New and emerging cyber attacks have become a major challenge for organizations of all sizes. Carbon Black is a cyber security company that leverages big data and analytics to help solve the challenges companies face. Its newly introduced predictive security cloud platform aims to transform cybersecurity by delivering next-generation, cloud-delivered security solutions intended to protect organizations from the most advanced threats.
Telecom Review interviewed Carbon Black's Head of Security Strategy, Rick McElroy, at GISEC, where he spoke about cybersecurity and how taking steps early in an attack can help not only minimize damage but also prevent future attacks from happening.
What are you showcasing here at GISEC and why GISEC?
We believe in investing in the market, as we have had 300% growth year over year in this market and we have lots of big customers, so part of that is making sure we're available for them.
We have also launched a number of product offerings over the last year and the last few months, so making sure that people are current on the offerings is key. We did a number of sessions at GISEC to bring that education out and help people mature what they're doing, and of course we launched our global threat report as well, which has been great.
Could you tell me more about the global threat report which you published this year?
Our global threat report is compiled from our partners. We give our technology, our hunt tool, away to incident responders that work on all the major breaches in the world. Chances are, when you see a major breach, our technology has been deployed to figure out what happened, and we aggregate all of that data. So what does that mean? You see a lot of threat reports that come out, like Symantec's and Verizon's, and you'll hear things like 'the attackers were on the network for 200 days or a year or two'. We feel like our data gives us the ability to answer the 'whys' behind that. So what were the attackers doing? How did they get into these systems? How did they go unnoticed? We then try to disseminate the information out to the community so people can build better defenses against it.
Did you find anything new in your report this year which you didn’t find last year?
I wouldn't say new, but there are some alarming trends. Certainly a 32% increase in destructive attacks. A destructive attack could be anything from wiping logs on an endpoint, deletion of backups, deletion of the system itself, or actually taking the system out; it has been pretty concerning. Organizations out there are not only going to need to make sure that they have the visibility to see those attacks and prevent them, but they're also going to need to make sure they have backups and that they've tested their restoration process, so that in the event that they do get hit by ransomware or a destructive attack, they can return the state of that system back into production.
Could you tell me more about the role you’re playing as a company in the digital transformation?
We believe in security by design. We have had a number of conversations with existing customers and prospects, and then we do a lot of educational talks on how to build that future and do it securely; there are a number of different ways to do that. There are technologies to help companies ensure that as they're writing code, that code is checked for vulnerabilities and those vulnerabilities don't end up in consumer products or new mobile apps.
We are also big believers in having the right visibility into what the attackers are doing. So being able to understand the attacks that would hit that platform, and being able to build the visibility into that, can allow you to see the attacks sooner.
Most technologies out there are waiting for the execution of the attack, which is either a cyber criminal or a hacker taking your data out of that environment. Our technology and philosophy is that we should push that way upstream, because there are a number of different things that attackers do along the way that inevitably end up with the organization being breached. So if you build your defense with that in mind, you'll see the attacks sooner and you'll see them before the impact actually hits your data.
In your opinion, how should organizations address the growing global threat landscape and how can they restore balance after an attack?
Assume you've been breached. If you start to build your defenses with the assumption that someone is already inside your systems, that lends itself to things like what we call threat hunting. Threat hunting is a proactive practice where humans go out into the data and look for the indicators of compromise and the patterns of attack, because a lot of the technology out there isn't detecting this stuff. We know it's not detecting or stopping it because last year registered the largest number of records that were breached, and the year before that also saw the largest number of records breached. So year over year, we are exceeding the previous year in the number of records breached.
Therefore, that tells me teams don't have time to tune the solutions that they have, and in a lot of cases the solutions they do have are not catching that stuff. If you can build a threat hunting practice that proactively goes out there and searches for these things in your data sets, and collect the right data, that actually drives a number of different changes in your program.
Sometimes you'll find bad actors and things you didn't know about, and sometimes you'll just find gaps in current controls or what you've deployed, like maybe you need better segmentation in your network or maybe you do need to buy a better product. But in either case, if you make the assumption that you've been breached, you're going to start to build your defenses differently, instead of building them from the outside in, which is what most companies do: 'I start at the firewall and then I get to the endpoint.'
We believe that data lives on endpoints; it lives on laptops, servers and desktops, and that's where you see the huge rise in dissipation of bad actors, so companies have to make sure they're proactively going through that.
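The two points above, the destructive-attack indicators named earlier (wiping logs on an endpoint, deleting backups) and the threat-hunting practice of going out into the data to look for patterns of attack, can be illustrated with a small hunt. The following is an added example written for this article; it is not Carbon Black's hunt tool or any product code. It runs over constructed endpoint events, and the action names, hosts and the 30-minute correlation window are assumptions made for the example, not a real event schema.

```python
"""Added example (not from the interview or Carbon Black): hunt constructed
endpoint events for destructive-attack indicators and correlate them per host,
so that log wiping followed by backup deletion ranks higher than either alone."""
from collections import defaultdict
from datetime import datetime, timedelta

# Destructive actions the interview lists; the action names are assumptions
# made for this example, not a real product's event schema.
DESTRUCTIVE_ACTIONS = {
    "log_cleared": "security/event log wiped on endpoint",
    "backup_deleted": "backup or shadow copy deleted",
    "system_wiped": "system volume or OS deleted",
}

# Two distinct destructive indicators on one host within this window -> high.
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (not real data): ws-01 is normal, srv-02 has
# logs cleared and backups deleted four minutes apart, srv-03 has one indicator.
SAMPLE_EVENTS = [
    {"ts": "2019-04-01T09:00:00", "host": "ws-01", "action": "file_opened"},
    {"ts": "2019-04-01T09:05:00", "host": "ws-01", "action": "process_started"},
    {"ts": "2019-04-01T02:10:00", "host": "srv-02", "action": "log_cleared"},
    {"ts": "2019-04-01T02:14:00", "host": "srv-02", "action": "backup_deleted"},
    {"ts": "2019-04-01T11:00:00", "host": "srv-03", "action": "backup_deleted"},
]


def hunt_destructive(events, window=CORRELATION_WINDOW):
    """Return findings sorted by severity (high first) then host name.

    Each finding: {"host", "severity", "indicators", "first_seen"}.
    A single destructive indicator on a host is 'medium'; two or more distinct
    indicators on the same host inside `window` are 'high', because covering
    tracks and then removing recovery options is the pattern to catch early.
    """
    per_host = defaultdict(list)
    for ev in events:
        if ev["action"] in DESTRUCTIVE_ACTIONS:
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["action"])
            )

    findings = []
    for host, hits in per_host.items():
        hits.sort()  # chronological order; tuples sort on the timestamp first
        severity = "medium"
        for i, (t_i, a_i) in enumerate(hits):
            for t_j, a_j in hits[i + 1:]:
                if t_j - t_i <= window and a_j != a_i:
                    severity = "high"
        findings.append({
            "host": host,
            "severity": severity,
            "indicators": sorted({action for _, action in hits}),
            "first_seen": hits[0][0].isoformat(),
        })

    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in hunt_destructive(SAMPLE_EVENTS):
        detail = ", ".join(DESTRUCTIVE_ACTIONS[a] for a in f["indicators"])
        print(f["severity"].upper(), f["host"], detail, "first seen", f["first_seen"])
```

The per-host correlation is the point: a single backup deletion may be routine maintenance and warrants a medium-priority look, while a cleared log followed minutes later by a deleted backup on the same host is the sequence a hunter wants surfaced first. In practice the event list would come from endpoint telemetry rather than an inline list, and the action vocabulary would be mapped from the real sensor's schema.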
Could you tell us about what ‘Island hopping’ is?
Island hopping is actually a term that came from WWII. It is what the US Marines and Navy called the campaign to get to mainland Japan from the US. Our planes couldn't fly that far, our boats would have been at risk, so what they did was take an island at a time to end up in a position to end the war.
In a very similar sense, this is what is happening in the cyber world. You have major corporations and major brands that have supply chains, and we are all interconnected. We may do business with a supplier, we all rely on clouds and all of that good stuff to provide our services, so what attackers understand is that this company may be spending a lot of money, has good people and good technology, and is very expensive to attack directly; it is way less expensive to go after their supply chain. So what you'll see attackers do is go after these smaller supply chain providers, get into their environments, learn about how they do business with a large organization, and then leverage all of that along with things like business-to-business VPNs, whose traffic is hard to inspect and which you genuinely trust because it's a partner of yours that you paid to do business with, and then they pivot into that network.
What we've seen is that 50% of the attacks that were investigated leveraged island hopping as a way to get into these brands. So for organizations out there, the big takeaway from that is that it is going to be about brand protection, and sometimes, to protect their own brand, they may need to think about extending services out to some suppliers who can't afford to do that; in the States we've certainly seen large entities do that.
Lots of security companies out there do recognize this trend in island hopping, but for us, I think it's the first time we've been able to get data from hundreds of incident responders out there. Our hunt tool was deployed over 500 times in the last year, and when you look at that data set we can say that a lot of that other stuff isn't correct, because the bad is still landing on the endpoints.
Malware and cyber attacks are still occurring, so why would I believe a technology vendor that is looking at everything through their own optics for data? This is independently sourced from multiple companies from across the globe, so we feel like it represents a better sense of the actual truth out there on what's occurring.
What are the problems and gaps in the industry with regards to cybersecurity at the moment?
There's a ton. I would say we don't have enough people; that's the largest problem that we have. Even when we do find people we still have a huge problem, because the few people that we do have work long hours and they're not taking vacations. A recent survey by Nominet showed that most CISOs across the globe are working more than 40 hours a week and working weekends, and what that's leading to is a 38% decrease in the industry from people who just quit and go do another job. That's number one; number two is funding. You still see organizations out there and governments that are under-investing. So I think those two coupled together are a massive problem.
On the technology side, vendors haven't really adapted to the way attackers have been working. So that's something that organizations are going to need to do: be able to test and validate the solutions in a way that drives them to be better.
What do you hope to achieve by the end of 2019?
It would be great to achieve our vision, which is creating a world safe from cyber attacks. But I think for our organization, along with delivering best-of-breed technology that really makes the job of the defenders easy, that's really what we're trying to do. It's to simplify security operations, so that with fewer people you can do more. Personally, for me, a large part of that is getting out and educating people on the realities and what we call the cyber truth; essentially cutting through all this noise that happens at conferences and really trying to get with defenders to help them.
A big part of my role is helping organizations and defenders understand how they're doing security operations, working on maturing that, and then adding things like automation and orchestration.