2021 A Year in Cybersecurity in Ireland, Looking Back to Look Forward
As 2021 drew to a close, IBM Ireland hosted a panel discussion with three cybersecurity professionals to discuss the year from a cybersecurity perspective and what cybersecurity leaders could expect for the coming year in 2022. On the panel were Elaine Hanley, Partner, IBM Security Services EMEA, Pat Larkin, Chief Executive & co-founder at Ward Solutions, and Brian Honan, CEO of BH Consulting. The panel was hosted by Tim Arkless, Senior Account Manager at IBM.
The panel discussion was recorded and I will post links to the video recordings when they are available.
This blog post is a high-level summary of those discussions and serves as an appetiser for those who want to view the video and get more insights and nuggets of information.
It won’t come as a surprise that the main topics discussed were;
The above topics are covered briefly below
RANSOMWARE
There has been an explosion in growth in ransomware over the past 12 to 18 months. In 2021, IBM observed that 23% of all cyberattacks were ransomware attacks and estimates are that the criminals behind the REvil ransomware gang have so far netted themselves a lucrative $123 million in 2021.
Here in Ireland, the real threat from ransomware was driven home to the public in very dramatic fashion in early May 2021, when the Health Service Executive (HSE) suffered the ransomware attack that brought all its systems offline. While there were obvious negative impacts from this ransomware attack, you could argue there were positive outcomes as well: the HSE attack placed cybersecurity, and in particular ransomware, in the media spotlight, ensuring that the board, directors, and senior management of many other organisations asked themselves what they should be doing to protect their organisation from cyber threats.
The panel outlined the key lessons that should be learnt from the recent ransomware attacks and in particular what should be considered by organisations to improve their defence against ransomware. These were;
In addition to the above steps, the panel spent time discussing the importance of having effective backups and resilience solutions, which should enable you not only to recover from an attack but also to continue operating while recovering. It is important, though, for cybersecurity leaders to remember that while backup is important, it is equally important to understand the restoration process, the length of time it takes to restore applications and systems, and the associated costs, which could be as crippling as the attack itself. Leaders need to ensure they have built that into their planning.
Monitoring of your environment to detect potential threats and to repel an attack is crucial. IBM X-Force monitored over 4.75 trillion events across 130 countries during the year. Unfortunately, not many businesses are properly monitoring their environments and therefore will not be aware of when a breach happens. Cybersecurity leaders should look to implement effective monitoring, either in-house or by outsourcing it to trusted partners. When there is an outbreak, you may be looking to deploy XDR solutions to the end points to help deal with the outbreak.
How Best to Deal with Cybersecurity Incidents?
There was a time when companies who suffered a cyber-attack were not willing to publicise it for fear of the negative impact the news would have on its reputation, stock price, or customer confidence. The panel highlighted that today this perception is changing.
During an incident you cannot communicate enough with your customers, staff, suppliers, and the public. If you suffer a breach and you communicate in a clear, transparent, and considered manner, you are much more likely to gain sympathy and more likely to get more collaboration and intelligence to help deal with the attack. It is therefore vital to make sure you have your communications channels well established and your crisis management policy in place. People won’t judge you for being a victim of a cyber-attack, but they will judge you for how you respond to it. Key to that is clear communications.
Good communications can also have a benefit for other organisations. It is very rare for an organisation to operate solely in its own bubble. Criminals are targeting the supply chain and if they breach one organisation in that supply chain, they will move along the supply chain. Therefore, disclosure is critical to ensure your partners in that supply chain can be better prepared in the event they become targeted.
When initially responding to a cyber-attack, the recommended first step in a crisis is actually to do nothing. Instead of responding immediately, it is better to gather information and get a good understanding of what is going on. This will allow the cybersecurity leader to better understand what has happened and to identify where “the bleeding is happening” so that it can be addressed as a matter of priority.
The Impact of Remote Working and Engaging with the Cloud on Cybersecurity
The rush to cloud computing and the rapid acceleration of digital transformation in response to the COVID19 pandemic enabled many businesses to gain the advantages of the cloud, some of which were security advantages. But while bringing some business benefits, the move to the cloud also introduced new risks, threats, and opportunities for criminals.
