen that more than a quarter of the incidents we are responding to are ransomware threats. We have had a lot of learnings from those victims. Once we've restored the victim organisation, those victims ask us: tell us what we need to do so that we never have to go through this again.
And we give them advice like: well, if you had this in place, if you had this configuration in place, if you had this policy in place, if you had this technology in place, you would have been a lot less likely to suffer this attack. What we have started doing is taking that advice and, rather than offering it only to organisations who have been a victim, we take that same advice and offer it to organisations who have not yet been a victim. It becomes proactive advice, before there's an incident, and we call that pre-mediation. We've published, and maybe Belinda can share a link with you, a paper on ransomware protection and containment strategies, which offers some of this advice to organisations who are concerned about the risk that ransomware poses and would like to do something above and beyond what they've already done to increase their resilience to these kinds of attacks.
Security has to be tackled via a multi-layered approach, spanning networks, endpoints, mobile devices and cloud. In India, we have organisations that are growing exponentially without a proper security fabric in place, especially startups. So, can you shed some light on how these organisations should start from the beginning itself to take on all these kinds of challenges in the security landscape?
Yeah, so you're right. Organisations, at a business level, are heavily adopting digital transformation. That's good because it makes their businesses more efficient, but at the same time it increases their attack surface, right? Using more technology means there's more technology to attack, and that's to the advantage of the attackers. So it's really important.
If you're, say, a startup that is just building a greenfield network infrastructure, very likely you'll be doing that using cloud technology. Security in the cloud is quite a bit different than it is on-premise, so it's important to understand those differences. And there's a lot of focus on this idea of zero trust: architecting, right from the beginning, additional security checks in place such that if there is an intrusion somewhere, there's segmentation in place, there are checks in place.
It's not that once an attacker breaks in they have free rein; they have additional hurdles to overcome before they can impact the business. The zero trust model is quite important for the startups who are eagerly adopting new cloud technologies and are in the space of heavy digital transformation.
Nowadays there is a lot of clamour around the cyber hygiene that organisations should practise so that they can escape these kinds of untoward security breaches. As far as the security priorities of an organisation are concerned, what basic parameters should they put in place for cyber hygiene?
Well, maybe to start, you need a very good patching process, right? A lot of these attacks come through the exploitation of vulnerabilities, and good patching programs can help to reduce that risk. Now, there are threats like zero-day vulnerabilities, where even if you're fully patched there's still a risk, but we see threat actors who use these older vulnerabilities and are still successfully exploiting them.
It is really important to have those patches in place. The challenge for organisations is that the number of patches they need to manage is often overwhelming. It's good to take an intelligence-led approach and understand which of these vulnerabilities are actually being exploited in the wild.
What is the real risk level of these vulnerabilities? What are the requirements to be able to successfully exploit the vulnerabilities? Is there a proof-of-concept exploit available? Use that intelligence-led approach to prioritise your patching, because while you put patching in the category of hygiene, and maybe you think hygiene means things which are easy and quick to do, patching is often not easy and quick. It requires a lot of effort. It is a continuous process; there are new vulnerabilities every day. There's a lot that goes into a successful patching program, and having an intelligence-led approach can help that program be optimal in setting priorities.
In this context, you should also understand that India is more inclined towards an app economy, because apps are widely used across the country. In such a context, what should individual users take care of to keep away from all these kinds of untoward incidents?
I think you have to look at it from two angles. There is the risk to the app, and then there is the risk to whatever the app is talking to on the backend. It's a classic client-server architecture. So let's take one at a time. If we start with the app, the app stores will do what they can to make sure there aren't threats in apps, and mobile devices will have checks in place to let you know if that app wants to do things that could potentially be malicious, maybe turn on your microphone or access your photos. It's important for individuals to pay attention to the permissions that they give apps and what they're allowing apps to be able to do, but also to make sure that they're downloading apps from trusted sources.
A lot of times, apps that don't come from official app stores could have malware embedded in them or may pose other risks. Those, I would say, are some considerations from the end user point of view. From the other side, the server side or the backend side, it is all of the classic cyber security concerns, right? If you have a company that deploys an app, very likely that app may require log-ins or identities of some sort. You're going to be collecting identity information, possibly personal information, of your users and storing that information over time, and it's really important that you protect that information. And it's not that the threat actors are necessarily going through the apps to access that information. They're going to attack the backend infrastructure.
We have seen this happen in the headlines across a number of providers in the past, and then large swaths of the customers of that service end up having their personal information stolen. And often those companies then have to do something to notify the impacted individuals and maybe take some corrective action, like providing credit monitoring or identity theft monitoring services. Those attacks happen in all the classic ways. It's important to have strong email security, strong network security. It's really the enterprise that the attacker is attacking in those instances. Those attacks happen both from a cyber crime motivation as well as a cyber espionage motivation.
