- Andy Nallappan, CIO of Broadcom
- Troels Oerting, Chairman of the Centre for Cybersecurity at the World Economic Forum
- Usama Fayyad, world renowned data scientist and former CDO of Barclays
- Lakshmanan Chidambaram, President of North America Business, Tech Mahindra
- Atiq Raza, Chairman of Virsec and former President of AMD
- Rajiv Singh, Sr. Vice President & Head, Global Cybersecurity Business, Tech Mahindra
Rajiv Singh: Thank you for joining our webcast today on the topic of making cyber security a priority during a global crisis. My name is Rajiv Singh from Tech Mahindra. And we have a very distinguished group of speakers today whom I’ll introduce shortly.
The purpose of this webinar is to share experiences, advice, and best practices from each of our panelists on our security challenges during these really difficult times.
Although this is not a technical discussion, we will also talk about how Tech Mahindra and Virsec have partnered to deliver unique solutions that can help with many of these challenges by automating security and making critical applications self-defending.
So let me introduce our distinguished panelists. Andy Nallappan is a VP and CIO of Broadcom, an industry giant in the semiconductor infrastructure and software fields. Broadcom has also made significant investments in security both internally and externally. Thank you Andy.
Troels Oerting has a fascinating background in global security issues. He is the chairman of the Center for Cyber Security at the World Economic Forum and is speaking with us today from Geneva, Switzerland. Troels has a background in law enforcement and cyber crime and was the CISO at Barclays. Thank you Troels.
Usama Fayyad is a renowned data scientist and former chief data officer at Barclays. He is the CEO of Open Insights, a data strategy and technology design firm, and has broad experience in IT and security. Usama has a PhD in engineering from the University of Michigan, has published over 100 technical articles on data mining and holds over 30 patents. Welcome Usama.
Atiq Raza is a semiconductor industry pioneer who started multiple companies, became the president of AMD and as a serial entrepreneur has built many successful security companies from inception to large scale. Thank you Atiq.
Last but certainly not least is Lakshmanan C., almost universally known as CTL, President of North America Business, Tech Mahindra. CTL heads Tech Mahindra’s North America enterprise business verticals comprising banking and financial services, insurance, manufacturing, retail, CPG, travel, aerospace and defense, healthcare, life sciences and transportation, logistics and hospitality.
Thank you very much for this distinguished panel. So let’s get started. I would request Troels you take the first question which I have and I’ve been waiting to do this for a while. So Troels what security concerns are top of mind for business leaders and CISOs during the COVID crisis?
Rapid Digital Transformation Impacting Security
Troels Oerting: Thank you very much for inviting me, first of all to this great panel but also to a very important discussion. I think there are many things on CISOs’ minds right now and I don’t think it’s easy to take one or two things out. But I’ll try anyway.
I speak to more than 200 CISOs every second week in my capacity, started pandemic alliance and I attend a number of meetings and I’m trying to extrapolate from all of these discussions what is the most important thing that we see. First of all three months ago it was unprecedented for me in my whole lifetime. I’ve never seen you close down a globe completely, everybody, all countries, travel, everything. And you have in a very, very short time to move people in order to survive workwise to work from home online.
So we actually in three months have been transforming three years of digital transformation very, very fast. And of course this has not gone without any security implications. So I think that you see first of all that the concern is that you have moved around one billion workers that were unprepared from an office environment to home. You have moved them to unprepared tools at home, their own routers, their own Internet systems. And you have done that without any processes or policies to guide them. And I think this is still a huge challenge for the CISO. That’s the first one.
The second one is that with this much broader attack surface you of course would expect a bit more crime and we have seen an uptick in what I call mainstream crime. What I think my colleagues are more concerned about is that the criminals are actually trying now, because they were just as taken by surprise as we were when this happened. So they are now trying to find new avenues and routes into our systems. I don’t think we have seen anything yet compared to what they are planning that will try to exploit this new attack surface and possibilities.
And then last but not least, I’ve seen that some of my colleagues are very, very concerned about the ability to monitor the insider threat and also the ability to respond with their response team. We haven’t really trained to do this online. We always meet in the boardroom. We make plans and people go out and things like this. This is not possible anymore so I think this is the third consideration that I’ve seen.
Rajiv Singh: Thank you very much Troels. I think that was a very insightful piece of information that you shared with us. I’m sure this is something that we’ll all try to learn and figure out how to deal with it on an ongoing basis. It’s there to stay as we all realize. CTL, what do you think of all this?
The COVID Impact
Lakshmanan: Thank you. Thank you Rajiv and as I’ve said, I think this is a very important topic. Cyber security has always been important in the last many years and COVID has just brought a magnifying glass on top of this whole thing. And this of course is top of mind both to us and our customers. Many of our customers have been pursuing digital transformation initiatives for the last many years. What does this mean? This means increased connectedness, intelligence, and automation. But the balancing factor has always been security. It’s important to build digital transformation on the foundations of robust enterprise security. In many ways COVID has kind of accelerated this digital transformation process. What happened, like Troels said, in months has now been reduced to weeks.
And what we’ve seen enterprises do, in their eagerness or the necessity to relate to this new reality, is take shortcuts. And this kind of increases the risk exposure. Finally the other trend that was in play and accelerated by COVID is the need for more automation, primarily to reduce the costly manual labor that’s involved with legacy security solutions. We have to move to solutions that are more focused on the core enterprise applications, eliminating false alarms. And also how do we make these applications self-defending by themselves? These are all now areas of great focus and attention.
Rajiv Singh: Thank you CTL. I mean this is a lot of wealth of information from the different enterprise markets that we have been addressing and I think this really echoes the fact that there is a transformation that is underway at this moment in the world of cyber security. And I see that would be there to stay for a long time to come.
Moving on, I would request Andy. Andy what do you think with the rush to enable remote workers during COVID and for the foreseeable future? What new enterprise security concerns have arisen?
