CISO on CISO Perspectives
Organizations across industries continue to grapple with the challenges of an ever-expanding attack surface and increasingly sophisticated cyberthreats. With many moving parts as well as social and economic changes affecting the threat landscape, it can be unpredictable. Fortinet’s FortiGuard Labs’ latest semiannual Global Threat Landscape Report, explores the top cyberthreat trends that occurred in 1H 2021. Fortinet Field CISOs Alain Sanchez, Joe Robertson, and Renee Tarun joined us to discuss how organizations across industries have been impacted by these threat trends, and what this means for them moving forward.
Renee - Ransomware is certainly top of mind. In fact, according to Fortinet’s FortiGuard Labs, ransomware levels remained high and increased steadily over the course of the year. The average weekly ransomware activity was, in fact, 10.7x higher than levels set one year ago. These ransomware attacks present threats to a broader range of industries beyond just healthcare, government, and the education sector. We are seeing these types of attacks on OT networks and organizations in sectors of critical importance, like we have seen with recent, high-profile attacks. In fact, Fortinet's global ransomware survey showed that many organizations are more concerned about ransomware than any other threat.
In addition to ransomware, we have seen a set of vulnerabilities in Microsoft Exchange Server that has caused widespread concern due to the number of systems impacted and the fact that attackers were actively exploiting the flaws before Microsoft issued patches for them on March 2. The flaws, which some referred to as ProxyLogon, posed a threat to organizations with Internet-facing Exchange servers that accepted untrusted connections from an external source.
Alain - There are two extremes of the threats that I hear a lot about these days; one is the sophisticated attacks such as swarm-based that can weaponize 5G and edge computing. These attacks require large amounts of processing power in both the execution and in the response. But also, I hear a lot about the other extreme, caused by a lack of basic cyber hygiene such as basic passwords or rudimentary authentication. The first category, although potentially very dangerous, represents a relatively small number of attacks, all extremely targeted and very little spoken of. The latter represents a much larger portion of attacks. This leads us to the importance of education as a way to rally the entire organization to the security cause and reduce resistance to the implementation of advanced authentication practices and more demanding security processes. Fortinet’s NSE Training Institute free Information Security Awareness and Training Service is a good example.
Joe - I deal with many industrial customers who are looking to protect their production facilities: factories, refineries, power plants, etc. Like with just about every sector, they are concerned about ransomware. However, as they are highly dependent on industrial control systems, supply chain attacks are also top of mind for them. In this environment, a “supply chain” attack also takes on a very literal meaning because most of these companies have long, multi-party supply chains for producing their products. These suppliers and partners often have links into the organization’s ERP and business process systems, so ensuring that all partners are as well protected as they themselves has become a big topic of discussion.
Alain - I would agree with ransomware being the biggest category of threat across many segments. However, I observe variations in the effects of the attacks across some verticals. Banking institutions are more subject to a type of phishing that aims at installing components that get hold of credentials and apply methods to move up the admin chain to later take control of larger portion of the information system. In retail, it seems that hackers are targeting large amounts of small transactions and cash—things that they will more immediately see the benefits of before the door closes. As customer databases grow in volume and in sophistication, like in online businesses or social networks, they get targeted by more organized organizations that would resell them to influence opinion rather than extorting funds directly.
Renee - The majority – 85% – of data breaches involve human interaction, according to the 2021 Verizon Data Breach Investigations Report. In addition, 50% of all ransomware attacks involve some form of social engineering like phishing. That’s why security awareness training needs to be at the heart of any cybersecurity strategy. You need to make sure all your employees get substantial training on spotting and reporting suspicious cyber activity and training on how to use technology securely no matter where they are operating.
In addition, you really need to have a full endpoint security suite that offers Antivirus, Web filtering, Application Firewall, Vulnerability scanning as well as SSL or IPSEC VPN for secure encrypted remote access communication to the corporate head end. An EDR solution can do real-time detection and remediation. Endpoints are often the first point of compromise, so you really want to mitigate threats on the endpoints as quickly as possible before these threats spread across your environment.
Alain - Organizations respond to the explosion of attacks by the rationalization of their defenses. Less is more when it comes to achieving advanced correlation between network and security alarms. And also, less is faster. Where we used to have a couple of weeks to analyze, we barely have milliseconds, and as super-fast edge technologies are emerging such as 5G, the time scale is even shorter. This is why leveraging a platform approach to cybersecurity is key—with a Security Fabric, organizations can improve visibility and control while simplifying the network infrastructure.
Joe - Renée has covered a lot of the important territory on this. I would add, however, that zero trust is another area that helps you protect yourself across the entire range of your environment. Zero trust essentially means “don’t make any assumptions.” The fact that a user is “inside the firewall,” does notmean you can do without further checks. In the case of industrial companies managing their suppliers, zero trust is an excellent way of ensuring that third-party users are authorized, have access only to the systems they need, and are continuously checked and rechecked to ensure their devices meet minimum standards of protection.
One other area where I see lots of activity is the interconnection of remote sites: factories, oil and gas fields, etc. Companies often view SD-WAN as a cost-effective solution for providing them with the data links they require for Industry 4.0 transformations. Often, they only think of SD-WAN in terms of networking, because using broadband access rather than MPLS links is far less expensive. However, by opening the production site to an internet connection for internal connections, you are also opening it to inbound probes – and attacks – by bad actors. So having built-in enterprise-grade security as part of an SD-WAN solution is critical. I tell many operations managers and CISOs that they must be involved in Secure SD-WAN decisions. Their business depends on it.
Alain - Yes, I agree with Joe. Zero Trust operates as a catalyst of the cyber hygiene of tomorrow. Instead of having disjointed security processes and products, the necessity for a real-time, context-sensitive authorization mechanisms under one same policy provides a scalable security framework. Security can be exercised anywhere, regardless of the device, location, and application.
Renee - In today’s environment, security teams need to be leveraging AI and automation as much as possible. Adversaries are fully aware of how our threat landscape is expanding and that we have limited resources. They try to use this to their advantage and are leveraging AI and automation in their attacks against us to increase the depth and breadth of their attacks, so we need to be proactive and fight fire with fire.
By leveraging AI-driven solutions, such as AI-assisted network access control, cybersecurity professionals can achieve clear visibility into every device accessing a network at any given time. AI and automated tools simplify network management across these environments and alert security teams to imminent threats and process an automatic threat response. AI, especially, can continuously shift through mountains of data collected from devices across the network to identify threats. It can also automatically investigate the influx of alerts that have traditionally required manual input from security teams, enabling them to make better informed decisions, create a more proactive and efficient security program, and be more cost-effective.
Alain - The human brain is just not fast enough, and its memory just not big enough to correlate millions of events happening in thousands of locations. In addition, what was malicious one year ago, such as encryption algorithms, can be perfectly legitimate as encrypted documents are natively generated by applications. So not only does the human brain get tired, but there is also room for human error. In this context, we need automation and AI to free humans from repetitive tasks and have our teams focus on mission-critical tasks and coming up with the next innovation. When you think how difficult it is to recruit a cyber professional nowadays, the last thing you want to happen is to see the person leave due to excessive stress.
Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.