Ep. 6 – Top Tips for Reducing Cyber Risk with Suroop Chandran at SonicWall
Steve Rivera, CRO @ Logically
Suroop Chandran, Sr. Director of Product Management @ SonicWall
August 7, 2023 | 45 mins
In the final episode of season 1, Steve speaks with Suroop Chandran, Senior Director of Product Management at SonicWall, about his background in cybersecurity and highlights from the recently released SonicWall Threat Report. Topics include the evolution of threat actors and the cyber threat landscape over the last 20 years, how the onus of cyber hygiene has shifted to the end user, and how to maintain security at home. They wrap up their conversation with Suroop’s recommendations for mid-market organizations and the top two things you can do today to increase your threat resilience.
Listen wherever you podcast and share with your networks.
Key Takeaways from the Episode
- Understand the evolution of threat actors and the cyber threat landscape
- Learn about the shifting responsibility of cyber hygiene to end users
- Discover tips for maintaining security at home
- Gain Suroop’s recommendations for mid-market organizations
- Find out the top two actionable steps to enhance your threat resilience
Top Tips for Reducing Cyber Risk with Suroop Chandran at SonicWall – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, how to keep your operations sound, and your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today we’re speaking with Suroop Chandran of SonicWall. Could you introduce yourself? I know you lead product management for SonicWall’s Capture Client and the web application firewall products, but maybe you can share with our listeners how you got into cybersecurity and then maybe talk about your current role.
SUROOP CHANDRAN
Absolutely. So, interestingly enough, I’m probably one of the people in my generation who had the fortune to start my career in cybersecurity. I actually started off with coming to the United States. I was brought up in the Middle East in Dubai, but I did my undergrad in India, originally of Indian origin, and I eventually then went to do my postgraduate, or I should say my grad school, in the United States at the University of Pittsburgh, where I got to do a master’s in networking and specialization in security. That’s kind of where it started, in a sense. It was one of those early programs that was actually sponsored by the NSA, where they were trying to spread cybersecurity awareness and education through grad school programs, underserved programs, and the University of Pittsburgh was one of those early pioneers in that space. Once I got into that space, I couldn’t get out. So after I got out, I kind of got a little stubborn about the fact that I want to get a job in cybersecurity. I don’t want anything else. I remember getting a job as like a DB operator for any of these, and I decided, no, I don’t like this. I don’t want to do this. For an immigrant in the United States to be able to say no to a job three months later, it was a big risk I took. I figured out how much fun that would be because at that time, cybersecurity was still one of those niche spaces that you could only get a job in if you’re someone who has a lot of experience in IT. Here I am, three years of age, only gone through schools, never worked a job in my life. The other side of it is that if you do want to get a break, most companies were federal contractors, and obviously I’m not a US citizen. So getting security clearance level, I don’t know, minus one if that even exists is impossible. So three months and about 150 job applications later, I finally found my first job with a managed security services provider called Integralis.
They were based in Connecticut at the time, and they’re originally from Germany, but their United States operations were in Connecticut. And I got in over there, I think originally interviewed as a break-fix engineer. Those in the hardware world understand it’s this person who drives out to the site, plugs in the network cables, turns it on, walks away.
But fortunately, because I had studied and I had some fairly good background in understanding what security concepts are, they moved me up into the SOC pretty quickly. And that was my first experience in enterprise security. I shouldn’t say enterprise, but in cybersecurity, working in the SOC, managing firewalls, IPS, and doing eyes-on-glass monitoring for security alerts for mid-market customers. So credit unions, banks, healthcare organizations, state organizations. Really interesting experience being literally on the floor, working in shifts, working on call, leading teams eventually, making sure that our customers are secure with a company that I thought at that time was a real pioneer in the security monitoring space, because this was before even SIEM really took off. And I got really lucky that I got exposed to all of that, you know, in my very first job, and I’m really eternally grateful. That company eventually got acquired by NTT and is now part of the NTT security division. And after that, I moved into a much bigger sort of IT outsourcing organization. It’s a company called Wipro based in India, one of the largest IT outsourcing companies. Very interesting experience. Their customers are typically the Fortune 200. And you know, those security needs over there are very, very different. And I switched hats from being an operator to being more of a consultant on how to build a SOC, how to implement best practices for security technologies, et cetera. And that’s sort of where, after coming from the operator world and also playing the consultant side of the house, the seed of product management got sown. Right. Because I was like, okay, I know what the problems are when I use a product. I know what the problems are when I position products with customers and why they don’t like our products, whether it’s from the use perspective or whether it’s actually effective for them.
