For years we’ve been referring to malware protection as a cat and mouse game. The crooks come up with a new malware attack, and then the good guys figure out a way to stop it. And that keeps cycling over and over again. So where are we today with malware protection and is there any way to get ahead of the cycle?
Check out this post and this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Aviv Grafi (@avivgrafi), CTO and founder, Votiro.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our podcast sponsor, Votiro
[David Spark] For years we’ve been referring to malware protection as a cat and mouse game. The crooks come up with a new malware attack, and then the good guys figure out a way to stop it. And that keeps cycling over and over again. So, where are we today with malware protection, and is there any way to get ahead of the cycle?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode is Steve Zalewski. Steve, your voice makes noises. What noise does it make?
[Steve Zalewski] Hello, audience.
[David Spark] That’s a very common noise it makes, his voice. Our sponsor for today’s episode is Votiro. Huge thanks to Votiro for sponsoring this episode. They’ve actually been a phenomenal sponsor of the CISO Series, and we greatly appreciate their sponsoring and bringing our guest today, who I will introduce in just a moment, because they are very savvy on the subject of malware, Steve. So, you initiated this conversation, and it went in a lot of directions on malware. And I saw a lot of answers, which is the title of our show, which is Defense in Depth. So, there were theories on defense in depth to getting ahead of the perpetuating problem. What was your initial take on peoples’ responses?
[Steve Zalewski] First thing I want to say to all of them responders was thank you. You constantly surprised me in enriching my thinking on a problem. And I would say equally from looking at the perspective is history, which is are we actually better than ten years ago on all these different things. And in encouraging because the concepts around defense in depth and being able to get to a different form of offense are incredibly heartening to hear, and I think we’re making a difference.
[David Spark] Agreed. And let’s bring on our guest. Our sponsored guest from Votiro. We got the head honcho himself, who by the way is extremely savvy on malware, and I think our audience is going to be very intrigued on sort of their approach to the subject because the reason for your discussion was we need to be thinking of different approaches rather than the pointless truly endless cat and mouse game that malware is. Because I don’t see any legitimate end in sight to this. It is Aviv Grafi, who’s the CTO and founder of Votiro. Aviv, thank you so much for joining us today.
[Aviv Grafi] Thank you, David, for hosting us. And of course hey, Steve, and welcome to the audience of course.
How did we get here?
[David Spark] AJ Leece of Syntax Security Solutions said, “Computers are really good at detecting what we tell them to look for, but they can be easily fooled both from the static signature and heuristic detection standpoint.” And Tim Silverline of Gluware said, “email attachments, adware, etc., malware that is designed for the masses is often detected and prevented by the leading nest gen AV and EDR solutions.” And lastly, David Ratner of HYAS said, “We’re still deploying security solutions to block attacks in general and not spending time understanding who is attacking and watching them as much as they watch us.” So, what I got from this is there’s a certain area of the malware problem we’ve got solved and we’ve had solved for quite some time. But given that there are advancements and given that they’re very targeted attacks, we’re not spending our time on that. Is that what you kind of took away from this, Steve?
[Steve Zalewski] Partially. Here’s what I would say.
[David Spark] Okay.
[Steve Zalewski] For file based malware, I think as a rule I would say we’re good enough at this point, but people are quick to call out that if it’s targeted that malware still gets through. I think it speaks to what Tim says is for the general masses, for that type of malware, we’re pretty good. Unless you’re targeted. But I think what David is speaking to also speaks to the larger problem we have, which is the ransomware, and the fileless malware, and the worms, and the trojans, which is we are not going to solve that problem. We couldn’t ten years ago, and we can’t today until we start to change the way we think about looking at our I’ll call polymorphic defense or our offensive defense, of being better at watching them as much as they watch us.
[David Spark] All right, Aviv, I’m throwing this to you. I’m going to just essentially start with the question that Steve asked the audience – what do you think we’re doing really well in malware, and where are we kind of blowing it? Or could do a lot better. Maybe not say blowing it. Just we could do a lot better.
