Muddu Sudhakar is a seasoned and successful entrepreneur with more than 20 years of experience working with Silicon Valley companies. He co-founded and is currently CEO of Caspida, a cybersecurity company based in Palo Alto, Calif., that detects unknown and hidden threats without rules, signatures, sandboxing or human analysis. Caspida uses data-driven analytics to uncover APTs, zero days, malware and insider threats. Prior to Caspida, Muddu held leadership and management roles focused on cloud and Big Data analytics technologies at leading companies including VMware, Pivotal, Cetas, EMC, Kazeon and Sanera.
Christopher Skroupa: Why should a company assume they are in an environment that has already been compromised by a cybercriminal?
Muddu Sudhakar: You should assume for a few reasons that at least one cybercriminal has access to your environment. First, the average time to detect a breach is well over 200 days, according to industry statistics. Second, surveys show that as many as 70 percent to 90 percent of companies have been breached in the past few years. Third, even if no outside hacker has broken in, there are thousands of users with access to the organization’s assets and resources.
A recent example of inadvertent disclosure was the JPMorgan break-in: employees used their corporate user names and passwords to register for a 5k run. Since the third-party vendor managing the 5k registration service wasn’t secure, cybercriminals were able to break in, steal the employees’ usernames and passwords, and then use them to access JPMorgan’s network and steal thousands of personal records. If an admin’s password is stolen, it can also be used to gain access to other employee credentials. Typically, cybercriminals move laterally from inside the organization, using different credentials and privileges to access different parts of the enterprise and slowly extract data over time.
What enterprises need are new technologies and products to find the cyber attacks and bad guys hidden in their environment, not just point products that try to protect the endpoint or perimeter.
Skroupa: With the variety of cyber threats growing, how can a new breed of solution products assist in the event of a compromise?
Sudhakar: Legacy security tools are necessary, but security needs to evolve to protect enterprises and consumers against the ever-changing threat landscape. Most significant attacks are polymorphic in nature, and that mandates new security platforms driven by data science and machine learning that allow you to proactively counter the bad guys. Traditional approaches are designed to keep attackers out by creating rules or signatures or by sandboxing. Such approaches are band-aids on specific cuts, but they aren’t able to detect today’s more complex attacks.
What’s challenging is that security teams within enterprises are small, and they’re struggling to review all the alerts they receive every day. Organizations need a new breed of automated products that will hunt for attackers and focus on discovering the most critical threats among the many lesser threats. Security staffs can increase their productivity by using a data-driven analytic solution that leverages machine learning and data science to locate threats and provide forensic evidence around these attacks.
Skroupa: How can the roles of the chief information security officer and the board of directors impact a company’s success in implementing a new generation of cyber security systems?
Sudhakar: The CISO should report to the CEO, given the importance of security in protecting the enterprise’s reputation and crown jewels. CISO is a core function, no longer an ancillary function. Until recently, CISOs haven’t had the power to address cyber security issues. Since the Target breach this has changed; cybersecurity has become a board-level problem. CISOs are now invited by the board to address governance and risk issues. The next step is for the board to focus on how to detect breaches quickly, before they can do widespread damage. Since the costs of a major breach can easily exceed $100 million or more – just look at Target and Sony – spending a fraction of that on preventive measures should be an obvious solution. While cyber-security insurance is now becoming available, its coverage and restrictions are still very strict, so it’s not a cure-all for the after-effects of a large breach.
Skroupa: Tell me about the debate of employer environment versus employee privacy.
Sudhakar: With today’s borderless enterprise, a delicate balance is required to protect the company and its assets while also protecting employee privacy. Lots of attention has been paid recently to privacy, but security is needed to maintain privacy. Our lives are so wired today that it’s no longer practical to tell employees to sit at a computer all day without checking personal email, instant messages, news sites and so on. But as soon as employees access external data, they are exposing the system to attacks, creating channels through which a malicious employee could leak data, and potentially violating corporate or government policies.
Realistically, employers have to assume that devices in the enterprise will be used for personal purposes from time to time and focus on systems that detect truly malicious behavior rather than futilely trying to block every single personal application, website and message.
Skroupa: What new legislation is necessary to take into effect the new balance of privacy and access, which is necessary to properly address cyber threats?
Sudhakar: We need Congress to enact new legislation to encourage vendors to build and companies to deploy solutions with state-of-the-art security. Most major breaches have been due to security products and configurations that were, in retrospect, outdated and insecure, but companies have no real incentive to spend time and money upfront to eliminate these risks. We need standards, set by either industry consortia or the government, that put real teeth into minimum cybersecurity thresholds and have real penalties for not complying.
When a customer’s identity is stolen, companies issue an apology letter and possibly a free credit check. What consumers don’t have is a Bill of Rights that protects their privacy. This Bill of Rights would regulate and enforce businesses’ use of safeguards and cybersecurity protections to guard consumers’ private information. The bill would also include regulations to notify consumers in a timely manner that their identity has been stolen. Businesses should not take their roles and responsibilities lightly. Consumers need more rights and more choices in with whom their information is shared, how it is shared, and what is shared. Without a Bill of Rights for consumers, one company may safeguard your personal data but another one won’t. As a consumer, you don’t want your personal data in the hands of anyone you didn’t authorize.
However, the bigger issue is how you safeguard your data when it’s in the hands of a third party that may not follow good security practices. Target was breached because a Heating, Ventilating and Air Conditioning (HVAC) vendor had access to its systems. When the HVAC contractor’s network was compromised by a cybercriminal, the bad guy could ride the HVAC access right into Target’s network. When you give a company your personal or financial data, you aren’t just giving it to that company, you’re giving it to every company that company works with. I feel sorry for the customers, but not for companies; they didn’t properly address a prescriptive solution in the first place and should be accountable for figuring out how to implement one. This isn’t the first time such a breach has happened, and it certainly won’t be the last.
On October 22, 2015, Skytop Strategies will present, “Big Data & Cyber Security: New Tools and Approaches to Increase Resiliency,” hosted by Edelman at the Chicago office. Continue the discussion with Muddu Sudhakar and chief information security officers, IT security engineers and information assurance analysts at this full-day conference, designed to explore operational strategies that minimize disruptions from a cyber breach. To inquire about attending, contact Chris Pulliam at firstname.lastname@example.org.
This article was written by Christopher P. Skroupa from Forbes and was legally licensed through the NewsCred publisher network.