How the pandemic impacted cybersecurity with Sashank Dara

Kevin Montalbo

Welcome to Episode 50 of the Coding Over Cocktails podcast. My name is Kevin Montalbo and joining us from Sydney, Australia is Toro Cloud CEO and founder, David Brown. Good day David!

David Brown

Hi, Kevin!

Kevin Montalbo

All right. Our guest for this episode is a seasoned cybersecurity technologist and expert, with over 18 years of extensive experience in cybersecurity R&D. He got his PhD in cybersecurity from the International Institute of Information Technology - Bangalore in applied cryptography and threat intelligence. He is co-inventor of five U.S. patents (and 3 IETF drafts) in the areas of cloud, Sashank DaraN, and NFV security. He’s also the author for several REST API Security liveProjects for Manning, which we’ll be having a giveaway of on our Toro Cloud Twitter account, so make sure to stick around for that.

Joining us today for a round of cocktails is Dr. Sashank Dara. Hi Sashank, great to have you on the show!

Sashank Dara

Hi Kevin! Hi David! My pleasure.

David Brown

It’s nice to have you join us. Thank you for joining us today! Let's jump straight into it. We all know that cyberattacks have been increasing in their frequency and sophistication. Do you have any statistics on what it's costing organisations on a global basis?

Sashank Dara

Yeah. So, it's quite unfortunate to see that the cyberattacks can be devastating for organisations. And fortunately, we are having more data points of late to emphasise the need and spread awareness. So, in a recent study, the average total cost of a data breach increased by nearly 10% to 4.24 million - the highest ever recorded. 

David Brown

Wow. And that’s the average cost for an organisation?

Sashank Dara

Yes, that's an average cost. And see the aftermath;  60% of the small companies closed within six months of being hacked. Now the first order is the monetary loss. The second order is the number of people losing jobs. 

David Brown

So, obviously with a cost like that, as you say, many small businesses wouldn't be able to deal with such a significant cost. People are losing their jobs. That's costing an average of $4 million dollars for a cyberattack. So, we must be talking about many billions of dollars per annum on a global basis.  The transition to remote working and the challenges associated with doing business during COVID, did that increase or reduce an organisation's exposure to cyberattacks?

Sashank Dara

...cloud security is a shared responsibility model.

Definitely, transitioning to remote working has increased exposure to cyberattacks. So, let's take a brief pause here and understand what the remote working challenges are, then we can get to the impact on the organisation due to cyberattacks. So, when overnight the lockdowns happened, then IT teams had numerous challenges in transforming their work practices to remote working. Employees had to work with any device to set their home, meaning lesser or no controls before the IT teams could procure and send their new laptops or desktops so that they can work remotely from their homes. 

And certainly IT teams had to expose their internal networks, internal applications over public internet that were otherwise well protected within their corporate network. This is why very poor region configurations are by our cloud services and the like, right? So services that are never exposed before are suddenly exposed to the internet with mediocre or poor confrontations. And the third point is the haphazard eruption of cloud services. Everyone wants to move to the cloud because of these transformations in the overall environment with little or no expertise. 

This resulted in numerous misconfigurations. Right? So, the myth is that the cloud is secure. But the reality or the fact is cloud security is a shared responsibility model, where the organisations adopting the cloud are also equally responsible for the services they're using. 

David Brown

And of course that's a good point because we use public cloud providers ourselves at Toro and the networking and configuration thereof is largely your responsibility. So, they provide the infrastructure-as-a-service. But the way you configure that service is totally up to you. So, you're seeing that a lot of people don't have the expertise to configure those services and resulting in security vulnerabilities in the applications they're deploying to the cloud.

Sashank Dara

Absolutely. And there's a fourth important point here: pandemic phishing campaigns. People are under extreme pressure due to the pandemic itself and the moment you see campaigns related to donations, campaigns related to fake news, campaigns related to something that happened due to the pandemic in the context of deploying phishing campaigns. So, already people are emotionally charged up due to this pandemic and they're gullible to clicking more URLs that they should not be opening at all. 

