There is no escaping the recurring news of devastating cyberattacks – not a week goes by without another high-profile hack and another company scrambling to repair the damage. With the attacks ever-changing, organisations are constantly scouting for the right strategy to keep threats at bay. Zero Trust has been on the radar of cybersecurity teams for many years, but it is currently in the spotlight more than ever. Chuck Everette, Field CISO at Virsec, discusses the benefits of a Zero Trust architecture, from implementation to patching vulnerabilities.
What common issues are we seeing with legacy systems and what challenges and costs are associated with supportive protection methods?
The big thing right now with legacy systems is just that: they are legacy. Organisations often become complacent once they have a system in place. Typically, security is thought to have a very heavy-handed set-up process and is disruptive to the company’s production, so these companies fall into the habit of having outdated protection, as it is easy. The problem is, with cyberthreats evolving at an incredible rate, you fast approach a point where it becomes exponential. Therefore, it is necessary to upgrade your technology. As such, when you procrastinate or refuse to update your systems, you become susceptible to attacks, as your defences are designed to defend against an extremely outdated landscape.
What are the consequences and impacts of cybersecurity attacks on an organisation?
When you’re attacked, it’s not just the financial consequences you’re facing, but also the penalties of your employees’ and customers’ inability to access your resources. And even more importantly, when you’re attacked, your reputation is put on the line.
Reputation is huge. Your clients, customers – even your employees – may lose faith in your company. They are concerned about whether you can protect them, their data and your intellectual property (IP). We have seen clients reporting tens of millions to hundreds of millions of dollars in lost productivity or data.
Would we call this a relatively new phenomenon?
Absolutely.
I like to consider it the ‘21st century mafia’, especially the ransomware side. Businesses can go out to the Dark Web and hire botnet companies to take down their competition, specifically on Black Friday or Cyber Monday. We see cybercriminal gangs and even some nation-states putting fake ads on Indeed and other websites, hosting for penetration testers and offering big bonuses if you get into organisations on their behalf. Essentially, these criminal organisations are hiring you to hack somebody, and you are unknowingly being paid for criminal activities.
What is Zero Trust and why is its implementation important to an organisation’s security?
Zero Trust has been the buzzword for the past three years. It’s locking down your systems and environments, only allowing your users to do specific tasks. Basically, you’re allowing them Zero Trust to go outside the bounds of their job description and not handing out admin rights to everyone. The days of employees downloading and accessing every piece of software on their laptops or PCs are over; now you are only required to install what you need to install.
Handing out admin rights gives hackers a foothold to get into the systems. It’s really locking it down, giving only relevant access to the server and taking all the other data sets away.
Looking at a hospital’s infrastructure, for example, if someone doesn’t need to access its HIPAA requirements or PII data that needs to be kept confidential, you simply don’t allow access. Only doctors need to get to look at certain things, or nurses need to look at certain things. X-ray technicians and others don’t need to be able to see certain histories.
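As an added illustration of the least-privilege model described in this answer (example code, not from the interview or from Virsec), the following is a default-deny access check built around the hospital roles mentioned above; the roles, resources, actions and the restricted data sets are assumptions chosen for the example.

```python
"""Default-deny, role-based access decisions for the hospital example.

Constructed example: the roles, resources and actions are illustrative,
not a real hospital's policy or any vendor's product behaviour.
"""
from dataclasses import dataclass, field

# Explicit allow list: (role, action) -> resources. Anything absent is denied.
POLICY = {
    ("doctor", "read"):     {"patient_history", "lab_results", "imaging"},
    ("doctor", "write"):    {"patient_history"},
    ("nurse", "read"):      {"patient_history", "lab_results"},
    ("nurse", "write"):     {"vitals"},
    ("xray_tech", "read"):  {"imaging"},
    ("xray_tech", "write"): {"imaging"},
}
# Confidential data sets (the HIPAA/PII case in the interview) that no
# application role reaches at all; access needs a separate approved process.
RESTRICTED = {"billing_pii", "hr_records"}

@dataclass
class Decision:
    allowed: bool
    reason: str

@dataclass
class AuditLog:
    denied: list = field(default_factory=list)

def authorize(role: str, action: str, resource: str, log: AuditLog) -> Decision:
    """Zero Trust check: every request is evaluated, nothing is implied by role.
    The default is deny; only an explicit (role, action, resource) entry allows."""
    if resource in RESTRICTED:
        d = Decision(False, f"{resource} is restricted for all application roles")
    elif resource in POLICY.get((role, action), set()):
        d = Decision(True, f"{role} may {action} {resource}")
    else:
        # Unknown roles (including 'admin') and unlisted actions land here.
        d = Decision(False, f"no rule grants {role} {action} on {resource}")
    if not d.allowed:
        log.denied.append((role, action, resource))  # every denial stays visible
    return d

def simulate() -> AuditLog:
    """Replay the interview's cases and return the denials for review."""
    log = AuditLog()
    authorize("doctor", "read", "patient_history", log)     # allowed
    authorize("xray_tech", "read", "patient_history", log)  # denied: not needed
    authorize("nurse", "read", "billing_pii", log)          # denied: restricted
    authorize("admin", "write", "imaging", log)             # denied: no such role
    return log
```

Denied requests are collected rather than silently dropped, which is what turns a least-privilege policy into something a security team can actually monitor.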
What are the cybersecurity business benefits of a Zero Trust architecture and what steps can organisations take to protect workloads from zero-days and other unknown attacks?
The greatest benefit of Zero Trust is that when incidents come in, the damage will be minimised as the breach is isolated and contained.
When we discuss workloads we consider virtualisation, applications and data. Virsec is a prime example of preventing that data becoming code, stopping certain attacks from overflowing into other workloads or departments by locking down access to users if they attempt to access unpermitted areas.
It’s about really locking down databases, creating a purpose-built structure where the applications can’t go outside of their bounds.
How does Virsec help organisations to radically strengthen their security program, stop attacks and eliminate dwell time with precise, continuous workload protection?
Virsec offers five different layers of protection with host and file protection at its core. By allowing whitelisting, we create a positive security model, by only allowing certain applications to run and behave a certain way. Any deviation from this behaviour is stopped by our intelligence. Virsec’s web protection defends Java, PHP, Ruby on Rails, SQL injections, and we prevent those web applications from going rogue.
In terms of buffer overflow protections, we see that 80% of successful ransomware attacks today come from zero days. Typically, those attacks come from vulnerabilities within remote code execution, meaning they can execute code at the binary level, change data to code and have free rein of a system. We [Virsec] prevent that from happening.
We also protect daily vulnerabilities. I did an analysis earlier this week, and found that a new CVE or vulnerability is reported every 20 minutes. That’s almost 27,000 vulnerabilities reported last year. Patching is extremely time consuming; you can’t patch daily or even on a weekly basis. Virsec gives the capabilities of providing you a stopgap and another layer of protection until those vulnerabilities can be patched. We also don’t allow somebody to come in and do a remote code execution through a vulnerability, as it’s not productive behaviour.
We offer multi-layer security, protecting against zero days, new vulnerabilities, new forms of attacks, stopping what others can’t and also considering memory exploit and file protection.
What is the future of cybersecurity?
Cybersecurity needs to be adaptive. Typical security systems have adopted endpoint detection and response, as you can’t prevent the unknown. We must shift to a preventative model, meaning that we need to start being proactive rather than reactive, in which we wait for an attack to penetrate your systems and then react to clean and prevent the issue from going further.
We can easily prevent attacks with the newer technology available. It is critical yet simple that you’ve got to get in front of it and need to collaborate between security vendors by sending alerts and creating oversight. A great early warning system can offer high-fidelity alerts and stop it, then continue to communicate with other platforms on the incident for investigation.
Why do you think companies don’t take a proactive approach?
Right now, there are an estimated four to five million open security positions for security staff globally. In the US alone, it’s about 600,000. The security staff are inundated by alerts, something we call alert fatigue, due to being constantly reactive. It’s common for the sector to be short-staffed, which eventually results in losing security staff due to burnout and the decision to enter a less demanding field.
Also, due to there being such a shortage, companies have started ‘stealing’ employees by hiring away security experts from one company to another, with the promise of higher pay and better working conditions. The problem is that when your subject matter experts, who know your systems inside out, are being rehired elsewhere, they have been so busy that they haven’t had time to do their documentation. This then leaves you completely in the dark about what systems you have, what you must protect, and even what your processes are. When they leave, they take that knowledge with them.