Microsoft, Google & Cisco talk CISO priorities, state-sponsored attacks and the future – II

Photo by Jason Dent

Continued from Part I.

Abbas Kudrati, Chief Cybersecurity Advisor, Cybersecurity Solutions Group, Microsoft; Mark Johnston, APAC Head of Security, Google; and Dave Lewis, Global Advisory CISO, Cisco Systems give their advise in a two-part Q&A on the security realities during COVID-19 and what they anticipate the future to be like.

Australia has openly come out saying it has suffered a massive cyberattack recently, perpetrated by a foreign state. How does an enterprise protect against this massive asymmetry, of having to defend against state-sponsored attacks with limited resources?

Dave Lewis (Cisco): Whether the adversary is a “foreign state” or a kid in his room at home an organization needs to assess their risk profile. What are they trying to protect? They have to treat adversaries as they pertain to his assessment of risk. If an adversary is properly financed and motivated it’s always possible they can successfully breach a system or network. But, you don’t have to make it easy for them. Something as simple as replacing passwords with multi-factor authentication will go a long way to complicating the attacker’s attempts to access your resources. It is important to have clear recovery programs in place and the defined repeatable processes necessary to recover from an attack.

Mark Johnston (Google): Cloud service providers’ invest more in security than most enterprises. This takes enterprises beyond what they would typically build on their own (like Google’s cryptographic chip Titan to validate our boot chain integrity in hardware and integrated into our motherboards), and also takes away some of the basic toil that many IT departments struggle with. The shared responsibility model of Cloud also removes the need to manage underlying infrastructure protections. Google’s Advanced Protection Program (APP) for enterprises that are more susceptible to cyber attacks due to the sensitive nature of the data. It provides the strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts, and we’ve yet to see people successfully phished if they participate in APP, even if they are repeatedly targeted. For advanced workload protection, we recently announced Confidential Computing, which allows our users to keep their cloud workloads private by encrypting data at rest, in transit, and even in use. Our first product in this space, Confidential VMs (beta) gives you the ability to encrypt a running virtual machine, so that data within can’t be leaked or accessed by external processes. This is unique to Google Cloud and you can turn it on with one button – no app rewrite or replatforming required.

Abbas Kudrati (Microsoft): Microsoft is committed to supporting governments and businesses defend against nation-state attacks.

In the last two years, from 2018-19, Microsoft notified nearly 10,000 customers that they had been targeted or compromised by nation-state attacks.

While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics or for other objectives.

Often, successful cyber-attacks work because victims are not adequately prepared, and make common mistakes such as not updating software and operating systems to the latest, most secure versions, or inadvertently providing sensitive information to illegitimate parties via phishing scams. This goes back to implementing key, immediate steps to upholding cybersecurity.

Ultimately, businesses of all sizes need to keep up with the latest threats and ensuring that the correct measures are in place. This can be a daunting task, and as such, rather than trying to manage security on their own, businesses are increasingly relying on cloud service providers such as Microsoft whose core competency and focus is on keeping its customers’ data secure and compliant.

Budgets are squeezed because of the economic downturn, while cyberattacks rage stronger, and the CISO gets caught in the middle. Having to do more with less, what are the top 3 priorities for CISOs to secure their enterprises?

Dave Lewis (Cisco):

Top three priorities to secure the enterprises are deploying multi-factor authentication, scaling VPN solutions and enabling reliable video conferencing solutions to enable the remote workforce. 

Mark Johnston (Google): The number priority from my perspective has to be Resource Optimisation.

By removing tasks that provided high toil but low business value, which includes patching firmware and underlying computing infrastructure and networking equipment, it reduces the attack surface you need to monitor, protect and manage. Employ a developer or a DevOps engineer into the security team and skill up in scripting and automation frameworks. My recommendation is to try to use as many open source or cloud-agnostic approaches as possible.

With Multi-Cloud being the most likely reality for many organisations, try to find abstraction layers that allow you to leverage the strength of each provider in as centralised a way as possible.

Lastly it is to start the education path for security across the company. This is a catalyst for you to provide a different security experience for the business and the developers in your organisation. The goal is to build the home you want to live in for the next 10 years. While it might not feel comfortable initially, it’s going to last a while and you really want it to be safe.

Abbas Kudrati (Microsoft): With remote working becoming the new normal for most organizations, it is safe to say that priorities will shift significantly. All companies big and small need to think differently about how they can keep their data and people secure.

We recommend three important steps for organizations:

  • Have strong tools to safeguard employees and infrastructure, including multi-layered defense systems and ensuring that multi-factor authentication (MFA) is switched on as employees work from home.
  • Ensure clear communications of employee guidelines and education on how to identify phishing attempts, distinguish between official communications and suspicious messages, and reporting these potential threats internally.
  • Choose a trusted application for audio/video calling and file sharing that ensures end-to-end encryption.

In the long run, how do you see the security landscape evolve? What are the technologies that excite and/or scare you?

Dave Lewis (Cisco): The landscape will evolve to meet the needs to the day. With workforces the world over now being remote there will be a concerted effort to have a stronger control of data and intellectual property. Technology that scares me is the lack of reliable consumer grade Internet connections for far too many people. I’m excited to think that there will be a greater push towards more fiber optic networking as well as 5G. 

Mark Johnston (Google): To me, it’s critical that companies not make the same mistake twice. When organizations do not approach our systems and infrastructure with consistency and automation, room is left in the cracks for malicious actors to find and exploit. That said there is much to be excited about, the use of cloud computing will bring strong standardization and optimization of the infrastructure organisations use to run their business. These systems being software defined allow huge automation possibilities.

Cloud is natively built for analysis and not limited by traditional hardware and connectivity limitations which allow us to collect and analyse system health faster, as well as apply AI to improve outcomes by detecting potential configuration errors or limiting access exposure by analysing access usage. An example of this in action on GCP is something like Google Cloud Policy Intelligence which helps enterprises understand and manage their policies to reduce their risk. Overall I look positively on the future of security, we have answers today that we can deploy to help enterprises, governments and consumers alike.

Abbas Kudrati (Microsoft): There are two trends of interest from my observations of the industry so far – one of which I believe will continue to be prevalent in the short run, and the other, impacting the industry in the long run. 

Firstly, Zero Trust will become the immediate priority and biggest area of investment for cybersecurity – where the predominant security posture will be that each step across the network and request for access is evaluated and verified as a unique risk. In the past, Zero Trust was a business option, but now it is increasingly seen as a business imperative.

In the long run, for organizations to effectively uncover attacks and stop them before they do real damage, they will need solutions like Microsoft 365 Security that would enable an integrated view across apps, endpoints, networks and users. This will be crucial in unlocking greater maturity in terms of an organizational approach to cybersecurity as business decision makers start to prioritize a holistic view of its IT infrastructure and ensuring that users are truly secure as they continue to collaborate in a world of remote everything.