Trust no one: Zero Trust Summit highlights key factors for IT pros to consider
As cyber threats grow at an alarming rate, IT teams are turning to Zero Trust methods to protect against ransomware and other cyber threats. Zero Trust is based on the assumption that all users, devices, and applications are untrustworthy.
Attendees at last month’s Zero Trust Summit heard from leading experts on how to proactively protect your data and minimise the impact of ransomware attacks with Zero Trust Data Security.
The event, which took place at the Marker Hotel in Dublin, was based on the theme of ‘readiness for real world data security’.
There to kick off the event was summit host Niall Kitson, editor of TechCentral.ie. “Why Zero Trust?,” asked Kitson. “It’s a much bigger question than we initially thought, informed largely by a survey TechCentral carried out with Rubrik last January.”
To discuss some of the survey results and put the summit in context, Kitson invited John McCleverty, country manager for Ireland at Rubrik, to the stage.
Threats to data security
Setting the tone for the rest of the day, Kitson and McCleverty discussed what the survey tells us about threats to data security. Based on the experiences of 100 IT professionals in Ireland, the survey found that 90% of IT professionals consider external threats such as ransomware the biggest risk to organisations, while 54% felt their organisation was either well or very well placed to defend against cyber-attacks.
Meanwhile, 55% of respondents said they are confident in their organisation’s ability to recover quickly in the event of a breach and 54% said their organisation is well placed to defend against ransomware attacks.
When it comes to who is responsible for data security in their organisation, respondents overwhelmingly said it lies with IT departments. Just 24% said it was the c-suite leadership’s responsibility, and 13% said they had a specialist data management team in their organisation.
McCleverty was concerned that the figure for IT departments was so high, but was not surprised as their resources are so stretched. “If you have a dedicated data management team, you’re among the lucky few.” He added that it would be great to see more responsibility at c-level.
Is this changing? In large, global companies McCleverty said it is, but in Ireland IT departments are often still responsible for everything.
Next to take the stage was Pierre-François Guglielmi, field CTO, Rubrik, who delivered the first presentation of the day. Guglielmi discussed Zero Trust as the evolution of data protection to data security and cyber resilience.
“Your data is the life blood of your business,” Guglielmi told the audience, “so this is what is being targeted by attackers.”
Achieving the promise of Zero Trust security requires more than just infrastructure security, he said, which is where data security comes in. Data security combines with traditional infrastructure security to fully secure data assets and as such, secure the business and defend it against cyber-attacks.
He warned attendees that relying on traditional security solutions to scan infrastructure devices for threats is not sufficient in the age of ransomware. Because ransomware attacks unfold slowly over a period of weeks, organisations are still being attacked in spite of these traditional infrastructure security investments.
What’s more, Guglielmi highlighted Rubrik’s strategic agreement with Microsoft that addresses rising customer needs to protect against surging ransomware attacks. Together, Rubrik and Microsoft will provide Microsoft 365 and hybrid cloud data protection and integrated cloud services on Microsoft Azure.
“Microsoft decided to invest in Rubrik to reinforce their own Zero Trust Strategy, because they recognised Rubrik as being the leader in that space,” added Guglielmi. “So that means we’re going to have tighter relationships, tighter integrations, development coming up.”
Next was Des Ryan, director of cybersecurity at Microsoft, who shared his unique perspective on what’s happening in cybersecurity in Ireland today.
Ryan asked the audience whether they consider Microsoft to be a security company. When three or four hands went up, Ryan told them that Microsoft is the biggest security company in the world. Last year, its security operation reached $10 billion in annual revenue.
“Our whole network is constantly under attack,” said Ryan. “With all of these attacks, we’ve got great insight into what’s happening in the cyber world. We take in trillions of signals every day. Those signals are fed into our AI and we’re able to deduce what kind of threats are floating around out there. We have built that intelligence into our products, and we share it with our partners.”
Ryan then gave the audience insights into Ireland’s security posture since the outbreak of the pandemic. As remote working moved end users and data outside of the network perimeter, it had a big impact on the security posture of lots of organisations, Ryan said. Attackers are opportunistic and will attack you through any means necessary: “We saw Covid-19 related domains popping up, and people spamming you with socially engineered emails to get you to click on links.”
Previously it was gangs carrying out these attacks, but there has been a great shift since the pandemic broke out. “About two years ago we started to see ransomware-as-a-service. Now anyone can do ransomware attacks. The gangs have written the code and made it available to others to use.”
In Ireland the most common form of attack is a crypto or bitcoin attack, “but ransomware is the most devastating,” Ryan said. “When an organisation is hit, it cripples them.”
To conclude, Ryan explained the three core tenets of Zero Trust – verify identity, assume you have been breached, and least privilege access – and implementing Zero Trust through identity, data, devices, network, applications, and infrastructure.
World’s best hacker
Ryan was followed by Alex Bacik, systems engineer at Palo Alto Networks. Bacik opened with a bold declaration: “I’ve always wanted to be a hacker. I don’t have the criminal proclivity, but I’m interested in the technical aspect.”