[Aviv Grafi] Actually I want to first refer to one of the quotes which I think is very interesting. That historically we would focus on the [Inaudible 00:05:02] We’re trying to really tell the computer what to look for if you think about the AV. Like 20 years ago, if you think about the sandboxes that were trying to look for bad or suspicious behavior. It’s always something that we tell them, “This is bad. Look for the bad.” And that’s why slight deviation from that probably would be good enough or easy enough to bypass the traditional detection solutions, which most of our defenses actually are relying on. And as for teams, the Silverline quote, whether the malware is only designed for the masses…I think when it gets to the masses is when it gets a commodity [Inaudible 00:05:40] into the commodity space, so everyone knows that technique. But new technique, not necessarily targeted. Those are the techniques that really are bypassing and deleting solutions. So, I think we got to that point, and I agree with Steve. It’s only because we keep thinking about the problem as let’s try to tell the computer what to look for.
[Steve Zalewski] I want to riff on that for a minute, too, because part of the conversation and part of what we’re learning is our expectations on what we can do versus what we should do are changing. What I mean by that is it used to be or the gut reaction is if it’s malicious content, block it and go away. But what digital transformation has done and a lot of this consumer data is that it’s not necessarily okay that we just block it anymore. That the business needs the data to go through because it’s necessary to sell more jeans. And so we’re challenged now to not just look at it as a simple static defense to block but what can we do to transform certain types of attacks in order to allow the business to continue.
[David Spark] Right, because think about it from the user standpoint. Something comes in. They need to use it. I’m going to toss it to you, Aviv, on this. They need to se it, and all of a sudden they just get this message. It’s been blocked. It’s been deleted. What do they go? They go, “Well, I guess that’s it. Not going to do whatever that is.” No, all it does is create problems and a ticket. And then more people get involved, and it just becomes an issue. Yes, Aviv?
[Aviv Grafi] Actually that’s a great point. And of course Steve pointed to the fact that security actually affects productivity. Actually employees cannot really work. When they get their files, their PDFs, their incoming traffic blocks, they’re just in a problem that they cannot really solve. We got to that point because we were trying to look for something we know, and then we start to deviate from that.
Nothing will happen until we take action.
[David Spark] David Ratner, again, from HYAS said, “We’re succeeding in defending against known attacks,” something we just mentioned, “and we are not succeeding in becoming proactive. Bad actors are innovating, and we’re reacting. We need more proactive approaches that are capable of stopping attacks, not just detecting them.” This is sort of an ongoing theme we’ve discussed on many shows here. I want to also add Daniel Sela’s comment, from Spiral, “The groups involved in developing and operating fileless malware, worms, and ransomware are also typically more mature and less amateur than the adware developer.” So, what we’re hearing is there’s essentially, from what I understand, Aviv…there is the sort of base level of attacks like the [Inaudible 00:08:34] attacks or the attacks from…the dumb attacks, if you will. Then there’s attacks that are becoming more targeted, more sophisticated, taking advantage of advanced capabilities here. Am I gathering this correctly?
[Aviv Grafi] Yes. I think that it used to be on a what we would call…it’s kind of a script [Inaudible 00:08:51] like 20 years ago, 15 years ago. I think that everything got faster today, so the new techniques are being published on GitHub. So, all those things that maybe only the targeted attack were using and maybe keeping for themselves a few months, now within days or weeks it’s being out there on GitHub, and someone is actually finding that technique. And it’s being adopted way, way faster. And that’s why just detection won’t be enough. So, having a proactive approach like David Ratner has mentioned, I think this is what we need to look for and not just respond, not just react as we mentioned next gen AV or EDR. Which EDR, I know that’s… We need to detect and remediate. It’s still responding. We need to take a way different approach, and I think such approaches exist in the market. So, we need to look into that.
[David Spark] Steve?