Andy Nallappan: There are a billion people now working from home, right? There are three challenges. One is there are people who are not used to working from home the way they used to work from work, not security aware. They’re not technically savvy.
The second one is the apps. They are not quite ready or secured enough to be accessed from the remote home. And there are the devices, which are not hardened to access the applications from the home. There are three things there, right, the people, the devices, the apps. So what happens is this impacts the productivity and the whole protection. The productivity from phishing, from ransomware. Now they lock down the devices. That’s a lot of the concerns now that we have.
Second one is everybody using SSO, single sign on, now and everybody is using mobile phones right now. Mobile conferences for collaborations, the multi-factors, the emails. Mobile phones are used much more to access the work assets than ever before. With all this now, it’s much easier for spammers and hackers. They use SMS to steal the credentials. If they steal the credentials they can get access to the jewels, which is the ERPs and our customer data or critical applications. So we’re focusing to protect the productivity as well as the assets. And then last but not least is the applications not meant to be accessed remotely through VPNs, because of the architecture. And how do you safeguard and harden that access. Those are the areas we think that are more risky.
Rajiv Singh: So do you see this – Andy I’m very interested to know. Do you see this to be a manageable situation at this time or do we seem to be still in the maturity of learning? What’s your take on this?
Andy Nallappan: It’s been about three months now. Good thing is everybody is focused on security, putting in a lot more focus. Even on the boards, they’re asking how prepared you are with the COVID-19 security. The awareness is there. That’s the good thing. We are all learning. There are technologies available. We can quickly deploy those technologies in either the monitoring or hardening or the multi-factors. There are a lot of other avenues we can put there to safeguard. That’s why we don’t see a widespread security panic. So every CIO, every leader now, they are CISOs. They’re all putting a lot of focus there.
Now we’re all learning. It never ends. We must always keep up with this. The biggest thing is all the hackers, they always work from home. For them it is not something new. What’s new is all the workers went home. That has made it easier for the hackers to get in there. And we are learning. It’s getting better. The good thing is we live in a time where technology is available, easy to deploy and there are ways to protect it and also change the behaviors.
Rajiv Singh: Thank you very much. It was so insightful. Atiq for your comments, we’ve been hearing about the perimeters disappearing. It’s been there for a while has been spoken about. But most security is perimeter based. How would we change our security approach in such a situation?
Atiq Raza: The perimeter is not really disappearing but I think the speakers that have gone ahead have described what is happening. In reality if you take a look at forensic information it’s showing that there has been a rise of cyber-attacks during this period while everything is locked down. Partly it may be because everybody is sitting in front of the computer. They aren’t going out. So they have more time to do their mischief. The second thing is that there are also international tensions that are occurring. And those international tensions are now exacerbated as restrictions are being placed on either intellectual property or defense information or even pharmaceutical research.
So intellectual property, money and critical information relating to nation states is where all the attacks seem to be aimed when I take a look at the forensic information that is being accumulated. Now how does it manifest itself? And that’s basically where all of you are aware that if somebody is launching an attack, they’re already aware of the perimeter security that’s there.
The most dangerous attacks that are occurring, according to the data even as recently as a few weeks ago that I saw coming out of Synopsys, 85 percent of the attacks are getting past this perimeter security. So where they’re aimed is they’re aimed at the application. And they’re trying to get and manage that attack as close to the application as possible.
Some of the noise that is created by the false positives upstream, there is effectively behavioral analysis and guesswork that is going on whether it’s using AI or not using AI. AI makes it better but it is not perfect because the training set of broad attacks is not a representation of what’s going to happen. So the application has to be protected because that’s the final stage where the attack manifests itself and that’s why we think that that is the most important area, which has to be properly protected against cyber-attacks.
Rajiv Singh: And Atiq do you see this really getting appreciated by the industry overall as an area that is of growing concern, or do you see that there is still a lot of lack of awareness about how severe this is? How would you quantify that?
Atiq Raza: I think the awareness has gone up dramatically. I mean if I just take a look even two years ago when you talked about application security, most people thought it meant just removing the vulnerabilities. But now even if you remove all of the vulnerabilities, you know today and the next day, there are hundreds and hundreds of new vulnerabilities that are discovered. You cannot use vulnerability patching as the means to protect because there constantly are new software packages that are coming out that have innate vulnerabilities in them.
Rajiv Singh: And given that this is kind of almost like a pandemic situation that you eventually probably will see. But do you see that there is a kind of understanding of what is the right way to address it. And how would you describe that for the benefit of a lot of our participants here? What is the right way to measure the success of how you defend in such a situation?
Atiq Raza: So basically Virsec was born around that concept. It was born around the concept, which at one time I thought was very forward looking, which is how do you basically prevent the most sophisticated attacks that manifest themselves at the last stage, where execution of code occurs.
Now when we basically started talking about it two or three years ago, the awareness of those kinds of attacks was not that great. Today you can have an attack come in through exactly the circumstances that Andy earlier described and Troels earlier described which is there is a web interface and at the web interface the user is interacting with the way the asset is designed. And that web interface is open.
Even if you have password protection, a person, whether it’s an actual nation state or a hacker, can drop a script into the user ID field that becomes a program that is persistent and searches for the vulnerabilities that can be exploited. Eventually the more sophisticated ones get very close to where the application starts executing. And we basically developed the tools in order to prevent that from happening. So we’re not just looking at techs and we’re not just looking backwards at what happened in the past to develop a training set. We actually are exercising our tool to comprehend and immediately protect against the attack no matter how late, just before it starts the execution.
Rajiv Singh: Thank you very much Atiq. Usama, I would like to hear from you, your views on this interesting topic.
