Cyberattack - your worst nightmare or just a hiccup? - interview
Sooner or later, malicious hackers will get to you. Hoping it won't happen is the worst possible cybersecurity strategy you can come up with.
There's a mantra in the cybersecurity world: there are only two types of companies - the ones that have been hit by the cyberattack and those that don't yet know they have been hit.
Whether it's going to be ransomware or a distributed denial of service (DDoS attack), cybercriminals will get to you. Cybersecurity experts are well aware of that but have a hard time convincing the C-Suite that this is the new normal we are living in. In fact, according to the latest World Economic Forum report, cyber leaders don't feel consulted on business decisions.
Ariel Parnes, Co-Founder, and COO of Israeli cybersecurity startup Mitiga, says that some companies still view cybersecurity as a cost center. However, the attitude is slowly changing - a cyber attack on an organization or its peers usually becomes that light bulb moment.
Parnes, a former Head of the Cyber Department for the Israeli Intelligence Service, winner of the Israel Defense Prize for significant technological innovations in the cyber field, agreed to share his views on this "new normal" we are dealing with.
By 2022, around 90% of companies will have a hybrid work environment. How happy are malicious hackers about that? How much of a headache it is for companies and you as a cybersecurity company.
I see two main challenges somehow connected. One of them is that the perimeter you have to defend is not very well defined. You could think about your environment - offices. And when your people are working from home with other people around, the perimeter is much more difficult to define. And the approach needs to be changed. That's the number one headache.
The second challenge and opportunity is very accelerated adoption of cloud environments and solutions. This is an opportunity because, eventually, the cloud is a more secure environment. However, the fast adoption did not always come with the proper knowledge and the right security in place. This rapid adoption of cloud environments opened and left some holes and blind spots in security, and that's quite a challenge for defenders and an opportunity for attackers, and this is what we have seen during 2021 and expect to see during 2022 as well.
Many companies are still on the basic stage of their digital journey, let alone protecting the perimeter. Are companies getting more cautious and aware of the risks when adopting cloud, SaaS, and other different technological solutions?
If you look back a few years, there were too many companies thinking that a cyberattack was not something that would happen to them. During 2020-2021, things happened that changed this approach. I see a lot of companies now understanding that cyberattacks exist and that they are exposed, so they are moving to the detection and prevention approach. That's like from kindergarten to middle school, so to say.
What needs to happen more, and we don't see enough of it, is moving from middle school to university - understanding that there are cyberattacks, that you will be attacked. You can't prevent it totally, so you need to be resilient and ready to respond to anything when it happens. I can see that in more advanced companies, but I don't see it yet enough. You have to say that it happened to your peers, and it's going to happen to you, and you can do only so much to stop it, now you need to be ready for that moment so you can respond to that and get back to business as fast as you can. Otherwise, you'll be losing a lot of money.
What has to happen to see this transformation? Can we learn from other's mistakes, or do you have to get hit by a cyberattack to understand the importance of cybersecurity measures that are not just cost centers?
From our experience, I can say that companies that have suffered an attack are in a different level of understanding and readiness to do what it takes to be in a better position afterward. If that company has suffered an attack, talking to that company is very easy. They understand the impact. I see another set of companies, maybe those that didn't suffer the attack directly, but their peers suffered. If, for example, there are massive attacks in some industries, then the other peers will be more open to discussing cybersecurity because it happened to their peers, and they can imagine and envision what would happen to them, so they are ready to invest.
And then there's a third set - companies that still believe it won't happen to them and look at cybersecurity as a cost center instead of the potential of what it can bring to the business. Those companies probably will only change their mindset when something happens. I see the progress, the difference, the maturity, the education, and awareness, and I see a lot of work to do.
The Biden Administration came with quite a strong focus on cybersecurity. I wonder, is this enough to somehow turn the tide on ransomware and other cyberattacks?
I've seen with the Biden Administration that they have cybersecurity as the main focus. They understand its impact on the US and the potential impact it could have in the future.