[Steve Zalewski] I think what I want to say here is we actually have two different problems. What Daniel is talking about and when it’s fileless, when it’s Trojan, when it’s [Inaudible 00:09:53] that is still killing us. It killed us ten years ago, and it’s still killing us now. Targeted attack. And that’s when we’re talking about proactive defense – what do we do for Defense in Depth, how do we do more about finding when it’s coming in and moving laterally, malicious attack. And that is one whole theme when we’re talking about what we do. But what’s interesting about what David said on the first part is but the other thing is it’s not just defend anymore.
When you look at the malicious malware, that conversation used to be blocking, and we’re pretty good at 98%. But now the business is demanding that we don’t just block it, but we want to sanitize it and kind of let it through because it has very legitimate business value that yesterday we threw it away. That’s lost dollars. That’s business revenue that we were throwing away. And now that we’re trying to enable the business to become the cost center, that’s money that security is now making for the business. And so we’re having to now figure out how we proactively remove and then let it through. And so we’re now tackling the problem of smart people, and defense in depth, but having to revisit a problem we also thought we solved because the business has demands, and we want to be able to increase that profit.
[Aviv Grafi] Steve, you raised a very good point. I think that sanitizing content on its way in, it’s a great approach when you want to allow the business to flow, and you’re stepping away from the guess work of whether this is bad or suspicious. So, allowing the good stuff to go in, allowing the documents, allowing the files, allowing the content, even thinking about uploading that content through your business partner portal. So, you need to get those documents. You need to get that content. And instead of trying to stop it, guess it, [Inaudible 00:11:44] maybe send it to a sandbox, you want to have the business flowing now. So, having that approach of sanitizing the content and delivering that immediately, I think that’s a way healthier approach business wise and security wise.
[David Spark] I will just point to our audience who is not aware of Votiro, this is what you do. This very different approach of just not guessing but sanitizing everything.
[Steve Zalewski] And I want to riff on that. I know you want to move on, but I don’t.
[David Spark] [Laughs]
[Steve Zalewski] Which was three years ago if I’d had this conversation with this very influential body here, I would have been in a different camp and said, “No way. Why would I possibly accept the risk of letting malicious stuff through just because there was some potential business content?” But the last 24 months with digital transformation and the way that business is demanding to be able to compete, this is one of those cases where I’ve changed my mind. And so I want to take a moment is it’s a new business demand that’s being placed on security organizations that we are obligated to respond to and not just being able to take a historical approach about throw away if it’s bad, and tough on the business. And so it’s not so much that as you had said Votiro has the ability so much as I want to call out the fact that it’s an opportunity for us as security practitioners and CISOs to move our own maturation and thinking from one of secure the company to enable the business.
What aspects haven’t been considered?
[David Spark] Evgeniy Kharam of Herjavec Group said, “Many companies not doing a good job of protecting browsing when working from home.” So, addressing some other issues. Also AJ Leece of Syntax Security Solutions notes that, “AV should be a control within an environment, but it shouldn’t be the only control.” Hence our discussions about defense in depth. And Paul Lanzi of Remediant, who admits he has a horse in this race, said, “Admin rights. Most malware can’t spread laterally without admin rights. But most enterprises offer malware, a rich cornucopia of admin rights, to exploit on every machine. Our data shows an average of 480 accounts have persistent admin rights on an average machine in a company with 10,000 employees.” So, I’ll start with you, Steve, on this. This is just touching a few of the issues that we have to take into account here. All are important here, and it’s just going to grow.
[Steve Zalewski] So, what I would say is there’s actually a couple things to tease out. One, never forget the basics. Least privilege as a concept definitely has value. It’s always been a struggle with the business to know where that friction is between too little privilege and too much. So, to Paul’s point is, hey, don’t forget to do the basics and always remind yourself of that. but what Evgeniy and to a certain extent AJ Leece is talking about is what I call the work from office to work from anywhere to work from everywhere. It’s a realization that the employee or the contractor persona and their personal persona, because of where they work now, is anywhere – on their phones – doing work one minute and doing personal the next. Is the realization that it’s raised the bar for us as well. And so sandboxing and again other technologies for us to revisit what we think we’ve solved, as well as looking at how we need to move our offensive capabilities, it’s all in play again. And so don’t fall into the trap of thinking we’ve solved a problem. Reevaluate, and that’s why. Digital transformation and the integration of the personal persona and the work persona are creating yet more challenges that goes back to what are we doing about malware and the different types that we’ve got to think that problem through yet again.