But I can’t keep complaining about the fact that my customer doesn’t like the product because it’s not good enough. How about I switch over to the dark side and figure out how to actually make the good product. Right. And that’s kind of how I rolled into product management and where I am at SonicWall right now. And I think my background being mostly in the security operations and SOC space, I got the opportunity to be in the cloud side as well as the endpoint and the SOCs. And what I do at SonicWall today is I am the product management leader for our endpoint strategy. I’m also leading our third party integration strategy. So as we try to build out the ecosystem with enterprise customers as well as our managed services partners like yourselves. And I am very heavily involved. I should say I forced myself to be involved in building out what should be our, you know, uber management strategy or security operations strategy, whether it’s for MSPs who are really, in today’s world, the real operators of cybersecurity. Right? Or even for those really highly regulated enterprise customers that want to do things by themselves.
STEVE RIVERA
Yeah. So you touched on a couple of great things that maybe we can chat about. So in your career, right, you started as an operator and you moved through your career. What have you seen, kind of, the threat landscape evolve, or threat actors and their tactics evolve, over your career, right? So, you know, that’s something I’m really interested in, kind of your viewpoint on how that has changed over the last maybe 10, 12, 15 years.
SUROOP CHANDRAN
So I think a lot of it is actually tied to how technology evolves. Right. So when I started off, you know, being in the SOC. You know, it was really fun to see attackers trying what you would call the classic vulnerability exploit. Right. We’d see SQL injections or cross-site scripting type of attacks or, you know, any sort of like application vulnerability. I remember actually looking at a series of events and seeing hexadecimal obfuscated SQL injection attacks where you actually have to decode from hex to text to see, oh, this is a SQL query. What are they trying to do with a SQL query in a web packet? Right. So that’s sort of where, like when I started, that was like the in thing, right? This is early 2000s, I would say, right? The in thing: intrusion into external systems and being able to get access to them. Not that malware wasn’t popular, but the challenge I think that existed at the time was how do you get the malware to the user? Right.
You still have to try to get a vulnerability exploit and maybe plug it into a server or something. Why? Because a lot of the broader mass of people weren’t already completely on the internet. And then over time, as more people at workspaces, at home, started moving their machines, you know, using laptops a lot more. I remember when I got a laptop in 2000, you know, 2004, it was the biggest deal of my life. Wow, I have a laptop. Right. Right. And, you know, so laptops started getting more prevalent. People started going to various places. Security layers started getting a little fuzzy. Right. Everybody’s not just in the network. There are now various other places you can get people. People are using more mobile drives. People started doing things like social engineering a lot more, you know, things like phishing, whaling, all of that started getting a little more popular where they’re trying to target users because of their behavior. So, you know, classic attacks that we’ve heard of in the past where, you know, someone calls you from a call center and says, Hey, you know, we’re calling from XYZ Bank and your password is expired. Would you like to set a new password? Tell me what it is. And we’ll set it for you. People fell for it. Unfortunately.
