Jeff Schwartz is the VP of Engineering, North America, for the global cyber security company Check Point Software. He manages a team of roughly 200 engineers across multi-disciplinary fields, and he’s responsible for all security engineering resources across a $1 billion portion of the business in North America.
Over his 20-year career in cyber security, Jeff has consulted, designed, and overseen the implementation of the largest network security deployments across all industries, and throughout both the Fortune 500 and major government agencies.
Confronting the ransomware reality can be tough. In this interview, get the inside scoop from Vice President of North America Engineering for Check Point Software, Jeff Schwartz, who dives into ransomware trends as observed by security professionals, ransomware misperceptions, points of security improvement, ransomware isolation, analytics, and more.
Although attackers are exploring new ways to disrupt organizations, compromised computers, million-dollar payouts, and chaotic contingency plan executions do not have to be a part of your future. These insights can help you bring a new level of preparedness and resiliency to your organization.
Would you be able to provide a brief update on the state of ransomware?
We’re seeing more targeted and intensified attacks, perhaps of shorter duration, but the impact is as great as it’s ever been. What we’re seeing is that there are specific attack groups of threat actors, most of whom are quite sophisticated and very likely part of nation-state sponsored organizations.
Tell us about common misperceptions that you’re currently seeing in relation to ransomware?
The biggest misperception is that good enough security is good enough. While it’s true that some security is certainly better than nothing, there are two issues with this. One is that most endpoint solutions don’t provide thorough preventative and recovery capabilities when it comes to ransomware. And secondly, we’re seeing vast increases in ransomware across IoT and the internet of medical things, which are generally unsecured from ransomware.
How can cyber security professionals broadly improve ransomware protection?
So there are actually three areas that are important where organizations can produce better outcomes in relation to ransomware.
1. More thorough and strict adoption of zero trust principles. So, specifically creating containment zones around the smallest “atomic element” of what they would consider critical to contain and that can be operationally maintained. We see this as greater adoption of microsegmentation and things like smart NICs. The capability to provide host-level and service insertion-based inspections that allow for much more granular enforcement of security controls. Those are all very good things. And we’re seeing organizations adopt them. But increasing adoption is an important element there.
2. The second area is to leverage a service provider or some organization for managed detection and response or MDR. It’s important to have someone outside the organization that’s familiar with the environment and has an understanding of the infrastructure that can provide real-time or near real-time expertise in the face of an event.
3. The third area is around the use of better security solutions. I think there’s a perception of commoditization about some security capabilities in the market. While some solutions claim to provide ransomware recovery capabilities, many of them leverage a feature within Windows, called Shadow Copy, as the primary vehicle for restoration. The problem with Shadow Copy is that it’s the first process that ransomware looks to disable upon infection of a victim host, which renders these solutions completely ineffective. In an organization of even moderate scale, a 1% difference in security efficacy can result in huge differences in operational outcomes. When you dig into the qualitative differences of the various solutions, organizations will find that better solutions do provide better security outcomes.
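The Shadow Copy point above has a defensive corollary: if recovery depends on local shadow copies, the commands that remove them are the signal that the restore path is already gone. The following is an added example, not code from Check Point or from the interview; it scans constructed Sysmon-style process-creation events (invented sample data, assumed JSON-lines format) and raises an alert for shadow-copy removal so responders can isolate the host and fall back to off-host backups.

```python
import json
import re

# Constructed process-creation events (Sysmon-style, reduced to JSON) for the
# example; they are invented, not telemetry from any real host.
SAMPLE_EVENTS = [
    {"host": "ws-17", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\report.txt"},
    {"host": "ws-17", "parent": "cmd.exe",
     "cmdline": "vssadmin list shadows"},            # benign admin query
    {"host": "ws-23", "parent": "winword.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-02", "parent": "powershell.exe",
     "cmdline": "wmic shadowcopy delete"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json at all\n"

# Command-line patterns that remove or shrink Volume Shadow Copies
# (MITRE ATT&CK T1490, Inhibit System Recovery). Merely listing shadows is not matched.
SHADOW_TAMPER_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
]

def classify_cmdline(cmdline):
    """Return the matching tamper label, or None if the command line is benign."""
    for pattern, label in SHADOW_TAMPER_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None

def find_shadow_tampering(log_text):
    """Scan newline-delimited JSON events; return one alert per tampering command.

    An alert means the host's own restore point is being destroyed, so the
    response is isolation plus restore from off-host backups, not reliance on
    an endpoint product's Shadow-Copy-based rollback."""
    alerts = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the pipeline
        label = classify_cmdline(event.get("cmdline", ""))
        if label is not None:
            alerts.append({"host": event["host"], "parent": event.get("parent"),
                           "technique": label})
    return alerts

if __name__ == "__main__":
    for alert in find_shadow_tampering(SAMPLE_LOG):
        print(alert)
```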
How can security professionals catch a ransomware attack before it starts?
This is why better prevention is critical. Most organizations have relatively flat networks internally. This is an important factor in why attacks can so freely move across a network from one area to another. There are two characteristics of providing better preemptive enforcement (or prevention):
1. Many diverse engines are needed to provide inspection across mobile, endpoint, workload, cloud and network.
2. Better threat intelligence, so those engines can provide thorough, accurate prevention without impacting “business as usual” traffic.
What role do analytics play in advancing ransomware prevention/defense and how can organizations leverage this?
So analytics are important, but predominantly in two areas. One, to find corner cases that wouldn’t otherwise be prevented by solutions that you’re already leveraging and two, to provide visibility in areas where more proactive preventive controls can’t adequately be implemented. So IoT is one example of this where having an on-device preventative control is very often problematic, especially in healthcare institutions, where the IoT device may be running outdated firmware that can’t be updated due to FDA regulations, for example. Being able to have analytics and visibility into areas where strict enforcement cannot be provided is critical.
What else needs to change in order for everyone to more effectively combat ransomware?
I think that continued vigilance and adherence to best practices (like zero trust and managed detection and response capabilities), and having a tested, validated backup and restoration process, solve a big piece of the problem. Of course, backups don’t address the fact that you were compromised; nor do they mitigate the source of that compromise. However, operationally, they give you the resources to get back up and running more quickly.
The US is offering $15 million for information about the Conti ransomware group. Your thoughts?
This is a real-world example of what I mentioned earlier; specifically, that attacks are appearing in a more intensified, directed fashion from sophisticated threat actors. We saw the same thing last year with Darkside Ransomware-as-a-Service attacks against Colonial Pipeline and the roughly 70 other compromised organizations. Darkside went underground but reconstituted themselves and came back as Dark Matter. We anticipate that these types of attacks will continue and more than likely will increase with these highly sophisticated threat actors.