[David Spark] Aviv, I’m going to throw this to you.
[Aviv Grafi] I think that that’s an interesting point. I think in the last 24 months where we don’t really have a parameter in some way where employees are working from home, where bring your own device, that’s the default method for a lot of organizations. That’s why for example controlling the admin rights, it may be even impossible in some ways. So, we really need to think about the least privileges…as Steve mentioned, the least privileged approach within our environment on our data, on our systems that control data, that host the data. I think for the end point level, we’re not there anymore. That’s my sense.
What are they looking for?
[David Spark] Robert Gezelter, who’s a consultant, said, “We’re often far too dismissive of novel and targeted attacks. Our defenses rely upon knowledge of the threat. High value targets need to be less complacent that attacks are all mass attacks.” And this goes to the target issues we were talking about before, but that’s a really good point. And for those who don’t invest in upgrading their defenses, Tim Silverline of Glueware said, “They are the ones that continue to be hit by low level attacks, both aimed for the masses and sometimes targeted towards them due to the clear lack of security inside their infrastructure which becomes apparent after initial breach.” So, Aviv, I’m going to go to you on this. This just seems like a drum that everyone is banging of you got to look high and you got to look low. There’s going to be the mass dumb attack, and then there’s going to be the extremely targeted attack at your CEO and your CFO. And they use malware when they do that. For the dumb attacks, the CEOs can’t think that, “Oh, as long as we’re protecting the whole company I myself personally am protected as well,” correct?
[Steve Zalewski] High value targets need to be less complacent. Here’s the challenge. Everybody is a high value target now. Because it used to be that we had a common understanding of high value targets. If you were nation state attack. Or if you were interested from an organized crime or script kiddies. The challenge we’re having is the tools that are out there for the bad guys to use make it easy to target you. So, whereas the definition of high value used to be key monetary or maybe key from a nation state attack, high value now is pretty much everybody is targeting you because they all have a bone to pick. Or they’re all looking for a way to make money. Ransomware is what I would hold out as the classic example now of everybody’s high value. Okay?
And so what I realized from that when I read it and said high value targets need to be less complacent, that’s really what we’re talking about is that the onus is on every CISO to reevaluate what their defensive perimeters are to move from static defense to some form of a polymorphic defense where there’s an offensive component where our ability is not just to hold them at bay but to understand as they’re coming through how to get them out. And I just thought that was very insightful in Robert when you understood that high value. It was actually the key phrase. And then to the point of like Tim said, which was yes, and if you have a strong perimeter, but it’s very static, they all get in. This is what we’re talking about. So, what are you doing to be able to put a defense in depth in?
And now your visibility into your infrastructure that used to be hidden by your network firewalls, third party integrations, digital transformation has moved the network edge out to almost an application edge. And so now my ability to reestablish that defense as to how the different types of malware and the malware attacks are presenting themselves is really what those two are calling out on the two sides. Our job is not over. In essence we have to think about this like ten years ago, which is reimagine what we’re going to do given what the current defensive posture looks like and what the offensive nature of the attacks are demanding of us to do.
[David Spark] Aviv, I want you to have the last word here because I think it’s interesting… Steve, the way you put it, there’s kind of da full circle that’s come back in that yeah, we can deal with low level attacks, but that is so ten years ago. And also just getting gift cards from the CFO, that’s also a few years ago. Ransomware has made everyone a massive target. Yes, Aviv?
[Aviv Grafi] Yeah, I think that Steve mentioned a great point where it’s getting very, very easy to craft what used to be called sophisticated attack. It’s so cheap and so easy. All the tools are available online.
[David Spark] It’s as a service. Ransomware as a service.
