The global uncertainty regarding the COVID-19 pandemic still persists, but companies have begun to adjust to the new scenario and, therefore, to rethink their medium and long-term strategies. A fact of reality is that the crisis has greatly accelerated the digital transformation and that process is creating the need for new investments in technological infrastructure and information security measures and prevention of cyberattacks.
What are the recommendations when drawing up new plans for investment or expansion in technology to sustain the business in the new situation? What are the new threats that can interrupt the continuity of operations or seriously damage the reputation of a company? Gonzalo García, vice president for South America at Fortinet, the company specialized in solutions for cybersecurity -based in the United States and with a presence in Argentina-, speaks of “a post-pandemic agenda” and advises the adoption of a new work methodology.
In other words, a new cycle opens. “The mentality of the market, of the customer, changed. In the first half of the pandemic, how to react and prepare for lockdown was at the forefront of every decision. Business continuity first. At this point, the agenda begins to plan 'the day after tomorrow'.
A post-pandemic agenda, knowing that beyond the health issue, there are habits and new ways of connecting with the client and with the workers who will remain. Infrastructures and strategies are already being reviewed and we also see projects that were stand-by are gaining traction again ”, García describes in an interview. -And thinking in this new context, what are the necessary investments? What advice would you give companies when rethinking infrastructure and security?
There are different methodologies, but today the approach of “Zero Trust” (Zero Trust) is being developed.
What is it about?
In reality, it is not a technology, but rather a methodology. It has to do with changing the paradigm of how to think about defences a bit. In the past, one thought of a perimeter and separate the good and the bad there. Then one said: this is the “risky”, this is the “reliable”, the “dangerous”, the “safe”.
And basically, the aim was to make segregation and put controls so that the transfer of information from what was considered external or internal, dangerous or safe, was highly audited. In many places, it is what still prevails as a cybersecurity strategy. On the other hand, the Zero Trust strategy consists of knowing that there is not something totally safe, so thinking about safe areas does not work.
And in understanding the totality of the attack surface. This means all devices, applications, actors who will be interacting with this technology and provide defences from that side. A device that is safe today may be compromised tomorrow, so the controls are not relaxed at any time. The level of trust can change over time. The aim is that the control mechanisms allow segmenting, containing in the event of an incident and detecting quickly.
And This Would Then Be The First Step Of a Strategy
It is reinforcing that strategy above all else. And it has to do with a change that will be permanent after the pandemic. The concept of "this is the network that I control, the perimeter", although you have been talking about it no longer exists, many have now become aware. This is beneficial and allows you to work in different ways to stay safe.
At The Infrastructure Level, How Is This Methodology Accompanied?
I like to start with the infrastructure and communications part. It is extremely important that the transport of information can guarantee levels of control and levels of detection and reaction. I also like to speak from the devices, because even if it has an optimal transport network with security, if the device at some point is violated and it also happens on a network, in an environment that one does not control when I find out it can be too much late.
You have to think about the network, about the security of the device and work a lot on what is the segmentation of the infrastructure and application. On the other hand, also work in a reality where today you will minimally coexist between legacy technology and infrastructure and multi-cloud infrastructure.
So your security vision has to cover the entire attack surface, it cannot be partial. For example, having a strategy for when it is my data centre or my applications, and another for that cloud provider, or another for something else, that doesn't really scale. Cero Trust needs a strategy for the entire attack coverage, but it has to be coherent and homogeneous because otherwise, it will cost a lot to deploy, maintain and manage it.
The New Criminal Modalities
In the first part of the quarantine, a report provided by Fortinet revealed the growing pattern of phishing-type attacks, both in the region and in Argentina. Does this phenomenon continue to be registered? Has anything changed in the last few months?
In general, ransomware is the main problem. And it has to do with the search to profit from what is being done. One begins to see more sophistication and personalization of the attacks. The criminals and criminal organizations mutated: first they sought out the individual, the consumer, hijacking their information.
They saw that it was not a profitable business and found in companies a much more profitable niche, for ransom payments that are made in order to avoid a problem. The most common techniques are related to exploiting the human factor, deception in order to induce an action that ends up compromising the safety of the company.
In some cases, even through bribery and extortion, that is, not through involuntary mistakes. And the Cero Trust strategy has to do with that as well. Another source is the exploitation of known vulnerabilities of an organization, for which a very important intelligence work is required to find those gaps. We are talking not only about code failures but also about errors in the settings that cybercriminals look for and know how to exploit.
What Recommendations Are You Making About Access To Corporate Networks?
First, to guarantee that the devices to which I am going to enable access are up-to-date, have malware prevention technology. Most antivirus systems are based on pre-execution. This means that when faced with certain software that a device wants to run, it is compared against a list of software commonly known as malicious.
This is proven to be inefficient. There was an evolution towards execution in some environment outside the computer, I see how it behaves and based on that I make a decision. This improved security a bit, however, it is not enough either because the malware began to have the ability to know that it is being executed in a closed environment (sandbox) and then it behaves well and then does something else.
The technologies that come now, and that we recommend implementing, have to do with what is post-execution. These are EDR (Endpoint Detection and Response) technologies: letting it run but monitoring the behaviour in real-time to know if it is hostile or not. If I see that it is potentially harmful I stop it, but the follow-up goes step by step. This significantly improves the ability to prevent both ransomware and targeted attacks.
Besides, you have to check if the access is remote or from a place that I control. In the latter case, deploy wireless connection technologies, secure Wi-Fi, to eventually be able to quickly block and isolate. If it is an environment not controlled by the organization, beyond encryption, which has to be, we also recommend security controls. And another important factor is authentication: how to know if the one who is connecting is really who they say they are. Many problems have to do with credential theft. The password system is not today a level of security that leaves us alone.
What Other Trends Can Finally Be Highlighted?
There is a new technology that can be called "deception", and that simulates the infrastructure or environment of the organization so that the attacks are diverted there. It is a technology available to be evaluated at the corporate level.
We also have to start incorporating as a new generation strategy the use of artificial intelligence to analyze the information that is generated, in order to operate and automate responses. If there is a difference between a security breach and a serious incident, it is how I reacted and how quickly I did. Today is really not the time to learn how to react while the incident is occurring.
Then, the infrastructure that is proposed must allow defining the different strategies to face different problems. These are even typical strategies in the Defense area.
