With work-from-anywhere now the norm, the attack surface across cloud, mobile, and IoT / OT / medical IoT environments has expanded significantly.
The upheavals of the past two years have left a clear mark on the cybersecurity sector, and the resulting threats continue to affect organizations of every kind: large companies, government agencies, medical institutions, and more.
While individual users can protect themselves with tools such as Virtual Private Networks (VPNs) and antivirus software, enterprises need more comprehensive solutions, including threat detection and response services.
For this reason, to learn how to better detect and manage cybersecurity threats, we reached out to Partha Panda, the CEO and Co-Founder of Cysiv – a company that is an innovator in the field of SOC-as-a-service.
Tell us a little bit about your history. How did Cysiv originate?
Cysiv began in 2018 with the recognition that existing approaches to threat detection and response were inadequate. A security operations center (SOC) – whether in-house, outsourced to an MSS or MDR provider, or a hybrid approach – is increasingly an essential part of an effective, layered defense security strategy. But SOCs weren’t designed for complex modern applications and cloud-scale data volumes or the highly fluid threat environment that has become common. They relied on outdated point solutions that weren’t integrated or efficient and they depended on cyber skills that were not widely available. And they weren’t effective: they generated too many false positives and meaningless alerts that prevented them from focusing on true threats and other high-value activities such as risk management, audit, etc. As importantly, a modern 24/7 SOC was simply beyond the means of the vast majority of enterprises because of the reasons stated above and the lack of skilled resources required to create and operate a SOC.
Cysiv was founded to address these problems by delivering world-class 24/7 cloud-native SOC, as-a-service, to businesses of all sizes. For some, including high-growth unicorns and resource-constrained businesses, we are their SOC. And for large enterprises, including the Fortune 100 companies we proudly serve, we augment their SOC, helping to elevate its efficiency and effectiveness and extend their reach to additional parts of their IT environment.
Can you introduce us to what you do? What set of tools do you use to detect and, eventually, remove threats?
Cysiv SOC-as-a-Service provides enterprises with better detection and faster response of true threats. We do this by uniquely combining our cloud-native next-gen SIEM, with a data-centric and automation-backed approach and a collaborative team of experts that operate as a seamless extension of your IT/security team. All of this is delivered as a subscription-based service, with predictable and flexible pricing, that can be operational in weeks.
Cysiv’s cloud-native next-gen SIEM has been purpose-built to accelerate and improve the threat detection, investigation, hunting, and response process. It combines essential SOC technologies – including SIEM, SOAR, UEBA, and a threat intelligence platform – into a single, unified SaaS platform. It is co-managed by Cysiv and by the client, providing them with full transparency and participation in the threat investigation process.
Unlike many services, Cysiv leverages its clients’ existing data sources from across their complete IT/OT/IoT environment and doesn’t mandate a specific product stack.
Security logs are an important input to the threat detection process. But alone, they’re not enough. Important signals of an attack might be picked up in an application, in enterprise infrastructure, or from cloud infrastructure. And valuable context can be derived from other related data sources.
That’s why Cysiv SOC-as-a-Service ingests, leverages, and provides cloud-scale storage for a broad range of telemetry and other data sources that clients have already invested in. This improves the quality of, and confidence in, the threats detected, and dramatically shortens the dwell time and mean time to detect (MTTD) threats, investigate, and respond to them.
You describe Cysiv as data-centric. Would you like to share more about your approach?
Security has increasingly become a big data problem. Specifically, a typical mid to large enterprise needs to be able to collect, process, correlate, analyze, and store billions of logs monthly from dozens of data sources, to identify threats that have bypassed their security controls and need to be mitigated.
Cysiv’s data-centric approach is highly unique and is the critical foundation for being able to deliver better detection and faster response of true threats at cloud-scale. We start by leveraging industry-standard frameworks like MITRE ATT&CK to help prioritize the data sources that should be ingested for broad or specific TTP coverage, and to identify potential blind spots. Some data sources provide significant detection value, and others not as much, depending on the use case the client has identified. We then ingest essential data and telemetry from the relevant sources to our cloud platform to get a more complete view of the threats across the clients’ entire IT environment. And we automatically enforce a common information model (CIM) to normalize and enrich this data, which maximizes its security detection value, and facilitates faster correlations and threat hunting across multiple data sources.
Cysiv uses ETL (extract, transform, load) because it allows for speedier, more efficient, more stable data analysis than ELT (extract, load, transform) processes that other providers may use. And we quickly support important new use cases to clients with additional data sources.
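The answer above describes prioritizing data sources by the ATT&CK data components they feed, normalizing them into a common information model, and correlating across sources. The following is an added example of that idea, written for this page and not Cysiv's code or schema: two constructed log sources (OpenSSH-style auth lines and JSON sign-in records from a cloud identity provider, with assumed field names) are normalized into one `AuthEvent` model tagged with the ATT&CK data component each event feeds, and a brute-force (T1110) correlation then runs across both. Neither source alone crosses the failure threshold; only the combined view does.

```python
"""Normalizing two constructed log sources into one common model and
correlating across them. Added example; the schema and field names are
assumptions, not Cysiv's CIM or any vendor's."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed source 1: OpenSSH-style auth lines (syslog stamps carry no year;
# 2022 is assumed when parsing).
SSH_LOG = """\
Mar  3 10:01:02 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:09 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:15 web01 sshd[2219]: Accepted password for alice from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:00 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
"""

# Constructed source 2: JSON sign-in records from a cloud identity provider
# (field names are assumptions, not any product's schema).
CLOUD_SIGNINS = [
    {"ts": "2022-03-03T10:01:20Z", "user": "alice@example.com", "ip": "203.0.113.7", "result": "Failure"},
    {"ts": "2022-03-03T10:01:25Z", "user": "alice@example.com", "ip": "203.0.113.7", "result": "Failure"},
    {"ts": "2022-03-03T10:01:40Z", "user": "alice@example.com", "ip": "203.0.113.7", "result": "Success"},
    {"ts": "2022-03-03T10:05:00Z", "user": "bob@example.com", "ip": "192.0.2.9", "result": "Success"},
]

# ATT&CK data components (DS0002 User Account, DS0028 Logon Session) that these
# events feed; tagging them lets coverage gaps be read off the normalized data.
FAILED_AUTH = "User Account: User Account Authentication"
LOGON_CREATED = "Logon Session: Logon Session Creation"


@dataclass(frozen=True)
class AuthEvent:
    """One authentication event in the common model, whatever the source."""
    ts: datetime
    source: str
    user: str          # identity normalized to its local part
    src_ip: str
    outcome: str       # "success" or "failure"
    data_component: str


SSH_RE = re.compile(r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"(?P<verdict>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+) port")


def normalize_ssh(text, year=2022):
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue  # unparsed lines are dropped here; a real pipeline would count them
        ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        ok = m["verdict"] == "Accepted"
        events.append(AuthEvent(ts, "sshd", m["user"], m["ip"],
                                "success" if ok else "failure",
                                LOGON_CREATED if ok else FAILED_AUTH))
    return events


def normalize_cloud(records):
    events = []
    for r in records:
        ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ok = r["result"] == "Success"
        events.append(AuthEvent(ts, "cloud_signin", r["user"].split("@")[0], r["ip"],
                                "success" if ok else "failure",
                                LOGON_CREATED if ok else FAILED_AUTH))
    return events


def correlate(events, threshold=4):
    """Flag (user, source IP) pairs that accumulate `threshold` failures across
    any mix of sources and then authenticate successfully (ATT&CK T1110 pattern).
    Successes do not reset the counter in this simple model."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.user, e.src_ip)].append(e)
    findings = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        failures = 0
        for e in evs:
            if e.outcome == "failure":
                failures += 1
            elif failures >= threshold:
                findings.append({
                    "user": user, "src_ip": ip, "technique": "T1110",
                    "failures_before_success": failures,
                    "sources": sorted({x.source for x in evs}),
                    "success_source": e.source,
                    "success_at": e.ts.isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    all_events = normalize_ssh(SSH_LOG) + normalize_cloud(CLOUD_SIGNINS)
    print("sshd alone:", correlate(normalize_ssh(SSH_LOG)))            # no hit: 3 failures
    print("cloud alone:", correlate(normalize_cloud(CLOUD_SIGNINS)))   # no hit: 2 failures
    for hit in correlate(all_events):                                  # one cross-source hit
        print(hit)
```

The point of the example is the join key: once both sources agree on what a user and a source address look like, a threshold that neither source reaches on its own is crossed in the combined timeline, which is the detection value the normalization step is meant to unlock.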
Have you noticed any new threats emerge during the pandemic?
Yes, during the pandemic, we’ve seen a significant rise in business email compromise attacks targeting Microsoft Office 365, as companies made a significant shift to the cloud for their office productivity suites, to better support remote workers.
Triggered by the pandemic, the shift to the cloud was often done in haste, and as a result, we’ve seen more intrusion attempts because of cloud misconfiguration issues, which typically happen as a result of a lack of attention to detail by the person configuring the cloud environment. One of the most common misconfiguration issues relates to cloud storage buckets, which should not be publicly accessible via the Internet, but which are often mistakenly left open.
We’ve also seen the resurgence of formerly disbanded ransomware groups, as well as the arrival of a few new advanced persistent threats (APT): a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. Some APT examples include Conti, RagnarLocker, Lockbit, BlackByte, Ryuk, and REvil.
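The cloud misconfiguration singled out above, a storage bucket mistakenly left reachable from the Internet, is one a practitioner can check for mechanically. The following is an added example written for this page, not Cysiv's tooling: it evaluates constructed bucket policy and ACL documents in the AWS S3 JSON shapes, entirely offline, and distinguishes a plainly public grant from a wildcard principal that a Condition narrows (which needs a human look rather than an automatic verdict). Bucket names, account IDs and the VPC endpoint ID are placeholders.

```python
"""Checking whether a cloud storage bucket is exposed to the Internet through
its bucket policy or ACL. Added example, not Cysiv's tooling; the documents
below are constructed in the AWS S3 JSON shapes and evaluated offline."""

# Constructed bucket policy that makes every object world-readable.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
}

# Constructed policy restricted to one role in one account (placeholder IDs): not public.
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReportRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}

# Constructed policy with a wildcard principal narrowed by a Condition. Whether
# it is reachable from the Internet depends on that condition, so it is flagged
# for review rather than called public outright.
CONDITIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromVpcEndpoint",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

# Constructed ACL grants in the shape of the "Grants" list from get-bucket-acl.
OWNER_ONLY_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "a1b2c3"}, "Permission": "FULL_CONTROL"},
]
WORLD_READ_GRANTS = OWNER_ONLY_GRANTS + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Both predefined groups count as public: AuthenticatedUsers means any AWS
# account anywhere, not accounts in your organization.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_exposure(policy):
    """Return [(sid, verdict)] for Allow statements with a wildcard principal:
    "public" when unconditioned, "review" when a Condition narrows it."""
    if not policy:
        return []
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        out.append((st.get("Sid", "<no Sid>"), "review" if st.get("Condition") else "public"))
    return out


def acl_exposure(grants):
    """Return the permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


def assess_bucket(name, policy, grants):
    """Combine the policy and ACL checks into one verdict for a bucket."""
    stmts = policy_exposure(policy)
    acl = acl_exposure(grants)
    return {
        "bucket": name,
        "public": any(v == "public" for _, v in stmts) or bool(acl),
        "needs_review": any(v == "review" for _, v in stmts),
        "policy_statements": stmts,
        "acl_permissions": acl,
    }


if __name__ == "__main__":
    for name, pol, acl in [("reports-a", PUBLIC_POLICY, OWNER_ONLY_GRANTS),
                           ("reports-b", PRIVATE_POLICY, WORLD_READ_GRANTS),
                           ("reports-c", CONDITIONAL_POLICY, OWNER_ONLY_GRANTS),
                           ("reports-d", None, OWNER_ONLY_GRANTS)]:
        print(assess_bucket(name, pol, acl))
```

A check like this belongs in a periodic sweep over configuration snapshots (the detection side); the preventive control is turning on S3 Block Public Access at the account level, which stops a stray `"Principal": "*"` or AllUsers grant from taking effect in the first place. The two checks are deliberately separate because a bucket with a tight policy can still be exposed by a single ACL grant, which is exactly the kind of slip the answer above describes.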
In the age of frequent cyberattacks, do you think small businesses and big organizations require the same security measures?
Yes, to some degree. Because the impact on a small business of a successful cyberattack or data breach can be as significant, in relative terms, as one on a big organization, they require access to the technology, expertise, and processes to better manage these cyber risks. However, smaller enterprises have historically lacked the skills, budget, and tools required to build, staff, and operate an effective SOC. But SOC-as-a-service democratizes access to this important security measure and overcomes these limitations.
It's important to note that the threats organizations will be most concerned about detecting and responding to are related more to their IT environment, their industry, and their existing security controls than to the size of their business.
What actions can make threats more difficult to detect and eliminate?
Detecting and responding to threats before they become a breach is increasingly critical, but it has become more difficult for several reasons:
- Modernization of Applications – finding hidden threats has grown exponentially more difficult due to the increasing complexity involved with monitoring modern applications (cloud, containers, serverless and composable infrastructure) and the associated cloud-scale volume of data that needs to be processed and correlated.
- Fluid Threat Environment – The attack surface that cybercriminals can target has expanded significantly with cloud, mobile, IoT / OT / medical IoT, and work-from-anywhere environments. It is increasingly difficult to defend against threat actors that can quickly launch automated, complex, multi-stage attacks. Their weapons are more sophisticated and effective, and they increasingly leverage machine learning (ML) and artificial intelligence (AI) to achieve their objectives.
- Increasing Security Complexity – Fully leveraging the data generated from numerous and disparate security solutions that have already been deployed, and correlating and monitoring this data 24/7 to find indicators of an attack requires specialized tools that are expensive and difficult to integrate and operate effectively.
Overcoming these challenges requires a range of specialized security skills that are difficult to find and expensive to hire, manage and retain. All of these factors have created the need for a modern, more effective approach to threat detection and response.
What new threats do you think the public should be ready to tackle in 2022?
Organizations that do business with, or have operations in, Russia, Belarus, or any other country that is experiencing broad sanctions, should be prepared for an increase in cyber blowback from state actors and cybercriminals in those countries. War and conflict always lead to technological innovation as adaptation is needed. So as the battlefield moves towards the cyber front, we will most likely see an uptick in state-sponsored attacks on our domestic industries. We will also probably see longer, drawn-out, and targeted campaigns. On the other side, the activities of hacktivists (hackers fighting for social and political issues) will also likely increase.
And of course, enterprises that have embraced the cloud, need to increasingly pay close attention to threats targeting cloud applications and infrastructure. This includes monitoring for and responding to unauthorized access, ransomware, phishing, and API abuse along with data exfiltration and ransomware attacks.
Additionally, what security tools should companies and individual users implement as soon as possible?
The tools that organizations should be implementing are ones that provide detection and protection capabilities that align with the customer’s risk profile. For example, email and web continue to be big threat vectors for most companies, and having inline protection for these traffic sources would be important to create the right foundation for a well-tuned security strategy.
Additionally, a next-generation SIEM is required to consolidate data from all sensors and tools to run more analytics and find hidden threats, investigate and respond to them across the entire IT/OT/IoT environment. First generation SIEMs often failed because they lacked the breadth of integrated capabilities required to do the job properly or because the buyers lacked the resources to do ongoing rules tuning or to manage the SIEM, and monitor it 24/7.
A next-gen SIEM, delivered as a service, overcomes these issues. Beyond that, the other security tools that organizations should implement really depend on the maturity of the company’s security posture.
Implementing the right preventative security tools and sensors is important, but of course will never be sufficient, as cybercriminals, including insiders or disgruntled employees, have demonstrated their ability to evade these measures. And that is why 24/7 monitoring is so essential as a complement to these tools.
Share with us, what’s next for Cysiv?
As we continue to support a rapidly growing set of customers, we’re making significant investments in the three core areas that enable us to deliver better detection and faster response to true threats.
First, from a data perspective, we are expanding our native support for an even broader range of cloud, IoT, and other data sources, while researching how we can further maximize the detection value of these sources, and further enhancing the analytics engine to leverage them on day one of client operation.
Second, we’re continuing to add new features and capabilities to our SOCaaS platform that further automate and accelerate the threat detection and response process, and that enrich the reporting and dashboards available to different user groups, from analysts to SOC managers and executives.
And third, we’re enriching the information made available to customers. Because of our data-centric approach, we can analyze and present some very interesting information that can help customers drive more maturity in their SOC including identification of coverage gaps, appropriate data sources to be ingested into the analytics engine to meet compliance and manage risks, etc.
With these enhancements, we will continue to expand globally, and work with partners to serve the needs of clients across the world.