And the challenge that you see over there is that enterprises weren’t necessarily as mature. And so I remember working at one point on a project for implementing a SOC for a banking customer. Banking, no less. Right. Banking customer, and they were getting targeted by phishing attacks. So phishing attacks where the URL is posing as their bank and it’s going to their customers as email. And the head of IT security at that time, no less, is questioning us as to why the SIEM is not able to detect this. And I had to explain it. We’re not monitoring your users. We’re monitoring your employees. Right. I mean, how do we know they’re getting the email? I mean, you’d have to ask us to hack into Gmail or something of that sort. Right. So, as the proliferation of attacks started and the complexity of attacks started increasing, the maturity wasn’t really going up there as much. And I think the real turning point in my opinion were two events. Number one, I will say today, Stuxnet. Right. So, right. Stuxnet and how they went about taking what was at that time just called a virus. Right. And took down a nuclear reactor, which was later revealed to be potentially a state sponsored attack. Like, look at the number of changes of it. In an industrial system that nobody really understands, through a removable device that was an attack vector that people didn’t understand as much yet, from a threat actor that was state sponsored. Like, how does this, I’ve only heard of this in movies, Terminator or someone like that actually talks about governments getting involved. Right. This is real. Stuxnet just made the whole thing real. That was event number one. And that’s when the whole concept of APT, an advanced persistent threat, started getting popular. Right. Right. So, you know, then there was this whole marketing and thought about signature based AV not being good enough and malware is getting more and more popular.
And then, you know, underground dark criminals, et cetera. Then the second event that changed a lot of things: ransomware. Because now the thing with malware, with viruses in general, was it almost felt like you’re doing it because you just want to tickle someone. Right. You want to annoy them. I mean, what are you really getting out of it? All you do, you are, it’s not so easy to obviously go and get into every Stuxnet every time. But ransomware was simple enough. I encrypt your data. You want it back, pay me money. It became financially motivated. Right. And it didn’t help that cryptocurrency just blew up at that time because that became the number one source for how these criminals are getting paid. So ransomware had its run for a long time. So evolution of malware, evolution into ransomware, that all has kind of changed the game quite a bit. And I think in the last couple of years, some of that has started reducing. You know, a lot of those two events increased awareness, and increased awareness all the way up to boards and businesses, at least for a large number of enterprise organizations, to the point that investment in security became important. And as investments started increasing, it started getting harder for these attackers to get around. So, what we’re seeing now, and some of that data is in our report, is that volumes of ransomware are actually starting to dip a little bit. Volumes of malware after five years are actually dipping as well. What is increasing is what I saw back in 2000, early 2000s, the traditional intrusion detections and vulnerability exploits on these environments. But the attack surface has changed. The pandemic has put people anywhere, has put data anywhere, has put applications anywhere, and has created an explosion of devices ranging from my laptop to my phone to my printer to my camera to my Alexa to my washing machine to my television to my home security system.
And all of these could be attacked and compromise your machine. Why? Because I’m right now sitting at home on the same Wi-Fi as all these devices and one of them gets compromised, they can get to my laptop.
STEVE RIVERA
Yeah, so you’ve touched on a couple of things that I wanted to discuss with you because I was very much interested in the proliferation of the Internet of Things. And when I got into the industry, that was just a pipe dream, right? So, I started in cybersecurity in the 90s. You and I probably crossed paths because I was at Verizon and we were reselling Logically’s managed services, and so I remember, I think it was Vint Cerf, who calls himself the grandfather of the Internet, speak about the proliferation of these devices. He tells a story about how his doctor wants to know when he weighs himself, so the scale is going to be Internet enabled, and then eventually your fridge will be Internet enabled to tell you what you need to shop for and what you’re missing when you go low on eggs. And well, eventually he’ll step on the scale, his scale will email his fridge and then he won’t be able to open his fridge because he’s gained too much weight. And we used to laugh about that back in the 2000s, but this is now becoming a reality. And like you said, all of these devices are sharing that same Wi-Fi, which now becomes an attack vector. It becomes a launching pad for future attacks.
I mean, this is something that I was reading in the report, right? In your report, you’re talking about the Internet of Things really going to be that next wave of kind of what we have to protect. What can you share with our listeners that are some best practices when it comes to their corporate entity and protecting the mobility of all those devices you touched on laptops, but then there’s data is growing feet and going everywhere. So, what are some of those best practices that you could share with our listeners?
