Ben Love [00:00:00]:
I would like to introduce our expert speaker today. We have with us today Jasa from Sophos. Jasa is a cybersecurity consultant with experience in architecting and building scalable networks and security systems for enterprise businesses. He has an array of technical skills in the network and security verticals, including software defined networking, enterprise network and of course, enterprise security. Yada, thanks for joining us.

Jasa Rakus [00:00:29]:
Thanks very much, Ben, and appreciate the warm welcome. And I’d just like to extend welcome to everybody joining us in the webinar. I know there are a lot of virtual webinars these days, so hopefully we’re going to make this one interesting for you. And just over the next 30 minutes or so, I’m going to share some insights into some of the questions I get from a lot of partners, customers and the like. And one of that question is, what are supply chain attacks and how do I protect myself against them? So we’re going to look into some of the most common attacks we see these days, as well as dive deeper into one of the largest supply chain attacks we’ve seen in the last few years. So without further ado, let’s kick this off to start with. For those of you who don’t know, Sophos, I’m just going to share a bit of who we are. We’ve been around for, well, just short of 30 years now. Founded in Oxford, UK, which is where our headquarters are still to this day, and we have over 100 million users, over 150 countries. So we do see a lot of things out there, and it’s important that that information is shared with our customers and partners, because making you secure makes our job a bit easier as well. And the way we do that, we sort of have three principal guidelines, is that our solutions are predictive, which means, regardless of the time and the threat landscape, that you do get the best of breeds of protection. But it also has to be very adaptive to what is happening these days. And as you’ll see in some of the later slide, it is important that those solutions do talk together. We used to all be very accustomed to security in depth with different products and different vendors, but more and more people are now acknowledging that visibility across all of your security estate is very important. Funny enough, I will start with a bit of good news, which is a fairly rare occurrence when discussing cybersecurity. So this chart is from Verizon’s data breach report, which was published towards the end of last year, so very much in the post Covid era. And it showed that in 2016, about two thirds, or just over two thirds of attacks took months to detect, which means that during that time, whoever was in your environment could do whatever they wanted. They could traverse the network, they could slowly exfiltrate the data. Funny enough, just three years later, that number has dropped by just over a quarter of breaches. It’s still high, but a vast improvement. Now, on a face value, this looks like a very positive news. But before we start congratulating ourselves, the reality is a bit different. In 2016, the trends for the threat landscape was, I’m going to get your data, which means I will slowly exfiltrate your personal information, your intellectual property, your passwords, your emails, et cetera, which takes time and has to be done. Very subtle. Unfortunately, what we’ve seen in the last 18 or so months, the predominant threat landscape is, I guess, populated with ransomware. And the key of ransomware is get in fast, get encryption fast, which means it gets detected pretty fast because it gets a very quick return for the buck. And that is the unfortunate reality of the situation we live in. So how do we attack this? Well, one thing that a lot of organizations, and we are not different in that respect, you have to align yourself with some sort of a framework to know from a process standpoint what are you going to do in cybersecurity. So we as an organization, we look at the three pillars of the NIST cybersecurity framework, which is the protection, detection and response, because that is sort of what we do as an organization and in the protection. A lot of organizations have spent a lot of money and they have solutions and they have products and they have, in fact, achieved a very high maturity level of implementing multiple security controls. The problem is that once we start moving into detection and response, which is what we call a proactive approach to the cybersecurity, that shift in mindset hasn’t really happened. Larger organizations with large budgets can afford a 24/7 operation with people, et cetera, which is a struggle for meat to small size enterprises and environments. And it is hard to dedicate that amount of time to just cybersecurity. So what do we see as an organization, a global security vendor, in terms of what a cyberattack looks like these days? Well, they pretty much all look the same. They always start with the infiltration. And that’s the initial agenda of any cybercriminal, is to find a way to infiltrate into your environment. Funny enough, the main method these days is still phishing emails. People are susceptible to emails if they’re crafted well enough. I’m not going to lie. We as an organization always test each other. And I have received an email that I’ve almost clicked because it was really well crafted and I do this for a living. And I still almost clicked on it. Another one is stolen credentials, either poor passwords or password dumps that are pretty much everywhere in the Internet and can be found and exposed public servers. Those are the orphan servers that provide a service that people sort of forget about. And once the infiltration happens, the next step is always to report of that success, which is what we call the call home or command and control server communication, where they tell the attacker, hey, we’re in, what do you want us to do? And the next