Australia and India are the countries with the highest volume of cyber attacks across APAC, though almost all APAC countries have seen ransomware incidents.
In an interaction with N V Vijayakumar, FireEye CTO and Asia Pacific Vice President Steve Ledzian says it is better to put in security measures before your own organisation becomes a victim at a time when cyber attack In APAC region is getting to be a more sophisticated problem.
How are you looking at the cybersecurity opportunity in the Asia Pacific, specifically in India, as there are rising cyberattacks, especially during this pandemic era? Can you give us some insight on your experience and also how the market is behaving?
it’s very apparent to everyone, from private organisations to those in government that the cyber problem has continued to grow in escalation as a global problem.
Certainly, India is not excluded from that, as of late, the country has been witnessing its share of cyber attacks. We’ve seen that the ransomware threat has become more in terms of volume, victims, specifically across the Asia Pacific region. Australia holds the number one spot for ransom threats and India is at number two position.
Ransomware, the way it is traditionally called, is malware that comes into your system and encrypts your files so that you can’t access them.
That went on for a number of years and threat actors were collecting a certain amount of ransom fees, to release the decryption keys. What we see happening now is that they’re not stopping it, just encrypting the files before they encrypt the files, they steal that information and they threatened to make that information public.
In some ways, for a lot of businesses, that’s worse than having a service disruption, through encrypted files. We just looked at the number of postings of victim organisations that have had their stolen data, posted publicly on what we call the shaming sites, where, the threat actors publicly post that stolen data. We see India in the number two spot, in terms of the number of publicised victims in that way. The problem is getting worse, it’s getting to be a more sophisticated problem.
It’s getting to be a more impactful problem and we’re seeing the ransoms being paid skyrocket in their prices. So, it has certainly evolved quite a bit over the last year and, we don’t see it stopping anytime soon.
As far as malware attack is concerned, India is on the second spot. Can you give me some more light on the current state of affairs and how it is really going to pan out going forward? What are the precautions, both organisations and governments should take to contain it?
It used to be really a malware-based problem, but today attackers are stealing data first. In order to do that, they need to find important data on the servers in the organisation. They need to break into the networks. It is useful to think of ransomware, not just as malware coming into your network but as a remote intruder coming into your network, who has interactive access to the victim organisation. You frame the problem that way in your mind, that will direct, well, how do I try and defend myself against this type of attack? It is much more than just defending yourself against malware.
You need some breach detection and response capability, some intrusion detection and response capability. And, today a lot of organisations have turned, to technologies like EDR endpoint detection and response, NDR network detection and response, XDR extended detection response. Most importantly, MDR managed and response, and a managed detection response service is trying to notice those intrusions quickly and interrupt them before those threat actors have an opportunity to impact the business or to deploy that ransomware.
You would be surprised by how long it takes organisations on average, just to spot that an intrusion has happened in their environment. In Asia Pacific, we measure that it is 76 days, about more than two months, just to notice that there is a remote intruder in the network. And so that is low-hanging fruit. That is a significant opportunity to reduce that to something much more manageable.
That is what managed detection and response solutions aim to do. Over the last year, we have seen about more than a quarter of the incidents that we are responding to are ransomware threats. We have had a lot of learnings from those victims once we’ve, restored the victim organisation, those victims ask us, tell us what we need to do so that we never have to go through this again.
And, we give them advice that if you had this in place, and if you had this configuration in place, if you have this policy in place, if you have this technology in place, you would have been a lot less, a lot less likely to suffer this attack. What we have started doing is taking that advice at rather than offering it to organisations who have been a victim, we take that same advice and offer it to organisations who have not yet been a victim.
Security has to be tackled via a multi-layered approach, spanning from their networks, end point mobile devices and cloud. In India, we have organisations that are growing exponentially without proper security fabric in place, especially startups. So, can you give us some light on how these organisations should start from the beginning itself to take on all these kinds of challenges in the security landscape?
Organisations are at a business level, heavily adopting digital transformation. That’s good because it makes their businesses more efficient, but at the same time, it increases their attack surface, right. We’re using more technology means there’s more technology to attack and that’s to the advantage of the attackers.
If you are a startup that is just building a Greenfield, network infrastructure, very likely you’ll be doing that using cloud technology. So, security in the cloud is quite a bit different than it is on premise. So it’s important to understand those differences. And, there’s a lot of focus on this idea of zero trust of architecting, right from the beginning, additional security checks, in place such that if there is an intrusion somewhere there’s segmentation in place, there are checks in place.
It’s not that once an attacker breaks in, they have free reign, they have additional hurdles to overcome before they can impact the business. Zero trust model, quite important for the startups who are eagerly adopting new cloud technologies, and in the space of heavy digital transformation.
Nowadays lots of clamour happening around cyber hygiene that organisations should practice, so that, they can also escape from untoward security breaches. As far as the security priority of an organisation is concerned, what are the basic parameters should they put in place for cyber hygiene?