The Security Alarm Must Get Even Louder
Usama Fayyad: Yeah. I mean I think my colleagues on the panel have kind of raised the alarm but if you ask me the alarm is not loud enough. Meaning most security – and I live in both kind of the startup world and work with some of the largest enterprises in the world. So I see kind of the new and the old. Most large enterprises have made a super heavy reliance on the perimeter and all the resources, all the attention, all the analysis, all of that stuff goes there. And we’ve been talking for years especially if you live in the world of IoT, etc, where there is no perimeter and you need to worry about a different model.
So I’m a big believer that the only model that works. Now of course we have to use multiple. We still have to continue to invest in the perimeter protection if we can. We have to figure out how to defend and make it difficult for the bad guys to get in. We can use multiple methods like AI and try to kind of enumerate different situations and try to respond to them. But then the bad guys are using that. The only first principle solution in my opinion that will work in this world is you need your apps to be resilient and your data, frankly. And you need the apps in particular to be self-defending. Meaning I don’t know.
I’m working in a world when the perimeter is gone and the set of threats that we normally call unknowns now become kind of exponentially larger. And how do you function in that world? Well you need to function in a world where you know when an app is running, it’s not doing harm like Atiq was mentioning. And how do you do that? Well, you need to figure out a framework that basically says I can let these apps by themselves kind of raise an alarm, block, do whatever it is when they sense that something is wrong. And that’s a philosophy that hasn’t taken off yet in core enterprise and we need to move to that world both on the app side and of course in my world I have to worry a lot about data and the fact that many people don’t encrypt enough and all that good stuff.
But that to me is the fundamental approach. Effectively, a company like Virsec for example has that philosophy and as Atiq said we all thought they were ahead of their times. I think now the time is absolutely right.
And as Warren Buffet says when the tide recedes we will see who has been swimming naked. And I think right now a lot of CISOs are feeling like they’ve been swimming naked. And this is why it’s time to put a lot of attention into this idea of what is the resiliency of your app and what is the capability of any app in your system to defend itself.
Rajiv Singh: Clearly this is what I would still call it, disruption from a perspective of what others in the industry are still practicing from a practicing point of view. I’m sure there is a lot of merit that people would realize, there’s a realization that would spread across that this is the new way to go forward. Do you have any specific message that you believe as to summarize and say what you believe would be the right things for the CISOs and the CIOs in this entire space?
Usama Fayyad: You must have an answer to the following question. Assume you are compromised because almost 100 percent if you thought you were 10 percent compromised before, I really think you should go to an assumption that you’re 100 percent compromised now with all this new stuff. And it’s natural. Nobody is a genius. We can’t figure out how to move a billion workers to home, to a new environment and a new way of access without expecting compromises. So assume compromise.
The question every CISO must be answering today is how can I secure my apps in a way where I don’t need to kind of live in a world where I have to list every detected threat and try to respond to that detected threat? How do I achieve that resiliency and self-defense? And one of the approaches would be to kind of build adaptive systems around your apps. Another approach is to kind of do deep analysis approach to it and basically say normal apps must behave this way. The minute an app starts behaving abnormally we need to raise an alarm and even raise a block.
I mean some of the stuff we have seen historically is unlike many other systems for security that are notorious for very high alarm rates. At least the logical approach that comes from understanding how an app is behaving and when it is going off-piste, so to speak, is an approach that actually results in a lot less false alarms and, in many benchmarks, zero false alarms. That sounds unrealistic but it actually makes a lot of sense. And we need to kind of move and start thinking about that world. How do we build these defense apps that don’t overwhelm us with false alarms and yet enable these apps to self-defend?
Protecting High Value Applications & Data
Rajiv Singh: Awesome. Thank you very much Usama. This question is for CTL. What kind of high value applications are enterprises trying to protect today if you could share your views on this?
Lakshmanan: Businesses today need to be more resilient and flexible and able to adapt to situations such as COVID. Every blink is a fertile hunting ground for cyber criminals. Reducing the attack surface is very important not only from a security and privacy perspective but also from a business continuity perspective. The opportunity to work from home exists today because of mobile computing, high-speed networks and collaboration solutions. The restraining factor for businesses is how, across the spectrum, to open up while keeping the legacy back end systems secure and protecting sensitive data?
They’re not just concerned as one of the previous speakers said about just web attacks. They need to protect the entire application stack end to end. Tech Mahindra and Virsec are collaborating on projects to protect all of the connected systems and applications during run time. So this is going to evolve. We are going to learn as we go forward and it’s going to be an interesting journey.
Rajiv Singh: Thank you very much CTL. Andy to you, your views please on this.
Andy Nallappan: Sure. No. I completely agree. We need to protect the entire stack, not just the web tier. ‘Cause now we know one of the abilities that every layer in the application tier or the database tier all the way down. But there’s three applications in mostly three areas now. One is the transaction systems where you do a critical business process, your order management, your customer support, your forecasting, your shipping, your logistics, all the things.
The second one is you know the data is the crown jewel of the company now, the decision making. A lot of companies invested money on AI collecting so much data and so many decisions. That is big money now. No? To protect those decision systems and AI, those systems.
And for us the third one, now very critical, is we build with IPs which is the crown jewel for us. Also customer IPs. We design products for our customers and the pipelines in the future. And also you work with the suppliers IPs with the fabs and the manufacturers. So we have three sets of IPs we need to protect. So those are the critical crown jewels for us. So these things we need to protect all the way from the entry through web tier all the way through to database and all, data, and the rest. So those are critical for us.
Importance of Runtime Protection
Rajiv Singh: Well, thank you. Thank you very much. So Atiq to you. Could you explain the importance of run time protection because we’ve been hearing about this and it would be interesting to know from you. And is this what a RASP does?
Atiq Raza: Well, RASP was intended to eventually do exactly that. I think at Virsec we have realized that vision. And I think as both Andy and Usama said, you have to think not only about how the attack is occurring but where the attack is aimed. And eventually the attack is aimed at data. And so apart from everything else, one of the things that Virsec achieves is also to monitor the SQL layer, the layer which lies above the structured data below. So the moment we see something that is touching it, an attempt that is coming, that’s the last stage particularly in the path of an application order in attack accessing it. So you come down the HTTP path, you go through the interpreter.