part of the cyberattack is usually to spread around. You don’t just put all your eggs into one basket, you try to spread around the environment so that you have a bigger chance of success. And I’ve intentionally put a couple of things on this slide that are not just your standard it equipment, just to get you a bit of thinking about it. So you see that I’ve put a thermostat, I put a smart light. Keep in mind that all of those, as we call them, IoT devices, have some sort of an operating system. And unlike Windows Linux desktops, laptops, servers that can be protected with software, those usually do not have a way to protect themselves in such a way. Yet they still can present a tool for a cybercriminal to use against you. And obviously, the last part of a cyberattack is either to steal information, which we still see a lot, because that information can be used on a further attack down the road, or act on an objective. And unfortunately, this objective these days is mostly install some sort of ransomware and then collect data and try to extort you to give you that data back, or to give you unencryption keys for the ransomware that was deployed. So out of those cyberattacks, what is a supply and chain attack? Well, supply chain attack looks exactly like this. It’s slightly different that it doesn’t go essentially after you as the organization. It goes against somebody that you trust inherently as your supplier. So a supply chain attacker is not going to be attacking you as an organization. What they’ll do is they’ll try to deploy an attack against your third party supplier who provides a service to you, who you trust. And that sort of data changed into a supply chain attack. Now, funny enough, and I’m sure majority of you will agree, regardless of the size of an organization, everybody is either forming a supply chain or has a supply chain providing services or products or anything as such to them. And based on the research that vans and burn has done, an average number of suppliers for a small or a medium sized business is usually around three. And out of those, one of ten ransomware victims said that it was a part of a third party supplier attack. So the supply chain attacks are an actual and reasonable threat that we need to address. And some of the types of supply chain attacks that we see, as I’ve mentioned already before, phishing is still one of the most common attack vectors. Because you as an organization might be well educated about security awareness and phishing emails, your suppliers might not be. So they use third parties with a phishing attack to then use that as a springboard to infiltrate into your system. The next one, which we will probably spend a bit more time on today, is a bit more comprehensive, and I’d say a fair bit more dangerous. And that is a software update attack. It’s a more sophisticated supply chain attack where hackers will infiltrate a company that provides some sort of a software or a solution to you, and they will distribute usually a very small piece of malicious code within that software update package, which you don’t check. The package that you get is signed with a certificate that you trust. It’s a reputable source, so you just install it. It usually even happens automatically without you even knowing that it happens. And as a result of that, you unknowingly infect yourself in the process. And as you can imagine, the consequences can be devastating, particularly if the organization that we will talk about a bit later has a large portfolio of customers. And more and more, what we see recently is what is called a poison package. It’s a less common type, but we do expect to see it more and more frequently in the future. And it is sort of a result of an extensive use of cloud services docker agile development methodologies, where people want to shorten the development lifecycle of a software product, so they use off the shelf components to do so. Well, funny enough, the malicious actors have begun to booby trap those off the shelf components to push malicious data or malicious content into your end product without you even knowing. So let’s have a look at some of the main attacks from a supply chain that we’ve seen in the last year, and I’m sure you’ll probably know or heard of all of them. The first one on the list that I’ll spend a bit of time more in the next slide as well, is the SolarWinds supply chain attack, and this was the software update package attack, where SolarWinds, as the company that serves thousands of companies worldwide, had its own software update package maliciously compromised, which as a result compromised a lot of their customers. It took months and according to some of the data that’s available now, even years that this has been going on before anybody noticed the next one in that line was Microsoft Exchange, the hafnium zero day attack. Now, the problem with that is that while we might not consider Microsoft as a supply chain, it is the de facto mail server of choice for majority of organizations. So whilst you might not see Microsoft as your direct supplier, the fact that you use their services makes them part of your supply chain. And the last, and not the least, was the Cassea, where managed service providers were used as a springboard to go into your network because of that trusted relationship. So let’s have a bit of a look at the solar winds, the case study, just so that you understand what actually happened and how long it took for people to pick that up. It was in sort of late 2020. The dates on this slide show are in american format. Apologies for that. So this is taken from an american source. But in the late 2020, it was discovered that the solar winds, that their Orion product has been compromised. And that discovery, I’m sure you’ve seen, created headlines all over the globe, thrusting the vulnerability of supply chain security into the spotlight. Apparently it has impacted