What does it take for organizations to stay one step ahead of cyber threats in an increasingly digital world? In this episode, I sit down with Dirk Schrader, Field CISO EMEA and VP of Security Research at Netwrix, to explore the state of cybersecurity and the findings from Netwrix's latest annual security report.
The conversation reveals a stark reality: 79% of organizations experienced a cyberattack in the past year, a rise from 68% in 2023, with ransomware remaining one of the most significant threats.
Dirk offers insights into what these trends mean for organizations today, especially as cloud-based infrastructure attacks are now matching on-premise incidents. He highlights how identity compromise has become the primary attack vector, particularly for privileged identities, underscoring the importance of identity and privilege management.
Throughout the episode, Dirk shares the protective measures organizations can adopt, from fostering a positive security culture that encourages reporting and proactive engagement to utilizing just-in-time privilege approaches and identity threat detection systems.
We also discuss the challenges and opportunities brought by remote work and the increasing reliance on cloud services, which demand a shift in traditional security practices. Dirk advocates for a flexible but resilient approach to cyber risk management, where understanding sector-specific needs and balancing regulatory compliance play crucial roles.
Lastly, we touch on the role of AI in the evolving cybersecurity landscape—both as a defense mechanism and as a potential tool for adversaries, especially with threats like deepfake voice calls and scalable persuasive phishing on the horizon.
Tune in to understand how Netwrix's research and Dirk's expertise can help your organization anticipate risks, fortify defenses, and foster a robust security strategy in an era where cyber resilience is paramount. What cybersecurity challenges have you faced in your organization, and what steps are you taking to address them? Let us know your thoughts.
[00:00:03] How are organisations managing the increasingly complex and evolving landscape of cyber security today?
[00:00:11] Well, to explore this pressing question, I'm going to be joined by Dirk Schrader,
[00:00:17] Field CISO EMEA and VP of Security Research at Netwrix.
[00:00:21] And with an extensive experience in cyber security research across critical industries from healthcare to energy and finance,
[00:00:28] my guest today is going to offer his unique perspective on the latest threats and effective strategies for protecting against them.
[00:00:36] For example, according to Netwrix's recent annual security report, 79% of organisations have experienced a cyber attack in the last 12 months.
[00:00:48] That's a significant increase from the previous year, and among the top concerns are the usual suspects,
[00:00:54] ransomware attacks, identity compromise and the growing risks also associated with cloud-based infrastructure.
[00:01:02] So we're going to have a look at that report today, some of the cyber security trends that every organisation should be aware of,
[00:01:09] and also the alarming rise in attacks on cloud infrastructure,
[00:01:12] the critical importance of managing privileged identities,
[00:01:16] and some of the best protection and mitigation measures from implementing a just-in-time privilege approach to fostering a more security-aware culture.
[00:01:25] I think that culture side of things is often missed.
[00:01:28] So whether you're dealing with the challenges of remote work security or looking to future-proof your cyber defence against AI-enhanced threats,
[00:01:37] this conversation has got to be packed with valuable advice and real-world examples to help you and your organisation stay secure.
[00:01:46] But enough from me. Let's get Dirk onto the podcast right now.
[00:01:49] So a massive warm welcome to the show, Dirk.
[00:01:53] Can you tell everyone listening a little about who you are and what you do?
[00:01:57] I mean, we last spoke, I think it was July last year, wasn't it?
[00:02:01] Well, it has turned a bit in the last 12 months.
[00:02:03] Well, thanks for having me, first of all, having me again, Neil.
[00:02:07] My name is Dirk Schrader. I'm the VP of Security Research at Netwrix, which is a title that is kind of broad.
[00:02:15] And I'm trying to sort of live up to this broadness by saying I am looking into ways I can help our customers,
[00:02:24] our prospects to make better use of our products, how to improve our products in terms of addressing future cyber security risks, trends, needs.
[00:02:36] And on the other hand, I'm doing sort of broad security research like our recently published reports and some sector-specific research as well.
[00:02:46] On top of that, I guess, probably mid-50s guy, bald, bald is beautiful. Here we go.
[00:02:52] I love it.
[00:02:53] And I think the last time we spoke, we were talking about the cloud data security report and how it revealed so many different cloud vulnerabilities.
[00:03:01] And like you said, the world continuously evolves and changes that although we were talking about AI a little, it's just gone off the charts now.
[00:03:10] And you've now got a new security report, which is showing a significant increase in cyber attacks predictably over the last year.