In the rush to the cloud many security teams were diverted from their normal operations to focus on getting systems working and migrating businesses to support their remote workers. The same controls and diligence that may normally be in place for assessing new systems and transitioning to them may not have been done. As a result, many security teams face the backlog of retrospectively reviewing these controls and due diligence, on top of their normal workload, which is leaving some organisations exposed.
Criminals are not only targeting individual businesses but are focusing on cloud providers. An example of this is the Kaseya ransomware attack (early July 2021), where the attack on Kaseya resulted in over 1200 MSPs and their customers being ransomed. The gang behind this attack demanded a $70 million ransom for them to release the decryption key, which was not paid.
As mentioned earlier, criminals have made a lot of money from ransomware victims who have paid the extortion fee. These criminals are now investing that revenue into more sophisticated tools and attack methods, some of which will be targeting the cloud providers.
IBM researchers have seen a large increase in malware targeting Linux, with 56 new families of Linux-focused malware. As Linux is the operating system employed by many cloud service providers, this could be another indication that criminals are looking for higher rewards by aiming their attacks against bigger targets such as cloud providers. Cybersecurity leaders should regularly conduct and review their risk assessments regarding their cloud service providers and ensure they have appropriate controls in place.
The dramatic increase in “home workers” has posed additional threats and risks for businesses, with many home workers using their own personal devices for business purposes, resulting in a proliferation of end points on insecure networks that companies did not have to deal with before. The same security rules no longer apply, and cybersecurity leaders should look to the principles behind Zero Trust and to new tools, such as XDR, to manage this threat.
The Benefits of XDR
The panel outlined how XDR provides enhanced security by giving a much broader view of what is happening on an end point. This view is gained by consolidating the analysis of user behaviours, endpoint logs, network flows, vulnerability management, and mapping to threat intelligence. This all enables companies to focus their efforts on how to protect their environments and how best to respond in the event of a breach.
Elaine Hanley outlined IBM’s plans to acquire ReaQta, which provides an innovative approach using AI (Artificial Intelligence) and ML (Machine Learning) to monitor what is happening on a device at the OS level to better protect it. ReaQta can learn from day one what normal activity looks like for a business, and should anything happen outside that normal activity it can help determine if it is malicious activity.
Effective XDR solutions provide the CISO with better visibility as to what is happening within their estate, particularly if XDR is configured to work with a SIEM or Managed SOC solution. Traditional end point protection looks at what is known bad, whereas XDR looks for what is known good and alerts outside that behaviour. It is important to remember that, while a very powerful tool, XDR by itself is not the solution but needs to be integrated with good monitoring solutions and platforms and robust policies and procedures.
Is Zero Trust the panacea to our cybersecurity woes?
While Zero Trust is touted by many as the saviour to our security woes, the panel were quick to point out that Zero Trust is not the panacea that many are saying it is. Zero Trust, at its heart, is a security architecture and as such would require many organisations to redesign and re-architect their networks, skills, systems, and applications. This can be very challenging, especially in environments with legacy systems and solutions.
However, the principles of Zero Trust can be used by companies to better understand the risks and threats they face and to identify ways to address them. The key is to take a pragmatic approach by understanding the benefits and principles of Zero Trust and balancing them against the realities of legacy systems. Zero Trust is more a way of thinking than an actual technical solution. IBM provide various blueprints based on the Zero Trust principles that companies can use to protect their systems.
The cyber skills gap
There is a huge skills gap within the cybersecurity industry and that is a threat. The panel all agreed that we as an industry cannot address this threat on our own and that we need to look for sources of advice from other parts of the business or by engaging with partners.
Pat Larkin highlighted the great work by Cyber Ireland which is working on some interesting developments in the Irish skills market by encouraging cross pollination between industry, academia, and research. Cyber Ireland is working with training and skills providers in developing new cybersecurity award schemes to make it easier to move into a career in cybersecurity.
The panel also addressed the challenge of the lack of diversity. The IT sector, and in particular the cybersecurity area, has been dominated by males for too long. Cyber Women Ireland and Cyber Ireland are engaging in bringing more people from more diverse backgrounds into the industry. It is therefore very important that industry engages with these skills providers to ensure we have more innovative ways to get people involved in cybersecurity. An example given was the language we use within the industry, which is very militaristic and macho. Companies should make job advertisements more diversity-friendly and make the skill requirements in job adverts realistic, particularly for entry-level roles. As an industry we must do a better PR job to make the roles more attractive to all.