During his presentation, Bacik introduced the audience to some of the best hackers in the world. The HSE attack, however devastating, was not orchestrated by the world’s best hackers, he said. The attackers sent a malicious email to a single workstation and a user downloaded a Microsoft Office Excel file. From there the hackers were able to get into the HSE’s IT system.
Ransomware-as-a-service and new and emerging threats have created no shortage of victims. So how do we defend against attack? Bacik advised companies to use Zero Trust as a guiding principle to choose who they allocate their defence budget to.
Zero Trust should never focus on a narrow technology. Instead, it should consider the full ecosystem of controls–network, endpoint, cloud, application, IoT, identity and more–that many organisations rely on for protection, to give organisations the best chance at blocking hackers, whether they are the best or not.
The final presentation of the day came from Frank Renehan, director of Kontex, who discussed implementing modern Zero Trust strategies.
To start building a Zero Trust roadmap, he advised organisations to assess the maturity of their current Zero Trust state; understand current business initiatives and security projects; document where they can reuse existing capabilities; and set goals for their future maturity state and the time frame to achieve it. Understanding your current maturity level and where you want to be in a given time frame, Renehan said, can help you to focus your projects and initiatives.
During his presentation, Renehan outlined a number of common customer challenges, including treating Zero Trust as a “turnkey solution”. “A piecemeal approach to Zero Trust cybersecurity can create gaps, that’s why we need to analyse your overall risk profile to ensure we have the correct protections in place. Even the best of tools can fail in some ways, so having your layering and protective technologies can help you to achieve that.”
Moreover, he said Zero Trust is not a one-time expenditure. It requires commitment to ongoing administration, resources, management, and operational overhead. Doing this right will take effort, but it will allow you to protect your business’s ability to operate and continue to generate revenue if it is attacked.
After a short break where attendees were invited to network with peers, chat with the experts in the exhibitor area and enjoy some refreshments, the customer stories began.
Leading the charge was Don Reynolds, head of special projects, CRH and SANS Subject Matter Expert, who told the audience that Zero Trust is an “admission of failure by the vendors that what we’ve been doing for the last five/ten years is rubbish.”
Telling the audience that trust is in very short supply in the digital world, Reynolds warned that without having a contract in place that clearly defines what security is, they are unlikely to receive the level of protection they require. “If you haven’t got a service level agreement in place, what happens when things go wrong? Then you’ve missed the first step of incident response – preparation. If you haven’t prepared, you can’t trust people to deliver. We’re profit-making organisations. We do enough security so that potential attackers will move on to the next vulnerable person.”
The World Economic Forum found that out of the reported breaches in 2020, 95% were because of human failure, said Reynolds. “Technology can’t help you when you’re dealing with human failure.”
Continuing that thought, he discussed the role human error played in the HSE attack. “If you look at the HSE report, you’ll note that they didn’t say the technology failed them miserably. It didn’t. All the warning signs were there, but they were not acted upon. Why not? Because of a culture of a lack of accountability. That’s not just the HSE, it’s the civil service in general. The biggest single threat we have to the cybersecurity of this state and our information as citizens is the civil service. … these people do their job to the best of their ability, but when you have a structure that promotes people because they’re there longer rather than their ability, where those that are really good can’t be rewarded… we are doomed to fail.”
Finishing on a sobering note, Reynolds said: “If most businesses ask themselves can I recover from an attack, the answer I’ve seen in most cases is no, they haven’t got a chance. So trust, there is none, prepare for the worst. We have been lucky up until now.”
Trust no one
IT professionals often have eclectic backgrounds, and the next speaker was no exception. Louise Mahon, cyber security services manager, CIE, spent 21 years working in network security for the Defence Forces, which gave her a unique perspective on the concept of ‘Zero Trust’.
“When I think of Zero Trust, I think of my time in the military. We’re all taught to trust nothing from the very beginning. From closing doors and locking windows, to never leaving your weapon down, we always had to think about security in a very practical way.”
With her unique background, Mahon is familiar with the idea of the user as the primary point of failure: “One of my roles was to give the user awareness training. It can be hard to judge if people are listening when you’re telling them about threats, and what they should do if something happens. Educating the user is imperative. When I was in the military it was all face to face, and you’d get great engagement with the person. But now we’ve lost that personal touch and I fear the message is being lost with it.”
Mahon noted that when the communication fails, organisations open themselves up to serious risk. “The systems don’t fail, they might let a few things through, but ultimately it comes down to the person who clicks the link or misses the alert. This is the Swiss cheese effect. When all these things line up, that’s when you could have a mass catastrophe on your hands.”
To finish the day, Kitson was joined onstage by a panel of industry experts from Rubrik, Microsoft, Palo Alto Networks and Kontex, who discussed the evolving technologies and strategies for dealing with threats to organisations’ data assets.