[00:03:18] But I've got to ask, I mean, since our last conversation, what do you think is driving this surge in attacks now?
[00:03:24] And what should organizations be doing to prepare and respond for future attacks?
[00:03:30] If you look at the data, the major factor here is actually the increase of attacks on cloud-based infrastructures.
[00:03:38] They are sort of becoming a prime target.
[00:03:41] In our previous report, the responses showed us significantly more attacks targeting on-prem infrastructure.
[00:03:50] It seems that now attackers are sort of trying to be up to par with on-prem.
[00:03:58] The on-prem attacks did not decline, but the cloud attacks came out at the same level now, be it phishing attacks or user account compromise.
[00:04:08] So, yeah, that's the driving factor, I would say.
[00:04:11] And so many different things change and we see new technologies, new threats, but an oldie but a goodie ransomware still remains one of the top threats identified in your report.
[00:04:22] So, what are some of the most effective strategies organizations can adopt to protect themselves against ransomware attacks?
[00:04:29] Because it feels like we've been talking about this for, what, the last five, ten years.
[00:04:34] Well, we do actually.
[00:04:35] I mean, there are a few mantras in our industry and protecting against ransomware is one of them, I guess.
[00:04:42] Yeah.
[00:04:43] When you look at the three layers that need to be secured in your organization, which is the data, the identities and the infrastructure, the threat actors are nowadays often trying to abuse your identity.
[00:04:56] So, now the other mantra is identity is your new perimeter.
[00:04:59] Protecting them, having a good security posture for your AD, managing privileges in a just-in-time, just-enough approach and having a good identity threat detection and response are the measures that I think will give you as the organization an upper hand against your enemies, against the attackers.
[00:05:20] As simple as it is, if there is not enough privilege to abuse and there is no way to increase the privilege to collect more, if you have a good handle on this, these two aspects, the attacker is likely looking for a different, much easier target.
[00:05:38] And another standout stat for me from that report was 79% of organizations have spotted a cyber attack in the last 12 months.
[00:05:48] So, what are the key trends and key patterns that you've seen emerging, the kind of attacks being carried out here?
[00:05:55] What are you seeing?
[00:05:56] It sort of relates to what we have just discussed in the previous question.
[00:06:00] The primary attack vector were identities, it's as simple as that, especially privileged identities, with phishing kind of resurfacing as the method to carry out the attack, to execute the initial compromise.
[00:06:15] The mantra, coming back to that, that identities are the new perimeter, is now a threat in full swing.
[00:06:23] It's as simple as it is: that risk can cause havoc in an organization, with a need to manage it end-to-end.
[00:06:34] So, managing privileges in identities end-to-end is knowing your identities, knowing what kind of privilege they have, reducing the sprawl of permissions.
[00:06:47] That is a thing you need to do.
[00:06:51] And the key pattern that has emerged is attackers abusing this particular part in terms of organizational negligence on it or individual negligence.
[00:07:05] And, of course, employee mistakes or sometimes negligence is cited as one of the biggest challenges in ensuring data security.
[00:07:13] And there is that awful phrase that I wish we would retire at some point that, hey, employees are your weakest link.
[00:07:19] I don't think we could do something about that.
[00:07:21] But how can organizations improve and get better at educating and equipping their employees to minimize some of these risks?
[00:07:30] Because those annual clicking next compliance tests that we see in organizations, they don't work, do they?
[00:07:36] There's got to be a better way.
[00:07:38] Yeah.
[00:07:38] I mean, counter question, with employees, do you mean all the non-IT-sec staff, or is IT-sec staff also meant by that?
[00:07:48] Wow, that's a good question.
[00:07:49] I would hope that many people in IT or the majority of people in IT would be well-versed in this stuff.
[00:07:54] But I think the bigger challenge is outside of that department and finance, HR, marketing, and how they deal with things like phishing, emails, et cetera.
[00:08:03] I mean, you mentioned it.
[00:08:05] I mean, seeing and looking at employees, non-IT-sec employees, as your weakest link is one of the sort of root causes of all this back and forth that's batted between, let's say, the IT crowd and the non-IT crowd.
[00:08:23] In my opinion, there are two major factors that will help to overcome this not-my-business attitude, which is sort of on both sides of the aisle, so to speak.
[00:08:38] Yeah.
[00:08:38] It's not my business to secure information, to secure data, to secure the device.
[00:08:43] While, on the other hand, on the IT-sec side of things, it might be sort of that mindset saying it's not my business what kind of processes deliver the most value for our organization.
