Insight Interview Series

CISOs: Why you shouldn’t give up the fight on ransomware just yet, according to cybersecurity expert Todd Dekkinga

Cybersecurity

August 26, 2021
·
5
min read
Todd Dekkinga, CISO at Airgap Networks

Todd Dekkinga, CISO at Airgap Networks, discusses ransomware solutions

Todd Dekkinga is CISO at Airgap Networks and a startup advisor.

Ransomware rises


“I’m sitting at these ransomware roundtables and meetings all day and the questions are mostly ‘What can I do to recover? Is our data backed up?’”


Todd Dekkinga, like many CISOs we hear from on Pulse, is fed up. Ransomware (software that maliciously gains access to private data and prevents an organization from accessing that data until a ransom is paid) has become such a big problem for businesses that many IT executives have accepted that a ransomware attack is inevitable. But that’s not an approach Todd is willing to take.


“The questions I’m hearing are all about backups: ‘Is Microsoft backing up my data in the cloud?’ But I’m like, why do I want to recover? Forget about the cost of the ransomware itself. Recovery also means wasted IT time spent syncing those files, etcetera … that’s business time. That’s money.”


On any given morning, scrolling through LinkedIn reveals posts from CISOs about yet another ransomware attack. Is this just the echo chamber of social media funneling collective security teams’ anxieties to the point where it feels like a ransomware attack is coming to a new business every day? Or is ransomware actually on the rise? 


Todd’s response is unequivocal:


“Definitely yes! [The ransomware problem] has been there for years, a decade or so, but it’s making headlines now because it’s affecting major infrastructure, things like meat [supply chains], and because folks are like, ‘OMG, I can’t get my steak, and gas prices went up?’ suddenly the news networks are picking up on it.”

No business is safe anymore 


Unfortunately, staying away from the LinkedIn doom-scroll won’t save CISOs from ransomware anxiety—the scope of ransomware attacks is changing. Feelings of “it won’t happen to us” don’t apply any more. Todd sees it in his day job as CISO of Airgap Networks, pitching a ransomware solution (more on that later).


“[Ransomware] used to be about carefully targeting certain businesses. Now these attacks are more a shotgun spray and see where it lands, [because] it’s so lucrative, right? I’ll be on a call with any kind of business and they’ll say, ‘Oh, we don’t need your solution. We have Norton antivirus, we have an EDR [endpoint detection and response] ...’ Then, they get hit by a million dollar ransomware and we get a call back.”


Bad actors have expanded their scope because most businesses are digital businesses now, and digital means data, which means sensitive information. The situation has become serious enough that the US government has stepped in with the Task Force on Cybersecurity to develop cybersecurity legislation and guidelines. However, not all businesses have equal resources when it comes to implementing those guidelines.


“We have this new Government ransomware task force … Well, that’s great, but it won’t work because you can’t just force every small business to adopt these new tools or policies.”

I’ll be on a call with any kind of business and they’ll say, ‘Oh, we don’t need your solution ... Then, they get hit by a million dollar ransomware and we get a call back!

A problem decades in the making


But what about the businesses that can afford to change? Why does that defeatist attitude Todd witnesses persist even among businesses that do have the resources? Something we often hear directly from security leaders on Pulse is that convincing non-technical business execs and board members about the realities of cybersecurity risk can be difficult. That often means purchasing new tools or increasing headcount isn’t prioritized or given budget. Have the high-profile ransomware incidents over the past year changed that? 


“[Board behavior] has changed because the board watches the news, and these incidents are making headlines, so now they’re seeing it [and thinking]: ‘Other businesses are getting killed, we don’t want our business to be killed.’ Which means the CISO is getting a call: ‘What can you do to stop this? Here’s some money, go figure it out …’ But the CISOs are buying the wrong tools.”


An exasperated shrug of the shoulders from Todd. Those “wrong tools” are numerous. One example is so-called honeypots, where dummy networks are set up to bait attackers into a part of the network that’s cutoff from the actual corporate network. In theory, it’s a way to learn about attack methods and behavior. The problem is, if we know about honeypots, so do bad actors.


