Cyber Daily sits down with Sophos’ Chief Technology Officer Aaron Bugal to unpack what the future cyber security landscape looks like from ransomware to artificial intelligence.
Liam Garman, editor of Cyber Daily: You have a research division, X-Ops, at Sophos. Talk me through some of their significant findings at the moment. What's their research saying? I know a lot of chatter is around ransomware at the moment, but also nation-state cyber campaigns. What's your team saying?
Aaron Bugal, Field Chief Technology Officer at Sophos: There are two parts to this, the first thing is, I know ransomware is a big problem and it's a big problem across all geographies and all industries. But it is something that we focus on, I think, too much. I think ransomware is merely a tool in the attackers' kit bag that they will persistently use to bother organisations from here on out and more.
So it's just used as a tool to get the organisation, the victim, to understand that their environment has been tampered with and data most likely exfiltrated, which is the real end game. In my opinion, attackers these days, information stealers, exfiltration of information with the intent to extort seems to be the pure action of objectives on many of these cyber criminals, not only just the opportunistic ones that happen to glance across an open organisation, but also those that are nation state backed, that have got their stuff together, that are really working in a concerted effort to breach organisations that they are wanting to choose to gain access to and then take that information for usually quite subversive purposes in the future.
Garman: I find that it's almost controversial to say we're focusing too much on ransomware, but it's the means to an end right? In traditional crime you target the criminal, not just their tools.
Bugal: You make a good point. I think ransomware is just a means to an end. And just on that, you mentioned focusing on the groups or those that are responsible. I think attribution is another area that I like to be polarising on when talking about ransomware.
Cybersecurity, we've got better terms for it. Threat attribution to specific groups and so forth. Threat group naming really does evangelise those threat actors and give them a little bit of a chest beating sort of moment, which I don't like. I don't like it at all. So I'd rather just stamp them a number or just a technical sort of label, a token, if you will, and just move on from there.
It’s a problem. It is something that I think most organisations can grasp now as a problem that they face. The ‘oh, have you heard about this ransomware thing?’ And I don't think that many people would have not heard about ransomware in this day and age.
But focusing on that endgame, there's a lot more that happens. Shifting left of that attack phase, in my experience, there were a lot of trivial things that organisations could have done to sidestep this whole big breach that they may have experienced, which, more than nine times out of ten, is the case. Ransomware is problematic, but I don't think it's something that we should all be focusing on truly moving forward.
Garman: I understand that companies like Sophos are utilising artificial intelligence to detect threats. What does this look like for Sophos?
Bugal: The big thing with AI from Sophos is that the first thing that we did when everybody began using it is to correctly govern it. So really meddling out policies around how we as employees can approach a generative AI or an artificial intelligence provider and what we can and cannot do with it.
I think a lot of organisations have yet to get to that point in time where AI is seen as helpful, but aren't really correctly governing or regulating its usage.
And case in point, we saw the Melbourne mayor release some mock ups of some underpass gardens that would sort of look beautifying and used machine image generated pictures which didn't really turn out so well for that exercise. Not that we're blaming that government for doing that, it was a contract, but nonetheless supply chain right?
Going back to your question, at Sophos, AI is a big thing for us from a scalability standpoint. When we look at our customer base, and this is just for our managed detection and response service, we've got over 23,000 customers globally. Using our managed detection response service, we have augmented and scaled our security operators. The people that we've got in front of the terminals that are providing the security capability for our customers, we have given them access to AI to help them sort through the copious amounts of noise, all of these alerts that are coming at them, to help sift through what could be of interest.
We don't expect AI is going to solve everything when it comes to all security problems, but it's at least going to present actionable intelligence to the operators that know what they're doing, the people to then go and target things quite quickly and succinctly and get that quick time to respond.
Garman: What must business leaders who are listening to this podcast be aware of as they move into adopting AI?
Bugal: If you don't have a policy that's been typed up on paper and sent around as a communique to all of your employees around what the business expects you to do and not to do with the information of which the business holds nearest and dearest to its chest in regards to submitting it to an AI to give its opinion on an outcome, I think you need to write one.
So just as an example, at Sophos we've got a generative AI policy template that we've provided publicly, that we've largely based our own internal generative AI policies on, that we're just providing for anybody to come and download. Many different government organisations are now supplying these just as an example. But it does provide some food for thought. If you are in the medical industry, it's probably not the best for your employees to take sensitive medical documents and present them to ChatGPT to then write a case summary for one of your patients. That's no bueno, right?
I think we will see more information breaches where people have inadvertently given away company secrets to the generative AI models in the cloud without first vetting the information they were giving up, and then that generative AI company then owning that information that they can use to do whatever they see fit with, which was the policy of OpenAI and ChatGPT back in the old days. So I'm concerned what that would lead to, such as organisations just simply trying to block generative AI. The fact is, it won't work. People will find a way. Like Jeff Goldblum said in Jurassic Park, life finds a way.
Garman: Now, very hand in glove with this is the concept of zero trust security. Talk us through just how Sophos is working with their customers to develop zero trust. And in today's environment, why is this so crucial?
