Minassian, commenting on the current threat landscape in Australia, says that in the majority of cases of security breaches, it’s “opportunistic, and very few organisations find themselves subject to targeted APTs.”
“Basically, what you’re up against is a bunch of hopeful, financially motivated IT-savvy crooks who build an infrastructure designed to attack virtually everyone and anyone,” says Minassian.
“The threat landscape is in a state of constant flux: as organisations shift to defend against one set of attacks, attackers are quick to develop tactics and techniques that make defences obsolete. So, our protective controls are constantly being tested. And, as defenders, we can never afford to drop our guard.”
Loris Minassian - who with his team of security experts focuses on providing business and IT stakeholders with cyber assurance - talked in detail about the security landscape in Australia in a Question & Answer session with iTWire:
Introducing Loris Minassian, Founder and CEO of CyberStash, a specialised Australian Cyber Security Company with its focus on providing business and IT stakeholders with cyber assurance.
1. Loris, please tell us a bit about CyberStash and its inception in 2018 - what was the spark that gave you the impetus to bring a new business to life?
CyberStash was born out of the need to provide companies with cyber risk management options that could be measured on multiple scales of risk. In other words, measured not only on efficacy but also on efficiency, on value at risk, replacement cost and total cost of ownership. It all came about through a combination of my experiences developing security services, running a security operations centre, and setting up and running a managed security services practice.
And all the time, like a mantra in the back of my mind, the words of Albert Einstein, saying something along the lines of “if you continue doing the same thing, you will continue to get the same results.” This inspired me to develop services that would take a totally different approach to combat cyber risks.
2. We’ve seen a fair few organisations being breached in recent years. What’s your take on the current threat landscape?
Basically, what you’re up against is a bunch of hopeful, financially motivated IT-savvy crooks who build an infrastructure designed to attack virtually everyone and anyone. The threat landscape is in a state of constant flux: as organisations shift to defend against one set of attacks, attackers are quick to develop tactics and techniques that make defences obsolete. So, our protective controls are constantly being tested. And, as defenders, we can never afford to drop our guard.
As I say, the number of organisations facing APTs from specific adversaries is currently quite small though growing steadily. However, armed with the right combination of technology, personnel, and processes, organisations can, for the most part, keep their adversaries at bay. Of course, some advanced, targeted threats will always slip through. If they do, it’s vital that organisations have a post-breach strategy so they can detect and respond when systems do get breached; otherwise, the business impact can be devastating.
Another concerning trend is the sophistication of the exploit kits advanced threat actors are using these days—kits that are capable of circumventing protective controls are becoming increasingly common, even in run-of-the-mill attacks.
3. Does anything else set CyberStash apart from the competition? And is it something that customers really notice?
Well, as with anyone who’s introducing something new and unique to the market—the Australian market in our case—we’re kind of forced to excel when it comes to educating our customers on the current realities of cyber-attacks.
Everyone in my circle has 20 plus years’ experience in cybersecurity and consulting to a variety of business types on cyber risk management, so we know our stuff. And although our conversations can be quite high-level, they’ve resonated really well with prospective clients. We keep it real and avoid the hype, and they get it!
The clients that appreciate our value proposition most are the ones who’ve tried using a SIEM but failed to detect any advanced threats. SIEMs cost an absolute fortune, so an actual ROI from such solutions is very rare. That’s because they’ve tried to detect threats by collecting an enormous volume of logs and then tried to discover threats within those logs.
Clients who’ve yet to experience the failures of using a SIEM are lured by the bells and whistles that come with this type of solution. Obviously, it’s harder to push your value proposition to clients who are already sold on an existing solution… but running our Proof of Value 30-day Trial soon gets us over that hurdle.
When you’re building defences, you have to really understand the security architecture and how to use it to your advantage. That’s another thing that sets us apart at CyberStash. You must have heard about the problems security teams around the world are facing trying to find needles in haystacks. Well, at CyberStash, we don’t have that problem because we reduce the amount of “hay,” or rather noise, to begin with.
We use actionable threat intelligence to protect our clients against opportunistic and emerging cyber-attacks. That is, we give them a clean Internet feed. We operate the service at scale, protecting companies against 150 million known sources of threats. These are automatically updated IP addresses, domains, and other threat indicators that are known to be associated with malicious cyber activity.
Only then do we set out to detect and respond to advanced threats that can circumvent defensive controls.
This is totally unique to CyberStash: actionable threat intelligence to protect against known sources of threats, followed by independent surveillance of endpoint and business systems, forensically detecting advanced threats and ascertaining the state of compromise… i.e. detect systems that have already been breached and clean them up before they impact business.
This is our approach to advanced threat detection. It reduces dwell-time and provides clients with cyber assurance.
4. You've obviously helped and served hundreds of customers over the past 20 years. Tell us about some of your most memorable achievements during that time.
Speaking personally, I co-founded earthwave, a specialised, Australia-based MSSP that, back in 2013, sold its business to Dimension Data … but only after 13 years of organic growth.
During this time, we built the security defence strategies and programs of work for many organisations and then provided real-time threat detection and incident response through our 24/7 SOC practice.
Our most memorable achievement was building a government-grade secure internet gateway and certifying it to the security classification level of “highly protected.” Other notable projects included protecting the NSW Parliament with its 96 electorate offices and protecting McDonalds’ free Wi-Fi in their 1,000 restaurants throughout Australia. At the same time, we also secured most of Sydney’s water and energy. I’m incredibly proud of these success stories because they reflect the achievements of the exceptional team I had the pleasure of working with.