On the positive side, it was noted that with cybersecurity being such a hot area with high salaries and opportunities, we should see a flood of people coming into the industry. However, while this will bring much-needed skills, it will not bring in a key missing element such as experience. As an industry we need to start to recruit skilled professionals from other business sectors such as risk management, marketing, IT, and management to cybersecurity.
Companies can also address their internal skills gap by outsourcing functions such as security monitoring to trusted providers or by deploying technologies to automate detection and response such as XDR solutions.
What does 2022 hold for cybersecurity leaders?
Looking back, 2021 has been a challenging year for businesses in many ways, from having to deal with the pandemic to the associated changed threat profile and landscape.
As in 2021, ransomware will continue to be a threat in 2022 and threat actors will look to exploit the supply chain as much as possible. Cybersecurity leaders are urged to learn the lessons from the major trends and attacks that happened in 2021 and apply those lessons learnt to their own environments for 2022.
The coming year can also be an opportunity for Ireland to lead the way in cybersecurity. At the moment cybersecurity seems to be in infinite defence mode. In traditional military doctrine infinite defence does not work; you defend to either counter-attack or await reinforcements. How we currently operate in a constant defence mode is not sustainable. We need to change how we deal with the threats from cyber criminals and move to areas outside of the technical realm, such as political, economic, and societal approaches to dealing with the threats and activities that are happening. Otherwise
Ireland should invest in defence and policing of the Irish cyberspace. We should retool our police, our defence forces, and our foreign policy to be more proactive in dealing with cyberthreats. Ireland is a non-aligned country with a place on the UN Security Council and a robust digital economy; 2022 could be the year that Ireland leads the way in how to deal with international cyber threats.
#IBMPartner #paidpartnership #IBMSecurity
For more information on IBM Security:
Zero Trust: https://ibm.biz/BdfkqT
Cost of a data breach report 2021: https://ibm.biz/BdfwGU
Threat Intelligence Index 2021: https://ibm.biz/BdfwG5
Identity and Access Management: https://ibm.biz/BdfwGW
Freelance tech writer and content strategist specializing in cybersecurity, AI, and digital transformation
(3 years ago) Thanks for sharing, Pat. Lots of good insights. This one really resonated: "Business leaders also need to engage with cybersecurity and treat the associated risks like any other operational risk to their business". I was just talking about that with someone the other day, especially with respect to small/medium businesses.
Building a more cyber secure world, one person at a time
(3 years ago) Thanks Brian Honan. One thing I always like to highlight when people talk about "The Skills Gap" is that, in addition to the lack of actual number of people in the cyber profession, this also includes gaps in relation to (a) existing cyber professionals who are in niche areas and want and need to broaden their skills case and grow their careers, (b) existing cyber professionals who do have broader cyber skill sets but need to develop further just to keep up in a rapidly changing sector (meaning their skills often go quickly out of date), and (c) established information technology professionals who could upskill to take them into the cyber area. I'm currently undertaking some research into (a) and (b) to understand how these existing cybersecurity professionals in Ireland typically learn, with a view to informing (i) the professionals themselves in terms of potential learning pathways, (ii) academic institutions in terms of courses to feed those pathways, and (iii) various industry bodies to help them improve the CPD options they offer as part of their certification maintenance.
Partner, IBM Cybersecurity Services Ireland and UK
(3 years ago) Likewise, Pat Larkin and Brian Honan - as one of my early days coming into a new role, this was a real pleasure to find like-minded professionals. And faultlessly hosted by Tim Arkless, thank you. Great summary, Brian - I know this is the start of an ongoing and interesting conversation, and look forward to the next time. Meanwhile, lots of insights here for everyone looking to keep their business operating safely.
Brian Honan and Elaine Hanley, it was a pleasure to hear and share our collective insights with both of you, and thanks to Tim Arkless IBM for facilitating this - hopefully, this conversation and initiatives such as IBM continuing to add significant new and enhanced toolsets to their already formidable cyber security arsenal contribute to ongoing improvements in our collective cyber security.