Cybersecurity for the SMBCrowdStrike’s Murphy on Steps to Improve Defenses on a Smaller Scale

“I think it’s a real mistake to think you’re somehow insulated or protected from attack because you’re small,” says Murphy, vice president of managed services with CrowdStrike. “If you as an organization depend on IT systems for operating your business, then you are a target for attack—let’s just state that plainly.”

In an interview on cybersecurity for the SMB market, Murphy discusses:

• Threats and threat actors that matter most to smaller organizations;

• Common security oversights by smaller enterprises;

• Strategies to build stronger cybersecurity defenses.

Threat LandscapeTOM FIELD: I’d like to get your take on the current threat landscape. What are the threats, and who are the threat actors that give you the most concern?

AUSTIN MURPHY: One thing to note about the current threat landscape is that everyone really seems to be upping their game—all of the actors that we track. We used to think about the threat landscape as different types of actors. There were commodity actors, nuisance actors, script kiddies … all the way up to the highly sophisticated targeted threats—the state-sponsored actors that were known for being very difficult to deal with because of the tactics that they used for establishing persistence and networks and bypassing controls.

We’ve seen many of these tactics that used to be really reserved for the targeted actors democratized. Now they’re being adopted by opportunistic attackers and then automated to put them to scale. It’s a little bit less helpful now to think about different actors that we need to be concerned about or not concerned about, because many of them are using things like credential theft and lateral movement and multistage malware that’s modular, polymorphic.

One of the largest concerns that we’ve observed when we think about the state of the threat landscape is that actors that used to blindly and opportunistically attack very broadly, and use nuisance threats like bots or spam or click fraud … are now regularly brokering that access into networks that they compromise.

We’re seeing that they’ve identified additional revenue streams from their botnets by identifying which networks they have access to. Then they choose do they either want to use this access for spam or click fraud, or do they want to sell that access on the dark web to an attacker that may have a more targeted interest in that network?

The takeaway there is that we can no longer ignore the lower-level threats; we need to treat them all as hostile to our networks.

Everyone’s a TargetFIELD: Austin, we hear a lot about the high-profile breaches that effect Fortune

Austin Murphy

Murphy has a broad background of leadership experience in the information security community, from both private sector professional services and the U.S. Department of Defense. As the vice president of managed services, Murphy leads the team responsible for managing the Falcon platform on behalf of customer organizations, delivering a complete managed endpoint security strategy, from prevention, through detection and response, including full hands-on remote remediation.

The high-profile breaches of Fortune 100 companies are the ones that get the headlines, but small and midsized businesses should not breathe any sighs of relief. They are very much still targets, says Austin Murphy of CrowdStrike. He offers cybersecurity advice to SMBs.

Cybersecurity for the SMB 2

500 companies, such as Equifax. This focus might make smaller organizations feel that they’re relatively secure and that they’re not targets. But in your experience, what are the odds that these smaller organizations could encounter the same types of attacks?

MURPHY: It’s a real mistake to think that you’re somehow insulated or protected from an attack because you’re small. If you as an organization depend on IT systems for operating your business, then you are a target for attacks. Let’s state that plainly. If you store or process data that can be monetized, such as payment card data, that data can be sold on card forums. If you process personally identifiable information, that information is valuable for fraud schemes as well.

Even if you don’t think you have sensitive data, or that you don’t have enough of it that it would be interesting for an attacker to target you, you can still be targeted for things like email compromise or wire fraud and extortion.

Recently, we worked a case where an attacker was able to compromise the email account of a CEO of a very small company just by getting their password and then

logging in. What they did is they monitored those emails. They would log into the CEO’s account for weeks, monitoring the emails and observing the pattern of how transactions were being approved at that organization.

They identified that in this organization, invoices over a certain amount had to be approved by the CEO, so they would send the invoice to the CEO for approval, and then he would forward that on for processing. The attackers waited until a particularly large invoice came in and they intercepted it. What was interesting is that they actually left the invoice as it looked, but they changed the wiring, the routing instructions, on a legitimate invoice. Then with the access to the CEOs email infrastructure, they forwarded that on for processing.

What the CFO received was a legitimate invoice from a legitimate customer with a legitimate PO, and processed it, but the CFO sent the money to banking infrastructure that the attackers controlled. There’s nothing special that would make a large or a small organization more vulnerable or less vulnerable to it. Attackers, in fact, know that smaller organizations

don’t have strong controls in place and may not have prepared for this, so they’re easier to take advantage of in these types of schemes.

Biggest Cybersecurity RiskFIELD: Austin, we hear a lot about business email compromise and ransomware. What do you see as today’s biggest cybersecurity risk for small to mid-size organizations?

MURPHY: The biggest risk to these organizations … is their own lack of visibility into the state of their security in the organization. The legacy solution vendors and the providers are partly to blame for this because of their historically poor performance against modern, more complicated threats.

