TRANSCRIPT

New Trends in Security Threats

Advice for CSOs on what they need to be asking their security vendors and how to protect against security threats
Executive Summary

Recently Dark Reading sat down with Leo Taddeo, Cryptzone CSO and former FBI Special Agent in Charge of Special Operations. They discussed new trends in security threats, whether adversaries are becoming more sophisticated, why prevention rather than detection strategies are needed, and the evolving security threat landscape. Leo also discussed what drew him to Cryptzone and how we help customers prevent adversaries from exploiting weak points within an enterprise.

Read the transcript of the Dark Reading interview to learn more on:
The evolving cyber-threat sophistication from nation states
Why the public cloud (AWS, Azure, etc.) provides security advantages
Skills CSOs need to succeed
What CSOs are asking their security vendors to provide
As a former FBI agent, what are you seeing as some of the new trends in security threats lately?

I think the breakout trend is the activity of nation states today. Not even 10 years ago, we knew that nation states were developing the capability, but it was a tool that they had in their arsenal but were not willing to deploy. Now we see, in many cases, nation states are the most active adversary and are experimenting with new tools, techniques and new ways of influencing US policy through a cyber-attack. I think what's also troubling is that criminal groups are adopting the same tools and techniques, and the gap between deployment by a nation state and deployment by a criminal group, in terms of time and quality, is shrinking.

What drew you to Cryptzone?

During my time at the FBI we investigated a number of intrusions. Many of those involved stolen credentials and the bypassing of perimeter detection tools. I was drawn to Cryptzone because the technology was more of a hardening-the-interior approach, which made it harder for the adversary to do lateral movement, reconnaissance and escalate privileges. I wanted to be involved with a technology that was making it harder for the adversary rather than trying to find the adversary.

Let's discuss adversaries and nation states becoming more of a threat than they had been in the past. Are they also becoming more sophisticated?

Certainly. We see nation states, some of the top players being Russia and China, moving from traditional malware tools to attacking the human element within an organization, to attacking the supply chain. So it's not just the ones-and-zeros part of an attack that's sophisticated, it's also the development of exploitations of other weak points within an enterprise.

What does Cryptzone do to help customers with that kind of attack?

Cryptzone is an enterprise gateway. We secure the user and the interior of the network by creating a close binding between a user and the assets within a network.
So, through robust authentication, meaning username, password, multifactor authentication, and some other attributes of the endpoint, things like time, date, geo-location, we check who the user truly is. And it's very hard to spoof all of the things that go into a digital identity. We then create an encrypted tunnel to the assets that are protected. Once in the tunnel and connected, the user cannot move laterally away from that asset. So we prevent lateral movement on a network segment.

The focus for Cryptzone is prevention, not detection?

Well, we see ourselves as providing both prevention and detection, because we also have a very robust logging feature. So by logging user activity and by monitoring user activity, we also have a detection function. But we see our primary role as maintaining the integrity of the network rather than trying to pick up signatures or defend the perimeter.
We talked about the changes in the type of threats that customers are seeing and a little bit about the sophistication. What about complexity? It's a complex and daunting job, for many of the people we've spoken to, to defend against some of the threats out there.

If you look at some of the most sophisticated actors, they are deploying malware that studies the network and the network defenses. In addition, inside the malware are built-in techniques to avoid detection. They are searching for sensitive applications, they are testing defenses and adapting to those defenses, so if you have a behavior analytics tool on your network, the most advanced malware can detect that the behavior analytics tool is there and will determine what activity will trigger an alert. They then do things that won't trigger that alert.

There's a huge evolution in enterprise IT, and that's the move to the cloud. What advice does Cryptzone, do you, have for customers who have moved to the cloud, might be working with Amazon Web Services, etc.? What would you tell them?

We think there's great benefit to moving to the cloud, and we think there are great security benefits to moving to the cloud, but it has to be managed properly. The traditional threats that face an on-premises infrastructure are also pointed against cloud infrastructures, so you are not only facing traditional threats like insider threats and application access vulnerability and application vulnerability, you're facing some new threats, including the employees of the cloud service provider. Now, many of the biggest cloud service providers are very good at security. So, it's a buyer beware; it's a shared responsibility between the cloud service provider and the tenant, and it's something that security professionals need to understand as they migrate to the cloud in order to gain those efficiencies.
I was going to tease you a moment ago when you said cloud is a security advantage, and I was going to say that I don't really ever hear anybody say that, but now I'm thinking, let's talk about that. What do you mean by that? Why is cloud a security advantage now? Most companies say, or maybe they have stopped saying it as much, "oh my god, we've got to be careful about moving to the cloud, everybody is going there." But still it has that stigma of being a security threat.