5. What lessons have you learnt that have really stuck with you over the years?
The greatest lesson I’ve learnt is how to listen and how to be patient but persistent with people. Everyone’s dealing with their own set of challenges, in their professional as well as their personal lives… and I guess this is what drives their current priorities. It’s important to have real conversations about risks and only then position solutions that provide effective and efficient ways to mitigate them. When defending against cyber-attacks, it’s vital to optimise risk and resources because you’ve obviously got to keep operating costs to a minimum.
6. What mistakes do you see companies making when engaging with security companies and upgrading their security technologies to deal with modern threats?
A lot of organisations have very little idea of the range of options open to them. They often fail to consider the total cost of owning security solutions. Most of them don’t have the skills or the resources to properly assess and compare solutions. And when they do, the resources are time-poor. Most companies don’t have an end-to-end view of threats.
They often don’t manage their IT assets too well either and miss the complete view of their application and data, which is what they’re supposed to be defending in the first place! Lots of companies will buy solutions to address point problems instead of working through a security strategy and program of work. They do very little research, then blindly place their trust in what the vendor says without even testing anything. My advice to them would be, first work on developing a security strategy and ask yourself what is the actual risk you’re aiming to reduce? What kind of resources and skills would be required to manage the security solution?
7. The Cybersecurity industry has seen a number of mergers and acquisitions in recent years. What advice would you give companies that are acquired or merge?
I’d say, take a really deep breath and get ready for change… and yes, your role is going to be impacted one way or another. Change and more bureaucracy come hand in hand with mergers and acquisitions. My advice would be to work through a gradual enterprise-wide change plan. No two cultures are ever going to be the same. You need time for the teams to be acquainted, to build trust and establish meaningful relationships before they start working on merging the two businesses.
Building meaningful working relationships takes 1-2 years at least, so you need to be in it for the long haul. What’s more, you should do everything you possibly can to keep the focus on existing products and sales. Don’t do anything that would impact your sales pipeline or existing product development. Don’t immediately set out to sunset existing products and services with a view to replacing them. Far better to retain existing services with their quality while you’re working on changes or introducing new platforms or services.
8. Can you share some more insights or stats relating to Cybersecurity?
I’m not a big stats person, but some of them really resonate with me.
One is that we as an industry have only discovered 50% of all the vulnerabilities out there. Ironically, many of them are found on the very same operating systems, common applications, and actual security applications and devices that we depend on to run and defend our business systems and information.
Another is that, in Australia, the average length of time between an organisation being breached and the breach being discovered and cleaned up is about 92 days. This period is what the industry calls the “dwell-time.”
Another notable stat is that if an organisation can detect and respond to cyber breaches that circumvent their protective controls and confine dwell-time to one day, they can reduce the likelihood of business impact by up to 96%.
9. Without giving anything away, can you tell us about one of your customers, what you helped them to achieve, and why they needed your services?
Sure, we’ve been working with a government client who has 1,300 users and endpoints, 300 servers, 2 head offices, and 2 dozen branch offices. We helped them develop their cybersecurity strategy and program of work, upgraded their defensive controls including hardening their endpoints, upgrading their perimeter defence, and upgrading their endpoint security controls. We also reviewed and improved the way their financial department was authorising requests for changes to bank details… as you know phishing and email fraud is a massive problem for everyone. We also introduced a process for including cyber risk assessments for all net-new initiatives and projects. We then introduced user awareness training and are currently working to provide their business stakeholders with cyber assurance.
10. Wow! That certainly sounds like a compelling amount of value for your client. To change direction a little, as we get to the end of the interview, I always like to look to the future. When you peer into your crystal ball, what do the industry, security services, and business in general look like in say 2030?
In just 10 years? I believe we’ll see much of the same type of change. No let-up in breaches, and we’ll witness ever more increasingly sophisticated threats… attacks will become even stealthier and harder to detect.
I suspect that, like everything else, there will be a mixed bag of service providers… some offering real value and solving real-world problems and others relying on hype and making a quick sale. And a mixed bag of buyers too… some with experience and knowledge of the threat landscape and able to manage risks, and others heavily influenced by their emotions, buying solutions on the strength of vendor hype.
11. Thank you. And I’d now like to drop it down another gear and ask if you could please share the best advice you've received in life so far, which has kept you in good stead and helped you get where you are today?
Oh man, that’s a tough one! I guess it would be to keep my head straight and work hard and focus on my own longer-term goals. Not worry about what everyone else is doing, and speak up when I see something doesn’t make sense… to challenge the status quo, that is.
12. And your final message to iTWire viewers and readers, and to your future customers and partners?
The same advice I give everyone, keep on exploring and don’t be afraid to try new things… go for it!
13. What do you see as the key Value Proposition for iTWire readers, and do you have any special offers for iTWire readers?
CyberStash already offers a free Proof of Value trial of its unique services. For iTWire readers, if you’d like us to carry out an independent survey of your business systems and ascertain whether any have already been breached, then just reach out to us. I guess the only other thing of value that I can personally offer is a no-strings-attached discussion with your readers on how we go about developing a cybersecurity strategy and program of work… a pick-my-brain type of thing.
14. I know from experience that some readers don’t want high-pressure engagements. How do you ensure their inquiries are a high-value, low-key, positive experience?
We appreciate that competing priorities and capacity constraints are the new norm, but what about having a general chat over coffee, or a call to begin with? We enjoy presenting our approach and the value we offer to clients, and we’re all about building trust and establishing relationships. We normally do this only when there is interest. It’s pointless positioning products and services when there’s no demand. We place far greater value on establishing a longer-term relationship. Our services and solutions are not always going to be the right fit for every company, and we encourage clients to continue exploring… at the very least, by having a discussion, they will learn about what we offer and can engage us when and if they ever have a need.