Axis Co-Founder and CEO Dor Knafo, Synack CEO Jay Kaplan and Robert Harajevic explains how the pandemic has heightened cybersecurity risks and what, exactly, companies should do about it.
What’s the core piece of advice you would give to organizations right now looking to secure their company assets?
Continuous security testing is key. Organizations that test early and often — ideally during the development process, long before making a website live or deploying key digital assets — are simply more secure. They’ll be able to find and fix dangerous software vulnerabilities quickly, before malicious hackers can take advantage of them to infiltrate networks and inflict untold harm. It’s simply not enough to just scan for vulnerabilities or rely on a small number of the same pentesters. That’s not an effective or reliable way to secure a network. It’s essential to carry out testing with a larger, more diverse crowd of researchers with different skill sets who can work together on a managed and secure platform that employs smart technology to discover different types of software vulnerabilities. If organizations don’t take a proactive approach to security — and test their assets with an offensive mindset — they put themselves at risk at a time when cyberattacks such as SolarWinds are becoming even more sophisticated and costly.
How has the work-from-home amplified organization’s susceptibility to phishing and ransomware?
The rapid shift to remote work throughout the pandemic has led to more rapid digital transformation and an entirely new hybrid style of work. For some people and organizations, remote work just makes the most sense even when we’re all vaccinated. The pandemic also meant that the hospitals, banks and government agencies had to rely more on apps and internet tools to conduct their work and serve the public. This opened up more lucrative targets for hackers who found cunning ways to compromise remote networks and tailor phishing campaigns to steal employees’ sensitive credentials. We’ve always relied on emails, but now it’s the only way some organizations share proprietary information. That’s why the recently discovered Microsoft Exchange zero days were so alarming. Hackers want access to our emails and are finding new ways to break into systems. All of this means employees need to be smarter, need to take proactive steps to train workers and stress test remote networks with an offensive mindset. That’s always the best defense.
In what ways has artificial intelligence impacted the cybersecurity industry?
AI and machine learning are a blessing and a curse when it comes to cybersecurity. On one hand, tech advancements make it possible to increase the speed and scale of testing and to use automation when hunting for the most common vulnerabilities. But hackers use these tools, too, to increase the speed of attacks, to break passwords and evade common cybersecurity software. That means human creativity and ingenuity remain critical. Security researchers are now able to harness AI in an effort to weed out software flaws. Developers can use it to design better programs to eliminate problems in the first place. Smart technologies also make researchers faster, freeing up time to focus on harder problems. Ultimately, however, it takes the skill and creativity of best researchers to find the most dangerous vulnerabilities and help fix them so bad guys don’t find them first. Humans still design software so it will take humans to make it better.
What do you see in store for the industry 5 years down the road?Cybersecurity threats are getting worse. Criminal hackers are becoming more sophisticated. There’s a global cyberconflict happening right now that will become worse before we find the solutions to make it better. At the same time, every nation is becoming more digitally dependent. That means cybersecurity companies need to work faster, scale more, be more nimble and be able to provide on-demand services and intelligence organizations can utilize to become more secure. Security companies need to deploy the most skilled researchers where they are needed most. Unfortunately, there’s a shortage of cybersecurity talent. That means we have to use models such as crowdsourcing so as many organizations as possible can take advantage of the best researchers. We can make the world more secure by combating the problem with creativity and ingenuity and by tapping the crowd for answers.
Co-Founder and CEO, Axis
How has data security become more important or changed with the rapid increase in today’s “work from anywhere” environment?
Data security has become even more important with the “Work from Anywhere” movement.
Organizations have traditionally used VPNs to connect workers from anywhere and from any device to company resources so they can do their jobs. The issue is that these old technologies aren’t secure and they don’t do a good enough job of protecting applications and data. They are also clunky to use and highly complex to deploy and manage. Axis Security solves these issues by providing a simple, more secure way to do this; a way that isolates applications from the network and grants each user access only to the data and resources they require. With Axis, each time the user is vetted and their usage is limited based on their profile and device. And, what’s more, user privileges can be instantly revoked, if there is suspected suspicious behavior.
What do you see as the number one threat to organizations right now? If companies want to keep up with hackers and breaches what’s the single best method, they can employ to protect their organizations?
The best way for organizations to protect themselves is to throw out all of their old thinking about the network being the perimeter that requires protection. With the cloud, a whole digital era has been ushered in and, in turn, new ways to secure corporate resources (applications, databases, etc…) and data is key, and it starts with a Zero Trust model. Zero Trust operates on the principle that no one is trusted – not even employees; all users must be verified all the time. Users only gain access to specific isolated company resources required to do their jobs, and they cannot gain access to the entire corporate network, thereby reducing risk. Gone are the days where the network is protected but, in reality, users can roam freely, leaving an organization open to data loss or theft.
