Datatechvibe spoke with Tim Erridge, Head of Palo Alto Networks’ Unit 42, EMEA, about the detection methods for understanding fraudulent activities, training programmes organisations can use to keep their workforce alert and balancing the Zero Trust journey with the speed of the mission for enterprise leaders.
“Hybrid working is here to stay, so business leaders must learn and implement best practices and train and educate employees on how they can work safely remotely. There needs to be more dialogue, communication, and transparency within the business to avoid preventable human error and simplify cybersecurity at all levels,” said Erridge.
Excerpts from the interview:
Tell us about your journey
I started in cyber straight out of university, coming in with more academic curiosity and scientific training, as opposed to a purist IT background. I started as an ethical hacker, doing penetration testing of networks, progressing into application security when the dawn of online retail was driving an explosion of website functionality.
This developed an attacker mindset on how to break things or seek to circumvent intended security measures. Sadly, this was also a driving force amongst threat actors, and I found myself in the middle of the first decade when major cybercrime started to boom. We saw media storms surrounding significant breaches at global brands. So, I transitioned from being a red teamer to help clients’ blue teams defend against such attacks. In doing so, I gained experience in building and leading incident response teams and helping mature security operations across various sectors and geographies.
I recognised that the most crucial factor in developing sustainable security capabilities is working with an organisation. This led to evolving my approach by building experience in thinking strategically.
I focused on how cyberattacks manifest as operational risk, and worked across risk advisory teams, threat intelligence, security architecture and resilience, and recovery projects to support better business alignment and integration. These have developed a breadth and depth of expertise across most disciplines within cybersecurity today.
What are a few detection methods for understanding fraudulent activities?
The increase in cyberattacks across industries and geographies has convinced organisations of all sizes to embrace detection and response. However, detecting attacks is only half the battle. Security teams must investigate alerts and assess the “who, what, when, why, and how” to determine the appropriate action. Faced with a shortage of cybersecurity professionals, security teams need to break down silos and simplify incident response, or they will struggle to prevent successful cyberattacks.
A new approach is required to solve today’s security operations challenges – one that will ease all stages of security operations, from detection and threat hunting to triage, investigation, and response. This new approach requires the following three integrated capabilities working together to lower risk and simplify operations:
- Great threat prevention: Highly effective prevention allows you to stop everything you can – the majority of attacks could have been blocked automatically in real or near-real time, without manual verification, given prior intelligence. This underscores the need for consistent, coordinated prevention across all your digital assets.
- AI and machine learning: With the growing amount of data collected, your analysts shouldn’t be forced to analyse or correlate data to identify threats manually. You need machine learning and analytics to learn the unique characteristics of your organisation and form a baseline of expected behaviour to detect sophisticated attacks.
- Automation: Analysts need actionable alerts with rich context and investigative details to quickly confirm attacks. They should also easily understand the root cause of attacks without needing years of experience.
These three integrated capabilities must be coordinated across all critical assets, including networks, endpoints, and clouds.
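The three stages Erridge lists (block what prior intelligence already condemns, compare the rest against a learned baseline of normal behaviour, and hand analysts an alert that already carries the who, what, when, where, why and how) can be illustrated with a small triage pipeline. The following is an added example written for this article, not Unit 42 code or any Palo Alto Networks product logic. The log lines, the blocklist and the users are all constructed, and a simple per-user statistical baseline stands in for the machine-learning models the interview refers to:

```python
"""Added example: prevention -> baseline anomaly detection -> enriched alerts.

Event format (constructed): "<ISO timestamp> <user> <source IP> <target host> <outcome>"
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: what the organisation looked like when nothing was wrong.
BASELINE_EVENTS = [
    "2024-03-04T09:02:11 alice 10.1.4.20 fileserver01 success",
    "2024-03-04T09:15:40 alice 10.1.4.20 mail01 success",
    "2024-03-05T08:58:03 alice 10.1.4.21 fileserver01 success",
    "2024-03-05T10:30:52 bob 10.1.7.5 hr-app success",
    "2024-03-06T11:12:09 bob 10.1.7.5 hr-app success",
    "2024-03-06T09:40:00 alice 10.1.4.20 mail01 success",
]

# Constructed events to triage.
NEW_EVENTS = [
    "2024-03-07T09:05:00 alice 10.1.4.20 fileserver01 success",     # normal for alice
    "2024-03-07T03:12:00 alice 198.51.100.9 fileserver01 failure",   # off-hours, new source
    "2024-03-07T03:12:20 alice 198.51.100.9 fileserver01 failure",
    "2024-03-07T03:12:41 alice 198.51.100.9 fileserver01 success",   # success after failures
    "2024-03-07T14:00:00 bob 10.1.7.5 domain-controller success",    # first access to a new host
    "2024-03-07T14:05:00 carol 203.0.113.50 hr-app success",         # source already on blocklist
]

# Constructed prior intelligence: a source the organisation already knows is hostile.
BLOCKLIST = {"203.0.113.50"}

HOUR_TOLERANCE = 3  # assumed: an hour more than 3h from any usual hour counts as off-hours


def parse(line):
    ts, user, src, host, outcome = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "src": src, "host": host, "outcome": outcome}


def build_baseline(lines):
    """Learn, per user, the hosts, source addresses and hours seen in successful logins."""
    base = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["outcome"] != "success":
            continue
        profile = base[ev["user"]]
        profile["hosts"].add(ev["host"])
        profile["srcs"].add(ev["src"])
        profile["hours"].add(ev["time"].hour)
    return base


def triage(lines, baseline, blocklist):
    """Return (auto-blocked events, enriched alerts) for the given events."""
    blocked, alerts = [], []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    for ev in map(parse, lines):
        # Stage 1 (prevention): known-bad sources are dropped automatically, no analyst needed.
        if ev["src"] in blocklist:
            blocked.append(ev)
            continue
        if ev["outcome"] == "failure":
            failures[(ev["user"], ev["src"])].append(ev["time"])
            continue
        # Stage 2 (baseline): does this success deviate from what we learned about the user?
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append(f"first access to {ev['host']}")
            if ev["src"] not in profile["srcs"]:
                reasons.append(f"new source {ev['src']}")
            if all(abs(ev["time"].hour - h) > HOUR_TOLERANCE for h in profile["hours"]):
                reasons.append("outside usual hours")
        if not reasons:
            continue
        # Stage 3 (automation): attach the context an analyst would otherwise dig out by hand.
        recent = [t for t in failures[(ev["user"], ev["src"])]
                  if (ev["time"] - t).total_seconds() <= 600]
        cause = ("success after repeated failures (possible password guessing)"
                 if len(recent) >= 2 else "undetermined")
        severity = "high" if len(reasons) >= 2 or recent else "medium"
        alerts.append({
            "who": ev["user"], "what": f"login to {ev['host']}", "when": ev["time"].isoformat(),
            "where": ev["src"], "why": reasons, "how": cause, "severity": severity,
            "failed_attempts_before": len(recent),
            "suggested_action": "isolate session and verify with user" if severity == "high"
                                else "review access justification",
        })
    return blocked, alerts


def run_pipeline():
    return triage(NEW_EVENTS, build_baseline(BASELINE_EVENTS), BLOCKLIST)


if __name__ == "__main__":
    blocked, alerts = run_pipeline()
    print(f"auto-blocked: {[b['user'] for b in blocked]}")
    for a in alerts:
        print(a)
```

On the constructed data the blocklisted source is dropped before any analyst sees it, alice's 03:12 login from a new address is raised as high severity with the two preceding failures already attached, and bob's first visit to the domain controller arrives as a medium-severity alert with the reason spelled out. The point is the division of labour the interview describes: prevention handles what intelligence already settles, the baseline finds what rules cannot, and the alert carries enough context that the analyst starts at the decision rather than at the raw logs.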
What kind of training programmes can organisations use to keep their workforce alert and quick to act in the face of a breach?
For CISOs of major organisations who now have large, distributed workforces, data flow management has never been more essential. The use of corporate and personal connected devices is now intertwined as work and home environments merge into one, but it exposes businesses to new cybersecurity obstacles that require a joint response from everyone. So it must start with setting a security-minded culture from the top, but one that enables the business to succeed in its primary objectives, not hinder it.
Some best practices include:
- Security incident simulations and rehearsals: The best time to learn is under friendly fire and not during a live incident. So, taking a threat intelligence-led approach to determine the most credible scenarios your organisation would face and then running drills to simulate these not only means your staff gains critical experience and awareness, but you also test your detection and response capabilities and identify any potential gaps as opportunities to improve.
- IT teams and WFH employees must join forces: Best security practices must be in place from the beginning. IT teams and business leaders must implement seamless security for their WFH employees and provide education to ensure the bar is raised for home cybersecurity hygiene standards.
- Educate staff at all levels on the dangers of poor password discipline: Using different passwords for different accounts and devices – personal and corporate – is a starter. According to the 2022 Unit 42 Incident Response Report, in 7 per cent of cases, weak password security practices contributed to threat actors’ ability to further their objectives (e.g., default password, blank or empty password, easily guessed or brute-forced password).
Hybrid working is here to stay, so business leaders must learn and implement best practices and train and educate employees on how they can work safely remotely. There needs to be more dialogue, communication, and transparency within the business to avoid preventable human error and simplify cybersecurity at all levels.
Are SASE and Zero Trust the key for manufacturers grappling with IoT?
As digital transformation continues to accelerate alongside the explosion of online connected devices like smart sensors, smart appliances, and smart buildings, the attack surface is exponentially expanding due to the unsanctioned and over-privileged devices being implemented across industries.
With this combination of tremendous change coupled with the need for availability and operational resilience, information security teams working within manufacturing require a modern approach to security that fits these significant shifts.
This is where SASE and Zero Trust can help within the broader context. Zero Trust is a strategic approach to cybersecurity that secures an organisation by eliminating implicit trust and continuously validating every stage of digital interaction. When users connect to a SASE solution, it provides always-on, consistently secure access to your applications, data centre, factories, clouds, and IoT environment.
A modern, holistic approach to security, such as Zero Trust, enables manufacturing operations to meet these challenges proactively for higher levels of security, reduced complexity and increased operational resilience to minimise downtime and disruption to the business. Adopting this approach also helps limit the blast radius of any compromise of IoT devices and helps stop the threat actors from being able to pivot and spread their attacks into corporate networks and systems.
How can enterprise leaders balance the Zero Trust journey with the Speed of the Mission?
ZTNA 2.0 ensures the investment is focused upfront to enable Zero Trust to be set up appropriately. This means security teams can focus on more complex challenges as they can trust that Zero Trust will verify and validate at all stages, so they don’t need to – with no exceptions getting through. Any attempt to do something the user doesn’t have the authority to do will be blocked. This allows teams to focus on other areas of detection and response rather than abuse of over-privileged accounts.
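The two answers above describe the same mechanism from two angles: implicit trust is removed, every request is validated again rather than waved through on the strength of an earlier login, and an action the user has no grant for is simply blocked. The following is an added illustration of that default-deny, continuously re-verified decision, written for this article; it is not ZTNA 2.0 code or any vendor's policy engine. The roles, resources, grants, device attributes and the 15-minute re-verification interval are all assumptions chosen to make the decisions visible:

```python
"""Added example: a default-deny access decision that re-checks identity, device and
entitlement on every request. All policy data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Explicit grants only: (role, resource, action). Anything not listed is denied.
GRANTS = {
    ("engineer", "source-repo", "read"),
    ("engineer", "source-repo", "write"),
    ("engineer", "ci-dashboard", "read"),
    ("admin", "source-repo", "admin"),
}

# Assumed interval after which identity and device posture must be confirmed again.
REVERIFY_AFTER = timedelta(minutes=15)


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    device_managed: bool   # enrolled in the organisation's device management
    device_patched: bool   # passes the posture check at request time
    last_verified: datetime
    now: datetime


def decide(req):
    """Return (allowed, reason). Every check must pass; there is no implicit trust."""
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.device_patched:
        return False, "device fails posture check"
    if req.now - req.last_verified > REVERIFY_AFTER:
        return False, "verification stale; re-authenticate"
    if (req.role, req.resource, req.action) not in GRANTS:
        return False, f"no grant for {req.role} to {req.action} {req.resource}"
    return True, "explicit grant"


def evaluate(requests):
    """Decide each request and keep a record the security team can review."""
    return [{"user": r.user, "request": f"{r.action} {r.resource}",
             "allowed": ok, "reason": why}
            for r in requests for ok, why in [decide(r)]]


def sample_decisions():
    t0 = datetime(2024, 3, 7, 10, 0, 0)
    fresh = t0 - timedelta(minutes=5)
    stale = t0 - timedelta(minutes=40)
    requests = [
        Request("alice", "engineer", "source-repo", "write", True, True, fresh, t0),   # entitled
        Request("alice", "engineer", "source-repo", "admin", True, True, fresh, t0),   # over-reach
        Request("alice", "engineer", "ci-dashboard", "read", True, True, stale, t0),   # stale
        Request("bob", "engineer", "source-repo", "read", False, True, fresh, t0),     # unmanaged
        Request("dana", "admin", "source-repo", "admin", True, False, fresh, t0),      # unpatched
    ]
    return evaluate(requests)


if __name__ == "__main__":
    for d in sample_decisions():
        print(d)
```

Only the first request is allowed. The second is the case the answer singles out: alice holds a valid session on a healthy device, yet an admin action she has no grant for is blocked at the point of use, so the abuse of an over-privileged account never becomes a detection problem for the SOC. The third shows why "continuous" matters: the same entitled user is refused until she re-verifies, because the earlier check has aged out. The remaining two fail on the device rather than the identity, which is the other half of removing implicit trust.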
Automation is key for securing and managing Internet of Medical Things (IoMT) devices. How?
Securing and managing the Internet of Medical Things (IoMT) is a critical concern for providers and patients because security vulnerabilities in these devices can potentially expose sensitive patient data and put lives at risk.
Every stride must be taken to implement such critical devices in as secure a configuration as possible, ideally within a Zero Trust environment and under the vigilant watch of security operations teams. The inevitability is that research will discover new and additional vulnerabilities, flaws and implementation weaknesses that could degrade their security posture and thereby pose a significant threat.
It is unrealistic to think that security or IT teams have the resources necessary to monitor all of these devices across their network for who or what is trying to access them, what actions are being taken, and what impact these might have. Organisations need to implement proactive monitoring solutions that combine highly scalable cloud architecture and machine learning to identify threats and vulnerabilities, analyse the behaviour of network-connected devices and not only provide real-time alerts to security teams about anomalies but automate taking the necessary courses of action to mitigate the impact as well as learn any crucial lessons to better detect and respond to future similar attacks.
The ideal healthcare operation methodology relieves network security and clinical teams from the day-to-day burdens of securing and managing these devices. By constantly assessing device risk and then applying positive risk reduction activities that are prioritised and automated, organisations can begin reducing their attack surface. Connected medical devices can be sustainably secured by automating this entire lifecycle, from threat intelligence to mitigation – and continuously incorporating learnings to evolve their resilience.
How do you measure the success of digital transformation?
Over the last several years, companies have had to adapt to a changing landscape – moving quickly to remote work, meeting new customer expectations, and accelerating digital transformations. Although that period of change has been fraught with challenges, it’s created a unique opportunity for IT departments to shape their organisations’ future.
A successful digital transformation has enabled a sustainable change that brings speed and agility to organisations’ businesses, enabling them to evolve within their market context and survive new selective pressures such as the pandemic. Security is, therefore, a key component of digital transformation as cyberattacks threaten to undermine or eradicate commercial advantage and erode trust. If customers do not trust you with their data, they will not do business with you. For keeping products and the enterprise secure, organisations need to examine how they can best incorporate security into every step of their digital transformation to win customers’ trust and business.
Security should be perceived as an enduring component of the digital transformation journey, enabling the sustained evolution of the organisation by preserving its ability to continue operating while withstanding the scrutiny of adversarial cyber threat actors. This resilience is critical as a survival trait and must not be overlooked.
One piece of advice for technology leaders.
As business enablers in security, we must start embracing new technology to combat cyber asymmetry. The attackers only need that one success, whereas we need to be successful in thwarting every attempt by every adversary. This is a tough and complex challenge, and we must embrace intelligence-led automation to make the best use of our scarce resources, be more agile in mitigating defences and provide us with a force multiplier that can help redress the balance in the face of such constant pressure.