Hi, good morning, good afternoon. Welcome to our webinar today. I'm John Tolbert, Director of Cyber Security Research here at KuppingerCole. And today I'm joined by Dirk Wahlefeld, who's Head of Pre-Sales at CYFIRMA.
Welcome, Dirk. Hi, John. Just a quick view.
Yeah, welcome from my end as well. Looking forward to this, I hope, very informative session today, and hopefully we can share some good insights.
Yes, our topic today is on Maximizing Cyber Security Investments During Economically Turbulent Times. I think we can all agree times are quite turbulent. But before we begin, a little bit of logistics information. Everybody's muted centrally. There's no need to mute or unmute yourself. We will be doing a couple of polls during the session this morning, and then we will take a look at the results of those polls during the Q&A session at the end, which we will have a Q&A session at the end.
And if you have a question, there is a control panel for GoToWebinar, and there's questions blank, and you can type those questions in at any time, and we will take them at the end. Lastly, we're recording this, so both the recording and the slides should be available in the next day or two. So I'm gonna start off and talk about, you know, a little bit of background on the current cyber threat landscape and the need to shift back to looking at prevention in some cases. And we'll also look at the MITRE ATT&CK Framework.
Then I'll turn it over to Dirk, and then we'll take the Q&As after the poll results. So what does the current cyber threat landscape include?
Well, all sorts of things, most of which you've probably heard about in some form or another, and whether it be ransomware, different kinds of cybercrime, fraud, data breaches that involve PII or intellectual property trade secret theft. So ransomware, that's been in the news for years now and continues to be a, you know, something that we hear about, something that we definitely don't want to happen to us.
You know, when you think back on the history of ransomware, yes, it's been around for quite a while. You know, some of the biggest attacks that started, you know, in 2016, 2017, you know, that spread across multiple industries.
You know, they've locked computers, they encrypted drives, they encrypted, you know, network shares, which was, you know, a big difference from, you know, how it started out with, you know, going after individuals. But I think the cybercriminals realized there was more money to be made by attacking organizations, and that's what they did.
But, you know, we've seen a change of tactics too, where it used to be screen lockers, then encryption, you know, still happens, but there've also been some, I don't want to use the word innovation with cybercrime, but, you know, they've also done things like create destructive wipers, which kind of look like ransomware, but they're not really trying to extort money from an organization. But they do, in many cases, render organizations' computing assets inoperable. There've also been cases where, instead of encrypting, they just steal information and threaten to leak it.
That's a more recent development in the last couple of years. So, you know, ransomware is a big rubric, but there's lots of different tactics and procedures that are used under that.
And, you know, they're targeting all sorts of workers, and unfortunately, we've heard a lot about hospitals, healthcare providers that have been hit very hard over the last couple of years. Same thing with state and local government agencies and small to medium-sized businesses. I remember five, 10 years ago, people in SMEs thinking, well, you know, we're not big enough to attract the attention of cybercriminals.
Well, every organization is a target today, regardless of industry. And, you know, ransomware can affect more than just a single organization. There have been a couple of high-profile attacks from a couple of years back, like Colonial Pipeline, where, you know, technically they said it didn't actually enter their operational technology environment. It was contained within the IT system.
But, you know, out of an abundance of caution, that shut down the pipeline for, you know, close to a week, I think it was. And that, you know, supplied fuel to a large part of the US, which had follow-on effects to the broader economy.
So, you know, ransomware does not necessarily contain itself to the initial target organization. You know, we've also seen attacks against the software supply chain, where, you know, downstream members of the software supply chain have become infected because of, you know, a supplier. So ransomware definitely has a potential for spillover well beyond the initial target.
So, cybercrime, breaches, and data thefts. Again, just about any kind of organization can be targeted.
Obviously, finance banks are, you know, highly targeted for cybercrime because that's where the money is. But when we noticed in the, like, during the pandemic, government agencies were often targeted as well. Those that were providing some sort of economic assistance or unemployment, they were hit hard by cybercrime. Employment, they were hit with tons and tons of fraud. Same thing for, like, mobile network operators, travel and hospitality, gaming.
And then, as I mentioned already, you know, healthcare providers and insurance companies. So cybercrime, and of course, individuals as well. But cybercrime has been, you know, on the rise for years and years.
