Interviews | October 28, 2019

Security Awareness Campaigns Should Focus on Changing Behaviors

Javvad Malik
Security Awareness Advocate


Q1. What is the biggest challenge organizations face when it comes to making employees aware of cybersecurity issues? What are the most common mistakes they make when implementing security awareness programs for employees?

The biggest challenge when it comes to security awareness is the fact that we are dealing with human behaviors, and changing behaviors can take a long time.

If we look at any campaign that has sought to change behaviors, such as drunk driving, or recycling, we see that these have taken a long time to implement through constant repetition over time.

Similarly, security awareness should be thought of as a marketing campaign that is looking to change behaviors. This means focusing on the top two or three behaviors you want to change, then, like a marketing campaign, building out memorable and easy-to-implement messaging across a variety of mediums, be that video, posters, email reminders, games, and so forth. Once that is in place, the key is to remain consistent and understand that behaviors won't change overnight.

Too many companies make the mistake of running one phishing campaign, or putting up one poster on the wall during security awareness week and then wonder why they don't get to see any change.

Another mistake many companies make is relying on technical security experts to create and deliver the content. While there is no doubt these professionals understand the domain and all the intricate details, they are not always best placed to convey these concepts in an easy-to-understand manner to the masses. That is why it is important that security professionals work closely with marketing and communications teams to refine their messages into simple terms, and obtain the best content available that matches the company culture for learning.

Q2. What was the impetus for KnowBe4's decision to introduce a 'Women in Cybersecurity Scholarship' in partnership with the Center for Cyber Safety and Education?

Women have been discouraged from going into technical fields for decades and we thought this would be a good opportunity to encourage more women to go into cybersecurity and make it possible by funding the training. We also wanted to support the efforts made by the Center for Cyber Safety and Education and the good works they are doing.

The seeds of this decision were sown long ago, and are part of the fabric of KnowBe4. The company has an almost even ratio of men and women employed, and has also been recognized by Work and FORTUNE as one of the 2019 Best Workplaces for Women.

As a company, KnowBe4 sees the great benefit of having a diverse workforce, and it is something that it will continue to support.

Q3. What do you want those attending Black Hat Europe 2019 to know about KnowBe4? What is your main messaging at the event?

The human layer is an essential part of security that can't be overlooked. It is unrealistic to expect that technical controls can secure an organization when it is humans that make key decisions and drive the day-to-day operations. Technology is no replacement for humans, nor can you expect technology to make critical decisions needed across diverse businesses.

This is a particularly key consideration given the fact that many attacks against the human don't even have a technical component that can be detected by a technical control. Rather, they are designed to fool the individual into carrying out some action that is in the interest of the attacker.

To address this, users need to be challenged with engaging content on a regular and ongoing basis that will enable them to make better security decisions, so that they can better protect themselves and their organizations.

Frequent social engineering testing, backed up by good and relevant training will help create a strong security culture throughout the organization, where adopting good security practices becomes the normal practice.

Marco Rottigni
Chief Technical Security Officer


Q1. What are some of the biggest security challenges raised by enterprise digital transformation efforts? Typically, where do the biggest gaps in capability exist?

The digital transformation journey that many companies undertook has [significantly increased] the digital biodiversity within organizations. Cloud adoption, enterprise mobility, DevOps, application containerization, IoT and OT are just examples of how diversified, expanded and complex this landscape became.

The biggest challenge afflicting security practitioners and professionals is definitely the lack of visibility. Because you cannot assess, you cannot secure. You cannot protect what you do not see or what you do not know exists. This missing visibility is causing side effects such as unwanted exposure of sensitive data, due to incorrect or incomplete configurations of storage in cloud environments. Too often we read news of data leaks because a cloud archive or bucket was left unprotected, or because a list of authorized IPs was not restricted, or even because database instances were left with default credentials.

[Data leaks can happen] because the relationship between resources in the cloud are not fully understood and secured [or] maybe because a group of containerized applications had a vulnerable surface or they drifted too much from the original image instead of remaining immutable as they should. That cheap batch of smart bulbs might pose a security issue by broadcasting geolocation information and the list of SSIDs they see to a server in another continent to help analytics of the manufacturer. [So could] smart IoT devices such as a Bluetooth and Wi-Fi enabled digital toothbrush [that] connect to a corporate network getting credentials from the smartphone of an employee.

Visibility remains the capability where the biggest gaps are still there. It becomes the capability that every organization strives to achieve.

Q2. How can the security team ensure that it gets involved in enterprise digital transformation projects early in the planning stages and not at the very end of it?

There is only one possible approach: have the security built-in and not bolted on. As much as this sounds like a fluffy marketing slogan, it can gain tangibility and great value when properly implemented and executed.

Let's take for example the DevOps world: how to turn it into DevSecOps instead of the more frequent... DevOoops?

Security should become non-intrusive [and] not perceived as an obstacle to overcome. It should become ergonomic to the process.

A technique could be to integrate it with commonly used tools within the CI/CD pipeline, such as Jenkins, CircleCI, Bamboo, etc. When the developers commit the code from one stage (e.g. coding) to the next (e.g. QA), this integration will leverage APIs to trigger a dynamic application security testing to verify and assess the vulnerable surface within the committed code. If the severity of vulnerabilities is too critical (as in "remotely exploitable"), then the build process will fail and the build report will contain indications about remediation. This approach not only blends the security within the process, but also provides developers with the needed autonomy and context to remediate the vulnerable code.

Another example relates to cloud adoption with a PaaS paradigm. Visibility in this environment is a real challenge, because of the volume, velocity and variance of the instantiated resources and their interconnections, potentially in a multi-provider cloud landscape. While a traditional approach based on scanning or deploying agents would fail, security can be once again built-in by connecting via an API-based connector the cloud accounts with a security solution. Such a solution would provide instant visibility across all the instantiated resources, how they are inter-related and even overlaying security controls (e.g. CIS) with the purpose of validating compliance and exposing remediation when it fails.
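The pipeline gate described in the answer above, as an added example that is not part of the interview and not Qualys' own integration code: a CI step takes the scan report produced after a commit, blocks the build when a finding is both severe enough and remotely exploitable, and writes the remediation hints into the build report so the developer can fix the code without waiting for the security team. The JSON report shape, the `Policy` thresholds and the QA hostname are assumptions constructed for the example; real scanners each have their own output format and the parsing would be adapted to it.

```python
"""Pipeline security gate: fail the build on severe, remotely exploitable
findings and put remediation guidance in the build report.

Added example; the report format below is a constructed, generic one, not the
output of any particular scanner or of Qualys' own CI/CD integrations."""
import json
import sys
from dataclasses import dataclass

# Constructed sample report, shaped like what a DAST step might hand back.
SAMPLE_REPORT = json.dumps({
    "target": "https://qa.example.internal",   # hypothetical QA host
    "findings": [
        {"id": "F-1", "title": "SQL injection in /search?q=", "severity": "critical",
         "remotely_exploitable": True,
         "remediation": "Use parameterised queries; reject non-alphanumeric input."},
        {"id": "F-2", "title": "Missing HttpOnly on session cookie", "severity": "medium",
         "remotely_exploitable": False,
         "remediation": "Set HttpOnly and Secure on the session cookie."},
        {"id": "F-3", "title": "Verbose server banner", "severity": "low",
         "remotely_exploitable": True,
         "remediation": "Suppress the Server header."},
    ],
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    fail_at: str = "high"           # minimum severity that can block the build
    require_remote: bool = True     # only block if the flaw is remotely exploitable


def severity_of(finding):
    return SEVERITY_RANK.get(str(finding.get("severity", "info")).lower(), 0)


def blocking_findings(findings, policy):
    """Return the subset of findings that, under the policy, must fail the build."""
    threshold = SEVERITY_RANK[policy.fail_at]
    out = []
    for f in findings:
        if severity_of(f) < threshold:
            continue
        if policy.require_remote and not f.get("remotely_exploitable", False):
            continue
        out.append(f)
    return out


def build_report(report, policy):
    """Return (build_failed, report_text) with every finding and its fix listed."""
    findings = report.get("findings", [])
    blocking = blocking_findings(findings, policy)
    lines = [f"Security gate for {report.get('target', '?')}: "
             f"{len(findings)} finding(s), {len(blocking)} blocking"]
    for f in sorted(findings, key=lambda x: -severity_of(x)):
        tag = "BLOCK" if f in blocking else "warn "
        lines.append(f"  [{tag}] {f['id']} {f.get('severity', 'info'):<8} {f['title']}")
        lines.append(f"           fix: {f.get('remediation', 'no guidance recorded')}")
    return bool(blocking), "\n".join(lines)


def run_gate(report_json, policy=Policy()):
    """Print the build report and return the exit code the CI step should use (0 = pass)."""
    failed, text = build_report(json.loads(report_json), policy)
    print(text)
    return 1 if failed else 0


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(run_gate(raw))
```

Run as `python gate.py scan.json` in the stage that promotes code from coding to QA; a non-zero exit fails the stage, and the printed report is what the developer reads in the build log. The `require_remote` flag is the knob the answer alludes to: a high-severity issue that is not reachable from outside still appears in the report, but only a remotely exploitable one stops the build.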

Q3. What does Qualys plan on highlighting at Black Hat Europe 2019? What are you hoping enterprises will take away from your organization's presence at the event?

Because visibility is the challenge with the biggest gaps, Qualys [will] grant augmented visibility to everyone with a free Global IT Asset Inventory app for unlimited devices.

[The Qualys solution] is grounded on a range of specialized sensors deployed across the IT landscape with different form factors such as network scanners, passive network sensors, software agents, cloud connectors, container sensors etc. [It] processes data streamed to a central "brain" by all these "eyes" to provide unmatched visibility across the most diversified digital biodiversity. Everything gets indexed, normalized and categorized to become instantly actionable.

Hardware details, software installed, running services, configured users, geolocation information, network ports communication, traffic details—everything becomes observable via fully customizable dashboards. The monitored population can be interrogated with response in seconds, for unlimited devices and with the possibility to trial the integration with external CMDB through an API-based, bidirectional sync. The app can be extended via a "pay as you need" license to expand the discoverable metadata with non-discoverable information such as End of Life, End of Maintenance, Market Version, License Type information and more.

Besides this expanded visibility, Qualys empowers other crucially important capabilities such as accuracy in detection, scale to cope with any volume and velocity and immediacy in response when interrogating the monitored population. [Qualys enables] transparent orchestration to create secure information flows towards other platforms and technologies such as IT Service Management Systems, CMDBs, SIEM, network security systems, etc. We are delivering the fundamental capability to create a single source of truth, consumable within a single pane of glass where over 20 apps can be combined to harmonize the needs of IT, Security and Compliance.

Staffan Truvé
Co-founder and Chief Technology Officer

Recorded Future

Q1. How has the Insight Partners acquisition better positioned Recorded Future in the market for real-time threat intelligence services? What is the biggest benefit for enterprise customers?

There are two major benefits that come along with the acquisition. First, we have an existing relationship with Insight Partners and have been working with them for several years. They are very familiar with cybersecurity overall, which makes them excellent advisors, but they also know our vision and have long supported us in executing towards our objectives. While funding can come with conditions, Insight Partners has recognized the strength of our existing team and agrees that the best course of action is to continue on our current path.

Our executive team remains intact and our strategy firmly in place. The acquisition benefits customers because it not only validates their own investment with Recorded Future, but also does so with no disruption to regular service. The second benefit of the acquisition is that Recorded Future has the consistent funding necessary to execute on our vision of making threat intelligence a highly accessible, indispensable part of every security function.

We have big plans for the future, including better ways of automating security processes with intelligence as well as reaching more diverse customer groups, and our relationship with Insight Partners greatly speeds our ability to bring new intelligence products and features to market.

Q2. What are the biggest challenges that organizations encounter when it comes to effectively applying threat intelligence?

One of the most common challenges we see has to do with familiarization. Until recently, threat intelligence largely sat in its own silo. Organizations that could afford it would hire threat intelligence experts who would put together research on indicators of compromise and then disseminate that information back to front line network defense specialists. Much of the work we do at Recorded Future is centered on empowering each individual security practitioner with the ability to access and make sense of threat intelligence so they can make decisions. That requires some training on what intelligence is, how it differs from threat data, and how intelligence can be used to improve decision-making processes. Fortunately, we have found that the right technology can speed up those processes so that intelligence-led decision making becomes more second nature.

Following that, another common challenge is in integrating intelligence with existing technology. For instance, many security practitioners are familiar with alerts generated by firewalls and SIEMs. They feed these alerts into rule-based ticketing systems and try to separate false alarms from potential threats. The potential threats then have to undergo analysis taking into consideration organizational infrastructure and business context. The whole process can be time consuming and laborious, filled with manual work that is prone to error. Threat intelligence is often used only after all of this work is complete. We are making threat intelligence an integral part of threat mitigation at the perimeter so information coming in is automatically separated based on severity — in some cases blocked outright — and includes ready-made analysis so anyone in the organization can quickly understand why a threat is in fact a threat.
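The enrichment step described in the answer above, as an added example that is not part of the interview and not Recorded Future's code or API: firewall alerts are parsed, the external indicator in each is looked up in an intelligence table that carries a risk score and the evidence behind it, and the alert is routed to a block, investigate or deprioritise queue before anyone opens a ticket. The alert lines, the intelligence table, the 0-99 score scale and the two thresholds are constructed assumptions; a real deployment would replace the table with a lookup against the intelligence platform and tune the thresholds to its own appetite.

```python
"""Enrich firewall/SIEM alerts with threat-intelligence risk scores and sort
them into block / investigate / deprioritise queues, keeping the evidence so
an analyst can see why an indicator is rated as it is.

Added example. The alert lines and the intelligence table are constructed for
the example; the scoring scale and field names are assumptions, not any
vendor's API."""
import re
from collections import namedtuple

# Constructed firewall alerts (syslog-like, one per line).
SAMPLE_ALERTS = """\
2019-10-28T09:14:02Z fw01 DENY src=203.0.113.45 dst=10.0.0.8 dport=445 proto=tcp
2019-10-28T09:14:07Z fw01 ALLOW src=10.0.0.21 dst=198.51.100.77 dport=443 proto=tcp
2019-10-28T09:15:11Z fw01 ALLOW src=10.0.0.33 dst=192.0.2.10 dport=8443 proto=tcp
2019-10-28T09:16:40Z fw01 DENY src=198.51.100.9 dst=10.0.0.8 dport=22 proto=tcp
"""

# Constructed intelligence: indicator -> (risk score 0-99, evidence strings).
# In practice this would be a lookup against the intelligence platform.
SAMPLE_INTEL = {
    "203.0.113.45": (96, ["Recent C2 server", "Seen in active scanning"]),
    "198.51.100.77": (71, ["Historically hosted phishing page"]),
    "198.51.100.9": (25, ["Tor exit node"]),
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")

Decision = namedtuple("Decision", "queue indicator score evidence alert")


def parse_alerts(text):
    """Parse the constructed syslog-like format; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def is_private(ip):
    """RFC 1918 check, enough to tell the internal side from the external one."""
    return (ip.startswith("10.") or ip.startswith("192.168.")
            or re.match(r"^172\.(1[6-9]|2\d|3[01])\.", ip) is not None)


def external_indicator(alert):
    """The non-RFC1918 end of the connection is the thing worth enriching."""
    return alert["dst"] if is_private(alert["src"]) else alert["src"]


def triage(text, intel, block_at=90, investigate_at=65):
    """Attach score and evidence to every alert and assign it a queue."""
    decisions = []
    for alert in parse_alerts(text):
        ind = external_indicator(alert)
        score, evidence = intel.get(ind, (0, ["No intelligence on indicator"]))
        if score >= block_at:
            queue = "block"            # high confidence: push to the perimeter control
        elif score >= investigate_at:
            queue = "investigate"      # worth an analyst's time, with evidence attached
        else:
            queue = "deprioritise"     # still logged, but not a ticket
        decisions.append(Decision(queue, ind, score, evidence, alert))
    return decisions


def summarise(decisions):
    """Map each queue to the indicators routed into it, in alert order."""
    queues = {"block": [], "investigate": [], "deprioritise": []}
    for d in decisions:
        queues[d.queue].append(d.indicator)
    return queues


if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS, SAMPLE_INTEL):
        print(f"{d.queue:<13} {d.indicator:<15} score={d.score:<3} "
              f"{d.alert['action']} dport={d.alert['dport']}  "
              f"why: {'; '.join(d.evidence)}")
```

The point of carrying `evidence` through to the decision is the one the answer makes: a score on its own tells a first-line analyst what to do, but the attached reasons tell them why, which is what turns threat data into something they can act on without escalating. An indicator with no intelligence scores zero rather than being dropped, so the absence of a match is visible in the output instead of silently treated as benign.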

Q3. What do you want enterprise organizations at Black Hat Europe 2019 to understand about threat intelligence and Recorded Future's capabilities in this space?

The most important thing to understand about threat intelligence is that it is fundamentally different from threat data. Those who have dealt with intelligence analysis will know how much time and effort it takes to turn broadly collected data into intelligence that can actually reduce the uncertainty of a situation and lead to better decision making. For decades in cybersecurity, this work has been done by a select few who were either trained by government agencies or learned on the job out of necessity.

Today, because of advancements in machine learning and natural language processing, the collection and processing phases of the intelligence cycle can be immensely broadened in scope while greatly reducing the time it takes to prepare data for analysis. Recorded Future's platform is a powerful example of these features in action. However, it is not enough to get data to a state that is merely ready for analysis. In addition to our team of data scientists, we employ expert analysts covering a wide range of issues, from global geopolitics to complex technical aspects of cybersecurity.

Our analysts perform two key functions to help turn processed data into intelligence. First, they conduct in-depth analysis based on trusted methodologies in addition to their own expertise and second, they feed that analysis into our platform, which makes a continuous feedback loop for determining what is and is not a threat and how severe threats are. We use this feedback to automatically assign risk scores to data elements such as IP addresses, domains, threat actors, etc. All of this factors into the creation of threat intelligence. We are excited about our role in continuing to make intelligence accessible and intuitive to all members of security teams.
