Garrett O'Hara

Garrett O'Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


Gar is joined this week by Luke Francis, the Channel Director for CrowdStrike in Australia and New Zealand. Luke has over 20 years' experience in global sales and marketing and has had a number of successful tenures with Dell, Citrix, and BMC Software. In this episode, Gar and Luke discuss the CrowdStrike 2020 Global Threat Report in detail — including how the report is created, how geopolitical and socio-economic unrest is reflected in the report, COVID-19, the trends highlighted within the report and their impact on Australia and New Zealand, the rise in malware, the uptake in data exfil and its use with ransomware, and also the recommendations within the report. Luke brings his considerable experience and knowledge to the conversation and also provides some of his own insights on integration and security fabrics.

To get your copy of the CrowdStrike 2020 Global Threat Report visit this link: https://bit.ly/37FPJRW
To join the upcoming CrowdStrike & Threat Intel Briefing virtual session on the 02/07/20 please visit this link: https://bit.ly/2YMXNfU

#cybersecurity #cyberresilience #getcyberresilient


The Get Cyber Resilient Show Episode #20 Transcript

Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara, and this week I'm excited to be joined by Luke Francis, channel director over at CrowdStrike. Luke worked his way through a variety of roles; he was with Coca-Cola back in the day, then moved into a role with Dell doing sales for 11 years. He moved into another role in Citrix doing enterprise sales, and then BMC. And in CrowdStrike, did a little dance, and he didn't originally want to move into the security area. It took Mike Sentonas, CrowdStrike CTO, to get in his ear, in a coffee shop in north Sydney, and the rest is history, as they say.

In this episode, we talk about CrowdStrike's 2020 Global Threat Report in some detail, we talk about how they created the report, the geopolitical and socioeconomic unrest, and how that is reflected in the report. COVID-19 of course, the trends the report highlights, and what that means for Australia. The rise in malware-less attacks, the uptake in data exfil being used with ransomware, and then recommendations. And some of Luke's thoughts on integration and security fabrics.

The conversation with Luke will hopefully serve as a teaser for you to go and grab a copy of the report, and we'll link to that in the show notes. Luke is a great guy, uh, to talk to, and he did an awesome job of distilling down the important insights from CrowdStrike's 2020 Global Threat Report. Please enjoy.

Good morning, and welcome to the Get Cyber Resilient podcast. This morning I'm joined by Luke Francis, the channel director over at CrowdStrike. How're you doing today, Luke?

Luke Francis: [00:01:31] I'm well Garrett, how are you?

Garrett O'Hara: [00:01:33] I am doing well, apart from this weird, uh, cold rainy weather, which, you know, is- is maybe nice, but, um, yeah, I'm gonna say, I- I'd prefer if it was a little bit more sunny, but there you go.

Luke Francis: [00:01:43] Does this remind you of home?

Garrett O'Hara: [00:01:45] [Laughs], it does, actually. It sort of- it- it sort of makes me want a Guinness, and, uh, beef and Guinness pie. Um, and I know it's only, uh, what, 9:20 in the morning, but that's- that's how the Irish roll, you know? [Laughs].

Luke Francis: [00:01:56] As listeners surely realize, it's- it's early morning.

Garrett O'Hara: [00:01:58] [Laughs], it- it certainly is. Um, Luke, do you mind running us through how you, kind of, got the- the position of channel director over at CrowdStrike? Just for those who may not know you.

Luke Francis: [00:02:08] Yeah, sure. Um, look, I was, um... my- my journey in technology started, um, at the- at the very bottom of the rung, I guess. I was, um, I was working for a distributor called [Tech Specific 00:02:24] many, many years ago, uh, and I was- I was one of those guys that picked up the phone and dialed people. I cold-called for a living, for a long time. Which was, kind of, my [inaudible 00:02:34] when- when it comes to selling. And, um, I went from there to... the first [inaudible 00:02:41] that I worked for, which was Dell. And again, I- I'd started as an inside sales guy. Um, manning the phones. I was... my patch was New Zealand, and I- and- and I was in acquisition. So I was basically thrown a New Zealand phone directory, and said, "Go for it."

