Lari Luoma has over 20 years of experience working in the fields of security and networking. For the last 11 years, he has worked with Check Point Professional Services as a security consultant helping customers worldwide implement best-in-class cyber security. He is a subject matter expert in hyper-scalable security solutions.
1. In your line of work, what are the top cyber security concerns that keep coming up in conversation?
Many organizations have a mix of different vendors and technologies that do not always work together or can cause problems because they have all been installed inline. Making changes in one vendor can cause unexpected issues on another vendor’s technology, causing traffic outages. Availability is one of the key components of the CIA triad that we, as security professionals, should be concerned with. Having a single pane of glass, consolidating and automating security operations would significantly improve your security posture.
2. Would you recommend a prevention-first based framework to CISOs, and if so, why?
Absolutely! If your security devices are in detect mode, it is like watching in a monitoring room when someone steals your goods, but no one is there to prevent it from happening. In the best case, you will get some blurry videos and can only hope that law enforcement will catch the thieves one day. However, with prevention, you have guards in the store and have the most valuable items behind locked doors. Using a similarly strategic mindset, you should protect your data. With the prevention-first framework, you can sleep at night without needing to worry about someone stealing your data. They could try, but the system would prevent it automatically and record data for you that will help in catching the criminals.
3. How does a prevention-first approach better support security objectives than detection alone?
When the attack is prevented, it will not enter your network at all. If you still get infected by malware, you can prevent it from activating and isolate the infected machines for faster remediation.
4. For organizations that are newer to cyber security, what are key ways to drive security prevention initiatives?
A. Understand the key assets you need to protect most
B. Automate as much of your security operations as possible
C. Prevent users from downloading and opening malicious links and files
D. Segment your network to prevent malware from spreading
E. Handle cloud security in the same way as you would on-premises. Native cloud security controls are not enough to effectively protect your environment.
5. What are the top ways to advance security prevention initiatives within established security configurations? What should the CISO of a high-profile decades-old organization work on?
- Review and optimize your firewall rules. In old environments, it is typical that there are many rules which were initially created as temporary rules 10 years ago, but they are still there. Rules might also be too open.
- Consolidate all of your cyber security into one pane of glass
- Upgrade your security infrastructure and make sure it has the latest patch levels installed
- Use IPS instead of IDS
- Users are the easiest attack vector. Protect them from phishing and getting malware.
- Enable multi-factor authentication to your internal services
- Automate whatever is possible to automate
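As an added illustration of the rule review in the first bullet above (example code written for this page, not Check Point's or the interviewee's), a small Python audit over a constructed rule base that flags accept rules which are wide open, labelled temporary, or left unreviewed for years; the field names, the constructed rules and the thresholds are assumptions.

```python
import re
from datetime import date

# Constructed sample rule base (not taken from any real firewall).
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "10.20.0.5", "svc": "tcp/443",
     "action": "accept", "comment": "web app", "created": date(2022, 3, 1)},
    {"id": 2, "src": "any", "dst": "any", "svc": "any",
     "action": "accept", "comment": "TEMP for migration", "created": date(2013, 6, 10)},
    {"id": 3, "src": "192.168.1.0/24", "dst": "any", "svc": "any",
     "action": "accept", "comment": "vendor access", "created": date(2015, 1, 5)},
    {"id": 4, "src": "any", "dst": "any", "svc": "any",
     "action": "drop", "comment": "cleanup", "created": date(2012, 1, 1)},
]

STALE_YEARS = 5                                  # assumed review interval
TEMP_WORDS = {"temp", "temporary", "tmp", "test"}  # assumed "temporary" markers


def audit_rule(rule, today):
    """Return a list of findings for one rule; only accept rules are flagged."""
    findings = []
    if rule["action"] != "accept":
        return findings
    # Too open: two or more of source/destination/service are unrestricted.
    open_fields = [f for f in ("src", "dst", "svc") if rule[f] == "any"]
    if len(open_fields) >= 2:
        findings.append("too open: " + ", ".join(open_fields) + " = any")
    # Temporary rules that were never removed: match whole words in the comment.
    words = set(re.findall(r"[a-z]+", rule["comment"].lower()))
    if words & TEMP_WORDS:
        findings.append("labelled temporary")
    # Rules nobody has looked at for years.
    age_years = (today - rule["created"]).days / 365.25
    if age_years >= STALE_YEARS:
        findings.append(f"unreviewed for {age_years:.0f} years")
    return findings


def audit_rulebase(rules, today):
    """Map rule id -> findings for every rule that has at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, today)
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit_rulebase(RULES, date.today()).items():
        print(f"rule {rule_id}: " + "; ".join(findings))
```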
6. What have you seen in the real-world that can speak to the value of prevention?
We have seen several successful ransomware attacks in the last couple of years. An attacker usually gains access because users have clicked a malicious link or opened a malicious document. After the infection, the malware has collected a lot of sensitive information from the organization’s internal systems and sent it to the criminals. Eventually all of the organization’s critical data has been encrypted, including the backups. All of this could have been prevented by blocking users from clicking malicious links or opening infected attachments, preventing command and control connections to known C&C servers by segmenting the network and automatically isolating infected hosts.
7. Given the nature of ransomware, is prevention perhaps overly optimistic?
No, it’s not too optimistic. A few simple rules:
- Prevent users from launching ransomware through the accidental opening of malicious files or accidental clicking of malicious links
- Patch your servers and applications
- Use IPS
- Block connections to known C&C sites
- Use multi-factor authentication to internal services
- Establish a SOC and use a security operations platform that immediately detects infections and isolates the infected machine
- Use anti-ransomware in users’ endpoints
- Segment networks to prevent malware from spreading east-west
- Take regular backups of your critical data and store them in a separate security-controlled segment
8. What should technology leaders know about circumnavigating prevention-related stumbling blocks?
Many leaders are worried that the prevention-first technologies would cause a lot of false positives and legitimate traffic outages. The number of false positives can be minimized when planning the deployment well and making sure that the applications and network support it. You should recognize your older non-standard applications that might cause false positives. Asymmetric routing in your network could also be a cause of issues, etc.
9. How can cyber security prevention and detection complement one another, if at all?
A security incident must first be detected before it can be prevented. XDR/XPR (Extended Detection/Prevention and Response) are good examples of this. Based on AI technology and cross-correlation, XDR/XPR delivers automated prevention and prevents attacks from quickly expanding within your environment.
10. How is Check Point pioneering innovation when it comes to prevention-first security?
Check Point Horizon is the next-generation prevention-first security operations platform (XDR/XPR) designed to simplify SOC team operations and automate prevention of cyber incidents. Horizon XDR/XPR takes action when it sees an event, like a malicious e-mail, and correlates the events over time and across your security estate so that you can stop attacks.