ARN

What next for Aussie security after WannaCry?

As security attacks reach Australian shores, how will the channel react?
Chad Kelly (Trend Micro); Chris Rowley (SolarWinds MSP); Zoaib Nafar (The Missing Link); Leonard Kleiman (RSA); James Sillence (Juniper Networks); James Henderson (ARN); Robert Kingma (ICT Networks); Tony Vizza (Sententia); Richard Tomkinson (Cloudten); Ken Pang (Content Security); Martyn Young (F5 Networks); Daniel Johns (ASI Solutions); Samantha Gotting (Kaspersky Lab) and Malcolm Salameh (Airloom)

Billed as the “biggest ransomware outbreak in history”, WannaCry took charge of the world for a weekend in May.

Crippling organisations across 150 countries and four continents, the outbreak infected more than 200,000 computers and impacted more than 10,000 organisations.

With estimated economic costs approaching US$4 billion, this was no ordinary ransomware attack but rather a calculated attempt to grab the attention of the planet, an attempt achieved spectacularly through the paralysing of the UK National Health Service (NHS), the Russian government and the Spanish telecommunications sector.

Europe bore the brunt of the attack, as German railways also screeched to a halt, while US-based courier FedEx Corp suffered interference as the ransomware spread to Asia and South America.

Known as WannaCry and variants of that name, the malicious software locked computers in thousands of locations worldwide, demanding US$300 ransom per machine to be paid in cryptocurrency Bitcoin to unlock devices.

Creating front page headlines across the world following a weekend of attacks in the Northern Hemisphere, Australia anxiously waited for WannaCry to strike. Yet an all-out assault was avoided.

“It wasn’t as bad as what it could have been in Australia,” Airloom chief revenue officer Malcolm Salameh observed. “Europe got it first so everyone was patching over the weekend.

“Cyber security is something that is absolutely a business topic today whereas 12-18 months ago it absolutely was not. But now it creates a risk discussion, similar to competitive, market or people risk.”

For Salameh, the question of cyber represents another form of risk for businesses, a view validated by the recent outbreak.

“Cyber requires a board level discussion and not necessarily an IT discussion,” Salameh added. “We specialise in high-end type work and WannaCry has validated a problem that needs to be addressed.”

Following three days of chaos, the spread of the attacks was eventually stopped when UK security researcher MalwareTech purchased a domain to help track the virus, a domain that ended up acting as a kill switch.

The vulnerability was one that had been identified by the National Security Agency (NSA) and leaked by a group called the Shadow Brokers in April.

“For a long time now, basic cyber hygiene has not been addressed well by many organisations,” RSA chief cyber security advisor APJ Leonard Kleiman said. “This attack emphasises the importance of getting the basics right.”

Legacy systems

Yet despite the world recovering, and Australia breathing a sigh of relief, the breach highlights the value of establishing effective security strategies for organisations across the country, irrespective of size or stature.

“Australia has been fortunate to avoid being hit but the industry now has material to put in front of customers,” SolarWinds MSP sales engineer Chris Rowley added. “They can use this material to build up towards a risk management type discussion because customers won’t move until they see something impactful such as WannaCry.”

The NHS in the UK, where 61 internal organisations were disrupted, was one of the worst impacted during the outbreak, with media outlets reporting outdated legacy systems as the main reason for the attack’s impact.

Specifically, the health service faced widespread criticism for its continued reliance on Windows XP, a version of Microsoft’s operating system that debuted in 2001.

Daniel Johns (ASI Solutions); Leonard Kleiman (RSA) and Ken Pang (Content Security)

“More than 60,000 machines were compromised in the UK and that was the NHS,” ASI Solutions head of services Daniel Johns observed. “The patching policy across the organisation would have been pretty similar so if it infiltrated one person it would have spread like wildfire.”

Spread like wildfire it did, crippling the system as infected and outdated machines ground to a halt, leaving patients stranded and without medical care.

Following a public backlash, the NHS insisted that usage of XP had in fact fallen to 4.7 per cent, while claiming that expensive hardware — such as MRI scanners — could not be updated immediately.

