Interviews | April 9, 2021

Organizations Need to Pay Attention to Human Layer of Security

KnowBe4 | Qualys

Perry Carpenter
Chief Evangelist and Strategy Officer


Q1. A recent survey showed that a majority of organizations are only making a half-hearted effort on employee security awareness and training programs. Is that something that KnowBe4 has observed as well? In your opinion how widely—and how effectively—are organizations implementing these programs currently and what's driving the trend?

We see that trend as well. The biggest problem is that many organizations either can't or won't dedicate sufficient effort in this area. They hope that their technical defenses will be enough. But — sadly — we see the steady stream of breaches continue.

I think that most organizations that don't focus on the human side are either under the impression that they can't change human behavior, that awareness programs are too much effort, or that they can just throw together an annual training exercise to pay lip service to awareness. All of these assumptions are wrong. Many of the offerings from the vendor community for security awareness can help by providing quality training, following behavior management principles, and automating the delivery of training to end users in bite-sized chunks over time.

There is good news, however. Many audit firms, regulators, and international standards are beginning to set the bar higher. They know that organizations need to pay attention to their human layer of security. One great example we saw recently was in the newest revision of NIST SP 800-53 (rev 5), where they modified their recommendation for security awareness by adding a provision for simulated phishing testing. They recommend simulated phishing that helps prepare employees for real-world threats – this means no-notice phishing testing across several different template types.

Q2. In your experience what are the biggest roadblocks to implementing an effective enterprise security awareness program? What's the best approach to addressing these roadblocks?

The biggest roadblocks tend to come in three areas: organizations that believe they can do it all themselves—but refuse to really dedicate themselves to the task; lack of executive buy-in; and a half-hearted approach.

On [the first point]: some organizations believe that they can do it all themselves. But they don't understand how to make security awareness training successful. They may have good intentions, but they don't understand communication theory, adult learning principles, or behavior science. The result is ineffective communication that alienates their audience, wastes everyone's time, and leaves the organization at risk — or perhaps even worse: with a false sense of security. Additionally, some organizations do actually make a good run at it; but then find that it is challenging sustaining the effort of creating great video content, newsletters, surveys, testing protocols, and more.

Of course, executive buy-in is also critical, but often not present if the executive team doesn't believe that humans can be effectively trained or if the executive team believes that they themselves are above being trained. An effective security awareness program is about so much more than just sending out videos and training modules; it's about working with the overall security culture of an organization. Some executives don't understand or appreciate that fact.

Half-hearted approaches also set up organizations for failure or unmet expectations. Here's the reason: a half-hearted approach will be reflected in low-budget and low-energy programs. Employees will immediately detect that the organization doesn't really value awareness and so they will treat the trainings, events, and so on as quick 'check the box' exercises rather than meaningful interactions.

The best way to deal with all of these roadblocks is to educate the executive team about the value of awareness and what a good program looks like. The organization needs to understand human risk and that there are some great tools within the vendor community that can help manage human risk in a meaningful way.

Q3. What does KnowBe4 plan on highlighting at the Black Hat Asia 2021 virtual event? What is your key message for enterprise organizations at the event?

KnowBe4 is thrilled to be a Diamond Sponsor again this year at Black Hat Asia 2021. We have two IT Industry experts speaking at the show, Roger Grimes, Data-Driven Defense Evangelist, and Jacqueline Jayne, Security Awareness Advocate at KnowBe4.

They will dive into important topics for security leaders today around social engineering and phishing with their sessions "How to Forensically Examine Phishing Emails to Better Protect Your Organization" and "Levers of Human Deception: The Science and Methodology Behind Social Engineering". You won't want to miss these informative and actionable sessions.

Also, be sure to stop by our virtual booth to meet our staff and discuss how we can help you manage the ongoing problem of social engineering, spear phishing and ransomware attacks by securing your last line of defense.

Attendees can check out all the KnowBe4 activities by visiting:

Dietrich Benjes
Vice President and General Manager, Asia PAC


Q1. What have breaches such as the one at SolarWinds and Accellion revealed about the kind of cyber threats/cyber risks that enterprise organizations are likely to face in the years ahead? What capabilities are organizations going to require in order to prevent, detect and respond to such attacks in a way as to minimize damage?

