Sapsiwai - Fotolia
Hardly a day goes by without coming across yet another study that puts the Asia-Pacific (APAC) region in pole position in global cyber threat rankings.
In 2016, emerging countries in APAC were among the top 10 with the most malware infections, and the proportion of ransomware attacks aimed at enterprises and individuals in the region was the highest globally.
So what should enterprises make of this seemingly ominous threat landscape? Computer Weekly sat down with LogRhythm CEO Andy Grolnick in a wide-ranging interview to get his views on the state of cyber security, what enterprises need to do to protect themselves, and the role of security information and event management (SIEM) systems in mitigating cyber threats. Here are his answers to our questions.
APAC has been in the news about being a hotbed for cyber attacks. What do you think are the key reasons for poor cyber hygiene among businesses and individuals in the region? Is it just a case of poor awareness, or is there more to it?
Grolnick: I think cyber attacks are global in nature and no one is immune. I don’t see attacks as a regional thing, although how affected a region is depends on the maturity of organisations and how much they are investing in cyber security infrastructure. Countries and regions that are more advanced have invested in people, processes and technology to be more cyber resilient. In Asia, there is a need for more investment in cyber security technology and processes.
What are your thoughts on small and medium-sized enterprises (SMEs) being the weakest link in cyber security?
Grolnick: It depends on the SMEs, the industry they are in and who they are connected to. For example, law firms are highly targeted by cyber criminals because they have data about clients. They may have the credentials to get into a large bank and financial information that could be used in stock trading.
We are seeing a lot of awareness and attention on cyber security among law firms. Large organisations such as banks must anticipate all the different vectors, think about their attack surface from a breadth and depth perspective, and tighten control over all the suppliers they work with. That won’t be foolproof, however, so it is important to use advanced analytics and machine learning to detect things such as anomalies in access, such as the same credentials being used to log in to a network from two separate locations three hours apart.
Andy Grolnick, LogRhythm
The more connected a country is to the global digital economy, the more susceptible it is to cyber attacks. To well-connected economies like Singapore, Australia, South Korea and Hong Kong, the stakes of falling prey to cyber attacks are much higher. How can governments and businesses in these countries develop greater resilience, as falling back on paper-based processes when critical systems and data get compromised is not an option?
Grolnick: It’s a balancing act. Exerting too much control over IT systems will compromise the user experience, while going the other direction will increase the chances of cyber attacks. This requires maturity and sophistication in implementing cyber security measures, and requires investment in the right systems, processes and talent. Your chances of succeeding in protecting yourself will then be much higher.
The Singapore government had made a high-profile decision to limit internet access to shared internet terminals for civil servants. While this is not a sure-fire measure because employees can still receive potentially malicious emails on their email-only work machines, it seemed draconian to some people, even though some financial institutions have had similar measures in place for years. What are your thoughts on this?
Grolnick: Every government and organisation is trying to figure out the right balance. I can see the perspective of why the Singapore government has put that policy in place – to reduce the probability that the bad guys can get in and cause damage. It’s analogous to what’s going on in immigration policy across the world right now, where governments and societies are rethinking how strict and how close or open they want to be. But how do you find that balance between convenience and security?
My understanding is that the Singapore government will provide dedicated machines for people who need access to the internet for their jobs, so it’s not a complete cut-off from the internet. It’s a balancing act, and regardless of where you sit on that continuum, there’s a reality that the bad guys will get in and can’t be stopped. The next line of defence would be monitoring as well as analytics to detect anomalous activity in the network. That’s still going to be needed whether or not you shut off or restrict access to the internet.
Read more about cyber security in ASEAN
- Cyber security has enabled Asia-Pacific organisations to enter new markets and deliver services in new ways.
- Lab facilities have been established at Singapore’s Republic Polytechnic through partnerships with RSA Security, Palo Alto Networks, Trend Micro and Ixia.
- Palo Alto Networks’ Singapore headquarters will house sales and support staff, as well as security analysts from Unit 42, the company’s threat intelligence team.
- Governments in Southeast Asia are considering setting up a regional equivalent of Europol to help fight cyber crime.
Some cyber security circles have claimed that SIEM technology can’t keep up with the pace of cyber security and is effectively dead. Do you agree?
Grolnick: I’d say it’s the opposite. The SIEM market has been evolving over the years and is very healthy. Otherwise, we wouldn’t be growing as fast as we are and we wouldn’t be seeing the number of customers coming to us with projects around SIEM, log management and security analytics.
There are several factors to this. The increase in the number of threats and breaches, and the sophistication of cyber attackers, have gained a lot more visibility among C-level executives, who are posing tougher questions to IT security people. One of the fundamental things about security is to be able to collect, organise and analyse huge volumes of machine data, such as security logs, so you can see threats and the indicators of threats. At a basic level, that’s what SIEM does.
However, SIEM technology has grown significantly over the years, with capabilities such as user behaviour analytics, machine learning and security orchestration that were not in earlier SIEM products. It has been a very vibrant and competitive market that is almost going through a Darwinian weeding-out process. You will hear suppliers in behavioural analytics saying in their marketing activities that SIEM is dead, but then you’ll also see them offering log management and other capabilities that customers want.
The suppliers that have evolved and adapted to the sophistication and growing volume of threats are the ones that have done really well. If you look at Gartner’s Magic Quadrant for SIEM, the leaders are LogRhythm, Splunk and IBM. None of the products from the leaders existed in 2005.
Andy Grolnick, LogRhythm
How is LogRhythm ensuring that its SIEM technology continues to remain relevant not only to chief information security officers, but also to the boards of companies around the world where cyber security is becoming a top priority?
Grolnick: We are investing heavily in analytics capabilities, so you can detect threats using the right analytics techniques and ask the right questions. We are also investing in machine learning techniques to do more advanced detection, look for anomalies and profile user and network behaviour.
Another area is security orchestration and automation so that security teams can address threats all the way from initial detection to response. They can collaborate and have all the evidence they need in one place. That is very important for the efficiency of security operations.
We have also completely revamped our user interface based on HTML5 technology. We have also added network and endpoint sensors to provide more context for the analytics, so you know what the network traffic looks like and the processes that are running on the endpoints. These are the areas we have invested in to keep ourselves relevant.
Some of those areas are also being tackled by the likes of Malwarebytes and Carbon Black. Where does LogRhythm’s platform stand vis-a-vis products from suppliers that focus on a specific area, such as endpoint security?
Grolnick: Think about our platform as “central intelligence” where we’ll take data feeds from security point products such as Carbon Black, with which we have tight integrations. We take their alerts and logs from operating systems and applications and we add our network and endpoint sensors. All that data is analysed on our platform. We are the foundation for the SOC (security operation centre), which will also make use of Palo Alto firewalls and Carbon Black’s platform.