That's understandable. In a traditional enterprise you could build a perimeter and protect your resources by putting them behind it. We've seen that that no longer works; a perimeter is hard to define and harder to defend. What cloud offers is shared resources for getting security right. So if you're talking about, for example, physical security, the large cloud service providers are very careful about how they secure the physical structure that houses your servers and other resources that you deploy in the cloud. Things like employee screening, patching, vulnerability management and updating operating systems and software, if done collectively by a dedicated cloud service provider, will deliver more efficiencies on the security side. I think cloud can be a game changer. We've had a hard time creating a deterrent for the adversary because it is low risk, high profit. I think cloud can start to change that equation.

You're a former FBI agent. You're now a CSO. You've seen the role of the CSO from both sides. Are there any bits of advice you might offer, having seen the security threats from both sides? What kinds of skills do CSOs need these days?
Well, CSOs have to be excellent communicators, above all. They have to be able to communicate the value that they and their team bring to an enterprise. That's their first and foremost obligation when talking to the C-suite or to the board. You have to be able to demonstrate not only that there is a threat, but that your team is deploying the tools necessary to mitigate the threat according to the appetite of the company. So I think first and foremost, communication is a top-level skill that you need to have. Beyond that, of course, there's an understanding of the tools and how they overlay to create a layered defense. That goes into the technical skillset of a CSO. More and more CSOs are leading bigger teams and integrating with other business lines, so CSOs are increasingly becoming business enablers above all.

In fact, you say communicate and business enablers, and one of their primary responsibilities now, especially, is being able to communicate to the board. So it's, okay, I need to explain to the board what we're doing that's going to help preserve our business, keep us out of trouble, etc. What sorts of advice would you give about their communication with the board specifically?

The CSO has to understand the business, what drives the business, what's of value to the business, and from that point of view translate the value that the team and the budget bring. Without an understanding of what is driving the business and how the different divisions within a business interoperate and complement one another, and how the business process is enabled by IT in general, I think a CSO would be at a great disadvantage trying to communicate security value. Beyond understanding the business, a CSO needs to understand how that organization intends to grow; it's not a steady state. So, enabling a defensive posture that works today is falling down on the job. One has to be able to predict where the company is going in order to predict the security requirements for the future.
As that FBI agent you used to be, you were around the world all the time communicating with all sorts of actors; you kept on top of what was going on in the security community. How, as a CSO, are you doing that?

That's a great question. It's important to maintain contact with your professional network. Having a baseline of best practices and experts to turn to, being able to call someone in a pinch, is critical. I would advise this as well: if you're in a highly regulated industry like finance or energy, you need to have a close connection to the regulators. You need to have someone to call when you have a question about compliance or about a security issue that you're concerned about. And of course you need to have someone's number in the FBI or Secret Service in case you have an incident and need to call law enforcement.

My final question is what you are hearing from Cryptzone's customers, either here or over the past six months or so. What are they saying to you: "hey, we need you to start looking into this for us" or "we would love it if you could help us with this kind of a situation"?

That's a great question. So security is one benefit that CSOs are looking for; the other benefit that's almost as important is a reduction in complexity. There are many tools out there, and many of them overlap. It's necessary for a new approach to reduce that complexity to be adopted. No one's going to add another tool to the toolbox, because it requires people to manage and integrate it. What CSOs are looking for are tools that can replace existing defensive measures with simpler tools that provide transparency, ease of management, ease of adoption and integration into existing infrastructure.

Leo, thank you for joining us here on the news desk. It's been fun; I enjoyed talking with you.

That was Leo Taddeo; he is the CSO of Cryptzone.
About Cryptzone

Cryptzone reduces the enterprise attack surface by 99% with its secure network access solutions. Using a distributed, scalable and highly available Software-Defined Perimeter model, Cryptzone protects applications and content from internal and external threats while significantly lowering costs. In cloud environments including AWS and Azure, Cryptzone provides user access control, increases operational agility and improves the ability to meet regulatory and compliance standards. More than 450 companies rely on Cryptzone to secure their networks and data. For more information visit www.cryptzone.com.

Learn more about AppGate network access software that reduces your attack surface by 99% while significantly lowering costs.

Americas +1 888 272 2484
EMEA & APAC +44 118 900 1236
www.cryptzone.com
sales@cryptzone.com

Copyright 2016 Cryptzone North America Inc. All rights reserved. Cryptzone, the Cryptzone Logo and AppGate are trademarks of Cryptzone North America Inc., or its affiliates. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other product names mentioned herein are trademarks of their respective owners.