Ransomware attacks are not a matter of if, but when

CISOs from Twitter, United Airlines and a Bain Capital partner discuss how to integrate security into all aspects of an organization at Rubrik's FORWARD conference Tuesday.


Ransomware incidents are increasing because new threat models are emerging and bad actors are participating more frequently in ransomware as a service, said United Airlines VP and CISO Deneen DeFiore. "There is an evolution happening," said DeFiore, speaking during a data security panel at data management company Rubrik's FORWARD conference Tuesday. She said she believes there will be "ransomware extortion without encryption" in the future.

Twitter CISO Rinki Sethi and Bain Capital Partner and former Symantec CEO Enrique Salem also discussed topics including how ransomware has evolved and how IT Ops and Sec Ops can better collaborate.  

While ransomware attacks have been around for the past decade, "they are getting more sophisticated," and if a company isn't prepared, the impact will be greater, Sethi said. "They are happening at very, very large scale and consumer data is at a huge risk," she said.


It's not a matter of if a company will get hit but when, Salem said. "You need to have a strategy and think about ransomware in multiple layers." Enterprises also need to think about the data that really matters to their business and, if it needs protecting, how they are going to do it.

"From a data strategy perspective, you have to know what you're protecting," and how to give access to business users, he said.

Elevating the role of the CISO

The panelists were also asked how business leaders should think about data mobility and protect data no matter where it is stored.

DeFiore said she's been thinking about how to put data security controls around the data itself versus around the perimeter. "That's key to securing it and you don't have to worry if it crosses your perimeter," she said.

One of the main themes that emerged was elevating the role of the CISO. Sethi pointed out that while security leaders "want to get quick wins to share with the executive team," what they are developing are "not sexy programs--they take a long time to develop in the right way. Data security is built on getting the fundamentals right."

A key component of data security is having good backup and recovery systems, and Sethi stressed the importance of testing them on a regular basis to make sure they are working correctly.

Data governance is also important and security leaders must know what data an organization has and who has access to it. "That helps you recover quickly if there is a ransomware attack," Sethi said.

The need for tight collaboration with other internal teams

Another point the panelists were in agreement on is the importance of carefully vetting security vendors. They also emphasized the need to build a strong collaborative relationship with IT, digital tech teams and the business units.

DeFiore said her group is responsible for managing, containing and stopping security incidents, "but recovery and resilience doesn't reside with us." Security is dependent upon the other teams, and as an airline, "any outage due to an IT stoppage hurts our bottom line. It stops planes from flying."

Having that "strong partnership and being attached at the hip makes a real difference," she said.

Sethi agreed and added that conducting tabletop exercises can really help. It should not just be IT and security that participate in these exercises but also end users and even customers in some instances, she said.

"Backup and disaster recovery is much bigger and more strategic than we've ever considered it before," she said. They have to become a board-level discussion, along with the question of whether the organization has the capabilities to recover from a ransomware or other cyberattack, Sethi said.

Silos can no longer exist, and data protection is not just one team's job, Salem stressed. Making that change means understanding the relationship between all the data assets an organization has.

"If you have a critical piece of information on a server with a vulnerability, that's what actually matters," he said. "We have to think about how do we bring different disciplines together and understand the different relationships between them."

Echoing Sethi, he said security has long been a siloed department and the discipline has to be integrated into everything an organization does every day. Salem also said that having the same tools in an organization will help security professionals be able to respond to an incident.

The CISOs' priorities

As the CISO role evolves and more data is stored in clouds, DeFiore said her priorities right now are moving "back to basics" and knowing where the airline's data is, applying patches and working from a stance of least privilege. Also important is reducing the attack surface, she said, and "making sure we're only publishing things to the internet that need to be there and segmenting and making sure there's no opportunities for lateral movement" inside the network.

Twitter's mission is to protect public conversations, and Sethi said that requires being able to recover quickly. She also said she thinks there will be an increase in the number of security vendors suffering breaches, "which is why I say think about who you partner with."

Salem said he was impressed with "how well CISOs responded during the pandemic," as they moved from a world in which they had a lot of control to very little--almost overnight. The lesson the security community has learned from that experience is to be agile, he said.

Looking ahead, the CISO needs to continue becoming integrated into the day-to-day operations of the business so they can be better prepared, he said.

"Let's make sure we elevate [the role] of where the CISO sits in the organization and the voice they have," Salem said. "Security has gotten more complicated and we need them to be more agile than ever before."
