‘Evolution Not Revolution’: Kenna Security CEO Talks Risk Management
The rapid spread of ransomware attacks in the enterprise was a top concern in the April 2 episode of “Task Force 7 Radio.” Host George Rettas was also joined by Kenna Security CEO Karim Toubba, who discussed the process of enhanced risk management.
Rettas kicked off the show with a look at the ransom-demanding cyber-attack that struck Atlanta, Ga. last month – the effects of which are still being felt by city officials. Rettas cited an article from Gizmodo’s Tom McKay reporting that officials are still in recovery mode 10-plus days after the event. The attack reportedly struck five out of 13 departments, forcing some to return to paper records. Citing Reuters, Rettas said that the attackers demanded a $51,000 ransom payment that has reportedly still gone unpaid.
Recoverable Data?
The attack has been extensive, too, as some city councilmembers have been forced to share an old laptop to try and reconstruct records. It remains to be seen whether affected data will be recoverable.
Rettas cited additional reporting in suggesting that city officials have not disclosed the extent to which servers were backing up information on corrupted PCs. However, the host said, Atlanta police were forced to return to writing out case notes.
“Public safety could clearly be at stake,” Rettas opined. “(That’s because of the) department’s inability to disposition and prosecute these cases that have these potentially dangerous criminals.”
The SamSam malware strain – believed to be in play in the Atlanta incident – is an advanced ransomware variant that gets in by exploiting vulnerabilities in, and guessing weak passwords on, public-facing systems, Rettas said, citing WIRED Magazine.
The “TF7 Radio” host also said that, according to CBS News, Atlanta was preparing to implement stronger security measures, based on an audit released in January which found a “large number of severe and critical vulnerabilities” leading to a “significant level of preventable risk exposure to the city.”
The FBI and the Department of Homeland Security (DHS) are reportedly assisting Atlanta officials in the ransomware fallout.
CEO On Risk
Rettas was then joined by Toubba, Kenna Security CEO and a longtime executive with 20 years in the security product world. The company maps the overall attack surface for its customers – through the lens of risk and prioritized remediation.
On high-profile breaches and unpatched systems, Toubba said, “We’re seeing things that have oftentimes been around for a long time being exploited by attackers… First of all, it’s a signal-to-noise problem. In an enterprise that leverages us, there are 18-24 million vulnerabilities open at any given time, on the entire infrastructure.”
The CEO said that security practitioners must “figure out extremely quickly how to filter through millions and millions of existing vulnerabilities to get to ones that matter.”
According to Toubba, another factor in this conversation is the overall landscape. What’s been created, he said, is “an environment that is dynamic and extremely fluid in organizations and governments…” He added: “It’s causing an age-old problem to rear its ugly head and then it’s giving attackers an opportunity to exploit the problem.”
The ‘Remediation Path’
Toubba also outlined the “remediation path,” which goes beyond the security team and incorporates DevOps, IT operations and application developers. He called the environment “multi-faceted.”
On whether enterprises are effective in their security tactics, Toubba said, “We see a myriad of capabilities that organizations have when they come in. The spectrum varies widely. Some organizations manage vulnerabilities inside an Excel spreadsheet. That’s probably the most arcane way of doing it… On the other end: organizations have built up an entire app library with a database where all vulnerabilities or scan results of vulnerabilities are incorporated.” Practitioners can run searches and do queries on these data sets.
Effectiveness, Toubba said, “varies based on the commitment of making this a cross-organizational discipline.”
Toubba also called this entire remediation path/risk management process an “evolution” and “not a revolution.”
There are “high-profile vulnerabilities…(which are) raising the issue of how prevalent vulnerabilities have become, largely because of the volume as an entry point for attackers.”
“Vulnerabilities are not only exploited in isolation,” he explained, saying that they can be leveraged inside toolkits once automated and weaponized. He said they can be exploited as part of a kill chain inside malware.
“People are looking at a more proactive and comprehensive way of understanding, managing and driving remediation,” he added.
Business Assets
Toubba explained vulnerabilities as significant “relative to the importance to the business and the asset it sits on.” In saying how an understanding of risk is important, he said, “(It’s) a common numerical framework that allows you to baseline where an organization is, start to understand progress over time and rally multiple aspects of the organization around a common lexicon you can use to drive remediation…”
The CEO added: “If you don’t understand how to drive down risk and increase efficacy through business value, you’re ultimately going to be checking off a checkbox.” He continued: “(You might) get regulators off your back, but it doesn’t do a lot in terms of moving the needle on efficacy and reducing risk. (Risk is) a fundamental construct most organizations (must) think through.”
He said that once the “lexicon” has been established, it facilitates effective communication and “bubbles up,” even to board members.
Tips on more efficient risk management, according to the “TF7 Radio” guest, include drawing on data sources from outside the network, such as which attacker tools are available, and monitoring the volume and velocity of exploits being “popped” into the wild.
“We’re way past human intelligence,” Toubba noted. “It’s about a confluence of big data and security. External data points…require compute and algorithms at an insane scale…”
A part of the remediation path, the Kenna Security CEO said, is finding “truth from telemetry” in discerning what attackers are doing worldwide.
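The weighting Toubba describes (severity judged relative to the asset it sits on, plus outside signals on whether exploit code is public or being used in the wild) can be sketched as a small scoring routine. The Python below is an added illustration written for this recap, not Kenna Security's model or code; the multipliers, the 0-100 normalisation, the asset names and the findings are all assumptions constructed for the example. It ranks a constructed inventory, applies a threshold to pull out the "ones that matter," and computes a single org-wide number that can be baselined and tracked as items are remediated.

```python
"""Risk-based vulnerability prioritisation sketch (added example, not Kenna's model)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float              # scanner-reported CVSS base score, 0.0-10.0
    criticality: int         # assumed business tag: 1 (lab box) .. 5 (revenue-critical)
    internet_facing: bool    # exposure: reachable from outside the network
    exploit_public: bool     # external signal: exploit or PoC code is published
    exploited_in_wild: bool  # external signal: seen in attacker toolkits or telemetry


# Multipliers are illustrative assumptions; a real program would fit them to its own data.
MAX_RAW = 10.0 * 3.0 * 1.5 * 5  # highest possible raw score, used to normalise to 0-100


def threat_multiplier(f: Finding) -> float:
    """Weight 'live' threats above theoretical ones: in-the-wild > public PoC > none."""
    if f.exploited_in_wild:
        return 3.0
    if f.exploit_public:
        return 2.0
    return 1.0


def exposure_multiplier(f: Finding) -> float:
    """Internet-facing systems are the entry point the recap describes, so up-weight them."""
    return 1.5 if f.internet_facing else 1.0


def risk_score(f: Finding) -> float:
    """0-100 score: severity x threat x exposure x asset value, normalised to MAX_RAW."""
    raw = f.cvss * threat_multiplier(f) * exposure_multiplier(f) * f.criticality
    return round(100.0 * raw / MAX_RAW, 1)


def prioritise(findings: List[Finding], threshold: float = 40.0) -> List[Finding]:
    """Keep only findings at or above the threshold, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f for f in ranked if risk_score(f) >= threshold]


def org_risk_meter(findings: List[Finding]) -> float:
    """One baseline number to track over time: mean across assets of each asset's worst finding."""
    worst: Dict[str, float] = {}
    for f in findings:
        worst[f.asset] = max(worst.get(f.asset, 0.0), risk_score(f))
    return sum(worst.values()) / len(worst) if worst else 0.0


# Constructed sample inventory (hypothetical assets and findings, not real data).
SAMPLE = [
    Finding("lab-vm-07", "critical RCE, isolated lab", 9.8, 1, False, False, False),
    Finding("web-store-01", "RCE in storefront app", 7.5, 5, True, True, True),
    Finding("hr-portal", "auth bypass", 8.1, 4, True, True, False),
    Finding("web-store-01", "info leak", 5.3, 5, True, False, False),
    Finding("db-core", "privilege escalation", 9.1, 5, False, True, False),
]


if __name__ == "__main__":
    print(f"org risk meter before: {org_risk_meter(SAMPLE):.1f}")
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.asset:14} {f.title}")
    # Simulate remediating the top item and show the meter moving.
    top = prioritise(SAMPLE)[0]
    remaining = [f for f in SAMPLE if f is not top]
    print(f"org risk meter after fixing top item: {org_risk_meter(remaining):.1f}")
```

The point the ranking makes is the one in the text: the CVSS 9.8 finding on the isolated lab box drops below the threshold, while a 7.5 on the internet-facing storefront that is already being exploited in the wild ranks first. The per-asset "worst finding" meter is one simple choice of common numerical framework; whatever the formula, the value is in keeping it stable so progress over time is comparable.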
According to the CEO, the security team owns less than 10% of the remediation path. Yes, they explore data and prioritize, but the only thing in the “toolbox” is reconfiguration or adding a filter in the network. When it comes to writing application code or upgrading systems, that’s an entirely different IT unit pulled into the mix.
Practical Automation?
Will vulnerability remediation, then, become fully automated? Toubba said that it “depends on…how forward-leaning the organization is.”
“There are organizations, from a security perspective, that have jumped in with both feet.” To do so, he said, they had to understand the criticality of the assets that vulnerabilities sit on.
Toubba said that one advance is the ability to “automatically create” stopgap measures in the firewall as a temporary remediation effort “until the right level of resource” can be allocated.
To be clear, the “TF7 Radio” guest admitted there is “no silver bullet,” no “one-size-fits-all” solution to automation and risk remediation.
However, he said, “Today, we’re looking at near-real-time information, which is informing people as quickly as possible.”
The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.