The lack of awareness that these small businesses have is a doubled-edged sword. First, visibility is what exposes the vulnerabilities in the first place. Second, it makes it much worse if there is an attack, because when an attack occurs, they also don’t have the visibility to effectively respond, so they can’t conduct an investigation, and they can’t rapidly understand what is happening. The attacks

“We can no longer ignore the lower-level threats; we need to treat them all as hostile to our networks.”

Cybersecurity for the SMB 3

that they do face are more impactful than they need to be.

Biggest MistakesFIELD: Well, what do you see then as some of the biggest mistakes that SMBs make when it comes to cybersecurity?

MURPHY: There are really two main mistakes that we see a lot of smaller organizations making. The first is having an assumption that it won’t happen … to them. The types of attacks that we face today are easy to automate and scale, so it’s really unhelpful to think that the size of your organization somehow factors into the risk profile the way that it does in the physical world for physical world crime.

The power of automation, for all of the wonders that it does us, it also allows attackers to automate and scale their attacks. An attacker can dream up a lifecycle of attack, and then launch it out into the world with automation. Oftentimes, it’s the smaller organizations that are less prepared and vulnerable that do get hit the hardest with these. And that’s what we see with the evolution with ransomware and other extortion techniques: Smaller organizations are hit much more frequently and much more impactfully than larger organizations.

The second big mistake that we see smaller organizations make is that some of them think of security as a state that you can achieve. We know successful organizations understand that the concept of “secure” is not something that you are; rather security is a process that you participate in. The former way of thinking leads you to buy security products and technology and put controls in place and then sit back and hope that they work. The latter way of thinking—thinking of security as a process—leads you to think, and engage and evolve

your process with the help of technology and solutions.

Successful organizations are spending time testing their controls. They’re observing where they fail, and they’re improving them and learning about how attackers are changing by paying attention to what’s happening to other organizations. They’re applying those lessons learned back into their networks. It’s that ongoing improvement that ultimately leads to success.

Getting StartedFIELD: How do you recommend that an SMB get started on the path to better cybersecurity protection?

MURPHY: It starts with an inventory … not only of your assets, but also an inventory of the controls we have in place to really understand what is happening today. We seek to know thyself first and inventory your processes.

A security professional in the organization should not only understand how security

“A big mistake that we see smaller organizations make is that some of them think of security as a state that you can achieve.”

Cybersecurity for the SMB 4

functions within their company, but also how the business operates, how data flows, how teams work, how decisions are made, to understand where would the vulnerabilities be so that they can build and enhance controls into that.

A lot of this inventory does involve having good technical visibility into what’s happening on your network, what’s happening on your endpoints, and understanding what types of applications are running, and what those applications doing. Then we can understand what is normal and what is not normal, and we can respond effectively to threats that we observe, identifying attack scenarios that may effectively target your own organization, and then modeling them out in tabletop exercises and understanding how your organization would perform in a given scenario.

How would your organization prevent an attack scenario, or if you were unsuccessful at preventing it, how would you detect it? A big part of this is just understanding if something like a business email compromise happened here, how would my organization even know that that happened?

Let’s talk about our detection controls, and then if we did detect it, what’s our response? How do we respond to something like that here? Who has what responsibilities, and do we have the training and the technology and the visibility required to effectively to deal with an incident?

Then go through those tabletop exercises on any given attack scenario and take those lessons learned back to improve your controls, increase your visibility, increase the awareness from your organization in addressing those gaps. For the gaps in those areas where you don’t have the

capacity or capability or budget or funding to address them internally, look to partner with other organizations that do have those types of domain expertise to be effective in that space.

I always tell people, my team is staffed with people that are experts at endpoint security, incident response, and forensics. We don’t know a whole lot about audit regulatory compliance, but our sweet spot is in that incident response and incident handling. Every organization should understand what your team is good at and where your deficiencies are, and then seek to partner with others.

3 Top Cybersecurity IssuesFIELD: To summarize, what would you say are the three most important things an SMB should know and understand about cybersecurity?

MURPHY: Most importantly, the first is understanding that security is not a state; it’s a process. It’s a really important concept that it should be always evolving, and that it involves action of people on your team, not simply on setting controls and technology.

Secondly … no controls can be effective and no technology can be properly implemented without a proper inventory—the concept of really taking inventory not only of assets, but of process controls and applications and really defining what the landscape looks like within your organization.

Then last is to look to partner with organizations that have domain expertise in areas where you’re seeking to shore up after you’ve done that inventory. Once you’ve identified where your gaps are, partner with organizations that can effectively help you close those gaps. n

“Every organization should understand what your team is good at and where your deficiencies are, and then seek to partner with others.”

Cybersecurity for the SMB 5

902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is

specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global Summit series connects senior security professionals with industry thought leaders to find

actionable solutions for pressing cybersecurity challenges.

Contact

(800) 944-0401 • sales@ismg.io