SUROOP CHANDRAN
Sure, sure. So, I think a lot of the best practices isn’t magic, right? It’s really about hygiene. And I know it’s a really overused word and a lot of people think, well, if I could figure out hygiene and patch management, then we never really have a problem. But the thing that I’ve seen the most, really the most important, and I want to hit on IoT for a second because that’s relevant to this, is because when IoT and its explosion started, most people looked at it as an enterprise problem to solve. But from the angle of the IoT devices that you’re using in your office, right? So as an example, I remember reading at a time, there were a series of attacks of how organizations got hacked because they were able to get into the building control system. Right? And that was connected. So that has happened and probably still can happen. But I think the change that’s happened is that because of more people working remote, the attack surface is not that building control system. It is your personal device. So now the onus of hygiene has shifted. It’s shifted from the admin of the enterprise to the end user. And as an end user sitting at home with my corporate laptop, my organization is not going to be able to do anything about my home Wi-Fi or my home devices. The best they can do is to keep my device secure. Right? So, and I’ll talk about that, what we could do in those measures as well. But as an end user, there are a few things that you really, really want to be careful about. Right?
We talk about two different things that will work in the enterprise, but also work at home. Number one, never, ever, ever use default settings on devices. How many of you have logged into your D-Link router with admin-admin? And it still works. Yeah, it’s so true. So if you go to Shodan, it’s just nuts. Right? You’ll find so many routers out there and I’m sure people could probably hack into half of them. Right? So get rid of default settings, number one. Number two, be extremely careful with your credentials. Please, please, please do not use your corporate password to log into Facebook or Instagram or something like that because that data will get leaked and you are done for at that point. The third thing, we talk about microsegmentation a lot, but how many of us actually practice it at home? People actually have a firewall at home that will do microsegmentation. It’s not a really common thing. Right? But the easiest thing you could do to actually separate some of this traffic is, everybody’s got broadband, high speed broadband and super high speed Wi-Fi routers at home, 5 gigahertz, 2.5 and usually dual band, quad antenna, all that fun stuff. The least you could do is to keep two separate Wi-Fi networks, one for your personal devices and one for your corporate device. That’s the least you could do. And it’s very simple to do that. It’s not rocket science. So I think at a personal level, making sure that we maintain our own hygiene of network and information security at home is going to be really, really important. Now where do enterprises come into place?
So, enterprises have to come into play because humans are humans. We all know that the biggest problem in security is layer eight. So there have to be measures put in place. So obviously all the usual things: endpoint security has to be intact. I won’t even say up to date because we’re beyond signatures at this point. So it has to be intact, has to be covered. Zero trust is big. Never trust the fact that the user sitting at home with the corporate laptop is actually safe because the device could be infected. How do you know?
You know because when you apply a zero trust framework, you could use device posture. You could determine if the machine actually is infected or not, and then you could restrict their access or block their access altogether. That’s why endpoint security is important, because you need to have coverage. You need visibility. You need to be also able to make some of the hard decisions. Yes, everybody wants flexibility, but do you want to allow everybody to use all the personal devices to access all your corporate resources? Zero trust would say no. Why? Because you don’t know what they’re doing with their personal devices. Think about all the recent news you’ve been hearing about ChatGPT apps that are fake but actually malware. I open up my phone and I go to my VPN, log in and I get my corporate data. There’s all my customer data in it and well, I have an app here that’s stealing all that data. Well, you’re done for. Well, then don’t allow them to get to that kind of data using your VPN. You want to use a VPN? Use the corporate laptop where we have a lot more control and visibility. I love BYOD. Absolutely. I totally love BYOD, but it has to be rolled out with discretion.
STEVE RIVERA
Yeah, that’s a really good point. I wanted to shift gears a little bit to talk a little bit about your experience in building security operation centers because a lot of our listeners are deciding whether they build a SOC in the mid-market space and then the challenges with resources or out task that and go to a provider. In your opinion and your experience, when do you see there’s a break even point where it actually makes sense for someone to build a SOC or leverage a third party?