And again, we've seen innovation and techniques there as well. You know, when you think about data breaches, there have been, you know, a couple of attacks against social media providers where lots of personal information was acquired by fraudsters.
You know, some of these data breaches have been over 100 million user records each, up to a billion, which is significant. And, you know, there are many statistics that talk about cybercrime, depending on which agency or collecting organization there is, but it's clear that cybercrime takes billions and billions out of the global economy every year. So last year, Allianz ran a survey about what are the top concerns that executives have with regard to cyber threats. And not surprisingly, ransomware and data breaches topped the list. And I think it's a very valid concern.
So with that in mind, I'd like to ask you, what types of cyber attacks are you most concerned about? Is it ransomware? Is it software supply chain? CEO fraud or business email compromise?
I mean, phishing, spear phishing are very, very prominent vectors that are used still today. Is it the loss of intellectual property? Or data breaches that might involve the loss of data? Or loss of PII, which, you know, could result in fines as well as reputation damage. So we'll give you a few seconds to fill in the poll here.
So yeah, okay. Well, thank you. We'll take a look at that again, as I said at the end. So now let's look at MITRE ATT&CK. MITRE ATT&CK is a framework for how to conceptualize the different tactics, techniques, and procedures that attackers use when conducting some sort of attack.
You know, the MITRE ATT&CK framework, full details are on their website, that the header is a link to the MITRE ATT&CK framework. Feel free to take a look at that.
You know, I break this up into the prevention and detection phases with a little overlap with, you know, reconnaissance here. But, you know, when you look at these phases, you've got recon, you know, this is trying to gather intelligence on targets or potential targets. Resource development, that might be understanding how an organization might be exploited and developing an exploit or buying an exploit if an attacker needs to do that. Initial access is getting into that environment. It could be, you know, a VPN account or some other unsecured remote access.
Execution, often this involves malware still. This is, malware is useful by cyber criminals to take over machines. Once they do that, they want to persist. They want to keep that foothold. They also need to escalate privileges because user accounts, hopefully if you design your IAM system right, regular user accounts shouldn't allow too much access, but privileged accounts, service accounts, those are the keys to the kingdom. So privilege escalation needs to happen for an attack to be successful. And they do that to be able to evade defenses.
Turn off anti-malware, delete logs, cover up the tracks. They can also use credential access for other machines. Then they'll want to go look for data, decide what it is that they want to exfiltrate. Lateral movement, of course, is involved to be able to search all the relevant machines or images in an organization. Then they collect that information into some staging point, do the C2, and then exfiltrate, take it out, and then impact.
You know, there have been cases that, again, kind of masquerade as ransomware, but it could have been an APT operation where the cyber criminals intended to steal the information anyway and then detonate ransomware when they leave to kind of throw the investigators off the trail. So what I did in the second half of the chart is try to list some typical tools. It's certainly not an all-inclusive list, but different kinds of tools that could help with each phase. So on the reconnaissance side, we see things like ASM, attack surface management. I'll talk more about that in a minute.
Secure IAM, identity and access management. Email security, both of those are important for both the reconnaissance and the resource development and initial access phases, being able to prevent attackers from actually getting in and taking over an account in the first place. We always also recommend multi-factor authentication. It's a good way, especially for, you know, remote access accounts, VPNs, things like that. MFA is an absolute must these days.
You know, that falls under, you know, the broader category of zero-trust network access, the principle of least privilege. You know, always verify, properly authenticate and authorize access to any resource inside an organization. So zero-trust and MFA are good ways to help prevent that. ASM and endpoint protection, detection and response. EPDR typically is, you know, predicated mostly on anti-malware plus other functions to help prevent the execution of malware.
And, you know, through the rest of the chart, we see a lot of the DR tools, these are the detection and response tools. Endpoint protection, detection and response, that is endpoint security plus EDR, NDR, network detection and response, XDR, extended.
That's, you know, including endpoint network and some other cloud-related functions. So those things are, again, are focused on detection and response, which are needed for most of the rest of the different TTPs that you see across the attack chain here. But for privilege management, you know, privilege management can help deflect times when privilege escalation is happening, as can endpoint privilege management.
