Matthew Warner, Blumira: “prioritizing cybersecurity requires a certain level of security maturity”
While most companies are aware of today's digital threats, many are still reluctant to adopt robust cybersecurity measures. The reasons range from a lack of financial resources to a misunderstanding of the risks involved.
Investing in cybersecurity before an incident happens is the best preventative measure a company can take, but recognizing which threats to tackle first is often a challenge in itself. Blumira offers a detection and response platform intended to help organizations identify, prepare for, and respond to threats.
We reached out to Matthew Warner, co-founder & CTO at Blumira, to discuss the most common cyberattacks today and the solutions Blumira offers against them.
How did the Blumira project come about?
Blumira is fully conceived out of my frustration while dealing with open source SIEMs when trying to scale out my own defensive security programs. When you’re trying to suss out how to best secure an environment, there are so many different areas that must be covered, ranging from vulnerability management to threat handling. It’s fairly straightforward to understand that antivirus stops viruses and that vulnerability management finds vulnerabilities, but SIEM becomes this magical unknown component in many cases.
Tools like Splunk, Elastic/Kibana, Alienvault/AT&T Cybersecurity, et al., have their own merits depending on the size and budget of a team. However, what they all share is that none help organizations react with action while continuously improving their security maturity with use. Blumira was and continues to be built with the idea that SIEM products should be servicing the user and their stakeholders — not be a pain point in their day.
What does dealing with the aftermath of an attack look like? Could you tell us more about the recovery steps?
Dealing with the aftermath of an attack is never easy, but it’s certainly much easier for organizations that have prepared in advance by running drills with tabletop exercises, implementing backups, and developing an incident response plan. Performing these preparations also means reducing headaches when dealing with external parties like cyber insurers, incident response consultants, or auditors in the aftermath of a cyberattack.
As far as recovery steps go, we advise following NIST’s best practices for incident response, which include detection and analysis, containment, eradication, recovery, and post-incident activities. There are a few tools we recommend to assist with those steps. We recommend enabling Sysmon as a preventative measure — a free built-in tool that is a part of the Windows Sysinternals package — which can help immensely during the detection and analysis process. Once you start ingesting those logs, it gives you a good breadcrumb trail in the event of a cyberattack. That way, you can begin investigating how a threat actor accessed your environment and what they did when they were in there. Dynamic blocklists, which Blumira includes as part of our platform, are another useful tool during the containment process because they sever the connection between external attack infrastructure and compromised systems.
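The breadcrumb trail described above, as an added example that is not part of the interview or of Blumira's platform: the script below walks constructed Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) records, chained through the ProcessGuid and ParentProcessGuid fields Sysmon emits, from an outbound connection back to the process that started the chain, and derives the destination IPs a dynamic blocklist would need for containment. The events, the Office and script-host image lists, and the "script host descended from an Office application" rule are assumptions chosen for this example.

```python
"""Reconstruct a Sysmon breadcrumb trail from constructed events.

Added example: walks Sysmon Event ID 1 (ProcessCreate) and Event ID 3
(NetworkConnect) records from a suspicious outbound connection back to the
process that started the chain, then derives a containment blocklist.
The field names are the ones Sysmon emits; the records themselves are
constructed for this example and do not come from any real incident.
"""
from __future__ import annotations

# Constructed Sysmon records, flattened to the fields this example needs.
SYSMON_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-06-01 13:02:10.100", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ParentProcessGuid": "{EXPLORER}", "CommandLine": "OUTLOOK.EXE"},
    {"EventID": 1, "UtcTime": "2021-06-01 13:05:42.300", "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentProcessGuid": "{A1}", "CommandLine": 'WINWORD.EXE /n "invoice_4471.docm"'},
    {"EventID": 1, "UtcTime": "2021-06-01 13:05:50.900", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessGuid": "{B2}", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"EventID": 3, "UtcTime": "2021-06-01 13:05:53.000", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    {"EventID": 3, "UtcTime": "2021-06-01 13:06:01.000", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443, "Initiated": True},
]

# Assumed lists for this example; tune them to your own environment.
OFFICE_IMAGES = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def index_process_creates(events: list[dict]) -> dict[str, dict]:
    """Map ProcessGuid -> Event ID 1 record so ancestry can be walked."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def ancestry(events: list[dict], process_guid: str) -> list[str]:
    """Image file names from the given process up to the oldest parent Sysmon saw."""
    creates = index_process_creates(events)
    chain, guid, seen = [], process_guid, set()
    while guid in creates and guid not in seen:  # stop at an unknown parent or a loop
        seen.add(guid)
        rec = creates[guid]
        chain.append(rec["Image"].rsplit("\\", 1)[-1])
        guid = rec["ParentProcessGuid"]
    return chain


def suspicious_connections(events: list[dict]) -> list[dict]:
    """Outbound Event ID 3 records made by a script host with an Office app in its ancestry."""
    hits = []
    for e in events:
        if e["EventID"] != 3 or not e.get("Initiated"):
            continue
        chain = ancestry(events, e["ProcessGuid"])
        if not chain:
            continue  # no matching process-create record; nothing to reason about
        if chain[0].lower() in SCRIPT_HOSTS and any(img.upper() in OFFICE_IMAGES for img in chain[1:]):
            hits.append({"UtcTime": e["UtcTime"], "DestinationIp": e["DestinationIp"],
                         "DestinationPort": e["DestinationPort"], "Chain": chain})
    return hits


def containment_blocklist(events: list[dict]) -> set[str]:
    """Destination IPs to push to a dynamic blocklist (sever the C2 path, not all egress)."""
    return {h["DestinationIp"] for h in suspicious_connections(events)}


if __name__ == "__main__":
    for h in suspicious_connections(SYSMON_EVENTS):
        print(h["UtcTime"], h["DestinationIp"], "<-", " <- ".join(h["Chain"]))
    print("blocklist:", containment_blocklist(SYSMON_EVENTS))
```

On the constructed data the walk yields powershell.exe, spawned by WINWORD.EXE, spawned by OUTLOOK.EXE, and only the PowerShell connection lands on the blocklist; Outlook's own connection to the mail server does not, which is the point of blocking by attack path rather than by process name.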
Out of a variety of your services, virtual honeypots might be a lesser-known safety measure to some. Can you tell us more about how it works?
Honeypots are powerful security tools that can detect lateral movement and potential bad actors on your network, but they’re often a lesser-known security measure due to perceived complexity or the idea that it’s just another tool to manage. Honeypots allow you to get deep detections within your environment without much effort or budget.
Virtual honeypots are built into our platform. With Blumira, each sensor dropped can also be a honeypot that immediately provides high-fidelity detection with multiple levels of information. For example, if we detect that someone is trying to authenticate into a honeypot and they’re making multiple attempts to do so, we immediately send a finding to your IT security team. You’ll know that there’s an actual attacker with a specific IP that is trying to launch an attack into your environment.
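One way to turn honeypot authentication attempts into a finding that names a source IP, as an added example that is not Blumira's sensor code: the log format, the five-attempts-in-sixty-seconds threshold and the priority scheme are assumptions for this example. Because nothing legitimate should ever log into a decoy, a single attempt is still reported, a burst is escalated, and a successful login is escalated highest.

```python
"""Honeypot authentication-attempt detection over constructed log lines.

Added example (not Blumira's code). The log format, thresholds and
priorities are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed honeypot log lines (assumed format: ISO time, service, result, src, user).
HONEYPOT_LOG = """\
2021-06-01T12:00:01Z rdp auth-fail src=198.51.100.7 user=administrator
2021-06-01T12:00:03Z rdp auth-fail src=198.51.100.7 user=admin
2021-06-01T12:00:04Z rdp auth-fail src=198.51.100.7 user=backup
2021-06-01T12:00:06Z rdp auth-fail src=198.51.100.7 user=scanner
2021-06-01T12:00:09Z rdp auth-fail src=198.51.100.7 user=test
2021-06-01T12:30:00Z smb auth-fail src=192.0.2.44 user=jdoe
2021-06-01T14:10:00Z rdp auth-success src=192.0.2.44 user=svc_backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>auth-\w+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def honeypot_findings(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one finding per source IP, highest priority first.

    priority 1: any successful auth (a decoy credential was guessed or stolen)
    priority 2: at least `threshold` attempts from one source inside `window`
    priority 3: anything else (a decoy was touched at all)
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    findings = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        users = sorted({r["user"] for r in recs})
        # Sliding window: size of the largest burst of attempts within `window`.
        burst, start = 1, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if any(r["result"] == "auth-success" for r in recs):
            priority, reason = 1, "successful authentication to honeypot"
        elif burst >= threshold:
            priority, reason = 2, f"{burst} attempts within {int(window.total_seconds())}s"
        else:
            priority, reason = 3, "single or low-rate attempt against honeypot"
        findings.append({"src": src, "priority": priority, "reason": reason,
                         "attempts": len(recs), "users": users,
                         "first": recs[0]["ts"].isoformat(), "last": recs[-1]["ts"].isoformat()})
    return sorted(findings, key=lambda f: f["priority"])


if __name__ == "__main__":
    for f in honeypot_findings(HONEYPOT_LOG):
        print(f"P{f['priority']} {f['src']}: {f['reason']} ({f['attempts']} attempts, users={f['users']})")
```

The usernames tried are carried in the finding because a list like administrator, admin, backup, scanner is itself evidence of a credential-spraying tool rather than a mistyped login.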
Do you think the pandemic somehow changed the way people approach cybersecurity?
We set up a Windows Server honeypot in our environment to track cybersecurity trends throughout the pandemic, and we found some interesting data. Specifically, we saw an 85% increase in attacks in the time period from the end of 2019 to May 7, 2020.
The pandemic was a perfect storm for ransomware actors for many reasons: the sudden shift to a distributed, remote workforce that widened the attack surface, added stress on IT departments that hindered the ability to focus on cybersecurity initiatives, and the opportunity for cybercriminals to launch targeted attacks on industries that have been particularly affected by the pandemic, like education and healthcare.
For all of those reasons and more, ransomware increased exponentially in the wake of the pandemic and was brought into the spotlight of mainstream media, especially as more significant attacks like Colonial Pipeline impacted global supply chains. I think that media attention has opened peoples’ eyes to the dangers of ransomware and has resulted in a greater need for cybersecurity tools.
What are some of the most common tactics cybercriminals use nowadays? Which industries do they typically target?
Over the last five years, ransomware techniques have evolved drastically. In the ‘old’ days, advanced persistent threats (APTs) like Emotet infiltrated an environment and quietly stole some information. That’s why some incidents would go unnoticed for longer periods of time.
Ransomware has only grown since then, largely because of the amount of money that can be made from it. These days, the ransomware-as-a-service model has enabled smaller, less tech-savvy affiliates to launch attacks, often by purchasing access credentials on the dark web. On the other side of the coin, larger operators like Conti and REvil take a militaristic approach, often staying in the environment for weeks or months to gather data and intel before they decide to encrypt. Both types of threat actors use common tactics like phishing campaigns, exploiting known vulnerabilities, and leveraging open internet-facing remote desktop protocol (RDP) ports.
The changing nature of the ransomware landscape also means that ransomware affiliates are less focused on specific industries and more focused on the relative ease of launching an attack. Even larger ransomware gangs like DarkSide — the threat actors responsible for Colonial Pipeline — have also stated that they don’t intend to disrupt supply chains or make political statements — they simply want to make money. That’s why small businesses are at risk; they often have fewer security resources and a wider attack surface for threat actors.
With the number of phishing and ransomware attacks rising, what are the main indicators of a malicious email? What should be done immediately after receiving a suspicious message?
Phishing is one of the most common ways that a ransomware attack begins. Threat actors will send social engineering emails, appearing as though the sender is from a legitimate company, making phishing difficult to detect. Still, there are signs to look for: emails coming from a public domain, misspellings, suspicious attachments or links, or urgent language requesting the recipient to take action.
End-user training can give employees the knowledge and awareness to detect a phishing scam. Ideally, employees should immediately report a suspicious email to IT. At Blumira, we believe that it’s more important to monitor behaviors related to phishing attacks, such as email forwarding rules, suspicious links, and malicious macros — and these are all behaviors that our platform detects.
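The indicators listed above, checked in code as an added example that is not Blumira's detection logic: the script parses a raw message with Python's standard email module and flags a public sender domain, a look-alike spelling of a trusted brand in the sender address, a link whose visible text names a different host than its href, a risky attachment type, and urgent language. The sample message, the public-domain, brand, extension and phrase lists, and the scoring weights are all constructed assumptions for this example.

```python
"""Score a raw email for common phishing indicators.

Added example (not Blumira's detection logic). The sample message and every
list and weight below are constructed assumptions for this example.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed lists; extend them for your environment.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}
TRUSTED_BRANDS = {"microsoft", "paypal", "docusign", "dropbox"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm", ".zip"}
URGENT_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                  "verify your account", "action required", "urgent")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message: look-alike sender, deceptive link, macro attachment.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security-micros0ft@gmail.com>
To: jdoe@example.com
Subject: Action required: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Sign in immediately:</p>
<a href="http://login-micros0ft.example.net/auth">https://login.microsoft.com</a>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""


def _sender_address(msg: Message) -> str:
    """Bare address from the From header, display name stripped, lower-cased."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()


def _looks_like_brand_typo(address: str) -> bool:
    """Crude look-alike check: after mapping 0->o, 1->l, 3->e, does a brand appear that was not there before?"""
    normalised = address.translate(str.maketrans("013", "ole"))
    return any(b in normalised and b not in address for b in TRUSTED_BRANDS)


def phishing_indicators(raw: str) -> dict:
    """Return a score, a verdict and the human-readable reasons behind it."""
    msg = message_from_string(raw)
    reasons, score = [], 0

    sender = _sender_address(msg)
    domain = sender.rsplit("@", 1)[-1]
    if domain in PUBLIC_DOMAINS:
        score += 2
        reasons.append(f"sender uses public mail domain {domain}")
    if _looks_like_brand_typo(sender):
        score += 3
        reasons.append("sender address is a look-alike spelling of a trusted brand")

    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            text += "\n" + body
            for href, shown_text in HREF_RE.findall(body):
                shown = urlparse(shown_text.strip()).hostname if "://" in shown_text else None
                actual = urlparse(href).hostname
                if shown and actual and shown != actual:
                    score += 3
                    reasons.append(f"link text shows {shown} but points to {actual}")
        elif part.get_filename():
            ext = "." + part.get_filename().rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                score += 2
                reasons.append(f"risky attachment type {ext}")

    lowered = text.lower()
    hits = [p for p in URGENT_PHRASES if p in lowered]
    if hits:
        score += min(len(hits), 3)  # cap so wording alone cannot dominate the score
        reasons.append("urgent language: " + ", ".join(hits))

    return {"score": score, "verdict": "report to IT" if score >= 5 else "likely benign", "reasons": reasons}


if __name__ == "__main__":
    result = phishing_indicators(SAMPLE_EMAIL)
    print(result["verdict"], result["score"])
    for r in result["reasons"]:
        print(" -", r)
```

The score threshold is deliberately low: a single strong indicator such as a mismatched link host plus one weak one is enough to ask the user to report rather than click, which matches the advice to send suspicious mail to IT first.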
In the age of frequent cyberattacks, do small businesses and big enterprises require the same security measures?
Small businesses and large enterprises don’t require the same security measures, but there are certain measures that every organization, regardless of size, should take to achieve a minimum security baseline. As a start, we advise all organizations to deploy multi-factor authentication, a robust antivirus product, an endpoint detection and response (EDR) platform, and a method to centralize logs so that IT and security teams have visibility over their environment and can be alerted early enough to detect a security incident.
Why do you think certain people still push cybersecurity to the background even though more and more organizations are hit by cyberattacks every day?
The short answer is that change is difficult. The long answer is that there are many factors that prevent organizations from prioritizing cybersecurity. Sometimes, there is internal conflict, for example, a leadership team that views cybersecurity as just another headache or doesn’t want to allocate a budget towards a security program.
People often see alarming statistics behind ransomware but incorrectly assume that their organization is too small to be a target or that they don’t store data that an attacker would be interested in. Additionally, many small businesses don’t have a dedicated security team, or even a single employee focused on security. Many of our customers, for example, have an IT admin or another similar role that is responsible for a variety of tasks, cybersecurity being only one task of many. To even consider prioritizing cybersecurity requires a certain level of security maturity, and achieving security maturity requires a change in mindset: from “How do I make this problem go away?” to “How can I become more secure in the long term?”
And finally, what does the future hold for Blumira?
Our goal is to make threat detection and response as easy and as fast as possible for smaller IT teams, from initial setup to daily management and use. The faster an organization deploys a security solution, the faster it can start detecting and responding to critical security incidents. Right now, the industry average takes months to set up. We see this as unacceptable and a major barrier to security success.
We’ll continue to roll out new products and tools to help small IT teams expedite time to security. Later this year, we'll be releasing Cloud Connectors, which enable IT admins to set up cloud security in a matter of minutes for Microsoft 365, AWS, Duo Security, and more cloud services on the way.