
BTEX 2023: Overcoming Cybersecurity Challenges in Today’s Environment

A panel of seasoned cybersecurity experts, led by CDW’s Ivo Wiens, discussed how organizations can deal with the main security challenges in 2023.


Cybersecurity is an ever-evolving field. The challenges organizations face today are shaped by increasingly complex IT environments and a growing number of new threats. What exactly are those challenges, and how are Canadian organizations dealing with them? A panel of seasoned cybersecurity experts discussed these and other questions at CDW’s 2023 Business Technology Expo in Toronto.

The panel was led by Ivo Wiens, Senior Manager, Solutions at CDW, and included Vince Mammoliti of Check Point, Robert Weiland of Sophos, Peter Scheffler of F5, Derran Guinan of Veeam, Avi Mergui of Fortinet and Ali Afshari of Cisco. Ivo Wiens prepared a question for each of the panelists.

When we talk about cyber resilience, how can the challenges and risks that you see associated with hybrid cloud be mitigated from a Check Point perspective?

Vince Mammoliti, Head of Channel Engineering at Check Point, answered the first question. “One thing we (at Check Point) recommend is following the Gartner cybersecurity mesh methodology. In the past, most people have done best-of-breed. What we are recommending is a consolidation and an aggregation of these services. When we start talking about multicloud, that even adds more complexity as we add in the agility, the quickness of response and for the security to actually adapt. We are educating people on choosing more security maturity. And what does security maturity bring in? It's a consolidation and actually aggregating and leveraging your threat intelligence, your threat hunting, your incident response to take more of a holistic approach and actually add security as it is.”

What detection-related challenges do you see in the Canadian market, and what can organizations do?

Robert Weiland, who leads the incident response team at Sophos, cited the increasing cloud demands organizations deal with. "In terms of what companies need to worry about the cloud environment, I think it's a lack of, or trying to keep pace, expertise-wise, with all the demands of the cloud. And then, secondly, whenever you're spinning up more cloud, you're going to have to punch holes in your firewall. You're going to increase your attack surface.”

Weiland also described a recent case that illustrates the importance of thinking from the inside out. “We recently had a customer who was being infiltrated by a ransomware threat actor. Their domain admin credentials got compromised. And then, they were able to use that to get into the Office 365 tenant. And they did that because they were coming from the corporate IP address. So, when they were thinking about the cloud, they weren't thinking about the need to protect from the inside out. They were just thinking, protect your data in the cloud, protect on-prem, but not thinking that their own on-prem could actually be a place where that could launch.”
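The case Weiland describes turns on one policy decision: sign-ins from the corporate IP range were trusted, so a stolen domain admin credential walked into the Office 365 tenant without a second factor. The following is an added example, not code from the article or any panelist. It evaluates the same simplified sign-in events under a "trust the corporate network" policy and under a policy that never exempts privileged accounts, and it hunts the sign-in log for the exact pattern in the story. The corporate range, the privileged account name and the JSON-lines event format are constructed assumptions, not a real tenant's log schema.

```python
import ipaddress
import json

# Constructed assumptions for this example: the corporate egress range and the
# accounts treated as tier-0 (domain admin) identities.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
PRIVILEGED_ACCOUNTS = {"da-admin@corp.example"}

# Constructed sign-in events in a simplified JSON-lines form (not a real tenant log).
SAMPLE_SIGNINS = """\
{"user": "alice@corp.example", "ip": "203.0.113.10", "app": "Office 365", "mfa": false, "result": "success"}
{"user": "da-admin@corp.example", "ip": "203.0.113.25", "app": "Office 365", "mfa": false, "result": "success"}
{"user": "da-admin@corp.example", "ip": "198.51.100.7", "app": "Office 365", "mfa": true, "result": "success"}
{"user": "bob@corp.example", "ip": "198.51.100.9", "app": "Office 365", "mfa": false, "result": "failure"}
"""


def is_corporate(ip: str) -> bool:
    """True when the source address falls inside the corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def mfa_required(event: dict, privileged_always_mfa: bool) -> bool:
    """Access-policy decision for one sign-in.

    With privileged_always_mfa=False the policy is the weak one from the story:
    anything from the corporate range skips MFA. With it set to True, privileged
    accounts must present MFA wherever they connect from; the corporate
    exemption only ever applies to ordinary users.
    """
    if privileged_always_mfa and event["user"] in PRIVILEGED_ACCOUNTS:
        return True
    if is_corporate(event["ip"]):
        return False
    return True


def _events(lines: str):
    for raw in lines.strip().splitlines():
        yield json.loads(raw)


def admitted_without_mfa(lines: str, privileged_always_mfa: bool) -> int:
    """Count successful sign-ins the given policy would have let in without MFA."""
    return sum(
        1
        for ev in _events(lines)
        if ev["result"] == "success"
        and not ev["mfa"]
        and not mfa_required(ev, privileged_always_mfa)
    )


def hunt_privileged_no_mfa(lines: str) -> list:
    """Detection: privileged account reached the cloud tenant from the corporate
    range without MFA. This is the inside-out path the story describes."""
    findings = []
    for ev in _events(lines):
        if ev["result"] != "success" or ev["mfa"]:
            continue
        if ev["user"] in PRIVILEGED_ACCOUNTS and is_corporate(ev["ip"]):
            findings.append({
                "user": ev["user"],
                "ip": ev["ip"],
                "app": ev["app"],
                "reason": "privileged cloud sign-in admitted without MFA via corporate-network exemption",
            })
    return findings


if __name__ == "__main__":
    print("weak policy admits without MFA:", admitted_without_mfa(SAMPLE_SIGNINS, False))
    print("hardened policy admits without MFA:", admitted_without_mfa(SAMPLE_SIGNINS, True))
    for f in hunt_privileged_no_mfa(SAMPLE_SIGNINS):
        print("ALERT", f)
```

The hunt query is worth running retrospectively, not only as a live alert: if privileged accounts have ever been admitted to the tenant under a network exemption, that history shows where a credential theft on-prem would already have had cloud reach.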

Can you provide an example of how an organization achieved better visibility, security and performance in the cloud and the multicloud?

Peter Scheffler, Sr. Security Solution Architect at F5, answered by describing a recent distributed denial-of-service (DDoS) attack he helped mitigate. “We had some threat actors attacking government resources because of an event that happened in our parliament about a month ago. What we were able to do with this customer was to provide a level of information to them so they could quantify the attack and define how we could mitigate it. Under about 18 hours from the time that their site went down to the time they contacted us, we had them back up and running to be able to provide the visibility and be able to provide the information that they need to be able to mitigate it. But also, and that's very important, to be able to get the site back up and going.”

Scheffler also stressed the importance of not only reacting rapidly but also following a long-term plan that improves visibility during the aftermath. "You have to understand what the long-term plan is and understand what the next step is going to be, how you are going to be strategic. It's all fun and games to be reactionary at three o'clock in the morning, but we have to be able to provide visibility, and we have to be able to understand what that drift was. We made those changes, but what were those changes? Do we all remember exactly what we did at three o'clock in the morning? It was crucial to document that in a runbook or a Terraform environment.”
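Scheffler's point about drift is that the changes made under pressure at three in the morning have to be reconciled with the declared state afterwards. As an added example, not code from the article or from F5, here is a small drift check between a declared rule set (what a runbook or Terraform variables file records) and the live state exported from the device after the response, followed by a reconcile step that folds the accepted emergency changes back into the declared state. The rule names and fields are a constructed, vendor-neutral illustration, not a real device configuration.

```python
from typing import Any, Dict, Iterable

# Constructed declared state, as a runbook or Terraform variables file would record it.
DECLARED: Dict[str, Dict[str, Any]] = {
    "waf-policy": {"mode": "blocking", "signatures": "2023-09-01"},
    "geo-block": {"action": "drop", "countries": ["XX"]},
    "rate-limit": {"requests_per_minute": 600, "scope": "per-source-ip"},
}

# Constructed live state, exported from the device after the overnight DDoS response:
# the rate limit was tightened, a second country was blocked and a new rule appeared.
LIVE: Dict[str, Dict[str, Any]] = {
    "waf-policy": {"mode": "blocking", "signatures": "2023-09-01"},
    "geo-block": {"action": "drop", "countries": ["XX", "YY"]},
    "rate-limit": {"requests_per_minute": 60, "scope": "per-source-ip"},
    "bot-challenge": {"action": "js-challenge", "paths": ["/search"]},
}


def diff_config(declared: Dict[str, Dict[str, Any]], live: Dict[str, Dict[str, Any]]) -> dict:
    """Report rules added, removed or changed in live state relative to declared state."""
    added = sorted(set(live) - set(declared))
    removed = sorted(set(declared) - set(live))
    changed = {}
    for name in sorted(set(declared) & set(live)):
        if declared[name] == live[name]:
            continue
        keys = set(declared[name]) | set(live[name])
        changed[name] = {
            k: {"declared": declared[name].get(k), "live": live[name].get(k)}
            for k in sorted(keys)
            if declared[name].get(k) != live[name].get(k)
        }
    return {"added": added, "removed": removed, "changed": changed}


def has_drift(report: dict) -> bool:
    return bool(report["added"] or report["removed"] or report["changed"])


def reconcile(declared: Dict[str, Dict[str, Any]],
              live: Dict[str, Dict[str, Any]],
              accepted: Iterable[str]) -> Dict[str, Dict[str, Any]]:
    """Return a new declared state in which the named rules take their live values.

    Rules you do not accept stay as declared, which is your cue to revert them on
    the device; rules accepted but absent from live state are dropped.
    """
    new_state = {name: dict(rule) for name, rule in declared.items()}
    for name in accepted:
        if name in live:
            new_state[name] = dict(live[name])
        else:
            new_state.pop(name, None)
    return new_state


if __name__ == "__main__":
    report = diff_config(DECLARED, LIVE)
    print("drift detected:", has_drift(report))
    for name in report["added"]:
        print("  added  ", name, LIVE[name])
    for name, fields in report["changed"].items():
        print("  changed", name, fields)
    updated = reconcile(DECLARED, LIVE, report["added"] + list(report["changed"]))
    print("drift after reconcile:", has_drift(diff_config(updated, LIVE)))
```

Run the diff on a schedule, not only after incidents; the value is in learning about the change nobody documented while it is still fresh.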

How does Veeam address challenges related to data availability, backup and recovery and privacy regulations?

Derran Guinan, Sr. System Engineer at Veeam, stated that Veeam helps in three main ways: ensuring fast and secure backup and recovery, providing monitoring and analytics, and providing proven orchestration.

“Veeam is a platform solution. We have a solution that ensures fast and secure backup and recovery. We want to make sure that our backups are encrypted. We want to make sure that we provide the ability to store the data on immutable storage. Even when we're covering our data, we want to be able to scan those backups and make sure that components of ransomware or malware, other parts aren't in them or if they are in there, let's clean them before we actually do the restore,” said Guinan.  

He continued: “Second, we want to provide monitoring analytics to be able to understand the whole backup environment: it could be best practices identified, it could be security, it could be anomalies (for example) ‘we saw all of a sudden for one-month backups ran and they were 1 percent growth and then, all of a sudden, one day it went to 80 percent growth. Why?’ Maybe there's a good reason for it. Maybe it's something malicious.”
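The anomaly Guinan sketches, a month of roughly 1 percent nightly growth followed by an 80 percent jump, is simple to detect once backup sizes are treated as a time series. The following is an added example, not code from the article or from Veeam. It computes night-over-night growth, compares each night against a trailing baseline and flags material deviations in either direction, since a sudden shrink (mass deletion) matters as much as a sudden jump (bulk encryption inflating the change set). The backup sizes are constructed, and the thresholds are starting points to be tuned against a real environment's baseline.

```python
from statistics import mean, pstdev
from typing import List

# Constructed nightly backup sizes in GB: eleven nights of about 1 % growth, then a jump.
SAMPLE_BACKUP_SIZES_GB: List[float] = [
    100.0, 101.0, 102.1, 103.0, 104.1, 105.2, 106.2,
    107.3, 108.4, 109.5, 110.6, 199.0,
]


def growth_rates(sizes: List[float]) -> List[float]:
    """Night-over-night fractional change; element i is sizes[i+1] relative to sizes[i]."""
    return [(b - a) / a for a, b in zip(sizes, sizes[1:])]


def flag_growth_anomalies(sizes: List[float],
                          baseline_nights: int = 7,
                          z_threshold: float = 3.0,
                          min_abs_change: float = 0.10) -> list:
    """Flag nights whose growth rate departs materially from the trailing baseline.

    A night is flagged only when the rate differs from the baseline mean by at
    least min_abs_change (an absolute shift in growth fraction) AND that shift is
    statistically unusual (z_threshold standard deviations, or any shift at all
    when the baseline is perfectly flat). Requiring both avoids paging on a
    stable environment whose tiny day-to-day jitter makes sigma very small.
    """
    rates = growth_rates(sizes)
    findings = []
    for i in range(baseline_nights, len(rates)):
        window = rates[i - baseline_nights:i]
        mu, sigma = mean(window), pstdev(window)
        r = rates[i]
        delta = r - mu
        unusual = sigma == 0 or abs(delta) / sigma >= z_threshold
        if abs(delta) >= min_abs_change and unusual:
            findings.append({
                "night": i + 1,                 # index into sizes of the anomalous backup
                "size_gb": sizes[i + 1],
                "growth": round(r, 3),
                "baseline_growth": round(mu, 3),
                "direction": "growth" if delta > 0 else "shrink",
            })
    return findings


if __name__ == "__main__":
    for f in flag_growth_anomalies(SAMPLE_BACKUP_SIZES_GB):
        print(f"night {f['night']}: {f['direction']} of {f['growth']:.0%} "
              f"vs baseline {f['baseline_growth']:.1%} ({f['size_gb']} GB)")
```

The finding is a question, not a verdict, exactly as Guinan says: a legitimate migration produces the same curve as ransomware, so the alert should route to someone who can answer "why".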

Guinan closed his answer by stressing the value of orchestration. “Thirdly, we want to provide proven orchestration. Again, anything that's manually done today is probably going to fail or not be as fast as we need it to be today. So, we want to make sure things are completely orchestrated.”

What does Fortinet see as key challenges that organizations face when they secure data residing in multiple locations?

Avi Mergui, Presales Security Expert at Fortinet, explained how companies are consolidating their services by sticking to trusted vendors. “The way we see it at Fortinet is that the stack is evolving. You can't just have your next-generation firewall not communicating with your other devices. Your switch has to be in line, your access point has to be in line. Your users that are connecting from different places have to be able to access apps in an appropriate way. And what we're seeing now is a consolidation, companies are picking trusted vendors and they're buying more from them when it makes sense because you have an approach where you have that single pane of glass, you have all that visibility.”

Visibility is a key benefit consolidation offers, continued Mergui. “We're seeing a lot of alert fatigue where people are getting a crazy amount of alerts and often ignoring them. You could have ransomware in your environment and you would never know because it hasn't been encrypted yet. It's just there probing, waiting. We're seeing a big move towards a consolidated approach where all the products talk to each other in a meaningful way so you don't have that gap of data. You have to have that full layer-seven application visibility because if you don't have that, you're basically a sitting duck waiting to be attacked.”

How has threat intelligence helped businesses detect and prevent cyberthreats?

According to Ali Afshari, General Manager, Security at Cisco, there’s a marked gap between small, medium and large organizations. “The answers are different at an enterprise level, at a small level or at the mid-market level. We deal with large organizations. They have lots more budget, a lot more dollars to spend. And then there is a gap between the mid-market and small organizations where the same IT person that takes care of your firewalls is also responsible for your email and your backup. So there's definitely a big gap. How do you address the gap? You address it by integrating the threat knowledge inside of every product.”

Afshari also argued that threat research is a big differentiator when it comes to security products. “When you buy a product, you're not just buying software, you want it to be always updated. You want the latest threats to be updated on it. So, threat research becomes a major differentiator of any security organization out there. And I'm sure everyone will get up there and say, ‘We have the best and the brightest.’ We all try to do that. I think there is a bit of ‘This is my info.’ And I think a better job of sharing between different organizations. But at the end of the day, I think when you buy a security product, you want that threat intel inside of that product itself, because the threat actors are changing all the time. And you want to make sure you have that. And that's where you need to address it.”

Once all panelists answered their individual questions, Wiens closed with a question open to any panelist willing to answer it.  

Technology is mostly supported by people and processes. What is your organization doing beyond that to help?

Sophos’ Robert Weiland stated that Sophos puts its telemetry at the service of its customers. “We (at Sophos) have a lot of telemetry. And I think kind of the philosophy that we have is Cybersecurity as a Service or cybersecurity delivered. We utilize that telemetry as part of something called ‘the early warning system.’ We understand that we don't necessarily put it back onto our customers to say, ‘Here's the threat intel and be aware.’ But if we see things like detection, do we see things happening in that environment, we can reach out to that customer and say, ‘Hey, it looks like you've got a problem here. There's something going on.’ Maybe our confidence wasn't high on that, but we want to let them know it looks like there’s something going on.”

For his part, Fortinet’s Avi Mergui mentioned that their focus is on collaboration because it’s more likely to defeat threat actors. “Threat intel is very important. I don't doubt that each of the companies here has a tremendous footprint in terms of that. But it's what you do with that information. We collaborate with even our nearest competitors. Because if you're not sharing, then the attackers win. We're the defenders, right? Yes, we all want to make sales. We all want to be profitable and all that. But in the end, if you're not communicating and sharing the lessons learned, you're not as valuable as somebody that does share that information and collaborates and provides.”

Veeam’s Derran Guinan also chimed in, saying that testing backups is a cornerstone of their practice. “One thing I keep finding across new people I talked to daily, talking about data protection, is testing your backups. So many people end up having a situation where something bad happens. It could be cybersecurity. It might not be. And they go to use their backups and guess what? Right. They failed. And we always say, ‘Well, did you test them?’ And they weren't tested. So, this can all be automated within a product. At Veeam, we do automate this, where we can fire up domain controllers at night, mount the backups, check everything against everything we do, and check it against custom scripts. And that's to make sure that when bad things happen, the backup is there, and it can be recovered.”

Lastly, F5’s Peter Scheffler talked about the current maturity state of automation and how organizations shouldn’t rely entirely on a graphical user interface (GUI) yet. “When we look at a lot of organizations, we as vendors promote automation and orchestration. Then you ask somebody about what tools they use. And you get a blank stare, (and they reply) ‘We've got some scripts to do this. We've got some scripts to do that.’ I think we as vendors need to continue to push that, yes, a GUI is a comfortable place to be, but it's not a scalable way to do business. It's not a scalable way to react to things when things go bad.”