Marty Edwards, VP, OT at Tenable, tells Anita Joseph how ransomware attacks are becoming all-pervasive and how Tenable is closely watching the threat environment, in order to help organisations prioritise vulnerabilities that are being exploited the most.
Ransomware is taking centre stage today, so what’s your take on the ransomware attack scenario in the region?
Ransomware is certainly becoming one of the predominant threats that we face these days. Everybody has talked about and focused on the nation-state aspects of cybersecurity for far too long, and now we see the shift towards highly organised criminal organisations. I am extremely concerned because I think criminals always go where they can make the most money and critical infrastructure is a very attractive target for them. I think they’re going to continue to pivot and target organisations where they can make the most money.
Is the critical infrastructure of organisations actually being affected by rampant ransomware attacks, and what can organisations do if they find themselves the target of a ransomware attack?
Before the convergence of IT & OT networks, all the operational technology – the computers that actually operate your factory or operate your water treatment facility or your power grid or refinery or what have you – were predominantly isolated or air-gapped. But that’s no longer the case. For business reasons we’ve interconnected these different networks, and you have to be very concerned with the detection of ransomware or detection of any kind of security threat, no matter what network it’s on.
I would say that if you find ransomware on your network, then it’s almost too late to be testing your backup and restore procedures. You should have a plan and you should anticipate a worst-case scenario, for example that you’re going to be infected with ransomware. So, make sure that you have your backup and recovery plans, plus your disaster recovery plans, in good shape, and regularly test them. I can’t believe how many people take backups of their data, but they never test restoring them. So, the way I describe it to people is that you should treat it no differently from anticipating a fire — for example, in your server room. If you have a fire in your server room, and it destroys your computers, how many days does it take your business to get back up and running? Ransomware should be no different, and we should have a plan in place to limit the damage and recover quickly.
What do you think is the biggest challenge that organisations in the region face in the fight against ransomware? Why does this happen and how does the challenge come about?
It’s complex, and I think that there’s no easy answer. Some organisations do an extremely good job at proactive cyber security measures to try and combat things like ransomware. But then you have other organisations that perhaps haven’t even started with a basic level of security. I wouldn’t want to paint any organisation as being good or bad. Ransomware is evolving in complexity and we are seeing increased instances of Ransomware as a Service – this means you have experts that write the actual code, but then they sell that as a service to some other criminals that may not have the cyber skills, but are more efficient at moving money and targeting organisations, or getting that initial system foothold. So, they’re all working together, and that means they’re bringing the best of the best to the fight. As defenders, we have to counter that with the best of the best, as well.
How does Tenable step in to help fight ransomware in the region?
It’s multifaceted. First and foremost, the majority of ransomware is based on known and existing vulnerabilities. So, if you have a good programme in place to detect where your assets are vulnerable, then you are in the position to prioritise these to fix the highest priority ones first. We do this for you – we watch the threat environment and we help you prioritise which vulnerabilities are being exploited the most. We do that everywhere in your IT network. And in your OT environment, we also have threat detection capabilities. So, we’re actually monitoring all networks and we can tell you if we see threats in any area.
Are businesses doing enough to address the issue? How do you see the whole ransomware ecosystem playing out?
It’s no longer sufficient to just have a standalone security product inside your Operational Technology environment, or a standalone security product for vulnerability management, or a standalone security product for Active Directory security management, and so on. We need to get all that information into the same place, so that it can be analysed to give you a holistic picture of what’s happening from a security standpoint on your networks. These converged networks are complex and they’re connected in ways that many organisations don’t even understand, until we help them through that journey.
And so, I think that you need to partner with a security provider that can give you a broader view. This ransomware threat is not going away. Fortunately, our governments are holding diplomatic discussions on international law enforcement and are trying to do better at holding criminals accountable for their actions. But I think it’s such a lucrative environment right now, that it’s only going to get worse. In fact, we haven’t seen the worst of it yet.