Anna Delaney: Protecting against ransomware and a look at the U.S. Department of Energy's National Cyber-Informed Engineering Strategy. These stories and more on this week's ISMG Security Report. Hi, I'm Anna Delaney. What are some unique challenges for healthcare when battling or responding to ransomware? This is a question our executive editor Mathew Schwartz posed to Peter Mackenzie, director of incident response at Sophos in a recent interview about protecting healthcare against ransomware. Peter says that what he sees is not so much mistakes that are particular to healthcare, but rather common mistakes across the board.
Peter Mackenzie: If you think about how a ransomware attack works, so when we speak to victims, we'll often ask them, "When did this attack happen?" And the answer we'll typically get is "last night or this morning." The users have come in, they've tried to open up their documents, the icons will change and nothing's working. So the IT Service Desk starts getting all these phone calls. And that's when they realize there's an incident, that's the typical thing that happens. But the reality is most ransomware attacks are human-driven now against organizations, and that human or group of attackers have to accomplish certain tasks to be able to achieve the level of destruction and impact they want to do. So they need to get into the network, they need to get the domain admin accounts that will allow them to do what they want to do across all machines, they want to find out where your backups are, and they probably want to delete them prior to the attack. And most groups now will also want to steal large amounts of data before they launch the ransomware. And then they'll plan out how they're going to deploy the ransomware to all of your servers, all of your machines or whichever ones they choose. That's not something that happens instantly, that can take days or weeks of preparation. The average amount of time we've seen ransomware attackers in networks prior to ransomware deployment this year is around 11 days. So that's what we expect an attacker to have been on the network for. So if you take that time into account, and the reality is that a lot of these attackers aren't that advanced, they watch a lot of YouTube videos, there's a lot of tools out there, there's a service for everything. So a lot of the stuff they do is given to them with instructions. I'm not saying they don't know what they're doing. But a lot of them are following instructions and using pre-configured tools. What that means is these attacks are relatively noisy. 
And by that I mean mistakes, the attackers use tools and techniques that will get detected by your security solutions. And what we found in investigations for ransomware this year: over 80% of ransomware victims had what we class as warning signs prior to the ransomware deployment. So that is detections by your security solution, sending alerts to an administrator, to someone in charge of security at that organization. So if you think about 80% or more had warning signs, something is going on. The problem is security is so fast-paced, so complicated that most organizations don't have the resources to even be looking at these alerts when they are flooded by alerts. And they often don't necessarily have the experience to know which alerts are the most important. And this one needs investigation. This one maybe doesn't. So they get missed. And that allows the attacker to stay on the network and do what they're there to do, which causes a large amount of impact and when it's healthcare that answers the risks or life issue as well. So there are common mistakes. And yes, they can impact health costs more than anyone else. But it is an industry problem that security is too complicated. And you shouldn't be trying to attempt it by yourself. You should be partnering with other trusted vendors and services like MDR services, managed detection and response services that can help provide you that 24/7 coverage.
Delaney: The critical infrastructure now. The U.S. Department of Energy this year unveiled its National Cyber-Informed Engineering Strategy. The plan looks to incorporate more cyber resilience during the manufacturing, development and deployment of computer systems used by energy providers. At ISMG's recent Critical Infrastructure Summit, Mara Winn, deputy director, preparedness policy and risk analysis of the office of CESER, the U.S. Department of Energy, shared an overview of what's to come.
Mara Winn: One of the things that we're trying to do in the Department of Energy is break it down into manageable chunks. Everything that can be coming at many utilities, many suppliers right now can feel overwhelming if you don't happen to have resident experts, and trying to understand what the sensors are doing, and how to make sure that you have proper information sharing, can be complex if it's not your daily bread and butter. So, in June, we announced this release of DOE's National Cyber-Informed Engineering Strategy. We're aware of the need for energy systems to be built securely, instead of tacking security on after deployment of the grid. So if you build it in early, it's going to be less expensive, it's going to be more in tune with the true needs, because you've thoughtfully designed it in, and it's going to, in the end of the day, be more effective. And so, we have five major pillars that we build on for the strategy. We have awareness, which recommends raising awareness of the approach, the application, making sure that decision makers in our energy sector industrial base, which are the owners and operators, but also the manufacturers, the researchers, other government leaders understand the importance of integration. We definitely find that awareness is not equivalent across all of the various partners. And sometimes, you need to look at those that may have more complex challenges, given the way that their entity is structured to be able to lift them up. And then we have education. Once you're aware, you have to educate. How do you embed into formal education, training, credentialing? We cannot effectively implement this without preparing the workforce. You need people who know how to operate, who know what to look for, who know how to understand the threats, because they are complex. And especially, when you have a nation-state concern, there's something that you have sophistication. And then development.
