Posted on September 27, 2017 by Nicole Geronimo
In our recent IEF Spotlight Interview, we had a conversation with Jeremiah Grossman, founder of WhiteHat Security and the current chief of security strategy at endpoint protection provider SentinelOne. Grossman discussed his transition from the head of a “professional hacker army” to his new role in the escalating fight against malware.
In this article, we’ll explore his experience and his resulting insights into:
From Professional Hacker to Security Leader
As the founder of WhiteHat Security, Jeremiah Grossman played a pivotal leadership role in helping enterprise organizations understand and mitigate their own security weaknesses. He credits much of that success to his background as a “professional hacker.”
Grossman believes both hackers and entrepreneurs find motivation in the same place – the next challenge, the next problem to solve, the next way to make the world better.
“Beyond the world of application security, where I certainly left my mark on the industry, is the world of malware, which is anything but solved,” he explained. In fact, organizations have spent over $12 billion a year on anti-malware products. Yet, there’s been no measurable improvement in our defenses.
“With something as important as the internet, this situation can’t continue. The need for a novel approach, a new way of thinking, was what brought me to SentinelOne.”
The Rising Threat of Ransomware
Over 48 percent of organizations have experienced a ransomware attack in the last six months. The rates of attack show no signs of slowing down.
“These numbers are staggering, frightening even,” says Grossman. In recent years, he explains, when a breach occurs, business grinds to a standstill. Financial transactions stall, international shipments halt, and critical hospital care and physical surveillance systems go dark. “The information security industry must equip itself more proactively,” he argues.
But how should organizations equip themselves?
Grossman explains that companies must have immutable backups in place for their most sensitive data. “Systems and software must be up-to-date with the latest patches. Even seemingly small tasks like disabling Microsoft Office macros are crucial.” Organizations must also invest in an anti-malware solution. While it’s easy to justify the investment in anti-malware, the biggest challenge for a company of any size is choosing a solution that’s effective. For this reason, he only looks at vendor solutions backed by a product warranty that covers the cost of an incident.
“I mean, if they won’t put their money where their mouth is, it’s difficult to understand why a customer would find them credible.”
The Arsenal of Information Security
It’s now a safe assumption that any given organization will face a ransomware attack in the next year. Grossman predicts attack vectors won’t stray far from worm-based attacks, like WannaCry and NotPetya, that pass via malware-laced emails and websites.
“We will not be able to do much to stop the transmission of malware through these infection vectors, but what we can do is stop their execution on the endpoint itself,” he explains.
The failure of traditional signature-based technologies, he explains, is well-documented. Today’s sophisticated attackers employ every possible trick to evade defenses, prompting the need for a sophisticated defense.
Building A Multi-Layered Defense
The involvement of machine learning and artificial intelligence has evolved from a need to shift security from a reactive practice to a more proactive position. When done right, these technologies are able to use behavioral indicators to identify the kinds of abnormal activity that indicate a threat.
“Of course, it’s important not to be over-reliant on purely preventative approaches when looking at the new technologies,” he cautions. “It’s crucial to have a holistic multi-layered defense in place that looks at behaviors pre-execution and on-execution to identify the more evasive threats.”
A multi-layered defense looks at both pre-execution and on-execution behaviors at the endpoint to pinpoint more evasive threats. This automated response minimizes, if not eliminates, the threat of ransomware like WannaCry and NotPetya. To work, says Grossman, these protection engines must be autonomous and as close as possible to the source of data to accelerate time to protection.
Engaging Damage Control
“No matter what preventive steps are made, there is no way to reduce the risk of ransomware infection to zero,” says Grossman. Eventually, added layers of security control reach a point of diminishing returns. At this stage, it’s more cost-effective to shift security spending to measures that cover the cost of an incident after the fact, such as a product warranty or cyber insurance coverage.
While only a third of companies in the US have purchased cyber insurance to date, Grossman points to the 40 to 60 percent market growth rate in the industry as a sign of where the trend is headed. At the same time, he explains, cyber insurance is quite inexpensive, running around 1 to 2 percent of the liability limit.
When it comes to digital ransom, however, very few companies pay out (or admit to doing so). Nonetheless, Grossman advises that it may be wise for organizations to pre-purchase cryptocurrencies just in case. “Ransomware is a time-based transaction, and every second counts,” he says. In the event an organization does decide it will pay a ransom, avoiding the delay associated with acquiring Bitcoins is a key benefit.
Meanwhile, he asserts government measures to thwart ransomware via legislation won’t have much effect. “Cyber-criminals aren’t going to play by the economic laws and regulations of any government. If we allow them to succeed in their operations, we’ll have to play by their rules. This includes paying in the manner that they demand.”
Cybersecurity and Organizational Transformation
More CEOs are looking to their CIOs and IT leaders to take on significant roles in planning for the strategic future of their organizations. When asked for his advice for technology leaders looking to make a disruptive impact, Grossman provided these concluding thoughts.
“Business growth has been increasingly interconnected with digitization of infrastructure across industries,” he explained, pointing to recent digital transformations in retail, financial services, manufacturing, hospitality and education. “Every one of these traditional industries has seen a sea of change powered by IT trends such as cloud, automation, mobility, virtualization and IoT.”
However, he argued, the number one impediment to the potential of digitization is business exposure to security threats. According to McKinsey, CIOs estimate that indirect and unaccounted security requirements drive as much as 20 to 30 percent of technology spending. This has the effect of crowding out other opportunities that could create tremendous business value.
“It’s clearly imperative that security be an integral part of future planning at the C-level.” Safeguarding innovation, business operations, partners and customers from rogue elements is a mission-critical aspect of that planning, says Grossman.
“And, it all starts with the weakest link: The user in front of that computer.”