Danny Smoulders, Vice President, ExtraHop, Asia Pacific
Data&StorageAsean: Has the rise in cloud adoption affected the way people (vendors and users) approach security?
Danny: Absolutely. It is estimated that nearly half of large enterprises will have hybrid cloud deployments by the end of 2017. While cloud offers businesses efficiency and scale, it comes with its own complications – especially when it comes to security.
With major security threats like ransomware impacting global enterprises, as well as a spate of high-profile data breaches over the past few years, IT security is top of mind for organizations. Cloud only makes the emphasis on security more imperative. Not only are cloud platforms vulnerable to the same types of attacks as traditional on-premises applications and infrastructure, the highly scalable nature of cloud means that far more data often resides there. This can make the impact of a breach exponentially worse.
While there are many factors to consider when developing a cloud security strategy, two of the most important are advanced persistent threats and access controls.
Advanced persistent threats (APTs) are one of the most insidious and difficult to detect security threats. They infiltrate systems and then slowly exfiltrate data over a long period of time from the target's network to a location controlled by the threat actor.
ExtraHop plays an important role in detecting APTs. The complete, real-time East-West visibility made possible with streaming analysis of wire data allows IT security teams to detect patterns of potentially malicious or anomalous behaviour and initiate a forensic investigation to identify the source of the problem and shut it down.
Access controls are another area where ExtraHop can help IT stay in control of its security posture in the cloud. Data breaches often result from access control issues like weak passwords, poor key and certificate management, and misallocated permissions. ExtraHop automatically discovers, classifies, and surfaces all SSL servers and clients communicating over a network, and identifies non-compliant servers. The platform can also help IT identify which users can access which resources, helping them stay on top of permissions.
Data&StorageAsean: Do XaaS providers do a good job of securing our data?
Danny: I think they do what they can. It can be complicated because different customers use different infrastructure and have different needs. This may require customisation and a “one size fits all” approach usually is not a sufficient solution. Ultimately, it depends on a whole host of factors – including which XaaS provider the business chooses – but I think, in today’s rapidly evolving landscape, everyone can do a better job because it is about constant improvement.
Data&StorageAsean: Security used to be about virus protection and access control. How has that changed?
Danny: In the past, detecting viruses meant that businesses were detecting signatures – which means using key aspects of an examined file to create a fingerprint of known malware. However, it is impossible for businesses today to stay up-to-date with signatures as modern attackers frequently avoid detection by changing the file’s signature. Businesses must therefore move up to the next level of security: anomaly detection.
Ransomware has turned into a business. Estimates from the FBI put ransomware on track to net over $1B in 2016. In the first quarter of this year alone, global ransomware payouts topped $200M. The perfection of the ransomware business model poses an increasing risk for businesses as cybercriminals are turning their attention to corporate networks.
According to a new Kaspersky Labs report on ransomware, the number of corporate users attacked with crypto-ransomware is trending upwards – attacks have increased by over six times with 718,000 victims in the last year compared to 131,000 during the previous 12 months. Today, the average ransom demanded by attackers has also increased to US$679.
Businesses need to assume they have been breached. Rather than focusing on securing the perimeter, organizations must start detecting anomalous behaviour already happening within the network.
ExtraHop offers one of the industry’s most sophisticated solutions for the detection and mitigation of ransomware. The ExtraHop ransomware solution provides a trigger that can help detect ransomware attacks in real time based on analysis of traffic from the SMB/CIFS network protocol. Through its REST API, the ExtraHop platform can also kick off orchestrated mitigation actions in other security tools, allowing IT security teams to automatically block malicious IP addresses with their firewall appliance or quarantine infected clients with their network access control device. Most recently, ExtraHop introduced packet-based file restoration to its ransomware offering. Leveraging Precision Packet Capture that starts the moment ransomware is detected, ExtraHop delivers the packets from which encrypted files can easily be restored.
Data&StorageAsean: Can a company protect itself 100% from data security threats?
Danny: Cyber-attacks are becoming more sophisticated, and cybercriminals seem to always be one step ahead of businesses. Because it’s turned into an industry, the bad guys are never going to stop trying to hack into databases. As a result, no company should think they are safe from an attack.
The way we at ExtraHop approach security – starting from the posture that breaches are inevitable and have likely already occurred – is a really good example of how the landscape has changed rapidly and profoundly. Preventing significant, harmful breaches is about more than technology. It’s a mindset. It’s no longer enough to just set your perimeter security and forget it. IT teams and organizations at large need to remain vigilant, and look to solutions that will help shine a light on all activity taking place in their environment.
Data&StorageAsean: Are you seeing big data or machine learning being used in data security - on either side of the fence (hackers and/or vendors)?
Danny: Definitely. Machine learning in particular is going to be enormously important in the new IT security landscape, helping to detect and alert on potentially anomalous or malicious behaviour taking place within the IT environment quickly. By understanding what “normal” looks like, these technologies can pinpoint even minor deviations from the base. As threat actors become more sophisticated and evolve their malware to evade detection, the ability to parse even the slightest anomaly could mean the difference between a minor disruption and a large-scale breach.
Data&StorageAsean: What’s unique about your own offerings and product strategy?
Danny: At ExtraHop, we offer a unique real-time stream analytics platform that enables visibility across the network. Unlike current management and monitoring platforms, ExtraHop unlocks new dimensions of business, information security, applications, and operations data flowing through the network and delivers actionable analytical insights through our built-in big data capabilities.
We also don’t just see north-south traffic, but also east-west traffic, which is all the activity that is happening in the data centre – including on-premises and in cloud and virtual environments. With security threats nowadays, businesses have to be able to visualise all traffic on the network in real time. This means not only being able to know who is communicating (e.g., NetFlow), but to see each conversation between clients, systems, infrastructure, and applications and understand how these play out. The fact that our solution is so fast, so easy and so complete makes us a trusted partner and global leader in real-time wire data analytics for IT intelligence and business operations.
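The interview describes detecting ransomware from SMB/CIFS file-operation traffic and alerting on deviations from what "normal" looks like. The following is an added example written for this page, not ExtraHop's trigger code or anything from the product: a toy detector that replays constructed SMB-style file-operation records and flags a client that modifies many distinct files in a short window while renaming them to a new extension. The record format (`timestamp,client_ip,OP,path`, with `old->new` in the path column for renames), the two client addresses, the file paths and the thresholds (60-second window, 20 files, half of renames changing extension) are all assumptions chosen for illustration.

```python
# Added example (not ExtraHop code): a toy ransomware-style anomaly detector
# over SMB/CIFS file-operation records. The log format, addresses, paths and
# thresholds below are assumptions made for illustration.
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format: "ISO-timestamp,client_ip,OP,path"; a RENAME row
# carries "old_path->new_path" in the path column.
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}


def build_sample_log():
    """Constructed sample: one benign user and one client behaving like ransomware."""
    t0 = datetime(2016, 9, 1, 9, 0, 0)
    rows = []
    # Benign user: a handful of reads/writes over ten minutes plus one harmless rename.
    for i in range(10):
        ts = t0 + timedelta(minutes=i)
        op = "READ" if i % 2 == 0 else "WRITE"
        rows.append(f"{ts.isoformat()},10.0.0.5,{op},//fs01/finance/report{i % 5}.xlsx")
    rows.append(f"{(t0 + timedelta(minutes=10)).isoformat()},10.0.0.5,RENAME,"
                "//fs01/finance/draft.docx->//fs01/finance/final.docx")
    # Suspicious client: overwrites then renames 25 distinct files to a new
    # extension within about fifty seconds.
    t1 = t0 + timedelta(minutes=5)
    for i in range(25):
        path = f"//fs01/finance/doc{i}.docx"
        rows.append(f"{(t1 + timedelta(seconds=2 * i)).isoformat()},10.0.0.77,WRITE,{path}")
        rows.append(f"{(t1 + timedelta(seconds=2 * i + 1)).isoformat()},10.0.0.77,RENAME,"
                    f"{path}->{path}.locked")
    return "\n".join(rows)


def parse_records(text):
    """Parse the constructed log into (timestamp, client, op, path) tuples in time order."""
    records = []
    for line in text.strip().splitlines():
        ts, client, op, path = line.split(",", 3)
        records.append((datetime.fromisoformat(ts), client, op, path))
    records.sort(key=lambda r: r[0])  # the sliding window assumes time order
    return records


def extension_changed(rename_path):
    """True when a RENAME row gives the file a different extension (e.g. .docx -> .locked)."""
    old, _, new = rename_path.partition("->")
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect_bursts(records, window_seconds=60, min_files=20, min_ext_change_ratio=0.5):
    """Flag a client that modifies at least `min_files` distinct files inside a
    sliding window while at least `min_ext_change_ratio` of its renames change
    the file extension. Each client is reported once."""
    alerts = []
    recent = defaultdict(deque)   # client -> deque of (ts, op, path) inside the window
    already_flagged = set()
    for ts, client, op, path in records:
        if op not in MODIFYING_OPS:
            continue
        q = recent[client]
        q.append((ts, op, path))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()
        touched = {p.partition("->")[0] for _, _, p in q}
        renames = [p for _, o, p in q if o == "RENAME"]
        ratio = sum(extension_changed(p) for p in renames) / len(renames) if renames else 0.0
        if (len(touched) >= min_files and ratio >= min_ext_change_ratio
                and client not in already_flagged):
            already_flagged.add(client)
            alerts.append({"client": client, "at": ts.isoformat(),
                           "files": len(touched), "ext_change_ratio": round(ratio, 2)})
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the list of alerts."""
    return detect_bursts(parse_records(build_sample_log()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The benign user never exceeds a handful of distinct files per window, so only the second client is reported, at the moment its twentieth file is touched. In a real deployment the thresholds would come from each client's observed baseline rather than fixed constants, and an alert like this is the kind of event that can be handed to a firewall or NAC system for containment, as the interview describes.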