Interviews Archives - CISO MAG | Cyber Security Magazine
https://cisomag.com/category/interviews/

Harness Your System, No More a ‘Whack-a–Mole’
https://cisomag.com/harness-your-system-no-more-a-whack-a-mole/
Wed, 02 Feb 2022 12:44:55 +0000

Every day there are multiple reports from governments, state municipalities, and corporations about being hacked, held for ransom, or becoming victims of denial of service (DoS), phishing, malware, trojans, and a whole array of other cyberattacks. All of these attacks result from systems communicating with the outside world in ways they were never meant to. There is a need for a solution that can effectively safeguard these systems or mitigate the risk.

Meetings at Spaceport America, Virgin Galactic’s human spaceflight headquarters, and a common working interest in suborbital space tourism brought the innovators together to work on their idea of solving the cybersecurity challenge through innovation. In a virtual interaction, the co-founders of Fraisos spoke to Minu Sirsalewala, Editorial Consultant at CISO MAG, and shared their mission, vision, and solution, as the company evaluates a non-traditional IPO as its next growth step.

Fraisos is a U.S.-based company founded in 2017 through a Department of Defense Small Business Innovation Research (SBIR) program. It believes it has discovered the solution to the government’s cybersecurity challenges, based on its next-generation cyber-defense innovation.

A common love for innovation and technical expertise in semiconductors, computer science and hardware engineering, mathematics, physics, electrical engineering, and U.S. Government programs brought the three founding members, Dr. Lindsay O’Brien Quarrie, Dr. Lawrence John Dickson, and Robert Montgomery Fryer, together to collaborate and offer solutions to cybersecurity challenges.

Dr. Lindsay O’Brien Quarrie, the Chief Executive and Technology Officer (CETO), articulated, “The challenges basically come from an excess of complexity, allowing communication to penetrate to places where it isn’t supposed to. The solution we came up with is to impose simplicity and force communication to happen only with those communication partners as intended by the actual needs of the program. We have devised a way to apply a simple old technology from the 1980s, called Communicating Sequential Processes, the best way of doing parallel programming. A book that I published in 2014 described a very simple approach to it, using standard software. And, it gives you a hardware-software equivalent if applied correctly.”

Elaborating on the technique, Quarrie shares that this technology fits well with the current scenario because of the hardware-software equivalence. The software can be made to behave exactly like an isolated piece of hardware communicating through a point-to-point link; it is one intrinsically subordinated operating system.

On the software side, it is like putting a wrapper around your system, monitoring the communications, and restricting the communication – both internal and external.

“The advantage here is that when there are updates and a new version is released, there is no need to look at the binary code of the program. The solution will ensure that there is no access to the actual kernel of the device, and any attempt at execution of non-approved activity will be denied,” explained Quarrie.

Lower Cost Cyber Defense

Version upgrades carry a direct cost implication; because the system restricts what may change, futile spending on both upgrades and security is avoided. The system has the intelligence to identify which upgrade is required and which apps need to be on the system, thereby ensuring there is no communication from within that could open a window and make the system vulnerable to a cyberattack.

The isolation approach is about securing the critical parts of the system by controlling the access in a simplified way. This allows securing the system at multiple levels without compromising its performance and efficiency. As a result, it reduces cyber defense’s total implementation and maintenance costs by avoiding version skew.

The Solution

The products and service offerings include defined systems and formally and physically verified cyber defense (which maps to physical reality) for embedded systems, smartphones, tablets, laptops, desktops, industrial controls, medical devices, all embedded systems that boot, and their associated systems. Quarrie opines, “We deal in realism, and run counter to the trend of abstraction and avoidance of detail. This enables us to be strong in the whole area of computer programming and design that has ‘gone fallow’ due to an increasing monoculture of trendy, ultra-abstract languages. We can step in wherever necessary, to get a tight grip on a device’s actual behavior (100% of the time, not just 99%). This includes strict security in the age of ransomware.”

Math and the Physical Sciences provide many ways to look at a large array of problems. These basics, plus a large dose of innovation, often illuminate an approach outside the mainstream and where new opportunities can be found. This is true, especially since technology provides many new tools to apply to old problems.

A quantum-proof cyber defense based on realism rejects the abstraction trend and insists on verifiable, simple, predictable device behavior. “Components in our designs communicate according to explicit protocols which are exposed and not hidden, thus imposing restrictions that make security and predictability possible and understandable.”

Mission and Vision

Dr. Lawrence John Dickson’s book, Crawl-Space Computing (Amazon, 2014), is inspired by the classic computing paradigm, Communicating Sequential Processes (CSP), its implementation in the language OCCAM, the 1980-1995 era Transputer chip, and the product series. This is the basic premise on which the three members built their solution, with a mission for the consumers to take back control of the computer and the embedded systems. The consumer is the custodian and true owner, versus the hacker owning you.

A property central to all their designs, Hardware-Software Equivalence (HSE), means that it is formally verifiable that software written in this way is equivalent to hardware devices communicating by point-to-point data-passing channels. (It is related to Rushby’s separation kernels but more general.)

This opens up a massive variety of design approaches that behave predictably. As overly abstracted devices run into walls of failure and malware, our mission is to uphold this ‘countercultural’ alternative that can solve the same problems clearly and understandably. HSE allows us to devise approaches that combine an outer CSP-type structure (the Finite Resource Allocator, or FRA) with inner ring-fenced nodes using standard computing tools (the Intrinsically Subordinate Operating Systems, or ISOSs), thus giving a shortcut to understandable effectiveness and explaining the company name FRAISOS (Finite Resources Allocator Intrinsically Subordinated Operating Systems).

With a vision to create a niche in the cyber security market, Fraisos is actively building its customer base with targeted research and production projects, emphasizing government customers, especially military and local government, protecting cities, municipalities, large and small businesses.

Quarrie emphasizes, “We have a simple, common-sense approach and tools. Predictability, reliability, and security of complex computing devices have been failing around the edges, and our approach solves this and makes clear the reason why it is solved.”

With a professional market evaluation of $155.1 M from Foresight Valuation in Silicon Valley, Fraisos’s principal investor is Space Sciences Corporation, from the research and development domain.

The current reality is that hackers can penetrate existing defenses because the existing approach consists of layers and patches with holes that allow access, and these defenses are mostly “whack a mole.”

Quarrie echoes, “We are innovative by opposing complexity, where we try to make things more simple, not more complex. A system can be as complex as they like, but when they get to the outside world, they get to it through a very simple interface and a well-defined way of communication that’s been known since the 1980s. For example, take any classic car — we can still do a complex task without computers. But the task gets subdivided into simple components that interact with each other in a well-defined fashion. And that’s the path we’re taking. And there’s a lot of room for that path to be taken in the future.

Complexity causes disaster, and a lot of rocket ships have blown up. Fraisos believes in going ‘Back to the Future,’ and essentially being future proof at the same time.”

———————————————————————————————

References

Multiple peer-reviewed formal verification proofs and acceptance validated by IEEE Computer Society, COPA 2021, NSA, DoD.

Competitive SBIR awards Phase I and Phase II.

Follow-up in the N152-087 (Secure Electronic Kneeboard Across Multiple Security Levels on COTS Devices).

Founders of the new IEEE Concurrent Processes Architectures (IEEE COPA) and Embedded Systems group stepped in when CPA went offline due to COVID-19 and published a peer-reviewed conference proceeding in 2021.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

About the Interviewer

Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.

‘Illegal Crypto Mining is a Huge Drain on a Nation’s Power Resources’
https://cisomag.com/crypto-mining/
Fri, 21 Jan 2022 10:30:52 +0000

Hackers and ransomware groups have benefitted immensely by leveraging blockchain and cryptocurrencies to secure multi-million-dollar payouts. Cryptocurrency transactions are untraceable and not regulated by any government or authority. But hackers are now taking this further by attacking crypto exchanges and stealing coins from user wallets. They also indulge in illegal crypto mining activities – using thousands of compromised computers to mine coins. Crypto mining draws a great amount of electricity from the grid, and this has led to power shortages in some countries.

CISO MAG got in touch with Amit Jaju, a Senior Managing Director with Ankura Consulting, to discuss these challenges. It was startling to learn from Amit that global temperatures will increase by two degrees by 2024 due to crypto mining activities. You will be amazed to learn how much power is consumed for every cryptocurrency transaction when the blockchain ledgers are updated. During our discussion, Amit offered some suggestions for crypto exchanges on protecting user wallets. He also suggests what regulators and governments can do to protect consumers.

Amit leads the Data & Technology Segment at Ankura Consulting in India. He has over 17 years of experience in forensic technology consulting covering data analytics, cyber, e-discovery, software licensing, and information governance. He has created market-leading solutions around financial crime, cyber incident response, analytics, and software licensing and delivered engagements for global and Indian clients in over 20 countries. His experience spans multiple sectors, including Financial Services, Information Technology, Pharmaceuticals, and Media & Entertainment.

He has led many complex global data analytics engagements, including implementing and managing enterprise-wide fraud and AML monitoring solutions for banks and implementing terrorism monitoring over the internet for defense services. He has delivered sanctions diagnostics, and investigation engagements across Europe and the Middle East for large US sanctions matters and has developed a sanctions analytics platform to deliver end-to-end sanctions diagnostics and monitoring.

Before joining Ankura, Amit was a Senior Managing Director and India head for FTI Consulting, and a Partner with Ernst & Young for nine years as Head of Forensic Technology in India and Markets, where he was responsible for setting up and leading Forensic Technology in EMEIA. Before EY, Amit was the Forensic Technology lead at KPMG in India for five years. Prior to joining the Big Four, Amit worked with a boutique information security consulting firm.

Edited excerpts from the interview follow:

We have seen a lot of illegal crypto mining activities around the world in countries like Iran, Venezuela, Malaysia, the UK, Kazakhstan, and the U.S. Tremendous computational power is required for Bitcoin mining, which even leads to power outages directly impacting electricity prices. Are there any studies to back this? What impact will this have on the environment and resources like power?

That is a very important point, and it is getting missed out in many conversations around crypto. I think this is one of the most important points on adopting crypto and the blockchain itself. A few months ago, I made a LinkedIn post to initiate a conversation with my network on this aspect. One study said that just with crypto mining, the global temperature will shoot up by two degrees centigrade by 2024. That is two degrees in two years, and it is a significant increase.

A Cambridge Institute study says that around 0.5% of global electricity production could be utilized by crypto mining. That is roughly the annual energy utilization of small countries like Sweden or Malaysia. That is how bad it is. And when you look at carbon emission, we have some data points, but of course, it needs further verification. I see a trend in terms of where all the numbers are. So, just for larger countries where a lot of this mining is happening, for instance, in China, they say that 130 million metric tons of CO2 is the net contribution.

I talked to a friend of mine running a carbon credit trading company. It is a listed company. I was surprised by the numbers he gave me. And very few know about these numbers. Look at it in terms of a single cryptocurrency transaction. You are running complex mathematical calculations to validate that transaction. This requires tremendous computational power, which consumes a lot of power. In terms of energy consumption, if you do a Bitcoin transaction, it uses the equivalent power to process two million standard credit card transactions. That is the energy it takes to watch up to 160,000 hours of YouTube videos. So, imagine YouTube servers running and consuming all that energy. You have to watch 160,000 hours of video for one Bitcoin transaction because you need certain numbers of confirmations to validate a transaction at the end of it. This transaction will replicate across all ledgers at the end of the day. So, by the time that replication happens, that is the amount of energy it will use. In simpler terms, it is equivalent to 70 days of the total energy that a typical U.S. household will consume for one Bitcoin transaction.

What impact could this have on the energy resources of a nation? How do governments address this?

I think we need to at least start talking about the problem. Awareness related to the environmental impact of cryptocurrency and crypto mining is not at the forefront. We need to discuss it, get different experts to provide their opinions, and formulate some policies. You must create a framework around it and involve the experts. For example, if you need to identify illegal crypto miners who use hundreds or thousands of machines for illegal crypto mining, you need to use data analytics for that. In Venezuela, for instance, they have a history of illegal miners, and because of this, they had a power crisis. So, they used data analytics to identify 100 miners and take legal action.

We need regulation and then analytics. I know India has a draft bill on cryptocurrencies. It will be interesting to see whether crypto mining is addressed in it — or is it just about trading cryptocurrencies, because mining itself is an important piece. This is especially true for India, where most of our power gets generated from non-renewable sources. Today, we are fast moving towards renewable sources. And I have seen that a lot of miners go towards colder regions. That is because less cooling is required, and it is a very thin margin kind of enterprise. So, if you can reduce your cooling bill, that is a lot of savings. It is generally concentrated towards colder regions of the world where they do that. I think governments need to proactively address this through various means.

Cryptocurrency exchanges are the new attack targets for hackers. A recent example is BitMart, which lost approx. $150mn in cryptocurrency assets. Attackers had stolen a private key and compromised two of the exchange’s hot wallets on the Ethereum (ETH) blockchain and the Binance Smart Chain (BSC), making off with approximately $150 million worth of assets in a “large-scale security breach.”

What can the exchanges do to protect themselves and their users? What do users need to do to protect their hot wallets? Since these are not centrally regulated, what kind of legal provisions are in place to enable the exchanges to penalize attackers when they are traced?

We have seen how the big exchanges were brought down completely, and some went out of business overnight. And that is the weak link; crypto exchanges do not make only trades, but they are quasi custodians of your wallet, and they have access to your wallet because your private key is stored with them. It is on the blockchain, though. It is impossible to offer 100% protection for exchanges, because cyber is an area where you always have to plan for contingencies.

But I am reading more about the zero-trust model, which I think is valuable for exchanges. It is often an insider attack, or the attack vector is within the company, which gets exploited. It could be an employee or vendor who has access to maintenance. Or perhaps a developer writing the code for the trading platform has intentionally created some backdoors. There are incidents where ransomware hackers pay employees a commission of up to 20% to run a file on the server. You can never rule out insider involvement.

To address this, you need to look at independent custodians; for our capital market exchanges, we have CDSL (Central Depository Services Limited) and NSDL (National Securities Depository Limited) as independent custodians of our Demat accounts. That is where our shares reside. So, these independent custodians will ask us for an OTP verification for the transaction – and not the exchanges. Similarly, we could have independent custodian firms as custodians of the wallets. There could be a model where the offline wallets are with the end customer. And the offline wallet could automatically sync with the exchanges. So, the exchanges are not keeping your coins or tokens.

The offline wallet (cold wallet) could be backed up to a USB pen drive, laptop, or phone. It could be on a piece of paper. You could print out certain words, and that is your coin. So having a tiered approach to storing these coins is more secure. On the other hand, having all your coins with the exchange is risky because they also have your private key.

So, to strengthen their defenses, a zero-trust model with independent custodians, plus a hybrid wallet model, also de-risks the exchanges. Of course, that will result in some disruption to their business models. For example, some exchanges deposit your coins for an annual percentage return. This may not be possible in such cases, but the risk is far higher for an exchange that has your wallets online with them (hot wallets).

Are you suggesting a mix of cold and hot wallets? What else could be done to ensure resiliency and minimize downtime due to code vulnerabilities being exploited?

Yes, hybrid wallets. You have the wallet at the exchange keeping the user data, but then it gets transferred T+1 or end of the day to the user’s wallet (cold wallet), which resides with them offline. Both cold and hot wallets could be used during a trading session.

I think trading platform resilience is very important. That is always the case, with capital market exchanges or crypto exchanges. Trading platforms are high-frequency platforms, so you have millions of texts transmitted in one second, resulting in an order getting placed. The coding of that must be robust to facilitate the performance. But at the same time, looking at it from a security perspective is very important. It is about making sure every source code or application developed is reviewed thoroughly by multiple parties. Changes should be tracked from a security perspective, not just a functionality perspective. If something goes down, they should revert to the older version to ensure that the exchange runs. Crypto exchanges run 24×7, unlike our capital market exchanges, which shut down in the afternoon or the evening. Market exchanges have time for maintenance and upgrades. But that is more difficult for crypto exchanges since they run 24×7. So, they must have backup environments. And it’s slightly complicated, but by ensuring that the trading platform is thoroughly checked, they can provide defenses to implement two-factor at every stage. And when you implement a zero-trust model, a lot of that gets addressed.

What do you see as the big trends coming in 2022? What are the opportunities that exist?

I closely monitor the developments around quantum computing. Some companies are very close to building a retail version of a quantum computer. Whenever such a computer is available, it will transform this space overnight.

I also look at the zero-trust model and how it is evolving because I think that is a very good model to address all the challenges we face with our existing perimeter security and access control model.

I am also looking at the personal data protection regulation and the new challenges and opportunities that it will create. Compliance is a challenge for corporations trying to protect their data assets. It is also about individuals knowing their privacy rights and options if that data gets stolen or compromised.

There are opportunities too. The multinationals will have to build an infrastructure within India to address all the data-related challenges within the country (data residency). There is a huge demand for workforce and technology components, which India can address because we have a lot of talent. But we must see how different sectors adopt it. We already see financial services adapting to data localization, even though some companies take longer. I am seeing this with other industries such as pharmaceutical and life sciences, from data privacy and data confidentiality perspectives. Here they will focus more on protecting their IP and their data within the country. I see the measures they must put in place because these companies also deal with sensitive personal information of many people.

Take hospitals, for instance. Many U.S. hospitals have been impacted by ransomware in the past two years because they have sensitive personal data. Hackers know that they will not benefit much if they attack a steel company. But hospitals have critical data on which they rely for their operations, so the risks are higher.

In terms of technologies, we will see more use cases for blockchain. It will be used for transmitting documents and maintaining integrity, which is crucial.

Cybersecurity and forensics will also use blockchain. If you have an evidence chain of custody logs, how do you maintain the integrity and authenticity of that data? This is most important when something goes wrong. The insider threat is an area where companies will not trust a user because they are employees. They have to look at a customer, a vendor, or an employee, and observe how they behave. Based on that, they will profile the person and then create rules and access controls around the person’s behavior. Machine learning will play a key role because it is a rule-based analysis, and it cannot be done manually. All of this will be machine learning-based with human input for authorization. We will see more use of machine learning and artificial intelligence in cybersecurity. This is a space to watch out for.


About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

‘Rushing into Digital Transformation Creates Security Challenges’
https://cisomag.com/trend-micro/
Wed, 12 Jan 2022 09:00:58 +0000

Trend Micro opened a new office in Mumbai last month. Located in Bandra Kurla Complex, the 6,879 sq. ft. office space has a Center of Excellence (CoE) and Executive Briefing Center (EBC). With the launch, Trend Micro aims to expand its cloud business in India and grow its incident response and local support teams. The company aims to continue its current focus on BFSI and specific areas in government, including defense and state data centers. It is considering additional investment in the SMB and mid-market segments, due to the surprising growth observed last year.

Image credit: Trend Micro (India)

CISO MAG was invited to visit Trend Micro’s cozy Mumbai office in December 2021. On this visit, Brian Pereira, Editor-in-Chief, CISO MAG, met Nilesh Jain, Vice President, Southeast Asia and India, Trend Micro, and Vijendra Katiyar, Country Manager, India & SAARC, Trend Micro. In an hour-long interview they spoke about the company’s achievements and plans for India. They also discussed security challenges and how organizations can cope. 

Edited Excerpts from the interview follow:

How was the year 2021 for you in terms of business performance? 

Nilesh Jain: We had unprecedented growth this year (2021), and we just published our financial results for Q3; we outperformed what we forecasted. We did an upward correction on the forecast for the rest of the year. We recorded 11% year-on-year growth and significant growth in our SaaS business (double-digit), so retention is good. All the regions, including the Americas, Japan, Europe, and EMEA, performed tremendously well.

This growth is due to multiple reasons. Firstly, digital transformation has increased budgets for enterprises to invest in cybersecurity. We have been seen as a frontrunner for most cybersecurity technologies. In early 2019, we invested in XDR, the next generation of cross-generation detection and response capabilities. And we immediately saw the results. We had tremendous growth in the XDR product in America, Europe, and EMEA. Then we started acquiring new logos (new customers) across verticals. Many customers are looking to switch over from the struggling vendors, who probably can’t catch up.


What kind of transformation is happening with the cloud, and what (security) challenges does it raise for business?

Nilesh Jain: Cloud is getting more complex because suddenly you are trying to take a journey in six months or one year, which otherwise would have taken four or five years. Because of the pandemic, you have been forced to do something very quickly while your employees are working from home. Your competitors are born-in-the-cloud companies, and you started competing with those players who never existed before. Business models change. There are born-in-the-cloud companies, Internet companies, new business model companies.

Look at any domain, whether it is FMCG, retail, or the financial sector — the people we are competing with now have an IT background. The promoters of Fintechs and e-commerce companies are all IT people. So, technology started building competition for the so-called “legacy enterprises,” which were never seen as competition. I’m using legacy in a very positive way; I would call these “stabilized enterprises.” But stabilized enterprises who thought they could do this digital transformation project in three or four years never had that time.

Secondly, cloud adoption increased fast. New services were introduced in a short time. For instance, AWS launched as many new services (120) in the past two years as they previously launched in 10 years. Suddenly, the complexity of managing services and different threats come up because those services were not expected or explored. An organization lacks the skills to deal with all these new services, and it does not have a complete understanding of cloud architecture from a security perspective. And that’s why hackers can break into systems. It is because you lack the skills to protect those systems.

About the challenges. On the one hand, CIOs and CISOs are moving quickly to support business functions. Then they realized that security was left behind. So, that is one challenge we have seen. When employees started working from home, the second challenge was that the perimeter they built up for security was not there anymore – firewall and the IPS (intrusion prevention system). They are not working within those perimeters anymore. The endpoint moved away from the office, and servers in the local data center moved out of the office (to the cloud). Within your office environment and network, you have adequate security measures, but these are no longer relevant. Critical data has now moved to the cloud, and your endpoint computing has moved to the home. That’s why the biggest concern for CIOs and CISOs is how they can still get centralized visibility (like before the pandemic).

Vijendra Katiyar: No company was prepared for 100% work from home. The CISOs and CIOs we spoke with said the first problem was providing the assets (laptops). And when employees started accessing corporate applications from home, that posed a big risk to the corporate infrastructure since they were not adequately protected. Standard security policies for home users were not yet implemented. And it became a challenge to protect those endpoints and personal devices. The applications had to be protected. And that became a challenge because the applications are hosted in the cloud. And this is the reason for adopting zero-trust architecture and SASE (Secure Access Service Edge).

CISOs were now asking how to do all this to secure applications and endpoints. They were wondering how to introduce more controls without compromising user flexibility. At the same time, we do not want to put in too many controls because security should not be considered a hindrance. We should ensure that the right access is given to the right individual.

To summarize, the cloud has new challenges because of the very fast adoption and complexity of services, which leads to a lack of security understanding. And they wanted centralized visibility of what’s happening on their virtual network. These are the two major challenges we have seen for CISOs in the last two years.

What security advice would you give to businesses transitioning to the cloud and adopting emerging technologies like IoT, blockchain, and AI/ML?

Nilesh Jain: I have three pieces of advice. One, do not do digital transformation or cloud adoption for the sake of it, or just because someone else has done it. Please do not do it because it is popular, and you want to keep up. Because if you do that without careful consideration, you are bound to fail.

Two, look at your business objective. Cybersecurity is more about business objectives and more proactive than reactive. Understand where your business is trying to go. Understand why you want to do something.

Third, which facet of your business do you want to transform first? If you want to go the B2C way, you want to engage with customers in very different ways or create a different delivery mechanism. You want to pass on the cost advantage.

So, understand what it is that you are trying to do. Get your business priorities right.

There is a lot of virtualization going on. Even desktops are being virtualized with VDI. It is going towards the data center. I see the whole responsibility of security shifting to the cloud service provider. How are you working with data center providers? Because the infrastructure is not on-premise anymore. It’s on the cloud. That’s where the data and applications reside – which need to be secured. 

Nilesh Jain: We don’t have to worry about that because we have been providing data center security for many years. Today, the endpoint includes both: servers and clients. So, this question should not worry people who thought an endpoint would always remain an endpoint.

We always had custom-designed server security for a reason; it was designed to protect the data centers. The only thing that changed is that they started moving from the private cloud to the public cloud or using a hybrid cloud. New services emerged. We moved from legacy applications and shifted to the DevOps side. In this scenario, 20% – 30% of large enterprises use Kubernetes containers, which are more serverless. We know this game very well, so we don’t have to catch up. I mean, we don’t have to learn because we know how server applications work. We know how the data flow and data movements happen. That’s why we have been leaders with almost 30% global market share for Server Security. We started working with AWS way back in 2011 – 2012 when we were still teaching the world about cloud computing. Because of this, our learning curve gave us very good anticipation of what’s coming next, and we have been able to build a product which is future-ready.

So, while everyone was talking about shift-left, which is the DevOps side, we already had DevOps security for reasons there. Deep Security was primarily deployed on-premise, on the virtualization security side – and we quickly shifted back to DevOps. We changed the entire architecture of our product to make it DevOps ready. And because of this, we have host-based security; we have file storage security; we do cloud cluster management; we do cloud-native application security; we do Kubernetes security. And that’s our USP.

Here’s what’s happening today. CISOs are offered one dozen different solutions for Kubernetes security. They are told to buy this, but they need a different solution if they are going serverless. If they are going on file storage, they must buy something else. And this goes back a few years when, for endpoint, you had to buy different solutions and load it up on endpoints, which is not practical. Instead, we offer comprehensive cloud security, which does everything. It is all integrated, all bundled into one customer solution.

We believe customers should not buy a product. They should buy a partner. If you happen to choose the right partner, you don’t have to keep on scouting for the right products. Your partner does it for you. We are building everything that they will require through integrations. And we work with most of the cloud services: Azure, Google, AWS, and do the integration.

There is always going to be the question about ROI in security. Earlier, ROI was more on qualitative terms. Now you define it in quantitative terms and see how much impact it has on business. When customers deploy Trend Micro’s Cloud One, we can immediately show tangible results. And if you use it over, say, five years, we will be on that journey with you, and you do not need to re-architect your cloud security posture. The same product can scale up to your future needs. So, we protect a lot of manpower efforts and customer investment.

Let’s talk about your investment in Cloud One data centers. How much are you investing? How does this fit in your India plans? 

Vijendra Katiyar: I won’t put a number on it. Of course, it is very important and relevant to us. We see a lot of interest in the cloud from private enterprise, government, and public sector companies. Many of our customers are from the banking sector, the financial vertical, regulated by different bodies. So, data sovereignty and data residency become very important. If you want customers to adopt cloud services, you must address this.

When customers move from on-premises to the cloud, you need to think about how to secure their infrastructure. How do you ensure that the journey is smooth without worrying about those security concerns? So, one of those critical initiatives was to have a Cloud One data center hosted in India. The platform is hosted with a cloud service provider in Mumbai. It is offered to any customer, any enterprise in India, or to the government. Very recently, the government introduced a data privacy law. It released guidelines for data residency. While this applies to certain verticals, we see it also coming to other industries that are not so regulated. They will also start insisting on data sovereignty.

So, it made a lot of business sense to support our customers to ensure that we are there to secure their applications, servers, and workloads in the cloud if they are using any of the cloud service providers.

Where do you see the biggest potential in India for your solutions? And how are you going to address that market? 

Nilesh Jain: In India, the biggest potential has to be unleashed from the SMB and mid-enterprise markets. They yearn for an SOC operation at affordable pricing. One can provide that affordability only through a locally delivered ecosystem. It calls for local SOC partners who can deliver that value at economical value. And that is what we are delivering. We can unleash the potential today through XDR. But it’s been adopted only by a few large enterprise customers who have multi-million dollar budgets and some compliance to fulfill.

The biggest potential lies in the mid-market — SMB or lower pie of large enterprises. And that’s a potential that we are trying to unleash by creating a comprehensive service delivery at much more economical prices. For that, we need to have SOC partners who can do a much better job.

We are working with SOC partners and integrating our products there, scaling them up. The backbone of that SOC is still Trend Micro Vision One. It can consume data and information and respond. It is based on Trend Micro’s Vision One engine. And then, we can not only respond on Trend Micro products by leveraging SOC partner capabilities but also on third-party products. Customers don’t want to depend on only one product; they want best of breed on endpoint and server from Trend Micro, but for CASB, they might prefer someone else; for firewall, they may opt for another vendor. That’s why we must support the customer through an SOC. If you are to be successful in XDR, you must learn to work with an SOC partner. Yes, some large enterprise customers, like the large banks, have their own internal SOC and may not need an external SOC partner. We can work with their internal teams as well.

What is your vertical focus for India? How many customers do you have in India?

Vijendra Katiyar: BFSI is number one for us, and there is also a focus on digital-native companies. We have formed a business vertical focusing on the cloud, which will work with many digital-native companies whose entire business is born in the cloud. We have been working with a lot of other enterprises, especially in manufacturing, pharma, and IT/ITES.

Nilesh Jain: In 2021, we gained 120 customers in India. But in the last two years, we acquired nearly 300 customers. These are mid-enterprise to large customers. There was a surprising surge in SMB in the last two years. So, we might invest more into the SMB business and scale it up.

And we work closely with AWS. They open many accounts that we might not even have visibility into. But customers who adopt AWS would like to partner with us.

How do you serve the government and public sector? 

Vijendra Katiyar: We have a very strong government team that focuses on central and state government. One area where we see a lot of potential is Smart Cities. We have participated in many leading smart city projects to make smart cities more secure.

Defense is another area, and we built a team to focus on this sector. It’s an important sector for the government, and the sector is seeing a lot of cyberattacks. We know that there are guidelines, policies, and government initiatives being digitalized, and we want to help the government securely do this. We are working towards that.


The post ‘Rushing into Digital Transformation Creates Security Challenges’ appeared first on CISO MAG | Cyber Security Magazine.

“Melding IT and OT Systems Can Create New Attack Vectors and Surfaces” https://cisomag.com/melding-it-and-ot-systems-can-create-new-attack-vectors-and-surfaces/ Wed, 22 Dec 2021 05:30:16 +0000 https://cisomag.com/?p=25344
The world is more connected than ever. Rapid digitalization has created enormous potential for enterprises, given the connectedness of billions of IoT devices. The priorities of the cybersecurity C-suite have also seen a shift, with CISOs and CIOs strategizing separate security programs for information technology (IT) and operational technology (OT). The IT and OT integration trend is not new; it streamlines the processes and increases efficiency. However, the IT-OT confluence also widens risk and leaves systems vulnerable to cyberattacks.

In an exclusive interview with Pooja Tikekar, Sub Editor, CISO MAG, Richard Bussiere, Technical Director for APAC at Tenable, discusses the fundamentals of IT and OT and the security challenges posed by the IT-OT convergence.

Bussiere is the Technical Director for APAC at Tenable. Based in Singapore, he is responsible for evangelizing the criticality of cyber hygiene and vulnerability management as a continuous process to enhance an organization’s security posture.

Bussiere is also responsible for Tenable’s operational technology offering in the region, consulting with operators of critical infrastructure to bolster their defensive position.

Bussiere holds five patents related to networking and network security. He is also an active participant in the Institute of Electrical and Electronics Engineers and Internet Engineering Task Force working groups.

Edited excerpts of the interview follow:

In the last couple of years, disruptive technologies in the realm of information technology have seen rapid growth. IoT is among the most-hyped technologies that could reshape the way companies operate, especially after COVID-19 and with the increased adoption of 5G networks. What is the layer of complexity that active IoT adoption adds to cybersecurity threats? How does it broaden the attack surface for organizations?

Every single added device increases the threat surface as it provides an additional vector for attack. Couple this with the fact that many IoT devices are designed to a low-cost point, meaning that the processing power and level of testing from a security perspective is frequently not up to the mark. Finally, the internal components of IoT devices often are derived as “white box” solutions from a single vendor; hence they will have the same security vulnerabilities. We saw exactly this with the Mirai botnet in 2016.

The second issue is 5G, which brings “more and faster” – more things connected at higher bandwidths. So, we have the fact that we are increasing the value of the networks by making them faster and adding more things to it, which increases the “value” of the network to an attacker. The confluence of 5G and wide use of IoT naturally leads to a large population of vulnerable devices. Managing this enhanced risk will become a challenge.

Intelligent devices are now being indirectly connected to critical infrastructure and controlled/monitored through secure remote access. These intelligent devices serve as the eyes and glue by which future smart city initiatives will be linked together. Information from these intelligent devices will be fed to the cloud for processing and analysis, or fed to entities such as utilities directly for real-time decision-making. This means that malicious manipulation of vulnerable IoT devices may lead to incorrect information being fed to users and decision-makers of critical infrastructure, creating an indirect attack vector. Furthermore, this introduces new portals for an attack due to the convergence of IT and OT operations.

While IT manages data or the flow of digital information, operation technology (OT) is responsible for managing the operation of machines or physical processes. Could you explain the IT-OT concept in detail?

Let’s first establish a differentiating fact between IT and OT. In IT, the data is the product. In OT, the data itself is of little value – it is a means to control a physical process, the end result of the physical process being the product.

The convergence of the data side of the business with the operational technology side has revolutionized our critical infrastructure. This connectivity can remove the need for a physical person to be on-site to manually make changes, and instead use remote access to adjust settings whenever and wherever necessary. Beyond this, when we consider initiatives such as Industry 4.0, we introduce more real-time interaction between the machinery of production (OT) and external entities such as suppliers, customers, logistics, etc. Supporting such initiatives requires real-time information from the OT environment. Essentially IT-OT convergence improves efficiency, enables predictive maintenance, and reduces downtime. Unfortunately, the downside of this penetration of IT into OT environments exposes the OT world to more risks than in the past by introducing additional attack vectors.

In IT, data must be protected at all costs, whereas, for OT, the most critical aspect is to protect the operations of the business. Do you think incident detection and response in an OT environment is different from an IT environment?

The primary objective of IT security is to ensure that the confidentiality, integrity, and availability of data are preserved. Whereas in OT, the primary focus is the safety of life, limb and property, the availability of the process, and the quality of the output of the process. That said, the concepts of cybersecurity practiced within IT can have great value within the OT world. Consider the fact that OT environments are not only composed of programmable logic controllers (PLCs), but up to 50% of these environments consist of IT devices such as Windows and Linux computers that host Digital Control Systems (DCS) and an ever-growing inventory of Internet of Things. When deployed inside the plant, these devices can expose operations to the same threats and vulnerabilities that would be seen outside the plant. The reality in today’s converged IT-OT environment is that OT operators must learn and apply fundamental cybersecurity practices to improve and maintain their KPIs of Safety, Availability, and Quality.

Industry 4.0 is revolutionizing the global manufacturing landscape. However, the pandemic is telling of the fact that the manufacturing sector faces supply chain disruptions. How can the IT-OT merger counter supply chain attacks?

Maintain visibility across the board but understand how an attack against a partner or supplier could impact your organization. The solution to gaining this understanding is to have continuous monitoring and threat intelligence relating to the full supply chain and risk-based vulnerability management.

Prioritize inventory management by knowing whether suppliers maintain optimal cyber hygiene. This plays a vital role in identifying the threat landscape but given the huge number of suppliers, starting early on in a relationship is key.

Having an environmental baseline that includes accurate asset inventory, and an understanding of business processes, traffic flows and dependency mappings is essential to establishing where trust relationships exist and where a zero-trust model should be implemented. In doing so, business leaders can use zero-trust to ensure communications within supply chains are secure and from approved and trusted users.

It is important to identify who has access to privileged accounts and ensure the appropriate level of privilege is decided for each role within the organization. Implementing identity access management and encrypting all internal data can make it difficult for cybercriminals to establish backdoors to infiltrate during a supply-chain attack.

The manufacturing sector in India grew by 49.6% in Q1 2021, compared to a 36% drop in Q1 2020, indicating that it is one of the most attractive sectors for cybercriminals. How can manufacturers in India bridge the knowledge gaps arising out of IT-OT convergence? And how can the C-suite ensure the successful implementation of industrial cybersecurity?

The most significant thing that would help IT and OT teams work together effectively is education and mutual understanding. IT personnel must understand some fundamentals of operational technology, and similarly, OT personnel need to learn IT security essentials. These enablement exercises, in conjunction with cohesive and comprehensive business-driven security policies, will go a long way towards facilitating the necessary level of protection for business-critical production-oriented assets.

Business-level oversight and C-suite leadership enable both sides to collaborate effectively. Increasingly, organizations are taking senior, experienced engineers from OT business units and assigning them to support incident response within the security teams. This creates an environment where both IT and OT teams can collaborate effectively.

What are some of the security challenges posed due to the integration of IT-OT?

Melding IT and OT systems can create new attack vectors and surfaces. Since IT and OT environments are often interconnected, an attack originating from an IT network can move laterally to the OT environment and vice versa.

One of the biggest challenges that arise from convergence is that OT environments frequently have relatively obsolete and unpatched software present. This is an artifact of how OT needs to work. If a given system is functioning properly, then the tendency would be to leave it alone rather than take the risk that implementing the patch will cause an unanticipated malfunction. So, as IT and OT continue to converge, the legacy OT devices are exposed to risks that they were not exposed to in the past.

Apart from IT-OT, tell us your top three cybersecurity predictions for 2022.

  • 5G will increase our dependence on digital infrastructure

5G rollouts in APAC will bring with them an exponential increase in our ability to interconnect intelligent devices reliably and at high speed. This will lead to a rapid acceleration of e-commerce and the emergence of intelligent cities and infrastructures. We also see intelligent devices being connected to utilities – for example, solar cells reporting to the operator how much power they are injecting into the grid. The benefits are very tangible, as are the enhanced risks. 5G increases our dependence on our digital infrastructures, amplifying the negative impact on society when this infrastructure malfunctions or is the victim of a cyberattack. As we embrace 5G, we must also carefully consider the resilience and security of the systems that will utilize this game-changing technology.

  • The future of shift-left security is infrastructure-as-code

Now that cloud adoption has rapidly increased and organizations embrace the flexibility that cloud-native provides, it is vital to find and fix every bug before deployment. By the time software reaches run-time, it is already too late. That is why detection will move from reactive to proactive in 2022, as CISOs increasingly recognize that security teams do not have to wait for infrastructure to be created to discover and mitigate vulnerabilities in code.

  • Colonial Pipeline set the table for improvement

Attacks like Colonial Pipeline made security tangible for non-security professionals. Every board of directors is now interested in knowing the cyber risk to their company. Stakeholders are more invested than ever, and Congress/policymakers are no exception. If the government and private sector acknowledge their shared priorities and work together toward a more secure world, 2022 will bring a promising climate for improvement.


About the Author

Pooja Tikekar is the Sub Editor at CISO MAG, primarily responsible for quality control. She also presents C-suite interviews and writes news features on cybersecurity trends.

The post “Melding IT and OT Systems Can Create New Attack Vectors and Surfaces” appeared first on CISO MAG | Cyber Security Magazine.

“Security is a Priority for Total Application Experience” https://cisomag.com/security-is-a-priority-for-total-application-experience/ Thu, 09 Dec 2021 07:39:12 +0000 https://cisomag.com/?p=24721
The onset of the pandemic in 2020 saw an unimaginable shift to the digital world, where millions dived into cyberspace both as users and service providers. With restrictions imposed on physical mobility across the globe, even non-tech-savvy individuals had to plunge into the digital world just to stay connected with family and friends. The frequency and the number of financial transactions being executed online presented a massive opportunity for cybercriminals.

In an interview with Gregg Ostrowski, Executive CTO at Cisco AppDynamics, Minu Sirsalewala, Editorial Consultant, CISO MAG, discussed how ransomware attackers and cybercriminals increasingly exploit vulnerabilities caused by gaps in rapid digital transformation, and how the increased use of applications, driven by the pandemic, has changed the way application security is viewed. Security sits on top of the total application experience.

Ostrowski is an Executive CTO at AppDynamics, part of Cisco. He engages with customer senior leadership to help prioritize their strategy for digital transformation. Prior to AppDynamics, Ostrowski held senior leadership positions at Samsung and Research in Motion.

Excerpts from the interview follow:

Can you explain why Application Security has gained so much importance in the past year?

In the world we live in today, applications have become critical to our daily lives; they are critical to us and companies or organizations we work with. To help attract new customers, retain customers, and keep them happy, they need to create rapid development cycles. As they needed to innovate quickly, they started introducing different cloud technologies.

With the expansion of the existing infrastructure – which typically runs on premise – it has sprawled to include additional cloud components or additional dependencies for that application. So, what you’re seeing is a sprawl of the overall application topology or the application map that makes all these things work. With all these different dependencies and the need for speed to deliver applications, going with an application security approach or application first security really helps our customers stay ahead of the game and understand what’s happening from a security perspective across all the dependencies of that application. For companies looking to build rapidly, attract new customers and ensure the desired user experience, security needs to be placed in the application first type mentality.

This enables businesses to understand the application stack from a user experience, performance, and security perspective as security affects users more than performance, and a security threat is highly detrimental to the brand.

Is there something called beyond Layer 7 security? If so, what is it?

That is a really interesting question. The OSI, as we know, has 7 layers, and the 7th layer is the Application Layer; everything underneath is a dependency for that application all the way and goes down to the physical servers (Physical Layer).

I wouldn’t necessarily consider a layer beyond seven, but security must be the critical component of every step along the way. So, each piece is going to be implementing security. Be it Denial of Service (DoS) attacks or threat detection, or intrusion detection where application security comes in, it brings all the components together and allows full visibility of the entire layer from a security perspective. I wouldn’t call it beyond Layer 7; rather it is an evolution of how security fits into the overall OSI model.

How can we use Cisco Secure Application to detect and block threats in real time?

AppDynamics, the product overall, has an agent-based model that runs in the runtime of the application. We have included the security, the Cisco Secure Application, within the runtime of the application. This enables us to analyze and understand what’s happening, not just for performance, but also how it is being affected by any kind of security threats or vulnerabilities.

And we do that by being able to pull in data from public resources and some proprietary resources that run a list of the current threats and vulnerabilities. So, there is a real-time alert pop-up with tracking that shows where the security threat is happening. We did an application stack, and once a threat is found, we can simply alert and send out a notification to the security teams and the application. And as a preventive measure, we can go down and block that component of the application from becoming more detrimental to the business. This enables both teams – the application teams and the security teams – to collaborate on how to really address the threat.

For example, if there is a web server that’s running a version 2.5 and the version 2.7 happens to have a threat, it can notify the customer that an upcoming version of one of your components of the application stacks has an upcoming vulnerability, so they can address it before it hits the production servers.

Prioritizing and classifying data is key to data management. How can organizations prioritize threats by business impact?

One of the key fundamental aspects of AppDynamics is being able to present it in the business context. We can use our AI capabilities to provide the insights to stack rank on how these threats are coming in and which is the most critical to the business, thereby allowing a window for the IT teams to know which ones to go out and fix.

A good example would be a payment service that affects multiple applications, as the way apps were built, multiple tasks are performed in a shared service type model. Most of these deployed applications run in a microservice-type architecture. So here, the payment services are the most valuable piece to the business, as it is directly tied to the business revenue. Using the AI, we can prioritize the detection and fixing of the threat for the payment service application in comparison to other threats that were coming in and were picked up by Cisco security.

How beneficial is the Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) approach?

I think it is definitely beneficial. When one implements application security testing before the application goes to production, you are putting security in the process of your CI/CD pipeline. As security testing is done pre-production, the Cisco secure application monitors the application while it is running in production.

It is best to move through the scanning process while you are building the application, ensuring security is part of the CI/CD pipeline.

AppSec is a focus area for CISOs with the increasing incidents of data breach. How can DevSecOps help mitigate the security risks and enhance application security?

There is a need to start thinking and bringing teams together and collaborating amongst all aspects of the application development. I strongly believe CISOs need a seat at the table. When one goes through the development cycle, the DevSecOps model, you want to make sure that security is built into the application from the word go. The CISO’s role is to look at what new advancements and capabilities need to be incorporated from the security aspect.

When an organization starts focusing on building applications that drive a high-end user experience and performance, the CISO ensures that the application is secure. Their role is not limited to ensuring the latest security technologies but also driving innovations or new user experiences along with security.

DevSecOps is a very, very strong growth trend in the industry. If organizations are not embracing it, it is highly recommended that they consider building some practice that helps with security within their DevOps.

Learnings from the Facebook outage?

This is truly an example that anybody and everybody could be vulnerable. Though I have not been closely tied to the issue at Facebook, from what I have read and understood, there are multiple shared services and how their entire ecosystem was taken out. The sprawling IT infrastructure is causing the same level of concern for a lot of our customers, with multi dependencies and interdependence, neutropenic type environments where risk must be managed, completely or inclusively.

When you have multiple different applications running in a shared service environment, you do not know where to target first and resolve the issue. It is a combination of both performance as well as security; this incident is a validation of the effort we need to put into viewing every single dependency of the application stack from a business and security perspective. This also includes the infrastructure that is running on-premises or in the cloud. Most important is to have the right tools and visibility to be able to do their jobs right.

Security recommendations or best practices?

A DevSecOps model is definitely a strong way of getting started. The second one is to ensure the CISO's seat at the table when it comes to new innovations and new capabilities. Many organizations are working in silos and not communicating enough to focus on the same direction, thereby impacting the business. You have the infrastructure team, the network team, the development team all working in silence. This delays delivery and leads to misalignment of the organization. Having everybody on the same page with a common goal for the business helps align your teams a little bit tighter for the greater good of all.


About the Interviewer

Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.


The post “Security is a Priority for Total Application Experience” appeared first on CISO MAG | Cyber Security Magazine.

“DevOps Engineers are Constantly Being Hunted by Cybercriminals” https://cisomag.com/why-devops-security-is-crucial-for-organizations-today/ Wed, 08 Dec 2021 05:30:07 +0000

Remote work and distributed environments have disrupted long-established security models and workflows. Security architects had to re-adapt, re-architect, and rebuild security for remote workers, with the rapid de-perimeterization we witnessed over the months. A multi-layered approach had to be deployed with a mix of security solutions, ranging from identity management, privileged access management, encryption, data-level authentication, data loss prevention, network security, security protocols – and of course, zero trust architecture. In a rush to accede to business demands for cloud adoption and digital transformation, established frameworks and models like security by design and DevSecOps or DevOps security were often neglected.

In an interview, Brian Pereira, Editor-in-Chief, CISO MAG, and Jeffrey Kok, Vice President of Solution Engineers, Asia Pacific and Japan at CyberArk, exchange notes on current challenges posed to organizations for DevOps security, adopting security by design, and in integrating security into the CI/CD pipeline. Kok reveals strategies employed by his organization to work around these challenges. The interview concludes with a discussion on privileged access management and how PAM secures remote work environments that have questionable security defenses.

Kok has more than 17 years of experience in the cybersecurity industry. At CyberArk, he is responsible for working with various internal teams to qualify leads, identify business issues and drivers in any particular sales opportunity, and manage the entire presales and solution process of the business cycle.

Prior to joining CyberArk, Kok was Technical Consultant Director, Asia Pacific and Japan for RSA, managing a team of senior pre-sales engineers and technicians. While in this role, he built a strong and high-performing cross-regional pre-sales practice.

During his career he served in companies and institutions, including RSA, Cisco Systems, Nera Telecommunications, and the National University of Singapore (NUS). He holds a Bachelor of Applied Science in Computer Engineering from the Nanyang Technological University and a CISSP certification.

Edited excerpts from the interview follow:

Implementing DevOps requires close collaboration between various teams. But with most teams and people working from different locations during the pandemic, has this posed a challenge to the development process?

During the initial onset of the pandemic, development teams working in different locations were affected as many organizations, especially those in the Asia Pacific, were not prepared to work in remote settings. Most organizations needed time to adapt to this new change as, prior to the pandemic, developers would gather in a physical room and discuss ideas using a large whiteboard with colourful post-its. Now, organizations would need to provide access for remote workers to ensure the same level of collaboration.

Within a couple of months, most organizations successfully adapted. This is evident from the development of new apps and updates during the pandemic. For instance, the Singapore government made significant progress throughout the pandemic on its contact-tracing application, TraceTogether, having released numerous updates and added functions to improve the user experience, as well as to reflect the latest vaccination status.

There has been much talk about “security by design.” But not many organizations are following this practice. Your comments, please.

I believe that the challenges with adopting security by design are global. The concept requires additional time and effort, which all adds to the cost for companies.

This is a common issue, especially for start-ups that tend to skirt around security needs in exchange for speed. These companies tend to introduce security during the later stage of the development to gain the competitive edge of launching solutions or updates before their competitors.

On the other hand, larger and more mature organizations tend to adopt security by design at the outset, as they understand the importance of securing their applications. For instance, the public sector and banks tend to put a big focus on this approach.

As for organizations that have been operating with legacy applications and systems designed decades ago, it does require an enormous amount of effort (and sometimes it is impossible) to re-architect and rebuild with an added layer of security. Companies looking for a refresh often adopt and partner with a proper security platform that can help them implement modern security practices. In this way, they have something that equates to security by design.

What is the biggest challenge with DevOps security? Is this challenge seen only in APAC or elsewhere in the world too?

Recurring low-level phishing and impersonation attacks set up by cybercriminals target developers who have high levels of access to credentials. Developers are preyed on as they build critical software and are frequently given administrative privileges, which provide a valuable entry point to the rest of the organization if compromised. Cyberattackers know this, and they aim to misappropriate admin privileges that could jeopardize the whole application environment. While enabling organizations to become more efficient and faster, the growth of DevOps has significantly expanded the attack surface.

CyberArk’s CISO View research shows that high-level DevOps engineers are constantly being hunted by cybercriminals due to having access to sensitive company assets. This illustrates that the credentials that DevOps teams use must be managed and secured in a centralized and controlled way.

When attackers are able to access privileged credentials, they gain unrestricted access to DevOps pipelines, sensitive databases, and cloud systems, which become targets for abuse. This can result in data breaches and intellectual property theft.

What would be the way to get round this challenge? And how?

Firstly, the development team should start with securing the DevOps pipeline. If the pipeline is not secured, this means that companies have not put the correct security building blocks in place. On the other hand, if companies have security-as-code alongside infrastructure code — as part of the entire pipeline — they have a strong foundation.

Secondly, do not leave hardcoded credentials everywhere. Always make it dynamic, so that it reduces the risk of someone in the DevOps team stumbling onto an SSH key somewhere, effectively allowing them the keys to the kingdom.

Finally, use existing industry best practices, which are talked about frequently at conferences and events around the world.

There is also a challenge of integrating security into the CI/CD pipeline. Security teams are slow to secure every part of the code and cannot keep up with the pace of DevOps. And this raises security risks during the integration stage. How are organizations getting past this challenge?

For companies with a CI/CD pipeline, it makes it easier for them to embed security best practices into their pipeline. Think of the pipeline as a train. If this train is being created, and this train goes through different stations, a company can break down problems into many parts and address the security aspect in each of those stages of the pipeline, or each of those train stations. Companies should follow best practices on securing code and validate it with automated code validation. Security must be integrated into the CI/CD pipeline before DevOps moves on to operations.

Can you give us some recommendations for DevOps security?

Automatic rotations for secrets, passwords, keys, and certificates hinder cybercriminals from accessing DevOps tools and access keys. Moreover, this automation reactively informs security teams if and when a breach happens. Taking a proactive approach to protection, using automation and programmability, will encourage collaboration throughout teams, accelerating innovation amidst companies’ evolving needs.

Here are some tips for DevOps security:

  • Working closely with Software Engineering and IT/DevOps will be beneficial for developers in protecting their applications. Supporting the idea and understanding the importance of security should be the priority, and instilled early into Software Architects, Developers, and DevOps/IT Operations. Acknowledge that the extra process is not to decelerate the development work; rather, it is to accelerate it via simple integration points. Identifying security breaches before they become critical requires security teams to focus early in the development cycle.
  • Remove all hard-coded secrets in code, DevOps tools, configuration files and scripts. It’s also important to never use default passwords. For example, some tools establish a developer default user to create projects.
  • To bring most value, Privileged Access Management and secrets management for DevOps infrastructure should be integrated cohesively; one system to centralize all privileged accounts, secrets, and other credentials.
  • The development, security, and operations teams could utilize security-policy-as-code for efficient and unambiguous communication. Security tests and scans are integrated in the CI/CD pipeline to routinely and continuously identify potential risks and security gaps. Thus, organizations can improve their security posture, at the same time maintaining DevOps velocity and scalability.
  • Securing credentials used in DevOps tools and processes is not always straightforward, but one aspect that is a must is to automate this effort. Minimal hands-on human and manual work reduces administrative overhead and errors.
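One concrete way to enforce the "remove all hard-coded secrets" and "never use default passwords" tips above, as an added example that is not CyberArk's or CISO MAG's code: a small scanner that can run as a CI/CD gate over source, configuration and shell files and that passes only values fetched dynamically at runtime. The sample files, their names, and the `vault:` / `secretsmanager:` reference convention are constructed for the demonstration; the AWS key ID is AWS's public documentation example, not a real key.

```python
"""Flag hard-coded and default credentials in code, config files and scripts.

Constructed example: a pipeline gate for the secrets-hygiene tips in the
interview. Sample files below are fabricated; nothing here is real credential.
"""
import re
from dataclasses import dataclass

# Key names that commonly carry a secret when assigned a literal value.
SECRET_KEY_RE = r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)"

# key = "literal", key: literal or KEY=literal in Python, YAML, .env and shell alike.
ASSIGNMENT_RE = re.compile(
    SECRET_KEY_RE + r"[A-Za-z0-9_]*\s*[:=]\s*['\"]?([^'\"\s#]+)['\"]?"
)

# Values resolved at runtime from the environment or a secrets manager are the
# desired state ("make it dynamic") and are not reported.
DYNAMIC_VALUE_RE = re.compile(
    r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|os\.environ|os\.getenv|vault:|secretsmanager:)", re.I
)

# Well-known default passwords that must never survive into a deployment.
DEFAULT_VALUES = {"admin", "password", "postgres", "root", "changeme", "secret", "123456"}

AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS access key ID format
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "hardcoded", "default" or "key-material"
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per offending line of a single file's contents."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                   # blank lines and comments
        if PRIVATE_KEY_RE.search(line) or AWS_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "key-material", stripped))
            continue
        match = ASSIGNMENT_RE.search(line)
        if not match:
            continue
        value = match.group(2)
        if DYNAMIC_VALUE_RE.match(value):
            continue                                   # injected at runtime: fine
        kind = "default" if value.lower() in DEFAULT_VALUES else "hardcoded"
        findings.append(Finding(path, lineno, kind, stripped))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a CI job would read from the checkout)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def pipeline_gate(files: dict[str, str]) -> bool:
    """True when the checkout is clean, i.e. the pipeline stage may proceed."""
    return not scan_files(files)


# Constructed sample checkout mixing the bad and the recommended patterns.
SAMPLE_FILES = {
    "app/db.py": (
        "import os\n"
        'password = "s3cr3t-hardcoded"      # flagged: literal secret in code\n'
        'api_key = os.environ["API_KEY"]     # ok: injected at runtime\n'
    ),
    "docker-compose.yml": (
        "services:\n"
        "  db:\n"
        "    environment:\n"
        "      POSTGRES_PASSWORD: postgres    # flagged: default password\n"
        "      APP_TOKEN: ${APP_TOKEN}        # ok: provided by the environment\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE   # flagged: key material\n"
        "export DB_PASSWORD=vault:secret/prod/db       # ok: secrets-manager reference\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line} [{finding.kind}] {finding.snippet}")
    print("gate passed" if pipeline_gate(SAMPLE_FILES) else "gate FAILED")
```

Run on the sample checkout the gate fails with three findings (one hard-coded literal, one default password, one piece of key material) while the env, `os.environ` and `vault:` references pass.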

How does PAM help in securing remote environments, with workers at home using personal devices?

With the rise in remote work, securing employee workstations is more important than ever. Employees are working from home offices with insecure “BYOD” devices on insecure home networks. Every single endpoint (laptop, smartphone, tablet, desktop, server, etc.) contains privilege by default. Built-in administrator accounts enable IT teams to fix issues locally, but they also introduce great risk. Attackers can exploit admin accounts, then jump from workstation to workstation, steal additional credentials, elevate privileges, and move laterally through the network until they reach what they’re looking for. Thus, companies need to adopt privileged access management (PAM) as privileged accounts, credentials and secrets exist across the remote workforce and need to be secured. Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major data breach.

Privileged access management solutions can also offer insider threat protection, helping to ensure activities occurring across the distributed network aren’t malicious and, if they are, enable security operations teams to take quick action. Whether it is internal privileged users abusing their level of access, or external cyberattackers targeting and stealing privileges from users to operate stealthily as “privileged insiders,” humans are almost always the weakest link in the cybersecurity chain. PAM helps organizations make sure that people have only the necessary levels of access to do their jobs and enables security teams to identify malicious activities linked to privilege abuse and take swift action to remediate risk.

A proactive PAM program could account for the comprehensive removal of local administrative rights on workstations to reduce risk. Implementing a comprehensive privileged access management program will allow organizations to effectively monitor where privileged access exists at every layer, understand which users (both human and non-human) have access to what, detect and alert on malicious or high-risk activity, and enhance overall cybersecurity.

——————————————————————-

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).


The post “DevOps Engineers are Constantly Being Hunted by Cybercriminals” appeared first on CISO MAG | Cyber Security Magazine.

“PtaaS Offers a Faster and More Thorough Process of Vulnerability Discovery” https://cisomag.com/ptaas-offers-a-faster-and-more-thorough-process-of-vulnerability-discovery/ Wed, 01 Dec 2021 06:53:44 +0000

Not too long ago, in August 2021, Conti operators successfully targeted SAC Wireless, a U.S.-based Nokia subsidiary, with a ransomware attack. After an internal investigation, SAC found a laundry list of vulnerabilities in their security system that the Conti hackers could take advantage of. These were vulnerabilities that could have been proactively identified and addressed before the data breach ever occurred.

Enter Pen testing-as-a-Service (PtaaS). Through PtaaS, it is possible to pinpoint vulnerabilities – like the ones exploited in the Nokia attack – and stop cybercriminals before they even have a chance to exploit them.

In a virtual interaction, Minu Sirsalewala, Editorial Consultant, CISO MAG, and Eric Brinkman, Chief Product Officer at Cobalt, discussed how identifying security vulnerabilities early is more important than ever. Brinkman also opined on how PtaaS providers have become a critical component across all security programs.

As the Chief Product Officer at Cobalt, a PtaaS company, Brinkman leads product vision, enhancing the existing suite of offerings and identifying innovative ways to meet and exceed the needs of current and future customers.

Brinkman is a seasoned technology industry veteran with 15 years of experience driving and sustaining long-term product growth. Previously, as Senior Director of Product at GitLab, he founded the company’s first growth team, which evolved into a critical component of the company’s business approach. He built and managed product teams that innovated on widely successful GitLab product features and functionalities and developed new product areas such as Compliance Management, Design Management, Requirements Management, and Quality Management. Notably, Brinkman led the product team that secured GitLab’s placement on the 2020 Gartner Magic Quadrant for Enterprise Agile Planning Tools.

Excerpts from the interview follow:

What is the importance of preventive security measures? Can you explain why they have gained so much importance in the past year?

SolarWinds. Colonial Pipeline. Kaseya. Robinhood. Cyberattacks have been growing in frequency and intensity over the past decade, and they have only increased since the onset of widespread digital work. Now more than ever, organizations everywhere feel the pressure to implement comprehensive security strategies fast to avoid becoming the latest cyberattack headline.

The shift to, and complexities of, remote work have underscored the importance of proactive, preventative security measures. Organizations must know and secure their assets — only then can they find and fix vulnerabilities before an attacker breaches their systems.

According to a Cobalt survey of 600 IT security professionals, pen testing provides businesses greater protection against malicious attacks. In fact, 78% say that the more pen testing they perform, the more their organization’s attack surface decreases.

How is PtaaS changing the way DevOps manages security?

Security and software development professionals almost universally see pen testing as a vital component of the application and network security programs. However, few organizations can perform as much pen testing as they want or need due to budget limitations and inefficiencies in the traditional pen testing process.

The most common approach to pen testing today is engaging a third-party consulting firm with an IT practice to provide a pen testing team for a specific test project. These engagements provide valuable input, but security teams find them to be slow and expensive. Pen test-as-a-Service (PtaaS) has emerged as an innovative approach to cybersecurity threat detection and remediation.

PtaaS takes these benefits to the next level, allowing organizations of all sizes to manage a scalable, efficient pen test program with on-demand access to expert security talent and a modern SaaS delivery platform. PtaaS enables DevSecOps teams to secure their code faster, integrating security and development tools and real-time collaboration with pen testers.

How well is PtaaS integrated into the system as a best practice?

Organizations must stop viewing pen testing as a manual add-on to their security processes and instead integrate PtaaS into their technology stacks from Day 1, using it as a core component of their security systems. No one tool or tactic alone can provide the defenses organizations need to fend off cybercriminals; it takes a layered approach to create an effective security program.

PtaaS changes how pen tests can be integrated into the SDLC by allowing for programmatic access to vulnerabilities discovered during the pen test, via native integrations or APIs, to be placed in context with the teams tasked with fixing those vulnerabilities.

With businesses becoming more agile, how has traditional pen testing evolved to integrate with the complex technical environment?

In June 2021, Cobalt launched its public API that allows customers to easily integrate their pen test data into other tools within their technology stack, such as GitHub, Jira, and Slack, enabling streamlined workflows and a dynamic analysis of their security programs. This addition was a critical step in Cobalt’s mission to advance traditional pen testing by enabling teams to manage their data more easily and build a holistic view of their vulnerability and application landscape. This is just one example of how Cobalt is modernizing traditional pen testing.

What key factors are driving PtaaS adoption?

With a new cyberattack making headlines almost every day, organizations have never been more aware of the critical need for a comprehensive security strategy. No one is immune to cyberattacks; that is why proactive, preventative testing is critical for enhancing an organization’s security posture.

Business and security leaders are turning to PtaaS in droves because it offers a more efficient and cost-effective pen test process. They can closely monitor testing progress, as well as catch and remediate vulnerabilities quicker than ever before.

Also, depending on the industry that a company operates in, there can be varying degrees of mandates that require pen testing. PtaaS allows companies of all sizes to effectively meet these requirements.

What are the benefits of PtaaS?

PtaaS delivers all the benefits of manual pen testing in a unified platform with the added benefits of integrations and automation. As security threats continue to get increasingly more sophisticated, PtaaS offers a faster and more thorough process for security testing and vulnerability discovery.

Cobalt’s new “ROI of Modern Pentesting” report found that traditional threat detection, via a consulting firm, is no longer cutting it. Using old-school pen testing, most organizations (83%) test critical assets only annually, leaving notable gaps in their security posture for attackers to exploit. This could leave organizations vulnerable to attacks. PtaaS allows for more flexibility and lower costs, meaning organizations can test their assets more frequently, decreasing the risk of vulnerabilities going undetected.

Is there an overlap of the PtaaS model with the SaaS model?

Great question! Just as the name suggests, PtaaS is a modern approach to pen testing, implemented via the SaaS model. PtaaS allows for on-demand test scheduling, seamless integrations, and automated workflows. Its benefits also include direct pen tester collaboration and communication capabilities and more robust reporting.

Typically, what challenges do organizations face while adopting the PtaaS model?

I think one of the biggest challenges right now is awareness. Many organizations have yet to learn about PtaaS, so that education piece is crucial. Over the years, we have seen many companies do proof of concept contracts and then later expand and renew for multi-year contracts once they have experienced the benefits of PtaaS firsthand.

Could you share incidents where pen testing could have proactively identified and addressed vulnerabilities before a data breach ever occurred?

Finding vulnerabilities is important but fixing them is often where organizations with an immature DevSecOps culture fall short. Automated scanners typically throw off tons of alerts, but it can be overwhelming for a development team to know where to start, even if they were really motivated to fix them. Pen testing helps provide human judgment and can assist with prioritization. PtaaS is designed to integrate into the development process.

Checking your cybersecurity defenses regularly is imperative because it will give you the opportunity to pinpoint and prioritize vulnerabilities — like the ones we often hear about in the news — and the chance to stop cybercriminals before they even have a chance to exploit them.


The post “PtaaS Offers a Faster and More Thorough Process of Vulnerability Discovery” appeared first on CISO MAG | Cyber Security Magazine.

“AI and ML Will Be Enablers for Cybersecurity for the Foreseeable Future” https://cisomag.com/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/ Wed, 17 Nov 2021 05:54:14 +0000

In the first half of 2021, cyber adversaries seized on opportunities to attack enterprise infrastructure and critical industries. Even the slightest security mismanagement motivated them to disrupt operations and exfiltrate data. As the year draws to a close, and with the holiday season around the corner, attack sophistication and scale could see a new shift. Looking at the current cybersecurity landscape, cryptocurrencies, mobile wallets, ransomware attacks targeting supply chains, and deepfakes are the most talked-about topics. At the same time, Artificial Intelligence (AI) and Machine Learning (ML) are among the hottest trends because, if leveraged appropriately, they can identify vulnerabilities and reduce incident response time.

To discuss this further, Pooja Tikekar, Sub Editor at CISO MAG interviewed Chuck Brooks, President of Brooks Consulting International and Adjunct Faculty at Georgetown University. Chuck is a Technology Evangelist, Corporate Executive, Speaker, Writer, and a Government Relations, Business Development, and Marketing Executive.

With over 74,000 followers on LinkedIn, 16,000 followers on Twitter, and 5,000 followers on Facebook, Chuck has built a sizeable community on social media, where he regularly shares the latest happenings and updates from the cybersecurity industry.

He was named among The Top 5 Tech People to Follow on LinkedIn. He’s among the world’s 10 Best Cyber Security and Technology Experts, by Best Rated; in the Top 50 Global Influencers in Risk, Compliance, by Thomson Reuters; the Best of The World in Security, by CISO Platform; and IFSEC’s #2 Global Cybersecurity Influencer.

Chuck was featured in the 2020 and 2021 Onalytica Who’s Who in Cybersecurity as one of the top influencers for cybersecurity issues and risk management. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic; the Top Leader in Cybersecurity and Emerging Technologies by Thinkers360; and a Global Top 50 Marketer by Oncon in 2019.

Chuck has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.

Edited excerpts from the interview follow:

You’ve been named the Top Tech Person to Follow by LinkedIn. Would you like to tell our readers how you joined the cybersecurity industry and what your journey has been like as a leading influencer?

My journey as a cybersecurity expert and an influencer has been concentrated on four pillars: government, industry, media, and academia. In government, my journey in security first began as a senior legislative advisor to the late Senator Arlen Specter on national security, international, tech, and other issues. Next, I joined the Department of Homeland Security (DHS), where I was one of the first people brought on to help form the new agency. In my DHS role in government affairs, I had to keep abreast of policies, programs, budgets, and issues. But I also had to understand technologies to counter chemical, biological, radiation, and explosive threats (CBRNE), and learn about cybersecurity and interoperable communications. Back then, CBRNE was the prevailing concern, but homeland security quickly morphed into understanding cybersecurity threats from being digitally connected. I dove right into learning as much as I could on the subject matter and worked closely with leading experts from both government and industry from the outset.

After I left DHS several years later for the private sector, I kept my government networks active and continued to build my subject matter expertise on cybersecurity, technology, and policy. I served in executive roles relating to security for several major global corporations, including Xerox and General Dynamics Mission Systems.

The world of media has also been a passion for me as a cybersecurity and emerging tech evangelist. I serve as a contributor to FORBES and a Cybersecurity Expert Advisor to Yahoo and The Washington Post. I am also the Visiting Editor at Homeland Security Today. In the last couple of years alone, I have written well over 200 articles and have been a featured speaker at dozens of conferences, events, and podcasts on homeland security, cybersecurity, and emerging tech.

In academia, I serve as Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Risk Management Programs, where I teach courses on risk management, homeland security, and cybersecurity. I was an Adjunct Faculty Member at Johns Hopkins University, where I taught a graduate course on homeland security for two years. Teaching students who will be future leaders about cybersecurity is particularly gratifying.

In all, I enjoy being an influencer and sharing knowledge and insights on key issues, concepts, and policies relating to cybersecurity to everyone interested. What I want to accomplish as an influencer is to continue writing and speaking about the varied aspects of the topic and especially in educating others on how to help protect themselves. My advisory and board director roles with organizations and companies, and my role as a professor at Georgetown University are reflections of that passion and interest.

Cybersecurity has been a priority for most businesses; however, attack sophistication was amplified in 2021, and organized cybercrime groups profited due to the new normal of distributed work environments. Could you elaborate on some of the traditionally organized cybercriminal activities and their long-term impacts?

Several factors have transformed the cyberthreat landscape. Certainly, COVID-19 usurped the digital landscape and forced organizations to adapt to a remote working paradigm with little notice and preparation. Cybercriminals took advantage of security gaps and launched many successful attacks, and the number of breaches in 2021 has already surpassed the previous years.

Also, although it has been around for almost two decades, ransomware became a weapon of choice for hackers in the expanding digital landscape. The transformation of so many companies operating in a primarily digital mode had created more targets for extortion. And with the ability to get compensated in cryptocurrencies that are hard to trace, organized hacker gangs have taken advantage of the low-hanging fruit by exfiltrating data and holding it hostage to hospitals, municipalities, and critical infrastructure operators.

Another factor is the cooperation of cybercriminal gangs. They are being more collaborative and sharing both targets and sophisticated hacker tools on the dark web and dark web forums. There has been a consolidation of smaller hacker affiliates into larger hacker criminal families for a wide mix of attacks, including exploit kits, malware, and other coordinated activities, including hacking-as-a-service, and money laundering.

Also, threat actors, especially state-sponsored and criminal enterprises, have been investing some of their resources in emerging tech such as machine learning to employ more sophisticated means for discovering target vulnerabilities, automating their phishing attacks, and finding new deceptive paths for infiltrating malware.

Exploiting vulnerable supply chains has also been trending. Cyberattackers will always look for the weakest point of entry, and mitigating third-party risk is critical for cybersecurity. Supply chain cyberattacks can be perpetrated by nation-state adversaries, espionage operators, criminals, or hacktivists. Their goals are to breach contractors, systems, companies, and suppliers via the weakest links in the chain.

The bottom line is that as internet connectivity exponentially expands, so will the opportunities for attacks. Hybrid work environments, although more fortified, will likely still be successfully targeted by hackers who are collaborating and using sophisticated hacking tools. In the future, businesses and government must ramp up their capabilities to discover, monitor, and mitigate attacks, but that will not be an easy task.

Humans play a critical role in cybersecurity, and they’re often termed the “weakest link.” Cisco’s 2021 Cyber Security Threat Trends report reveals an alarming dominance of phishing attacks, accounting for 90% of data breaches. How can employers raise the bar in avoiding the exploitation of human behavior or psychology? And how can we have a better-integrated approach to security?

Humans certainly are the weakest link in cybersecurity. Usually because of negligence, but sometimes because of insider threats. The one consistent statistic I encounter every year is that phishing attacks account for most successful breaches. It is because phishing is easy to do for hackers, and it works. It used to be that you would get an email from a prince in a faraway land saying that he needs your bank account number to deposit funds. Now, a phish may appear to be a message from your boss, from a store where you shop, a bank, or even a friend. Hackers have come a long way in being able to mimic graphics and logos; they use social engineering to gain knowledge of your work, interests, and friend groups on social media platforms.

Companies can raise the bar by doing regular training with employees on how to recognize a phish. They need to teach the psychology of human behavior and where the vulnerabilities may lie in networks and devices from people. Gamification is a popular tool for that kind of training. Corporate programs need to include cyber hygiene, including strong passwords, multi-factor authentication, and incident response, as a part of their operational mission. Also, if they must, they can restrict who has access to databases and sites on the internet via identity and access management tools. For insider threats, monitoring aberrant behaviors can work, but it is a challenge.

While on the topic, do you think businesses should assess employees’ security performance/awareness while evaluating other KRAs/goals? And would it help reinforce the human firewall?

I am a strong believer in assessing security performance awareness because a breach may have major consequences for a business legally and operationally. For many small and medium businesses, a breach could be fatal to their flow of commerce, reputation, and ultimately their future. Reinforcing the human firewall through access controls is also sensible. The more that your security team can control and monitor, the better the likely outcome.

What are some of the emerging technologies in security? Would these generate opportunities and create challenges?

We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.

Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development, and investment. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency, and increased reliability, and will enable processing and analytics in real time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.

Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools. SolarWinds was more than a wakeup call for those realities.

Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

In addition to my previous question on emerging technologies, what are some of the AI and ML trends in cybersecurity that we can expect in 2022?

The core of AI smart capabilities is rooted in its subcomponent of machine learning, ML. AI is largely used to protect networks as well as increase data security and endpoint security. Some specific areas where AI technology will contribute to making cybersecurity smarter include:

  • AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
  • AI will impact Incident Diagnosis and Response capabilities. While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
  • AI will also enable better cyberthreat intelligence reports by analysts. Next year, analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. CTI reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect cyberthreats more rapidly.

AI and ML will be an enabler for cybersecurity for the foreseeable future. As the computational capabilities and digital complexity of global enterprises continue to grow, AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Tell us your top three cyberthreat predictions for 2022.

  • Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks. CI is a high-profile target for both geopolitical and economic considerations for hackers. This CI includes defense, oil and gas, electric power grids, health care, utilities, communications, transportation, education, banking, and finance. Protecting CI Industrial Control Systems (ICS), Operational Technology (OT), and IT systems from cybersecurity threats is a difficult endeavor. They all have unique operational frameworks, access points, and a variety of legacy systems and emerging technologies. Protecting the CI supply chain in IT and OT systems will be a public and private sector priority. A special concern for the supply chain is Third Party risk and visibility of partners in the chain. Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
  • Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring. 
  • The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices. IoT incorporates physical objects communicating with each other, including machine to machine and machine to people. It encompasses everything from edge computing devices to home appliances, from wearable technology to cars. IoT represents the melding of the physical world and the digital world.  They differ from conventional computers as they are highly specialized and usually small, both in physical size and computing capacity. A cybersecurity challenge of IoT is the lack of visibility and the lack of ability to determine if a device has been compromised and not performing as intended. The increased integration of endpoints combined with a rapidly growing and poorly controlled attack surface poses a significant threat to the internet of things. Protecting such an enormous attack surface is no easy task, especially when there are so many varying types and security standards on the devices. It will only get worse in 2022 as connectivity grows. 

Lastly, is there anything you’d like to add?

Thank you for allowing me to share some of my cybersecurity perspectives with your readers.


About the Author

Pooja Tikekar is the Sub Editor at CISO MAG, primarily responsible for quality control. She also presents C-suite interviews and writes news features on cybersecurity trends.


The post “AI and ML Will Be Enablers for Cybersecurity for the Foreseeable Future” appeared first on CISO MAG | Cyber Security Magazine.

Continuous Development of Cloud-Native Apps Makes Organizations Vulnerable https://cisomag.com/applications-may-have-to-be-redesigned-to-become-cloud-native/ Wed, 03 Nov 2021 06:54:37 +0000 https://cisomag.com/?p=20260

Businesses have had to relook their strategies and navigate the new normal at a pace unimagined. If one thing has been the centerpiece of the world’s technical response to the pandemic, it is the cloud. While the focus on cloud spiked, so did the cyberattacks targeting cloud services.

As security threats progressively turn sophisticated and complex, cloud security and compliance continue to be the biggest pain points. An integrated approach and understanding security responsibility are key to building a robust cloud security strategy.

Minu Sirsalewala, Editorial Consultant, CISO MAG, interacted with Sanjay Manohar, Managing Director, McAfee Enterprise India, to discuss how securing the cloud in 2021 is becoming a business imperative for business continuity. Manohar also addressed the ambiguity around the shared responsibility model for cloud security, the DevSecOps approach, and the security and compliance requirements.

Manohar, as the Managing Director of McAfee Enterprise India, is responsible for driving accelerated adoption of McAfee’s cloud products, enhancing enterprise-centric product revenues, and improving customer satisfaction across the region.

With a career spanning over 26 years, Manohar’s expertise encompasses sales management and marketing domains across South-East Asia, China, and Asia-Pacific markets. He has in the past held leadership roles at technology giants such as Akamai, Oracle, and Dell at a time when cloud solutions had just begun reshaping the global IT industry. Manohar is a performance-oriented team leader and is committed to building and managing high-caliber teams, functioning in complex environments.

His core strengths include go-to-market strategy and execution, supplemented by his expertise in the areas of SaaS, enterprise software, and networking.

Manohar holds an MBA from the Bharathidasan Institute of Management, a Bachelor of Science degree from Bangalore University, and is an alumnus of the Rashtriya Military School.

Edited excerpts of the interview follow:

As more on-premise applications are moving to cloud, is cloud-native security enough to secure enterprises leveraging complex, hybrid, and multi-cloud environments?  How can cloud-native be made more secure?

There has been an increase in the adoption of cloud, driven by the pandemic, and enterprise cloud usage has increased massively. A large percentage of valuable corporate data is today on cloud. However, there has also been a substantial increase in cloud threats – according to recent McAfee Enterprise research, there were close to 366,000 incidents in India in Q4 2020, with 3.1 million attacks on cloud accounts worldwide!

To ensure effective cloud-native security, a top-down approach to IT security could be beneficial. As cloud-native applications gain prominence, companies have realized that merging the related security responsibilities with their central security teams is the way to go. This evolution is driving a shift from a project-team-led bottom-up approach to a top-down approach for greater consistency across projects and environments. Apart from that, the automation of security practices via integration with DevOps could ensure that more cloud-native applications will be protected. The deployment of an integrated platform to protect cloud-native applications and infrastructure would make it more secure. Lastly, there is a considerable security maturity gap between cloud-native and non-cloud-native applications. As organizations gradually move to remote working and adopt IaaS and PaaS systems, increased investment in both cloud-native security tools and employee training will go a long way in bolstering security and ensuring that cloud-native becomes safer to use.

Cloud misconfiguration exploits are the Achilles’ heel of cloud security. Public and open cloud storage buckets are unmonitored; add to that PET technologies (encryption, authentication) that are difficult to automate, with unique protocols that each application requires. What cloud security solution is most effective?

By now, most organizations have realized that to ensure data security as they move to cloud, applications may have to be redesigned to become “cloud-native”. However, since cloud-native applications are continuously developed and deployed, and modern enterprises lack a way to measure cumulative risk, they are vulnerable to security breaches. Starting March 2020, there has been a massive expansion in outsider assaults on cloud frameworks. The sorts of assaults that agitators are following are recognizing the area of sensitive information, discovering how to take advantage of weaknesses in programming, and taking advantage of them to exfiltrate data.

What is the importance of security and compliance requirements such as data residency and administration access for adopting secured cloud technologies? Is it a driving force for the cloud security market?

Data residency and administration access are vital parts of cloud security for McAfee Enterprise. Depending on the industry an organization is in, it might have to comply with different regulatory frameworks. GDPR, PCI DSS, HIPAA, and HITECH are just a few compliance requirements that they must adhere to. While the ability to demonstrate compliance by meeting specific standards for business continuity and cybersecurity has become a necessity, it has also become a competitive advantage. Continuous compliance enables businesses to identify the risks and make sure they are never caught oblivious, while also being in a position to detect, react, and recover from a disruption. Not just that, compliance also helps an organization keep away from the precarious monetary and reputational cost of resistance.

Read the full interview in the December issue of CISO MAG.


About the Interviewer

Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.


The post Continuous Development of Cloud-Native Apps Makes Organizations Vulnerable appeared first on CISO MAG | Cyber Security Magazine.

Expert’s Take: Why Organizations Fail to Prepare for Cyberattacks https://cisomag.com/prepare-for-cyberattacks/ Tue, 26 Oct 2021 05:30:32 +0000 https://cisomag.com/?p=19963

Failure is not an option. This was NASA’s motto for the Apollo space and moon missions in the last century. It could well be the motto for organizations today, in the context of cyber readiness. We have an expert’s opinion on what organizations need to do to prepare for cyberattacks.

In an interview with Brian Pereira, Editor-in-Chief of CISO MAG, Le Nguyen Truong Giang, Global Security Operations Lead and Security Transform Consultant, outlines the various reasons why organizations let their guard down and fail to prepare for a cyberattack. He also offers recommendations on what to include in the incident response plan.

Edited excerpts of the interview follow:

Can you comment on the general state of cybersecurity awareness and state of readiness for a cyberthreat?

In the past, there were many statements like “cybersecurity is a shared responsibility” or “cybersecurity in the workplace is everyone’s business.” But most stakeholders didn’t know much about cybersecurity; they did not do enough to protect the business’ information assets. However, the increased volume of cyberattacks is a significant warning that every business is at risk of a cyberattack; they could be victims of a cyberattack or breach. As a result, there are collaborative efforts between government and industry to raise awareness about the importance of cybersecurity and to ensure that all stakeholders have the resources they need to be safer and more secure online. According to many data breach investigation reports, most cyberattacks were traced back to human errors. Obviously, CEOs, business directors, and managers want to keep their data safe or protect their business’ information assets against cyberthreats, so they have to educate their colleagues and create a workplace culture surrounding cybersecurity awareness.

In my opinion, most organizations have already acknowledged business risks related to cyberattacks, but they somehow lack the ability to identify, prevent, detect, and respond to cyberthreats. They are facing many difficulties, not only due to limited budgets for technology investment, but also due to a lack of well-defined processes for building and optimizing, and a lack of skilled security personnel.

What are some of the common causes for a failure to prepare for cyberattacks? Should this be blamed squarely on the leadership?

There are some common causes for a failure to prepare for cyberattacks. Organizations fail to set a top-down strategy to manage cyber and privacy risks. They fail to apply a governance framework to implement and monitor their controls. Senior leaders fail to engage or support cybersecurity programs; they fail to identify areas to prioritize technology investments; they fail to recruit a cybersecurity leader who has a deeper understanding of the complexity of cybersecurity.

The person they recruit must be capable of leading a team and managing cybersecurity programs that align with cyber risks and business requirements.

Business leaders also fail to create a culture surrounding cybersecurity awareness that benefits the entire organization. Further, undefined or not so well-defined processes could be a recipe for failure as well.

Of course, we should not blame it squarely on the leadership because cybersecurity is a shared responsibility; cybersecurity in the workplace is everyone’s business. However, leadership plays a crucial role in creating a robust plan for countering a cyberattack.

What are the steps to prepare a robust incident response plan or IRP?

Even though each business follows a different incident response plan, all IRPs possess the same fundamental components as they go through the same six-phase process. Each of these phases deals with a few specific areas of requirement, which must be fulfilled to create an effective incident response plan for your organization. These phases or steps are preparation, identification, containment, eradication, recovery, and lessons learned.

For instance, IBM Security prescribes six steps to build a robust incident response function:

  • Step 1 – Understand your threats, both external and internal
  • Step 2 – Build a standard, documented, repeatable IR plan
  • Step 3 – Proactively test and improve IR processes
  • Step 4 – Leverage threat intelligence
  • Step 5 – Streamline incident investigation and response
  • Step 6 – Orchestrate across people, process, and technology

Source: IBM Security

To ensure the success of the plan, firstly, we must have support from C-suite executives or key stakeholders who can empower the incident response team to act quickly and confidently during a crisis. Secondly, we must define roles, responsibilities, and processes for incident response. Lastly, we must have technologies and partnerships to enable autonomous and quick action.


About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved foundational certifications in cloud computing (IBM) and cybersecurity (EC-Council).

The post Expert’s Take: Why Organizations Fail to Prepare for Cyberattacks appeared first on CISO MAG | Cyber Security Magazine.
