Senior Instructor at SANS Institute says EDR is not enough amidst complexity of the threat landscape

Kevin Ripa, Senior Instructor at SANS Institute, spoke to CNME Editor Mark Forker at GISEC 2024, in which he says security teams have to stop playing the blame game, he explains the difference between traditional ransomware attacks and ones powered by AI – and how a lack of synergy can severely impact the security posture of an organisation.

Kevin Ripa is one of the most respected IT professionals in the global cybersecurity ecosystem.

In a decorated and distinguished career, his company, Computer Evidence Recovery Inc, has provided consultancy services to multinational corporations, law enforcement agencies, governments and the general public in areas such as data recovery, malicious code removal and incident response, to name just a few.

He is also a Senior Instructor at SANS Institute, and he was present at their booth during GISEC 2024, which was held at DWTC from April 23-25th.

CNME managed to secure an exclusive interview with Ripa in an effort to explore and examine in more detail some of the pressing issues trending in the cybersecurity space.

We kickstarted the conversation by talking about the role being played by AI in a new form of ransomware attacks.

There has undoubtedly been an increase in AI-powered ransomware attacks, and Ripa explained how AI-powered ransomware attacks differ from traditional ransomware attacks.

“An AI-driven ransomware attack is really no different from a normal one, except that it is crafted better. These attack vectors aim to socially engineer their target into clicking on them. In the past you would have to look out for spelling errors to identify a spam message. Now that AI is being used to generate these emails the grammar is perfect, making it easier to deceive the victim. AI-driven ransomware is also adaptable to its environment, and has the potential to recognise the security measures that are in place and bypass them,” said Ripa.

A report recently commissioned by Help AG shows that when it comes to vulnerabilities in cybersecurity, the human factor remains one of the most prevalent causes of attacks.

With sophisticated technology being developed to better protect data and assets, it surely must be demoralising for security experts that human error remains one of the best gateways for hackers to penetrate systems and databases.

However, Ripa believes there needs to be a shift in mindset from security professionals, and declared that for far too long users have been made scapegoats for frailties and bad practice when it comes to cybersecurity.

“It’s a multi-faceted approach, and we believe too much attention is being spent trying to educate the users on cyber hygiene, we need to move away from these buzz phrases that blame the wrong people for the problem. Our users in the computer space have been the scapegoat for far too long. I don’t disagree that cyber-education is important, but I don’t think that we can place people in front of the most advanced piece of equipment designed for human consumption, and expect them to know how to use it securely. At the end of the day, it is the job of our defenders and security apparatus to determine what happens after the user clicks on a link,” said Ripa.

The critical importance of having a robust security posture has been something that has been championed by many security experts, and Ripa explained how the lack of synergy between an organisation’s human expertise, processes and technology adoption can affect an organisation’s security posture.

“Security needs to employ a multi-layered approach once an end user has been targeted as a vector for infiltration. We need to put in place additional layers of defense after a user has been infiltrated, such as identifying the type of document a user is trying to open and notifying them that it may be abnormal. Changing the mindset of management is also a critical factor, too often they do not allow security to do their job because it gets in the way of convenience. A mindset shift needs to occur at the upper levels of business in order to promote better synergy throughout their operations,” said Ripa.

The dial of the conversation then moved on to the topic of how security teams can better differentiate between common threats and targeted intrusions in an incident response scenario.

Ripa said that when it comes to prevention, the cybersecurity ecosystem simply has to do a better job of what he called baselining.

“If you have a dedicated and properly deployed security team and defences in place, then those common attacks should never pose a real issue because they are so predictable. This would then allow teams more time to focus on the targeted attacks, which are very difficult to counter. On a preventative level we need to do a better job of baselining, which is where security teams establish the normal parameters of a user’s working hours and determine whether or not they work from home. With this information, the minute the team sees these systems being accessed outside of these hours it should be blocked immediately. In a ransomware example, the average user accesses 35-45 files a week, so the moment it hits 70 you should lock down the account and stop any services trying to operate it,” said Ripa.

Ripa reiterated the importance of security teams defining what their ‘normal’ actually looks like.

“Response scenarios are all about learning what your ‘normal’ looks like and then defining the correct response should it ever become abnormal. That covers the preventative side of things, but we must also consider the incident reaction element. Reaction comes down to two main factors, training and experience,” said Ripa.
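As an added illustration of the baselining Ripa describes in the two quotes above (not code from the interview, SANS or Ripa), the script below compares constructed access-log lines against constructed per-user profiles: it blocks access outside a user’s working hours or from an unexpected remote source, and locks down an account whose weekly file count reaches the 70-file figure he quotes. The log format, profile fields and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Per-user baseline, the "normal" described above: working hours (24h clock)
# and whether remote (VPN) access is expected. Constructed for this example.
PROFILES = {
    "alice": {"hours": (8, 18), "remote_ok": False},
    "bob":   {"hours": (9, 17), "remote_ok": True},
}

# Constructed sample log lines covering one week: user,timestamp,source,file
SAMPLE_LOG = [
    "alice,2024-04-23T10:15:00,office,q1-report.docx",
    "alice,2024-04-23T23:40:00,office,payroll.xlsx",   # outside working hours
    "bob,2024-04-24T11:05:00,vpn,notes.txt",           # remote, expected for bob
    "alice,2024-04-24T12:00:00,vpn,notes.txt",         # remote, not expected
] + [f"bob,2024-04-25T13:{i % 60:02d}:00,office,doc{i}.pdf" for i in range(70)]


def parse(line):
    """Split one constructed log line into (user, datetime, source, path)."""
    user, ts, source, path = line.split(",")
    return user, datetime.fromisoformat(ts), source, path


def evaluate(log, profiles, lockdown_at=70):
    """Return {user: [alerts]}: per-event checks against the user's baseline,
    then a weekly distinct-file count against the lockdown threshold."""
    alerts = defaultdict(list)
    files_per_user = defaultdict(set)
    for user, ts, source, path in map(parse, log):
        prof = profiles[user]
        start, end = prof["hours"]
        if not start <= ts.hour < end:
            alerts[user].append(f"block: access at {ts.isoformat()} outside {start:02d}-{end:02d}")
        if source == "vpn" and not prof["remote_ok"]:
            alerts[user].append(f"block: unexpected remote access at {ts.isoformat()}")
        files_per_user[user].add(path)  # distinct files touched this week
    for user, files in files_per_user.items():
        if len(files) >= lockdown_at:
            alerts[user].append(f"lockdown: {len(files)} files this week (threshold {lockdown_at})")
    return dict(alerts)


if __name__ == "__main__":
    for user, found in evaluate(SAMPLE_LOG, PROFILES).items():
        print(user, *found, sep="\n  ")
```

In production the profiles would be learned from historical telemetry rather than hard-coded, and the lockdown action would be handed to the orchestration layer rather than printed.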

Ripa concluded a fascinating conversation by stating that EDR on its own is not adequate for repelling the complex security threats that currently exist.

“Lately we’re seeing a lot of technology being sold in the name of emergency detection and response or EDR, but these days the adversary is so complex that EDR alone is not enough. We need to use EDR alongside orchestration, which is what we expect to see versus what we are seeing, and the automated response that should go along with it. For example, some of today’s ransomware goes from infecting the vector to full compromise in five hours or less. In a big enterprise a human will never be able to respond to that in time, whereas orchestration allows for early detection and the elimination of false positives,” concluded Ripa.
