Cybersecurity, digital investigations, and eDiscovery will never be the same. Market uncertainty and changing consumer behavior have increased cybercrime and fraud, while remote workforces are redefining network perimeters, opening new avenues for hackers to access private and sensitive data.
In a brief interaction with Augustin Kurian from CISO MAG, Anthony Di Bello, VP of Strategic Development, OpenText, talks about how the pandemic has accelerated market changes in cybersecurity and the use of VPN for remote employees among several others. Anthony leads a team of market development directors driving OpenText strategic direction within information security, data discovery, legal, analytics, and AI/ML software markets.
Edited excerpts from the interview follow:
While many rushed to adopt cloud during the pandemic, it threw up new cloud security issues. This was attributed to misconfigurations, and over- or under-provisioning. What do you think will happen on the cloud security front? How will technologies like threat intelligence and AI help secure cloud applications and services?
The first step that organizations relying heavily on virtualized and containerized infrastructure need to take is ensuring logging capabilities are not only deployed but also turned on. For example, Kubernetes requires the deployment and configuration of the Google Cloud Operations suite (formerly Stackdriver) to take full advantage of the information logged within Kubernetes clusters. Once logging is properly configured, that information then needs to be fed into a security analytics platform to take advantage of use cases such as machine-learning-powered threat hunting. Through this process, organizations can detect anomalous or malicious activity originating from the containerized environment.
According to research from OpenText Webroot, 63% of web-borne malware and 15% of phishing attacks are delivered over cloud applications. The number of enterprises and small-to-medium businesses using cloud-based applications for file sharing, data storage, project collaboration, and more skyrocketed during the pandemic and will continue to grow. As cloud applications become more prevalent, organizations must balance application use with security, or face regulatory & compliance issues, data loss, and security breaches.
Actionable threat intelligence is critical to help secure cloud applications and services. Threat intelligence provides data around three major areas of concern within cloud applications or services: which services are being used within an organization? How are the applications being used? And what are the security reputations of these applications or services? Threat intelligence services help organizations enforce data-centric security policies to prevent unwanted interactions with cloud services and associated applications. Threat intelligence can also help organizations supplement the information they already have on which cloud applications pose security or compliance risks, as well as identify user actions within these applications.
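The answer above describes a pipeline: turn cluster logging on, feed it to an analytics platform, and hunt for anomalous activity. The following is an added example (not code from the interview, OpenText or any product) showing the smallest useful version of the last step. It parses constructed Kubernetes API-server audit events, modelled on the audit.k8s.io/v1 Event format, and applies four starter detection rules. The sample log lines, the allowlist in SECRET_READERS and the rule names are all assumptions made for the example.

```python
"""Parse Kubernetes API-server audit events and flag activity worth a hunt.

Added example: the log lines below are constructed for illustration and
modelled on the audit.k8s.io/v1 Event format; they are not from any real
cluster. The rules are deliberately simple starting points, not a product.
"""
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample: one JSON audit event per line, plus one malformed line.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:app:web"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"configmaps","namespace":"app","name":"web-cfg"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2021-05-01T09:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:app:web"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2021-05-01T09:00:05Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"jane@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"app","name":"web-7c9f"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2021-05-01T09:01:10Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:ci:runner"},"sourceIPs":["10.0.2.9"],"objectRef":{"resource":"secrets","namespace":"app","name":"db-creds"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2021-05-01T09:02:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:app:web"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"secrets","namespace":"app","name":"db-creds"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2021-05-01T09:02:30Z"}
this line is not JSON and must be skipped rather than crash the parser
"""

# Principals expected to read Secrets (constructed allowlist; tune per cluster).
SECRET_READERS = {"system:kube-controller-manager", "system:serviceaccount:app:web"}


def parse_audit_log(text: str) -> List[Dict]:
    """Return completed audit Events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count these for a data-quality metric
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def service_account_namespace(username: str) -> Optional[str]:
    """system:serviceaccount:<ns>:<name> -> <ns>; None for human users."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2]
    return None


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Apply four starter rules; each finding names the rule, principal and detail."""
    findings = []
    for ev in events:
        user = (ev.get("user") or {}).get("username", "<unknown>")
        ref = ev.get("objectRef") or {}
        resource, sub, ns = ref.get("resource"), ref.get("subresource"), ref.get("namespace")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        ts = ev.get("requestReceivedTimestamp")

        def add(rule: str, detail: str) -> None:
            findings.append({"rule": rule, "user": user, "time": ts, "detail": detail})

        # Interactive shell into a container: rare in production, always worth a look.
        if resource == "pods" and sub == "exec" and ev.get("verb") == "create":
            add("pod_exec", f"exec into {ns}/{ref.get('name')} from {ev.get('sourceIPs')}")
        # The API server said no: denied requests reveal probing or broken RBAC.
        if code == 403:
            add("forbidden", f"{ev.get('verb')} {resource} in {ns} denied")
        # Successful Secret reads by anyone outside the allowlist.
        if resource == "secrets" and code < 300 and user not in SECRET_READERS:
            add("secret_access", f"{ev.get('verb')} secret {ns}/{ref.get('name')}")
        # A workload identity reaching outside its own namespace.
        sa_ns = service_account_namespace(user)
        if sa_ns and ns and ns != sa_ns:
            add("cross_namespace", f"{sa_ns} service account touched namespace {ns}")
    return findings


if __name__ == "__main__":
    for finding in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{finding['rule']}] {finding['time']} {finding['user']}: {finding['detail']}")
```

Run against the constructed log, the five parsed events yield five findings: the denied Secret listing in kube-system fires both the forbidden and cross-namespace rules, the pod exec from a human account fires on its own, and the ci namespace runner reading an app namespace Secret fires both secret-access and cross-namespace; the allowlisted web service account reading its own Secret is left alone. In a real deployment these rules would run inside the analytics platform the answer mentions, with the allowlist and namespace mapping learned from a baseline rather than hard-coded.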
There is still a huge chunk of organizations that fail to fully discover privileged accounts while many do nothing at all to discover these accounts. How worrying is this trend in the age of remote working and what can be done to counter it?
This is a major concern. Organizations need to implement technology or retain services to discover privileged accounts across the enterprise, and this is no small task. For a large enterprise, simply understanding what and where all the systems, applications, and cloud services are, and identifying the associated user/admin accounts, is a daunting task by itself.
An earlier EC-Council survey pointed out that 1 in 3 employees don’t use VPN to connect to the company network while working from home, escalating vulnerabilities emerging from insider threats to sharp levels. Why do you think there is such a trend even after increased knowledge about cybersecurity globally?
The use of VPN, over slower consumer internet connections, can slow down a device, particularly when that device is streaming multiple audio and video feeds while presenting from any number of applications, as is typical when conducting meetings from the home office. Employees want to get their work done in the most efficient way possible… if a simple fix to a slow computer is working disconnected from VPN, it’s an easy choice for… 1 in 3 employees. This highlights the need for host-based security controls that do not require the device to be behind the firewall to ensure a level of security.
Many a time, recruiters are unable to recruit knowledgeable or skilled personnel to deploy their security automation tools. This is a major hindrance to a good cybersecurity posture. Do you think there is enough stress on the need for security automation programs?
There is plenty of stress on the need for security automation. An entire technology category has emerged to address this (Security Orchestration, Automation, & Response), and most security vendors focus heavily on API development. What’s lacking is clear, rational guidance on how and where to focus initial automation efforts. Trying to “automate all things now!” can be overwhelming for smaller infosec and security operations teams. We suggest teams first conduct a threat modeling exercise to help focus efforts on where the biggest gains can be made, then identify processes where lots of “heavy lifting” is done manually. Think automating the capture/collection of memory triggered by a particular alert category. This both abstracts away the need to perform “collections” and provides security teams more actionable intelligence from endpoints by seeing the state of a device exactly when an alert was generated. Such basic automation also accounts for the typical attacker work schedule, which is typically nights and weekends.
When it comes to malware detection and protection, several companies are relying on signature-based malware monitoring. What are the challenges in using signature-based malware monitoring?
You miss 100% of threats that don’t have a signature. How long did SUNBURST go unnoticed? HAFNIUM? These are clear and present examples of why relying solely on signature-based monitoring is an incomplete solution.
What are the plans for OpenText? What is the status of integration of Carbonite/Webroot solutions since the acquisition last year?
We continue to look for every opportunity to bring Carbonite and Webroot products to our OpenText enterprise customers, and this includes OpenText itself. Last year, we adopted Carbonite backup on every OpenText endpoint to help protect our entire workforce as they shifted to remote work environments. At the same time, we have been able to bring OpenText solutions and services to the Webroot managed service provider (MSP) community. We also have deeper integration between EnCase Endpoint Security and BrightCloud Threat Intelligence; we’ve integrated file reputation, and in our upcoming 21.2 release, we will be bringing URL and DNS reputation feeds into EnCase Endpoint Security. Carbonite and Webroot continue to help OpenText bring comprehensive cyber resilience solutions to the enterprise, MSP, business, and consumer markets.
About the Interviewer
Augustin Kurian is the Assistant Editor of CISO MAG. He writes interviews and features.