Updated on: September 21, 2024
Whatever you know about protecting your online privacy, cybercriminals probably know that too and are already finding new ways to breach your defenses and steal your sensitive data.
It’s hard for everyday people like you and me to stay on top of threats, vulnerabilities, emerging trends, and overly complex cybersecurity concepts without going nuts. Not to mention the hidden truths no one talks about…
In this new interview series by Safety Detectives, I am talking to cybersecurity experts and thought leaders who share untold truths and actionable insights from their decades of experience to help you immediately become more effective in protecting your sensitive data (without losing your sanity).
Today I’m joined by Greg Crowley, Chief Information Security Officer at eSentire, one of the leading providers of Managed Detection and Response (MDR) services, protecting more than 2,000 enterprise customers across 80 countries. eSentire has been recognized as one of the top MDR providers in The Forrester Wave™, KuppingerCole’s Worldwide Leadership Compass, and more.
His 20+ years of experience in cybersecurity and technology spans various sectors, including media, entertainment, technology, and managed security services. Before joining eSentire, he was head of network and cybersecurity for WWE (World Wrestling Entertainment). He is also a Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP).
We discussed some key issues affecting businesses’ security:
- The problem with most vulnerability programs
- The biggest improvement companies can make to secure authentication
- How attackers can bypass MFA
- The mindset shift CISOs need to bring their companies’ cybersecurity awareness to the next level
What are the most overlooked and underestimated cyber threats in your industry?
The biggest underestimated threat has to be the absolute assault on vulnerability management programs. Threat actors are having great success with zero-day exploits. Couple this with the massively increasing number of software vulnerabilities that security teams have to deal with, while still facing the same pressures and timescales. This is leading to a long overdue evolution of vulnerability management programs. Security teams have to shift away from simply looking at the number of vulnerabilities that exist and instead move over to an exposure management approach. This involves looking at the levels of risk that you are exposed to around security issues, and then putting your efforts into fixing those problems that represent the most risk to your organization.
Zero-days will be a bigger issue over time because they represent such a significant risk to security. Across the board, I see that companies are getting better at exposure management and preventing issues around their common applications and services. This stops a lot of potential risks and makes things harder for attackers to compromise systems. However, threat actors have realized this and they are taking different steps to get ahead of the game. They are looking more and more for zero-day security issues, those faults in software that they can exploit, and where there is no patch available. They are willing to pay huge sums for those issues, so they can find more ways into corporate networks and then carry out ransomware attacks or steal data.
I expect that there will be more nation-state attackers targeting a wider spread of potential targets across critical national infrastructure services, from utility and telecom providers to areas like supply chains and infrastructure. In the past, nation-state threat actors looked to compromise other national security agencies or organizations, but this has changed over the past few years. Over the next few years, we will see a lot more intelligence gathering by these groups.
My biggest fear for security, in general, is around deepfakes, where attackers use AI to create videos or other content to fool their targets. We have already seen one company in Hong Kong where the finance manager was fooled by a deepfake video and it led to the loss of millions of dollars. This kind of attack will continue to grow as more AI services are created. Similarly, these kinds of tools will be used in campaigns around the world to influence elections taking place in multiple countries. So, deepfakes have a lot of potential for social impact and use in new social engineering attacks.
https://www.youtube.com/watch?v=DfmNO8cs0uw
What further steps do you usually suggest to your customers to enhance their online security?
I think the biggest improvement companies can make is around how they look at identity and access management.
Take passwords – they have been around forever, and people hate them. People have too many of them to remember and passwords alone are a weak form of security anyway. Multi-factor authentication is now a lot more common and widely accepted because users have adjusted to this approach through services that they might use every day, but we can push this further. It’s time to improve the user experience and authentication security.
I would push any organization to move to passwordless approaches where they can. Today, we have services like Windows Hello and facial recognition that can provide access securely and manage authentication for users more easily. We can consolidate the approach so that security improves the user experience rather than adding friction.
This means that users don’t have to remember multiple passwords to work. There is nothing to steal, so attackers can’t leverage credentials to gain more access to other network resources or cloud accounts. This makes life a lot easier for both users and security teams. It’s an approach that works and is available, we just have to start using it.
Can you share any experiences your company had with cybersecurity incidents and the lessons learned?
Alongside that theme of identity, we have learned about how attackers are now targeting MFA to find specific ways around this technology…
While it does provide a good degree of security, MFA is not bulletproof – determined hackers like those linked to nation-state groups can find a way around MFA by trying Man in the Middle attacks. But for the wider variety of attackers out there, MFA is a very effective way to prevent their methods from working and to ensure that your team remains as secure as possible.
To take a step back, we know that passwords are insecure, yet we have built on top of this approach to create more secure workflows and approaches. This has led to more advanced attacks that specifically target those workflows to steal the method that we use to authorize a credential. If an attacker can carry out an ‘actor in the middle’ approach they can save the token that we use to authorize that access and can then replay the process using that stolen token, giving them access to the account.
Over the past 18 months, we have seen multiple major companies affected because they had access credentials stored in their code repositories. Those credentials were found and used to get access to cloud resources. This is a staged attack because once they get that initial access, they can understand the topography of those companies’ applications and use what they have learned to carry out further attacks.
It’s like burglars carrying out another raid three or six months after an initial attack – they leave enough time for the insurance to pay out and try to get things back to normal, and then they strike again.
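The token-replay pattern described above (an attacker who proxies the login, captures the session token, and reuses it) leaves a trace in authentication and access logs: the same session identifier turns up from a source that the MFA step never saw. The following is an added example, not code from eSentire or from the interview; it runs a simple replay check over a few constructed JSON log lines. The field names (`ts`, `event`, `user`, `session`, `ip`, `ua`), the 30-minute window and the sample addresses (taken from the RFC 5737 documentation ranges) are all assumptions.

```python
"""Flag a session token reused from a different source IP shortly after
it was issued (added example; log format and thresholds are assumptions)."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Alert(NamedTuple):
    user: str
    session: str
    first_ip: str
    new_ip: str
    minutes_since_first_use: float
    user_agent_changed: bool


# How long after the first use a source-IP change is treated as suspicious.
# Tune per environment: mobile users legitimately roam between networks, so a
# real deployment would add ASN/geo distance and device signals on top of this.
REPLAY_WINDOW = timedelta(minutes=30)

# Constructed log lines. "session" would be a hash of the cookie/token in a real
# log, never the raw value. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
{"ts": "2024-09-10T08:00:05Z", "event": "mfa_success", "user": "alice", "session": "s-1a2b", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2024-09-10T08:00:40Z", "event": "api_call", "user": "alice", "session": "s-1a2b", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2024-09-10T08:03:12Z", "event": "api_call", "user": "alice", "session": "s-1a2b", "ip": "198.51.100.77", "ua": "python-requests/2.31"}
{"ts": "2024-09-10T09:15:00Z", "event": "mfa_success", "user": "bob", "session": "s-9f8e", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh)"}
{"ts": "2024-09-10T09:20:00Z", "event": "api_call", "user": "bob", "session": "s-9f8e", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh)"}
{"ts": "2024-09-10T10:00:00Z", "event": "mfa_success", "user": "carol", "session": "s-77c0", "ip": "192.0.2.40", "ua": "Mozilla/5.0 (Linux)"}
{"ts": "2024-09-10T11:30:00Z", "event": "api_call", "user": "carol", "session": "s-77c0", "ip": "192.0.2.41", "ua": "Mozilla/5.0 (Linux)"}
"""


def parse_ts(value: str) -> datetime:
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_replay(log_text: str, window: timedelta = REPLAY_WINDOW) -> List[Alert]:
    """Return one Alert per event in which a known session token is used from a
    source IP other than the one that first used it, within `window`."""
    first_use: Dict[str, Tuple[datetime, str, str, str]] = {}  # session -> (ts, ip, ua, user)
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        session = ev["session"]
        if session not in first_use:
            # The first sighting (normally the MFA completion) pins the token to a source.
            first_use[session] = (ts, ev["ip"], ev["ua"], ev["user"])
            continue
        first_ts, first_ip, first_ua, user = first_use[session]
        if ev["ip"] != first_ip and ts - first_ts <= window:
            alerts.append(Alert(
                user=user,
                session=session,
                first_ip=first_ip,
                new_ip=ev["ip"],
                minutes_since_first_use=(ts - first_ts).total_seconds() / 60,
                user_agent_changed=ev["ua"] != first_ua,
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOGS):
        print(alert)
```

Alice's token is flagged: three minutes after MFA it is presented from a different address with a scripted user agent. Carol's token, reused 90 minutes later from a neighbouring address, falls outside the default window and is not flagged; whether that is acceptable depends on how long your sessions live, which is why short token lifetimes and binding the token to the device that completed MFA matter as much as the detection itself.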
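The other incident pattern described above, credentials committed to code repositories, is one you can hunt for before an attacker does. What follows is an added example, not eSentire's tooling or anything from the interview: a small scanner that runs a few detection rules over constructed file contents. The rule set, the entropy threshold of 3.0 bits per character, and the sample values are assumptions (the access key ID is the placeholder AWS uses in its own documentation; the secret value below is made up).

```python
"""Scan source text for committed credentials (added example; rules and
thresholds are assumptions, not a complete or vendor-grade ruleset)."""
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    evidence: str  # matched value, masked so the report itself does not leak it


# Each rule captures the sensitive value in group 1.
RULES = [
    # AWS access key IDs have a fixed, well-known shape.
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    # PEM private-key headers are unambiguous wherever they appear.
    ("private_key", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)")),
    # A credential-looking variable assigned a quoted literal of 8+ characters.
    ("keyword_assignment", re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Quoted values below this Shannon entropy (bits per character) are usually
# defaults or placeholders such as "changeme"; raise or lower to taste.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(value: str) -> float:
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    # Template syntax or environment lookups are references to a secret, not the secret.
    return value.startswith(("${", "{{", "<")) or "os.environ" in value or "os.getenv" in value


def mask(value: str) -> str:
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if rule == "keyword_assignment" and (
                    looks_like_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD
                ):
                    continue
                evidence = value if rule == "private_key" else mask(value)
                findings.append(Finding(line_no, rule, evidence))
    return findings


# Constructed sample file, not a real repository.
SAMPLE_FILE = """\
# config.py (constructed sample, not a real repository)
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "Zq7pLx9vB2mNc4Wd8Ye1Rt6Uj3Ki5Oh0Sg2Fa4D"
api_key = "${API_KEY}"
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line_no}: {f.rule}: {f.evidence}")
```

Run it over each commit's diff in a pre-commit hook or CI job rather than only over the current tree: a secret deleted in a later commit is still in the repository history and still findable. The masked evidence keeps the scanner's own report from becoming a second place the credential is stored, and the entropy and placeholder filters are where you trade missed weak defaults for fewer false positives.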
Do you think the level of cybersecurity awareness is improving in your industry?
Security awareness is so much better than it used to be in the past. Take my mother – she is 80 years old, and she is aware of cyber security. She knows not to fall for fake calls or phishing emails, because there is that awareness in the general population, not just in the IT industry. She’s suspicious of everything, and that is due to the general awareness of these issues out in the media, rather than anything I have done to educate her!
Companies are doing a good job at training and investing in their approach to educating people on how to report phishing. They have worked with their teams on what to do, so now it’s a question of how you back that up with the right culture around reporting issues within your company.
Do you encourage reporting, do you want people to own up if they think they have done something that is a risk? Or do you blame them, which will lead to them keeping quiet?
If you encourage reporting, you are more likely to get ahead of a problem if and when something goes wrong. The truth is that people are both your weakest link and your first line of defense. While they might potentially make mistakes, they can also inform you so you can respond quickly to issues. Without this insight, you will take longer to detect, prevent, and contain issues. It’s impossible to get everyone up to the same level as your cybersecurity team, and attackers will always look for that one percent chance that they can take to get in. But your people can be the most effective form of defense and your fastest route to knowing that something is wrong.
What cybersecurity challenges do you see coming shortly, and how do you plan to cope?
Artificial Intelligence (AI) is getting huge amounts of hype. It is at the top of a lot of people’s minds right now. Security leaders need to get up to speed on AI and security.
In this, there are multiple paths to go down, as you have to look at how you can secure any AI deployment that your company wants to make, and equally, you have to look at how you might use AI in your security strategy too. There are more nuances in these areas that we have to be aware of to make the right recommendations to the business or prevent bad decisions.
The most important first step is to get educated, so you can take the fear away around AI. From a security perspective, AI is like a lot of other technologies that have come up over the years – you have to be concerned about sensitive or private information, where it is stored, where it might go if it is used, and how this fits into a wider compliance approach. If we understand the processes involved around AI, then we can make sure those processes are built to be secure and follow any rules that we have to meet.
We have two choices:
- Try to deny access or block things and keep them out
- Come up with a company-sanctioned approach to using AI.
The blocker approach does not work, as people will just turn to outside tools and carry out their experiments rather than talking to IT or security. Instead, we have to understand the risks, and then work with the business to take advantage of things that you can also manage and track over time.
Is it different from when tools like Dropbox came out to make transferring files to each other easier? Or other shadow IT projects, that came up to make life easier for those departments to get their work done? No.
- We need to have a relationship with the business where we can co-create the approach and make sure it follows security standards.
- We have to understand the components and how they work together so that we can collaborate with our teams and build criteria.
- We must build a good partnership with the business to get those projects moving. If we don’t it will leave a void, and someone else will fill it.
This should all be part of the CISO mindset around being a partner to the business. The role of the CISO is still a very new position, as we have to build out what that role does for the business as well as ensuring security. It’s only over the last few years that CIOs have been brought onto the board, and that is because the vast majority of today’s businesses can’t run without technology.
The CISO is in a very similar position – we have absorbed a huge amount of responsibility for security, for compliance, for ensuring that the business can operate effectively, but we may not have that direct route to the board to go into those conversations early or in advance of major decisions getting made.
You can end up in a reactive role, where you are always chasing after decisions to try and add that security or compliance viewpoint. It’s far better – and far easier – to be proactive and get involved, so you can put options together before those decisions get taken. This can help avoid massive amounts of additional work or extra costs that come up because you have to work with an existing business process or make wholesale changes. For CISOs, getting involved in these conversations early is essential if you want to make an impact.
Have a question for Greg?
LinkedIn: https://www.linkedin.com/in/greg-crowley-cissp-cism