[Aviv Grafi] Correct. You can buy those weaponized documents, those fileless malware. And by having short intelligence exercise on the company’s website, you can craft a pretty nice attack that I think even one of us might be clicking one of those things if you think that this is coming from a colleague. So, I think that this is a very good point that each and every one of us can now be considered high value, and it’s very easy and very cheap to craft such attack.
[David Spark] Good point. And we’re going to close right there. Now it comes to the point of our conversation where I ask you, Aviv and Steve, which quote was your favorite, and why. I’m going to start with you, Aviv. Do you have a favorite quote, and why?
[Aviv Grafi] I think that my favorite quote would be a quote by David Ratner that mentioned that we’re maybe succeeding by defending against known attacks, but we’re not succeeding about becoming proactive. I think the reason why I like that is that being proactive, I think that’s our obligation. That’s what we can do in order to win in that cat and mouse game. Just responding, just reacting would make us just being attacked and losing, and then maybe we’d be able to fight the next one. So, being proactive, sanitizing content, understanding what’s coming into the organization, having a better hygiene, I think that’s the way better proactive approach than just reacting to what’s going on there.
[David Spark] Steve, your favorite quote?
[Steve Zalewski] That’s a great quote that Aviv picked. I think that’s good. But I am going to go with Robert Gezelter’s conversation around high value targets need to be less complacent with an appreciation that we’re all high value targets now. And so the fact that the masses that is coming through, the 98% is a huge volume. But security awareness training, and the ability to filter, and what we’re doing around malware, I want to call that out as kind of the sounding the bell to remind everybody that we are all high value targets at this point and that we’ve got to step up our game.
[David Spark] Good point to close on right there. All right, I want to wrap up this show. And, Aviv, I’m going to let you have the last word. Please make a pitch to our audience about Votiro. If you’ve got any special offer, please extend it. If you’re hiring, we always like to know that. Our audience likes to know that. But hold onto that. Steve, any last thoughts?
[Steve Zalewski] I want to make a shoutout and a thank you to the people that responded to this on LinkedIn.
[David Spark] Really thoughtful comments.
[Steve Zalewski] Really. And that’s my point, which was the degree of thoughtfulness that are going into the response is just outstanding. I honestly mean it. Which is the enrichment of I think I have the problem, and people remind me or show me all the different ways. This really is shared responsibility, and we’re all helping make ourselves better to protect the community protecting the security title. And so just a huge thank you for the folks on the thoughtfulness of the responses and the effort that you’re putting into making this show as good as it is.
[David Spark] Good point. All right, Aviv, any pitch for Votiro, and are you hiring?
[Aviv Grafi] Of course. So, we in Votiro here are helping organizations to make sure [Inaudible 00:24:33] maybe something out of the S3 bucket is being sanitized before it’s actually stored and getting into the network. That way we’re allowing security. We’re proactive, so there’s nothing that can get in. We’re allowing only the good stuff, the known, good content to go into the application and the network. And of course we’re also allowing way better productivity. So, we’re not having that block page for the users. We’re allowing the content to flow in. There’s no need to quarantine, to ask for really something from span. And that way we can balance way better between productivity and security, no matter where the document or the content is coming from. So, this is about Votiro of course. I would love to continue the discussion on LinkedIn. Of course you can visit Votiro’s website. And of course we’re always hiring. We’re expanding the team in the US. We’re looking for sales folks, and of course we’re expanding the R&D team in the US and in Tel Aviv for those who listen to us here from Israel.
[David Spark] Awesome. Lots of jobs, lots of opportunities. And please check out Votiro. This is a very unique way of dealing with the malware problem, which has been dealt with in a very sort of standard mundane way for many, many years. And, again, possibly a way to get ahead of the cat and mouse game as we brought up at the beginning of the show. Thank you very much, Votiro, for sponsoring this episode and being a great sponsor of the CISO Series. Thank you, Aviv. Thank you, Steve. Thank you to our audience, as always. I’m going to echo what Steve said earlier. Greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.