So if it has gone through the interpreter and it looks like something that was looking like data being entered but actually was code masquerading as data. And then eventually after the interpreter it actually touches the SQL layer. Then something is wrong or something is right. So at that point if it is an insider or an outsider, we can ask for a second factor or an end factor if two factors have already been exploited. And we can make sure that the data when it has been touched is protected. So that’s another layer of protection that Virsec provides because these attacks eventually as Andy was saying are aimed at where the assets reside which are of value whether it is intellectual property, whether it is money, whether it is customer information.
All of these are exposed across the entire industry now. Whether you go into pharmaceuticals, now you see we are putting restrictions on access to advanced pharmaceutical information. We are putting restrictions on access to advanced semiconductor information. Nation states that are being left out are trying to find ways in as well as insiders themselves see the value of such assets, whether it is money or whether it is data relating to industries.
Even in the governmental area and the defense infrastructure, there is far greater awareness of these attacks occurring. And basically FireEye monitors forensics and if you go and take a look at FireEye’s data, it has grown dramatically higher in the number of attacks that are occurring and the complexity of attacks that are occurring. And you can really hypnotize yourself looking at those attacks that are occurring on an ongoing basis. And they have increased dramatically during this COVID timeframe.
Rajiv Singh: It’s interesting because coincidentally, the NIST 853 security controls have been published, the new draft that’s been around for a while is coming some times. And do you see that this is directly addressing that as complying to that and actually is very timely? Do you think it’s a very timely kind of situation for the solution to be available to meet such kind of requirements?
Atiq Raza: Well, I think it’s late for NIST to recognize now. I mean Troels and Usama have been talking about it for a while. Andy became aware of it also a while ago. So I think it is about time that NIST wakes up and makes it a compliance requirement. When you take a look at all of the major attacks that have occurred over the last year that got past all the existing cyber security, there was a reason why they got past it all.
Rajiv Singh: Yeah.
Atiq Raza: For this exact reason, these cyber attacks don’t manage themselves until they are in runtime very close to execution.
Rajiv Singh: Very interesting. Very interesting. Thank you. So another question here with the complexity of applications, there’s been a big increase in vulnerabilities discovered. How do businesses keep up with this? And I’m very curious to know because I’m sure everybody understands the magnitude of this problem now. We’ve established that on this discussion. How would a business typically be able to keep up with this?
Atiq Raza: So the reason they’re happening is because there is a great desire for more and more applications. And the number of applications that are coming out is increasing dramatically. So how does an application get put together? There is a user interface which is normally in an interpreted language. And then there are basically the algorithms that do the hard work, the heavy lifting, and they’re in compiled code. So as these are put together, people pull a lot of these from existing libraries and those existing libraries have been sitting around for a long time. So they have innate vulnerabilities that are already there, and the number of new vulnerabilities as new algorithms are being added, particularly as AI becomes very heavily used in algorithmic analysis of data, which Usama knows everything about, is also going up dramatically.
As these are used, there is a fan-out effect into the applications of the number of vulnerabilities. And no matter what you do, new vulnerabilities will be coming out. That’s what you see in the NVD database and now all the new databases that are coming out from MITRE, etc. They show a constant increase of vulnerabilities day by day. So you have to have runtime protection for that reason, because no matter what vulnerability patching you do, tomorrow there are new ones.
Rajiv Singh: Yeah. And Usama, I would like to hear from you on this.
20,000 NIST Vulnerabilities
Usama Fayyad: Yeah. Look. You mentioned NIST and being late. Well, NIST today published 20,000 vulnerabilities per year. Right? Now think about the world. You’re a CISO and you’ve got this long list here.
By the way the root cause of it is application stacks are getting more complex, significantly more complex. And with complexity, you create all sorts of holes in all sorts of places where bad stuff can happen. How do you respond to it? Well, the traditional response has been let’s patch our systems. Let’s wait for that software maker to release a patch and let’s deploy the patch. The Verizon DBIR database basically says we have about six months expectation in terms of lag between a vulnerability being known and it being addressed through a patch.
Actually we have observed and Troels and I have been speaking for about five years now about the whole myth of the zero day vulnerability and the fact that we call it zero day. But that vulnerability has been sitting there probably for six to twelve months before even being known, i.e., bad stuff could be happening without you even realizing it. And then you’ve got the next six months. So that’s a year and a half window. I mean in Internet time, that is ages.
Think about six months ago, it was a different world. Right? Look at us today. So that kind of existence, I call it a mad existence. And this is why I mean early on I got very excited about companies like Virsec who actually take a different approach. We take an approach that says well, maybe it’s impossible to live in a reactive world, or too slow to live in a reactive world. How can we live in a proactive world where we at least know when something wrong is beginning to happen and catch it right when it begins to happen?
Atiq Raza: That’s a very important point that Usama just made. There is a library called new library for C which is used universally. Zero day which was when Google actually pointed out a vulnerability in that library. For eight years that vulnerability was there. That’s before zero day.
Rajiv Singh: It’s incredible. It’s incredible. And I think this area has become a challenge in many ways and I’m glad that we are addressing this at a time when it’s most needed to be.
So the other thing that I’d like to request Andy to tell us is what are the challenges in protecting the legacy applications that you see. Because I’m sure there’s a lot of legacy applications out there and how do you address them? How do you address the challenges keeping this in mind?
Andy Nallappan: Sure. One of the things is all the legacy applications right now, they are not going to go away. Right? We’ve been talking of the Internet having been there two decades. We’ve been talking about digital transformation for a decade. So what we’ve done is, using digital transformation, we’ve dressed up all the legacy applications nicely using the digital cover up so they’re easier to access. But the job is still running on those legacies. That’s how many companies are, including the home-grown applications or whatever. It’s not going to change.