The ability to bring down the entire health service of a nation through legacy technology and an inability to securely update controls points to a worrying precedent for customers across the world.

“If you look at the healthcare system in Australia, a lot of the ultrasounds and MRI machines are still run by Windows XP and they have to be because they’ve got no choice,” Sententia cyber security practice director Tony Vizza said.

“We were very fortunate purely on a timing basis because when it hit the NHS it was during the middle of a Friday when they were doing their scans, had it happened on a Monday in Australia, then we would have been hit just as bad.”

With recommendations immediately issued to install the relevant Windows security updates, the importance of deploying up-to-date technology continues to grow.

Yet despite such a call for action, do customers recognise the value of a refresh?

“It’s not necessarily the customer mentality of not updating new systems, it’s a vendor mentality,” Johns said. “The reason those machines can only run on Windows XP is because the vendor hasn’t updated software to run on more recent platforms which puts a huge constraint on managed service providers [MSPs] to support them.

“I could tell a customer that I can’t support Windows XP machines, which is fine in a vacuum but in reality, if one of those machines goes down and it’s key to their business, the noose is still around my neck to make sure the system comes back online and works.”

Mainstream attention

Throughout the attack, WannaCry demonstrated the ability to spread itself within corporate networks without user interaction by exploiting known vulnerabilities in Microsoft Windows; computers that did not have the latest Windows security updates applied were at risk of infection.

While the ransomware can spread itself across an organisation’s networks by exploiting a vulnerability, the initial means of infection — how the first computer in an organisation is infected — remains unconfirmed.

“For the most part I think this was a shot across the bow,” Trend Micro territory manager Chad Kelly assessed. “Ransomware is happening everywhere so I think the fallout has been expected; for the most part what we’ve seen is a showing of what we are yet to see.

“The Shadow Brokers are threatening to strike again and if that’s the case they are kind of toying with us.”

During the past 12 months, enterprise scale cyber security breaches have become more successful, with every industry sector facing increased threats.

Today, businesses must invest to reduce cyber risks to an acceptable level and protect client data effectively to remain competitive in challenging markets.

Yet despite the rhetoric, only a ransomware attack of this magnitude can help change customer direction.


“WannaCry drew attention to cyber security and brought the conversation into the mainstream,” Cloudten principal infrastructure architect Richard Tomkinson said. “Everyone got a call at a very high level over the weekend following the attack, and I’ve never seen purchase orders get approved so quickly for mass renewals of anti-virus and endpoint protection on the Monday.

“From the channel’s point of view that was a positive step in that it’s helped raise the awareness.”

Awareness has risen because this was previously a hypothetical debate, a debate based on little local experience and instead on takeaway snippets from the cyber frenzy unfolding globally.

But as 2016 and now 2017 have demonstrated, cyber attacks have reached Australian shores en masse, with ransomware raiding organisations across the country.

“WannaCry puts the ball back in the IT court because they can’t say ‘don’t click on this’ because they didn’t have to,” Rowley added. “You still have end-users clicking on the classic ransomware threats that have made millions of dollars but now it’s moving towards the IT level where they need to take more responsibility.”

While WannaCry didn’t unleash its full carnage on the country, the nation is no longer relying on standard Sony and Target type breach stories to communicate its message.

Instead, the industry has a sobering reminder that Australia is well and truly in the game, emphasised through the Red Cross Blood Service data breach in October 2016, which impacted over half a million donors nationwide.

“Why is Australia such a target?” Kaspersky Lab North Australia territory channel manager Samantha Gotting asked. “We’re more likely to pay these ransoms and therefore we’re more likely to be targeted again.

“We’ve seen a lot of businesses reaching out after the attack trying to be proactive. Partners must talk to the users about processes, risk management plans and back-up as a trusted advisor.”

With government interest spiking, the stakes for a cyber breach will soon get higher in Australia, creating a new dynamic for the channel as a result.