SUROOP CHANDRAN
I think really the break even comes in terms of how much of a budget are you willing to spend on tech and people? That’s number one. That’s a big thing, of course. That ties back to what is the financial motivation to actually do this? For example, if you look at cyber insurance, a few years back, it was really probably a thing of the enterprise organizations. The enterprises have bigger budgets and so they’re able to go and invest in people, process, technology to build a stack that will give you security operations. Now, none of that is easy. Even process is not easy because people are going to ask you, well, how do I hunt for the latest threat? I don’t know. You’re the expert. You should know how to do that. Or well, what is the latest threat? I don’t know. Well, how do I use XYZ SOC tool to do that? I don’t know. That’s the real question that most people who are making these investment decisions are going to be asking. Enterprise organizations have the money to go and buy the skill and they’ve done that in the past. Cyber insurance now making it down to the lower, I should say the mid-market here, and maybe even to some of the upper end of SMB if you want to call it that, right, has started to make it more urgent. Urgent to the fact that it’s not just about time. I mean, not about money. It’s about time as well. I can build a SOC, but it’ll take me 18 months. Well, am I going to be remaining unprotected without proper insurance or do I want to be paying those high premium rates of insurance for that much time? Not really. Right?
I think with mid-market and lower mid-market, I would highly recommend that they start looking at providers first because the job of building a SOC is a true SOC, right? Now there are some providers who will say they have a SOC, but all they’re really doing is managing firewall policies and deploying endpoint software. I mean, that is a function, potential function, of the SOC, but the real SOC today is one that does detection response. People who can actually do true real-time detection response or near real-time detection response, that’s really the one that actually runs the SOC, right? 24-7, all those things. A lot of MSPs don’t want to get in that space because they don’t have the money. These are not cash rich organizations. They run on recurring revenue and that’s really where their profit really comes from, the month-to-month profits that they make. So they can’t make big investments, right? They also have to pay now increased monthly amounts for insurance premiums because that’s just, you know, if they don’t have the insurance premium, the next attack that hits them, they have to pay out, or they’ll pay for all the data breaches that they’ve done. You’re in trouble, right? So mid-market organizations are probably in a better place to start looking at providers who are specialists at this or who have already made the investments to build and run the SOC, build the credibility, have the people, and probably also have the engineering layers to build productivity enhancements, because with it, you can’t just say, I’m going to hire 100 people and run a SOC. It’s not going to work. It’s not going to be scalable.
STEVE RIVERA
Well, yeah, not only that, but you’re also competing with some of the largest organizations and institutions in the world that can pay better and then cybersecurity groups that are hiring away as well. So I wanted to, it’s really good point. I also wanted to take a look at, you know, going back to the report that you guys have just published. I was reading the report and it looks like, you know, of the top data breaches from last year, the top five, it looks like three of them were government. And we do have a part of our listener base that are part of state, local, education, municipalities. What can you say about that trend that in the top, you know, five, three of them were large government, you know, entities that were breached last year?
SUROOP CHANDRAN
So I think with government entities getting breached, they’re usually, I don’t believe they’re financially motivated, because it’s not like they can hack into a government agency and steal a bunch of money or ransomware them out to pay something. I mean, City of Atlanta or, you know, other states and cities that have been hacked similarly, attackers aren’t necessarily looking for the money from them.
The bigger problem we have to be worried about is the nation state sponsored attacks. And if you look at what happened last year, you know, like for example, I guess it was a Killnet attack that targeted hospitals in the US. It’s this year, in fact, late last year, this year. And they were not motivated by wanting to get money from these organizations. It was determined that the motivation was purely going after countries that were geopolitically positioned against them. In this case, it was like the East European situation in the Ukraine war and things like that. Right. So, they’re not looking for financial motivation. They’re looking to disrupt and deface governments and their credibility by getting into their networks.
Now, it’s not that that’s the only thing, right? So, like when the pandemic happened, NHS got hit and all that, you know, some of the motivations were of course, you know, they’re really vulnerable right now. This is the time to go after them, right? WannaCry and all. Shame, shame, shame on these actors for, at that time, going after someone like NHS and using that as a crutch to make money. And I believe for a period, there was a bit of an unsaid agreement that during the pandemic, they won’t go after hospitals. I’m not sure everybody actually followed that. So government organizations should certainly be a little more worried, and it goes all the way right to the bottom. Of course, they’re holding citizen data and that is the challenge.
