Anshuman Sharma is a seasoned professional with over 15 years of experience in the field of cybersecurity, leading the Hong Kong & India market for the Investigative Response (VTRAC) practice. He brings unique and vast experience in leading digital forensics and incident response, threat hunting, threat & vulnerability, advisory & security assurance, and PCI DSS compliance. Currently, he is the Principal Consultant, APAC, VTRAC (Verizon Threat Research Advisory Center).
In an exclusive interaction with Augustin Kurian, Senior Feature Writer at CISO MAG, Sharma talks about his journey, the impact of COVID-19 on cybersecurity, the adoption of AI and ML, and the global compliance norms.
Edited excerpts of the interview follow:
AK: You have over 15 years of experience across a wide spectrum of areas spanning information security, cybersecurity, cyber forensics, cyber warfare, risk management, expertise in the SOC and CERT, cloud computing, Big Data, Internet of Things (IoT), MEC, ML, and AI. How has your journey been so far? How has the cybersecurity space evolved in the last 20 years, and how did COVID-19 change the cybersecurity dynamics?
Sharma: My journey in the past 15 years has been fascinating. I need to be on my toes, keeping myself abreast of the latest know-how within the security domain. The security landscape has undergone exponential growth in the past 20 years. For example, two decades ago, organizations were taken by storm with the advent of firewalls. Then came the era of Intrusion Detection and Intrusion Prevention Systems (IDS/IPS).
Moving to the more recent past, with the advent of the Internet of Things (IoT), Artificial Intelligence, and Machine Learning (AI & ML), cybersecurity has taken another quantum jump. The threat landscape changed with the advent of the cloud, and the complexity of the threats increased in parallel.
Digital transformation has played a key role in how cybersecurity has changed over the years. We moved from packet-filtering firewalls to next-gen firewalls, which provided other functionalities such as gateway AV controls, web content filtering, and email content filtering.
In the current context, AI and ML are being used for the next generation of preventive and detective solutions such as Endpoint Detection and Response (EDR) at the endpoints, Network Detection and Response (NDR) at the network level, and User Entity Behavior Analytics (UEBA) — all utilizing the power of AI and ML to identify anomalies by first understanding what is normal. The contribution that threat intelligence brings to the table cannot be ignored. Threat intelligence (from Clearnet and Darknet) is providing the necessary ingredients for a threat hunting program in an organization, and it matures with the help of EDR and NDR technologies. Couple that with other recently matured and evolving technologies such as Security Incident and Event Management (SIEM), Deception Technologies, and Security Orchestration, Automation and Response (SOAR). This provides the necessary tools to a cybersecurity professional to thwart most cyberattacks and/or helps them detect many within a timely fashion. Also, matured organizations have great response plans in place as they know, “it is no more a question of if, but when.”

The COVID-19 pandemic has changed, possibly forever, the way we work. It has caused many organizations to adapt and/or hasten their roadmap towards digital transformation and has led many organizations, such as banks, which traditionally have never moved aggressively towards the cloud or even toward providing remote access to the work environment, to do so.
When there is change, there exists a potential for confusion, omissions, and mistakes. Cybercriminals are aware of this and will do their best to capitalize on any opportunities that are afforded to them. I do not mean to imply that the cloud and remote technologies mentioned above are inherently less secure. Rather, the concern arises from the fact that due to the conditions the pandemic has created, most organizations are hurriedly adopting them, and they are often forced to do so while relying on fewer resources in terms of both personnel and revenue. When one adds to that dangerous concoction of digital transformation the additional ingredient of large-scale remote work enablement, it can easily spell disaster. The likely factors contributing to incidents and breaches in the COVID-19 situation include:
- Increase in error – These error types are typically due to carelessness and/or hurry on the part of a system administrator or regular end-user, and include misconfiguration, misdelivery, and publishing errors.
- Stolen credential-related hacking – Our recent research shows that over 80% of breaches within the hacking category are caused by stolen or brute-forced credentials. The majority of the time, these occur via web apps and/or the cloud. Since businesses are forced to lean on Software-as-a-Service (SaaS) platforms more heavily now, we expect this increased reliance to substantially widen the attack surface for bad actors looking for stolen and brute-forced credentials.
- Asset management and patching – Most of us will agree that making sure all corporate-owned assets are promptly and consistently patched may be more difficult in the current environment than it has been in the past. However, given the current circumstances in which a large number of employees are being encouraged (or mandated) to work from home, maintaining those newly external workstations for remote access suddenly becomes a much bigger deal.
- Ransomware likely to rise – There have been several incidents where the ransomware group was also confirmed to have taken a copy of the data before triggering encryption and posting the data (either partially or entirely) publicly on their website of choice.
- Impact on the phishing landscape – The surge in remote working due to the pandemic may increase the reliance on mobile phones and tablets. Research from last year’s DBIR report indicates that many users are more likely to click on a malicious link when using a mobile device than a desktop or laptop.
- The Mind Games – Clearly, COVID-19-related terms are showing up in threat indicators. However, how susceptible people are to them is still an open question. To try to provide an answer, Verizon examined some simulated phishing data provided by a report contributor. Verizon compared emails that contained COVID-19-related terms (such as COVID, Corona, pandemic, Wuhan, SARS, etc.) to those emails that did not contain such references. Based on the data, phishing emails that were related to COVID-19 had a somewhat higher success rate and showed more organizations having far higher click rates, even above 50% in some cases.
AK: CEO frauds are a concern these days. Do you believe the new work from home format has heightened cybersecurity risks on CEOs and those with privileged access?
Sharma: In one of the recent reports, it was mentioned that senior executives are 12x more likely to be the target of social incidents, and 9x more likely to be the target of social breaches than in previous years. One of the factors behind targeting the senior executives is that they have access to the most critical information, and often, they have unrestricted access to such information.
With the new work-from-home scenario, we expect to see a rise in phishing emails. With the number of executives making use of personal devices for work-related tasks increasing, the risk of compromise becomes greater. So, we may see the number of business email compromise attacks increasing.
AK: When it comes to data security, many times, industries do not know what their critical data is. So, how do you think they can combat it?
Sharma: One of the most important aspects of securing data is being able to answer what sensitive data an organization has (PII, PHI, Payment Data, etc.), where it is stored, processed, and transmitted, who has access and what privileges they have, and what it will cost the organization if such data gets leaked. It means that a data classification exercise needs to be carried out.
Organizations are creating massive amounts of data that is both structured and unstructured. The key is to have a sound understanding of business processes and to have business process flows that identify the data life cycle — creation, storage, usage, sharing, archiving, and destruction. Having a data classification policy is another important aspect, as it identifies any legal and regulatory requirements and sets up the various classification levels. Using an Identity and Access Management (IAM) solution and a Privileged Identity Management (PIM) solution with assigned roles and responsibilities can help in better managing users’ access to data.
About the Interviewer
Augustin Kurian is the Senior Feature Writer and part of the editorial team at CISO MAG and writes interviews and features.
This interview first appeared in the December 2020 issue of CISO MAG.