“Honeypots don’t work. Because, these bad actors just need to find what they’re looking for once. They can scan every part of the network till they find it. They’ll find where the honeypot is. They’ll find where the backups are. That’s what they want.”


This reveals the wider issue of why businesses, and the security leaders employed to protect them, are so vulnerable. It’s a problem years in the making.


“Corporate networks haven’t changed for 20 years. We have so many VLANs [virtual local area networks] which are designed to connect machines remotely, but that’s exactly how ransomware works. They just need to get the creds once, doesn’t matter where [they get them], and, the way corporate networks are set up, they can move from machine to machine finding those backups. Once you’re in, you’re trusted … then things like 2FA (two-factor authentication) don’t even matter. That’s how corporate networks are designed.”


That was a problem before the COVID-19 pandemic. Now, with remote work as default, there are more corporate VLANs being used more often by more employees—from their home networks. And, when it comes to the average employee’s security hygiene, well …


“I can do [employee] end-user training till I’m blue in the face. It doesn’t make a difference. I don’t even send out phishing test emails anymore. I’d be getting 50% clicks, at best 25%.”


No wonder security leaders feel pessimistic. One thing that has changed over the years however is the ability to outsource tools and processes to third-parties, whether that’s single point SaaS solutions in the form of apps, or by engaging a managed services provider (MSP) or managed security services providers (MSSPs), specializing in cybersecurity. Does outsourcing provide a solution for security leaders who feel overwhelmed and under-resourced? Not necessarily.


“It depends … MSSPs usually won’t solve the problem for you. They can alert you and say something like, ‘Hey, this IP address is sending something to Russia.’ But it’s still on you to figure out why that is, or what you have to do about it.”


Outsourcing might even add an extra headache. The recent Kaseya incident, for example, was a software supply chain breach that affected numerous managed service providers’ software, putting their customers directly at risk. Such novel “zero-day” attacks are particularly problematic for security leaders who spend years integrating and optimizing tools that fight known threats, only to find bad actors have spent those same years developing brand new weapons (those famous “unknown unknowns”).


“CISO playbooks haven’t changed. We like to have as few tools as possible, but they’re the same tools we’ve been using for decades, [and they] defend for only certain things. When something like Solarwinds or Kaseya happens, the tool you have that’s protected you [before] won’t defend against other kinds of threats. You can’t fight new threats with old tools.”


CISO playbooks haven’t changed [. . .] You can’t fight new threats with old tools.


Fighting back


Doing things as they’ve always been done doesn’t work against an evolving threat. Without business buy-in and with decades of legacy tech to work with, there doesn’t seem to be much reward or encouragement to problem solve or innovate. However, necessity does still breed invention, even in IT. The solution, according to Todd, means looking in places where ransomware doesn’t happen. 


“Look at any telecomms company, any cell phone network … why aren’t they getting hit [by ransomware]? Because they ring-fence each phone; each device is cut off from the network. That’s the opposite of the corporate network, because of the VLANs.”


A new philosophy has emerged that acknowledges how problematic it can be to grant access to the network: Zero Trust. The name is self-descriptive: Don’t assume that anyone seeking access to any part of the network at any time can be trusted. It sounds reasonable. But Zero Trust is not a tool, it’s a concept. That concept is hard to apply as a practical solution for all the same reasons, as Todd mentioned, that businesses are susceptible to ransomware attacks in the first place: Legacy technology, a lack of executive buy-in, and employee security hygiene. Can businesses find a practical approach to Zero Trust that bypasses these issues? Todd’s confident they can.


“Yeah, I know how to do it: With Airgap, we agentlessly micro-segment every device on the network and only allow device to device communication where necessary. Above that, we can also manage app access securely and can enforce MFA [multi-factor authentication] on any application such as RDP [remote desktop protocol] or legacy on-premise applications. And because this is all agentless, no-one needs to be maintaining ACLs [access-control lists], firewall rules or group policies.”