[00:08:59] And this is the part where I think the understanding of what's driving the business on our side, on the IT-sec folks' side, is important.
[00:09:10] What are the business processes that generate value?
[00:09:13] How do they work?
[00:09:14] What's critical?
[00:09:15] What's the critical path in each of them?
[00:09:18] And how do people contribute to each of these business processes?
[00:09:21] So to understand what is individual value, i.e. the person's value in driving that business process and what are the business processes overall, how do they fit together so that I have a good understanding of where do I need to focus my efforts as IT security to protect my organization?
[00:09:45] And on the other hand, for the non-IT-sec employees,
[00:09:50] it's also to make it their business without any repercussions.
[00:09:55] If they make a mistake, okay, everyone makes a mistake.
[00:09:59] We don't have to blame them.
[00:10:00] We don't have to shame them.
[00:10:02] If they come to us and say, hey, here is a phishing email.
[00:10:07] I might have clicked on it.
[00:10:09] We shouldn't curse them.
[00:10:11] We should help them.
[00:10:12] We should make sure that they understand what happened, that they have a feeling of, okay, it's my business.
[00:10:19] It helps us as an organization.
[00:10:21] It helps me to do my job in a better way, i.e. saying doing things in a digitally secured way must be a positive experience and not a perceived hindrance or obstacle.
[00:10:33] That's probably a thing that is coming from both sides for us to better educate and equip our employees on both sides of the aisle to minimize the risk.
[00:10:48] And I think one of the things that makes your findings so valuable is your research is covering so many different industries from healthcare to energy and finance.
[00:10:58] And how can cyber – well, how do cybersecurity challenges differ across these vastly different sectors?
[00:11:05] Are there any unique approaches required or is it not so important that they are different industries, the challenges are the same?
[00:11:12] How should they be approaching this or how are they approaching this?
[00:11:15] Well, if you look at each of these sectors, and not only healthcare or energy or finance, it is production, it is utilities overall.
[00:11:25] Each of these sectors has a unique aspect covering four areas.
[00:11:30] Regulation, dependence on IT, human labor intensity, and installation cycle lifespan.
[00:11:38] Now, if you look at the production environment, the machinery there is in place for whatever, 25, 30 years.
[00:11:46] If you look at the finance part, they're heavily IT dependent.
[00:11:52] Healthcare is somewhat in the middle of things.
[00:11:55] So, let's say from a regulation perspective, both finance and healthcare have a similar level regarding information security.
[00:12:03] Let's say so.
[00:12:58] There are a couple of things coming to mind.
[00:13:03] The origins of these different challenges.
[00:13:06] When you look at it from a face value perspective, in all fairness, the approach for each isn't so unique.
[00:13:13] Make sure you know what kind of data you have, what's its sensitivity.
[00:13:19] Protect your identities and make sure that you don't have a rolling-privilege kind of thing.
[00:13:25] Keep your infrastructure hardened and up to date.
[00:13:29] But when looking deeper, the four areas have an immense influence on your approach.
[00:13:35] Health IT can't easily be patched.
[00:13:37] IoT devices in a power plant require extra scrutiny when you want to scan them for vulnerabilities.
[00:13:44] All this has an influence on your security processes, on your risk register, on your incident response plans, your alert mechanism and priorities.
[00:13:55] So, with all of that, you're taking the generic good practices and make it workable for your unique requirements across your sector.
[00:14:10] Again, regulation, dependence on IT, human labor intensity, and installation cycles.
[00:14:17] And something else that has continued to evolve since we last spoke is remote and hybrid work.
[00:14:23] It continues to drive cloud adoption.
[00:14:26] But are there any specific security risks that this shift is introducing?
[00:14:30] And again, how can organizations effectively mitigate that?
[00:14:34] Because hybrid work is going nowhere, is it?
[00:14:36] Yeah, I mean, moving to cloud is a whole new world of privilege.
[00:14:43] Matter of fact, a recent Microsoft report on cloud permissions states that only 1% of permissions granted is actually used.
[00:14:52] 1%.
[00:14:52] So, one right in a hundred you're using.
[00:14:56] The other hundreds are, the other 99 are disregarded, useless.
[00:15:01] And if they are disregarded, you're opening up a whole new threat theater, a whole new area of risk where the part of privileged access management, the privilege sprawl aspect, is the central risk to manage, in my opinion.
[00:15:24] Moving to the cloud is not copy and paste.
[00:15:26] Even if the promise is made that it looks the same as on-prem.
