Chad Holmes, Partner and Cybersecurity Leader at Ernst & Young, and Tom Padgett, COO at SAP NA Analytics, discussed in detail how to address the increasingly innovative strategies used by threat actors.
Holmes and Padgett sat down for a Fireside Chat at the 2016 Chief Information Security Officer Leadership Forum held on June 22 in Chicago to talk about malicious actors and security measures companies can use to protect their critical data.
Padgett described security risks as resulting from these four components:
• Dramatic increase in the value of data.
• Increasing vulnerability of endpoints – “There’s no perimeter, and that’s not going to change. My company is pushed every day by our customers to take the applications that we provide and apply them to different mechanisms.”
• Exponential volume of data – “Big Data has been around forever, and that’s not going to change, either. There will be more devices and more mechanisms, and companies need to transform their business and business models in response. Much of this transformation needs to be around the data—how to pull it in and use it. Data is the new business model.”
• Proliferation of attackers – “The reputational risk goes beyond the organization that was attacked. If one of the big application developers is attacked, it’s not just that company that’s compromised, it’s the systems.”
Holmes then told a story about a criminal organization that went after a large company and stole millions of records. He outlined the attack lifecycle: initial compromise, credential harvesting, lateral spreading, remote access, and data exfiltration. “These attackers used some advanced techniques that you, as CISOs, need to be aware of,” said Holmes. “Their initial compromise strategy was a spear phish. What was more complex was how they communicated with the malware. They used custom malware that they downloaded off the dark web inexpensively and then compromised different infrastructures from like-minded organizations so they could target the bigger organization with that email. These attackers used social media channels to communicate to the malware. The malware went to Twitter to get hashtag data for its instructions. It went to a posting site like GitHub and downloaded images containing instructions for the next step. So you can see how sophisticated this process has become.”
Holmes continued, “In my experience, almost all attacks start with an email. The easiest access to the target is through the front end, just shaking somebody’s hand.” For this reason, user awareness training is becoming more critical and more challenging.
“Another challenge is the magnitude of the threats—a million pieces of malware daily, and 60% to 70% are unique to that day. Not completely unique,” explained Holmes, “but unique enough to escape detection.”
Holmes remarked that in all the investigations he’s worked on, almost half of the machines he looked at didn’t have malware.
“What have we learned as a result of these ever-more-sophisticated threats?” asked Holmes. The top 10 lessons, with Holmes' comments, are:
1. Leadership needs to be on board. “This has been improving, especially in the last year or two.”
2. You can’t protect everything. “The important thing is focus. Identify your critical assets, wrap the right roles around them, and do the right identification of your data.”
3. Leverage talented third parties. “We have more jobs than people to fill them. Use consultants in your projects and technology implementation.”
4. Follow a proactive strategy around automation. “We need to respond more quickly to threats, and automation orchestration is critical for this. People need to become more comfortable with trusting a technology to make a decision on their behalf.”
5. Have a defensive framework that includes true threat intelligence. “Information doesn’t equal intelligence. You have to ask the right questions of your information.”
6. Develop and follow an incident response framework. “You’ll spend more money on the response if you don’t have a good process for that model.”
7. Develop and work from playbooks to build efficiencies.
8. Build proactive capabilities with a cyber-analytics and business-risk focus.
9. Conduct red team exercises to test your environment once you’ve identified your core assets.
10. Learn, enhance, remediate.
ABOUT CHAD HOLMES:
Chad Holmes is a Partner/Principal in Ernst & Young LLP’s (EY) Advisory Services Cybersecurity practice. He has extensive experience working with Fortune 500 companies in the high-tech, healthcare, financial, retail, and many other industries across the globe, as well as experience working with key public sector organizations.
Chad has more than 18 years in the cybersecurity space that extends across all industries on a global scale. Ten years of his experience has been working directly for large organizations in their cybersecurity operations as a chief cyber architect or officer (CISO). During this time, Chad had the opportunity to develop and lead large cyber programs, transformation efforts, teams, and service lines around the globe.
Eight years of his experience was working directly for high-tech product manufacturers and consultant organizations. During this time, Chad had the opportunity to build high-tech startups from the ground up to billion-dollar organizations. He is also known as a thought leader in the cybersecurity space and has spoken at hundreds of cybersecurity and government conferences around the world.
Directly prior to EY, Chad was the Chief Technology and Intelligence Officer at FireEye/Mandiant, where he was at the forefront of helping organizations prepare for, respond to, and contain some of the largest cybersecurity breaches and malicious actors. He focused on providing strategic direction to mature and optimize organizations’ overall security posture.
During his tenure at FireEye/Mandiant, he was able to translate business objectives into actionable, repeatable, and reliable cybersecurity solutions that he delivered to the market. He was directly or indirectly responsible for technology innovation, engineering, product management, threat intelligence, corporate strategy, consultative services, and strategic sales operations.
As a cyber-liaison officer for many government intelligence agencies and a threat intelligence expert, Mr. Holmes has had the opportunity to brief federal and state law enforcement, intelligence agencies, governors, boards, and other senior executives on the latest cyber threats and intelligence on a weekly basis.
Prior to joining FireEye, Chad held several senior-level positions at large hardware and software manufacturers (Intel, CheckPoint, Core Security), where he was able to work with clients across many different industries.
As mentioned earlier, he has held chief-level positions in healthcare, construction, and financial organizations, not including owning his own cybersecurity business for six years.
Chad brings a unique combination of experience in product development lifecycles, go-to-market strategies, cybersecurity operations, and cross-industry work.
ABOUT TOM PADGETT:
Tom currently serves as COO for SAP’s NA Analytics & Insight business. Prior to this role, Tom was GVP of North American Sales for Oracle’s CPQ Cloud. He was part of the Executive Team at BigMachines that was responsible for the growth and sale of that company to Oracle, achieving 40%+ CAGR both prior to acquisition and following the sale.
Prior to Oracle/BigMachines, Tom held national and regional sales leadership roles selling analytic platforms and technologies at Adobe and SAP/Business Objects, where he consistently demonstrated the ability to scale sales organizations by implementing operational frameworks that maximize the productivity of the entire organization.