So very recently, there was a breach reported right here in India, where in India, when you get a vaccination, there is an application that you can log into to sign up for a vaccination. That you get for your COVID essentially. It was an app that was developed in India with the investment from the Indian government and a breach has been reported in the application. The problem with this is that there’s a lot of citizen data associated with this application, personally identifiable information as well as personal health information. Are you vaccinated or not? What’s your, what we call the Aadhaar number, which is kind of like the social security number in the United States, a unique identity number essentially. So people are going after governments to get some of this data, maybe people are going after governments to deface their credibility. People are going after government agencies because they control nation state infrastructure. But very rarely are they really going after the fact that they want to make money. It’s just because this is the new way of war.
STEVE RIVERA
Yeah, some other folks have been talking about this new concept of cyber warfare and how it’s kind of changed the game a little bit: disrupting communication, disrupting the ability to, everything seems to default to cyber. And that just becomes a part of the campaign in cyber warfare. I mean, how do you see this playing out over the next few years? I mean, do you have a, I know you don’t have a crystal ball, right? But do you see things changing from a cyber warfare perspective, or even how mid-market can compete with these nation states and these other large companies that are consuming mass amounts of the cyber resources right out of college? How can the mid-market compete with that in this kind of new world order that we see in terms of cyber attacks?
SUROOP CHANDRAN
So I think the big sort of linchpin to make this successful, you know, for organizations that can’t actually throw all the money in the world, is what we call in India PPP, which stands for public private partnership. If the mid-markets can’t obviously withstand the might and the money of these nations, especially in state sponsored attacks, the people who can are the governments, and the governments hand in hand with the larger enterprises, whether they’re technology companies like ourselves or enterprises that own massive security operations teams as well. Threat intelligence sharing through agencies like the FS-ISAC or the Retail ISAC are very effective mechanisms for sharing information about the latest threat campaigns, what kind of patterns are being seen out there and what people should be looking out for. I actually applaud CISA for the amount of work they’re doing to actually make that happen. Not just in the government, but they’re actually working with private organizations as well to be able to share that kind of intelligence and provide advisories on being able to do these kinds of things. It’s not a common trend that you see across many other organizations, or I should say other countries; cybersecurity as a real pillar in government policy is not found in a lot of countries. In some countries, it’s still very native or nascent, I should say. Whereas in others, it’s very, very mature. I can’t, I don’t think I have enough geopolitical information to say whether India or the United States, where do they fit in that spectrum. But they’re both doing pretty well in that space. The least you could do is have a national CERT that keeps an eye on these things and lets you know, which is what happens in India and what happens in the US as well. Public private partnership is really, really important.
Second is everything else. Everything else still matters. All the best practices, the hygiene, continue to invest in security. I think education to customers also becomes important, especially if you’re a managed services provider. The challenge that a managed services provider is always going to have is, and this has been on for decades, is that if you think about information technology or applications or even cloud for that matter, it’s really easy to quantify what the financial benefit is. Hey, I’ll implement automation to save 10 people’s jobs, or I’ll move my CRM from on-prem where I’m spending so much money on the application, and so I’ll go to the cloud and cut my cost by X percent, whatever it is. How do you quantify security? Because the only time you actually see the value is when a breach happens. So the closest thing, seemingly the closest thing that you can actually do to help quantify your security investment is an insurance premium.
If I don’t have the right security, my premium goes from, I don’t know, $5,000 to $50,000. I don’t have the money to pay that remaining $45,000, but if I invest 20,000 more, it keeps my premiums down. Simple math. Right? So, I mean, those are some ways and I think that’s the hardest thing that organizations are going to have to do. So this, I like the fact that cyber insurance is being taken more and more seriously even as you go down from the highly regulated and large enterprise organizations because the least it’s doing is making a financial business case for investing in security.
STEVE RIVERA
No, it’s really important what you just laid out because I think that is the challenge, right? There really is no return on investment of security until you have an incident. And some of our customers and partnerships, we find that they say, well, nothing’s happened. You’ve told me all these things that could have happened but didn’t happen. And now justifying or quantifying that to the CFO and the board where they’re looking to reduce costs is somewhat of a challenge. So, in a case like that, how do you recommend that quantification take place? I mean, how is it that you’re, you know, the reports are great. I mean, third party attestation is always great, right? And a third party like SonicWall saying, this is what we’re seeing, these are the trends, this is how you need to protect, helps because then you go to your board or your CFO and say, we need to put these countermeasures in place to protect against this. Here’s the increase in malware that, you know, a provider like SonicWall is seeing. But how would you recommend those conversations take place?