What is Zero Trust and what should organizations know about it?
Zero Trust is a model by which no user is trusted. It has been borne out of the need to protect enterprise systems as legacy technologies become obsolete and attacks become more sophisticated. Zero Trust is centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anyone and anything trying to connect to its systems before granting access and then continuously monitor each session for any anomalous behavior.
What have you prioritized in the development of your product? How is ease of use at the forefront?
Axis Security’s Application Access Cloud was built to be simple and fundamentally more secure than complicated legacy technologies like VPNs. We are focused on making it really easy for organizations to adopt a zero trust model for secure remote access with fast deployment, ease of use for both the end user and the IT department, automatic scalability, high performance and reliability. We deliver granular, secure, managed access that removes the complexity of legacy access solutions and scales easily as needed, eliminating performance issues that constantly plague VPNs. Axis minimizes risk by isolating and protecting vulnerable applications while enabling users such as employees and partners to be productive and connect from anywhere with any device at any time.
How do you expect the cybersecurity industry to change in the next 5 years?
Within the next 5 years, the traditional network as we know it will no longer define access between users, devices, and applications. It becomes only basic plumbing and a lot of that even goes away as companies orchestrate all of their IT needs around the cloud. Secure access to resources and data will be logically defined and controlled with a zero trust approach and a secure access service edge to accelerate secure cloud access to applications, data and services. Zero trust access will be at the heart of security protection, and the old ways of doing things will be no more, along with the network perimeter.
You’ve experienced significant growth since starting your business. What advice do you have for others starting a tech business?
My co-founder and I started Axis Security with a mission to solve a security problem that we think is critically important — delivering secure remote access solutions that are more secure and easily deployed than what’s currently available. We made sure to do our due diligence before launching our company which turned out to be an invaluable move. We sought input from chief information security officers at 50 different companies and discovered that they actually had two huge remote access issues to address — security and complexity. Creating a company to solve an industry problem with a differentiated product has allowed our business model to take off quickly. I would encourage others on this journey to set goals, believe in yourself, in your concept and to follow your dreams.
Founder and CEO, Herjavec Group
How has the work-from-home amplified organizations’ susceptibility to phishing and ransomware? Given your expertise in the space, what’s the best piece of advice for organizations facing these attacks?
Prior to the massive shift to nearly 100 percent of employees working from home, organizations had tiered policies for their security defenses against attacks like ransomware and phishing. Most organizations could divide their employees into two groups: One, the employees that held down the fort, working from the office inside a fairly well controlled network; and two, the road warriors that were seen as higher risk mobile employees (which was on average 20 percent of an organization). The pandemic brought entire organizations into the high-risk category and not all security practices and policies scaled to the challenge.
Organizations have to reassess their security toolbox. A hybrid workforce requires stronger protections, including next generation endpoint protection, email gateway monitoring, cloud access, and secure internal gateways. In a perfect scenario, these tools would be deployed company-wide, logging to a Security Information Event Management (SIEM) platform and be monitored and managed 24/7 with expert-level analysis and response.
The other important piece of a good cybersecurity practice is to educate your first line of defense — your employees. Keeping cybersecurity top of mind for them is key. Employees may be very distracted in their new work surroundings, with kids home from school, lack of structure, shared environments, etc. It’s easy to make a mistake and open that malicious email or download an infected file. In my opinion, this is the perfect time to ensure diligence and precaution in the remote work environment. Test your teams, send out training quizzes, and share the results so everyone can learn from the outcomes going forward.
Below are 10 tips on how to spot a phishing scam:
- Phishing emails often have spelling errors and poor grammar in the subject line and body of the message.
- Phishing emails are known to contain hyperlinks with malicious URLs that lead to fake websites. Hover on hyperlinks to check them out before you click.
- Phishing emails often contain hyperlinks with URLs that lack security certificates. These URLs begin with http:// and not the secure [https://]https://.
- Phishing emails are known to have generic greetings such as “Dear Online Banking Customer.”
- Phishing emails will sometimes sound legitimate — i.e. stating that they’ve noticed suspicious activity or login attempts on your account, or that there’s a problem with the payment information on your account and products or services will be withheld from you.
- Phishing emails almost always want you to click on something, for instance, to update your payment details, or access the latest information on COVID-19.
