Interviews | February 12, 2020

Social Engineering Cause for Most Data Breaches

Roger A. Grimes
Data-Driven Defense Evangelist


Q1. What really is data driven defense? How can it help enterprise organizations deal more effectively with social engineering, spear-phishing and ransomware attacks?

It's a way to better align the right defenses against the biggest threats in the right amounts and places. It's about better risk management. It's about being able to see that most of the things you are being told to worry about aren't really threats. It's about learning how to concentrate on the right threats successfully attacking your organization the most and ignoring all the noise. It's about focusing on the root causes of initial exploits. For example, ransomware isn't your problem; it's how ransomware got in. Was it from social engineering and phishing, unpatched software, or a misconfiguration, and so on? It's about recognizing what your true biggest threats are, using your organization's own data, and then communicating that to the rest of the organization so you can most efficiently fight cybersecurity risk the fastest and cheapest. It's the way everyone should have been doing computer defense from the start.

Q2. What do you see as some of the biggest trends around email phishing and social engineering attacks?

The biggest trends are the same biggest "trends" for the last thirty years; and that is that social engineering and phishing will still be the number one way most malware and hackers break into an organization, accounting for 70% to 90% of all successful data breaches, followed by unpatched software (20% to 40%). Every other root cause added up all together equates to just 10% of all risk. So, if defenders don't concentrate on stopping the number one and number two biggest threats, nothing else matters.

What worries [me] the most from a defender standpoint? Firstly, most defenders don't understand what they really should be defending against. They are worried about so many things at once that they lose sight that just two of those root causes, social engineering and unpatched software, account for 90% of the risk, to which they probably devote less than 10% of their time and resources. It's a serious fundamental misalignment that underpins the reason why most people's computer defense can easily be compromised. Secondly, ransomware is taking a distinctly more malicious turn right now, this minute, from simply encrypting data and computers to data and credential theft. They are essentially gathering the most important things in any organization and holding it hostage against leaking to your competitors and to the public. Imagine every company email out there on the Internet—like Sony Pictures experienced from the North Koreans a few years ago.

Ransomware gangs have learned that the most important thing they had was admin access, and encrypting data and holding it hostage was the least thing they could do. We thought ransomware was bad already, but based upon the changes we are seeing right now, I believe we will think of ransomware that only encrypted data as not-so-bad, like the "good ole' days".

Q3. What is KnowBe4's main messaging at Black Hat Asia 2020? What do you want those attending the show to take away from your company's presence at the event?

Seventy to ninety percent of all malicious data breaches occur because of social engineering. And no matter what your technical defenses are (firewalls, anti-virus software, content filtering, DMARC, etc.) or what you do to try and stop it from reaching your end users, some of it will reach your end users. And so your end users have to be prepared with security awareness training on how to recognize phishing and social engineering attacks and how to handle them. You want to create a culture of healthy skepticism, where people don't automatically click on most things and where they report attempted attacks to the IT security department so the IT security department can get involved more, if needed.

Deepak Balakrishna
CTO, SaaS Security


Q1. How has Qualys' purchase of Adya helped enterprises? What new capabilities will the acquisition allow Qualys to deliver?

Qualys is a pioneer in cloud security solutions with a comprehensive platform for security and compliance that covers all parts of a company's environment—laptops, servers, networks, edge devices, cloud, etc. The Qualys Cloud Platform provides 19 apps offering an end-to-end IT security solution that provides users with a continuous, always-on assessment of their global security and compliance posture, with 2-second visibility across all their IT assets, wherever they reside.

The SaaS security compliance software focuses on management, security and compliance of SaaS applications such as MS Office 365, Google G Suite, Slack, GitHub, etc. As enterprises rapidly move to SaaS applications to power their businesses, IT teams are confronted with several problems related to managing and securing these cloud applications. There are many ways by which data can get shared—maliciously or inadvertently—from these SaaS applications, and IT has no idea of how critical data is being exposed. This technology complements Qualys' platform and will expand its reach to cover security and compliance of SaaS applications.

Q2. What are some of the biggest challenges organizations face when it comes to managing the security of their SaaS environments?

The ongoing Digital Transformation is driving enterprises to rapidly move to SaaS applications to power their business. As this occurs, IT teams are confronted with several problems related to managing and securing these cloud applications. First, each new app increases the workload on already stressed IT teams to learn yet another tool that they have to manage. Second, as the number of tools grows and the company purchases these potentially expensive SaaS subscriptions—typically paid on a per-month basis—IT loses track of what licenses are commissioned and which ones are being used.

Lastly, and most importantly, there are many ways by which data can get shared—maliciously or inadvertently—from these SaaS applications. What's more, IT has no idea how or if critical data is being exposed. In one case, an ex-employee had shared all of the documents he owned with his personal Gmail address before leaving the company. At that same company, a consultant who had worked with the company more than two years previously still had access to over 100,000 documents. The IT team had no idea this was happening. These problems are becoming ever more rampant as companies continue to expand on their use of SaaS applications.
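The two cases in the answer above (a departing employee bulk-sharing documents to a personal account, and a consultant whose grants were never revoked) are exactly what a periodic audit of exported sharing metadata is meant to surface. The Python below is an added example written for this page; it is not Qualys or Adya code and does not use their data model. The record layout, the corporate domain example.com, the reference date, the 90-day idle threshold and the "3 files in 7 days" bulk-share rule are all assumptions, and the sample rows are constructed to mirror the interview's two cases.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CORP_DOMAIN = "example.com"   # assumed corporate domain (hypothetical)
AS_OF = date(2020, 2, 12)     # reference "today" for the stale-access check (assumed)


@dataclass(frozen=True)
class Share:
    """One (file, grantee) permission as a SaaS admin export might list it (hypothetical layout)."""
    file_id: str
    owner: str         # file owner inside the tenant
    grantee: str       # collaborator e-mail, or "anyone" for link sharing
    role: str          # reader / writer
    granted: date      # when the permission was created
    last_access: date  # last time the grantee opened the file


# Constructed sample records, not real tenant data: dave shares four files to a
# personal Gmail account in two days, carol's consultant still holds grants from 2017.
SAMPLE = [
    Share("f1", "alice@example.com", "bob@example.com", "writer", date(2019, 11, 1), date(2020, 2, 10)),
    Share("f2", "dave@example.com", "dave.personal@gmail.com", "reader", date(2020, 1, 28), date(2020, 1, 29)),
    Share("f3", "dave@example.com", "dave.personal@gmail.com", "reader", date(2020, 1, 28), date(2020, 1, 29)),
    Share("f4", "dave@example.com", "dave.personal@gmail.com", "reader", date(2020, 1, 29), date(2020, 1, 29)),
    Share("f5", "dave@example.com", "dave.personal@gmail.com", "reader", date(2020, 1, 29), date(2020, 1, 29)),
    Share("f6", "carol@example.com", "consultant@contractor.example", "writer", date(2017, 9, 12), date(2017, 12, 20)),
    Share("f7", "carol@example.com", "consultant@contractor.example", "reader", date(2017, 9, 12), date(2017, 11, 3)),
    Share("f8", "erin@example.com", "anyone", "reader", date(2020, 2, 1), date(2020, 2, 11)),
]


def grantee_domain(addr):
    """Domain part of an e-mail; for link sharing the literal grantee ("anyone") is returned."""
    return addr.rsplit("@", 1)[-1].lower()


def is_external(share, corp_domain=CORP_DOMAIN):
    return grantee_domain(share.grantee) != corp_domain.lower()


def external_shares(shares, corp_domain=CORP_DOMAIN):
    """Every grant to an identity outside the corporate domain, link shares included."""
    return [s for s in shares if is_external(s, corp_domain)]


def stale_grants(shares, as_of=AS_OF, max_idle_days=90):
    """Grants whose grantee has not opened the file for more than max_idle_days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [s for s in shares if s.last_access < cutoff]


def bulk_share_candidates(shares, corp_domain=CORP_DOMAIN, window_days=7, min_files=3):
    """(owner, external grantee) pairs where one owner granted at least min_files distinct
    files to the same outside identity within window_days: the pre-departure pattern."""
    by_pair = defaultdict(list)
    for s in external_shares(shares, corp_domain):
        by_pair[(s.owner, s.grantee)].append(s)
    flagged = []
    for pair, grants in sorted(by_pair.items()):
        files = {g.file_id for g in grants}
        span = max(g.granted for g in grants) - min(g.granted for g in grants)
        if len(files) >= min_files and span.days <= window_days:
            flagged.append(pair)
    return flagged


def audit(shares, corp_domain=CORP_DOMAIN, as_of=AS_OF):
    """Summary an admin can act on: what is exposed, what is forgotten, who is bulk-sharing."""
    ext = external_shares(shares, corp_domain)
    return {
        "external": sorted(s.file_id for s in ext),
        "stale_external": sorted(s.file_id for s in stale_grants(ext, as_of)),
        "bulk_share": bulk_share_candidates(shares, corp_domain),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

The three checks are deliberately separate: an external share is not necessarily wrong (partners exist), a stale grant is a revocation candidate whatever the domain, and the bulk-share rule is the one that would have raised the ex-employee case while he was still an employee. In practice the records come from the SaaS provider's admin or audit API, and the thresholds should be tuned against the tenant's own sharing baseline.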

Q3. Why is it important for Qualys to be at Black Hat Asia 2020?

Qualys is a cybersecurity pioneer active in the industry since its founding in 1999, and promoting the industry as a whole and helping companies secure their IT environment has always been a focus for Qualys. Additionally, Black Hat Asia is one of the most influential events in the region, and it allows us to meet with some of our more than 12,000 customers and to showcase our latest solutions.

This year we'll be showing our recently announced next-generation vulnerability management solution, VMDR – Vulnerability Management, Detection and Response. VMDR is a single Cloud App that can identify in real time any device that connects to your network. VMDR seamlessly creates a Global Asset Inventory across on-premises, endpoints, cloud(s), containers, web applications, APIs, mobile and OT and IoT environments. It easily maintains Asset Groups, identifies vulnerabilities in real time and prioritizes them with precise and powerful algorithms, and finally remediates vulnerabilities via the new Qualys Patch Management solution. This workflow, accomplished from a single console with orchestration built-in, drastically reduces exposure time, saves precious human resources, and allows consolidation of the stack in record time. Deployment for the cloud-based app is simple, and pricing is asset based, which makes it easier to procure.
