Hi, good morning, good afternoon. Welcome to our webinar today. I'm John Tolbert, director of Cybersecurity Research here at KuppingerCole, and today I'm joined by Dirk Feld, head of presales at CYFIRMA. Welcome, Dirk.
Hi, John. Just a quick word: welcome from my end as well. I'm looking forward to this and hope it will be a very informative session today, and hopefully we can share some good insights.
Yes, our topic today is maximizing cybersecurity investments during economically turbulent times. I think we can all agree times are quite turbulent, but before we begin, a little bit of logistics information. Everybody's muted centrally, so there's no need to mute or unmute yourself. We will be doing a couple of polls during the session this morning, and then we will take a look at the results of those polls during the Q&A session at the end. If you have a question, there is a control panel for GoToWebinar with a questions blank; you can type your questions in at any time and we will take them at the end. Lastly, we're recording this, so both the recording and the slides should be available in the next day or two.
So I'm going to start off and talk about a little bit of background on the current cyber threat landscape and the need to shift back to looking at prevention in some cases. We'll also look at the MITRE ATT&CK framework, then I'll turn it over to Dirk, and then we'll take the Q&A after the poll results. So what does the current cyber threat landscape include? Well, all sorts of things, most of which you've probably heard about in some form or another, whether it be ransomware, different kinds of cyber crime, fraud, data breaches that involve PII, or intellectual property and trade secret theft.
So ransomware has been in the news for years now and continues to be something that we hear about, and something that we definitely don't want to happen to us. When you think back on the history of ransomware, yes, it's been around for quite a while. Some of the biggest attacks started in 2016 and 2017 and spread across multiple industries. They locked computers, they encrypted drives, they encrypted network shares, which was a big difference from how it started out, going after individuals. But I think the cyber criminals realized there was more money to be made by attacking organizations, and that's what they did. We've seen a change of tactics too: it used to be screen lockers, then encryption, and encryption still happens.
But there have also been some, I don't like to use the word innovation with cyber crime, but they've also done things like create destructive wipers, which kind of look like ransomware but aren't really trying to extort money from an organization; in many cases they do render an organization's computing assets inoperable. There have also been cases where instead of encrypting, they just steal information and threaten to leak it. That's a more recent development in the last couple of years. So ransomware is a big rubric, but there are lots of different tactics and procedures used under it. And they're targeting all sorts of organizations. Unfortunately, we hear a lot about hospitals and healthcare providers that have been hit very hard in the last couple of years. Same thing with state and local government agencies and small and medium-sized businesses. I remember five or ten years ago people in SMBs thinking, well, we're not big enough to attract the attention of cyber criminals.
Well, every organization is a target today, regardless of industry, and ransomware can affect more than just a single organization. There have been a couple of high-profile attacks from a couple of years back, like Colonial Pipeline, where technically they said it didn't actually enter their operational technology environment; it was contained within the IT system. But out of an abundance of caution they shut down the pipeline for close to a week, I think it was. And that pipeline supplied fuel to a large part of the US, which had follow-on effects on the broader economy. So ransomware does not necessarily contain itself to the initial target organization. We've also seen attacks against the software supply chain, where downstream members of the software supply chain have become infected because of a supplier. So ransomware definitely has potential for spillover well beyond the initial target.
So cyber crime, breaches and data thefts: again, just about any kind of organization can be targeted. Obviously finance and banks are highly targeted for cyber crime because that's where the money is. But we noticed during the pandemic that government agencies were often targeted as well; those that were providing some sort of economic assistance or unemployment benefits were hit with tons and tons of fraud. Same thing for mobile network operators, travel and hospitality, and gaming. And then, as I mentioned already, healthcare providers and insurance companies, and of course individuals as well. Cybercrime has been on the rise for years and years, and again we've seen innovation in techniques there as well. When you think about data breaches, there have been a couple of attacks against social media providers where lots of personal information was acquired by fraudsters. Some of these data breaches have been over a hundred million user records each, up to a billion, which is significant. And there are many statistics about cyber crime, depending on which agency or collecting organization you look at, but it's clear that cybercrime takes billions and billions out of the global economy every year.