As we know well, there have certainly been many headlines this year involving "supply chain" breaches. This news should serve as a reminder to us all to be extra diligent in evaluating suppliers and their security practices to ensure the protection of intellectual property and customers' data. In the end, as any good security practitioner would preach, prevention is not 100%, zero days are unavoidable, and a defense-in-depth strategy is necessary to protect yourself the best you can.

We were victims, along with many others, of the Accellion FTA zero-day attack. What helped us minimize the impact was proper network segmentation, immediate vulnerability detection, fast patching, identification of indicators of compromise, and a well-prepared playbook, which significantly improved our time to remediation and containment speed.

The more we all can combine signals from different sources, add context and realize incident-driven awareness by mapping to the MITRE ATT&CK Framework, the better off we will be. Emerging security platforms with contextual awareness will bring value over disparate tools stitched together.

Q2. What impact has the accelerated adoption of cloud and SaaS applications over the past year had on enterprise security? Where do the biggest gaps exist today in enterprise capabilities to deal with cloud security threats?

As more and more workloads move to the cloud, it has increased the overall attack surface. Shared security models with your Cloud Service Provider are still being understood, and while the basic controls are the same as in your on-premises world—vulnerability management, identity and access management, network security, endpoint protection, etc.—the target environments are completely different. Endpoints are going from boxes to virtual to serverless. Networks are now software defined. Workloads are ephemeral and ever-changing. Development is shifting left, and expectations for security are that it is built in, not bolted on.

This change in environment for cloud and SaaS applications requires new solutions from security vendors. As network perimeters have eroded, it makes more sense for security tools to be cloud-based too. Rapid updates, reaching ever-increasing remote endpoints, service availability and disaster recovery are all taken care of by the vendor. Still, data centers are not going away anytime soon, so hybrid solutions are required for the majority of enterprises, and DevSecOps requires a level of automation and integration that was not thought of 20 years ago. And as the sudden shift to remote workers caused companies to move quickly to SaaS applications, we must remember that these applications are prime targets for attackers, as they hold tons of valuable data.

Lastly, unless you are a cloud-only company, try to avoid buying a completely new set of security solutions for your cloud and SaaS environments. Having a consolidated view of your entire estate and familiar tools can eliminate or at least help reduce gaps in coverage.

Our world is changing, and attackers are getting more sophisticated in their approach. Fortunately, security vendors hire smart people too. With the right defense-in-depth strategy and appropriate funding, risk can be managed.

Q3. What do you expect people will want to hear about from Qualys at the Black Hat Asia 2021 virtual event? What is Qualys' main focus going to be at the event?

We are excited to be sponsoring this year's event, and as it's virtual, this allows many more people to participate. At Black Hat Asia, Qualys is focusing on the value we can bring to customers through one platform, one agent and one view delivering a single IT, compliance and security solution – from prevention to detection to response.

While Qualys is known for its market-leading Vulnerability Management, we have worked over the last several years to build a cloud-based platform to power our solutions. The Qualys Cloud Platform is FedRAMP certified and indexes over 8 trillion data points on Elasticsearch clusters, processes 2+ trillion security events per year, and performs more than 6 trillion IP scans and audits per year.

On the application side, we've added visibility to our platform by way of a free offering, Global IT Asset Inventory, to provide visibility across all devices and environments. We also expanded vulnerability management with the launch of Qualys VMDR (Vulnerability Management, Detection and Response), bringing built-in orchestration and allowing users to discover, assess, prioritize and patch critical vulnerabilities all from a single application. We've also leveraged this model to provide similar capabilities for SaaS security and compliance with the introduction earlier this year of Qualys SaaS Detection and Response.

Qualys now has more than 20 applications running off our cloud platform helping companies of all sizes to reduce their overall TCO for security and bringing valuable context and insights to risk management and compliance. We invite you to stop in and learn how you can eliminate silos and consolidate your IT, compliance and security stacks into a single platform.
