Interview: Focus On The Real Risks: How CISOs Should Tackle Today’s Cyberthreats

Cybersecurity is a challenge. Not only are businesses today faced with an enormous variety of threats to prevent, but they also find themselves drowning in the noise of a plethora of solutions promising to provide protection against said threats. Because of this, it can be difficult to work out which threats pose the most serious and real risk to your organization, and how you should go about preventing them.

To find out how CISOs and security teams can identify the real risks their organization is facing, and what steps they can take to stop those risks from becoming security incidents, we spoke with Ryan Kalember, EVP of Cybersecurity Strategy at Proofpoint at RSAC 2022. Kalember has over 15 years of experience in the cybersecurity space and currently leads a global team of security experts that ensure Proofpoint is always protecting their customers against the most prevalent attacks they’re currently facing. 

Proofpoint is a global market leader in cybersecurity. Their powerful, scalable solutions are trusted by 75% of the Fortune 100, the top five banks across the world and many smaller organizations to secure their data against today’s most sophisticated threats.  

Proofpoint is an established vendor in the email security space, and one of your solution’s core strengths is its ease of deployment within Microsoft 365 environments. Why is it so important for businesses using MS365 to implement third-party security solutions?

I think the simple answer is that the risks that you’re most likely to encounter, and that have the highest impact on most businesses, all flow through Microsoft 365. The vast majority of ransomware, for example, still arrives via email. And the largest economic losses in cybersecurity are typically due to business email compromise (BEC), which relies extremely heavily on Microsoft 365 accounts being relatively easy to compromise. 

If you think about it from an attacker’s perspective, what is the one thing that I need to be able to do to maximize my leverage? What would you actually want as an attacker, as a first step in perpetrating financial fraud? It’s probably the Microsoft 365 account of the CFO, the controller, or someone in accounts payable—anything like that is hugely valuable. 

What are some of the challenges associated with securing Microsoft 365 environments?

Most security teams are constantly making trade-offs. Every new tool you bring in introduces complexity or an integration challenge, and somebody has to be there to run it. If it chirps out alerts all day, you need somebody to respond to those. And none of that is free of costs.

You mentioned deployment—one of the things that is actually quite useful about Microsoft 365 is that you can actually cover 100% of your users pretty much instantaneously. That’s something that’s always been a challenge to do on a network, which usually involves physical hardware. And if it’s a cloud network, it doesn’t involve physical hardware, but it can be deeply confusing and it’s just not in the skill set or bailiwick of a lot of people right now. 

Even if you think about endpoints, you’ve got all kinds of different endpoints where someone might interact with maybe not a ransomware actor, but most likely with a BEC actor. Your mobile device has an inbox on it, and one of the likeliest things you’re going to see is an imposter in that inbox pretending to be somebody that they’re not. It’s possible to cover traditional endpoints with security software, but it’s very hard for mobile endpoints. And again, if you’re going to align to those big risks, ease of deployment and ease of covering all your users really does matter.

The rapid adoption of cloud services such as cloud email has led to huge changes in the threat landscape in recent years, alongside other factors such as the increase in hybrid working, and, more recently, targeted state-sponsored attacks as a result of global conflict. What are some of the biggest security risks you’ve seen since the last RSA conference?

There’s been a long-term evolution in the threat landscape, but it’s all led to basically two business models on the attacker side winning out over all the others: ransomware and business email compromise. 

The cybersecurity industry used to mean talking about stolen health records and stolen payment cards, which meant that only a small subset of organizations were actually in the crosshairs. But now, because anybody can be extorted—ransomware—and because everybody does business by email and wire transfers between organizations—business email compromise—you have two threat categories that have out-competed all the others and that, fortunately for cybercriminals but unfortunately for us, also scales pretty well. 

Five years ago, you’d see attackers trying to ransom individual computers, but it’s now a broader extortion game. Business email compromise has arguably seen less innovation because they haven’t had to innovate. Attackers have scaled their techniques, but by and large their business model is still the same. 

I think that’s important for defenders to remember because yes, advanced persistent threats (APT) attacks do exist, but only a single digit percentage of all Proofpoint customers have ever seen even one nation state attack. Obviously, it depends on who you are; if you work at a non-governmental organization (NGO), in government, or in a Ministry of Foreign Affairs, you should be worried about APT attacks. But the vast majority of other organizations should not, because a really serious, skilled adversary is not likely to be what you encounter. You’re much more likely to see a BEC crew, or a big bot like Emotet. 

This is where defenders have a big advantage: they know what’s coming most of the time. And while it can be tempting to learn about APTs and their tradecraft, and try to defend against it, it’s just not statistically very likely for the average organization to encounter that type of attack.

Absolutely—we often get caught up in the headlines screaming news of these huge nation state-level attacks, but it’s important to remember that that’s not necessarily what’s going to be affecting us.