We move on to development when we want to mature the approaches by building a repository of tools, practices, methods and other enrichment that practitioners can draw upon. We're looking at current infrastructure. We have a lot of energy infrastructure in this nation right now. And we're not tearing it out and replacing it. So how do we make sure that the tools and technologies and solutions and collaborations are available for current infrastructure, but we also know things are changing. We have future infrastructure that is going to be implemented as we look for more resilience. It's something where you need to plan in the energy infrastructure needs and design needs now and talk about it as a sector, as a cohesive industrial body so we can plan appropriately.
Delaney: And finally, our business editor Michael Novinson writes that next-gen SIEM vendor Securonix has snagged long-time Ivanti executive Nayaki Nayyar as CEO to strengthen product capabilities and customer experience. I spoke with him about this new appointment. Michael, so you've written a piece this week about how Securonix has appointed a new CEO. I'd love your thoughts on this announcement.
Michael Novinson: First, thank you for having me. Securonix, which is a next-gen SIEM vendor, announced earlier this week that Nayaki Nayyar is going to be their new CEO. She's replacing Sachin Nayyar - they're not related - who's been leading the company since 2010. So the news came as a little bit of a surprise, because Sachin has been there since the early days, he has helped them along the growth journey and growth path. But it seems like he's taking a step back. Sachin had also served as the CEO at Saviynt for a number of years, he had stepped back from that role in 2018. So looks like he might be scaling back his involvement. But Securonix did bring in someone from the outside. Nayaki Nayyar had been most recently president at Ivanti, which has some plays in security as well as some broader technology plays. What's interesting here is that Securonix received a large investment back in February, about a billion dollars, from Vista Equity Partners, a private equity firm. I'm sure it played a role in choosing her if they're looking for a change in leadership at the top, since they are now a significant stakeholder in the company.
Delaney: So what does this move mean for Securonix? What capabilities do they have to develop?
Novinson: That's an interesting question. The SIEM space is changing a lot. So if you go back 20 years, there are three legacy SIEM players: that was QRadar, which was bought by IBM, Splunk, as well as LogRhythm. Those were the old school traditional set. So in the early 2010s, what was then called next-gen SIEM, notably Exabeam and Securonix, come along, and they were trying to make SIEM actionable, so rather than just getting this long list of "here's all the problems you have," that would help you figure out what was the most important and ideally can also take care of some of the more basic issues on its own. So what you've had since then, these companies on the cutting-edge. We now have Microsoft enter the space, they produce their own offering called Sentinel in 2019. They were the highest-rated vendor in Gartner just three years after debuting their offering, which is a hard thing to do. But then you're also having this convergence of SIEM and XDR. A lot of the network and endpoint vendors are positioning XDRs to be a SIEM replacement and just in the extensive data, ideally at a lower cost than a SIEM would be. So what you're having here is some of these vendors are having to figure out how to reinvent themselves. Exabeam, I know, has pushed in and started doing some more things with XDR branding, that is trying to take advantage of that market interest. Securonix hadn't done that as much, but I think Securonix is going to have to think about how to position the company but from a competitive standpoint now that they're dealing with Microsoft, as well as how much they want to dip their toe into the XDR marketing and then also messaging, how to make it clear how this XDR backed by SIEM is different than an XDR from CrowdStrike, from Palo Alto Networks, which relies on that endpoint to that network telemetry. So I think some of this is branding and messaging.
And then some of this is, from a technological capability standpoint, deciding how much you want to get into the XDR space and take on Microsoft.
Delaney: Now Nayaki is the company's first female CEO and one of only a handful in the vendor community. Do you think this move will spark other such appointments in the industry?
Novinson: I certainly hope so. It is a sad sign for the industry that with hundreds of major vendors that we have, there are seven female CEOs of significantly sized vendors, roughly 500 employees or more. I'm hoping that changes. What's interesting is that it's rare that a female leader is brought in from the outside to become CEO. If you look at most of the other cases, female CEOs at Veracode, BeyondTrust, HelpSystems and Darktrace - these are folks who are there internally and then got promoted from an opening. Trend Micro has Eva Chen, who was part of the founding team, and she moved into the CEO role. So the only time we've seen a CEO brought from the outside was at Imperva a couple years ago. They brought in Pam Murphy, also extremely experienced, she was the COO at Infor. So I think it's a question, especially for these companies who are privately owned - at least private equity firms have a list of executives. And it's a question of how many women are on these lists? And unfortunately, it seems like historically, there haven't been too many. I think it's also a question of the go to market versus the technical side, that in security, most companies want somebody with a deep technical background as CEO. A lot of the female executives in the security industry are more on the sales and marketing side. There certainly are some folks who are on the technical side, but a lot of the CTO, CEOs are male. So when it comes time to choose the CEO, you're drawing from that pool, which tends to be more male. I think the PE firms need to consider trying to get some more qualified female candidates on their list. But I think it's also on the vendor community to try to get more females into C-suite roles on the technology and on the R&D side. So you have some potential female CEOs in waiting.
Delaney: Well, Michael, it's been good to talk and thank you for your insight.
Novinson: You're welcome. Thanks for the time.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.