So last year Allianz ran a survey about the top concerns that executives have with regard to cyber threats, and not surprisingly, ransomware and data breaches top the list. I think it's a very valid concern. So with that in mind, I'd like to ask you: what types of cyber attacks are you most concerned about? Is it ransomware? Is it software supply chain, CEO fraud, or business email compromise? Phishing and spear phishing are still very prominent vectors today. Is it the loss of intellectual property, or data breaches that might involve the loss of PII, which could result in fines as well as reputation damage? We'll give you a few seconds to fill in the poll here.
Okay, well, thank you. We'll take a look at that again, as I said, at the end. So now let's look at MITRE ATT&CK. MITRE ATT&CK is a framework for conceptualizing the different tactics, techniques and procedures that attackers use when conducting some sort of attack. Full details of the MITRE ATT&CK framework are on their website; the header here is a link to it, so feel free to take a look. I break this up into the prevention and detection phases, with a little overlap around reconnaissance. When you look at these phases, you've got recon, which is trying to gather intelligence on targets or potential targets; resource development, which might be understanding how an organization could be exploited and then developing an exploit, or buying an exploit if an attacker needs to do that; and initial access, which is getting into that environment.
It could be a VPN account or some other unsecured remote access. Execution often still involves malware; malware is useful for cyber criminals to take over machines. Once they do that, they want to persist, to keep that foothold. They also need to escalate privileges, because if you design your IAM system right, regular user accounts shouldn't allow too much access. But privileged accounts and service accounts are the keys to the kingdom, so privilege escalation needs to happen for an attack to be successful. They do that to be able to evade defenses: turn off anti-malware, delete logs, cover up their tracks. They can also use credential access for other machines. Then they'll go look for data and decide what they want to exfiltrate; lateral movement is of course involved in order to search all the relevant machines or images in an organization. Then they collect that information into some staging point, do the C2, and exfiltrate it. And then impact: there have been cases that masqueraded as ransomware but could have been an APT operation where the cyber criminals intended to steal the information anyway, and then detonated ransomware when they left to throw the investigators off the trail.
So what I did in the second half of the chart is try to list some typical tools. It's certainly not an all-inclusive list, but it shows different kinds of tools that could help with each phase. On the reconnaissance side, we see things like ASM, attack surface management; we'll talk more about that in a minute. Secure IAM, identity and access management, is important for the reconnaissance, resource development and initial access phases: being able to prevent attackers from getting in and taking over an account in the first place. We also always recommend multifactor authentication, especially for remote access accounts, VPNs, things like that. MFA is an absolute must these days. That falls under the broader category of zero trust network access and the principle of least privilege: always verify, and properly authenticate and authorize access to any resource inside an organization.
So zero trust and MFA are good ways to help prevent that, as are ASM and endpoint protection, detection and response. EPDR is typically predicated mostly on anti-malware plus other functions that help prevent the execution of malware. Through the rest of the chart, we see a lot of the DR tools, the detection and response tools: EPDR, which is endpoint security plus EDR; NDR, network detection and response; and XDR, extended detection and response, which includes endpoint, network and some other cloud-related functions. Those are focused on detection and response, which are needed for most of the rest of the TTPs you see across the attack chain here. For privilege management, privileged access management can help deflect attempts at privilege escalation, as can endpoint privilege management and ITDR, a fairly new class, identity threat detection and response.
And then on the data side and exfiltration prevention, we see things like data leakage or data loss prevention tools that can do asset-level tagging and prevent exfiltration via the internet, mail, or even onto USB drives. CASB is useful for similar functions for cloud products. And then lastly, you really want to prevent the exfiltration; again, EPDR, NDR, XDR and DLP kinds of products help there. To mitigate the impact, there's disaster recovery and business continuity. So that's a high-level look at where I think some of the tools fit. Again, this is not a complete list of the tools that make up a security architecture, but it's a way of thinking about how they align to MITRE ATT&CK.