ITDR, kind of a new class, you know, identity threat detection and response. And then on the data side and exfiltration prevention, we see things like data leakage or data loss prevention tools that can, you know, do asset-level tagging and prevent exfiltration either via, you know, the internet, mail, or even onto, like, USB drives. CASB is useful for similar functions for cloud products. And then lastly here, you know, really want to prevent the exfiltration, again, EPDR, NDR, XDR, DLP kinds of products. And then to mitigate that impact, there's disaster recovery and business continuity.
So those are kind of a high-level look at, you know, where I think some of the tools, again, this is not a complete list of tools that make up a security architecture, but thinking about how they align to MITRE ATT&CK. So we have thought a lot in recent years about detection and response.
You know, we don't want to lose sight of the fact that prevention is very useful. It's often better to prevent an attack than to have to detect and respond to it.
So, you know, when you think about security, the first tools that, you know, came into existence in the cybersecurity field years ago were things like antivirus and firewalls, and they were explicitly designed for prevention. But as cyberattacks became more successful, you look at sort of an acknowledgment that attacks happen because the attackers learned how to circumvent some of the prevention tools.
It became an increasing emphasis in industry to develop those detection and response tools, which are incredibly important, and I would, you know, recommend those heartily to every organization out there because we need them. But we also need to keep an eye on prevention.
So this lets me introduce attack surface management, which is sort of a next-generation approach to attack prevention that goes a little further out, a little bit earlier in the stage, to be able to not only do things like vulnerability assessments and monitoring, but collecting cyberintelligence and also looking at dark web monitoring and helping organizations put the big picture together. So both prevention and detection are really necessary to help deter cyberattacks. So attack surface management, I think there are at least eight major functions that they should have.
First up, asset discovery and classification because you can't protect what you don't know you have. And that means also being able to monitor all devices, including IoT devices. IoT devices have become commoditized, and many organizations use different kinds of sensors and things, you know, within their enterprises. There's the monitoring of the dark web for both, let's say, trade secrets and IP as well as leaked PII. We need to be able to do continuous vulnerability assessments.
You know, the idea of doing some sort of pen test or vulnerability assessment, like annually or semi-annually, you just get too far out of date with that. It needs to be much more regular, continuous. Then there's compliance monitoring for various regulatory schemes as well as company security policies. All this information should be able to be analyzed automatically and then be able to present that information to SOCs, security management, and executives in a way that's tailored for each use. And then ASM, lastly, should be able to integrate with the rest of your IT infrastructure.
So I think these are, you know, not in a, they're numbered, but not in any real priority order. These are things that can help, you know, be part of a good overall security architecture.
ASM, attack surface management. EPDR, again, this is, you know, mostly thought of as endpoint protection, plus the DR, you know, the anti-malware, plus, you know, application controls, URL filtering, and other, you know, detection and response capabilities. Zero-trust architecture. We've talked about MFA, multi-factor authentication, proper authorization for each resource access. Device posture checks, making sure that all the devices that want to connect to your network or your applications, you know, are properly secured themselves. Are they patched? Do they have anti-malware EPDR clients?
You can write security policies based on that. Data level security, because data is often what they're really after, so you've got to secure not only the network, the application, the endpoint, but the data itself. Privilege management. Email gateways, web gateways.
Again, so many threats come in via email, still phishing, spear phishing, or other web-based threats. These are really critical parts of most organizations' security architectures.
So, second poll, what do you find to be the three biggest challenges in implementing cybersecurity? Is it budget or lack thereof? Do you see that, you know, departments within your organization are siloed, meaning, you know, maybe you have centralized security policies, but there are maybe departments that feel like they operate independently or, you know, that you may have a difficulty in spreading the budget around? Is it the skill shortage, or do you have too many tools and find it difficult to manage a lot of different cybersecurity tools? And lastly, stakeholder management.
Do you have the involvement of executives? So, we'll give you a few seconds here to go through.
Again, the three biggest challenges is the budget, siloed organizations, the skill shortage, too many other tools to manage, or stakeholder management. Okay.
So, just a reminder, if you have any questions, feel free to type them into the GoToWebinar questions, control panel questions blank, and we'll take them at the end. And now I'd like to turn it over to Dirk. Dirk Vanden Heuvelen.
