Ashwin has been in cyber security for well over 15 years; holding various positions from post-sales delivery and implementations engineer to pre-sales team leader. He is a senior cyber security thought leader with extensive solution experience. As a member of Check Point’s Office of the CTO, Ashwin is a regular keynote speaker at global cyber security events, sharing real-world stories and security research to demonstrate the critical importance of striving for cyber resilience.
In this dynamic and in-depth interview, Ashwin Ram discusses strategies around prominent cyber security challenges. From evaluating the efficacy of your cyber security infrastructure to how you can reduce the cost of a data breach within your organization, this interview provides premium security insights.
What are you seeing in terms of attack trends around the world?
I remember being shocked at the number of cyber attacks Check Point had identified when I first started paying attention to attack trends about a decade ago. Unfortunately, these trends have shown no signs of slowing down. This year we see that organizations in the US have had to deal with a 70% year-over-year increase in cyber attacks. In EMEA, as of May 2021, our telemetry data shows that the average number of attacks that an organization faced per week reached 780, representing a 97% YY increase. Meanwhile, in APAC, there was a 13% increase in business-focused cyber attacks since the beginning of the year, with 1,338 weekly attacks per organization.
Alarmingly, the world has seen an incredible 93% increase in ransomware attacks in the last 6 months. What worries me is that threat actors have updated their strategy for ransomware attacks to now include monetizing the victims listed within the stolen records. We’ve dubbed this new evolution in ransomware attacks “triple extortion.”
The first case of this was witnessed against the Finnish psychotherapy clinic Vastaamo, where 40,000 patient records were stolen as part of a ransomware attack. The threat actors first demanded a ransom for the stolen data and another ransom for the encrypted systems. However, for the first time, threat actors also started reaching out to the users within the database; in this case, patients. Hackers demanded a ransom from them. The cyber criminals threatened to publish the patients’ therapy notes if the patients didn’t pay up.
The C-suite and board members must be made aware of these cyber trends. They must also support CISOs in their cyber security programs as well as accept frequent updates to cyber resilience strategies. The simple fact is that cyber criminals are changing their strategies frequently.
Can you share a bit about the Ponemon Institute’s 2020 Cost of a Data Breach Report?
The Ponemon Institute has brought to light the top attack vectors used by threat actors to compromise over 500 organizations between August 2019 and April 2020. They have also done a fantastic job of identifying various factors that impacted the cost of these breaches.
To identify the factors that impact the cost of a breach, the Ponemon Institute used an accounting method called activity-based costing. Within this framework, they discovered that the global average cost of a data breach is around $3.86 million USD. This cost is actually a little bit less than the cost of a data breach in 2019. However, don’t let that fool you; the report highlighted a growing divide in the cost of breaches between organizations that maintain strong security postures and those that have a limited cyber security maturity level.
CISOs and business executives should use the findings within this report to prioritize controls and processes within cyber security programs; firstly to take action on key focus areas to prevent highly impactful attacks, and secondly to ensure their program is geared towards reducing the cost of a breach in the event that a cyber attack was successful.
Many of the findings from the 2020 Cost of a Data Breach Report are in line with the findings from the Check Point Incident Response Team. The attack vectors used by cyber criminals are exactly what we see at Check Point.
One of the very interesting insights from our Incident Response team was that many organizations had deployed security controls to address the key vectors; however, post-breach analysis revealed that those security controls weren’t very effective. Attacks were successful due to misconfigured security policies or configurations that were not in line with vendor best practices, or security controls that simply weren’t effective in identifying and preventing the threats. This is why it is important for organizations to evaluate the effectiveness of controls. I always encourage organizations to regularly re-evaluate the effectiveness of their deployed controls and processes.
How much time does it typically take for an organization to identify and contain a breach?
It depends on the industry. For example, the healthcare, public sector, entertainment, retail consumer and the industrial sector all average more than 300 days when it comes to identifying and containing a data breach!
If we look at the average across all industries, it takes organizations 280 days. Sadly, this statistic no longer shocks many security professionals, and this is a problem because it means that our industry is now conditioned to accept this timeframe. You don’t need to be Einstein to work out that the longer a threat is in your environment, the more damage it can cause. The more advanced adversaries will try to understand their victims’ businesses first; they will move laterally from one part of the organization to another, trying to really ingrain themselves within critical systems like Active Directory. They will also try to understand key business processes, including 3rd party interactions.
The Ponemon Institute’s study found that the longer it took to contain a breach, the more it costs organizations in the long run. In 2020, for example, breaches with lifecycles of longer than 200 days cost roughly $1.12 million USD more than breaches found and contained in under 200 days. This is another reason why cyber resilience strategies must focus on implementing tools and processes to reduce the breach lifecycle.
How can organizations evaluate the effectiveness of their security controls and security policies?
There are a number of ways to evaluate the effectiveness of security controls and policies. Let’s focus on security controls first. Evaluating the effectiveness of security controls in a vendor bake-off is one option. However, this requires the right level of skilled security staff, time and it can be costly. An alternative option is to review independent tests by various 3rd parties. I recommend reviewing only 3rd party independent tests that have not been commissioned by a security vendor.
In addition, evaluate the number of security vulnerabilities each of your security controls has had over the last 5 years, and the time it took for the vendor to address these vulnerabilities. You want to understand the sense of urgency with which your vendor addresses potential security holes in their product. Remember, the time taken to remediate these vulnerabilities is the time your organization is exposed to cyber attacks. This is why a Vendor Management Program is essential. Penetration testing and red team testing must also be part of the evaluation processes used to validate security effectiveness.
In my days as a Professional Services Consultant, I’ve reviewed many security policies and configurations for organizations of all sizes, and it always amazed me how poorly security policies were configured, even in large enterprises. It’s critical that organizations have programs to reinforce the importance of security principles, such as the principle of least privilege, encryption, default deny, whitelisting, blacklisting and so on. Many years ago, I evaluated the security deployment of a very large service provider in Asia. This provider was attempting to build an IaaS platform. With no training, and very limited understanding of how the Check Point solution worked, they decided to bypass key elements that provided automatic validation of security policies. One of my findings revealed that the security policy they had implemented by mistake allowed anyone to access every resource their customers had deployed. This was a horrific security oversight, resulting from the security team not having the right level of skills.
The security team only tested to see if applications were available from the outside. They didn’t validate whether or not the deny rules were effectively configured. This is why organizations must have the right level of skilled staff and follow best practice. Even the best tools in the market won’t prevent simple attacks if they’re configured improperly. I also recommend implementing a security policy lifecycle management program. In addition, leverage tools that can automatically review security policies and make recommendations to ensure security best practices are continually recommended or enforced.
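An added illustration of the oversight described above (example code, not from the interview or from Check Point): a small first-match rule-base evaluator shows why a test that only asks "is the application reachable?" passes on a policy that accidentally allows everything, while a negative test for the deny rules, plus a check for shadowed deny rules, catches it. The rule format and the sample rule base are constructed for this example.

```python
# Added example: first-match policy evaluation with an implicit default-deny
# cleanup rule, plus positive (availability) and negative (deny) test cases.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # None means any port
    action: str          # "accept" or "drop"


def _match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; nothing matched means drop (default deny)."""
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst) and r.port in (None, port):
            return r.action
    return "drop"


def find_shadowed_denies(rules: List[Rule]) -> List[int]:
    """Indexes of drop rules that can never fire because an earlier accept
    rule already matches every packet (any source, any destination, any port)."""
    for i, r in enumerate(rules):
        if r.action == "accept" and r.src == r.dst == "any" and r.port is None:
            return [j for j in range(i + 1, len(rules)) if rules[j].action == "drop"]
    return []


# Constructed rule base: only the customer web tier was meant to be exposed,
# but a leftover "any any accept" sits at the top of the policy.
BROKEN = [
    Rule("any", "any", None, "accept"),
    Rule("any", "10.0.1.0/24", 443, "accept"),   # customer web tier
    Rule("any", "10.0.2.0/24", None, "drop"),    # customer database tier
]
FIXED = BROKEN[1:]  # the same policy with the stray rule removed


def availability_test(rules: List[Rule]) -> bool:
    """What the team in the story checked: can the public reach the web app?"""
    return evaluate(rules, "203.0.113.5", "10.0.1.10", 443) == "accept"


def deny_test(rules: List[Rule]) -> bool:
    """What they skipped: is the database tier unreachable from outside?"""
    return evaluate(rules, "203.0.113.5", "10.0.2.10", 5432) == "drop"
```

Both rule bases pass the availability test; only the deny test and the shadowing check tell them apart.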
As a threat prevention strategy, CISOs must ensure effective security controls are deployed to firstly prevent phishing emails, and secondly prevent corporate credentials from falling into the wrong hands. Both of these technologies exist, and I urge security program owners to spend time and understand how these controls can be deployed in their specific organization.
As CISOs and security program owners, a key question to address is, ‘Does our governance and assurance team have a process to validate these types of security oversights?’
Tell us about how organizations can enhance their social engineering threat prevention strategies?
Time and time again, we’ve witnessed social engineering and phishing attacks leading to hundreds of thousands of dollars in losses. According to the Ponemon Institute, the number one attack vector utilized by cyber criminals is compromised credentials. In other words, organizations are failing to prevent corporate credentials from falling into the wrong hands. It’s essential to implement effective anti-phishing controls.
One of the shortcomings in many cyber strategies centers around mobile security. With so many of our users now accessing and processing corporate resources on mobile devices, CISOs must have a strategy to prevent users from being phished through endpoint and mobile devices.
An interesting trend reported by the Check Point Research team last year was just how quickly cyber criminals changed their phishing campaigns based on the various stages of the pandemic. Initially, we saw criminals use the coronavirus-related confusion in communities as a theme for their phishing attacks. When some governments moved towards introducing stimulus packages, criminals quickly adapted their strategies to take advantage of this new theme. The main message here is that cyber criminals are updating their phishing campaigns rapidly to take advantage of the ‘news of the day’, so security awareness training must also be updated often. CISOs must focus on ensuring that users are educated on these new phishing campaigns; providing phishing campaign examples from two years ago will not be as effective as providing current campaigns.
Additionally, the culture of an organization plays a vital role in determining the effectiveness of their social engineering threat prevention strategies. Having the CEO and the entire C-suite champion cyber security is critical. A good way to test the effectiveness of your security awareness program is to ask random, non-cyber security staff, about who is responsible for cyber security in your organization. If the response is “everyone is responsible for cyber security,” you have a good culture going.
How can organizations reduce the cost of damage caused by phishing attacks?
Once a phishing attack, or any attack for that matter, has successfully breached your security defense, it is vital that the threat is remediated as soon as possible. This can help reduce the cost of damage. As I mentioned earlier, the number of attacks in every region has gone up; however, I’m sure the size of most cyber security teams hasn’t matched that same level of growth. The reality is that no matter how large SOC teams are, they will struggle to match the increased workloads. Many of the SOC teams I’ve spoken to are struggling to investigate and chase down every security incident. In fact, in the recent ‘Tale of Two SOCs’ report, commissioned by Devo, 78% of SOC analysts reported that working in a SOC is very painful. Three out of four SOC analysts reported that increased workload is the #1 reason for burnout. This increased workload means an increase in repetitive, mundane tasks, which increases the time it takes organizations to identify and contain breaches. This is why automating security controls and incident response processes is so important.
I highly recommend investing time in understanding how Security Orchestration, Automation and Response (SOAR) platforms can help automate most of these processes. I also recommend that CISOs work with HR, and leverage a key matrix to demonstrate the struggles of SOC teams to the C-suite, and to build a case for investing in security automation tools.
According to the Ponemon Institute, the number one factor in reducing the cost of a data breach is testing and validating an incident response plan. Actually, just having an incident response team goes a long way in reducing the cost of a breach, according to their findings.
With the majority of the world now working remotely, it’s vital to protect endpoints. Making sure your endpoint security can automatically prevent threats that start with phishing attacks and lead to ransomware must be on the top of every CISO’s agenda.
What other recommendations can you provide for organizations that broadly wish to reduce the cost of data breaches?
As I mentioned before, having an incident response plan is vital. Carrying out regular table-top exercises that include every member of the incident response team is important. The table-top exercise must be done under “new normal” conditions, where not every member of the incident response team is in the same room. Incident response teams must include members of the C-suite, HR partners, the legal team, the PR team and the SOC team, at the very least. Testing an incident response plan is so important that in Australia the government is now considering a law to mandate that certain sectors report results from table-top exercises on a regular basis.
Ensuring incident response plans are validated and fine-tuned by 3rd party incident response teams would be a wise idea, while red team testing, having an effective business continuity plan, and extensively using encryption to protect crown jewels have all been shown to significantly reduce the cost of a data breach. Security programs with heavy board involvement have also been shown to be a major contributing factor in reducing the cost of a data breach.
Anything else that you’d like to share with the Cyber Talk audience?
Factors that increase the cost of a data breach are just as important, so let’s focus on that. According to the ‘Tale of Two SOCs’ report, SOC teams were asked ‘What makes working in the SOC painful?’. Fifty-three percent stated complexity and chaos in the SOC. Interestingly, the ‘2020 Cost of a Data Breach Report’ also revealed that complex security systems were the number one factor that increased the cost of a breach.
Cyber security program owners must understand that throwing point products to address security gaps is not the answer to an effective cyber resilience strategy. Organizations will do well to decide on a security vendor and to consolidate as many of their security controls as possible.
The second element that increases the cost of a data breach is when organizations get their cloud adoption strategies wrong. The Check Point Incident Response teams have worked on an alarming number of cases related to cloud-based attacks, and it is still surprising to see how many organizations don’t have a way to visualize and secure their cloud assets. It’s essential that security program owners understand the pitfalls of moving to the cloud without appropriate visibility and controls, especially as organizations utilize serverless and containers, as breaches here are proving to be very costly. If you have a cloud adoption strategy, then cloud security posture management must be a non-negotiable.