So we have thought a lot in recent years about detection and response, but we don't want to lose sight of the fact that prevention is very useful. It's often better to prevent an attack than to have to detect and respond to it. When you think about security, the first tools that came into existence in the cybersecurity field years ago were things like antivirus and firewalls, and they were explicitly designed for prevention. But as cyber attacks became more successful, there was sort of an acknowledgement that attacks happened because the attackers learned how to circumvent some of the prevention tools, and there was an increasing emphasis in the industry on developing detection and response tools, which are incredibly important. I would recommend those to every organization out there, because we need them, but we also need to keep an eye on prevention. So this lets me introduce attack surface management, which is a next-generation approach to attack prevention. It goes a little further out, a little earlier in the stage, to not only do things like vulnerability assessments and monitoring, but also collect cyber intelligence, do dark web monitoring, and help organizations put the big picture together. So both prevention and detection are really necessary to help deter cyber attacks.
So for attack surface management, I think there are at least eight major functions that these products should have. First up, asset discovery and classification, because you can't protect what you don't know you have. That also means being able to monitor all devices, including IoT devices, which have become commoditized; many organizations use different kinds of sensors within their enterprises. Then there is monitoring of the dark web for both trade secrets and IP as well as leaked PII. You need to be able to do continuous vulnerability assessments; the idea of doing a pen test or vulnerability assessment annually or semi-annually just gets too far out of date, so it needs to be much more regular, continuous. Then there's compliance monitoring for various regulatory schemes as well as company security policies. All this information should be analyzed automatically and presented to SOCs, security management and executives in a way that's tailored for each use. And lastly, ASM should be able to integrate with the rest of your IT infrastructure.
So these are numbered, but not in any real priority order. These are things that can be part of a good overall security architecture. ASM, attack surface management. EPDR, which again is mostly thought of as endpoint protection plus the DR: anti-malware plus application controls, URL filtering, and other detection and response capabilities. Zero trust architecture; we've talked about MFA, multifactor authentication, proper authorization for each resource access, and device posture checks, making sure that all the devices that want to connect to your network or your applications are properly secured themselves. Are they patched? Do they have anti-malware, EPDR clients? You can write security policies based on that. Data-level security, because data is often what attackers are really after, so you've got to secure not only the network, the application and the endpoint, but the data itself. Privilege management. Email gateways and web gateways, again because so many threats still come in via email, phishing, spear phishing, or other web-based threats. These are really critical parts of most organizations' security architectures.
So, second poll. What do you find to be the three biggest challenges in implementing cybersecurity? Is it budget, or lack thereof? Do you see that departments within your organization are siloed, meaning maybe you have centralized security policies, but there are departments that feel like they operate independently, or you may have difficulty spreading the budget around? Is it the skills shortage, or do you have too many tools and find it difficult to manage a lot of different cybersecurity tools? And lastly, stakeholder management: do you have the involvement of executives? We'll give you a few seconds here to go through. Again, the three biggest challenges: budget, siloed organizations, the skills shortage, too many tools to manage, or stakeholder management. Okay, so just a reminder, if you have any questions, feel free to type them into the GoToWebinar questions blank in the control panel, and we'll take them at the end. And now I'd like to turn it over to Dirk.
Thank you, John. I think that was a really informative introduction to today's topic, cybersecurity investments. I'm also pointing out that there are specific movements, that there is innovation to a degree happening, and that has to be acknowledged and incorporated into one's own cybersecurity strategy to create a stronger cybersecurity posture. So what I would like to look at right now is how cybersecurity investments can be maximized in economically turbulent times. For that, I would first of all like to recap some of the challenges which John has pointed out. But there are also other aspects, in our opinion at CYFIRMA, which we would like to highlight before I go into details. CYFIRMA is a small, relatively young organization. We have dedicated ourselves to cyber threat intelligence, which means that we help organizations identify pending threats well before they may happen.