Thank you, John. And I think that was a really informative introduction to today's topic, cybersecurity investments. Also pointing out that there are specific movements, that there is innovation, to a degree, happening. And that has to be acknowledged, and that has to be incorporated into the own cybersecurity strategy to create a stronger cybersecurity posture.
So, what I would like to look at right now is how can cybersecurity investments be maximized in economically turbulent times? For that, I would like to, first of all, recap some of the challenges which John has pointed out, but there are also other aspects, in our opinion, as CYFIRMA, which we would like to highlight. And before I go into details, CYFIRMA is an organization, small organization, relatively young. We have dedicated ourselves to cyber threat intelligence, which means that we are helping organizations identify impending threats way before they may happen. That's an old shortage.
What we do is, on two different levels, we are looking at organizations, identifying the weaknesses and their strengths. And on the other side, we're taking also the position of threat landscape observation, and we try to bring this together, which we, in my opinion, do very well, because we would like to bring the essence out of both worlds together to paint an exact picture of the organization's possible vulnerability and also the availability of mitigating activities.
So, cyber challenges. And I think the ENISA picture points it out very well. It is an assortment of specific cyber crime threats, which are floating around, which we should take care of, either as a security practitioner trying to somehow secure the organization, but also us as the vendors and advisors in that particular field.
So, what we figured out, what we found out is, cyber crime in itself increases also during a recession. It doesn't stop, by any means. You can't point it out, or you can't correlate it to a specific context, saying it is because of a possible recession, or is it despite a possible recession? Cyber crime just increases.
And having given the short introduction about CYFIRMA and what we do, I think one of the demands we've identified on customer side is the lack of visibility looking beyond the security perimeter, which means that many organizations are not able to identify any possible threat, which is being arranged, prepared, and rolled towards an organization, which is happening outside of the secured, the monitored security perimeter, their own IT infrastructure. Out of that, we can see that organizations are facing more risk than ever before, and I think that correlates with the cyber crime increase as well.
What we also are identifying is, out of the TTP analysis, there is no particular preference of threat actors to either go after a specific organization or to go after specific low-hanging fruits in the terms of zero-day exploits or other fairly new vulnerabilities, which are then, out of the reconnaissance activities of threat actors, are correlated towards specific organizations.
Organizations are lacking awareness of their vulnerabilities and risk, so they usually, well, usually, maybe, but more often are not fully aware of their own weaknesses, their own vulnerability, and with vulnerability, I'm not talking about the technological definition of a vulnerability. I'm talking about the organizational vulnerability, which can be of technology, of operational, but also of humankind, and therefore, it is important for organizations to have a full picture about the possible vulnerability and the resulting risk out of it.
We're also identifying the execution is becoming more and more sophisticated. The threat actors need to take that particular sophisticated approach because we, as the defenders, we are improving constantly our strategy and the execution of the strategy, and therefore, the threat actors need to be on top of that.
Finally, it is some sort, like the race between the rabbit and the hedgehog, and this is something we need to take into consideration. Threat actors are ruthless. They don't have any boundaries. They don't have any moral limits, and therefore, that has to be considered, and that has to be incorporated into the security strategy and execution of such, and therefore, the strategies have to be more cohesive and more comprehensive, and there are financial challenges, operational and financial challenges. From an investment point of view, nowadays, investments have to be reduced.
Investments have to be well thought out. Certain investments have been pushed back. That's one aspect. Another aspect is right now, due to the variety of TTPs, of different attack methods, of different intrusion points and intrusion capabilities, variety of execution of knowledge of expertise requires individual aspects to be covered in terms of the cyber security and cyber defense strategy, and that results in silo offerings and silo solutions being implemented, and this is added cost. Added cost for a simple reason.
You need to have the manpower to operate these platforms, these solutions, these products, and you need to also have the manpower to correlate each of these silos into one big picture, where you need to take all these individual puzzle pieces and try to correlate it down and try to understand what is the landscape picture for me now, what was it, and what will it be, and that results also in long implementation cycles with an obviously delayed ROI. The silo solutions, they create complexity, and they also create another security gap, and that is, in our opinion, important to understand.