[00:15:32] Behind the curtain, there are lots of settings, lots of controls to take care of, especially if the plan is to couple the move to the cloud with the introduction of things like Microsoft Copilot.
[00:15:45] 100% with you.
[00:15:46] And I'm curious, given everything that we're talking about today, how do you see the role of cyber risk management evolving, especially as organizations?
[00:15:56] Increasingly face sophisticated threats that we're talking about here.
[00:16:00] Again, any practices that you would recommend here around cyber risk management?
[00:16:05] Well, what should it be for me?
[00:16:09] I mean, avoid, mitigate, transfer, or accept.
[00:16:12] These four generic ways of managing risk.
[00:16:17] Cyber insurance is certainly a favorable element in any cyber risk management strategy, as it can help you to cover any financial impact.
[00:16:28] But that doesn't work as a single measure.
[00:16:30] I mean, you can't go in there and say, okay, I'm overwhelmed by the cyber risk.
[00:16:36] I just transfer everything.
[00:16:38] The cyber insurance company will come back to you and say, hey, what do you do to mitigate the risk in itself?
[00:16:43] So I'm not here to pay everything if you don't do anything.
[00:16:47] And that is most notably things like MFA, PAM, ITDR, so identity, threat detection, and response.
[00:16:55] In all this is coming back to the notion of, and that's another mantra, it's not a matter of if but only when.
[00:17:06] Will it happen to me?
[00:17:08] Or am I important enough?
[00:17:10] Whatever you state as the sort of usual excuses or reasons for negligence here.
[00:17:17] Plus, there's one element that is sort of adding pressure here is the growing third-party focus of regulations in that sense.
[00:17:28] Put into a simplified question, the answers to that simplified question might help a company to come to a good approach.
[00:17:37] If worse happens, where would a cyber attack hurt the most?
[00:17:43] And how can we continue to operate should it occur?
[00:17:46] That's the thing, sort of notion of cyber resilience here.
[00:17:50] If you manage your risk, make sure that you have this mapped out and laid out that will help you to overcome the occurrence of a risk.
[00:18:03] Make sure that the preparation for risk includes the planning of what do I do if it happens.
[00:18:11] It's as simple as it is, make it hard for the cyber groups to actually, yeah, threaten you, attack you in that sense.
[00:18:20] It's simple as it sounds.
[00:18:22] But the best practice, single best practice I would recommend is, in that sense, as it has an influence to all the other factors,
[00:18:34] is make sure you know about your privileges.
[00:18:38] Who is allowed to do what?
[00:18:42] And, of course, we're now only four months away from 2025.
[00:18:46] So, looking ahead, are there any other emerging cyber security trends or threats that organizations and business leaders should be looking out for or preparing for in 2025 and beyond?
[00:18:59] Well, I mean, you mentioned it already.
[00:19:02] We've heard about machine learning and AI quite a lot, and we probably have to admit that it is in everyone's mind.
[00:19:13] And even I have been talking about it and using examples of deep fakes in my presentations.
[00:19:22] In essence, when we look at what will happen in the near future, in the midterm future, in essence, they are tools.
[00:19:32] They will get better as tools as every tool is improved over time.
[00:19:36] And in the same way, your tool chain needs to adapt to them.
[00:19:41] You can use AI and ML in your own tool chain, and your adversaries will use them in their tool chain to attack you.
[00:19:50] So, this sort of adaptation process is about your security processes and your incident preparations.
[00:19:59] I mentioned deep fakes.
[00:20:02] What is your preparation for a deep fake voice call attack?
[00:20:06] Did you ever consider that as a risk or as an option in your incident preparations?
[00:20:12] What about the persuasive AI-generated phishing emails on massive scales that might come in the near future?
[00:20:22] So, the trend and threat in parallel is preparedness for that in terms of, have I adapted my processes?
[00:20:31] Have I adapted my incident preparations?
[00:20:34] Are they on my risk register already?
[00:20:37] That is one of the things that will be a cybersecurity trend moving beyond 2024.
[00:20:44] Well, it's been an absolute pleasure to have you back on the podcast and join me.
[00:20:49] As we said at the very beginning, this isn't your first rodeo.
[00:20:52] You kind of know what to expect.
[00:20:53] But I always ask my guests to finish by sharing one final gift with everyone listening.
[00:20:58] And that is a song that means something to them we can add to our Spotify playlist or a book that they'd recommend that we can add to our Amazon wishlist.
