GovWare Focus: Collectively Raising the Bar on Cybersecurity
While cyber attackers are unencumbered by budgets, every CISO is stuck with one.
The astute quip by moderator David Siah Yang Meng, Vice-Chairman of the Asia Pacific Executive Council of the Cloud Security Alliance, at July’s GovWare Focus epitomised the daunting challenges that CISOs face today.
On one hand, security leaders must constantly school themselves on the latest threats and attack vectors, even as they work tirelessly to shore up defences against a plethora of traditional threats including phishing, software vulnerabilities, and legacy systems.
On the other hand, they must also juggle real-world resource limitations in terms of retaining talent and upskilling their teams, while at the same time ensuring that business leaders and the Board are kept up to date at a strategic level.
And of course, there is that annual budget to see to, too.
Strength in collaboration
Budgeting woes aside, CISOs must fend off cyber adversaries who are highly proficient in their chosen fields. Indeed, as noted by Ian Lim, Field Chief Security Officer, Japan, at Palo Alto Networks, cyber attackers could pull off the same attack on multiple victims.
“One of the advantages that attackers have is that they're able to do the same attack on different companies in the same country, different government agencies, and then different countries across the board,” explained Lim.
One possible defence is automated information sharing. He said: “One way to take away that advantage is through collective defence. And the idea is if you attack one person in this country, the whole country knows about it, you can't use that attack again.”
Lim wasn’t the only speaker who brought up automation. Speaking on the same panel, Andre Shori, the APAC CISO at Schneider Electric, said: “Automation is going to be huge and key in terms of being able to respond very quickly. The windows have gotten much, much, shorter. We need to utilize technology as much as possible to speed up our responses.”
It turns out that an intelligence-sharing collaboration already exists among automotive companies in Germany, according to an executive from a government agency who chimed in during an exchange.
With compliance generally seen as a “stick”, perhaps industry players should consider banding together as part of a synergistic cooperation to proactively – and collectively – raise the bar on cybersecurity.
Setting the basics right
The majority of attacks rely on techniques that are known, with some as old as a decade, says Rene Thorup, the APC Practice Lead at Foundstone, Trellix.
“I think we forgot about the basics. We are putting in a lot of new, fancy things and the technology is evolving very, very, fast. And we kind of forget about the old things we have in there; it’s all about the new things. But we’re not focusing on the basics such as securing our network,” he noted.
He cited the reverse shell as one such example: “Instead of trying to break in, an adversary does an attack on the user inside the network [and] communicate out like a normal workstation from inside the network. And we’re still not dealing with it very well.”
And even some “old” attacks can become an issue due to how swiftly an attack can unfold.
“From the moment that hackers breach your network to when they start encrypting is around 40 minutes. If you’ve not automated your response, you will probably have issues detecting and responding to a ransomware attack,” said Thorup.
The former CISO, who stepped down from the role to “get technical” again, has plenty of stories to share. One anecdote stood out as Thorup talked about how “there is always one” legacy system just waiting to be exploited.
Drawing from his experiences leading red teams, Thorup spoke of a network he came across that seemed to have “nothing” to breach, as if it had been secured by an “ex-Russian hacker”. And then he found it: an old, forgotten virtual machine once used as a test server. And the rest, as they say, was history.
A perpetual learning journey
The cybersecurity community is a globally connected one, and major regulations and developments in key parts of the world are felt everywhere else.
To give CISOs an up-to-date view of the just-published National Cybersecurity Strategy Implementation Plan (July 2023) by the United States government, Dr Yuriy Bulygin, the CEO and Founder of Eclypsium, was invited to share his take with the security leaders in the room.
Bulygin elaborated on the key pillars of the U.S. national cybersecurity strategy, highlighting how substantial effort is being poured into developing a government-wide architecture based on zero trust principles. He also fielded various questions from the floor.
In response to a query about liability in a cybersecurity breach, Bulygin noted that our sheer dependence on SaaS applications and cloud-based services means that the U.S. government has taken an approach to shift the liability for breaches from external technologies away from the end-user to the organisation producing the technology.
“Taking into account that it's not possible to eliminate all vulnerabilities. If a company that is producing that technology, whether an application or device or something else… has not done anything to secure their technology, then they're going to be held liable.”
Our July GovWare Focus closed off with a fireside chat with Ng Hoo Ming, the Advisory & President for Cybersecurity & Governance Chapter ASEAN Chief Information Officer Association (ACIOA), who shared the key cybersecurity considerations for regulators and key stakeholders in Singapore.