So we've been introduced by John to attack surface management. Attack surface discovery, in our terminology, is exactly one of these perspectives we take towards an organization. So we look at an organization from a hacker's perspective. We try to find out what is the vulnerability from a technological standpoint of that particular organization, the exposed IT infrastructure, what it is made of, what assets are available, what's the inventory of these assets, and how can that be broken down into a specific vulnerability correlation. That's one aspect.
What we also do with the attack surface discovery is we are putting another focus on forgotten IT, shadow IT, and third-party managed IT. And these are very interesting situations. I come out of meetings with customers where we're looking at the results and the data when we do this attack surface discovery, and they identify the one other asset that was a test run of a web application three years ago. Why is it still operational? Why is it still online and still accessible? Which means for three years, it's completely out of the security policy execution.
And that is something which needs to be understood. And this is where we are then also looking forward to work with organizations to help them uncover all these little gaps. Vulnerability intelligence is the extension of vulnerability management. And this is now another silo which is interesting because using the inventory out of the attack surface management, out of the attack surface discovery, correlate this to the known and well-known documented vulnerabilities is one part. What is missing is the visibility and the knowledge about the actual execution usage of these vulnerabilities.
And that is important to understand. Brand intelligence. Now we're turning away from these technological shortcomings into business and operational shortcomings and risk where we are encouraging our customers to also look at what is happening outside of an organization regarding their organization. What kind of malicious activities are happening in preparation to execute a campaign, an attack? What kind of malicious infrastructure components are available outside of the security perimeter in the context of an organization?
These are all indicators and that needs to be uncovered as well as digital risk discovery. I'm trying to find out what has happened already.
What data, what content has been leaked? What has been shared? Where is it detectable? What leaked credentials are out there? And everything which is a result out of a breach or a hack can be another risk for future activities by threat actors. And then ultimately also allowing a wider scope about any threat activities, the situation awareness. Everything what nowadays has been done is very focused and very narrowed down to the organization itself. But if you are, for instance, a telecom provider, you would like to know what is happening to other telecom providers in the world.
And you would like to know more about all these details if they might've been in trouble. You would like to understand the reason for the trouble and the context of the trouble because that allows you to relate back into your organization. Where are our shortcomings which we haven't identified yet? So what is it that I can do to prevent and prepare myself better and to protect my organization better?
And cyber intelligence at all, that is something which is highly recommended to look at, which means that by observing the threat landscape and by correlating all these observation results to build a very precise picture of the threat situation, which means that security practitioners, defenders are able to understand the various precise situation with a noise reduction, with a decrease of false positive results, et cetera, to allow them to be very focused on any kind of activity to improve security. What are the recommendations?
Our primary recommendation at all is you need to have senior management buy-in and their engagement. So how does that work? So first of all, you need to have, because senior management and upper management is definitely the ones who give you the budget, who sign off an investment. So how to make them aware of the necessity? We found out while having all these conversations with customers that in certain cases, senior management does not fully understand the impact of cyber threat towards an organization.
They think it's still an IT issue, that there is a server down, that a user can't log in, all these kinds of very simplistic views. What does it mean in reality? And this is something which can be widely discovered in the media every week. Organizations have to shut down business for a period of time. They're not able to operate. And that results in financial burden, extreme financial burden. And that is for a simple reason.
Senior management or non-security responsible in roles within an organization should have an understanding that actually the company, the organization is in a competitive situation with threat actors. The competitive situation is about the data and intellectual property. Because the organization is using the data and intellectual property for its own economical benefits. For the company's success or failure. And therefore, they have to rely on that. Threat actors are actually after the same, for the same objective, financial benefit in most cases.
But they have a different methodology, a different tactic, how to achieve that particular objective, which is of a criminal nature. But that has to be understood that this is a competition. And therefore, it is important for senior management to understand that if this particular data, this intellectual property is at a particular risk, it also has to be understood that there is the necessity to identify its own vulnerability, its own strengths and weaknesses.
And those, as I said before, not only as a vulnerability itself in a traditional definition, but also from a technological, from an operational, from a human standpoint. How does that work? Our recommendation is to use a holistic approach.