The world has this perception that legacy applications, nobody is interested. Nobody is going to come after. Nobody knows what it is. That perception has to change because now you have exposed these applications to access outside your perimeter because your developers, everybody is going to sit outside to access the code which is hidden in your digital transformation order. So it’s important to do it. It’s very hard to keep the patching of the stuff because of the constraints of the legacy architecture. So it is putting the focus that saying hey, your legacy architecture can be targeted, can be easily hacked into as one, understand the order. And come up with ways to protect the data.
There are ways to do it. You need to harden the end point which access the code and have applications, solutions like Virsec do it, monitor at the processor levels, packet levels. So there are ways now to protect your code legacy. So the summary is you have to focus on these legacy applications are meant to be accessed within the firewall, the code architecture of them. Now that is not the case.
So change your security landscape for these applications, hardened from the entry point, entry devices to all the way to the end the processor levels, network levels. So that’s my view on how we should protect the legacy. Because it’s going to stay with us forever. We thrive on it. We have mainframe businesses that we like. So we want our customers to protect it because it’s going to stay forever.
Rajiv Singh: Absolutely. I think this is a challenge for a lot of organizations around the world. So Troels, what would be your advice to how to deal with this problem?
COVID on Top of Digital Crisis
Troels Oerting: Again, I don’t think there are simple solutions to be honest. I think this is a complex question and unfortunately cyber is one of the areas that we do not have simple solutions or one silver bullet. But what I think you can see is that we have a crisis inside the crisis so to say.
So we have COVID on top of another digital crisis. You’ve seen for the last three months that the majority of CISOs went through three stages of work. The first one was to stabilize what was going on. Then the second was to normalize. And now we are in the third stage where we are trying to optimize. We had to optimize much, much faster than we thought we should do because the world has changed. There’s dependency on this.
Why are we speaking now about this? Because we have need. Right? Nobody can meet so the dependency of the tools are extraordinary. Thirdly I think that everything will be connected. Everything will be sensing and everything will be intelligent in the future. And we will not go back to the days before COVID. This is the new normal guys, and this is what we have to address and what we have to also see if we can find a solution so we can also demand security, privacy, and integrity because these are key for building trust.
And one of the things that we need I think here is to give some kind of – instead of trying always to sell fear we are protecting hope. We are trying to say that we can help the good guys and actually achieve things with the Internet. We can do this with systems that are actually solutions that focus on what is happening during code execution instead of before and after.
This is what we see in Virsec because we talked about applications. I just looked into one of my old presentations showing that in the last four years we have built more applications than in the 40 years the Internet has existed. That simply gives you without any doubt the reason why we need to do something about this challenge. I don’t think it’s the only silver bullet but that’s a silver bullet you simply need to have. And that’s why I think it’s important that we have this discussion today.
Last let me say one thing is that sometimes I think we miss the discussion about how do we help the majority of companies which are not the size of Google and Microsoft. In Europe, 99.7 percent of all businesses are small medium enterprises with less than 250 employees. They are the backbone guys. They don’t have a SOC. They don’t have big CISOs with a huge payroll. They are ordinary guys just trying to survive. I think systems like the one that we are discussing today can actually help them without ripping them off. That’s also a way of helping the society to drive through this crisis and take full advantage of the digital transformation. Thank you.
Rajiv Singh: I think that’s a very interesting point that most nations today have small businesses which are actually the backbone of the economy. Almost every nation I would say. Not most, every nation. Isn’t there something with a kind of scale at which we’re dealing with this problem and a gap between capability and what’s expected to defend against the nature of this problem? Is this something you see as widening? And how does one really address it? Troels I mean your views really could help us.
Troels Oerting: I think that you will see that there will be a problem. I also see now during the COVID crisis that even though the CISOs see more vulnerabilities and a broader attack surface, the CFOs will tell them if they come with new requests to buzz off. You don’t get any money now. We are just trying simply to make the business survive to see if we have a business on the other side of this crisis and then you can come back. So I think really it’s also about how we prioritize, how we maybe create alliances where we share. I think sharing is caring. The bad guys are sharing a lot of intelligence. Why can we not do that and help each other?
Because this is the only way forward, guys. If we want to do this we cannot work in isolated silos repeating the work. We need to do this in a way where we can bring forward the best practices. So we are trying at the World Economic Forum to create these alliances where we share and then at least try to be where we should be.
We will never be able to deal with crime that originated from nation states. We will be for organized crime that are just trying to steal a dollar. They are not going to spend $2.00 to steal $1.00. They are trying to do that in the easiest way. So again if you have good cyber hygiene you’re actually well off.
Rajiv Singh: Do you see that there is a kind of a different trend in the way cyber crime is going to be looked at in the days to come?
Troels Oerting: The problem with cyber crime is that it’s risk-free crime. I’m a former police officer and I’m the first one who actually has to tell you that we’re not catching anybody, right? So criminals, they’re looking at three perimeters. They’re looking at profit investment and risk. And there is a low investment, high profit, and no risk here because we don’t arrest anybody.
We are the first and the only line of defense is actually the businesses until we find a way where we can work together with law enforcement. And with all the political tensions that we have, this is probably not going to happen in the next ten years. So we are back again with scratch. So we are back in the room and we need to find solutions that can help the businesses thrive and surge.
And the only thing we can do that is by utilizing let’s say the wisdom of the crowd to have events like this. This is a good tool. You should use this. This is a waste. This is where we should share. This is how we should do this. Usama and I talked about many, many times during the WannaCry. I had an organization where I could see that there were two patches coming from Microsoft, every day. So I just put them in the long road and I would patch them after six weeks.