That's the short version. What we do is on two different levels: we look at organizations, identifying their weaknesses and their strengths, and on the other side we also take the position of threat landscape observation. We try to bring these together, which in my opinion we do very well, because we would like to bring the essence of both worlds together to paint an exact picture of the organization's possible vulnerability and also the availability of mitigating activities. So, cyber challenges. I think the ENISA picture points it out very well: it is an assortment of specific cyber crime threats floating around, which we should take care of, either as a security practitioner trying to secure the organization, or as the vendors and advisors in that particular field. What we figured out, what we found out, is that cyber crime in itself increases also during a recession.
It doesn't stop by any means. You can't correlate it to a specific context and say it is because of a possible recession or despite a possible recession; cybercrime just increases. Having given the short introduction about CYFIRMA and what we do, I think one of the demands we've identified on the customer side is the lack of visibility beyond the security perimeter, which means that many organizations are not able to identify any possible threat which is being arranged, prepared and rolled out towards an organization when it is happening outside of the secured, monitored security perimeter, their own IT infrastructure. Out of that, we can see that organizations are facing more risk than ever before, and I think that correlates with the cybercrime increase as well. What we also identify, out of the TTP analysis, is that there is no particular preference of threat actors to either go after a specific organization or to go after specific low-hanging fruits in terms of zero-day exploits or other fairly new vulnerabilities, which are then, out of the reconnaissance activities of threat actors, correlated towards specific organizations.
Organizations are lacking awareness of their vulnerabilities and risk. Usually, or more often than not, they are not fully aware of their own weaknesses, their own vulnerability. And with vulnerability, I'm not talking about the technological definition of a vulnerability; I'm talking about the organizational vulnerability, which can be technological, operational, but also human. Therefore it is important for organizations to have a full picture of the possible vulnerability and the resulting risk. We're also identifying that execution is becoming more and more sophisticated. Threat actors need to take that sophisticated approach because we as the defenders are constantly improving our strategy and the execution of the strategy, and therefore the threat actors need to stay on top of that. Finally, it is something like the race between the rabbit and the hedgehog, and this is something we need to take into consideration. Threat actors are ruthless; they don't have any boundaries, they don't have any moral limits, and that has to be considered and incorporated into the security strategy and its execution. Therefore the strategies have to be more cohesive and more comprehensive.
And there are financial, operational and functional challenges. From an investment point of view, nowadays investments have to be reduced, investments have to be well thought out, and certain investments have been pushed back. That's one aspect. Another aspect is that right now, due to the variety of TTPs, of different attack methods, of different intrusion points and intrusion capabilities, the variety of execution, of knowledge, of expertise requires individual aspects to be covered in terms of the cybersecurity and cyber defense strategy. That results in siloed offerings and siloed solutions being implemented, and this adds cost for a simple reason: you need to have the manpower to operate these platforms, these solutions, these products, and you also need the manpower to correlate each of these silos into one big picture, where you take all these individual puzzle pieces and try to correlate them and understand what the landscape picture is for me now, what it was, and what it will be.
That also results in long implementation cycles with an obviously delayed ROI. The siloed solutions create complexity and also create another security gap, and that is, in our opinion, important to understand. So, we've been introduced by John to attack surface management. Attack surface discovery, in our terminology, is exactly one of the perspectives we take towards an organization. We look at an organization from a hacker's perspective, and we try to find out what the vulnerability is from a technological standpoint of that particular organization: the exposed IT infrastructure, what it is made of, what assets are available, what the inventory of these assets is, and how that can be broken down into a specific vulnerability correlation. That's one aspect. What we also do with attack surface discovery is put another focus on forgotten IT, shadow IT and third-party-managed IT.
