
Why security validation matters

FireEye’s top executives in Asia-Pacific discuss the benefits of security validation and offer their take on the region’s cyber threat landscape

Unlike traditional security tools, security validation platforms subject organisations to potential threats that they could face, in a bid to discover the weakest links in their cyber security strategy.

At the end of it all, organisations receive quantifiable evidence of whether they could have been breached and how effective their security controls are. So promising is the technology that FireEye paid $250m for Verodin last May to bolster its portfolio of security products and services.

In Asia-Pacific (APAC), FireEye sees the potential of security validation in helping organisations inject some quality assurance into their security practices, particularly when it comes to cloud security as more important workloads and data are moved to the cloud.

In an interview with Computer Weekly, Steve Ledzian, FireEye’s APAC chief technology officer, and Subhendu Sahu, its vice-president of commercial sales, offer their perspectives on the threat landscape in the region, the benefits of security validation and why APAC firms had been reluctant to take up incident response and threat intelligence services.

How has FireEye’s business been doing in Asia-Pacific and what key trends are you seeing in the region, particularly in the areas you are strong in?

Sahu: APAC has always been one of the biggest contributors of growth for our business, particularly in Greater China and India, where we’ve seen even higher growth rates. We’ve kept investing in the region and we typically take a portfolio approach in terms of our solutions and the markets we play in.

At the same time, we see rapid adoption of cloud across the region. A few years ago, some companies in industries such as financial services would push back when offered a cloud option. But we’ve started seeing regulatory authorities not only allowing the use of cloud, but also actively encouraging financial firms to embrace a cloud model. Today, we have more customers looking at a cloud consumption model.

Ledzian: Over the last four years, some organisations have been hesitant to step into the cloud, but we’re seeing cloud adoption accelerating here in APAC. There are new challenges with cloud, though, particularly around the visibility needed to really understand what’s happening in the cloud and to secure cloud environments.


It’s not necessarily the same processes for on-premise environments, so there’s a little bit of a learning curve around data leakages where organisations unintentionally expose data to the public. It’s not that the cloud has been hacked, but the improper configuration, controls or policy settings around data. Organisations need the right processes to secure the cloud and are looking at new tools to do that.

What do you think needs to be done from an industry perspective to address cloud security issues? There’s no doubt that the cloud suppliers are doing their part. Even governments have stepped in with cloud security standards. But it seems that there’s been a hodgepodge of efforts by industry and governments to put band-aids on cloud security problems that crop up every now and then.

Ledzian: I would say you want to approach it from a couple of different areas. Obviously, we want to strategically review what you need to do to be secure in the cloud, so if you think you’re doing a good job, then you hire an organisation that can assess your cloud security and validate that you’re doing everything necessary to properly secure that data in the cloud.

Security validation extends not just to cloud, but to on-premise environments as well. It’s quite different from traditional security tools, which look for malware, intrusions or breaches. Security validation tests the effectiveness of your security controls, whether those are software, appliances or cloud-based controls. It’s almost like quality assurance.

A lot of assumptions made in cyber security are about how safe you are and what level of protection you have. Sometimes, those assumptions don’t hold in security validation, which exposes assumptions that are incorrect, giving organisations the opportunity to address security gaps.

For example, many organisations call up their vendors to ask if they are protected against a type of attack or vulnerability. Security validation allows those organisations to test that attack in their environment safely and get quantifiable evidence – not just a spoken answer – of whether that attack is prevented. Those are things that vendors may be struggling to answer because everyone’s environment is a little different.

Sahu: To add on, one of the interesting aspects of this industry is that whenever a new threat actor or threat model surfaces, the industry has historically tried to throw a product or solution at it instead of trying to find out whether or not existing investments are effective.

Maybe you have the capability to stop some of those new threats. All it would take is proper “instrumentation” to turn the dials a little right or left in your existing infrastructure. We typically see good return on investments coming out of these conversations. In some cases, you don’t even require new investments – you could relocate or even switch off some old and obsolete assets that are no longer delivering value.

What sorts of tools are required in security validation?

Ledzian: What it’s trying to do is very different from other security tools. It’s not trying to identify malware; it’s not trying to identify attacks. Instead, security validation has its own library of attacks that spans the spectrum of what you would see in the MITRE ATT&CK framework, so they’re not just pieces of malware. Were there lateral movement, reconnaissance or post-exploitation techniques that attackers use? It has a library of attacks that can be executed safely within the environment through production security controls. And connected to those security controls are things like firewalls and endpoint controls. It’s essentially asking, “did you see this attack?”, to give you quantifiable evidence of how effective your security controls are.
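As an added illustration of the "did you see this attack?" loop described above (example code, not FireEye's or Verodin's), the following scorecard matches constructed control telemetry back to labelled test runs, classifies each as prevented, detected only, or missed, and flags where the team's assumed level of protection is weaker than what the controls actually did. The test ids, tactic labels and telemetry fields are all constructed for the example.

```python
"""Minimal security-validation scorecard (added example, not vendor code).

Each test is a harmless, labelled action; the controls are asked "did you
see this?" by matching their telemetry back to the test id.
"""
from collections import defaultdict

# Constructed test library: id, tactic label, and what the team *assumes*
# the controls do for that technique (the claim to be validated).
TESTS = [
    {"id": "T-001", "tactic": "reconnaissance", "assumed": "detected"},
    {"id": "T-002", "tactic": "lateral-movement", "assumed": "prevented"},
    {"id": "T-003", "tactic": "lateral-movement", "assumed": "prevented"},
    {"id": "T-004", "tactic": "post-exploitation", "assumed": "prevented"},
]

# Constructed telemetry from production controls, keyed by test id.
# Note T-003 only alerted, and T-004 produced nothing at all.
TELEMETRY = [
    {"test_id": "T-001", "control": "edr", "action": "alert"},
    {"test_id": "T-002", "control": "firewall", "action": "block"},
    {"test_id": "T-003", "control": "edr", "action": "alert"},
]

RANK = {"prevented": 2, "detected": 1, "missed": 0}


def classify(test_id, telemetry):
    """Outcome for one test: a block beats an alert, which beats silence."""
    actions = {e["action"] for e in telemetry if e["test_id"] == test_id}
    if "block" in actions:
        return "prevented"
    if "alert" in actions:
        return "detected"
    return "missed"


def scorecard(tests, telemetry):
    """Return per-test outcomes, per-tactic counts and assumption gaps."""
    results = {t["id"]: classify(t["id"], telemetry) for t in tests}
    by_tactic = defaultdict(lambda: {"prevented": 0, "detected": 0, "missed": 0})
    for t in tests:
        by_tactic[t["tactic"]][results[t["id"]]] += 1
    # A gap is a test where observed protection is weaker than assumed.
    gaps = [t["id"] for t in tests if RANK[results[t["id"]]] < RANK[t["assumed"]]]
    return results, dict(by_tactic), gaps


if __name__ == "__main__":
    results, by_tactic, gaps = scorecard(TESTS, TELEMETRY)
    print(results, by_tactic, "assumption gaps:", gaps)
```

The gaps list is the quantifiable evidence the interview refers to: T-003 was assumed blocked but only alerted, and T-004 was assumed blocked but went unnoticed.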

We started the conversation with cloud security. Just to make sure we’re on the same page, when you talk about cloud security, are you referring to public cloud? What if an organisation has a hybrid environment with heterogeneous on-premise systems? How would that complicate the overall security strategy that companies should be considering?

Ledzian: I think the journey that most organisations go through is that they start fully on-premise. The first step most organisations take towards the cloud is through some sort of cloud messaging system like [Microsoft] Office 365 or moving email infrastructure from on-premise to cloud. Beyond that, there’s infrastructure-as-a-service from Amazon Web Services, Microsoft Azure and Google Cloud. Organisations will start moving non-critical workloads into those types of cloud.

Once they’re comfortable, they will move more significant workloads into the cloud. It’s really a step-by-step process. There are very few organisations that are 100% cloud today. So, I think you’re right – most of them are going to be in some state of transition or hybrid protection. They still need to worry about security on-premise and, of course, they need to worry about all the new challenges that come with securing cloud.

Are you able to talk about the potential implications of the rise in telecommuting, given the current Covid-19 outbreak? As more companies extend telecommuting to more employees, potentially expanding their attack surface, are they taking a reactive or proactive approach to mitigate the security risks?

Ledzian: I think the immediate security issue is the information around Covid-19 that is being used as phishing lures. Attackers can take information, make it look like it’s coming from an official source, and then weaponise that information.

Second to that is the issue you brought up around remote work. Certainly, organisations need to think carefully about the security implications of remote work, which brings challenges around visibility. Home networks will not be protected in the same way that organisational networks are protected. So, things like multi-factor authentication and encryption are very important. As we adopt remote work, we must make sure it’s done in a way that isn’t increasing risks to organisations.

We’ve talked a lot about threat detection and trying to plug the gaps. What about in terms of incident response? Do you think companies are paying enough attention to developing the capabilities they need to respond to an incident?

Ledzian: Certainly, there has been a lot more attention given to detection and response, instead of just prevention. But before you can respond to something – and this is something that’s often overlooked or taken for granted – you have to notice that it’s there. That sounds obvious, but in fact organisations really struggle to notice they’ve had a prevention failure or when there’s an intruder in the network. They sort of jump right into the response before trying to see how they can find a problem.


At FireEye, we have a metric called dwell time, defined as the time from when an intruder defeats prevention and enters the network until someone notices and responds. In our latest M-Trends report, the global median dwell time in 2019 was 56 days. APAC was very similar to the global number at 54 days. Those numbers are lower than the previous year’s, so it shows that organisations are doing better. But two months is still too long to have an intruder remain undetected in a network, so there’s more work to be done.

Are there any peculiarities in APAC that you see when it comes to incident detection and response capabilities, or in terms of the types of threat that companies in the region are facing more than others in other parts of the world?

Ledzian: I don’t know if I would say APAC is faced with certain threats more than other regions. But I would like to call out an interesting trend that we’re seeing with ransomware, which has been very similar to the opportunistic nature of spam over the last few years.

Attackers would throw out lots of weaponised messages containing ransomware, hoping that someone would open them, get important files encrypted and then ask for ransom. The attacker really didn’t know what machine they were landing on. The trend we see now is that ransomware doesn’t necessarily start as a weaponised email. It starts as an intrusion, much like a data breach, or wherever the attacker breaks into the network.

They gain a foothold into the network, find important business-critical servers and then manually deposit and install ransomware on one or multiple servers which are important for the business. In that case, they know exactly where the ransomware has landed, and they will ask for much more money. I think that’s an interesting trend that people need to pay attention to, because it means dwell times are also related to targeted ransomware, or what is sometimes called post-compromise ransomware.

Sahu: A difference in APAC is that we noticed over the past few years a relative reluctance to consider cyber security services and threat intelligence, which were seen as shiny new toys. But that has rapidly changed in the last two to three years as people start to understand that they require incident response services and the need to buy intelligence to stay ahead of the curve.