You need a very good patching process. So a lot of these attacks come through the exploitation of vulnerabilities and, good patching programs can help reduce that risk. Now, there are threats like zero-day vulnerabilities, where even if you’re fully patched, there’s still a risk, but we see threat actors, who use these older and are still successfully using them.
It is really important to have those patches in place. The challenge for an organisation is that the number of patches they need to manage is often overwhelming. It’s good to take an intelligence led approach and understand which of these vulnerabilities are actually being exploited in the wild.
What is the real risk level of these vulnerabilities? What are the requirements to be able to successfully exploit the vulnerabilities? Is there a proof of concept exploitation available, and use that intelligence led approach to prioritize your patching because patching, while it, you put it in the category of hygiene and maybe you think hygiene or things, which are easy and quick to do, acting is often not easy and quick. It does. It requires a lot of effort. It is a continuous process, there is new vulnerabilities every day. There’s a lot that goes into a successful patching prop program and having an intelligence led approach can help that program be optimal in setting into priorities.
In context, you should also understand that India is more inclined towards an app economy because apps are widely being used across the country. In such kind of a context to what individuals users should be taken care of to keep away from all these kinds of untoward incidents?
I think you have to look at it at two angles. There is the risk to the app and then there is the risk of whatever the app is talking to on the backend. It’s a classic client-server architecture. The app stores will do what they can to make sure there aren’t threats in apps, mobile devices will have checks in place, to let you know, if that app wants to do things that could potentially be malicious, maybe turn on your microphone or access your photos. It’s important for individuals to pay attention to the permissions that they give apps and what they’re allowing apps to be able to do, but also to make sure that they’re downloading apps from trusted sources.
A lot of times apps that don’t come from official app stores, could have malware embedded in them or may pose other risks. Some considerations from the end user point of view, from the other side, the server side or the backend side, it is all of the classic cyber security concerns. If you are, if you have a company that deploys an app, very likely that app may require a log-ins or identities of some sort. You’re going to be collecting identity information, personal, possibly personal information of your users and storing that information over time and to really important that you protect that information. And it’s not that the threat actors are necessarily going through the apps to access that information. They’re going to attack the backend infrastructure.
We have seen this happen in the headlines across a number of, providers over the past, and then large swaths of the customers of that service end up having their personal information, stolen. And often those companies then have to do something to either notify the impacted individuals and maybe take some corrective action, like provide credit monitoring or identity theft monitoring services. And, those attacks happen in all the classic ways. It’s important to have strong email security, strong network security. It’s really the enterprise that the attacker is attacking in those instances. Those attacks happen both from a cyber crime motivation as well as a cyber espionage motivation.
There is a lot happening around encryption technology and customers are saying it can safeguard our assets. What are the other technology advancement happening around the globe?
There is a thinking that if the data is encrypted, then it’s safe. Also, if it is encrypted, it’s inaccessible. So, as long as my data is encrypted, I don’t need to worry about cyber attacks. I would say that is not a good way to think about the problem. Encryption is good, it is helpful, but it, in no way stops a hundred percent of the attacks. There’s different types of encryption.
A lot of operating systems now have encryption on by default, but that encryption, what it’s really trying to do is, provide protection against a specific attack, where someone physically accesses your laptop and rather than logs into your laptop, just removes the hard drive, connects the hard drive to another computer that they have administrative control on, and then accesses your files. You hear encryption, it’s that specific use case that encryption most commonly is protecting against and not any use case where there’s a remote attacker who is breaking into your network and stealing your files. Now there’s different types of encryptions that help in those cases as well. Even those types are not a hundred percent effective.
It’s not to say that encryption is bad, much like many of the things in security, the defensive controls that you put in place, be it encryption or multi-factor authentication or network segmentation. All of these things are helpful and good, but organisations shouldn’t have the misconception that any one of them on their own is a silver bullet against cyber attacks because that’s simply not the case.
Coming back to this 5G transformation, how FireEye is looking at new opportunities?
When we talk about 5G, so there is threats against the 5G protocol itself, but I would say the larger security threat is that 5G enables a lot more conductivity. We talked earlier about digital transformation and how digital transformation grows the attack surface will 5G will do that as well. 5G will enable, connections to the internet that we haven’t seen before, and that will grow the attack surface. That’s another security consideration that we need to think about when we talk about 5g now. We’re really aiming at a cyber resilience across any type of attack, whether it come in through Gg or a traditional wired internet.
By cyber resilience, I meant a combination of prevention technologies, which are doing their best to prevent intrusions into the network, whether that be an internet facing web server or an IOT internet connected device over 5G trying to, prevent those intrusions. But resilience goes further than that. It says that, no prevention is a hundred percent effective. It’s not really possible to stop a hundred percent of all cyber intrusion. That’s where the second half of resilience comes in. That is to notice quickly when prevention failures have happened and to resolve them before there can be any impact to the individual or the organisation.
Those two things together prevention along with detection and response are what gave you cyber resilience and FireEye offers products, services, and cyber threat intelligence that align across that cyber resilience.
FireEye is also known for leveraging machine learning technology, along with artificial intelligence to identify malware areas. Please explain about your company’s technological advancements?