The Biden Administration is running a campaign in several dimensions - the legal dimension, the law enforcement, the international cooperation, and using capabilities that the nation has, following the money and putting the pressure on crypto exchange service, etc. This is a multidimensional campaign. It is undoubtedly the right approach. I think it will have an influence during 2022-2023. It won't stop cybercrime, obviously. Crime doesn't stop ever. It just changes modus operandi, moving to different areas. Maybe from extortionware (ransomware), the significant extortion attacks, we will see a transition to a more considerable number of smaller extortions that could be one result of this campaign, and then the campaign will change. This is a game between the governments and the criminals. As long as there's business there, criminals will try to find a way. What the Biden Administration is doing is the right thing to do at this stage. It still remains to be seen what the impact will be and how to reshape the campaign accordingly.
You mentioned crypto exchanges. And cybercriminals love cryptocurrency, especially Monero. I guess it's unavoidable to see some regulations on the crypto market in the future as a measure to curb cybercrime?
One of the dimensions of this campaign is following the money. In this specific case, it's cryptocurrency. They will do what they can to harm this. In the end, think about cybercrime ransomware - it's a business. Not a legitimate one, but it's a business. In a business, there's the cost, the revenue, and the risk.
The campaign that the US is leading goes to the three areas: to maximize the cost by having better defense so that criminals would need to invest more to get the same revenue; to minimize the revenue by making life harder with cryptocurrency so that it takes more time and effort to get the same revenue; and the risk - follow the criminals and arrest them, so the sense of risk is higher. When you work with this equation, you might be able to change this ransomware trend.
In 2020, you said that the private cybersecurity industry is segregated because of the lack of communication and their niche solutions to the problems. I wonder if that's any different now?
It is changing, but the attackers cooperate better than the defenders worldwide. That's not good enough. I see better cooperation between different industries and dialogue between governments and nations in different areas. Still, for obvious reasons, cybercriminals cooperate more efficiently. They leverage the darknet and the fact that they are not related to any country and are very flexible. They adapt more quickly. As long as they can cooperate better, we, as defenders, have more challenging work. But I see the progress, and still a lot of work.
You joined the private sector from the military. And I see this happen quite often in Israel, the US, and other countries, where people who used to work in some state intelligence unit are joining the private cybersecurity industry. How can the private industry benefit from the skills that you bring from the military?
I took a mission-oriented approach from my military experience and what I am trying to implement in the private market. This is very typical for the military in Israel. We are very oriented on a specific mission and can laser focus on it and do whatever it takes to achieve. I take this approach to the private industry. Applying it in the right way creates the energy and pace needed nowadays in the volatile, uncertain, complex, and ambiguous world.
Another thing that I take from my military service is understanding how an attacker in the cyber world thinks. I believe this is crucial, and it gives you a very high advantage when you move to a defending mission because you understand how an attacker thinks, what goes on their mind, and what to expect next. This, too, is very relevant to what I do now.
So what's your laser-focused mission now?
Our mission is to minimize the impact of cyberattacks in the cloud and hybrid environments, and we do that in two ways. When something happens, with our tools, we can rapidly investigate and respond to the incident so that the organization can go back to business as quickly as possible. The more innovative approach is readiness instead of waiting for the fire to start and only then reacting to that. Our solution prepares you for this moment with a particular set of activities so that when this happens, you are not wasting time in understanding what is happening and collecting the evidence to understand what the attack was. You already have that in place. It improves the response time, which is the essential pain in an incident. Our mission is to help you move from a catastrophe and a crisis to a hiccup. That's our vision.
So you are saying that companies need to understand that there will be a fire, so you need to be prepared for it, not just hope for the best?
Hope is not a strategy. A strategy is to be ready, do whatever you need so that when it happens, and it will happen, you can be as efficient and effective as you should.
More from CyberNews:
Subscribe to our newsletter