So, due to these factors, remote working due to the pandemic also impacted the speed of response. What happens in case of an attack? How do IT teams remotely respond to such attacks? This increases the time to identify and contain the data breaches. At organisations with greater than 50% remote work adoption, it took an average of 300 days to identify and contain the breach.

David Brown

300 days?

Sashank Dara

300 days.

David Brown

Wow. The issue was long gone after 300 days.

Sashank Dara

Absolutely! And you can see the gravity of the situation here. Even the people are impacted. The workforce. IT teams that are working around the clock to upkeep the systems that are impacted due to the pandemic. So, all this has a compounding effect on identifying and containing a data breach. 

David Brown

Yeah, that makes a lot of sense. I guess the IT teams weren't prepared to deal with these kinds of situations with remote working and as you say, accessing their data over public networks and remote VPN connections and those devices which they didn't have control of. People are using their own computers and laptops. Has maturity grown since then? Are you finding that the IT teams are now better equipped to deal with these situations? 

Sashank Dara

So I would say both yes and no. Yes, because in the last one and a half years, there are definitely a lot of lessons learned. Almost every organisation's business continuity plans, disaster recovery plans, remote working plans are being tested to the maximum. Okay? But smaller and medium organisations who cannot put effort into such a business continuity, disaster recovery kind of infrastructure, they needed to reinvent themselves, innovate how they can continue their businesses despite these harsh conditions. 

David Brown

So, what are the most common challenges that companies are facing today with cybersecurity? Is there any particular style of attack which they're facing?

Sashank Dara

Okay, so modern attacks in general, under normal situations are quite hard. Defense is quite hard. On top of it, the way modern businesses are operating, say things like remote or hybrid working, hybrid working makes it much more complex by the way. Remote working has its challenges but hybrid working has much more complexity in order to protect [against] hackers on the cloud. Lack of expertise makes all these things much more complex. 

So securing IT infrastructure from cyberattacks, things like how do I control all these assets? How do you know which is a complete asset, whether it is a software asset or hardware asset? How do I identify their cyber hygiene? As we said, things like the laptops and desktops at home also immediately got connected to the internet and started being used for work. How do we know the hygiene of those systems? How do we  identify these gaps and risks on a continuous basis? How do we ensure that adequate controls are there? How do we prioritise? So, all these are the challenges.

David Brown

Where are the attacks coming from though? Are they coming from  vulnerabilities in firewalls? Is it coming from security vulnerabilities in these devices which are coming inside the internal networks through that hybrid working environment, these phishing attacks? Where are we seeing the majority of these attacks?

Sashank Dara

So let me put this into two broad categories. Okay, the first category are the bad people continuously scanning the entire internet. Attackers trying to see where the loophole is, whether there are any insecure versions of softwares being exposed, whether there are any remote desktop protocols being exposed or whether there are poorly configured services being exposed. And you know, this set of people who are counting this list are kind of trying to find the weak points in an infrastructure. 

The other set of people are targeted attacks. These are very, very difficult to combat. The targeted attacks understand they don't go after everyone. They have a limited set of organisation types or industry types they want to go after. Right? For example, they find loopholes in healthcare systems. They know that healthcare systems are vulnerable due to the pandemic or the power sector or the public infrastructure, the government infrastructure. 

They are targeting such sectors and going after them to identify who the people working there are, what kind of roles they are. Can we do spear phishing targeted emails to them? Either pandemic or non-pandemic change. Because there's a lot of new age attacks on social engineering and especially targeting people like, say, CEO fraud or business email compromise and these kinds of things. These are attacking the human minds and the gullibility of people in order to get into their networks. So, those are the two broad things. And both are equally dangerous. 

David Brown

I'd like to talk about the management within an organisation and how we're dealing with cyberattacks from the management and board perspective for that matter. Start off with the Chief Information Security Officer, what's the role of this position?

Sashank Dara

So, “the see-so or the sigh-so”, depending where you are in the world, the Chief Information Security Officer is an executive responsible for the organisation's overall information and data security. It's a senior role that needs both technical and business sentiment and he or she has different responsibilities. But I would say it's a very senior position who will try to bridge the gap with the C-suite executives and board members and downstream with the IT teams, ensuring the overall cybersecurity of the organisation. 