We have a data science team within FireEye and they generate machine learning models for a number of SU cybersecurity use cases. One of those use cases is in our endpoint security. It is a machine learning model to detect malware. We call it malware guard and, it last year won an award, from, the NAB war, which is related to the United States Navy. They put up a cyber challenge. It’s quite a good model when we talk about machine learning.
There’s two things to think about. There is the machine learning algorithm and the training, and then there’s the data set that you use to deliver that training. Of those two, the one that is more important is actually the dataset.
This is why FireEye has such a strong, machine learning capability is because of all the visibility that FireEye has and we call it the Mandy and intelligence grid that comes from the incident response work. We do the network of sensors that we have deployed globally, the underground monitoring. We have quite an extensive collection and have been doing this, across FireEye and Mandy and for, over a decade now we’ve accumulated quite a large set of data.
That data is high quality data, which we use to train those machine learning models. That’s why those models performed so well. We’ve deployed them across our product sets like, endpoint security, network security, helix is our cloud-based SIM. We also use it internally, for things like, attribution and correlating threat groups, threat activity and clusters against one another. There’s a lot of use cases for machine learning. It’s not just about all about finding malware and we’re pretty aggressively using it here at FireEye.
India is a country where we don’t have larger legacy system in place and because of that technology adoption is happening in a faster pace. Are you ready to set up some facilities in India?
We already have an R& D presence, located in India. It might not be dedicated exclusively to 5G. Certainly, we have a significant team located in India, working on tough problems.
Government is also grappling with a lot of challenges as far as security regulation is concerned, especially when there is external actors for cyber attack and garnering intelligence. Do you have any separate mechanism to engage with the government to take it up systematically?
Yes. FireEye does a lot of work with governments all over the world. We engage them by supplementing their intelligence capabilities with our intelligence collection. We protect them with the various FireEye technologies and we have training arrangements. Many governments are looking to ramp up their own cybersecurity capabilities and are turning to Bahrain, Mandy, and, to help train them, in those areas.
A few Japanese companies are planning to set up massive data centers in India. Do you believe that India can be an ideal country for setting up data centers, having their security system here or compared with the other Asia Pacific countries?
The cloud providers already have data centers here. So we know it’s possible. We know that there is a wealth of talent in India to drive those data centers. Every country needs to think about regulation and the regulations that may put any restrictions or additional burden on the operation of those data centers.
Can you explain us about the marketing aspects of products, solutions and services?
We are a cybersecurity firm that is focused along three areas, leading technologies, to prevent and detect cyber attacks. We have the Mandian team, which, provides services in the area of incident response. To organisations who have been the victim of cyber attacks, as well assessments and consultancy services, as well as, an innovative platform, we call Mandy and advantage, which is a way to consume all of that expertise in the form of salt, a SAS delivered service or software. And, the third pillar is cyber threat intelligence.
The intelligence problem has grown so big in order to really be effective. You need to be intelligence led just as a business or a military would make. We operate at a scale and capacity for cyber threat intelligence, that rivals or what some nations are doing. It’s those three areas, that we’re focused on. Information is very critical. Everyone wants to know when there was a headline breach, what went wrong and what are the lessons there and how can they apply those lessons so that they aren’t a subsequent victim that falls prey to the same technique from the attacker. That information, that learning that expertise is what FireEye, aggregates, and uses to protect its customer base.
Which are the four major business verticals facing massive cyber attacks across the globe?
We released a yearly report called M trends. This is all of the aggregate learnings and observations, that our incident response teams have had over the last year. We’ve been releasing this report for more than 10 years now, and it’s publicly available. One of the things that report contains is the top targeted industries. In the year 2020, we saw that the top targeted industry was business and professional services, followed by retail and hospitality. Third and fourth were tied together, which were the healthcare and the financial industries.
What are the steps that India should take?
One type of cyber attack is cybercrime, and it’s obviously, criminals who are doing that. Another type of cyber attack is cyber espionage. The nation state, or sometimes we call them apt advanced, persistent threat actors. And, those two attacks are interesting to look at and to compare against one another.
It may seem that the attacks of late have been a lot more frequent because of all of the ransomware attacks. Now, something that’s inherent in ransomware is that threat actors have to ask for money. They have to make their presence known. Because they’re making their presence known, you’re seeing all of these attacks come to light in the public cyber espionage and nation state attacks don’t operate that way.
In fact, it’s the opposite, those espionage actors, the nation state actors, they want to stay hidden. They do not want to make themselves known. Those attacks are often going undiscovered.
It’s really important that organisations think that they might be a target for a nation state, really have to ask themselves, could I be the victim of an attack without realizing it. In Asia Pacific, it takes the average organisation, 76 days to notice an intrusion. What should organisations do about this? Well, there’s a category of security service. Apart from a pen test where an attacker tries to break in, there’s another type of a category of service called a compromise assessment.
What the compromise assessment does is it’s like an internal health screening, a comprehensive internal scan that is looking for evidence of an intrusion or a breach. We’ve seen those be good measures to take, especially for organisations who think that they might be a target, for a nation-state threat actor.