But my intelligence guy said that the Shadow Brokers suddenly had uploaded EternalBlue and they were utilizing these patches so I knew I had to patch before it was weaponized. This knowledge I should have shared with others. We didn’t have a system for that. This is the second thing that we should have and then of course good tools and good heart and infrastructure.
Rajiv Singh: Do you see there will be a kind of a strengthening of sharing of intelligence given the kind of problem that we have right now and the learnings from the past? Do you see that is going to be more collaborative in the days to come?
Troels Oerting: I hope so. I think again the problem with sharing is trust. People don’t trust each other in our jobs. So you cannot have trust between 30,000 companies. You might be able to trust between 15. So it would be a number of smaller ones that you can do. You can have this sharing. But I think you will see that in all the meetings I’ve had I’ve never seen such an openness in these meetings that I hear about now. And when I get the summaries afterwards it is specifically what we should do together.
And this is what we should be afraid of. This is what we might not prioritize, this right now with the other thing. I see much more we’re in this boat together. Nobody else will help us so we have to do it. And I think that is also what we should promote in a way and then of course it will be done. Sometimes we’ll do well and sometimes we’ll do not so well. But I think that’s the way forward.
Rajiv Singh: Thank you very much Troels. Can we have some closing remarks here? We’ve had some excellent inputs come in and I’m thinking how much I gained today, learning from this wonderful panel. Request any of you to just take it up in your individual closing remarks please.
Lakshmanan: I’ll get started. We’re fortunate to be living at this time. I don’t mean COVID. We’re fortunate to be living at a time when digital technologies are sweeping the landscape. And in our businesses, earlier you had big projects and Andy alluded to it where he said spend $200 million. We’ll construct this Taj Mahal and it will produce fabulous results. Now no one has the patience or the time for it. And recently with one of the largest banks in North America we implemented a solution where a person could buy a $1.5 million home sitting on their porch and never having to visit a branch.
And what it meant was there was a free application bought on the Cloud but it had 26 different legacy integrations at the back end including with mainframes. It also interfaced with a third-party provider where you scan, you take a photograph of yourself and scan your driver’s license. It does 28 different fraud checks on you, right? And everything from filling an application in 30 minutes to fund disbursement in four days. And all this was done in 26 weeks.
I am turning back and saying if security gets compromised here, such great solutions that transform the way people live and work, people will start thinking twice. We all learned recently one of the large service providers at this May’s attack. And it’s really set the clock back for them. It can happen to everybody.
So I think the conversation we had today is very relevant. A lot of important points came out. And at the point where we believe in large transformations, you can’t have a vote on security. It has to be like the air we breathe. It has to be built-in, right? And so I think our transformation programs are based on a concept developed with our customers to bring in the right set and breed of technologies along with the people and the process for our customers specific to their environment. I enjoyed our conversation today and thank you everyone.
Q & A
Rajiv Singh: Thank you CTL. Thank you. Very helpful. There’s some audience questions. This is for Troels. Isn’t data the primary area that attackers are focused on today versus the applications?
In the Future, Hackers Will Pollute Data vs Encrypt It
Troels Oerting: I think that they have a number of focuses. I think you will see that applications will always be where you want to go, right? But you also have dependency. So you will see a revival I would guess of DDoS attacks in the future. Because they want to have an infliction of our ability just to use the Internet for communication, which we all are. So there will be a new attack vector. I also foresee that you will have an attack vector that we’ll look into. Right now, you encrypt data to blackmail companies. In the future, I think what you will do is you will pollute data instead of encrypting it.
And then you will send them ransomware and say you cannot trust your data and all your algorithms will fail because we have polluted your data. And do you want to take that bet or do you want to pay? And how do you make sure you haven’t gotten polluted? Again, that’s application security.
So I think there are a number of areas but they all seem to boil down to that you need to have basic security. Application security is one of them. And then you need to be a bit forward leaning and also consider how you will do them. I will then ask you to ask Usama about how will you then defend your data lake because he knows that data is the future. But how do you defend that part?
Usama: Yeah. And I think that’s a great point. Data is typically the final target. Apps are usually the gateway to get in.
So two things I want to remind everyone of. Number one is a lot of the meta data, a lot of the semantics to understand what the heck this data is, lives in those applications, are encoded in them, etcetera. So you have to protect both. And getting just the data by itself would create a very big puzzle for whoever stole that data to figure out what the heck this thing is.
The second part is I’ve been talking since I don’t know, my days at Yahoo in 2004. I insist on no data being persisted without being encrypted. How do you manage the whole key management problem, etcetera. And what blows my mind it’s now – I don’t know – almost 15 years later and most companies are still not doing these practices. Most companies are still not encrypting data at rest, not encrypting data in motion, getting sloppy about it, taking the shortcut. So this is a huge area that needs a lot of attention. It’s absolutely critical. The solutions are good. If you have very strong encryption with very good key management, you solve 60 to 70 percent of the problem. If you protect the apps, well, you solve the other 30 percent because you can’t get to that data.
Pandemic of False Alarms
In terms of a concluding thought, I just want to very quickly recollect in late 2014 when both Troels and I were sitting in Canary Wharf in that tall building. He comes up to my office and he walks in and he says, “Usama this is unsustainable. My guys are falling to their knees under these false alarms. What is going on? How do we fix this? You’re the data guy. What can we do here with AI or whatever?”
And what I’m saying here is, today if you thought false alarms were bad then — we do have a pandemic of data alarms today. False alarms, right? And the false alarms essentially make all your defenses useless because it’s basically Chicken Little saying the sky is falling.
So I learned a lot from Troels. And of course today I have much more to learn from him because he’s sitting in his global perch talking to 200 CISOs every week and having his hand on the pulse of what’s going on in security. But what I learned from him back then is as a policeman originally – as the guy who used to run Interpol. His intuitions were, ‘OK. Usama, you fix the technology side of it. Let’s build that data lake – we called it data fusion – that helps us reduce the false alarm rates and then helps the analysts, helps his SOC guys investigate very quickly to bring in the data.
