Virtualization Technology News and Information
VMblog Expert Interview: Open Systems Discusses Cybersecurity, MDR Solution Advantages, Cyberattack Evolution and More


With everything that has been happening in the cybersecurity landscape in 2021, VMblog reached out to industry expert Dave Martin, Vice President, Extended Detection & Response at Open Systems, to learn more about the latest in cybersecurity challenges, Managed Detection and Response (MDR) solutions as a preventative measure for cyberattacks, what CISOs should be doing now, and more.

VMblog:  What are the biggest cybersecurity challenges facing mid-size or mid-maturity enterprises?

Dave Martin:  Enterprises currently face a perfect storm of three significant challenges that impact the effectiveness of their overall cybersecurity efforts. These challenges are:  
  • Too many tools: On average, enterprises deploy 45 cybersecurity-related tools on their networks, which typically results in CISOs and IT teams acting as systems integrators in order to stitch together such large toolsets. But they're not systems integrators and consequently tools are commonly misconfigured, leading to gaps in coverage that bad actors can - and often do - exploit. Compounding this, managing these patchwork toolsets actually reduces the time CISOs and their teams can devote to identifying and containing threats.
  • Not enough resources: A recent study found that 57% of organizations have unfilled cybersecurity positions. What's more, less than half of cybersecurity applicants are sufficiently qualified for these positions, further perpetuating the problem. The talent shortage means there are fewer expert eyes monitoring for, and responding to, potential threats, making it easier for attackers to find their way into a company's system and remain undetected.
  • An increased attack surface: The combination of consumer broadband connectivity, cloud services and employees using their own mobile devices has enabled millions of employees to work remotely throughout the pandemic, but at the cost of dramatically increasing companies' attack surfaces. With so many endpoints making so many remote connections, companies are being inundated with alerts. Though the overwhelming majority are false positives, the sheer volume of alerts makes it harder to identify the actual threats hidden among them.

Though companies are struggling to improve their security postures to defend against increasingly dire threats, they haven't been able to overcome these challenges, which contributed to a 6X increase in cyber-attacks on cloud environments since the beginning of 2020.

VMblog:  What is the #1 thing that makes companies vulnerable to cyberattacks?

Martin:  Mismanagement and misalignment of cybersecurity tools is the #1 thing that makes an enterprise vulnerable to attack. According to Gartner, more than 99% of the cloud breaches that occur through 2025 will be the result of preventable misconfigurations or mistakes. The best approach is for companies to stop the practice of simply buying more tools and look to solutions that allow CISOs and their teams to truly focus on identifying and containing threats as early as possible in the cyber kill chain. Ideal solutions will allow companies to: 
  • Consolidate around a single security platform to eliminate the coverage gaps inherent with a complex patchwork of point solutions that is hard to configure and manage
  • Leverage platforms that allow them to maximize their existing cloud and security stack investments, such as Microsoft's E5 security suite that comes with Azure Sentinel
  • Quickly recognize and contain new threats through a combination of human experts, artificial intelligence and machine learning that enables the security platform to adapt and learn as attacks evolve

VMblog:  What should CISOs be doing differently to protect their company?

Martin:  Effectively mitigating cyber threats is hard. It requires a far more strategic approach than simply detecting and responding to alerts. CISOs want the right cybersecurity posture to enable their company's business outcomes, not drown in alerts. This requires CISOs to bridge the silos of IT and security and go beyond detection and alerting, to mitigation, prevention, and resilience - delivering true cybersecurity maturity improvements.

However, it won't be possible for CISOs to accomplish this if they don't first free themselves from the endless and time-consuming task of integrating, configuring, and maintaining a complex collection of security tools so they - and their teams - can focus on the effort.

As part of this effort, CISOs need to determine if this can be accomplished entirely in-house or if they should engage a partner. For the majority of mid-size companies, working with a partner will likely be the best solution, as many lack the resources and expertise to do it alone.

Of the various security services currently available, the best overall choice for most companies will likely be a Managed Detection and Response (MDR) service. However, CISOs will need to carefully evaluate potential providers to ensure the one they choose can truly meet their needs. Key characteristics to look for in an MDR service provider include:   
  • No new tools required: Rather than requiring additional investments in new tools, the MDR service should take advantage of the tools customers already have; maximizing their coverage and capabilities.
  • Enterprise-grade 24x7 protection: Providing this level of round-the-clock protection requires the MDR provider to have multiple security operations centers (SOC) that are distributed globally and which are manned exclusively by cybersecurity experts - no entry-level staffers.
  • Increase security posture maturity: The MDR service should go beyond detection and response to proactively assess attack surfaces and prevent intrusions. This will increase the overall maturity of customers' security postures, leading to substantial improvements in finding, containing, and remediating breaches.

VMblog:  What can a company do to improve its response time should it get attacked? 

Martin:  The best way a company can improve its response time is by employing a team of security analysts to constantly monitor for potential threats - the sooner breaches are detected the sooner they can be responded to.

Due to limited budgets and the shortage of expert cybersecurity talent, the majority of mid-size companies will find that engaging an MDR service provider is the fastest and most economical way to achieve the necessary levels of monitoring and responsiveness. 