Nowadays, the internal landscape is mostly under control. There are the, let's say, three P's, people, processes and products in place, which allows organizations to control everything from an internal perspective. What is missing is the overall visibility and understanding of the external threat landscape. I wouldn't say it's a black hole, but there are some specific huge gaps of knowledge, information, of understanding. And due to this, the opportunities for risk mitigation are missed.
Now, when we think about an impending threat, about the enrollment of an attack, threat actors have to spend a lot of effort and time in preparation. Reconnaissance, one of the key words of John's presentation. Reconnaissance is the analysis of a potential victim. And this is an exercise which is executed over weeks, multiple times. And all these exercises, they leave traces, they leave evidence. And this is something which we are able then, or we should be able to uncover, which we recommend, and also to analyze. Not only to analyze, but also to correlate.
And to make, or to create a picture of clearance towards an organization about this external situation. So with this holistic approach, it is also important to understand that this is a continuous monitoring. The IT infrastructure, the organization itself is constantly changing, evolving. New IT assets released, updates, upgrades, et cetera, et cetera. The threat landscape is also constantly evolving. These type of movements are asynchronous to each other. And it is important to have that particular continuous monitoring, and also this continuous correlation to synchronize these movements.
This all brings down the effort to implement the cyber strategy on various levels. Namely across people, processes, and technology. Our approach at CYFIRMA is to introduce organizations to external threat landscape management. What does that mean? Taking all of these silos, as outlined before, attack surface discovery, vulnerability intelligence, brand intelligence, digital risk protection, situation awareness, and threat intelligence, or cyber intelligence.
That has to be something out of which we A, provide information to organizations, consolidated, which allows organizations to operate predictive. I said before, threat actors, they have to spend a lot of time preliminary to a specific attack or campaign enrollment. And out of these signals, which are out there, with all the evidence, with all the indications, this is something where we can create a predictive picture. And out of this prediction, we would like to enable, and we are able to enable, organizations to be actionable. To remediate that particular risk before it comes to a peak.
It is important also to have that particular information very personalized, because nothing is more disturbing than noise, or false positive information. Being relevant to specific information, for specific organizations, giving risk indications, so that you understand the severity of that particular information, why it is important to work on this now, and not next week. And also to be adaptive, to integrate into the given internal security measures, and also the internal threat management, with everything there is, SIEM solutions, SOAR solutions, et cetera.
What we also provide is with ETLM, the integration into the operational business processes. And I think that is important. So first of all, I think it's worthwhile to talk about the sourcing. So when we talk about threat landscape observation, we observe from surface web, from deep dark web, but also out of other intelligence networks. There's one aspect. And then we take this information, and correlate according to the context of our customers, of our organizations. And this is AI and ML based.
With this analysis layer, we're able to give our customers the possibility for contextualized risk profiling. Very important is risk quantification. How important is a finding, and how less important is another finding? It should be then actionable. And with all these, you're able to integrate with into other solutions, either into very specific solutions, or very native integrations. And that allows them to ingest our information into the customer environment, very specific, very focused, and to seamlessly integrate into the processes. So what are the recommendations generally?
First of all, look at yourself from a hacker's view. Try to find out: where are my weak spots? Where are my sweet spots? Why am I attractive to threat actors? Take this information to mitigate and remediate that particular risk. Having that information very precisely tailored allows efficient and effective operations and actions to improve the security situation. Further down the road, it is also important to understand who your enemy is. So why am I being targeted? By whom? What is the objective? What are the TTPs? What is the track history of these threat actors? What are their methods?
And this is important to understand because out of this information, you're able to also provide valuable information, valuable assets into the other aspects of your IT security operations: blocking IP addresses, blocking URLs, packet filtering, packet inspection. These IOCs, in regard to intelligence hunting, allow a very proactive approach and very proactive results, with the security posture being improved drastically. It gives you complete visibility about your external threat landscape. And I'd like to cut it short here. For the ones who are interested, please contact us.
These are the two products with which we work. It is important to have a view, a consolidated view, on these silos. I think, in our opinion, it is important to consolidate all these silos into one big picture and into one overall threat landscape picture, which allows organizations to be more precise and be better and well-informed about their current threat situation. And we do this with attack surface insights: not only taking the inventory of the attack surface, but also correlating it with vulnerabilities and other intelligence information.