But he also dragged me and dragged a whole bunch of banks who never worked with each other to create what he called the Cyber Data Alliance where they started sharing that data. That ability to share and mine what’s happening is important. Because if your neighbor is attacked, you’re next. You might feel good about it today. Guess what? Tomorrow your tide will recede.
So that approach of being pragmatic, of saying look, we will leverage the AI, we will leverage data and technology to reduce this pandemic of false alarm rates, is a big deal and we should think very hard about it. Because he would buy many, many expensive tools and all they would do is give him more and more false alarms. And then the team is just frozen.
Encryption and Keys
Atiq Raza: So there are two aspects. One I totally agree with Usama what he said that application is the gateway that is basically the road to the data. So encrypting the data will be extremely important. But if basically the keys themselves are stolen, then you have to know how to apprehend that possibility also because if it is an insider attack, that is possible. So the ability to actually look at what is happening at the core layer of the data and be able to alert the source in more than one way to verify that that source is legitimate is becoming very, very important.
Supporting Older Applications (32-Bit)
The second thing that Andy earlier mentioned and you mentioned also is that everything is interlaced with age. So you have legacy and modern data and applications all interlaced together. So we are discovering, even as we are basically interacting with the marketplace, that there are applications going back to 32-bit applications which have been retired by the original producers of those applications. But we still have to support them because they are being used. So we are doing that as we go along. And the way we avoid, at least in the case of Virsec, producing false alarms is that we actually do the apprehension of the attacks, not of the threats.
How you apprehend the attacks is when it manifests itself in the final stage. In compiled code when it is actually trying to go in a direction different from the original code that was actually intended to execute, we can detect it in runtime. And the second area is that the interpreted code, which is in all the web applications like Python and .NET and Java, they have to first go through an interpreter. Then from the interpreter, eventually they attack the application layer. And if they see it happening, we don’t need to actually alert everything for anything that looks anomalous and create a threat alarm. So the difference between an attack and a threat if that is differentiated, then that becomes very important to reduce the total number of false alarms.
Rajiv Singh: Absolutely. Absolutely. There’s a question from the audience here. This is for Andy. What security issues should C-level and boards be focused on during this crisis?
Andy Nallappan: So two things now. One is right now every company is trying to collect cash, right? They’re all after following up all these payments and collections order. There’s a lot of scams going on. And people are after getting into the conversation, trying to steal money. So focusing on making sure that your accounts payable, accounts receivable. That it’s all not getting phished or scammed. That’s one thing. They’re worried about it.
The second one is the whole disruption to the supply chain or customer support, which is critical. In many areas, demand is surging even though we have COVID-19 downturns there. We need to fulfill the orders then. So they are focused on those. We don’t need disruption from security perspective. And the third one is how do you protect the productivity of their employees there as well as the whole IP, no data leakage or whatever. So those are three areas they are focusing in.
What they’re expecting from IT leaders and CISOs is Hey, did you up the game on your monitoring? Are you monitoring enough that they’re catching it or looking at all this behavior risk? Behavior based risks, single sign-ons, multi-factors? They are focusing on those, either on the monitoring or keeping up with the patches there. So the end outcome is the one, which should protect the cash and protect your supply chains and fulfill the orders and protect your IT.
Rajiv Singh: And is this something that you see as kind of situation that’s manageable or this is getting harder and harder to manage for you?
Andy Nallappan: It depends each company. What’s their capacity, they have an access to the tools and technologies and expertise there. I’m sure they can go and get help from the partners to do it. And some of the things you can easily do. Some things it takes time to do. But it is possible. It’s not impossible. You just have to go out and think out of the box and reach out to the partners to help you. Because sometimes try to do it yourself and you can’t scale and you can’t get it done quickly.
Are Global Governments Cooperating?
Rajiv Singh: Ok. Thank you. Thank you. Another question here for Troels. Are global governments cooperating enough to address these issues that we are discussing?
Troels Oerting: The short answer is no they are not. And I think it’s getting worse. And I think we will also all be affected, unfortunately. This is what we see in the World Economic Forum now. You see a polarization of the world into two poles, the US and China and then everybody else must try to fit their place between these two. And that will have a huge impact on what we are doing because they are both very big in the digital space. So we are entering probably a new digital cold time. It might not be really a cold war but a cold time. And that will affect also our work and how we can develop our security.
So unfortunately I’m not optimistic about this. We will keep on fighting and I will try to get the right people around the table. We have been able to have Russian and Chinese and American and European police officers in the same room at least. But it’s an uphill work. We need to continue that understanding.
We should never accept, never accept crime against ordinary law-abiding people. That should be regardless if it’s a Chinese victim or American victim or Russian victim. We should not. What nation state does is a different matter. We can probably not deal with that, especially not now but at least we could look at the 80 percent of unwanted activity on the Internet that’s attributed to crime. But nobody does it right now so.
Rajiv Singh: Thank you. Thank you very much. So there’s another question here. Can we mandate product application security standards that companies must comply with similar to what’s being done with PCI compliance?
Atiq Raza: I would love it if that were the case because it would raise the awareness very rapidly. The NIST inclusion of RASP is an important first step. RASP so far has. Basically it stands for runtime application self-protection. It basically originally just comprehended one layer of application which was the web layer of application. But application consists also of compiled code. And we were the first company to come out and address both of them. So yes, the answer to that question.
Usama Fayyad: I think just a quick comment on this one coming from my experience with banking. Banks have their data systems and their data capabilities reporting, etcetera, broken for many decades. Their ability to manage capital was hampered for many decades because the data systems were wrong. Many manual approaches, all sorts of adjustments, right? Regulators actually forced the banks to revamp their data stacks, their approaches to capital reserves, their approaches to handling reporting and removing manual interventions. And that has resulted in much more robust organizations. I think that’s a great example.
