Every company does them: a recap of the year (ransomware!) or predictions for the new year (ransomware!). Rather than putting out something generic from Red Canary, we interviewed our CEO, CSO, and CTO to get their take on the security industry and provide some helpful recommendations on how to improve your security in 2017.
What do you think some of the big trends in the security industry will be in 2017?
Brian Beyer, CEO: I think we’re going to see security teams continue to get better at identifying the gaps in their security and evaluating what people and technology they need to improve their security. Some of that will be internal, some with outsourced partners.
I think people will also begin to realize that what security products actually deliver is far different from what they’ve been marketed to do. From what we are hearing from organizations, they are confused and frustrated. Take “AV” and “next gen AV” for example. These shouldn’t be separate. They may use different techniques, but they’re filling the same need in your security program: preventing attacks. What really needs to happen is for everyone to stop calling everything “next gen” and just clearly explain the value their solutions provide. I am hopeful that organizations will start to push back on the silly marketing and force vendors to accurately market themselves in 2017.
What types of threats will increase in prevalence in 2017?
Keith McCammon, Chief Security Officer: Ransomware. There, I said it!
In the past, financially motivated attacks focused heavily on banking fraud, which has a relatively low infection rate as a percentage of all malicious emails or exploit kit visits. Banking fraud yields dollars per infection most of the time, but these dollars do add up. Now, attackers are reusing the same vectors that they know are successful—email and exploit kits—but the per-victim yield is orders of magnitude higher. Victims’ data is literally held hostage, and more than enough folks will pay. So, that relatively low infection rate that yielded a good return in 2015 with a banking fraud payload yielded a great return in 2016.
Even more concerning than opportunistic ransomware attacks affecting individuals are targeted ransomware attacks affecting businesses. These attacks use traditional breach tactics: access tools followed by lateral movement. But in addition to data exfiltration and other known objectives, they’re able to throw a switch and lock up an entire enterprise at once. Depending on the nature of the business, even a few hours of downtime may cost orders of magnitude more than a five-figure ransom. These attacks are and will be huge money-makers.
Attackers will also continue to heavily leverage native utilities. It is getting increasingly difficult to land a traditional binary first-stage payload, but at the same time automation and management utilities—Powershell, WMIC, etc.—are becoming increasingly powerful and also increasingly well understood. We’ll still see a lot of malware thrown around, but it will be delivered and executed in increasingly clever ways.
Watch our on-demand webinar with Keith McCammon and Carbon Black: PowerShell Abuse: Good Tool Gone Bad
What approaches will put companies in the best position to defend against the threats of 2017?
Chris Rothe, Chief Technology Officer: So much of it comes back to IT. Keith talked about ransomware; let’s take that as an example. The best protection against ransomware is having good backups and fast recovery procedures that you test regularly so that when you’re hit by an attack, you’re not losing money every second while you scramble to buy bitcoin. Losing data due to a ransomware attack is not a security failure; it’s an IT failure.
Exactly. Everyone’s really focused on technical controls, which is how we end up with “next-gen” everything. What we need to be thinking about is next-gen IT. For every minute that you spend thinking about security, you should spend four minutes thinking about IT service management, which should include security best practices. You can go broke buying security solutions to address every conceivable problem, or you can start identifying and fixing more of the problems themselves.
What about new security tools? How should businesses decide what technologies to invest in next?
The best way to decide what technologies to invest in is to know what the gaps are in your existing security program and understand the risk associated with them. If you have a good handle on what’s in your environment, good partners, and good visibility, you’ll have a much better ability to judge whether a piece of technology will actually make a difference for you. Any vendor can give you a slick demo, but only you can determine what makes sense from a value standpoint. No tool or technology is a silver bullet; you have to put time into it to get value out of it. If you don’t understand the incremental difference a piece of technology can make, it’s not worth the investment.
Learn more about assessing impact in Chris’s blog: Can thinking backward move your security forward?
Most businesses still overspend on tools. I believe there are three things that can be applied to any given problem—people, process, and technology—and a lot of businesses tend to focus on technology. They say: “I have a problem, what technology can I buy to make it go away?” That fact that you specifically ask about technology as part of the question speaks volumes. That’s what we hear from customers and prospects every day. It’s not a natural tendency to step back and ask: What else will this technology cost me aside from the initial investment? How much will we spend to tune it, maintain it, and respond to what it tells us? How will we measure its efficacy? Much of the time, the answer is as simple as asking your people to take a closer look at the data that they already have, and build a process that allows the business to use that data to address an identified risk.
What are your biggest priorities in 2017 for Red Canary?
My biggest priority is ensuring we continue to deliver exceptional quality and intimacy with our customers even as we grow our team and defend more companies. Saying “we make your security better” is not a marketing slogan. It’s actually what we do.
We have a huge opportunity to grow at a very fast rate. My priority is helping us grow as fast as we can while keeping the highest level of customer relationships and detection and response quality. As we scale our teams, we make sure the growth model is something we all feel comfortable with. At the end of the day, it’s about making sure the size of our customer base fits our ability to maintain the quality standard we hold ourselves to. We won’t sacrifice our customers’ security for growth. We’re very stubborn about that.
For me, it’s all about figuring out how to help customers do a better job understanding risk. We’re very heavily focused on detection and visibility, and those are very difficult, evolving problems. We’ll never stop working on them, and we’ll always have something new to understand or learn.
In the meantime, we can complement our efforts there by using what we know about each customer, and about our customers at-large, to help them understand and measure risk. It’s easy for customers to look at things like number of alerts over time, but that tells them nothing about their exposure to risk. Which attack vectors are trending, and what new techniques or controls do businesses need to create to address them? Understanding and measuring this is very difficult, even for a company full of people who think about security and risk all of the time. For most businesses, this is a completely unapproachable problem, and one for which no elegant, affordable solution exists.
So customers are the priority across the board. What’s your biggest hope for 2017?
Nothing would make us happier than a bunch of people calling and talking to our Technical Account Managers—just having really good conversations about security and their 2017 goals. I would love for the team to get a deluge of phone calls from people asking what they should do with their security programs. Call, email, Tweet, whatever. Maybe we’ll create a 1-800 line just for security advice and send it to Keith’s cell phone.
I was actually going to say the same thing. We legitimately care about making companies’ security better. I always tell people to reach out and be friends with us. We don’t charge for consulting and we don’t resell any products so we’re unbiased. Not enough people take advantage of this. (sad face)
I hope that our customers continue to challenge us in thoughtful ways. Everything we do is and always has been customer-driven. We’ve been really lucky that we have customers along the entire spectrum of security maturity, from businesses that are just getting started to those that are part of a giant enterprise. And each of these customers has challenged us by bringing us real-world security problems that have helped to evolve and improve our offering. Bring us your problems and questions. Our entire organization is at our customers’ disposal. The harder they push, the better we all become.
Last but not least…what are you hoping to get for Christmas this year?
My Christmas list is small and mostly beverage-focused: coffee and cocktail accessories. Aside from that stuff, I really want to find a nice, new notebook. I’m somewhat of a notebook junkie.
If Keith’s a notebook junkie, I’m a movie junkie. My Black Friday tradition is stocking up on Blu-rays and I’m a few speakers away from wrapping up my complete 9.1.4 home theater build.
I want some snow! I bought a truck with a snowplow for my 800-foot driveway and it hasn’t snowed once since I bought it.
Editor’s Note: Colorado received 6 inches of snow the day after this interview took place. Chris must have been good this year.