INTERVIEW with Halim Abouzeid
Advisory Systems Engineer, NetWitness (RSA Security)

Hello, Halim. You’ve worked with a lot of enterprise clients in the META region, so let’s start with the cybersecurity landscape. What are the top threat detection and response priorities organisations should keep top of mind? 
The first is the world of work. Whether it’s a fully-remote workforce or a hybrid model (where workers aren’t on premises all the time), this type of new work environment is here to stay. In the META region specifically, this is the norm in most industries. So security teams have to be focused on this remoteness and have to take care from a security perspective, because these networks can be much less secure than an enterprise network. And therefore breaches that happen from a remote workforce are going to be more common. 
Another priority is effective resources. Organisations are quickly implementing many new tools, solutions, and technologies to combat the latest exploits. And in light of the damaging Log4j vulnerability, identifying which applications are impacted by these zero-day exploits becomes even more difficult and time-consuming to repair. <AUDIO HARD TO HEAR 3:30> These exploits are open for longer periods of time, which means bad actors have more time to exploit—which leads to another layer of problems for security teams.
Ransomware actors are leveraging this maleficence because it’s extremely lucrative. They’re able to invest in zero-day applications, quickly adapting their malware using these exploits. This means that the traditional types of preventative measures that security teams used to do (for example, single point solutions) are not as efficient anymore.
The bottom-line priority is really to take a step back. Go back to basic methods, a proactive approach to threat hunting, instead of being reactive and waiting for an alert to be triggered. Make sure you have the basics in place. The tools needed to do effective threat hunting in place. The visibility in place. Visibility across packets, endpoints, on-premises, cloud, applications—have this base priority of visibility and then build on top of that. So to come back to the question, the #1 priority is go back to the fundamentals.

Are there any issues you are seeing consistently with customers and prospects? Perhaps many of these companies have “blind spots” that they need to address? 
Organisations tend to invest in the “best in breed” technology (AI/machine learning for example). But if it’s not properly deployed, if it’s not adapting as quickly as the attacks of the bad actors, you still have a visibility gap. As you move to the cloud, if you don’t integrate quickly with your SOC, you will still have more visibility gaps from other perspectives; threat actors are going to bypass some of your preventative measures, some of your visibility and protection. 

If any organisation is re-evaluating their cybersecurity posture—from the SOC to the one-person team—what are some best practices for intelligent threat management and security ops?
I think regular assessments are important. And assessments can come in many forms: they can be a SOC assessment when you review processes, tools, or gap analyses, or proactive incident response engagements by third-parties (because sometimes we get tunnel vision and need another pair of eyes looking at what we’re doing and how we’re doing it). Understanding where you are today and how to build on that—and expand on that—to optimize your SOC operations. 
Also, doing regular incident discovery engagements to IR retainers or other services. These can help identify potential threats that are currently in your environment that have been undetected by the SOC. Utilizing these services can help you enhance the SOC’s performance. And even if there is no breach, these IR services can identify potential weaknesses and identify gaps that could lead to a breach in the future.  

How do you see the customer journey (roadmap) for building an end-to-end, extended detection and response (XDR) platform? What do they need to consider in a threat detection and response platform?  
One of the issues we see quite frequently is that customers hear of a new technology or a term in the market, like “XDR.” And then they come to you and say, “I want an XDR solution.” But first you must take a step back! 
What problem are you trying to solve? What challenges do your security teams have? What are you trying to achieve? You need to answer these questions first. And then look for the features that can actually solve the security problems in your specific environment. Because each environment is unique. Each customer has different requirements. What security solution works best in one organisation may not work that well in another. And the requirements might be different; the maturity of the customer might be different.  
Another example: a customer says, “I want a SOAR solution.” But if you don’t have proper sub-processes, if you don’t have playbooks, if you don’t have things to automate—you won’t get the value from an orchestration tool. You have to first build up in a phased approach, build the basics, and build on top of that. You should not skip steps. Because then you’re creating problems on top of the tool. It’s not giving you the output you want. You may not have the right teams or skills to operate the tools. Or you’ve detected something that you want investigated, but you don’t have <AUDIO HARD TO HEAR 9:23>. So it’s important to build from the ground up, and not skip steps to suit a trend in the market—especially when there’s a breach.
There are a lot of threat detection and response platforms available to enterprises. But why is the NetWitness Platform different in your opinion—what “weapons” does NetWitness deliver to help organisations win the cybersecurity war? 

The first differentiator is our technology. NetWitness is one of the only vendors in the market that has it all—logs, packets, EDR, orchestration, automation—in a single platform, from the same vendor, fully integrated. We’ve seen customers who buy the “best-in-breed” of each technology, and when they do that and it comes to practice, and they want full integration, it doesn’t work as well as they hoped for. So having everything natively integrated and working together, being able to navigate all the data from a single pane of glass, offers tremendous value.   

Being able to expand as your organisation matures in security operations, you can add more and more cybersecurity jewels. Adding automation. Adding orchestration. Adding machine learning. Whether we do it for you on-prem, or in the cloud, having all this technology is a huge plus compared to the competition. 

The second differentiator is our knowledge base. That we’re not just building a technology based on market trends. There’s a lot of influence from our own field response teams; we get recommendations and input from actual security practitioners, analysts, and security responders. So the people who use the NetWitness Platform are the ones who are providing essential, valuable feedback into the direction of the product and the solutions that are needed to make NetWitness better.
The fact that we use our own product for our own threat detection and response can benefit customers as well. We get to test innovations in the field and get feedback from actual investigations and detections of advanced threats and attacks. We build NetWitness with all this intelligence; not just a “good to have” set of features of what’s popular in the market. 
We’re built to fix actual problems and actual requirements of incident responders. The combination of our products and the services we offer that fortify those products is really a big plus for organisations.  

Extended Detection and Response (XDR) platforms: help or hype?  
You hear a lot about XDR and the customer quest for XDR. Every vendor has a different definition of XDR, and the customer gets hammered with different definitions. The problem is, they buy the hype and not the actual capabilities behind it. So I would look for, try to understand what problems the customer actually has, and see how XDR can help fix these problems, whether it’s called “XDR” or anything else. The important thing to know is that what you need today may evolve in 2, 3, 5 years. So the XDR platform you choose today should be able to expand to your requirements as you mature in the future. You need to be sure that your investments today will scale as your maturity grows. 

Last question, Halim. Looking to this new year, what do you think are some of the threat and attack tactics that nation states or bad actors may pursue in 2022 and beyond?
2022 will be an evolution of what we’ve been seeing in 2021. 
1) Ransomware. It’s still going to be a big problem. Bad actors are investing more in zero-days and even giving a share of the ransomware profits to accomplices to encourage bypassing preventative measures completely. RaaS (Ransomware as a Service) is already a big thing. These attackers are shifting the way they’ve been operating; they understand companies are taking more proactive measures. So they are investing in more advanced tools, techniques, and time to infect more machines and commit more dwell time (often 2-3 weeks before starting an encryption) within a customer’s environment.
2) Exploits. In the case of attacks like Log4j, there’s zero introduction by an end user. The moment your application is published on the internet and vulnerable, it’s game over. Get ready, because we can expect to see more of these types of exploits. Bad actors are becoming more flexible, more agile, and they adapt quickly to current trends.
3) Cloud. Governments and organisations here in the META market (unlike North America) aren’t as driven or ready to migrate their critical infrastructures into the cloud. While some applications are still being used via the cloud, and cloud migration is part of customers’ future roadmaps, many security ops in the META region prefer on-prem.