“As an industry, we must be pragmatic and put in stringent measures to protect ourselves,” Juniper Networks senior manager systems engineering James Sillence said. “The onus is on security vendors to make the security message more digestible because it’s so complex.

“In some respects, some organisations say that this is all too hard, let’s give up and deal with the consequences. And that’s rather than trying to deal with the problem.”

Servicing the security market

In 2017, enterprises are transforming security spending strategies, moving away from prevention-only approaches to focus more on detection and response.

According to Gartner, worldwide spending on information security is expected to reach US$90 billion in 2017, an increase of 7.6 per cent over 2016, and to top US$113 billion by 2020.

Specifically, spending on enhancing detection and response capabilities is expected to be a key priority for security buyers through 2020.

“The conversation is now changing as the industry realises the tactics of these cyber criminals are changing, so it’s not just about protect it’s also about rapid detection,” Kelly said. “There’s no guarantee that businesses can stop threats 100 per cent so the next move is what are the technologies to help remedy that.”

The shift to detection and response approaches spans people, process and technology elements and will drive most security market growth over the next five years.

Samantha Gotting (Kaspersky Lab)

While this does not mean that prevention is unimportant or that chief information security officers (CISOs) are giving up on preventing security incidents, it sends a clear message that prevention is futile unless it is tied into a detection and response capability.

“Threat levels are reflective of the scale of the business,” F5 Networks senior manager system engineering Martyn Young explained. “There’s obviously a lot more risk the higher up you go while at the lower end of town, there’s more of a hope strategy.

“Large organisations are more prepared and have better security posture. We leverage other vendor technologies and form alliances to meet the demands of the customer, and the value of the partner is in pulling that all together.”

Unsurprisingly in Australia, skills shortages are further driving spending on security services.

“Many organisations lack established organisational knowledge of detection and response strategies in security because preventive approaches were the most common tactics for decades,” Gartner principal research analyst Sid Deshpande said.

Consequently, skill sets are scarce and, therefore, remain at a premium, leading organisations to seek external help from security consultants.

“Our work boils down to instilling basic practices,” The Missing Link cyber security sales executive Zoaib Nafar said. “Regardless of the size of the organisation, businesses always have problems with security.

“We take the pain away from the customer and provide a schedule around priorities.”

In assessing the local market, Nafar acknowledged that most organisations “don’t know where to start” when it comes to threat management and security, creating a role for the service provider to offer digestible information and clarity.

“We take care of the neglected and difficult areas that customers forget and that’s the opportunity for the channel,” Nafar added.

Specific to managed services, the emergence of specialised managed detection and response (MDR) services represents a threat to traditional managed security service providers (MSSPs).

The rising number of point solutions in the security market that address detection and response is creating sprawl and manageability issues for CISOs and security managers, driving spending for management platforms and services that are better integrated with adjacent markets.

“Flexibility remains the key,” ICT Networks CEO Robert Kingma added. “If we go back five or six years ago businesses were very segmented and we could focus on that segmented nature to extract a good return.

“Customer organisations are more dynamic today and we need to also be more dynamic. We can’t be all things to everyone and we need specialist security organisations to work in conjunction with us and our managed services customers.”

Specifically, and according to IDC research, services will be the largest area of security-related spending until 2020, led by three of the five largest technology categories: managed security services, integration services and consulting services.

Together, companies will spend nearly US$31.2 billion, more than 38 per cent of the worldwide total, on these three categories in 2017.

“We build a business not on products,” Salameh added. “I’ve worked for vendors for 20 years but they are becoming less relevant to me. The vendor go-to-market model for the channel is ‘teach the channel how to sell more product’ around partner enablement but that’s turning the channel into an extension of their sales people. That doesn’t help.”


Delving deeper, network security (hardware and software combined) will be the largest category of security-related spending in 2017 at US$15.2 billion, while endpoint security software will be the third largest category at US$10.2 billion.

According to IDC, the technology categories that will see the fastest spending growth until 2020 are device vulnerability assessment software (16 per cent), software vulnerability assessment (14.5 per cent), managed security services (12.2 per cent), user behavioural analytics (12.2 per cent), and UTM hardware (11.9 per cent).