SUROOP CHANDRAN
So it’s what we’re seeing as a trend, right? And it’s very interesting. When we talk to our customers and partners, and I’m comparing this against what I’ve heard like some years ago, right? When you offer a security service, everybody, you know, is expecting or if you’re, whether you’re in-house or external, right? Your business stakeholders who are looking to invest in security are looking for some kind of a report, right? Weekly monthly something that says, you know, basically where you prove what you did. And back in the day, the expectation was that the report’s going to come back saying, green, green, green, green, green, green, green, green, green, green, you’re awesome, right? Which doesn’t really mean that you actually did a great job. It probably means nothing happened. So, you’re going to do it.
But what’s changing now is that the kind of intelligence that our customers are expecting to see in the reports is not just that everything looks good, but show me that if something was green, it’s because it was red and we changed it to green. For example, there was a malware attack, but we took care of it. There was a surge in certain types of traffic. We found that IP, we blocked it. This level of intelligence and to be able to measure and report that school report is essentially what organizations are looking for. And, you know, we started off with a concept in SonicWall that we call the risk meter, right? And the risk meter was essentially a mechanism to say, you know, we take our global threat intelligence and we compare that against what you, Mr. customer or Ms. customer have for security, at least from SonicWall, and then eventually we expanded out for other products as well. So do you have a firewall? Do you have email security? Do you have endpoint on the email? Have you turned on anti-phishing, DLP on the endpoint? Have you turned on, you know, pre-execution, post-execution analysis, threat hunting capabilities, whatever it might be, right? And based on each of those controls that you’re using, we calculate, you know, a score of how risky you are. Because what we’re seeing is, well, last week we just saw the surge in attacks targeting endpoints where script based set, you know, protection would be very, very valuable because it’s all fileless malware. But Mr. customer or Ms. customer, you don’t, your script based detection engine is turned off. So you’re at risk because there’s an increasing volume hitting your endpoint and you’re at risk. That’s a problem. So this kind of mechanism, and I think the market is sort of calling it a cyber risk quantification or something of that sort, right? There’s a few vendors out there playing in the space. Microsoft has done a pretty good job with their platform with the Microsoft Secure Score.
I’ve got to hand it to them, right? Similar concept in that through this dashboard or report now, you’re not just seeing that it’s green.
It could be red, it could be orange, but you also see why. And you’re also getting guidance on what should I do to fix this? Should I turn on a setting? Should I get a machine off my network? Should I turn off the setting? Should I implement something else? Or should I go patch a system? It’s a combination of all those things that will ultimately result in, you know, a risk score for you.
STEVE RIVERA
Yeah, I’d like to shift gears because, you know, one thing that I thought was really interesting about the report was the increase that you guys saw in PDF based attacks. And I found that interesting because I’m paranoid by nature, so I don’t click on anything, whether it’s a link or a document. If it’s unsolicited, I’m always picking up the phone and calling someone, even internally. Hey, did you mean to send me this kind of document? And do you really need me to open it? So I’m noticing in the report that there was like a 35% increase in these attacks. How can mid markets protect themselves from that being, you know, the attack vector that’s used to penetrate the outer shell? PDFs are something that are commonplace, e-signature for contracting. How would you recommend that companies and organizations protect against that?
SUROOP CHANDRAN
Ultimately it has to be a layered approach, right? Because if you look at the way that they’re trying to get to us, think of the journey of what’s happening over here. How, who’s sending the PDF? It’s usually someone who’s like a potentially trusted user who compromised an account or a spoofed email account. If it’s compromised, you have bigger problems. Let’s, let’s, we’ll solve that. You know, so credential theft is a real problem. You’ve got to be able to identify if this is a real email address or not. Basic email social engineering techniques that get used like this can be easily averted by plain awareness training for your users. A lot of people are doing things like phishing simulations and email, you know, attack simulations on users. So, phishing is still, is one of the largest vectors for threats to organizations. And that’s how these PDFs are getting to you, right? There’s a segment of this that’s coming out of like shared links from like OneDrive. So I mean, I don’t know what, you know, bit.ly, whatever it is. So I think it’s suspicious, but what if it just says office.sonicwall.com because somehow somebody got access to somebody’s OneDrive share and hosted it over there. You still want to click on it, right? So that’s a different problem that we need to solve and I’ll talk about that in a second, right?
