Much has changed since the inaugural e-Crime Congress in London twenty years ago, not least how cybersecurity is perceived. 

It’s an important topic that is now not just on the boardroom agenda but has a seat at the table as part of the C-suite. The general consensus at this year’s event, however, was that this awareness needs to go even further in order to permeate the organisation.

Human security

In her session entitled ‘Building the UK as a global responsible cyber power’, BAE CISO, Mary Haigh, explored the problem of sharing expertise and argued it needed to be regarded as a scalable resource. She said it was down to the private sector to use training and mentorship to upskill staff, particularly in light of current skills shortages, and that this could significantly increase cyber resilience. She also thought that the C-suite needed to become more vocal and promote responsible cyber practices.

But for Ed Bishop, CTO and co-founder of Tessian, the human is still the weak link in the chain. In his session, ‘Why human layer security is the missing link in enterprise security’, we heard how 31% of all external attacks originate from phishing emails. Training exercises that aim to educate staff and stop phishing attempts aren’t working, he insists, and this means that as the organisation expands, so too does its attack surface. To counter this, Bishop proposed “human layer security practices” whereby a unique security identity is assigned to each employee that automatically detects and prevents threats. This uses human communication patterns and behaviour to continuously improve the security reflexes of personnel over time.

Where the risks lie

The way we work is also changing, and Jonathan Lee, Senior Product Manager for Menlo Security, thought cybersecurity must adapt to the new paradigm. He said employees now spend 75% of their time in a browser, and this has a knock-on effect when it comes to defence, since the firewall is no longer as relevant as it once was.

In his session ‘HEAT attacks: Examining the next class of highly evasive, adaptive web threats’, Lee explained how HEAT attacks are designed to evade current methods of detection. HTML smuggling, for instance, sees malicious files assembled by JavaScript embedded in the HTML at runtime, which means that the secure web gateway scanning the benign-looking page detects nothing (it’s also possible to delay the code execution until after this inspection). Such techniques mean it is increasingly commonplace for legitimate websites to be compromised and used to host malware, rendering IP reputation detection useless.

Another practice on the rise is the creation of malicious websites that use longer and more specific search terms, warned Lee, which effectively propel them to the front of search engine results. Botnets are then used to generate traffic and keep them there, enabling these sites to ensnare unsuspecting users who then become infected with malware.

The deperimeterisation of the enterprise and remote working has effectively seen us become hyperconnected, claimed Raghu Nandakumara, Head of Industry Solutions at Illumio. This, compounded by a rise in more targeted attacks such as ransomware, is making cybersecurity more challenging, leading 59% of cyber professionals to agree that the job is getting harder. The feeling overall was that security needs to identify different dimensions of risk and dedicate more effort to dealing with high-risk threats that can have serious consequences.

Ransomware has exploded during the course of the pandemic, with the Ransomware-as-a-Service industry now estimated to be worth in excess of $1bn. Oakley Cox, Director of Analysis at Darktrace, said in his talk ‘Stopping Ransomware with autonomous response’ that the average dwell time of ransomware is 10-12 days and that enterprises are struggling to deal with these attacks because they are not responding in real time at machine speed using AI.

Cox suggested that self-learning AI may hold the answer because it has the ability to pull data from the entire digital estate and doesn’t need to rely on baselining or historical data. No longer bogged down by precedents or prescribed response paths, this AI can respond more quickly based purely on any unusual behaviour present in the business data, reducing triage time by up to 92%.

In reaction to these and other pernicious threats, we’ve seen the rise of the concept of Zero Trust, which effectively treats all access requests as suspicious until proven otherwise and enforces the concept of least privilege to restrict access. Nandakumara pointed to the federal mandating of zero trust by President Biden in the USA and suggested it must become the de facto approach, denying access by default and only allowing access once a request has been verified by a method such as multi-factor authentication (MFA).

But Haigh suggested that, while the responsibility for managing risk is shared across all strata of society, the role of government is to create and promote cyber standards that drive risk reduction rather than endorse any one approach. It was a topic further explored in the ‘Getting regulation right’ panel session, in which the participants declared the private sector is reluctant to engage with officials because regulations are seen as punitive. It was suggested more collaboration was needed and that, rather than being controlling and supplier-prescriptive, regulations should be outcome-based and focus on what the sector is trying to achieve.

Cloud considerations

The hot topic in another panel session – ‘CISO priorities for 2022’ – was cloud security. Asked if concerns over cloud security had been exaggerated, the panel said no, but they had been misconstrued; it’s not that the cloud is less secure but that it requires a different approach. The main risk comes from user error, such as misconfiguration, the lack of visibility and the ephemeral nature of the cloud, which can see data security treated more casually.

Understanding and managing what is in the cloud remains a major challenge, particularly given that responsibility remains a grey area. (Many are still determining whether securing data in the cloud falls under the remit of the Cloud Service Provider or the business.) As a result, businesses are now more sensitive to data being put into SaaS solutions, with teams looking for more ownership and control by demanding full access rather than just a cloud administrator account.

The panel also referred to the rapid pace of change and the problems this is causing, such as contracts with SaaS vendors and CSPs becoming unfit for purpose before the contract expires.

Such issues are driving the need for greater visibility in the cloud and cloud-native security solutions. At our own session, ‘Observability: A data-driven approach to cloud security’, we explored what makes cloud challenging to secure and the need for an organisational approach to security, as outlined in our blog 

Adopting a pragmatic six-step process such as this can increase control in a number of ways. Conducting an inventory of assets, for instance, as part of a Cloud Security Assessment can give instant insights into what sits in the cloud and how it is secured. Cloud Security Posture Management (CSPM) can allow misconfigurations to be detected and even prevented by spotting them in infrastructure as code (IaC) before that code is spun up into live infrastructure. And perpetually monitoring the cloud using automated cloud-native solutions can alleviate the skills shortage that is currently seeing teams suffer from a lack of cloud knowledge and expertise.
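To show what the CSPM-on-IaC step above looks like in practice, here is an added example (not code from this post or from any vendor it names) that evaluates a constructed, simplified Terraform-style plan before it is applied; the plan shape, the resource names and the two rules are assumptions for illustration, not a full posture rule set.

```python
# Added example, not the post's or any named vendor's code: a shift-left posture
# check over a constructed plan whose shape loosely mirrors `terraform show -json`.
import ipaddress

# Constructed sample plan: SSH open to the world, SSH restricted to a private
# range, and a bucket ACL granting anonymous read.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group_rule.ssh_any", "type": "aws_security_group_rule",
     "change": {"after": {"type": "ingress", "from_port": 22, "to_port": 22,
                          "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_security_group_rule.ssh_vpn", "type": "aws_security_group_rule",
     "change": {"after": {"type": "ingress", "from_port": 22, "to_port": 22,
                          "cidr_blocks": ["10.20.0.0/16"]}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"after": {"acl": "public-read"}}},
]}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expose to the whole Internet

def _is_world_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def check_sg_rule(after):
    """Flag ingress rules that expose an admin port to a world CIDR."""
    if after.get("type") != "ingress":
        return None
    ports = range(after["from_port"], after["to_port"] + 1)
    world = [c for c in after.get("cidr_blocks", []) if _is_world_cidr(c)]
    if world and ADMIN_PORTS.intersection(ports):
        return "admin port %d-%d open to %s" % (after["from_port"], after["to_port"], world)
    return None

def check_bucket_acl(after):
    """Flag canned ACLs that grant anonymous access."""
    acl = after.get("acl", "private")
    return "bucket ACL %r grants anonymous access" % acl if acl.startswith("public") else None

RULES = {"aws_security_group_rule": check_sg_rule, "aws_s3_bucket_acl": check_bucket_acl}

def evaluate_plan(plan):
    """Return (resource address, finding) pairs; an empty list means the plan passes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        check = RULES.get(rc["type"])
        msg = check(after) if check and after else None
        if msg:
            findings.append((rc["address"], msg))
    return findings
```

Wired into a pipeline, a non-empty result from `evaluate_plan` fails the job, so the misconfiguration is stopped at the plan stage rather than found later by runtime scanning.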

We saw particular interest in the cloud-native technologies we offer from C3M while we were at the show but were also asked about Cribl’s abilities to manage data more efficiently in data analysis platforms and how Threatstatus can hunt for compromised credentials and help head off lateral attacks. If you’d like to explore any of these technologies or to discuss the issues highlighted above, do reach out to us.