The US Government might be the latest and most high-profile victim of increasingly sophisticated global cyberattacks, but these breaches have long been a threat to corporations across a multitude of sectors. As the world becomes more and more digital, the consequences of data breaches and hacks become a question of survival for companies. I sat down with Eyal Wachsman, co-founder, and CEO at Cymulate, to discuss recent trends and developments in the cybersecurity industry.
Ishan Pandey: Hi Eyal, welcome to our “Behind the Startup” series. Tell us about yourself and the story behind Cymulate?
Eyal Wachsman: Hello, and thanks for having me. The story behind Cymulate is simple. I have been in the security industry for over 20 years, on the customer side of the fence, as a CISO, and on the security service provider side. Over the years, I have seen how security spend has grown into a $150B market. Nevertheless, we are not any safer from cybercrime; in fact, it seems to be getting worse. Something was broken, what we found was that many breaches could have been stopped with existing security, they were either not configured correctly, or they failed for some other reason.
Moreover, security teams were totally unaware of the problem. Pen testing was no longer effective because it is a slow process compared to the rate of change in IT, the attack surface, and threats. The industry needed a way to deal with the threat landscape based on a continuous assessment of threat and business evolutions. Cymulate does this by replicating threats in our cloud so that our customers can check in real-time how their security is performing in the production. People, processes, and technology. We also tell them what needs to be done to improve their performance. We provide an easy way for security teams to maximize the utility of all the security capabilities they have.
Ishan Pandey: Keeping sensitive data secure is a huge challenge for corporations. What recent trends in cyber-attacks and data breaches are we witnessing in 2020?
Eyal Wachsman: It is all about the data, and its always been about the data. We are seeing human-powered ransomware, where a criminal can buy a “bundle” that includes credentials to access a network and the tools to launch a successful ransomware campaign in one package. We see automation used extensively to increase the monetization of cybercrime and increase the likelihood of success. For example, to automate lateral movement, so that once within a network, it will distribute the ransomware to as many endpoints before the organization has detected a breach.
Ishan Pandey: What advice would you give to a company’s management on handling and disclosing a data breach?
Eyal Wachsman: I do not think there is any option today. You must disclose. The public is sensitive about it, and penalties can be high. The issue is how long does it take to make the decision to disclose. Most companies figure out how to go about disclosure during an actual event. I would advise them to figure it out beforehand and even exercise the process once a while.
Ishan Pandey: How can simulating attacks and breaches help an organization in preparing for a cyber-attack?
Eyal Wachsman: That’s the essence of what we do. Look, we will make sure your preventive security controls are working at optimal performance by subjecting them to a broad set of attacks. We will show you the variants that succeeded and provide the IoC’s or guidance to block them. However, that is just one part of the equation, and it’s not only about the technology. We also provide scenarios that exercise your people and processes to detect, contain and remediate malicious activity. Company’s that have limited resources will gain the most because most of them are not able to cope at all with the pace of threat evolution, we provide them with that capability. Nevertheless, large companies that have in-house pen testers and red teams will benefit from the offensive knowledge that we operationalize, automate and scale.
Ishan Pandey: More and more companies are moving to the cloud, and the cloud is notorious for its security. What best practices and policies should companies have in place while migrating to cloud platforms?
Eyal Wachsman: It is debatable if the cloud is more or less secure than on-prem. Also, it depends if we are talking about SaaS or Infrastructure. Infrastructure puts the burden on the customer; SaaS puts the burden on the provider. In any case, best practices should include a robust identity and access management system, data encryption where you own the keys, and anomaly detection systems.
Ishan Pandey: According to you, deploying which new technology is changing the game for IT professionals when it comes to cybersecurity?
Eyal Wachsman: Companies have anywhere between 25 to 50 types of security tools. My point is that there is no game-changer. There is an arms race between threat evolution and security technology evolution, and its won or lost on points. What is missing, and what is a game-changer is providing a CISO with the visibility he needs, to know what his security deficiencies are so that he can close them. It may be new technology; it may be more skills. Maybe it is related to a business initiative like cloud-first or working from home. Cymulate will show him, by challenging his security where he is vulnerable and what he needs to do to fix it.
Ishan Pandey: Are you finding any new types of sophisticated malware and viruses during your forensic research?
Eyal Wachsman: Actually, that is the sad part; many breaches can be stopped with existing technology. You need to understand how the threat landscape has evolved. The cybercrime economy is powered by a high-tech industry of suppliers and a market of consumers; the irony is that a lot of the glamour associated with hacking is not there anymore. It has been replaced by the same roles in the legitimate economy. They have analysts and developers, sysadmins, sales and customer support. If you have a working product that is good at ransomware, you will want to sell it to as many criminals as you can, and you will want to make it as simple as possible to use. So, a lot of the attacks are automated and replicated. The legit security industry catches on quite quickly and implements the safeguards. So yesterday it was automated ransomware combined with data exfiltration and now its human-powered ransomware. The question for a CISO is, do you know if the safeguards are useful in your network?
Ishan Pandey: How can companies imbibe antifragile culture in their organizations?
Eyal Wachsman: 2020 and Covid-19 has shown us the difference between agile businesses that survive the pandemic, and antifragile businesses that come out of the same period stronger. Antifragility is a company’s capability to react to “black swans” like the pandemic and leverage the situation to their advantage over slower-moving or rigid companies. To develop such a culture, a company should develop an environment that encourages experimentation, fails fast and learns from its mistakes.
Ishan Pandey: What trends and opportunities do you see in 2021 for the cybersecurity industry?
Eyal Wachsman: Let me gaze into my crystal ball 😊 I see more of the same which means more change. Business initiatives will drive changes in IT, and these will create new opportunities for cybercrime, new variants of malware and techniques and the security industry will try and sell you as much kit as possible by showing you how scary it is out there. Cybersecurity skills will remain scarce into 2021, which may just be the weakest aspect of cybersecurity today. The precious few will focus on collaboration to pro-actively fight cybercrime, and I hope this trend grows. Furthermore, we will continue to shine the lights on a company’s security stack so that they know where they need to focus their efforts limited by scarce resources and facing constant change.
Cybersecurity requires periodic assessment to ensure that the cyber defences are adeqaute in order
The purpose of this article is to remove informational asymmetry existing today in our digital markets by performing due diligence by asking the right questions and equipping readers with better opinions to make informed decisions. The material does not constitute any investment, financial, or legal advice. Please do your research before investing in any digital assets or tokens, etc. The writer does not have any vested interest in the company. Interviewer - Ishan Pandey.