And these are very interesting situations. I come out of meetings with customers where we're looking at the results and the data from this attack surface discovery, and they identify the one old asset that was a test run of a web application three years ago. Why is it still operational? Why is it still online and still accessible? That means for three years it's been completely outside of the security policy execution, and that is something which needs to be understood. This is where we are looking forward to working with organizations to help them uncover all these little gaps. Vulnerability intelligence is the extension of vulnerability management, and this is another silo, which is interesting: using the inventory out of attack surface management, out of attack surface discovery, and correlating this to the known and well-documented vulnerabilities is one part.
What is missing is the visibility and the knowledge about the actual execution and usage of these vulnerabilities, and that is important to understand. Brand intelligence: now we're turning away from these technological shortcomings to business and operational shortcomings and risk, where we encourage our customers to also look at what is happening outside of an organization regarding the organization. What kind of malicious activities are happening in preparation to execute a campaign, an attack? What kind of malicious infrastructure components are available outside of the security perimeter in the context of an organization? These are all indicators, and they need to be uncovered, as does digital risk discovery: trying to find out what has happened already, what data, what content has been leaked, what has been shared, where it is detectable, what leaked credentials are out there. Everything which is a result of a breach or a hack can be another risk for future activities by threat actors.
And then, additionally, allowing a wider scope of any activities: the situational awareness. Everything that is done nowadays is very focused and very narrowed down to the organization itself. But if you are, for instance, a telecom provider, you would like to know what is happening to other telecom providers in the world, and you would like to know more about the details if they have been in trouble. You would like to understand the reason for the trouble and the context of the trouble, because that allows you to relate back to your organization: where are our shortcomings which we haven't identified yet? What can I do to prevent and prepare myself better and to protect my organization better? And cyber intelligence overall.
That is something which is highly recommended to look at, which means observing the threat landscape and correlating all these observation results to build a very precise picture of the threat situation, so that security practitioners and defenders are able to understand the precise situation with noise reduction, with a decrease of false positive results, et cetera, to allow them to be very focused on any kind of activity to improve security. What are the recommendations? Our primary recommendation overall is that you need to have senior management buy-in and their engagement. So how does that work? First of all, you need to have it because senior management and upper management are definitely the ones who give you the budget, who sign off an investment. So how do you make them aware of the necessity?
We found out, while having all these conversations with customers, that in certain cases senior management does not fully understand the impact of cyber threats on an organization. They think it's still an IT issue, that a server is down, that a user can't log in, all these very simplistic views. What does it mean in reality? This is something which can be widely discovered in the media. Every week organizations have to shut down business for a period of time; they're not able to operate, and that results in a financial burden, an extreme financial burden. And that is for a simple reason: senior management, or those in non-security-responsible roles within an organization, should understand that the company, the organization, is actually in a competitive situation with threat actors. The competitive situation is about the data and the intellectual property.
Because the organization is using the data and the intellectual property for its own economic benefit, for the company's success or failure, it has to rely on them. Threat actors are actually after the same things for the same objective, financial benefit in most cases, but they have a different methodology, a different tactic for achieving that particular objective, which is of a criminal nature. It has to be understood that there is a competition, and therefore it is important for senior management to understand that if this particular data, this intellectual property, is at a particular risk, there is also the necessity to identify its own vulnerability, its own strengths and weaknesses. And that, as said before, is not only vulnerability in the traditional definition, but also from a technological, an operational and a human standpoint.
How does that work? Our recommendation is to use a holistic approach. Nowadays the internal landscape is mostly under control; there are, let's say, the three Ps, people, processes and products, in place, which allow organizations to control everything from an internal perspective. What is missing is the overall visibility and understanding of the external threat landscape. I wouldn't say it's a black hole, but there are some specific, huge gaps of knowledge, of information, of understanding, and due to this, the opportunities for risk mitigation are missed. Now, when we think about an impending threat, about the rollout of an attack, threat actors have to spend a lot of effort and time in preparation. Reconnaissance, one of the keywords from John's presentation, is the analysis of a potential victim, and this is an exercise which is executed over weeks, multiple times. All these exercises leave traces, they leave evidence, and this is something which we are able, or should be able, to uncover, which we recommend, and also to analyze and to correlate, to create a clear picture for an organization about this external situation.