Okay, so the CISO has different responsibilities, like the cyber risk and cyber intelligence, to keep abreast of the developing security threats, helping the board understand potential security problems that may arise from other acquisitions or big business moves and the overall security architecture and operations. It could be planning, buying, rolling out security, hardware, software, making sure the IT network infrastructure is designed with best security practices in mind. 

The security program management and governments, for example, keeping ahead of security needs by implementing the programs and projects that mitigate these risks and ensuring the compliances, the regional and global regulatory compliance from a cyber perspective are being adhered to. So these are different responsibilities of CISOs.

David Brown

And you mentioned that the CISO is either reporting to senior management and or potentially the board. So, these topics are increasingly being discussed at the board level. How are boards getting involved in cyber risk management?

Sashank Dara

...in the last few years especially, cyber risk management became an essential in the overall enterprise risk management for organisations.

That's a very good question. So, on one hand there is a rise of cyber attacks and subsequent losses. On the other hand, the board needs to understand whether their organisation can get attacked as well. So, in the last few years especially, cyber risk management became an essential in the overall enterprise risk management for organisations. And the board is more interested to know, “Is our organisation cyber resilient? Are the cyber practices fully aligned without risk appetite?” That's very important to see, because each organisation has an appetite of how much risk they can take and how much investments they can make in the cyber. 

And are we planning and forecasting appropriately for that particular sector? That's again very important, that in their sector, are they able to forecast appropriately? And what's the biggest cyber attack? Is it external? Is it the nation-state attackers? Is it random attackers on the internet, or is it from the internal – insiders, depending upon their industry type? And the nature of the business, the threats vary. The degree of the impact varies. So, these are a couple of questions that they will be interested to know from the C-suite executives and the CISO’s role is to provide these data points to the board.

David Brown

Can you share with us some of the key risk management pillars that IT security teams alongside the board should have in mind when it comes to cyber security? 

Sashank Dara

Okay, so as I say, the cyber defense is hard but let me break it down into four simple pieces so that teams can understand. What are those risk management pillars? So, it all boils down to four steps. First, you need to identify what are all assets that have been used to conduct business. It could be office given assets, it could be laptops, desktops, servers, business services in the cloud, on premise, whether there are personal devices where you know the phones and things like that. Because if you don't understand our asset landscape, we cannot protect. We don't know what to protect. So, asset management and classification. So, once we identify these assets, in the same step we need to classify them as to how important these assets [are] and what kind of data or what kind of the services they are. Does it have customer data? Does it have intellectual property? Does it have financial data and such? 

So, the asset management classification is the first bucket. I would say the first pillar is asset management classification. The second pillar is identifying the cyber hygiene of these assets, like continuous assessments. What are these assets like? What do they run? What are the operating systems? What are the packages, libraries? Are there any gaps in the configurations? Are there any known weaknesses? And what are the risks that are managed from such gaps? So, identifying cyber hygiene is important. 

The third one and the toughest one is prioritise, prioritise and prioritise. Obviously with the given time, resources, energies and mental banquet and resource banquet, we can only address a few of such gaps. Now, in those fewer ones, how do we get to the first top 10% or 20% of the issues that we need to prioritise and solve? So, that's that's very complex piece. But there are recent advances and we can use advanced technology to prioritise. 

And the fourth one is how ready we are, how fast we can act, whether it is regulation, whether it is response to those risks that we have identified. So, to summarize, the four pillars are asset management and classification; identifying the cyber hygiene of these assets; prioritising these gaps; remediation and response for the vulnerabilities. So,I would say these are the four important pillars for the continuous management of IT risks.

David Brown

It's interesting because you didn't mention, for example, human process. So I understand that some of the large scale attacks we've had recently have been where they've got an employee to click on some email, a phishing email for example, and they've given away a password and provide, unknowingly, access to some internal systems for a data breach. So, how important is education and the business process within the organisation?

Sashank Dara

It's a combination of people, process, technology that will enable all these four pillars to work efficiently.

That's a very good question. So, these four pillars which I have just mentioned cannot be solved with technology alone. Okay? We need to have the right people, awareness. You need to have the right processes in place and the right technology. It's a combination of people, process, technology that will enable all these four pillars to work efficiently. 