Bugal: Zero trust is more of a journey than a product. I know that at Sophos we've got products that are labelled zero trust network access that provide frictionless access to resources, but it's mainly getting towards, like you were talking about before, if an attacker gets into my network and they're able to interface with the internal ChatGPT bot and then ask it for the company's deepest, darkest secrets, then they've got the jewels to the kingdom. So from our perspective zero trust is: always verify, always be asking for attestation, always validate, then least privilege.
The conversations I have with organisations around walking towards least privilege authentication, MFA, it seems like it's blowing their mind sometimes. This is basic stuff and they can get some real quick runs on the board and really harden their resiliency against cyber threats before they've even gotten to deploying a product, which it's pretty rewarding to see.
Garman: Just how does it work?
Bugal: Zero trust includes user behaviour analytics, along with facilitating network access from wherever you may physically be, and that is the big draw to zero trust in my perspective. It's about not only who's accessing it, but where they are accessing it from and, previously, where they have been.
So, as an example, if you had just logged in from Sydney, Australia, and then all of a sudden see an attempted login from say, Hawaii, to access those documents, that might be a course to pick up the phone and give you a call and ask if you are actually in Hawaii doing stuff in the corporate network. Because it's a brand new device that we're seeing and that's the sort of stuff that we would probably just chop off at the knees because it's not kosher. That's an example of zero trust. Just to always be validating activity to make sure that it is above board. And if it does look and smell dodgy, then it doesn’t proceed.
Garman: Now Sophos does a lot of work in the endpoint protection, detection, and response space. I’m guessing this has been a growth area since the pandemic?
Bugal: Employees, some understand, some do not, that blending their work life into one physical device has its advantages, but it also does have its detractors because many get suspicious and feel like they're being watched. I think that's a little bit unfounded, but it depends largely on the organisation geography that you work in and what sort of powers the organisations do and don't have.
From a working standpoint, our technology has been very much accelerated in the form of facilitating ease of access for remote users, especially when it comes to our own gateway protection systems, our XGS platforms and also our endpoints.
In 2015, we introduced a thing called synchronised security, where our endpoints and our firewalls would talk to each other, exchange security health and then permit you onto the network. Today, that's now ZTNA, but formerly it was known as NAC. So a lot of things have come very much full circle and they've just been polished up as time has progressed. That's probably one of the biggest things that I've noticed, is that as a security community, as a participant in the security industry, as a vendor of technology and services, it's no longer conducive to better outcomes if you're insular with what you do.
Garman: Sophos released the State of Ransomware 2024 report. What are some of the key trends and statistics that we're seeing at the moment that we should probably be paying attention to?
Bugal: The good news is ransomware infections are going down, to 59% globally this year compared to roughly 66% last year. It's not a massive drop, but it's a drop nonetheless.
But it is a testament and sort of an indicator that threat actors, although they're still terrorising people and harassing them with ransomware, they are gaining access to environments still, they are still exfiltrating data and they are still preying on those that are least secure because those organisations didn't know they were insecure. We also had a massive look at healthcare and manufacturing and governments, as they're now starting to be targeted more.
We've seen some pretty radical things happen in Australia with targeting healthcare providing organisations, some recently, some not so recently, but there has been discussions of parliamentary inquiries and so forth, and it has really sort of galvanised the requirement to change attitudes towards cyber security. Ransomware is a problem, but I think that the cyber industry overall has got a lot of work to continue to do to ensure that people aren't being popped opportunistically by these script kiddies that are out there.
Garman: On this note, why does geoblocking make sense? Are there any potential downsides?
Bugal: It's a double-edged sword. If you decide to put the shields up and say, right, we're only dealing with Australia and New Zealand entities because those are the only people that I need to do business with, I don't have any desire or ability to ship stuff or discuss with people outside of this location, that's really it.
But I mean from a benefit standpoint it can really just filter out the noise that you get from other destinations, for example the United States, Russia, Eastern Europe, everywhere really.
So it can be a real benefit there to geoblock those environments and say no deal to any of them. But at the same time, if your customers are next door to you, and they are supplying you and you are supplying them, but their mail server is hosted in America, how are you going to converse with them via email? That could be a problem.
So you need to identify what the overall impact to communications would be when running something like this. Because you don't want to miss out on anything, especially in this day and age. Maintaining that competitive edge and maintaining the livelihood of your business means that you need to capitalise on every opportunity that comes in. Having one block because geoblocking was enabled could be detrimental. Organisations should approach new technologies like geoblocking with some sense. Don't just turn it on and say "job done". Do a bit of an evaluation of where you are getting your traffic from these days. Look at the logs and understand traffic flows, where they're coming from, identify things that you might need to exempt and then create policies around it to ensure that when you do enforce geoblocking, nothing is going to happen in an untoward fashion.
You can hear the full discussion between Cyber Daily and Aaron Bugal, Field Chief Technology Officer at Sophos, on the Cyber Uncut podcast.