“It’s all around strategy and planning and everything else comes underneath that,” Vizza added. “We genuinely try and assist the customer from their point of view but when we do bring vendors to the table, it becomes an exercise in how we can maximise revenue. While we always want to make some money, we also need to push back at times.”

For Nafar however, vendors remain a “big part of the equation” for security-focused MSPs, yet a balance must be struck between selling products and solutions to customers.

“We adopt a consultative approach and a lot of the work we do is penetration testing and advising the customer accordingly,” he said.

End-user appetite

As enterprises shift toward balancing prevention with newer detection and response approaches, CISOs are changing how they measure the success of security strategies.

All security investments are being measured on how they contribute to the shift in mind-set.

Even preventive security controls, such as EPP, firewalls, application security and intrusion prevention systems (IPSs), are being tweaked to provide more intelligence into security operations and analytics.

“CISOs are keen to communicate the return on investment of their security strategy in terms of the business value associated with quick damage limitation, in addition to threat prevention and blocking,” Gartner research director Lawrence Pingree observed.

“The key enabler for CISOs is to get visibility across their security infrastructure to make better decisions during security incidents.”

For Pingree, this visibility will offer more strategic and risk-based conversations with their board of directors, CFO and CEO about the direction of security programs.

“The challenge most leaders have when it comes to IT is some things are easier to buy than others, because it’s easy to quantify how much of it that they need,” Salameh added. “I have 800 staff so I need to buy 800 computers, 800 phones and X number of ports for wireless — those are easy purchases.

“But we’re consulting so how do you quantify how much budget a customer needs to spend on security?”

The need to better detect and respond to security incidents has also created new security product segments, such as deception, endpoint detection and response (EDR), software-defined segmentation, cloud access security brokers (CASBs) and user and entity behaviour analytics (UEBA).

These new segments are creating net new spending, but are also taking spend away from existing segments such as data security, enterprise protection platform (EPP), network security and security information and event management (SIEM).

Zoaib Nafar (The Missing Link)

“We adopt new technologies and constantly assess the evolving threats in the market,” Content Security manager of consulting and pre-sales Ken Pang said. “But to translate this to the customer we must get into the C-level to talk about risk.

“Instead of talking about products, we talk about strategy and how a business aims to protect itself. We see a lot of users that get duped and some of the ones that we see are incredibly convincing.”

Across Australia, the rapid growth of digital transformation is putting pressures on companies across all industries to proactively invest in security to protect themselves against known and unknown threats.

Yet despite this, Vizza acknowledged that the industry has done an “awful job” of explaining security to customers.

“People think that we’re trying to take their money off them,” he said. “Therefore, organisations usually don’t upgrade because they believe they are being fleeced. We do need better ways to communicate what we do.

“Challenges also remain around security sales cycles. It’s not quarterly because we’re lucky to close a deal within 18 months.”

Therefore, Vizza said the challenge the channel often experiences from vendors is around trying to force a deal across the line, a tactic that usually results in the end-user walking away.

“It’s the best way to drive a customer away,” he said.

For Vizza, this is an area the vendor community would be best served to understand.

“We should embrace the 18-month sales cycle in security,” Kleiman agreed. “We have quarterly targets but when you start engaging with a customer, we now don’t expect anything to materialise until around 18 months which has changed the whole approach.

“There’s no value in ramming products down the throats of customers.”

In looking ahead to 2018, 40 per cent of large enterprises have formal plans to address aggressive cyber security business disruption attacks, up from zero per cent in 2015.

Representing a sizeable jump in end-user appetite, business disruption attacks require new priorities from CISOs, since aggressive breaches can cause prolonged disruption to internal and external business operations, akin to WannaCry.

“There is no one size fits all to security and the reality is that every customer has a different set of requirements, which channel partners must address to remain relevant,” Kingma added.

This roundtable was sponsored by F5 Networks, Juniper Networks, Kaspersky, RSA, SolarWinds MSP and Trend Micro. Photos by Maria Stefina.