Whether they work for an MDR service provider or are members of an in-house SecOps team, the security analysts must be able to act swiftly after an attack has been identified and implement a cybersecurity incident response plan (CSIRP). CSIRPs provide well-documented guidance covering all aspects of bringing attacks to ground as quickly as possible and include comprehensive playbooks that address a variety of specific threats.

It's important to recognize that improving response time is a battle of inches and shaving off just a few minutes is well worth the effort, but it's not the only goal. Companies must also focus on reducing their attack surfaces and on improving their processes to increase their resilience to attacks.

VMblog:  Are there any industries more at risk for a cyberattack than others?

Martin:  All industries are at risk of a breach due to so many companies juggling too many tools, lacking sufficient resources and needing to protect dramatically larger attack surfaces due to the pandemic. However, some are more tempting targets for cybercriminals due to the types of data and assets companies in these industries collect.

Enterprises in industries that possess personal data, such as healthcare or higher education, are top targets as they typically have everything from social security numbers to personal health information, addresses, family member names and other data that bad actors can use to determine passwords and answers to security questions. 

Other infrastructure-related industries such as utilities, energy, and telecommunications are at high risk because their operations are critical to the everyday operations of businesses, institutions, and individuals. Successful attacks on companies in these industries - or on the transportation, manufacturing and other companies that are critical to their supply chains - could very well impact the nation as a whole, not just the company itself. 

These industries may also be susceptible to killware, a type of malware for causing physical harm and possibly death. For example, bad actors could attempt penetrating the systems of a desalination plant to have it deliver untreated sea water in order to contaminate a city's fresh water supply. 

VMblog:  How is digital transformation and cloud adoption affecting the cybersecurity industry? 

Martin:  Digital transformation presents a variety of security challenges for companies as they have to account for both local and remote security solutions, in addition to the behaviors of individuals who could literally be working anywhere, not just the office. 

This is especially true with companies moving to the cloud. Digital transformation and cloud adoption both create a greater attack surface that needs to be protected. This poses a challenge when it comes to the early detection and containment of threats, which can hide amongst the huge increase in false positive alerts caused by large numbers of endpoints making so many remote connections.

Fortunately, cloud providers have long known that security is key to enabling cloud adoption and continue to improve their defenses and their platforms.  Microsoft, for example, is leveraging the cloud to create security stacks that are perfectly connected and aligned, and the company's cloud-based Sentinel SIEM provides centralized visibility of all data, behavior, and alerts, in one place.

VMblog:  How do you see the cyber-attack landscape evolving in the next year?

Martin:  The cyber threat landscape evolved rapidly and aggressively throughout 2021 and there's no reason to believe we won't experience the same in 2022.

In addition to more ransomware attacks, we may well see cybercriminals substantially increase their use of killware, which literally poses a life or death threat.

Additionally, we can expect bad actors to embrace AI in order to evade detection. AI and ML have taken the security market by storm over the past five years, and it's likely that in 2022 cybercriminals will increasingly employ AI to attack the models within security software using adversarial techniques, and then put those outputs to use in malware to evade detection. 

There will also be further SolarWinds-style attacks in 2022 as bad actors target IT resellers and technology service providers as a way to access the IT systems of their downstream customers. The primary methods the bad actors will employ include stealing login credentials through simple - but effective - tactics like password spraying and phishing, and adding malicious code to the resellers' and service providers' software to create backdoors that provide access to downstream customers' systems. Companies should understand the level of security precautions implemented by their critical IT resellers and technology service providers and take appropriate actions. These include requiring their resellers and service providers to use two-factor authentication and other basic security measures.

Bad actors will continue their efforts to surveil and probe supply chains for points of weakness in 2022. Successful attacks have the potential to seriously impact the nation, so it's imperative for companies to improve their security postures.

These threats drive home the need for companies to employ 24/7 monitoring to identify threats early combined with immediate containment efforts to minimize the impact of breaches. Engaging an MDR service provider is a good option for those companies that lack sufficient in-house security capabilities.

VMblog:  What are the advantages/disadvantages for companies switching from DIY security using tools from multiple vendors to relying on a MDR service provider - doesn't this put all your security eggs in one basket? 

Martin:  As touched upon earlier, the inherent complexity of using multiple tools from multiple different vendors often makes it difficult to detect and contain threats early in the cyber kill chain. 

MDR addresses this by focusing on a narrower, more accurate set of signals, typically coming from the endpoint. Additionally, as a managed service, MDR frees CISOs and their SecOps teams from the time-consuming and laborious task of configuring and managing so many tools, allowing them to devote more time to other tasks.

That said, not all MDR solutions are created equal. For example, many MSSPs have rebranded themselves as MDR providers but continue their traditional practice of simply forwarding alerts to customers, which does not help matters.

A proper MDR service provider will help customers learn from these signals to determine the true state of their security postures in order to improve them. This is an ongoing process which requires customers to gain and maintain visibility into their potential attack surfaces, their critical assets, and their response capabilities. Companies should look for providers which can demonstrate these capabilities when evaluating their MDR options.


Published Thursday, December 30, 2021 7:29 AM by David Marshall