Airgap’s technology—Zero Trust Isolation—means that ransomware is isolated to one machine and doesn’t have the ability to spread.. Even if an employee clicks a phishing link, Airgap creates a moat around that employee’s machine, stopping it from roaming the network. In effect, it’s creating a network of one for each device: Taking that roamable corporate VLAN and ring-fencing each machine like a cell phone. Todd saw the importance of network segmentation through his background in biotech, and the need for a simpler solution.


“Network segmentation is a big thing in some industries. Think about biotech: there’s a robot that’s hooked into this old machine that’s running [e.g.,] Windows 7, it can’t be updated because that’s the only machine that will work with this robot’s firmware. So you need to keep that part of the network cutoff because it’s vulnerable. So what happens every time you add a new device? You have to go through all those steps to add the ACLs , the firewalls, the GPOs [group policy object] … that takes a lot of time and maintenance. Because we can identify and categorize new machines through the tagging, our system does all that immediately.”


It sounds like a good solution to the ransomware problem ...? Todd laughs.


“It is! That’s why I work here.”

CISOs Assemble (the fight goes on) 


However, Todd accepts that when it comes to cybersecurity in general, the challenge is more complex than any one solution can solve—and any vendor claiming otherwise should be treated with skepticism.


“Again, look at SolarWinds or Kaseya … because that’s the software that’s in all the machines [in the network] when they update … we can’t solve that.”


So, even if there’s a solution that can help prevent ransomware attacks, a CISO’s work is never done. Hackers are like water: Wherever the tiniest opening is, they’ll find it. They’ll flood that carefully maintained, but ultimately imperfect, security stack. Todd doesn’t claim to have all the answers, but he’s actively trying to relieve the burden of cybersecurity by speaking to other leaders, hearing concerns, and sharing ideas and experiences.


“We need CISOs together, old ones and new ones, just to talk it through.”


So don’t throw in the towel yet, CISOs. You can join Todd and thousands of other CISOs in the Pulse community where you can ask questions and help others solve their problems based on your unique expertise. Plus, gain access to original peer-driven research, including this ransomware survey.

Access data and intelligence from thousands of verified technology CxOs, VPS, and Directors, while engaging in compelling conversations about what's top-of-mind for tech leaders today.

Join the Pulse Community

Join the executive community

Make and shape business decisions with tried-and-true advice and benchmarks from technology leaders

Executives powering Pulse

“With its survey data, Pulse skips the anecdotes and provides deep context and real numbers for the topics that are top of mind for my organization.”
Julie Cullivan photo
Julie Cullivan
Chief Technology and People Officer, Forescout
“Pulse beats any other platform, research company, Slack groups, etc. at getting me the most relevant advice and content. I rely on Pulse for all knowledge and insights. The answers are consistently exactly what I need.”
Roberto Torres photo
Roberto Torres
CTO, Taimingo
“What the IT community has needed is a vendor free, agenda free platform which encourages discussion and debate amongst peers. Pulse has nailed that in both their Q&A and timely reports.”
Lee's headshot
Lee Vorthman
CSO, Oracle
“I love that Pulse is a one-stop shop for all the peer conversations and insights that are presently super scattered and disconnected among various Slack channels and other CIO groups.”
Enrique Jenkins photo
Enrique Jenkins
Head of IT, DoorDash
“Being able to drive discussions on new tech with my peers and getting immediate feedback is exactly what has been missing until Pulse.”
Manjit Singh photo
Manjit Singh
CIO, Toyota
“For the past two weeks, the first news source I check [every morning] is Pulse. I look at Focused Five everyday. Pulse first, then Twitter, etc. You're that good.”
Miguel Borbolla Olea photo
Miguel Borbolla Olea
Director of IT, OCESA
“I’m excited for what the Pulse team have built to better connect the CIO community. It’s been exceptional for many of us in the community to get clarity and aid decision making as we develop our strategy.”
Yusuf Khan image
Yousuf Khan
CIO, Automation Anywhere
"Transformative change and real-time insights can only come from the people who are doing it day to day in an innovative way. I get a wide variety of that insight from Pulse."
Malcolm Harkins photo
Malcolm Harkins
Chief Security and Trust Officer, Cymatic