[00:21:06] All I'm going to ask is what would you like to leave everyone listening with and why?
[00:21:09] There are two things coming to my mind here in regards to the book.
[00:21:13] That's one that I read for the first time many years back, by a German author, Sten Nadolny.
[00:21:22] And the book is called The Discovery of Slowness.
[00:21:25] It's an interesting book, fictitious in its sense, but addressing a famous British explorer.
[00:21:31] And it's about how to overcome a weakness, how to turn a weakness into a strength.
[00:21:37] It's an interesting read, at least from my perspective.
[00:21:41] So The Discovery of Slowness is the book.
[00:21:44] From a song perspective, one thing, one song, if I hear it in the radio, that is always catching me is Love My Life by Robbie Williams.
[00:21:56] Because that song expresses everything, really everything I want my kids to experience.
[00:22:04] Simple as it is.
[00:22:05] If you listen to it, if you read the lyrics, you will understand what I'm talking about.
[00:22:10] Oh, I don't know that one.
[00:22:12] I'll be checking that out.
[00:22:13] I'll get it added to the Spotify playlist.
[00:22:15] And of course, the book sounds quite intriguing too.
[00:22:18] So I'll get that added to the Amazon wishlist.
[00:22:20] And for yourself, I mean, for everybody listening here, maybe you want to check out the report, find you or your team online, or discuss anything we talked about today.
[00:22:29] Where would you like to point everyone listening?
[00:22:31] Well, if they're looking for me, next to the usual places like LinkedIn and Twitter.
[00:22:36] Yeah, I don't call it X.
[00:22:38] Well, it's probably our blog space at blog.netwrix.com.
[00:22:42] Where you can find more about me and most importantly, more about my colleagues who are doing even a better job than I do.
[00:22:48] Well, I will add links to everything to make it nice and easy for people to find you.
[00:22:52] I still call it Twitter as well.
[00:22:54] I mean, the fact we still tweet and the web address is very similar now.
[00:22:59] So I still live in the past calling it Twitter.
[00:23:02] So you're in good company there.
[00:23:03] And love chatting with you today.
[00:23:05] And there were some pretty big stats in that report that we mentioned there.
[00:23:07] 79% of organisations suffered a cyber attack within the last 12 months, which is up from 68% last year.
[00:23:15] And 45% of those attacked faced unplanned expenses to address security gaps.
[00:23:22] But what I love talking with you about today is how to adopt that proactive rather than reactive approach.
[00:23:28] So many great tips and advice in your answers today.
[00:23:32] So just a big thank you once again for taking the time to sit down with me and share your story.
[00:23:37] Thank you.
[00:23:38] Thank you for having me, Neil.
[00:23:39] So what steps can your organisation take to bolster your cyber security defences in the face of increasingly sophisticated and advanced threats?
[00:23:52] As Dirk highlighted today, the landscape of cyber risk is more complex than ever,
[00:23:57] especially with attacks on cloud infrastructure now matching those on traditional on-premise systems.
[00:24:02] But the insights from the security report there emphasise the importance of a more proactive than reactive approach,
[00:24:10] particularly in managing identities and permissions, which are the new frontiers in cyber security.
[00:24:16] But as I reflect on today's discussion, I think it's clear that organisations must prioritise resilience
[00:24:23] and ensure that they have the strategies in place to not only defend against attacks,
[00:24:27] but also continue operating effectively in the event of a breach.
[00:24:33] So building a positive security culture, one that's tailored to a specific industry needs,
[00:24:39] is obviously crucial, especially if you want to stay ahead of emerging trends such as AI-driven threats.
[00:24:46] But over to you.
[00:24:47] Obviously, I could talk forever on this stuff, but this is not a monologue.
[00:24:51] It's a dialogue, and I'd love to hear your thoughts.
[00:24:53] So email me, techblogwriter@outlook.com.
[00:24:56] Twitter, LinkedIn, Instagram, at Neil C. Hughes.
[00:24:58] Don't just hit follow.
[00:24:59] Send me a quick message.
[00:25:00] But I've taken up far too much of your time today and talked in your ears far too much.
[00:25:06] So rather than be that guy at the party that hangs around a little bit too long,
[00:25:10] I'm going to make my excuses and have an early night.
[00:25:12] But thank you for listening.
[00:25:14] And hopefully we can have another chat tomorrow morning.
[00:25:17] How's that sound?
[00:25:18] Well, awesome.
[00:25:19] Speak with you all then.
[00:25:21] Thank you.