There is a lot happening around encryption technology, and customers are saying it can safeguard our assets. What new things is FireEye doing on that? Can it solve other problems to a full extent? What other technology advancements are happening around the globe in encryption technology?
There is a line of thinking that if the data is encrypted, then it's safe, right? Because the attacker can't access it: it's encrypted, it's inaccessible. So, as long as my data is encrypted, I don't need to worry about cyber attacks. I would say that is not a good way to think about the problem. Encryption is good, it is helpful, but it in no way stops a hundred percent of the attacks. There are different types of encryption.
A lot of operating systems now have encryption on by default, but what that encryption is really trying to do is provide protection against a specific attack, where someone physically accesses your laptop and, rather than logging into your laptop, just removes the hard drive, connects the hard drive to another computer that they have administrative control over, and then accesses your files. When you hear "encryption", it's that specific use case that encryption most commonly is protecting against, and not any use case where there's a remote attacker who is breaking into your network and stealing your files. Now, there are different types of encryption that help in those cases as well. Even those types are not a hundred percent effective.
It's not to say that encryption is bad. Much like many of the things in security, the defensive controls that you put in place, be it encryption or multi-factor authentication or network segmentation, all of these things are helpful and good, but organisations shouldn't have the misconception that any one of them on their own is a silver bullet against cyber attacks, because that's simply not the case.
Coming back to the 5G transformation, how is FireEye looking at new opportunities, because there are a lot of changes that will happen around the globe in products and services? How are you setting the context, and how are you making your solutions and services a bit more proactive to take on this emerging opportunity? What is the trajectory for your solutions and the partnerships that you are looking for?
I would say when we talk about 5G, there are threats against the 5G protocol itself, but I would say the larger security threat when it comes to 5G is that 5G enables a lot more connectivity. We talked earlier about digital transformation and how digital transformation grows the attack surface; 5G will do that as well, right? 5G will enable connections to the internet that we haven't seen before, and that will grow the attack surface. That's another security consideration that we need to think about when we talk about 5G. Now, to answer your question about what FireEye is doing against this specifically, I would say that FireEye is really taking a big-picture approach. We're really aiming at cyber resilience across any type of attack, whether it comes in through 5G or a traditional wired internet.
By cyber resilience, what I mean is a combination of prevention technologies, which are doing their best to prevent intrusions into the network, whether that be an internet-facing web server or an IoT internet-connected device over 5G, trying to prevent those intrusions. But resilience goes further than that. It says that no prevention is a hundred percent effective. We wouldn't be so ambitious as to say that law enforcement can stop a hundred percent of crime, and that's how we should think about cyber threats as well. It's not really possible to stop a hundred percent of all cyber intrusions. That's where the second half of resilience comes in. That is to notice quickly when prevention failures have happened and to resolve them before there can be any impact to the individual or the organisation.
Those two things together, prevention along with detection and response, are what give you cyber resilience, and FireEye offers products, services and cyber threat intelligence that align across that cyber resilience.
FireEye is also known for leveraging machine learning technology, along with artificial intelligence, to identify malware. So please throw some light on these aspects of the technology advancements that are happening at your company.
So, we have a data science team within FireEye, and they generate machine learning models for a number of cybersecurity use cases. One of those use cases is in our endpoint security. It is a machine learning model to detect malware. We call it MalwareGuard, and last year it won an award from NAVWAR, which is related to the United States Navy. They put up a cyber challenge. It's quite a good model. When we talk about machine learning,
there are two things to think about. There is the machine learning algorithm and the training, and then there's the data set that you use to deliver that training. Of those two, the one that is more important is actually the dataset.
This is why FireEye has such a strong machine learning capability: it is because of all the visibility that FireEye has. We call it the Mandiant intelligence grid. It comes from the incident response work we do, the network of sensors that we have deployed globally, the underground monitoring. We have quite an extensive collection, and having been doing this across FireEye and Mandiant for over a decade now, we've accumulated quite a large set of data.
That data is high-quality data, which we use to train those machine learning models. That's why those models perform so well. We've deployed them across our product sets like endpoint security and network security; Helix is our cloud-based SIEM. But we also use it internally for things like attribution and correlating threat groups, threat activity and clusters against one another. There are a lot of use cases for machine learning. It's not all about finding malware, and we're pretty aggressively using it here at FireEye.
India is a country where we don't have large legacy systems in place, and because of that, technology adoption is happening at a faster pace. Are you ready to set up some facilities, such as an R&D centre or sandboxes, in India?
Well, we already have an R&D presence located in India. It might not be dedicated exclusively to 5G. Certainly, we have a significant team located in India working on tough problems, right? Working on R&D, as well as threat intelligence collection and analysis.
Government is also grappling with a lot of challenges as far as security regulation is concerned, especially when there are external actors carrying out cyber attacks and garnering intelligence. Do you have any separate mechanism to engage with government to take it up systematically?