And by the way when I was there we were all crying and complaining and the regulator is going to choke us to death, all of that stuff. It actually came up with some very regular requirements, very good requirements that ended up improving the business. I think cyber security, it is – I would use Atiq’s words, way too late. We need to do this with urgency. And I’m sure Troels would agree with that.
Troels Oerting: Yeah. I agree completely.
Rajiv Singh: Thank you. And there’s another question here. How should IT teams managing and patching apps be doing it, reporting remotely. How is it possible for them to do that?
Andy Nallappan: Let me take this one. There’s been no difference in patching applications whether you work from offices or work from home. No. You should do the same kind of patching work. One of the things is end devices. Many companies with the PC patching, they require that you need to be within the firewall or with the network to patch it. Now it’s available through the Internet for you to patch. I mean we’re more focused on patching right now. Now I know some of the applications you may not be able to patch them at the legacy site. But all other ones, there’s no difference. There should be more focus on it. Every constraint, every challenge should have a positive outcome too.
But one thing about this COVID-19 is it not only increases the awareness, it also increases the value for the IT and security. People used to feel like security is a roadblock. It’s a friction. It’s a complicator. Patching, it’s a tough one to do it. Now people are like not charging you for it. They want to do it. That’s a good thing. So we should do it. We should figure out a way to enable it. Basically you have to enable a team to patch it remotely. It is not rocket science so it’s easy. It’s just your policy, your mindset, your culture. That’s all it is. A lot of people say you cannot do it. If you have the aptitude, you can do it. It’s critical is my view.
Rajiv Singh: That’s great. Any advice? Any closing remarks Atiq?
Atiq Raza: I think the whole panel has covered a whole range of what is happening, what they’re facing. I think you pointed out that there should be much greater awareness. There’s still in cyber security what I see as a bimodal distribution of awareness. Either there is low awareness or very high awareness. I am hoping that the two modes actually merge and there is uniform awareness across the industry.
Rajiv Singh: Yeah, yeah. Uniformity is always going to be a challenge. How do you get that reform? Each one is trying to do his own way and from his own experiences. Yes. Andy, any closing remarks?
Andy Nallappan: I think one of the things is what we realized, the whole network was the weakest link. Corporate never bothered about it. I used to tell my people that when they called and said we don’t support your home network. It’s up to you. You have to fix it.
Now I’ve changed. COVID-19 came and I told my team. No, you cannot say that we don’t support it. Help them. Educate them how to protect it, how to improve the performance, how to secure it. So the home now has security awareness. It is the big thing around the COVID-19 which is critical. It’s important. I think all the corporations have to spend enough effort and time to help the employees to protect their home network which will eventually help all of us. That’s my view.
Lakshmanan: And so if I ask Andy how do you do that because employees all over the globe that they will be using different sets of routers. Is there any standard mandate that you’ve given which reaches everybody? How have you attacked that problem?
Andy Nallappan: It’s a journey. It’s going to evolve. Everybody is talking about it. That’s a good thing. Right? Now can we have a standard? It’s going to be hard. Right? It’s like a cell phone, right? There’s so many providers, so many devices, so many routers. But we want to come up with a policy, come up with guidance or even recommendations.
Who is best in your area and who gives you the better protection. Some of the tools, even Symantec tools. We sell to some of our telco providers. They give product services order. That’s why we want to give guidelines, policies. Choose a vendor who has all these checkmarks. Then you’re protected. Not only get better performance, better security.
That’s why we think that we all have to come up with by country, have a policy to choose the right one. People go for cheap and lower cost and they compromise all of this. So I say hey. Now it’s part of working from home, it’s part of your job. It’s important to protect your home network.
What kind of outreach you have, what kind of services you have, what kind of any protection. If there’s a protection at router level it’s much better than the protection on the device level. So those are the educations. Education, policy, recommendation guidelines.
COVID Is Raising Security Awareness
Troels Oerting: I think I would conclude if I may that from my point of view the good thing about the COVID has been that the recognition of the IT and security guys have reached another positive level. Everybody sees now in the companies that you need them around to make the business wheels still spinning. And I also think that everybody realizes that we cannot, on top of this virus, have another computer virus into our companies. So trust will be a competitive differentiator for the future.
And we all need to work together to minimize the threats towards trust. And one of these things is to work together and then have the right tools for the right solutions. And then I think we’re in business. And then I will stay and remain optimistic even though sometimes it is a difficult task in this world to continue to be optimistic. I’m a born optimist and I will also be that tomorrow. And humanity will survive the incident.
Usama Fayyad: Going against trolls in the show Game of Thrones, they talk about winter is coming. I would like to add by saying winter is here and a new way of life is needed. We need to adjust how we think about security, what is the perimeter, how do we protect our apps. It’s a new way of working and we must secure the IT infrastructure because now it’s essential for business more than ever.
Atiq Raza: So the last thing I can say is one of the things Virsec has been focused on is basically detecting and protecting at the last minute even in the presence of vulnerabilities. That is not to say don’t patch vulnerabilities because that would be an impossible task. But we avoid the exploitation of vulnerability, the equivalent of virtual patching. And that enables basic safety to be provided.
Rajiv Singh: Yeah.
Troels Oerting: We will prevail. No worries.
Rajiv Singh: Thank you very much. And if there’s any other questions, any last thoughts before we wind up. I think we’re close to the hour.
Troels Oerting: Thank you for organizing this. This was a very useful discussion. I took many notes and I will do some postings afterwards.
Usama Fayyad: Thank you so much for your time.
Rajiv Singh: Thank you very much. My pleasure meeting you all.
Atiq Raza: Thank you.
Andy Nallappan: Was a good discussion. Thank you all. Really enjoyed being part of the panel and talking to all of you. Thank you.
Lakshmanan: Thank you for running it.