We also take care of anything which is happening in the context of the organization in terms of social media and web exposure. Impersonation, one of the major threats. CFO fraud is a common terminology that is important to track, and that also happens on other levels. Dark web exposure: how prominent am I? Is my data, are my assets, any kind of assets, how prominently are they exposed on the dark web? And then also having a look at what has already happened.
Sometimes we come into situations where it's too late, but still organizations need to understand why that particular data breach has happened so that we can track back and mitigate that particular loophole. And one of the very important aspects is third-party observation, third-party risk monitoring. You have close connections with vendors, with customers, with partners, with suppliers. You have technical integrations. And you would like to make sure that these are not any kinds of backdoors into your IT infrastructure.
Your security, of course, you might be top-notch, but on the other hand, your supplier is very, very relaxed on that. And that opens a door. That's a potential risk. And this is something you would like to find out.
With that said, I would recommend to apply ETLM across the whole organization with all there is, just to make sure that you have a security posture, that you have transparency on your threat situation, that you're able to serve other objectives of your organization, that you collaborate, for instance, with, let's say, identity and access management, with marketing, with HR, with sales. All these can benefit out of a profound ETLM platform with its information and data. Having that said, thank you very much so far. And now let's open the Q&A.
Well, thanks, Dirk. Yeah, we'll take a look at the poll questions here in a second, but I wanna go back to something you said a few minutes ago that I thought was really, really interesting. Sometimes I do think management is not quite aware of the potential impact of a cybersecurity event. You think about something like ransomware, it's not akin to a server going down. I know of cases where organizations have been down for months. Let's say two months. Can your organization afford to have employees sitting around for two months doing nothing?
Cyber threats are existential threats for some organizations, and I think it's important to keep that in mind. Absolutely.
I mean, there are recently given examples of that. The bankruptcy of the bike manufacturer over in Germany. They simply couldn't afford to pay the ransom. That's basically it. They couldn't pay the ransom and they couldn't keep up the operational costs for their own business. And that's the financial burden, which is the risk to the organization. It's an immediate financial burden, which you haven't put into your budget planning, simply spoken. And that puts the risk to the organization. And it takes years for organizations to overcome and recover out of these situations.
And regardless if that's a ransomware attack or it's a malware attack, taking down business of an organization costs by day one. For sure.
So yeah, let's look at the poll results. Number one, what types of cyber attacks are you most concerned about? Looks like data breach, loss of PII, is number one this time around, with software supply chain. Ransomware, not quite as important. And CEO fraud / business email compromise didn't get any votes this time around. Okay. Any thoughts, Dirk? Yes. I would be concerned about ransomware attacks because that aligns with the financial objective of threat actors. Because that is something where it's just carpet bombing into the cyberspace and out of the response, potential victims are identified.
That's it. The PII loss and data breach is obviously also something which is important to be protected from and secured. But this is not, for every threat actor, a very prominent objective, put it that way. Because on the other hand, and this is something we've observed out of our observations as well, when we look at the ransomware attack itself, we're first talking about the double extortion, triple extortion, now it's a quadruple extortion. So the ransomware is not only encrypting the files on site and then asking for a ransom, for some payment, to release the decryption tool.
It is also that this information is usually exfiltrated. So it's out of the control of the owning organization. And the other one is that, I mean, it's like a butcher's job. To take cattle and make everything out of that particular cattle, with all there is, with all the potential meat you can carve out, you can sell and you can produce further. And that happens with data as well. Once it's exfiltrated, it's put on sale as a chunk. And further down the road, that particular data is then also very precisely analyzed, looking for the oyster pearls, which can then again be placed on the market. Yeah.
And that is the PII loss as well. So let's look at the second poll, biggest challenges to implementation. Budget and too many tools take the top spots, with skill shortage and stakeholder management coming in second.
Yeah, it will be interesting to understand what budget means to the ones who were responding to the poll. Well, I mean, we're talking about economic turbulent time. I would say that the amount of budget has probably decreased for them. Yeah.
Yeah, and therefore it's another reason to think about the current execution of the strategy to make sure if there is a potential to consolidate and to revalidate potential efficiency and effectiveness by maybe looking at another platform or stack which can be easily integrated. So let's look at our questions here. What are the top priorities for allocating limited cybersecurity budgets?
