John Shier, Senior Security Advisor, Sophos, tells Anita Joseph, Editor, Security Advisor ME, in an exclusive interview how Sophos adopts a comprehensive, collaborative and innovative approach to cybersecurity.
How would you evaluate the global threat landscape today? What are the main areas of concern?
The obvious global concern is ransomware. Unfortunately, ransomware is often a symptom of an underlying security weakness. The reasons for ransomware’s success are varied and speak to a broader set of causes. We find ourselves in a world where many cybercriminals have specialized and offer their unique services to others. Some focus their efforts on initial access by breaching companies with weak security on their externally facing services. Others are skilled at phishing, which nets them valuable network credentials. Both these groups can resell their ill-gotten information to other criminals who are skilled at hands-on attacks and data exfiltration.
We also see malware, mostly in the form of droppers, that provide this initial foothold and offer compromised hosts to other malware crews, like banking trojans. These banking trojans will, in turn, sell their access to ransomware crews once they have everything they need for financial fraud. Much of this world is automated, but it is supported by well-resourced criminals who have the time, money, and skill to deal with setbacks. What’s worse are the groups that offer everything-criminal-as-a-service to unskilled, wannabe-cybercriminals.
Taken together, all these different threats and threat groups make it so that defenders need to be on constant high alert for potential problems in their environment. Just because you stopped an Emotet infection doesn’t mean that Trickbot isn’t hiding somewhere else. An exposed service, like RDP, can quickly turn into an entry point for an attacker. Once inside, they may drop clues to their presence, but these must be detected and investigated by security analysts. Failure to do so can, and often does, result in a ransomware attack. In the end, a lot must be done right so that one small misstep doesn’t bring your company to its knees.
Multi-factor authentication, machine learning, application control: how can these technologies be used to respond effectively to modern-day sophisticated cyber-attacks?
Protection technologies are particularly effective when they excel at a narrow set of capabilities. For example, application control allows administrators to divide applications into allowed and blocked. This simple division means we can authorize known-good applications from those we want to keep off our endpoints, thus reducing our attack surface. It doesn’t mean a “good” application can’t do “bad” things but at least now we have fewer applications capable of doing bad things.
Machine learning is designed to deal with large volumes of data and can identify hidden patterns. To that end, we use it for blocking the hundreds of thousands of threats we see every day. But, to take our first example, we can also use it to spot suspicious patterns in behavior. If a “good” application starts behaving badly, machine learning can override application control and provide a backstop for catching novel threats. This layering of technologies, each with a specialized focus, is key to protecting modern environments.
Multi-factor authentication (MFA) is another backstop to an existing technology. Password-only authentication is fine provided the passwords are unique, long enough, stored properly, and kept secret. Failing any one of those criteria can lead to unauthorized access. MFA has been designed to provide an additional layer of security for when those criteria aren’t met. Whether the failure happens to be password re-use, easily guessed or brute-forced, or disclosed by breach or subterfuge, MFA can stop an attacker dead in their tracks.
How can the security industry become collaborators and inventors to respond to evolving threats?
I’d argue that we’re already doing this, but it doesn’t mean we can’t do more. There are established groups, like the Cyber Threat Alliance (CTA), which aims to “improve the cybersecurity of our global digital ecosystem by enabling near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field.” Other groups, such as industry-focused ISACs, can get more focused with industry-specific threat information and protection strategies. Constant sharing and communication are key to developing a robust cybersecurity industry that pushes itself to continually improve and innovate in the face of ever-increasing and sophisticated attacks. At Sophos, we value diversity and sharing, which is why we participate in groups like the CTA and contribute to ISACs. We believe that our knowledge will help others make better decisions about how to protect themselves. We also benefit from the knowledge of others, especially those that look at the threat landscape from a different angle. It helps provide perspective and context that is incredibly important in this multi-dimensional fight with cybercriminals.
How is Sophos helping companies stay cyber-resilient and minimize the impact of complicated hacking techniques?
Sophos helps companies fight cybercrime in a few ways. First, we provide companies with products that prevent threats and unwanted software from infecting your devices and networks. Next, we provide a managed service that continuously monitors customer environments for those that don’t have a security team, and a rapid response team to help companies who find themselves under active attack. Lastly, we provide insight into current threats and adversary tactics, and advice on how to best protect yourself through our various outreach channels.