In my role as Senior Product Marketing Manager and Security Advisor here at VMware Carbon Black, I have the opportunity and immense privilege to sit down with our many customers across the APJ region and discuss the state of their security efforts, as well as share best practices employed by their peers.
CISOs (Chief Information Security Officers), their Security Architects, and their SOC (Security Operations Center) teams are always busy defending themselves from cyber-attacks, so the time they invest with me and the Carbon Black team is always deeply appreciated. We learn so much from each other, and after recently spending time with customers in Singapore I wanted to share the learnings with all of you as well. We are all in the fight against our adversaries together, and we're all stronger when we work as a cyber community.
What I heard from the CISOs and their teams was both encouraging and sobering. Let’s start with the latter, setting me up for a good news ending to this State of Security report from Singapore.
Ransomware Defence is a Primary Concern
Perhaps not surprisingly, top of mind for organisations is ransomware. Whether the ransomware criminals gain their initial foothold through exploitation of unpatched vulnerabilities, novel malware, social engineering, or otherwise, Singaporean cyber teams are acutely aware that what follows will be highly challenging to the continuity of business operations, and financially and reputationally impactful.
As a side note, ransomware payments are collectively on track to hit nearly US$1 billion in 2023, based on monitoring of cryptocurrency payments across the first half of the year (see the projection by Chainalysis). With that sort of financial return, it is no wonder that ransomware is a favourite flavour of attack, and one that will not recede while the return remains so lucrative.
What I learned in Singapore is that the SOC Analysts are well equipped to hunt for and respond to ransomware threats across their fleets of endpoints and workloads. They have also developed mature and well tested processes for managing incident response workflows from a technical perspective.
That said, there are (always) areas for improvement.
We know that ransomware is no longer simply a matter of data encryption and denial of system access. More often than not the attacker's first goal is to establish persistence and remain stealthy. Prior to moving to the destructive and disruptive phase of data and system encryption, they move laterally, searching for and then exfiltrating copies of the victim's most sensitive data (usually customer-related data). These stolen files are then used as additional leverage when demanding the ransom, and as a secondary source of financial gain through the sale of stolen records.
Knowing that, it is critical that your ransomware defence strategy includes reducing the number of copies of your most critical data. Organisations accumulate these "shadow", working copies of data because they make analysis, testing, and development tasks so much easier. However, every extra copy of critical data makes the defender's job harder and the attacker's job easier. Reducing the number of copies, and limiting the scope of their content to only what is necessary (a development fixture does not need the full production customer table), eliminates targets for attackers to exfiltrate and helps SOC teams focus on defending the crown jewels. Note that these working copies are distinct from Windows Volume Shadow Copies, which ransomware typically deletes to hinder recovery; those you want to keep, and to alert on when they are deleted.
Encryption of data-at-rest also denies the attacker the leverage and financial benefit of stealing the data, provided the keys are not reachable from the compromised system: an attacker who has taken over an account that can read the data transparently gets it in the clear, so key management and access control matter as much as the cipher. Both reduction of superfluous copies and data encryption need to be part of your overall technical defence strategy.
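One way to find out how many working copies of a sensitive dataset actually exist, as an added example that is not part of the original post or a Carbon Black tool: the script below builds a constructed file tree in a temporary directory (one canonical customer file plus the kinds of copies teams typically leave behind), then reports exact duplicates by SHA-256 and partial copies by the share of customer IDs they contain. The `CUST-nnnnnn` identifier format, the directory names and the 25% flagging threshold are assumptions for this example; substitute your own record identifier and file shares.

```python
"""Inventory redundant copies of a sensitive dataset across a file tree.

Constructed example (not code from the original post): a canonical
customer file and several working copies are written under a temp
directory, then exact duplicates and partial extracts are reported so
the defender can see which extra exfiltration targets exist.
"""
import csv
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed customer-ID format for this example; use your own identifier.
ID_RE = re.compile(r"\bCUST-\d{6}\b")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large shares do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_ids(path: Path) -> set:
    """Set of customer IDs that appear anywhere in the file (text files only)."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return set()
    return set(ID_RE.findall(text))


def inventory(root: Path, canonical: Path) -> dict:
    """Return {'exact': [paths], 'partial': {path: fraction_of_canonical_ids}}."""
    canon_hash = sha256_of(canonical)
    canon_ids = record_ids(canonical)
    exact, partial = [], {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.resolve() == canonical.resolve():
            continue
        if sha256_of(p) == canon_hash:          # byte-for-byte duplicate
            exact.append(p)
            continue
        if canon_ids:                            # extract / subset of the records
            overlap = len(record_ids(p) & canon_ids) / len(canon_ids)
            if overlap > 0:
                partial[p] = overlap
    return {"exact": exact, "partial": partial}


def report(root: Path, canonical: Path, threshold: float = 0.25) -> list:
    """Paths (relative to root) that are duplicates or carry >= threshold of the records."""
    inv = inventory(root, canonical)
    flagged = [p.relative_to(root).as_posix() for p in inv["exact"]]
    flagged += [p.relative_to(root).as_posix()
                for p, frac in inv["partial"].items() if frac >= threshold]
    return sorted(flagged)


def build_sample_tree() -> tuple:
    """Constructed fixture: canonical dataset plus typical working copies."""
    root = Path(tempfile.mkdtemp(prefix="crownjewels_"))
    rows = [("CUST-%06d" % i, "user%d@example.com" % i) for i in range(1, 101)]

    def write_csv(path: Path, rs) -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        with path.open("w", newline="") as f:
            w = csv.writer(f)
            w.writerow(["customer_id", "email"])
            w.writerows(rs)

    canonical = root / "prod" / "customers.csv"
    write_csv(canonical, rows)
    write_csv(root / "analytics" / "customers_copy.csv", rows)     # exact duplicate
    write_csv(root / "dev" / "fixtures" / "sample.csv", rows[:5])  # small, scoped fixture
    write_csv(root / "reports" / "q3_extract.csv", rows[:60])      # large partial extract
    readme = root / "docs" / "readme.txt"
    readme.parent.mkdir(parents=True, exist_ok=True)
    readme.write_text("no customer data here\n")
    return root, canonical


if __name__ == "__main__":
    root, canonical = build_sample_tree()
    for path in report(root, canonical):
        print("review or remove:", path)
```

The small five-record fixture is reported with a 5% overlap but not flagged, which is the point of "limiting the scope of their content": a test fixture with a handful of records is an acceptable working copy, while a full duplicate or a 60% extract in a reports share is an exfiltration target worth eliminating or encrypting.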
Ransomware is of course a financial problem, and one that is ultimately owned by the business. The buck stops not with the CISO, but with the other Senior Executives empowered to make decisions that impact the bottom line from a financial and reputational perspective. For that reason, it is a non-negotiable reality that tabletop incident response fire-drills need to include the full gamut of decision-makers. Best practice is that this should involve the CEO, CFO, CMO, CRO, legal, and of course the CISO, and their respective teams. Only that way can these multi-disciplinary teams gain an appreciation of what decisions they will need to make, collectively and individually, when under the mortar fire of a live ransomware attack.
Cybersecurity Skills Are in High Demand
Meanwhile, Singapore is not immune to the skills shortage we face across our industry. Experienced SOC analysts remain both in short supply and a hot commodity. The ability to attract, retain, and grow analysts is also an area of focus for the country's CISOs.
We know, both from our own research and from that conducted by other industry leaders, that burnout amongst SOC staff is a real problem. From a technical perspective our focus at Carbon Black is helping to improve the SOC Analyst Experience by providing the tools to remove time and effort from the incident investigation workflow. Here, Carbon Black XDR adds enormous benefit. Click here to read the XDR security industry guide.
On a practical note we are investing in our customers to help them upskill their SOC analysts. We do this through our Threat Hunting Challenge (THC) program, where we pit defenders against attack simulations that mirror the real threats they will face. Through our THC workshops we have helped improve the threat hunting and incident response skills of nearly 1000 cyber defenders, globally, this calendar year alone. I encourage you to take advantage of this incredibly valuable, no-cost learning opportunity.
Remember, though, that security is about people, process, and technology. As well as uplifting the tools (the technology) SOC Analysts use, don't neglect the human element. We need to ensure that the right support programs are in place so that stress and staff burnout doesn't drive our industry colleagues out of the industry, or worse. My colleague Karen Worstel has written extensively on this topic and I highly recommend reading her advice. Click here to read more.
Together, We Can Win
Lastly, while we still have much to do, I want to end on a positive note. Our “happy ending” to this State of Security report from Singapore.
The Cyber Defenders I met with all believe they can win. They remain positive, passionate, and committed to this shared fight. This belief, that we can win, is one we share at Carbon Black. Adversaries remain committed, relentless, and wily in their efforts to disrupt, steal, and destroy. Together we can and will prevail.
What you as Cyber Defenders do every day is incredibly important and perhaps appreciated more than you know. Thank you for everything you do to keep your organisations, and the world safe from cyber attacks. Until next time.