Mastering the cybersecurity tightrope of protection, detection, and response

by CybrGPT

In this Help Net Security interview, Chester Wisniewski, Director and Global Field CISO at Sophos, discusses the shifting ransomware landscape, the risks posed by quantum decryption threats, and the role of vendor security validation.

Wisniewski notes that cyber resilience is more crucial than mere defense, with AI playing a key role in managing threats, and calls for ongoing improvements, transparency, and proactive measures.

With ransomware payments decreasing, some cybercriminals are shifting toward data-centric extortion rather than just encryption. How should companies adjust their incident response and business continuity planning to address this shift?

To begin, I am not sure that the data is that clear on ransom payments decreasing. The data I’m looking at shows a small decrease in the percentage of organizations who pay, but a significant increase in how much they are paying. Whether it is true or not, the strategies should remain the same. We must focus on reducing the time to detect and the time to respond. Whether extortion or encryption is involved, the costs go up and the pressure to pay increases with time.

Finding the balance between protect, detect, and respond is difficult, but I’m seeing it out of balance at both ends of the spectrum of organization size. Small organizations are over-reliant on prevention and don’t have enough focus on early detection and planned response.

Enterprises on the other hand have often become disillusioned by hype and broken promises from some endpoint security vendors, leading to them not always maximizing the advantages many of these tools offer if well configured and deployed. All organizations, regardless of size, must have 24/7 monitoring and trained teams to respond when incidents in progress are discovered.

How should CTOs assess the risk of “harvest now, decrypt later” attacks, where threat actors steal encrypted data today to decrypt it once quantum computing matures?

In most cases this is only a risk to organizations handling data that would be of importance to the national security of their home country. Most cybercriminals are coin-operated and are looking for a quick payout, most often in cryptocurrency, and are not playing the long game.

That isn’t to say we shouldn’t be migrating to quantum-resistant cryptography as soon as we possibly can, as those same cybercriminals, if they gain the ability in the future, will likely steal things like encrypted backups and still attempt to use them for extortion.

Post-quantum cryptography (PQC) has made great strides in recent years and is mature enough to begin migrating toward now. The majority of cryptographic software libraries now include some PQC algorithms, which can be added to software applications today.

In the next 24 months I would begin to make this a requirement of vendors during the software procurement process. We have migrated to newer cryptographic schemes before, like when we deprecated SSL for TLS, or when we moved on from MD5 to SHA-1 and now SHA-256. We need to call back to that process and be more diligent and insistent on doing it more quickly and universally if we don’t want to be caught off guard when the day arrives that RSA isn’t going to cut it anymore.

Many high-profile breaches have originated from third-party vulnerabilities. From a technology leadership standpoint, how can CTOs establish more effective security validation and monitoring of vendors without introducing operational bottlenecks?

This is incredibly challenging, and with what we have seen in the last year or two, simply relying on tools or a SOC 2 certification isn’t enough for some mission-critical suppliers. I encourage procurement teams to include the security team early in the procurement process, preferably before the evaluation stage, to help assess the potential security risks to the organization due to compromise or even simply lack of availability.

For vendors where the security exposure is considered high, you need to not only assess certifications the vendor may hold but also do some research on the security culture of the organization. How do you measure security culture? There is no easy answer for that, but from where I sit, I think one of the most important values that demonstrates cybersecurity seriousness is transparency.

Has the supplier published a root cause analysis of any previous cybersecurity incidents? How open and honest are their public communications to customers when they have unexpected outages or security incidents? How detailed are their release notes when providing security patches and fixes? Do they have a bug bounty program and are they perceived to be welcoming of reports from security researchers? All of these indicators are a reflection of a supplier’s attitude toward data security and transparency in their operations.

With the increasing volume of real-time threat intelligence data, how can CTOs prioritize actionable insights without overwhelming security teams with alert fatigue?

Small and mid-sized firms are turning to managed detection and response (MDR) vendors with deep expertise in triage and spotting threat actor patterns in oceans of data. Even some enterprises prefer external help, even if they want to run their own response actions when incidents are discovered.

Clearly, doing this at scale requires automation, and everyone in this area is looking to use artificial intelligence tools with a human in the loop to get best-of-both-worlds outcomes. By using AI for the boring, large-scale data processing, this should allow analysts to focus more on threat hunts and reduce fatigue and burnout. We hope to start seeing this become standard practice in the coming year, with noticeable benefits to SOC operations.

Given the pace of cyber threat evolution, should organizations focus more on cyber resilience than just cyber defense?

Absolutely! In my experience, well-rounded security approaches yield better outcomes. We need to do our best, without impeding the business from achieving its goals. Perfect security is impossible, but focusing on resilience can strike a good balance between the competing factors executives must weigh when making cybersecurity decisions.

The most important thing is to continually iterate. No plan is ever finished, and revisions and lessons learned will aid in the journey of continuous improvement. Do the basics well, have a plan, learn from experiences, repeat. It is much harder than it sounds, but done well it can’t be beat.

© 2025 cybrgpt.com – All rights reserved.