Welcome to the Leading from Within series. Here, we showcase leaders from within Morphisec as we discuss emerging topics and trends dear to the cybersecurity community. From ransomware variants to phishing scams, from attacks on healthcare institutions to the downsides of digitizing your workforce--we’ve got you covered. We hope this series provides valuable information as you secure your cloud-based, as well as tangible, assets.
Today, we’re speaking with Netta Schmeidler, VP of Product. She has more than 25 years of experience managing global development groups and product teams. Without further ado, let’s jump in.
Netta, what do you think is the single most important thing emerging enterprises can do to protect their data?
Netta: Well, I think prevention tops everything else. There are all these methodologies on how to detect, or how you can detect better, but prevention trumps it all because if the breach hadn't happened, then you don't need to handle it. You don't need to notify or do these post-breach activities.
So I think by far prevention is the best technology out there.
It seems like prevention has taken a back seat to detection. Why do you think that is?
Netta: Well, I think it got a bad reputation due to signature. You see, initially, prevention was all about signatures. Then, attackers switched signatures very fast, right? So, there was this huge set of signatures and nothing was ever updated, so it didn't really work.
So that was the reason for the shift to detection. “They” said, "Well, prevention doesn't work. Let's do detection. Let's try to detect by behavior. Let's try to detect anomalies. Let's get a lot of telemetries, and we'll be able to analyze it." Therefore, over time, the sort of race became, "Let's get more and more telemetry. Who's the king of telemetry?”
Whereas, after that, people said, "We have so much telemetry. How are we ever going to analyze it?" Because there were sets of breaches that, looking back, people could actually recognize, in their telemetry, if they could possibly analyze it on time, but they can't. Right?
So then people said, "Let's do a SIEM." Or, "Let's do second-generation SIEM," where a SIEM tries to do more and more analysis. They created this problem by generating all this telemetry, and now they were trying to solve this problem of their own creation. Why did you even collect all this telemetry when it's meaningless, right? So that was, I think, the initial reason, prevention was pushed aside for defense. Everything else came on top of that.
What excited you about the field of cybersecurity?
Netta: This is a field that's always changing, right? That's, I think, one of the great things about it because there are all these other fields that are pretty static. This field is very, very dynamic. Your attackers are very dynamic, right? So kudos to them. They keep changing the demand and as they keep changing things everything changes with them.
This isn't like solving the problem of Alzheimer’s or cancer--but cybersecurity does good. I think doing good is something that we all want to do.
You mentioned that threat actors are pretty dynamic. Since they constantly change, what is the typical profile of a threat actor?
Netta: Some of us have this sort of perception of this very intelligent guy working as he sits in his room in Eastern Europe or whatever. Then, you find out there are these teenagers in Canada, right? [When they get caught] they come into the police station with their mother, and she bails them out, and it's all like...
Are cybercrimes simple crimes of opportunity or state-sponsored attacks?
Netta: So some of these, I think, are crimes of opportunity. They are teenagers that are loners in Canada or the States or wherever. But, I think the real ones, they're all state-sponsored. You can look at the attacks and see where they come from and figure this out.
So, I think, a lot of the heavy guns and a lot of the resources and the money are moving towards these state-sponsored attacks. Sometimes they get shut down (look at FIN7), and they change, and they shift, but they come back.
Do you think the next war will be digital?
Netta: Well I don't know exactly what the next war is, because there are all sorts of half-war situations in many places. Look where they use poison as warfare, is that digital?
That's not digital, but it still is advanced. It's chemical warfare. It's biological warfare. So I think that's a large part of it, and yeah, it’s a big scare. I don't think it's all going to be like tanks--tanks are last century. That's not where everything is. But look at the drones, drones are starting to be a big part of warfare in general.
A lot of the IoT threats are dangerous. Additionally, a lot of the threats revolve around power plants too. If you could turn down a power plant, or even smaller things, if you just shift the balance between various power towers, then you could put down a whole city, and that's really warfare, and that could be terrible.
Advanced modern warfare. As we grow and as things get so much better, there are also so many different ways we can hurt one another if we choose to.
Netta: Very much so, yeah.
Do you feel that, once organizations switch to prevention, threat actors are just going to be smarter? Do you foresee any emerging threats?
Netta: I don't know. I think they're going to do their best, right? Right now, basically what they're doing is they're adding more and more small engines or more and more techniques. I think at some point they'll do this whole switch, saying, "Okay, this technique is working out pretty well.” Then, they’ll add another technique. We’ll add defense strategies, then they’ll add another technique; a whole MITRE attack chain.
Right now, I think it's working very well for our adversaries, so I don't think they need to switch anything, but yeah, once the world switches to deterministic prevention, which is what we do, I think at some point threat actors will need to look for something new.
Like the memory, which is the battleground, the real battleground, where, up to now, they were winning--now they're losing because we're there. So they'll need to see what else they can find. The thing is, there's not a whole lot more, right? Because there are only so many things you have when you plan an attack. You have your machine. You have your users. You have your application. You have your memory. That's all there is to it, so I don't know what they'll come up with. But they're smart people.
Good, good, so got to be on our toes, too.
Netta: Yes, we do.
Don’t forget to subscribe to the Morphisec Breach Prevention blog to for how to prevent damaging attacks, and to keep up to date on the latest threat research of the Morphisec Labs team.