So with this holistic approach, it is also important to understand that this is continuous monitoring. The IT infrastructure, the organization itself, is constantly changing and evolving: new IT assets, released updates, upgrades, et cetera. The threat landscape is also constantly evolving. These types of movements are asynchronous to each other, and it is important to have that continuous monitoring and also continuous correlation to synchronize these movements. This all brings down the effort to implement the cyber strategy on various levels, namely across people, processes and technology.
Our approach at CYFIRMA is to introduce organizations to external threat landscape management. What does that mean? Taking all of these silos as outlined before, attack surface discovery, vulnerability intelligence, brand intelligence, digital risk protection, situational awareness, and threat intelligence or cyber intelligence, and out of this providing consolidated information to organizations, which allows organizations to operate predictively. As I said before, threat actors have to spend a lot of time in preparation for a specific attack or campaign rollout, and out of the signals which are out there, with all the evidence, with all the indications, we can create a predictive picture. Out of this prediction, we would like to enable, and we are able to enable, organizations to be actionable, to remediate that particular risk before it comes to a peak. It is also important to have that information very personalized, because nothing is more disturbing than noise or false positive information; it should be relevant to specific organizations, giving risk indications so that you understand the severity of that particular information and why it is important to work on it now and not next week.
And also to be adaptive, to integrate into the given internal security measures and also the internal threat management. With everything there is: SIEM solutions, SOAR solutions, et cetera.
What we also provide with ETLM is the integration into the operational business processes. And I think that is important. So first of all, I think it's worthwhile to talk about the sourcing. So when we talk about threat landscape observation, we observe from the surface web, from the deep and dark web, but also out of other intelligence networks. That's one aspect. And then we take this information and correlate it according to the context of our customers, of our organizations. And this is AI and ML based. With this analysis layer, we're able to give our customers the possibility for contextualized risk profiling. Very important is risk quantification: how important is a finding? How less important is another finding? It should then be actionable. With all these you are able to integrate into other solutions, either into very specific solutions or very native integrations. And that allows them to ingest our information into the customer environment, very specific, very focused, and to seamlessly integrate into the processes.
So what are the recommendations generally? First of all, look at yourself from a hacker's view. Try to find out: where are my weak spots? Where are my sweet spots? Why am I attractive to threat actors? Take this information to mitigate and remediate that particular risk. Having that information very precisely tailored allows efficient and effective operations and actions to improve the security situation. Further down the road, it is also important to understand who's your enemy. So why am I being targeted, by whom? What is the objective? What are the TTPs, what is the track history of these threat actors? What are their methods? This is important to understand because out of this information, you're able to also provide valuable information, valuable assets, into the other aspects of your IT security operations: blocking IP addresses, blocking URLs, packet filtering, packet inspection. These IOCs in regards to intelligence hunting allow a very proactive approach and very proactive results, the security posture being improved drastically.
It gives you complete visibility about your external threat landscape. And I'd like to cut it short here. For the ones who are interested, please contact us. These are the two products with which we work. It is important to have a consolidated view on these silos. In our opinion, it is important to consolidate all these silos into one big picture and into one overall threat landscape picture, which allows organizations to be more precise and be better and well informed about their current threat situation. And we do this with attack surface insights, not only taking the inventory of the attack surface, but also correlating towards vulnerabilities and other intelligence information. We also take care of anything which is happening in the context of the organization in terms of social media and web exposure. Impersonation, one of the major threats. CFO fraud is a common terminology that is important to track, and that also happens on other levels.
Dark web exposure. How prominent am I? Is my data, are my assets, any kind of assets, how prominently are they exposed on the dark web? And then also having a look at what has already happened. Sometimes we come into situations where it's too late, but still organizations need to understand why that particular data breach has happened, so that we can track back and mitigate that particular loophole. And one of the very important aspects is third party observation, third party risk monitoring. You have close connections with vendors, with customers, with partners, with suppliers. You have technical integrations and you would like to make sure that these are not any kind of back doors into your IT infrastructure. Your security posture might be top notch, but on the other hand, your supplier is very, very relaxed on that, and that opens a door. That's a potential risk and this is something you would like to find out.
