For this purpose, organizations should apply a systematic approach.
“AI-empowered solutions will become a vital part of an organization’s security architecture and teams”, says Mr. Mo Cashman, senior director for the EMEA region at Trellix.
Covid “taught” organizations many lessons about the need for resilience. Resilience can be achieved with adaptability and systems thinking, the approach needed to deal with complex threats, including cyber threats. The transition to a resilience outcome can begin today by moving away from an approach based solely on the prevention of cyber threats, Mo Cashman, senior director for the EMEA region at the US company Trellix, said in an interview. In the interview below, we talk with him about the complex landscape of cyber security in the context of global crises, the role of artificial intelligence, and the human factor.
Mr. Cashman, when McAfee and FireEye merged, the new Trellix company focused on detecting and responding to threats using XDR powered by artificial intelligence and automation. It’s like you got ahead of the wave, because today, nearly two years after that merger, artificial intelligence is a mainstream topic. Is effective cyber defense even possible without artificial intelligence (AI)?
AI presents several key challenges for cyber defenders. Malicious actors will leverage AI technologies to create more effective cyber-attacks like phishing and undetectable malware. AI also creates new attack surfaces, such as data sets, for actors to corrupt and may open organizations up to increased risk of intellectual property theft without proper security controls. However, we also see many positive ways AI can improve cyber defense. It can empower security analysts with better investigation guides, automate the creation of cyber defense playbooks to identify a new attack method, and address talent shortages by augmenting security teams with additional capabilities. Trellix has used AI in its EDR and XDR threat detection solutions for several years. While effective cyber defense involves much more than using AI or machine learning capabilities, as global cyber threats evolve at a scale faster than human teams can manage, AI-empowered solutions will become a vital part of an organization’s security architecture and teams.
At a recent Trellix event in Sofia, you stated that the current approach to cyber security needs to be reconsidered. What dictated this conviction of yours about the need for change?
It’s about having a business resilience outcome for an organization’s cyber security program. Covid taught organizations a lot about the need for a resilient mindset in people and business. Resilience has adaptability and systems-thinking as key design pillars. It’s the approach needed to tackle the complex threats, including cyber threats, organizations face today. The shift towards a resilient outcome can begin today by moving away from a prevention-only approach to cyber threats. Organizations can start adopting a systems-based approach to their cyber security protection architecture. For example, protecting against ransomware requires organizations to have email, endpoint, network, data protection, SecOps, employees, and executive leadership working together as a system with an outcome of organizational resilience against that type of threat. Zero Trust and XDR are also great examples of systems-based security architecture design thinking to help organizations adapt faster to any new threat.
“Organizations are facing the need to build resilience in the context of escalating cyber threats. They should be adopting Zero Trust as their security architecture guidelines.”
Employees today use a variety of communication channels – e-mail, instant messengers, chats, etc. However, according to a study by Trellix, e-mail remains the number one source of cyber-attacks. Why is this traditional channel so vulnerable and convenient for attackers?
Email remains the essential business application for organizations everywhere, as well as the top initial access vector for many cyber-attacks. I believe email over other collaboration apps remains more vulnerable and attractive to threat actors for several reasons. First is simple availability. Active corporate email addresses are easily obtainable by attackers. Employees expose their business email addresses on social media such as LinkedIn, when signing up for free airport Wi-Fi, professional publications, or any number of online services. Attackers can obtain those verified email addresses through hacks or purchase them from other cybercriminals. The verified email, combined with other information, helps them create very effective spear phishing emails. This leads to the next reason, insufficient security controls. In my opinion, email protection has taken a back seat in recent years as organizations focused on other areas, such as endpoint security. They have relied on built-in spam and malware protection in their workplace productivity suites or cloud service providers to cover email-borne security threats. Those suites are less effective against the advanced phishing and business email compromise techniques employed by attackers today. This leaves organizations with a thin line of defense and continued exposure to sophisticated ransomware attacks. Finally, it’s the human factor. People are checking email on mobile devices, communicating on three or more apps at one time, and have less time to examine content that might be suspicious. Organizations must have a robust employee training program that focuses on recognizing and reporting phishing. Attackers will leverage the easiest and most reliable entry points to achieve first entry. As long as email usage remains high and security weak, they will continue to exploit this channel. Expect this trend to continue.
Trellix espouses the concept of “living security” – technology that learns and adapts to protect customers’ operations. How do you implement it in practice? Is your XDR platform a panacea in the fight against cyber threats?
While I believe that no one solution can ever meet all of an organization’s security needs, I do think Trellix’s “living security” design philosophy and how it’s built into the Trellix platform and XDR solution will help organizations detect and adapt to new threats faster. As an example of “living security,” Trellix XDR continuously correlates an organization’s logs against Trellix’s real-time threat intelligence indicators and organizes the incidents based on risk scores that are dynamically calculated from multiple factors. This will help organizations detect and prioritize responses to the latest threats automatically. Additionally, organizations can leverage the same threat intelligence to check the posture of their endpoint and network security controls, which helps to adapt their protection and automatically reduce exposure to emerging threats. Finally, Trellix XDR leverages AI-enabled investigative guides, which help analysts dynamically ask questions of mountains of data, greatly improving their ability to investigate cyber incident threats faster. These are just a few examples of how Trellix applies “living security” concepts to solve practical problems of advanced threat detection, investigation, and talent empowerment.
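The correlation-and-scoring idea described in this answer (logs matched against threat intelligence indicators, incidents ranked by a risk score built from several factors) can be illustrated in a few dozen lines. The block below is an added example written for this page, not Trellix code and not a description of how Trellix XDR actually scores incidents. The indicator feed, asset criticality table, log events and the scoring formula are all constructed assumptions; the indicator values are placeholders, not real IoCs.

```python
"""Toy XDR-style correlation: match log events against an indicator feed,
group hits per host into incidents, and rank incidents by a risk score.
Added example; the feed, events and formula are constructed assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List

# Constructed indicator feed (placeholders, not real IoCs).
# confidence: how much the feed trusts the indicator (0-100)
# severity:   how bad a confirmed hit is (1-10)
THREAT_INTEL: Dict[str, dict] = {
    "203.0.113.45": {"kind": "ip", "confidence": 90, "severity": 8, "tag": "ransomware-c2"},
    "bad-update.example": {"kind": "domain", "confidence": 70, "severity": 6, "tag": "phishing-lure"},
    "ab" * 32: {"kind": "sha256", "confidence": 95, "severity": 9, "tag": "loader"},
}

# Assumed asset inventory: criticality 1 (low) .. 5 (crown jewel).
ASSET_CRITICALITY = {"laptop-22": 1, "laptop-07": 1, "dc01": 5}

# Constructed log events from firewall, proxy and EDR sources.
EVENTS = [
    {"host": "laptop-22", "source": "fw", "dst_ip": "203.0.113.45"},
    {"host": "laptop-22", "source": "proxy", "domain": "bad-update.example"},
    {"host": "dc01", "source": "edr", "sha256": "ab" * 32},
    {"host": "laptop-07", "source": "fw", "dst_ip": "198.51.100.9"},
]

# Which event field carries which indicator kind.
FIELD_KIND = {"dst_ip": "ip", "domain": "domain", "sha256": "sha256"}


@dataclass
class Incident:
    host: str
    matches: Dict[str, dict] = field(default_factory=dict)  # indicator -> feed entry
    score: int = 0


def match_event(event: dict, intel: Dict[str, dict]) -> Dict[str, dict]:
    """Return the feed entries whose indicator appears in the event's fields."""
    hits: Dict[str, dict] = {}
    for fld, kind in FIELD_KIND.items():
        value = event.get(fld)
        entry = intel.get(value) if value else None
        if entry and entry["kind"] == kind:
            hits[value] = entry
    return hits


def risk_score(matches: Dict[str, dict], criticality: int) -> int:
    """0-100 score: sum of severity*confidence over distinct indicators,
    weighted by asset criticality. Integer arithmetic keeps it deterministic."""
    base = sum(e["severity"] * e["confidence"] for e in matches.values())  # max 1000 per hit
    factor_q = 4 + (criticality - 1)  # criticality weight in quarters: 1.0x .. 2.0x
    return min(100, base * factor_q // 80)


def correlate(events: List[dict], intel: Dict[str, dict],
              criticality: Dict[str, int]) -> List[Incident]:
    """Group indicator hits per host into incidents and rank them by score."""
    incidents: Dict[str, Incident] = {}
    for ev in events:
        hits = match_event(ev, intel)
        if not hits:
            continue  # benign event, nothing to correlate
        inc = incidents.setdefault(ev["host"], Incident(ev["host"]))
        inc.matches.update(hits)  # distinct indicators only
    for inc in incidents.values():
        inc.score = risk_score(inc.matches, criticality.get(inc.host, 1))
    return sorted(incidents.values(), key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for inc in correlate(EVENTS, THREAT_INTEL, ASSET_CRITICALITY):
        tags = ", ".join(e["tag"] for e in inc.matches.values())
        print(f"{inc.host:10} score={inc.score:3}  hits: {tags}")
```

A single high-severity hit on the domain controller outranks two medium hits on a user laptop because asset criticality multiplies the base score; a real platform would add further factors (indicator age, kill-chain stage, whether the control blocked or only observed the activity), but the ranking mechanism is the same.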
In recent years, the world has been jumping from one crisis to another. After the Covid pandemic came the war in Ukraine. These upheavals are undoubtedly affecting the cybersecurity landscape. What has changed in the approaches and objectives of cybercriminals?
The World Economic Forum explained that the post-Covid world of interconnected geopolitical, environmental, societal, technological, and economic crises has created a Polycrisis condition. In this current Polycrisis situation, seemingly unrelated crises interact, creating a complex global situation with outsized impact. Its 2023 Global Risks Report identified cybercrime and cyber insecurity as a top ten risk. Cyber threat actors understand this situation and are adapting to further their goals. For example, ransomware attacks are now a triple threat involving extortion, data destruction, or system disruption. We have seen attackers shift targets to smaller enterprises. In a recent Trellix blog, the data indicates that almost 50% of ransomware attacks were against companies with fewer than 500 employees. These attacks now impact a wide range of risk categories and affect businesses everywhere. Secondly, we have seen cybercrime groups such as Conti take sides in the conflict and publicly pledge support for the Russian government. This could lead to more attacks against critical infrastructure or government systems in NATO countries and Ukraine. And with the presidential elections in the US approaching fast, we can anticipate more information operations to influence public opinion to support candidates against additional Ukraine support. Finally, cybercriminals are increasingly targeting supply chains. Historically, these attacks were against smaller software supply chain companies such as SolarWinds. However, these attacks are shifting to large cloud service providers like Microsoft. This is an alarming trend and one that could undermine confidence in normally trusted providers.
Ransomware and phishing are the most frequently mentioned cyber threats. Does their dominance continue, or are there other types of cyber threats that endanger business and the public sector?
As mentioned above, cybercriminals have adapted ransomware capability and expanded their target range to include small businesses. With the current economic and geopolitical uncertainties, organizations may not have the necessary budget to improve cyber defense capability, so it’s likely ransomware will continue to dominate for the next few years. However, there are other red flags to consider. In Trellix’s June 2023 Threat Report, we highlighted the growing threat from nation-state actors, with China dominating the scene. APT actors linked to China generated almost 80% of nation-state activity. Trellix anticipates China will grow malicious cyber efforts for the purpose of espionage, economic advantage, and disruptive activities against the US, Taiwan, and its allies. Regarding initial access vectors, phishing still dominates and is used in most ransomware or APT attacks. However, rogue access through cloud infrastructure is on the ascent. The most dominant method here is through valid accounts. Organizations should focus on improving identity and access management programs as well as threat detection on anomalous account activity.
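The closing recommendation, detection of anomalous activity on valid accounts, is where a defender has to lean on behaviour rather than credentials, because the sign-in itself succeeds. The block below is an added example of one simple way to do that, written for this page and not taken from Trellix or any product: it builds a per-user baseline (countries, devices, hours of day) from constructed historical sign-in records and then flags new sign-ins that leave that baseline, including a country change within a short window. The records, the two-hour travel window and the one-hour tolerance on working hours are assumptions.

```python
"""Baseline-and-deviation check for cloud sign-ins with valid credentials.
Added example; all records and thresholds below are constructed assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed historical sign-ins used to learn what "normal" looks like per user.
HISTORY = [
    {"user": "alice", "ts": "2024-04-01T09:05:00+00:00", "country": "BG", "device": "laptop-a1"},
    {"user": "alice", "ts": "2024-04-02T17:40:00+00:00", "country": "BG", "device": "laptop-a1"},
    {"user": "alice", "ts": "2024-04-03T08:30:00+00:00", "country": "BG", "device": "phone-a1"},
    {"user": "bob", "ts": "2024-04-01T10:00:00+00:00", "country": "DE", "device": "laptop-b1"},
    {"user": "bob", "ts": "2024-04-02T14:00:00+00:00", "country": "DE", "device": "laptop-b1"},
]

# Constructed new sign-ins to evaluate; every one of them used valid credentials.
NEW_EVENTS = [
    {"user": "alice", "ts": "2024-05-03T10:00:00+00:00", "country": "BG", "device": "laptop-a1"},
    {"user": "alice", "ts": "2024-05-03T10:40:00+00:00", "country": "US", "device": "laptop-a1"},
    {"user": "bob", "ts": "2024-05-03T03:15:00+00:00", "country": "NG", "device": "browser-77"},
    {"user": "bob", "ts": "2024-05-03T11:00:00+00:00", "country": "DE", "device": "laptop-b1"},
]

TRAVEL_WINDOW = timedelta(hours=2)  # assumed: a country change faster than this is suspicious
HOUR_TOLERANCE = 1                  # assumed: +/- this many hours around seen sign-in hours

Baseline = Dict[str, Dict[str, set]]
Finding = Tuple[str, str, str]  # (user, timestamp, reason)


def build_baseline(history: List[dict]) -> Baseline:
    """Collect the countries, devices and hours each user has signed in from."""
    base: Baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for rec in history:
        b = base[rec["user"]]
        b["countries"].add(rec["country"])
        b["devices"].add(rec["device"])
        b["hours"].add(datetime.fromisoformat(rec["ts"]).hour)
    return dict(base)


def detect_anomalies(baseline: Baseline, events: List[dict]) -> List[Finding]:
    """Flag sign-ins that deviate from the user's baseline or imply implausible travel."""
    findings: List[Finding] = []
    last_seen: Dict[str, Tuple[datetime, str]] = {}  # user -> (ts, country) in this batch
    empty = {"countries": set(), "devices": set(), "hours": set()}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings with same tz sort correctly
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        b = baseline.get(user, empty)
        reasons = []
        if ev["country"] not in b["countries"]:
            reasons.append("new country %s" % ev["country"])
        if ev["device"] not in b["devices"]:
            reasons.append("new device %s" % ev["device"])
        # Off-hours: not within the tolerance of any hour this user has signed in at before.
        if b["hours"] and not any(abs(ts.hour - h) <= HOUR_TOLERANCE for h in b["hours"]):
            reasons.append("off-hours %02d:00" % ts.hour)
        # Country change within the travel window, judged against the previous sign-in in the batch.
        prev = last_seen.get(user)
        if prev and prev[1] != ev["country"] and ts - prev[0] <= TRAVEL_WINDOW:
            reasons.append("country changed %s->%s within %s" % (prev[1], ev["country"], ts - prev[0]))
        last_seen[user] = (ts, ev["country"])
        findings.extend((user, ev["ts"], r) for r in reasons)
    return findings


if __name__ == "__main__":
    for user, when, reason in detect_anomalies(build_baseline(HISTORY), NEW_EVENTS):
        print(f"{when}  {user:6}  {reason}")
```

Each reason is emitted separately so that a downstream rule can weight them (a new device on its own is routine; a new device plus a new country plus an off-hours sign-in is worth an analyst's attention). A production version would read the baseline from a longer window, pull country from IP geolocation and add MFA outcome and source ASN as further dimensions, but the shape of the check is the same.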
Finally, could you give some advice to organizations on how to better protect their environments and make them more resilient?
Throughout this article, we highlighted the need to build resilience in the face of escalating cyber threats set in the context of the world’s Polycrisis situation. Organizations should be adopting Zero Trust as their security architecture guidelines in an effort to build resilience. According to NIST, Zero Trust is an evolving set of cyber security paradigms that moves defense from static, network-based perimeters to focus on users, assets and resources. It’s very much a systems-based approach to security which supports a resilience outcome. Another practical step for organizations to take includes an assessment of their security operations maturity. The ability to proactively identify, hunt and respond to a security incident quickly is a key tenet of resilience, and that function normally lies within their Security Operations Team. I believe XDR solutions and more effective use of threat intelligence should be part of any improvement plan. Finally, any talk of resilience must have a focus on people. A key mindset shift is not to talk about the “talent shortage or gap” but to focus on talent empowerment. Before looking outside of organizations, it’s important to first look at innovative ways to upskill your current talent through external or internal training, by leveraging automation and AI-enabled solutions, conducting realistic exercises, and mentoring.
The interview was conducted by COMPUTER 2000 Bulgaria – official distributor of Trellix for Bulgaria and North Macedonia.