over 18,000 customers worldwide. And we are not talking small customers only, we’re talking Fortune 500 companies that use their products. What happens is that the attackers, or the hackers, manage to insert malicious code, a very tiny piece of malicious code, into their infrastructure monitoring management platform called Orion. And that was initially done in 2019, in September and 2019. And then they tested it a bit in their environment, see if they were going to be picked up. They weren’t. And then they stopped testing. And then a few months later, they actually injected that into the update packages, which were pushed out around April 2020. So the attackers had about six months of nobody knowing anything about this attack at all. So the first information about it was sort of known in mid of December last year. And six months is a long time to have a full elevated access to your environment. The success of that attack gave actors a wide range of access to corporate and government informational system, and it has already resulted in an uncalculated volumes of data theft that we’re slowly uncovering as we go. We, as a global security vendor, are part of the organizations that sort of form a task force to identify the scale of this attack and even months and months later, we don’t know the entire scale of this attack because it’s just not known. Now. It would be easy to say that we in cybersecurity industry are making this easy for you. Well, we’re not. And the next slide is going to show you why we’re not making this easy for you, because cybersecurity is one of the more fragmented industries in the world. And I think you’ll probably all agree with that. There is a lot of consolidation of vendors. In fact, Sophos has, in the last six weeks or so, bought three companies, three startups. But for every startup that we buy, there are probably five that come up independently at the same time. So that dynamic of innovation is great, but it’s not great for integration. So it makes it hard to integrate and innovate at the same time because startups are just popping up and disappearing. And it’s a very fragmented industry. So what do we do about supply chain attacks? It’s not all bad. There are ways and there are means to address this, and it’s an endless, almost a loop type approach. So one of the things that you need to do is you need to start monitoring for early signs of compromise, which means you look at the things that your own tools that you use are being used against you. It’s called leaving off the land. And this means that the attackers are going to use tools that you’re familiar with, that you trust, that you’re happy to use against you, because you inherently trust those tools. It means that nobody’s going to look at them when they’re being used in an unusual way. So an example of an early sign of compromise is me using corporate environment at 02:00 a.m. In the morning, when six months before there, I was asleep every time at 02:00 a.m. In the morning. So that is out of the normal. And somebody should pick this up. Somebody looking at surveillance systems, which are part of the physical security environment, is an unusual method as well. So those are the things that you should be looking at. Obviously. It may sound obvious, but the next one on the list is absolutely each one of you should do an audit of your supply chain. And by audit, I mean you should map out a list of all the organizations you’re connected to. And there are probably more than you think. And you will also, by doing that exercise, you’ll be able to identify any weak links. So organizations that might be more susceptible to cybercrime, some of the third parties that you might be using, are managed service providers, cloud providers, finance providers, legal cleaning, logistics, labor. You might be renting offices from somebody that then provides a cleaning of those offices by a third party, which means they are part of that same supply chain. So doing an audit of that is very important, understanding who has potential access to your environment. And then when you do that, you also assess the security posture of that supply chain. And one of the easiest way to access security posture is clearly some sort of alignment with a security framework, some sort of a certificate, such as ISO 27 one, HiPAA in health organization sock type two compliance if it’s a cloud provider. So things like that, GDPR, if you’re working extensively with overseas companies. So those are some of the security posture proofs and identifications that your providers can give to you. And you constantly have to review your own posture as well. So this is very important. It is important to know the posture of your suppliers, but it is critical in safeguarding against supply chain attacks to not neglect your own cybersecurity hygiene. And many organizations do that because either they didn’t know where to start, or they believe that they’re not important enough to be targeted, or they do not have a partner that will be compromised. And in reality, we all form a supply chain. Your cybersecurity practices could be the weakling in the supply chain, and it is the difference between a mild inconvenience in the case of a potential cybersecurity attack or a catastrophic data breach. And last but not least, and this is a shift in a mindset, is shifting from a reactive to proactive. And I think solar winds was a massive wake up call in that respect, because things were identified when they already started happening and data was exfiltrated. Nobody was looking at things proactively as they were happening. When the payload was dropped, it was already too late. They have already stolen the data they’ve already accessed to the network for days. So you need to change that mindset to assume you’re always compromised. And this is not fear mongering, this is just a change in mindset to say, do I just trust inherently my