Trellix: The countermeasures are paramount in cybersecurity today

Interview with Michal Ostrowski, senior director of EMEA at cybersecurity company Trellix

The pandemic is over, but the threats to cybersecurity are not. The dangers unleashed during the coronavirus crisis have not subsided; they keep changing dynamically. All sorts of organizations are targeted, but telecommunications companies, transport and shipping, and government agencies are of particular interest, said Michal Ostrowski, senior director of EMEA at cybersecurity company Trellix. He is one of the speakers at the regional cybersecurity conference InfoSec SEE 2022, organized by the distributor COMPUTER 2000 Bulgaria on June 19-22 at the Lighthouse Golf & Spa Resort Bulgaria.

Trellix delivers adaptive, innovative cybersecurity solutions for businesses and organizations around the world, combining the highly qualified McAfee Enterprise and FireEye teams. Its customers include 78% of the Fortune Global 500. With 35 years of market experience, the company serves 40,000 customers, has a team of more than 4,000 employees and has annual revenue of 1.7 billion dollars.

Cybercrime and cybersecurity have evolved rapidly during the last 2.5 years. What is the biggest cyber threat today? Is it external or internal?

It is still external. With so many various organised groups of hackers we have seen a huge rise of financially motivated hacking campaigns throughout the pandemic. Now, with the Russian aggression on Ukraine, Russian APT groups have become the most active among all nation-sponsored actors in the world.

Of course raising cybersecurity awareness should be a top priority for all the organisations both on the government and the commercial side, so definitely an unaware employee can become a threat for any company.

In Trellix's latest report the vendor says "we are slowly moving out of the pandemic"; does that mean cyber threats are lessening? Or are they just changing?

Unfortunately it only means that attacks keep changing. Hackers will keep attacking and they will adjust to any new situation. During the pandemic we have observed many financially driven attacks with Log4Shell being a perfect example of those. In parallel to the Russian military aggression, we have observed that in cyberspace, focus shifted to campaigns weaponizing cyberthreats against Ukrainian infrastructure but also against European government institutions and critical infrastructure.

In your opinion, what type of cyber threat would be the most influential (most destructive) post-pandemic? (e.g. DDoS, phishing, ransomware, etc.)?

Even though law enforcement agencies were quite successful in taking down several ransomware campaigns recently, ransomware still poses a great threat to any organisation, and its destructive nature certainly puts it on the top-priority list for any company.

The sectors most attacked by ransomware last year were business services, non-profit organisations and government institutions. The most popular ransomware families were Lockbit, Cuba, Conti and Ryuk.

Another threat that I would like to highlight is nation-state activity. We have observed a huge increase in APT group activity. Given the geopolitical situation of Bulgaria, those activities should be closely monitored and countermeasures should be applied. Activity of APT29, in my opinion the most sophisticated group in the world, had risen by over 30% at the end of 2021. Cobalt Strike, one of the tools used by nation-state actors, has been observed twice as often as before over the last couple of months. The disruptive character of those nation-inspired activities can be seen in the fact that the most probable targets for APT groups have become telecommunication companies, transportation and shipping, and government.

What are the key takeaways from Trellix's last threat report?

Given the rise in cyberattacks over the last couple of months and their variety, I think it's essential to implement countermeasures to minimise the risk of a successful attack. Organisations should take a close look at the TTPs used by Russian nation-state groups to protect their environments from infiltration.
They should look for spear phishing attacks utilising shortened URLs of malicious domains, monitor for brute force activity, enable multi-factor authentication for every user without exceptions, watch for exploitation of public-facing systems by checking CVEs, disable all ports and protocols that are non-essential to their business activities, especially those related to remote services, and block open-source tools used in previously seen attacks, like UltraVNC and similar.

All the steps mentioned above don't require investment. They can be done by any organisation. Yet surprisingly, many attacks still originate from the abovementioned sources.
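Two of the countermeasures listed above (spotting spear-phishing links that hide behind URL shorteners, and monitoring for brute-force login activity) are simple enough to demonstrate in a short triage script. The following Python is an added example, not code from the interview or from Trellix: the shortener list, the thresholds and the sshd-style log lines are all constructed for the demo and would be replaced by an organisation's own threat intelligence and real logs.

```python
"""Log triage for two low-cost countermeasures: shortened-URL links in
messages and brute-force login attempts in an auth log.

Added example; not from the interview or from Trellix. All log lines,
hosts and thresholds are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed list of URL-shortener hosts. Extend it from your own intel feeds.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def shortened_urls(text):
    """Return every URL in text whose host is a known URL shortener."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            hits.append(url)
    return hits


# Constructed sshd auth log (syslog format; year is not part of the timestamp).
AUTH_LOG = """\
Jun 20 10:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jun 20 10:00:03 bastion sshd[1203]: Failed password for admin from 203.0.113.7 port 51020 ssh2
Jun 20 10:00:04 bastion sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Jun 20 10:00:06 bastion sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51044 ssh2
Jun 20 10:00:07 bastion sshd[1209]: Failed password for root from 203.0.113.7 port 51050 ssh2
Jun 20 10:00:09 bastion sshd[1211]: Accepted password for root from 203.0.113.7 port 51061 ssh2
Jun 20 10:15:00 bastion sshd[1300]: Failed password for alice from 198.51.100.4 port 40110 ssh2
Jun 20 11:30:00 bastion sshd[1400]: Failed password for alice from 198.51.100.4 port 40200 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+)"
)
OK_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)"
)


def _ts(stamp, year=2022):
    """Parse a syslog timestamp; the year is assumed because syslog omits it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def brute_force_sources(log, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for sources with >= threshold failed logins inside
    any sliding window. A finding also records which accounts that source
    logged into successfully after its last failure, the case that matters
    most (password guessing that worked)."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            fails[m.group(3)].append(_ts(m.group(1)))
            continue
        m = OK_RE.match(line)
        if m:
            successes[m.group(3)].append((_ts(m.group(1)), m.group(2)))

    findings = {}
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                last_fail = times[j]
                after = [user for t, user in successes[ip] if t >= last_fail]
                findings[ip] = {"failures": count, "success_after": after}
                break
    return findings


if __name__ == "__main__":
    # Constructed phishing-style message body.
    msg = ("Please review the invoice at https://bit.ly/3xYz before Friday; "
           "the policy is at https://intranet.example.com/policy")
    print("shortened URLs:", shortened_urls(msg))
    print("brute force:", brute_force_sources(AUTH_LOG))
```

Both detections are deliberately cheap: no external service, no agent, just a regular expression pass over logs the organisation already collects. The `success_after` field is the part worth alerting on first, because a burst of failures followed by an accepted login from the same source is the signature of a guessing attack that succeeded, which is exactly what mandatory multi-factor authentication is meant to prevent.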

Providing cybersecurity solutions today means a lot of investment in research. What part of the total budget of an IT-security company typically goes to R&D? Are ML and AI powerful enough to provide adequate cyber-defense today? How do you, at Trellix, use ML and AI to advance your IT-security offering?

The cybersecurity landscape keeps changing. Any company providing solutions in that space should put maximum effort into constant development of their portfolio. We have to be able to build a “living security” which means it has to be adaptable to a constant change.

The industry average spend on R&D is slightly below 11%.
Machine learning and artificial intelligence are buzzwords used to describe a process where software is able to adapt on its own and make decisions based on given data. I strongly believe that even though machines will keep getting better and better at that process, there will always be a need for human interaction and a human decision regarding the most important aspects of cybersecurity.

Trellix has been using ML technologies for a long time, formerly on both the McAfee and the FireEye side. Those technologies are present in basically the entire portfolio of solutions. Given the amount of traffic that keeps rising and the skyrocketing number of attacks and incidents, Trellix is using artificial intelligence to filter those alerts down to the ones that matter the most. One of the biggest challenges of modern cybersecurity is how to find that needle in a haystack. And we do just that: operating on big data, we are able to correlate series of events and determine which ones require immediate reaction, and of course AI is essential to achieving that goal.

As more and more pieces of our lives are becoming digital and data-driven (e.g. connected/autonomous cars, smart HVAC systems in buildings, etc), do you expect recent changes in the cyberthreats landscape?

We live in amazing times where technology helps us in every aspect of our lives: communications, transportation, healthcare, everyday living. Everything connected is already here; unfortunately, with that come new threats which aren't limited to the IT or OT infrastructure anymore. Anything that has a piece of software on it can be hacked, whether it's a car, smart home devices or surgical robots. That's why we need to apply the concept of shift-left security. Secure design has to become one of the elements of every "smart" device manufacturing process.

Recent surveys show that most organizations have already adopted a "hybrid cloud" IT strategy. What is the greatest security risk now that corporate data and processes "live" in a hybrid-cloud environment?

I don't think the cloud poses any different kind of threat than an on-prem infrastructure. The biggest challenge is to be able to protect data wherever it is, so to understand what is actually happening to my data in cloud or hybrid environments. Whether we want it or not, we already live in a cloud-first world.

The greatest risk of cloud is lack of visibility and control over data in that cloud. And that’s what cloud security should mostly be about.