So, but the first part is, and it feels like the last part, but the first one actually has to be get your users to be more aware about identifying whether an email is bad or not. Now this is getting challenging because whether you like it or not, ChatGPT is going to have a really bad influence on site security as well. Good one, but don’t forget that the good people aren’t the only ones using it, right? Bad people are too. A lot more. So it’s going to get probably a lot easier to create an email that looks legitimate, but you know, put all kinds of stuff in it, right? Essentially.
So back to the PDF. So now what happens is if let’s say that they, the email seems legitimate enough and they get it. Now as they get it, when it comes through your defenses, you need to have good email security that can catch these documents, can analyze these documents. So for example, with Capture ATP, if we pick up one of these documents, we throw it in, it goes into our patented real-time deep memory inspection that kind of tears it apart and finds a malicious URL or malicious script embedded in it and says, this is a bad file. This is the reason why we can find these things, right? And it’s not easy, but it has to be done. And that’s why we always encourage you to take advantage of Capture ATP as much as you can. But you need that layer. And you need that layer first at the email to catch it when the email comes through. And then second, let’s say the email does get through because you don’t have the layer. User opens up the document and either clicks a URL or the document loads some kind of JavaScript which makes a call out to the bad world. Let’s call it that.
Then you need a second layer that will actually protect you from that. So whether it’s content filtering, URL filtering that’s driven by threat intelligence, or even the latest craze, which is DNS protection where domains don’t even get resolved because it’s a known bad domain. So that’s the second sort of layer. Now let’s say you don’t have all that and whatever, you don’t have the investment, so you don’t have all that. You make the call, it hits your, something gets downloaded at that point, right? Because what’s the point of this? The idea was to make an entry. What do you do then? So, either you make a command and control call or download something malicious. That malicious thing then hits your endpoint. It could be file based, could be fileless. Either way, you need something on your endpoint to be able to find this. I’m not going to say that signatures aren’t enough anymore because that’s old school. But let’s just say static analysis itself is not enough anymore. You need behavioral AI. Like what Capture Client has with the SentinelOne engine, and similar technologies are coming up from other vendors as well. But the ability to do, to be able to identify suspicious behavior and then say, this is bad. Either it’s on your endpoint that is trying to create persistence or trying to reach out to get credentials from your machine or maybe make a lateral movement to other machines as well. You need to be able to catch that and say, this is bad and block it.
STEVE RIVERA
Yeah. Great stuff. I really appreciate just the conversation. If there were two takeaways that you would recommend that our listeners do today, what would it be? And I know limiting it to two is a bit of a step.
SUROOP CHANDRAN
Honestly, I think for all users, because, and I said, I would recommend this takeaway for the simple reason that it’s often ignored. And that is take a look around your house and see what devices are internet enabled. Are they okay? Are they patched? Are they running default settings? Are they on the same Wi-Fi that you use for connecting to your corporate VPN? Do something about it. I think I talked about what to do, but definitely do the right things about it. Get off the default settings, change the Wi-Fi that you’re connecting to, make sure they’re patched to the latest. It’s not easy, but the onus is on you as a user, not just as an admin. That’s the number one thing.
Number two thing I would recommend is absolutely, if you do not have already a partner or a capability, today start looking at partners that can offer you managed detection response. Someone like yourselves, it’s you, right? We can offer the managed detection response services to help you stay asleep, not awake at night.
STEVE RIVERA
I like that. I think we just found our next tagline. But Suroop, thank you very much. I want to encourage our listeners to go out and get SonicWall’s Cyber Threat Report. It’s a fantastic read. I learned so much. Suroop, thank you very much for your time.
That’s all for this episode. Make sure you take time to listen to our next episode of Logically Speaking and stay cyber-first and future-ready.