environment is the same as it was a week from now, or as it was a week ago, or it’s going to be a week from now. What is my baseline? What is my normal? You have to ask your questions in that respect. And that brings me to what we can do. What we, as an organization that deals with security and grassroots, as one of our premier partners, can help you to do that. And this is mostly around reviewing your own it security as well as shifting from a reactive to a proactive approach. So what we’re trying to do as an organization is help you to reduce cybersecurity risk, to enhance visibility across your entire estate. And obviously, because it, we all know and agree, is considered a cost, we want to increase the return on that it investment. And in terms of reducing cybersecurity risk, we all know what to do. We throw money at the problem. There’s no wheel to invent here. You get a couple of products, you throw them in there and you hope things stick, and you hope you’ve done the best you can. And some of the products you’d be looking at are endpoint protection, server protection, encryption software, protecting your mobile devices, email servers, your wireless network, and obviously your gateways such as firewalls. This is not enough these days anymore. You have to be sure that these solutions talk to each other. And we are capable of doing that because we have something called adaptive cybersecurity ecosystem, and it’s just a term that we use and we’ve sort of coined together. But what it means in reality is that each one of our products can inform every one of our other products what it’s doing and what its posture is and what its health is. So you can have an email protection tell, a firewall the status of an email server, and by that a firewall can make a dynamic decision on what kind of traffic can be allowed in and out, left, right, up and down. And it’s all done through a single management platform that makes it very easy for you to see everything across your environment. Now, obviously you’ve spent money on this and you want to see that this is actually working for you. So to actually increase the return of your it investment, we underpin this with technologies such as artificial intelligence. We use APIs so that our partners and you yourself can automate some of these tasks so that the things can happen automatically for you. We have global sofa slabs footprint, which is a bunch of very smart cybersecurity analysts that look at things 24/7 from those 100 million endpoints, or customers or users that I was talking about very early in this presentation. And one of the things that is very important here is that organizations do not have time to do all this right. You can rely on your partner, but partners have this ability, and so do you, to augment their solution with what is called a managed detection and response, which is a service that we provide at Sophas. And what that does is that from a protection standpoint, a lot of you have heard of our Intercept X protection, which is our server, our mobile, our endpoint protection solution. We’ve been very successful with it. We are leader in Gartner quadrant for, I believe, eleven years running. So we know what we’re doing in that respect. But to become proactive and not reactive anymore, you have to start detecting and responding to events. Now, if you have time and if you have the skill set, you can do it yourself, which is you buy a license, which is called an extended detection and response license, which is on top of Intercept X or what more and more organizations opt in for is a managed detection and response, which is done for you. And it’s a service and it’s something that we provide in conjunction with our partners, and we provide you essentially a 24/7 service. So what does that do? So this is a combination of people, obviously, of the technology that those people use and processes, because processes, as much as we sometimes hate them, are just as important as the people and technology that we use. So this is essentially an outsourced service of experts. Experts are threat hunters, incident response people, security analysts, threat researchers, et cetera. It will help with your in house security operations team if you have it, or let’s say it will augment your it team, not just security operations team. So if you have an it team that doesn’t have a security mindset or security time, or it doesn’t have a security component dedicated, this is something where you can augment that by getting it as a service. It is obviously a. It’s important to know that the 24/7 means that these guys will proactively look at things and they will contain and neutralize any threat. So unlimited amount, infinite amount of threats that might happen against your environment, they will be addressed. It’s not just a notification where you might get a call on a Saturday at 02:00 a.m. This does not help anybody. They will contain the threats, they will neutralize the threats and they will let you know what they have done to do so. They will also assist in giving you advice on how you can improve your security posture by giving you information that we see globally as well as what we see for your environment specifically. And because we want you to feel comfortable of working with us. The way that this works is that you decide how to work with that team. If you feel comfortable that you just want to be notified by them, that is okay. You can collaborate where they do a part of the work and you do another part. If you don’t have a fully fledged trust in them and over time you can even say, hey, I fully trust you. I will authorize you to contain, neutralize, and let me know what has happened so that I can address the root cause of these attacks. And with that, ladies and gentlemen, I will thank you for your time and I will sort of give it back to Ben for some remarks and any questions. If there were. Thank you very much.