With that said, I would recommend applying ETLM across the whole organization with all there is, just to make sure that you have a security posture, that you have transparency on your threat situation, that you're able to serve other objectives of your organization, that you collaborate, for instance, with, let's say, identity and access management, with marketing, with HR, with sales. All these can benefit out of a profound ETLM platform with its information and data. Having said that, thank you very much so far, and now let's open the Q&A.
Well, thanks Dirk. Yeah, we'll take a look at the poll questions here in a second, but I wanted to go back to something you said a few minutes ago that I thought was really, really interesting. You know, sometimes I do think management is not quite aware of the potential impact of a cybersecurity event. You know, when you think about something like ransomware, it's not akin to a server going down. You know, I know of cases where organizations have been down for months, let's say two months. Can your organization afford to have employees sitting around for two months doing nothing? You know, and cyber threats are existential threats for some organizations, and I think it's important to keep that in mind.
Absolutely. I mean, there are recently given examples of that, the bankruptcy of the bike manufacturer over in Germany. They simply couldn't afford to pay the ransom, that's basically it. They couldn't pay the ransom and they couldn't keep up the operational cost for their own business. And that's the financial burden, which is the risk to the organization. It's an immediate financial burden which you haven't put into your budget planning, simply spoken. Yeah. And that puts the risk to the organization, and it takes years for organizations to overcome and recover out of these situations. And regardless if that's a ransomware attack or it's a malware attack, taking down the business of an organization costs from day one.
For sure. So yeah, let's look at the poll results. Number one, what types of cyber attacks are you most concerned about? Looks like data breach, loss of PII, number one this time around, with software supply chain and ransomware not quite as important. And CEO fraud, business email compromise, didn't get any votes this time around. Okay, any thoughts?
Yes, so I would be concerned of ransomware attacks because that aligns with the financial objective of threat actors, because that is something where it is just carpet bombing into the cyberspace, and out of the response potential victims are identified. That's it. The PII loss and data breach is obviously also something which is important to be protected from and to secure. But this is not for every threat actor a very prominent objective, put it that way.
Because on the other hand, and this is something we've observed out of our observations as well, is when we look at the ransomware attack itself, we were first talking about double extortion, triple extortion. Now it's quadruple extortion. So the ransomware is not only encrypting the files on site and then asking for ransom, for some payments, to release the decryption tool. It is also that this information is usually exfiltrated, so it's out of control of the owning organization. And the other one is that it's, I mean, it's like a butcher's job to take a cattle and make all out of that particular cattle with all there is, with all the potential meat you can carve out, you can sell and you can produce further. And that happens with data as well. Once it's exfiltrated, it's put on for sale as a chunk, and further down the road that particular data is then also very precisely analyzed. Yeah. Looking for the oyster pearls, which can then again be placed to market.
And that is the PII loss as well.
The second poll. What are your three biggest challenges to implement? Budget and too many tools take the top spots, with skill shortage and stakeholder management coming in, yeah, a second.
Yeah, it will be interesting to understand what budget means to the ones who were responding to the poll.
Well, I mean, we're talking about economically turbulent times. The amount of budget is probably decreased for
Yeah, yeah. And therefore it's another reason to think about the current execution of the strategy, to make sure if there is a potential to consolidate and to revalidate potential efficiency and effectiveness by maybe looking at another platform or stack which can be easily integrated.
So let's look at our questions here. What are the top priorities for allocating limited cybersecurity budgets? Well, you know, we've talked about a lot of different kinds of tools. Many of them are sort of absolutely necessary. It is hard to prioritize one over another in many cases. I mean, I think you've got, you know, basics that everybody needs. Things like endpoint security, you know, email security, you know, various detection and response, application security, you know, other things that I probably should have mentioned earlier, that Dirk mentioned, like SIEM and SOAR. You know, there are a whole integrated set of tools that need to be in place to really have an effective security architecture. Dirk, what are your thoughts on priority?