Yeah. I probably can't speak to any specifics there, but let me speak to the general case. FireEye does a lot of work with governments all over the world. I can't necessarily go into specific countries, but we engage them by supplementing their intelligence capabilities with our intelligence collection. We protect them with the various FireEye technologies, and we have training arrangements. A lot of governments are looking to ramp up their own cybersecurity capabilities and are turning to FireEye and Mandiant to help train them in those areas.
I heard that a few Japanese companies are planning to set up massive data centres in India. In that context, do you believe India can be an ideal country for setting up data centres and having their security systems here, compared with the other Asia Pacific countries? What level of mark would you give to India?
That's an interesting question. I don't know that I've given a lot of thought to that. Certainly the cloud providers already have data centres in India, right? So we know it's possible. We know that there is a wealth of talent in India to drive those data centres and to be the people on the ground and drive the processes necessary to operate and secure those data centres. So, yeah, I don't see why there would be any hesitancy. Of course, every country needs to think about regulation, and the regulations that may put any restrictions or additional burden on the operation of those data centres. To be honest with you, I'm not on top of any regulation that would affect that locally in India.
I just want to understand the marketing aspects of your products, solutions and services. Can you shed some light on that?
Certainly, I can share on that. So, FireEye and Mandiant, I would say, are a cybersecurity firm that is focused on three areas: leading technologies to prevent and detect cyber attacks; the Mandiant team, which provides services in the area of incident response to organisations who have been the victim of cyber attacks, as well as assessments and consultancy services, along with an innovative platform we call Mandiant Advantage, which is a way to consume all of that expertise in the form of a SaaS-delivered service or software; and the third pillar is cyber threat intelligence.
The intelligence problem has grown so big that in order to really be effective, you need to be intelligence-led. Just as a business or a military would inform its decisions through intelligence, organisations need to approach the cybersecurity problem in the same way. We operate at a scale and capacity for cyber threat intelligence that rivals what some nations are doing. It's those three areas that we're focused on. And I would say that a lot of the breaches that you see in the headlines, Mandiant is responding to.
Again, I won't go into any specifics there. But that information is very critical information. Everyone wants to know, when there was a headline breach, what went wrong, what the lessons are, and how they can apply those lessons so that they aren't a subsequent victim that falls prey to the same technique from the attacker. That information, that learning, that expertise is what FireEye aggregates and uses to protect its customer base.
Which are the four major business verticals facing massive cyber attacks across the globe? And if you come to Asia Pacific, you can also give us some light on that.
Sure. Well, I have a couple of numbers. One of the things FireEye does is release a yearly report called M-Trends. This is all of the aggregate learnings and observations that our incident response teams have had over the last year. We've been releasing this report for more than 10 years now, and it's publicly available. We can share a link with you. One of the things that report contains is the top targeted industries, and I've got it here in front of me, so I'll just share them with you. In the year 2020, we saw that the top targeted industry was business and professional services, followed in number two by retail and hospitality. Third and fourth were tied, which were the healthcare and the financial industries.
That was a global view for 2020. If you want an APAC-flavoured view, I have that, but it's with respect to ransomware. We saw ransomware most heavily targeting the manufacturing industry in Asia Pacific, followed by legal and professional services at number two, and financial services and high-tech tied for number three.
In the Indian context, we are also facing certain threats from certain nation-states. India being a country which is also facing these kinds of cyber threats from nation states, do you foresee a scenario in which India should take a cautious step? What should be the journey forward, taking into account the current situation with our neighbouring countries specifically?
Yes, absolutely. I think that's a great observation, right? So you can bucket types of cyberattacks. One type of cyber attack is cybercrime, and it's obviously criminals who are doing that. Another type of cyber attack is cyber espionage. It's, as you said, the nation state, or sometimes we call them APT, advanced persistent threat, actors. And those two types of attack are interesting to look at and compare against one another.
It may seem that attacks of late have been a lot more frequent because of all of the ransomware attacks. Now, something that's inherent in ransomware is that threat actors have to ask for money. They have to make their presence known, right? Because they're making their presence known, you're seeing all of these attacks come to light in public. Cyber espionage and nation state attacks don't operate that way.
In fact, it's the opposite: those espionage actors, the nation state actors, they want to stay hidden. They do not want to make themselves known. And I would say that those attacks are often going undiscovered.
It's really important that organisations who think they might be a target for a nation state really ask themselves: could I be the victim of an attack without realising it? Because in many of the cases that we see, that is often the case, and it's often the case for many days. In Asia Pacific, as I think I might have mentioned to you already, it takes the average organisation 76 days to notice an intrusion, and that's if they notice it at all. What should organisations do about this? Well, there's a category of security service. Most of your readers will be familiar with a pen test, where an attacker tries to break in, right? There's another category of service called a compromise assessment.
What the compromise assessment does is act like an internal health screening, a comprehensive internal scan that is looking for evidence of an intrusion or a breach. We've seen those be good measures to take, especially for organisations who think that they might be a target for a nation-state threat actor.