Well, you know, we've talked about a lot of different kinds of tools. Many of them are sort of absolutely necessary. It is hard to prioritize one over another in many cases.
I mean, I think you've got, you know, basics that everybody needs, things like endpoint security, you know, email security, various detection and response, application security, you know, other things that I probably should have mentioned earlier that Dirk mentioned like SIEM and SOAR, you know, there are a whole integrated set of tools that need to be in place to really have an effective security architecture. Dirk, what are your thoughts on priority?
Yeah, I think I would center around the human being, to be honest. I mean, it's an odd statement, but it's still a weaker spot in the chain in a direct manner, but also indirect manner. The human being is the one who's using IT infrastructure, who's given access, who's given privileges or even administrative permissions. And then there is the technology underneath, which is also implemented. The architecture is developed and deployed by humans.
And then there is sometimes the situation where I think a revalidation of the architecture and strategy should happen more often, to make sure that, as you said in your presentation, MFA is so important but still so seldom deployed. Yeah, the reliance on username and password is just, I mean, yeah, a different topic to talk and rant about. But there is. And the human factor is also the one who's responsible for any kind of technological vulnerability as well. Thinking about procedures, processes, how to maintain and update systems on a regular basis, do the validation, revalidation, cross-check.
And that is also something which has to be taken into consideration as well. Yeah, very true.
Now, I wanted to ask you, since you guys have a look at the external threat landscape, what can you talk about with regard to initial access brokering? Well, initial access brokerage, yeah. It is a hot topic. Let's be clear on that. Due to the recent, what means recent? Due to the changes in how organizations operate nowadays, and through the past three years of the pandemic, allowing employees, allowing users to operate from remote localities, having external access, moving out of the security perimeters.
That also has opened a gate of interest for threat actors, because with that, the IT infrastructure has obviously changed. Entries, gates into an IT infrastructure have been increased: VPN gateways, remote access gateways, and all there is. And with that, also the administrative and privileged execution of such access. And exactly these credential sets are highly valued in the threat actor scene right now. There is a market for these high-privileged accounts.
And that is something which I, as an organization, would strongly take care of just to make sure that at least the high-privileged or privileged accounts are specifically monitored. Also from a threat landscape perspective, by dark web monitoring and dark web observations, just to make sure that none of these credentials or assets are somehow shared outside of my organization, out of my control and surveillance capabilities. And there's a huge market for that. And the money being paid for a set of these credentials is outrageous.
Yeah, we're talking about six billion numbers. Yeah, yeah, I think, kind of going back to the question about what's the top priority, when you think about privilege management, I should have mentioned PAM and EPM again. Those are important tools. It's hard to say what's the most important thing. It's like saying, well, I need to buy a car. What part do you want first?
Well, I'll take a steering wheel and a tire. I mean, really, you need to invest in all the different parts. And think about what are the threats that are most pertinent to your organization? And then emphasize the tools that can help mitigate those threats.
Yeah, and I think you're right. And your analogy with buying a car makes sense. It's not only the steering wheel which drives the decision, and gives also validation for a right decision. It's the combination and the assortment of the different objects at a car. And the same for cybersecurity. It's not that one particular approach, this one particular solution, this one particular process. It's a combination. And we talked, for instance, about PAM, or the privileged accounts to be secured.
It is not only that you need to have a PAM solution in place, which is, for the internal threat landscape, obviously very important. It is also to apply the coding processes and procedures around the management of these PAM accounts, and to make sure that this is also taken care of from an external threat landscape. And as said, nowadays organizations have too many gates towards the public. So actually the IT infrastructure is exposed more than it was three or four years ago. And therefore it's important to understand, also from an external situation, how important such things are.
And this is just one example. And there are other aspects to be considered as well, but also always with that multi-layered security and strategic approach.
Well, great. We're at the top of the hour. I want to thank Dirk for coming today and delivering some really good information. And thank everyone for attending.
Again, the recording and the slides will be available shortly. So thanks again, Dirk. Thank you. Thanks for having me. Thanks for this very informative hour. Looking forward for next engagements. Likewise. I hope you can join us at our next event. Thank you. Thank you. Bye-bye.