
“Relying heavily on firewalls does nothing against determined adversaries”

Tim Bandos was recently announced as the Chief Information Security Officer (CISO) for Digital Guardian. He brings over 15 years of experience to the position, including his five years as VP of Cybersecurity at Digital Guardian. Prior to joining Digital Guardian, Bandos was Director of Cybersecurity for DuPont, where he was responsible for overseeing internal controls, incident response, and threat intelligence.

In a recent interview with Augustin Kurian from CISO MAG, Tim spoke about console management, blockchain, effective implementation of USB control and encryption, shadow IoT among several other trends.

In most enterprises, the endpoint security realm is about managing multiple management consoles, each reporting its own point of view on devices’ health. The situation becomes complicated when the many consoles can’t even agree on the inventory count, as each of them reports independent numbers and considerable time is spent on reconciliation. You have been tasked with the development of DG EDR. How do you think this problem can be fixed?

This particular problem around asset inventory plagues many organizations and there are varying reasons why they all report disparate numbers amongst each other. Some security solutions may not support certain operating system types, or as devices go offline, they’re not properly being updated in the list. I believe relying entirely on a technology to do this is not the best approach. It requires a process as well to adequately account for all IT assets in your inventory, which gets continuously updated and reviewed. Network scanners can do a great job at identifying live nodes on a network and even identifying potential rogue endpoints. Coupling that data with your inventory list is essential, in addition to knowing the primary usage of the device and whether it stores sensitive data. This upfront work will dramatically increase your success in rolling out an EDR program. If you miss even a single device, such as an externally facing RDP server used for remote access, it could be used as an entrance vector by an adversary. If that turns out to be the case, your visibility into detecting that attack is now zero. So, acquiring complete coverage will require a bit of upfront work first to ensure your entire enterprise is being monitored appropriately.
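The reconciliation step described in the answer above can be made mechanical. The following is an added editorial example, not code from the interview or from any Digital Guardian product: it takes the device lists reported by several consoles (a CMDB, an antivirus console and an EDR console, all constructed sample data), normalizes hostnames so the consoles can be compared, drops records whose last check-in is too old to trust, and joins the result with the live nodes found by a network scan. The output lists the devices the EDR agent is not covering and the live nodes no console knows about. The console names, hostnames, IP addresses and the 14-day staleness window are assumptions chosen for the example.

```python
"""Reconcile endpoint inventories from several security consoles against a
network scan, to find gaps in EDR coverage before (or while) rolling it out.

Added editorial example; all data below is constructed, not taken from the
interview or from any real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the results are reproducible.
NOW = datetime(2020, 11, 1, tzinfo=timezone.utc)
# A record whose last check-in is older than this is not trusted as evidence
# that the device still exists (assumed threshold).
STALE_AFTER = timedelta(days=14)


@dataclass(frozen=True)
class Record:
    host: str            # hostname exactly as the console reports it
    last_seen: datetime  # last check-in reported by that console


def normalize(host: str) -> str:
    """Lower-case and strip the DNS suffix so 'RDP-01.corp.example.com' == 'rdp-01'."""
    return host.strip().lower().split(".")[0]


# Constructed sample: three consoles that disagree on the inventory.
CONSOLES = {
    "cmdb": [Record("WS-ALICE.corp.example.com", NOW - timedelta(days=1)),
             Record("WS-BOB", NOW - timedelta(days=2)),
             Record("RDP-01", NOW - timedelta(days=1)),
             Record("old-print-srv", NOW - timedelta(days=400))],
    "av":   [Record("ws-alice", NOW - timedelta(days=1)),
             Record("ws-bob", NOW - timedelta(days=30)),
             Record("file-srv", NOW - timedelta(days=1))],
    "edr":  [Record("ws-alice", NOW - timedelta(hours=3)),
             Record("file-srv", NOW - timedelta(hours=1))],
}

# Constructed network scan result: (ip, reverse-DNS name or None) for live nodes.
SCAN = [("10.0.1.10", "ws-alice.corp.example.com"),
        ("10.0.1.11", "ws-bob.corp.example.com"),
        ("10.0.2.5",  "rdp-01.corp.example.com"),
        ("10.0.2.9",  "file-srv"),
        ("10.0.3.77", None)]  # live, unnamed, known to no console


def reconcile(consoles, scan, edr_console="edr", now=NOW, stale_after=STALE_AFTER):
    """Return per-console counts plus the coverage gaps a rollout must close."""
    seen = {}  # normalized host -> {console name: last_seen}
    for name, records in consoles.items():
        for r in records:
            seen.setdefault(normalize(r.host), {})[name] = r.last_seen

    # A host counts as real if at least one console saw it recently...
    fresh = {h for h, c in seen.items()
             if any(now - t <= stale_after for t in c.values())}
    # ...or if the scan found it live on the network right now.
    live = {normalize(h) for _, h in scan if h}
    universe = fresh | live

    # Covered only if the EDR console itself has a recent check-in.
    covered = {h for h, c in seen.items()
               if edr_console in c and now - c[edr_console] <= stale_after}

    return {
        "counts": {name: len(records) for name, records in consoles.items()},
        "stale": sorted(h for h in seen if h not in fresh),
        "missing_edr": sorted(universe - covered),
        "rogue": sorted(ip for ip, h in scan if not h or normalize(h) not in seen),
        "reconciled_total": len(universe),
    }


if __name__ == "__main__":
    report = reconcile(CONSOLES, SCAN)
    for key, value in report.items():
        print(f"{key:17} {value}")
```

On the sample data the three consoles report 4, 3 and 2 devices; after reconciliation there are 4 real endpoints, of which `rdp-01` (the externally facing server in the answer's scenario) and `ws-bob` have no healthy EDR agent, `old-print-srv` is a stale record to retire, and `10.0.3.77` is a live node that no console knows about and should be investigated as a potential rogue device.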

How do you see the uptake for managed security services today, as compared to, say, two years ago? From which types of businesses (small, medium, large) do you see the maximum uptake for outsourced security services? (Nearly half of all cyberattacks in the U.S. target SMBs). What is driving demand for managed security services?

I’ve seen a dramatic increase in SMBs latching on to managed security services over the last several years given the number of benefits that can be derived out of the partnership. One of the most difficult challenges is hiring employees with the right level of skills to cover the broad swath of capabilities required to sufficiently protect an organization. Take Incident Response for example – if a cyberattack occurs, you would need a fleet of resources with the ability to conduct digital forensics, log analysis, possibly reverse engineering, and more. Managed security services provide these capabilities on Day 1 and you no longer have to rely on the single IT guy wearing 15 different hats. The benefits of a managed solution, such as more time to focus on your business, lowering your costs in multiple areas, quick access to expertise, etc., all drive this growing demand we’ve observed recently.

How do you think MSMEs are handling cybersecurity post-COVID-19? You have pointed out that there are hundreds of terabytes of potentially sensitive, unencrypted corporate data floating around at any given time due to an increase in the volume of data downloaded to USB media by employees since the onset of COVID-19. What are your suggestions for smaller companies for effective implementation of USB control and encryption?

I believe it’s been difficult for some MSMEs to properly address cybersecurity-related concerns during this pandemic. Implementing controls and purchasing technology during a time when funds and even resources may be strapped is a considerable challenge. We’ve seen this play out with the amount of data egress occurring across our managed services customer base, specifically to USB devices and various cloud storage sites. It comes down to the culture and workflow you’re looking to set in your organization. Having policies in place that prevent USB usage can be enforced with Group Policy Object (GPO) settings, along with requiring users to encrypt their PCs with something like BitLocker. When it comes to filesharing and interacting with sensitive data, it’s important to store them in a technology that provides you control over permissions, the ability to encrypt, password protect, classify, etc. Services like OneDrive or Dropbox have these types of features, which can provide a significant level of comfort with how your employees access, interact with, and share sensitive information such as financial, legal, or HR data.

The virtualization of computing, software-defined storage, and networking has given birth to hyperconverged infrastructures. Implicit trust is gone and has made way for a more effective practice- explicit identity-based trust. The rapid shift to work-from-home has accelerated the adoption of Zero Trust frameworks. Do you believe Zero Trust-as-a-Service will be a necessary component of security strategies for 2021 and beyond? 

Absolutely. I believe you’ll see a significant increase in the adoption of a Zero Trust-as-a-Service model being used in security strategies beyond 2021. We’ve learned over the years that relying heavily on network security such as firewalls does almost nothing for you when faced with determined adversaries. Also, as organizations move more of their workloads to the cloud, it only becomes more imperative to protect and restrict those who have access and ensure you have the right level of visibility. This approach will require more granular perimeter enforcements based on who the user is, where they are located, and other elements of data to determine the level of trust that’s granted. Implementing this type of strategy is not something that’ll occur overnight. My recommendation to organizations looking to embrace the Zero Trust model is to first design it and try to avoid the incorporation of legacy systems that aren’t fully capable of taking this journey. For larger and more complex businesses, this may be a multi-year project depending on your IT environment. But for smaller and medium-sized companies, it could be a great opportunity to completely transform how they approach cybersecurity that’ll ultimately protect them from advances being made by threat actors.
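The per-request, identity-based enforcement described in the answer above is what a Zero Trust policy decision point does. The following is an added editorial example, not code from the interview or from any vendor's product: every request is evaluated against an explicit per-resource policy (who the user is, where they connect from, and how much the session and device can be trusted), access is denied by default, and being on the corporate network behind the firewall contributes nothing to the decision. The resource names, group names, country restrictions, trust thresholds and the three signals that make up the trust score are constructed assumptions for the example.

```python
"""Per-request access decisions from identity, location and device posture,
with network location deliberately ignored.

Added editorial example with constructed policies and requests; nothing here
is taken from the interview or from a real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships from the identity provider
    mfa: bool                  # session completed multi-factor authentication
    device_managed: bool       # device is enrolled in management
    device_compliant: bool     # patched, disk encrypted, security agent healthy
    country: str               # geolocation of the connecting client
    on_corp_network: bool      # behind the firewall (carries no weight below)
    resource: str


# Assumed policies: allowed groups, allowed countries (None = any) and the
# minimum trust score a session must reach.
POLICIES = {
    "hr-payroll": {"groups": {"hr"}, "countries": {"US"}, "min_trust": 3},
    "wiki":       {"groups": {"staff", "hr"}, "countries": None, "min_trust": 1},
}


def trust_score(req: Request) -> int:
    """One point each for MFA, a managed device and a compliant device.

    on_corp_network is intentionally not consulted: a compromised host inside
    the perimeter must earn exactly the same trust as one on a home network.
    """
    return int(req.mfa) + int(req.device_managed) + int(req.device_compliant)


def decide(req: Request, policies=POLICIES) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'step_up' or 'deny'."""
    pol = policies.get(req.resource)
    if pol is None:
        return ("deny", "no policy for resource (default deny)")
    if not (req.groups & pol["groups"]):
        return ("deny", "user is not in an allowed group")
    if pol["countries"] is not None and req.country not in pol["countries"]:
        return ("deny", f"location {req.country} is not allowed for this resource")
    score = trust_score(req)
    if score >= pol["min_trust"]:
        return ("allow", f"trust {score} >= required {pol['min_trust']}")
    # Short by exactly the MFA point: challenge for MFA instead of a flat deny.
    if not req.mfa and score + 1 >= pol["min_trust"]:
        return ("step_up", "MFA challenge would satisfy the policy")
    return ("deny", f"trust {score} < required {pol['min_trust']}")


# Constructed requests exercising each branch.
SAMPLE = [
    Request("alice", frozenset({"hr", "staff"}), True, True, True, "US", False, "hr-payroll"),
    Request("bob",   frozenset({"hr"}),          False, True, True, "US", True,  "hr-payroll"),
    Request("carol", frozenset({"staff"}),       True, False, False, "US", True, "hr-payroll"),
    Request("dave",  frozenset({"hr"}),          True, True, True, "RO", True,  "hr-payroll"),
    Request("eve",   frozenset({"staff"}),       False, False, False, "US", True, "wiki"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        verdict, reason = decide(r)
        print(f"{r.user:6} -> {r.resource:10} {verdict:8} {reason}")
```

Note how `bob` and `carol` are both inside the corporate network: `bob` is challenged for MFA because his managed, compliant device gets him within one point of the payroll threshold, while `carol` is denied outright because group membership, not network position, decides eligibility. `dave` presents valid credentials and a healthy device but is refused on location, which is the kind of granular, context-based enforcement the answer describes.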

Read a longer version of this interview in the next issue of CISO MAG.



About the Author 

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.