Yes—let’s think of it in terms of a simple analogy. If you’re running a chocolate shop on a high street, what would your main adversaries be? Somebody might shoplift you, or you might be extorted for protection money. But you don’t need bulletproof glass or 24/7 armed guards, because that’s not what you’re up against. And in cybersecurity, we’ve always had a very difficult time attempting to understand and be okay with risks that exist but are not likely to be exploited. And those will always be there. 

If your chocolate shop has a website, that website might have vulnerabilities in it. You might have hired a developer to write it 10 years ago and never patched anything since then. But if an attacker can compromise your website, what can they do next? If the answer is not much, that’s okay as long as there’s no economic advantage that the attacker is getting by attacking. 

That’s one of the things that’s hardest to get to grips with, especially during events like RSAC week, when there’s so much noise. You lose track of being thoughtful about what you do, and even more thoughtful about what you don’t do.

In the face of these threats, your recent global survey found that half of all CISOs aren’t ready to handle a direct cyberattack. Why is this?

If you think about that question, it’s not really about whether you have faith in your technical defenses and whether you’re spending money in the right ways; it’s about whether you have the support of your organization to not only engage the resources you have internally, but engage the proper outside ones, and actually have the cover to do your job.

And sadly, that’s often not the case. 

At the end of the day, most CISOs have to rely on their teams, as opposed to their vendors or anything else that we occasionally get confused about in this industry. And too many of them don’t feel confident in doing that, which is a driver behind why our research shows that 66% of global CISOs do not feel prepared to handle a cyberattack.

How can investing in a product like Proofpoint help organizations overcome the threats we’ve discussed today, such as ransomware and business email compromise?

If I were looking at a CISOs priority list right now, I’d go back to that point around likelihood and impact: the classic definition of risk. You need to look at likelihood and impact and map your security controls accordingly. You want those controls to do a good job, not with some theoretical risk, but with a very, very likely risk that will show up in your environment. 

And that’s one of the things that I’m proud that we focus on. From a cybersecurity perspective, there are many great tools out there. Some of them solve very interesting, complex problems. But some of them solve problems that don’t really exist for the average organization. And some of them— going back to the point around CISOs not necessarily having the necessary resources and expertise  on hand—are just so hard to deploy, configure properly, tune, and respond to the alerts that they generate, that you question whether the ultimate outcome is better than if you’d never bought the tool at all. 

So, one of the useful things with Proofpoint—or many of the other tools that do something similar—is that it’s effectively preventative. We don’t recommend this, but it’s entirely possible to use it without ever paying attention to it, because it’s trying to stop malicious emails from being delivered and trying to stop cloud accounts from being compromised. Even the awareness training aspect of the solution can be fully automated, so you can do phishing simulations and train your users in ways that never require the security team to spend any time on them. Again, that’s not ideal, but it’s very much aligned with high likelihood, high impact risks. 

If you’re in the classic CISO position of looking to make sure your best tools are aligned to your biggest problems, and that you’re having the minimum amount of impact on your team, then these are the sorts of things that make sense. 

The last thing I’ll mention here is that, if you think about the classic attack gene, there are vendors that are shifting left and there are vendors that are shifting right. But the more that you can prevent the attacker from ever getting a foothold in the environment—if you can prevent those credentials from being compromised, if you can prevent malware from getting to that endpoint where the user can be tricked into running it, even if you can train the user to recognize that they shouldn’t run a file because it may be malware—it’s so much easier to solve that problem than when the attacker already has access to something that matters. 

The classic line in security is that attackers seek to convert illegitimate access into legitimate access. And they’re able to do that relatively quickly. So, if you can do things to stop that from ever happening, it’s just such an easier problem to solve than ripping an attacker out of your environment when they already have legitimate credentials.

It’s interesting, particularly in light of RSAC, because the industry seems to seesaw back and forth between, “prevention is possible” and “everybody’s breached, some people just don’t know it yet!”. One minute we’re over-investing in response and human things that don’t scale, then we need automation, then everything is a detection and response and then we put an X in front because we can’t even decide what letter goes first. 

All of that gets a little exhausting honestly, when so many of the cyberattacks that do the most damage are pretty preventable. It’s cliché, but the ounce of prevention thing is still very true, even if that phrase existed well before cybersecurity.

What are your final words of advice to organizations struggling to secure their inboxes against today’s email-based cyberthreats?

I would say don’t settle for default. That is the wrong way to economize. Everyone wants fewer security tools in consolidation, but where you should economize and be thoughtful is on risks that you don’t think you’re going to experience very often and would not be catastrophic events for your business. 

The other piece of advice I always give CISOs is, if you think about going through a breach, think about how that breach might have happened and what started it. Was it a phishing email, was it somebody’s credentials that were just out there, or was it a nation state APT using a zero day? In the latter case, honestly, that’s pretty forgivable. There’s no way a typical organization can be expected to defend against something like that. The others, on the other hand, are pretty preventable. And if you are pointing your security controls at these unquantifiable zero days rather than the highly likely events, it’s going to be really hard to explain when something goes wrong in a very predictable and very preventable way.

Thank you to Ryan Kalember for taking part in this interview. You can find out more about Proofpoint’s email security solutions via their website.