In a world of state-sponsored threat actors, anyone who has an online presence is at risk, argues CounterCraft’s Head of Cyber Intelligence, Nahim Fazal. Yet security budgets, resources and the availability of talent have not kept pace with the growing sophistication and complexity of attacks. So how can CISOs prepare for this new cyber landscape?

We might not be able to reduce the number of attacks in the short term, but thanks to the objective data sets, inbuilt automation and pre-emptive intelligence incorporated in CounterCraft’s Cyber Deception Platform, we can limit their impact and put strategies in place to reduce attacks in future. We can work out who is attacking and why, so companies can pinpoint threat actors’ strategic objectives and align their cyber strategies accordingly. It’s like a game of chess, Nahim explains. Except there aren’t just pawns on the line.

In our interview with Nahim, we chat about the ever-evolving world of cyber, the importance of building a consensus in the boardroom, and how companies can move from check to checkmate.

You studied law at university. Who – or what – convinced you to move into the cyber security industry?

It was absolutely a case of being in the right place at the right time. I wanted a different challenge, so accepted a place on a mature grad programme at Halifax Building Society. While I was working as an online platform development engineer, we suffered our first phishing attack – only back then, it wasn’t called phishing! I was part of the team set up to deal with this new phenomenon. You can imagine how difficult it was trying to convince stakeholders to give us budget to deal with a problem that was entirely abstract. Suddenly I was interacting with the FBI, Europol and Interpol, and experiencing things I would never otherwise have been a part of.

How do you think a legal background prepared you for a career in cyber?

As a lawyer, you need to take complex, abstract ideas and break them down into their basic building blocks in order to explain – simply – what you’re talking about and why it matters. When we first set up the cyber security team at Halifax, everything was abstract! We’d never dealt with a cyber security incident before, and I had to explain complex cyber concepts to non-technical stakeholders.

What is it about cyber security that gets you up in the morning?

When I started working in IT, phishing was the most complicated form of cyber attack. We now see nation state threat actors attacking critical infrastructure and interfering in election campaigns. Attacks are constantly evolving, so we’re always learning.

The other reason I love working in cyber security is that as a cyber citizen, you get up in the morning and want to do your bit – however small and insignificant it may be – to help fight threats that have real world consequences and affect real people. It’s the drive to help our partners and their customers and connect them with critical services that gets me up in the morning.

And just because we’re nosy, what’s the last book you read?

Can I have two? I’m a book addict… One of my vices is that I always read two books at the same time – I share this affliction with CounterCraft Product Manager Richard Barrell. The two books I’ve just finished reading are The Milkman by Anna Burns and Fractured Destinies by Rabai al-Madhoun. And I would recommend them both.

Where do you go for the latest cyber security news?

I tend not to rely on one particular news source, as cyber is such a wide-ranging topic. Instead I set up Google Alerts to pull a very broad perspective that covers the technical aspects of cyber, malware, regulations, government laws and frameworks.

We’ve already touched on this, but how do you think the threat landscape has changed since you’ve been working in cyber security?

We’ve gone from very simple attacks by criminal groups to state-sponsored attacks. The reason why that matters is that nation states aren’t constrained by time, money, resources or the need to turn their ill-gotten gains into cash – they can simply collect data and probe day-in, day-out until they find a weakness. The complexity and sophistication of attacks has changed in a way we could never have envisaged 20 years ago.

How have businesses’ cyber security needs changed as a result? Do their needs differ across different industry verticals or in different locations?

We want to work with our customers and help them entrench cyber resilience into the DNA of their business. By doing this we can work with our business partners to enable digital growth and maturity, which will allow them to deliver services in a consistent, coherent and excellent manner. These high-level principles apply to all industry verticals and across all locations. What has changed is our awareness of threat actors and the complexity and severity of attacks.

Are there any industries in particular you think are under threat from attackers?

If you have an online presence, you’re at risk. There’s a mistaken assumption that attackers tend to go after the large organisations or those that may form part of the critical infrastructure chain, but what they will also look to do is exploit the weakest link in the chain of association and leverage their architecture or data sets in order to reach the target organisation. Each and every company needs to ask themselves “how do I qualify and quantify the cyber risk that faces my organisation?” And in order to quantify it and start thinking about the tools, workflows and people they need to put in place, they need objective data sets – and that is exactly what CounterCraft can provide.

So how can deception platforms, like CounterCraft’s, help CISOs protect their companies from cyber attacks?

The data is collected and delivered in an automated manner, alleviating a key pain point (the lack of technical resources) for our customers. The data collected will identify attackers that have breached a customer’s existing security real estate in real time. Once the attacker has been detected, both their technical and non-technical behavior is mapped, allowing security teams to get ahead of the attacker and helping them to understand where else the attacker may be in the network.

We also help customers to understand what tools, tactics and procedures are being deployed against them and deliver indicators of compromise, scaling the technical capacity of our customers – the ability to detect attackers more quickly and with fewer resources, resulting in significant cost savings when compared with other security tool sets.

Finally, we have the ability to deliver real-time, client-specific threat intelligence that connects the intelligence dots. Good intelligence should paint a vivid picture that informs the end user of the intelligence who, what, why and how. The CounterCraft tool helps customers answer these questions in an automated and real-time manner. All these key strengths of the solution feed back to one fundamental concept: cyber resilience – how can we help our customers stay online and deliver critical business services in the face of sustained and complex attacks.

How important is it to provide companies with personalised threat intelligence?

It’s absolutely critical. Personalised threat intelligence is threat intelligence with the dots connected, ready for you to put into a risk framework and add a layer of interpretation. It means we’re delivering intelligence in the most complete manner possible.

What do companies need to think about before establishing a threat hunting programme?

They need to think about the fundamental question they’re trying to answer, what it is they’re trying to achieve and – if CISOs are to build a consensus and achieve board buy-in – whether the business actually wants them to do it. CISOs need to ask whether stakeholders have any vested interest in the outcome of the activity and what business benefits it will deliver.

Dan Brett, CounterCraft’s Co-Founder and CSO, said that 2019 would be the year CISOs finally secure their position at board level. Do you agree?

I think Dan was right – CISOs have got to the board, but now they need to speak the language of the board. They shouldn’t be pushing security for security’s sake: they need to explain how increased investment in platforms like CounterCraft will enable growth, boost revenue and increase customer satisfaction. The narrative needs to change to focus on cyber security as a growth enabler.

Are there any trends on the horizon you think have the power to shake up the industry?

Yes, I think that in the longer term we will see AI being used against organisations to launch attack cycles that are self-autonomous and able to evade defences intelligently.

And how do you see the industry continuing to evolve and shift in response to new threats and technologies over the coming years?

The message that comes back from end users and industry is simple: with limited budgets and resources, we can’t expect security teams to be in the business of fighting cybercrime every single minute of the day. So it’s not just threats that are causing the industry to evolve, but also the lack of budgets and resources. CISOs are also constrained by the ability to acquire – and retain – talented resources.

If we can scale through automation, limited resources become less of a challenge. A key focus for us at CounterCraft is therefore the degree of automation that we have built into our tool to alleviate the resource constraints our partners face, and to provide clean, clear, concise data, with all of the dots connected, so our customers can make informed decisions about the best course of action in the interests of their organisations.