David Brown

Right, that makes sense. So, what are the challenges associated with distributed networks, remote working? The expectation that customers and business partners have, this real time access to data, I'm imagining that there's so much data flowing in and out of the organisation through these remote workers and business partners and customers. We would need to use automation to create some sort of prioritised list and response to these, to these risk events. So, how can we manage and mitigate risk through automation?

Sashank Dara

So as you said, the faster the IT teams can respond and remediate the vulnerabilities, the more likely that it reduces the impact of cyberattacks. So, that's where automation plays a very, very important role. Now, if you break things down, there are [things that can be] fully automated, there [are things that] can be semi-automated. There [are things that] can be manual. These are the three buckets I would think of when it comes to automation. 

Okay, so both fully automated and semi automated ways, for example, how do we automatically push policies? How do we back systems? How do we alter certain rules? How do we isolate certain devices? How do we push firewall rules? All these come under this bucket of automation needs. So whether it needs integrating with the existing controls, whether it is building those glue components that can interact with different components or even getting or buying the products that have APIs exposed, for example, it becomes very, very important to take a strategic decision for their IT teams to buy or purchase products that are integratable with the ecosystem rather than silos and rocks.

With that said, we can automate only the tactical issues. We have to be very, very clear here. Only the tactical issues like patent systems and pushing policies can be automated but strategy gaps will still be manual. That needs careful thinking, planning and executing strategic mitigations and strategy controls and while planning for automation, it's very, very important for the businesses to avoid business disruption. The security team says, “Hey, block this part because it is insecure.” Now the IT teams can go and block it but there could be a business disruption saying, “Hey there's an ecommerce service that is earning revenue, it is currently blocked.” 

So, care should be taken that in case of business disruption, there should be enough pulling, that we have necessary measures in place to roll them back as built, understand what is the strategic measure there. Maybe move to a more secure service and things like that and then roll it back. So, automation is key. Both semi automated [and] fully automated measures are needed and in case something goes wrong, you know? To have measures to roll them back as well and redeploy them with a better approach. Hope this helps.

David Brown

Well, as I understand it, you co-founded a company called Seconize a few years ago and you're building next generation systems for automated, intelligent IT risk and compliance management. So, can you run us through some of the specifics a solution like yours would help facilitate this?

Sashank Dara

Yeah, so thanks for asking that. So, when we started the startup Seconize, there were numerous problems especially in managing these IT risks. There were point products, a lot of data flowing in and there's no way for the customers and organisations to put them all in some context and understand what it is like and get the big picture. That is where the four pillars I just described a couple of minutes ago… We, as a startup, were building cutting edge algorithms and a SaaS solution - a super simplified SaaS solution, the software-as-a-service solution to automate as much as possible from identifying the gaps, contextualising them and prioritising them and auto remediating them as well.

So, it's a full suite with respect to which assets they are managing. Before us, there were point products like, say, app risk identification or mobile app risk identification or cloud risk identification but that's simply overwhelming for the users in order to stitch it all together. Right now, we are pioneers in the space in building the holistic platform for both automating the IT risk management and also adhering to global and regional compliances.

David Brown

It sounds like you're right at the edge where companies need you most with an average cost of four million dollars a year. I wish you well. I know you are doing well and I wish you well in your endeavors at Seconize. Sashank, thank you for joining us today. How can the people listening to our podcast follow you on social media and the blog that you write?

Sashank Dara

So yeah, I'm on Linkedin and Twitter, the same name. So, there are no pseudonyms that I use on the internet so it's easy for you to find.

David Brown

So on Twitter and LinkedIn, it’s “Sashank Dara.”

Sashank Dara

Yeah, it’s “Sashank Dara.” So, I'm just a few clicks away if you want to follow, catch up, have these interesting conversations being in this domain for a while. So, I'm extremely passionate about this. So, feel free to reach out. I'll be happy to share my knowledge and learn from you as well.

David Brown

And your publisher, Manning, has generously offered us to give away some of your guides that you've written with them. So, for the listeners we will be promoting those on our social media thereafter. Sashanlk, thank you for your time today.

Sashank Dara

Thank you very much, David and Kevin. I really enjoyed the discussion.