- Phishing emails are commonly sent from bogus email addresses containing a company name, for instance, rjohnson[at]mail.google.work masquerading as a Google employee. These types of tricks are getting more and more sophisticated though, oftentimes with just one letter or symbol out of place.
- Phishing emails are notorious for containing file attachments, which range from fake invoices to documents with hyperlinks to malware that will inject ransomware infections into machines.
- Phishing emails are designed to make people panic, such as threatening to close an account if the recipient doesn’t act immediately.
- Phishing emails often come from an employer’s CEO — except they don’t. When a hacker disguises themselves as a CEO, it’s called CEO Fraud. These messages are usually sent to employees with a request to transfer money to an unauthorized account.
How can organizations prioritize cybersecurity for their business and employees in a post pandemic world? What steps can they begin to take now?
Over the last year, we experienced a complete change to our every day. Almost overnight, enterprises sent employees home, supported by monitors, laptops, desktops, printers, and phones to be connected to unsecured personal environments. Phrases like “just get it done” and “do what you can to keep the lights on” became the mantras for many organizations and, unfortunately, security programs, as we did our best to grapple with the dreaded “new normal.” Frankly, it’s pretty incredible how smooth this transition was. But was it secure?
Prioritizing cybersecurity is not optional. It is your obligation as business leader to security your mission critical assets, your employee data, and your customer data. In order to do this you have to balance your security environment with preventative security measures and defensive security measures, which include gaining visibility across endpoints, regularly scanning your network, and leveraging third party support in the form of Managed Security Services (which includes managed detection and response and incident response services). You have to truly evaluate your tools, your visibility, and your degree of control to understand how to build your security plan effectively.
There will be no shortage of projects and cyber initiatives to take on this year, but in order to ensure your enterprise network is protected as your team transitions to a hybrid work model, at Herjavec Group we recommend prioritizing these essential tasks:
- Asset inventory: Take inventory of all devices coming back to your network to ensure visibility of all endpoints.
- Test all devices: If you haven’t already deployed cloud-based Endpoint Detection and Response, do so. This will be the best way to identify and respond to any malware or compromises on all devices coming back to the office. Respond to any infected devices appropriately to ensure they are safe to return to the office.
- Quarantine devices that have yet to be tested or are infected: If a device is infected or hasn’t been tested yet, quarantine these devices on a network segment that is isolated to avoid total corruption until the device can be properly treated.
- Regularly test moving forward: Once your team is back to the office, continue to scan and monitor your EDR solution to ensure all devices remain safe. We highly recommend engaging Managed Detection and Response (MDR) support to ensure time to value, proactivity and automated blocks and updates.
What’s the core piece of advice you would give to organizations right now to securing their company assets? How can they place cloud and mobile security at the forefront?
Going into 2020, I asked my leaders what the foundation of security was, and unanimously it was “identity.” The last 12 months have proved that to be true.
Today, the security landscape looks a lot different than it did a year ago, especially with entire teams working remotely. As the perimeter disappears and organizations are experiencing (voluntarily or not) digital transformation, I firmly believe that Managed Identity is the answer to many of your security challenges, including cloud and mobile security.
Human beings, devices and applications all have identities. It is imperative that your enterprise has a way of detecting anomalous behavior across all three categories. Remote work “at scale” has certainly complicated this effort. People are logging on at all hours of the day, their kids are using their corporate devices, personal emails are being accessed, you get the picture. One of the most frequent questions we get from our enterprise clients is, “how do I keep my data and my employees secure now that we have deployed cloud operations?” We tell them to focus on identity — who is accessing your environment, at what time, from where, and for what reason. But take an adaptive approach, with behavior as the driver in your analysis.
Adaptive authentication recognizes behavior patterns at the user and device level, triggering security incidents when anomalies occur. The user is prompted to authenticate, and the security baselines continue to adapt based on those responses. At Herjavec Group we believe that analyzing and identifying behavioral anomalies is a key component to advancing your security posture because behavior is where risk, vulnerability, and identity converge.
For companies managing cybersecurity in an effective and protective manner, what do you believe have been the pillars of their success?
You have to strike a balance between proactivity and defense in your security program, including elements like strong identity governance, privileged access policy, endpoint protection, cloud controls, gateway controls, managed security services, threat hunting and intelligence, and incident response.
Additionally, one of the key elements organizations need to have is a benchmark of current detection capabilities, measured against their industry peers and industry-specific threats. At Herjavec Group we suggest using the MITRE Attack Framework, and encourage our customers go through regular threat modelling exercises in order to benchmark their security posture for continuous improvement.