Zero Trust Security

Interview: Deepen Desai On Zscaler’s Holistic Security Approach, Phishing Trends, And Putting Zero Trust Into Practice

Expert Insights interviews Deepen Desai, Global CISO and Head of Security Research & Operations at Zscaler.

DeepenDesai-Zscaler-Interview

The war in Ukraine, divisive US mid-term elections, and continued fallout from the COVID pandemic have presented cyber-criminals with ample opportunity to take advantage of global disruption over the last 12-months. “Cybercriminals are always looking out for any of these trends where there is public interest,” says Deepen Desai, Global CISO and Head of Security Research and Operations at Zscaler.

Desai is responsible for protecting Zscaler’s cloud security infrastructure. As a CISO at a global security company, Desai has the advantage of a fully resourced security research team – ThreatLabz. This team of security experts continuously searches for the latest threat campaigns, tools, tactics, and procedures (TTPs) that reveal how threat actors are evolving, to help protect thousands of organizations globally. Expert Insights interviewed Desai at the RSAC 2023, you can listen to our full conversation on the Expert Insights podcast.

The ThreatLabz team recently released their annual Phishing Report, which found that the number of phishing attacks rose by 47% from 2021 to 2022, numbering in the billions of attack. And the threats are evolving. “Phishing continues to be one of the top vectors. That’s where attacks start. We’re no longer living in the era where the attacks involve sending a malware through an email and call it done. It’s multistage attacks. Phishing is where it starts” Desai says. 

As well as phishing attacks becoming more complex and multi-stage, the report also found an increase in the usage of pre-built phishing kits and phishing-as-a-service offerings. This lowers the barrier to entry for launching sophisticated phishing campaigns. Attackers are also starting to leverage artificial intelligence and machine learning platforms to generate more convincing attacks aimed at tricking users at scale.  

A particularly concerning attack that the team picked up involved the recent wave of lay-offs in the technology sector. “For instance, if a security engineer got laid off from Company A, [attackers] will identify security engineering positions from hiring companies, and then reach out to that victim with a fake posting, which is a mirror of a real posting. And then they will conduct the interviews and scam the user. This is one I want to make sure everyone out there is aware of, and not fall for it,” Desai explains.

Putting Zero Trust Into Practice

One of the most important trends in the security space today, for preventing phishing as well as many other cyber-threats, is the implementation of Zero Trust principles. “Zero Trust has been tagged as a buzzword. It heavily used, and also abused by many of the vendors” Desai says. “It’s a journey. It’s not a flip of a switch, where you just turn it on, and you’re not trusting. There are four key tenets of implementing Zero Trust principles in practice.”

Number one is reducing your external attack surface and using zero trust architecture to reduce your footprint. Number two is having the capacity to apply security policies consistently, to support users and assets wherever they are, whether they are in the office, working from home, or hybrid. 

The third, and for Desai, the most important part of Zero Trust, is having the controls in place to prevent lateral propagation. More than 90% of today’s breaches occur because attackers are able to move laterally within the network, Desai explains. Threat actors are able to start an attack from a public cloud or local home network and use that as a gateway to get inside the network environment. 

“If you have true network zero trust architecture implemented, your blast radius should be contained to that single asset where a user made a mistake. You need to have proper user-to-app segmentation,” he explains. The final tenet of Zero Trust is to have a full data loss prevention engine applied to everything in your environment, whether it’s a laptop, server, or any other assets. 

“So, eliminate external attack surface, prevent compromise, prevent lateral threat movement, and then prevent data loss. The question that you always ask is, assuming compromise – what’s my blast radius? Am I able to contain it to a single incident? And that’s how we should look at it. It’s a journey.”

Common Security Mistakes

Many organizations are on this journey, but many of them are making fundamental mistakes and missing opportunities to actually enhance their security posture. There are three common mistakes organizations make, Desai explains. First, is not doing proper SSL inspection. “More than 90% of the traffic that is internet bound is encrypted, so unless you terminate that connection, you’re not going to be able to stop many of these advanced threats.” 

Second is missing the critical importance of segmentation. “If you’re still relying on the older technologies, like VPN, you’re brining the user on the same network as the application, no matter what kind of ACLs you have established, there is a zero-day vulnerability. The bad guys will be able to hop from one machine to the other… so having that segmentation implemented is crucial.”

The last component is educating end users on the dangers of phishing and cyber-threats. “Security awareness training is critical. But your awareness training needs to evolve as well… training has to continuously be updated. You should deploy controls that allow you to train the user the entire time.” Real-time, continuous training means that when users are about to visit a destination that’s not safe, or click a malicious attachment, you can warn users before the mistake is made. “You will be surprised how many less mistakes users make when you help them at the time of incident, rather than afterwards.”

AI And A Holistic Security Approach

The biggest theme at this year’s RSA conference is AI, Large Language Models (LLMs), and ChatGPT. “It’s no joke,” Desai says, “we’re starting to see some of these risks show up. One large company disclosed a data breach because their engineers were uploading stuff that they weren’t aware was going to open-source. We’ve seen proof-of-concepts, as well as malware incidents, leveraging AI to generate polymorphic code. We will see more and more threats taking advantage of large language models.”

On the other side of the field, security vendors are using more resources than ever before to leverage large language models to improve threat detection, perform correlations at scale, and help organizations run more efficiently. Zscaler is investing heavily in LLMs models to scale advanced analysis capabilities, as well as to address use cases like threat detection and policy operations. “We will be announcing a lot of cool innovation in coming months,” Desai says.

Two other major trends that will continue to be of critical importance are supply chain attacks and insider threats, Desai says. “Supply chain attacks continue to be top of mind. We’ll see more and more of those in the coming years. And as a CISO, one of the prime areas of focus for me is insider threats. Everyone should have a formal insider threat protection program because gangs like Lapsus are paying your employees $30,000 per week to get access.”

One of the most critical challenges that IT managers face when it comes to tackling these threats is measuring quantifying and managing risk. “There are a lot of different ways that CISO’s, including myself, measure risk,” Desai says. “But there’s a lack of tooling which helps you manage that and gives you a holistic picture.”

“Zscaler see 300 billion transactions daily. We see how your organization is configured, we see all the behaviors, and we are also integrated with the largest eco-system, whether it’s EDR vendors or SecOPs tools. We are trying to build a holistic risk engine, which will then benefit security execs when quantifying risks, make risk-based decisions, and policy decisions in the product. That’s something we’ll probably announce in a couple of months as well.”


You can listen to our full interview with Deepen Desai on the Expert Insights podcast:

Listen On Spotify:

Listen On Apple Podcasts:

About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.