Yeah, I think I would center around the human being, to be honest. I mean, it's an odd statement, but it's still a weaker spot in the chain, in a direct manner but also an indirect manner. The human being is the one who's using the IT infrastructure, who's given access, who's given privileges or even administrative permissions. And then there is the technology underneath, which is also implemented; the architecture is developed and deployed by humans. And then there is sometimes the situation where I think a re-validation of the architecture and strategy should be happening more often, to make sure that, as you said in your presentation, MFA is so important but so little deployed still. Yeah, the reliance on username and password is, it's just, I mean, yeah, a different topic to talk and rant about. But the human factor is also the one who is responsible for any kind of technological vulnerability as well. Thinking about procedures, processes, how to maintain and update systems on a regular basis, do the validation, re-validation, crosscheck. That is also something which has to be taken into consideration as well.
Yeah, very true. You know, I wanted to ask you, since you guys have a look at the external threat landscape, what can you talk about with regard to initial access brokering? That's
Well, initial access brokerage. Yeah, it is a hot topic, let's be clear on that, due to the recent, what means recent, due to the changes in how organizations are operating nowadays and through the past three years of the pandemic, allowing employees, allowing users to operate from remote localities, having external access moving out of the security perimeters. That also has opened a gate of interest for threat actors because with that, the IT infrastructure has obviously changed; entries, gates into an IT infrastructure have been increased, VPN gateways, remote access gateways and all there is, and with that also the administrative and privileged execution of such access. And exactly these credential sets are highly valued in the threat actor scene right now. There is a market for these accounts, and that is something which I as an organization would strongly take care of, just to make sure that at least the high privileged or privileged accounts are specifically monitored also from a threat landscape perspective, with dark web monitoring and dark web observations, just to make sure that none of these credentials or assets are somehow shared outside of my organization, out of my control and surveillance capabilities.
There's a huge market for that. And the money being paid for a set of these credentials is outrageous. Now we're talking about six, eight numbers.
Yeah. Yeah. I think, you know, kind of going back to the question about, you know, what's the top priority, you know, when you think about privilege management, you know, I could have, should have mentioned, you know, PAM, EPM. Again, you know, those are important tools. You know, it's hard to say what's the most important thing. It's like saying, well, I need to buy a car. What part do you want first? You know, well, I'll take a steering wheel and a tire. I mean, really you need to invest in all the different parts and think about, you know, what are the threats that are most pertinent to your organization, you know, and then emphasize the tools that can help mitigate those threats.
Yeah, and I think you're right, and your analogy with buying a car makes sense. It's not only the steering wheel which drives the decision and gives also validation for a right decision. It's the combination and the assortment of the different objects of a car. And the same for cybersecurity. It's not that one particular approach, this one particular solution, this one particular process, it's a combination. And we talk, for instance, about PAM or the privileged accounts to be secured. It is not only that you need to have a PAM solution in place, which is for the internal threat landscape obviously very important. It is also to apply the according processes and procedures around the management of these PAM accounts, making sure that this is also taken care of from an external threat landscape. As said, nowadays organizations have too many gates towards the public. So actually the IT infrastructure is exposed more than it was three or four years ago. And therefore it's important to understand also from an external situation how important such things are. And this is just one example, and there are other aspects that should be considered as well, but always with that multilayered security and strategic approach.
Well, great. We're at the top of the hour. I want to thank Dirk for coming today and delivering some really good information. And thank everyone for attending. Again, the recording and the slides will be available shortly. So thanks again, Dirk.
Thank you. Thanks for having me. Thanks for this very informative hour. Looking forward to the next engagements.
Likewise, I hope you can join us later next event. Thank you.
Thank you. Bye-Bye.