Um, uh, so, um, yeah, that was- that was an interesting beginning. So- so- so calling in- into NZ customers unsolicited for a number of years. From there I jagged myself the field role at Dell as a sales guy, and because they worked through different patches, I started in education. So, I started in universities, uh, I was then thrown some corporate accounts, um, and then moved into enterprise, and- and was responsible for running the banking and finance vertical for a while at Dell.

So look, I was at Dell for a little- a little over 11 years. Um, uh, as a- as a rank and file sales guy, enterprise sales guy, um, and at the time I thought, "I wonder whether these skills translate to software sales?" So, I went to work for Citrix for a number of years doing the same thing. Um, so look, my background is in enterprise sales. Um, and I- I had a pretty good run at BMC Software, um, for a while there, and, uh, and again, was responsible for running banking and finance.

Um, took a break, um, I- I was fortunate enough to do a pretty good deal, um, with one of the- one of the larger banks in Sydney, which afforded me the opportunity to, um, have a little career checkpoint. Not many of us get to do that, it- it was a luxury that I was fortunate enough to enjoy.

And it was during that break, that a buddy of mine who- who, ironically, I'd started out with at Dell, um, a guy by the name of Brett Raphael, who is the country managing director for CrowdStrike today, rang me, and said, "Listen, how do you feel about coming to work for a cloud-based endpoint security company, that's somewhat start-up, in terms of its- its, um, its nature?" Uh, and I thought, "Well, why would I do that? That's... no. [Laughs], that doesn't sound exciting at all."

Garrett O'Hara: [00:04:39] [Laughs].

Luke Francis: [00:04:39] I didn't have a background in security, and, um, I actually said no to Brett, a couple of times. Um, and it wasn't until he... he's a tenacious bugger, and it wasn't until he put me in front of a guy by the name of Michael Sentonas, that I started to appreciate what the opportunity was.

I had been working at BMC, um, and for th- those of... for your listeners that- that aren't familiar with what BMC does, I mean, BMC does a number of things, but, um, uh... IT service desk, and service management, was- was what BMC was known for. And so I was the guy that was kind of on duty when, um, a cloud-based service management tool landed from, you know, the- the outer reaches. And effectively, disrupted my entire business. Um, and at the time, it was a little known cloud-based company, but obviously today, it's a behemoth, and of course, I'm talking about ServiceNow.

And when I sat down with Mike Sentonas, in a coffee shop in north Sydney, um, not knowing anything about security, all- all I heard was a reminder of- of ServiceNow. And my previous- my previous gig at BMC had been characterized by this massive di- disruption to my business, and the more we spoke, the more I heard, "Disruption," and, um, and so I followed my instincts and, uh, and Brett's, Brett, uh, offered me an opportunity to- to build the channel business with BM- uh, with- with CrowdStrike in Australia and New Zealand, and I took it. And that was almost four years ago, and here I am.

Garrett O'Hara: [00:06:10] And the rest is history, as they say. Um, yeah, you guys are... yeah, you're doing well, and that's probably an understatement. [Laughs], eve- everybody we talk to is kind of looking at you guys, which is, uh, is definitely good, a good place to be in.

Um, look. One of the things that, um, I think kind of reflects your- your success, is the popularity of your Global Threat Reports, and I think your- your 2020 one is- is fairly recent? I think it's a couple of months old at this stage. But, um, one of my benchmarks is, when I send stuff around internally, uh, within Mimecast, as I do, um, it's how many people come back and say, "Yeah, I've read that already." Um, like, m- part of my job is to try and, kind of, you know, help- help people with what's going on in the industry, and- and cool stuff that's out there.

And, uh, I sent your report around, uh, it's a couple of months ago now, and it was brilliant, because normally people go, "Oh, thanks for that, haven't seen it." Um, in the case of the, [laughs], the CrowdStrike Global Threat Reports, um, it was like, "Yeah, thanks man, already caught it." Um, which is... I think it's- it's a good sign.

Um, so it's obviously very, very popular in terms of a take on the global threat landscape. Uh, an opening question: like, how do you guys go about creating that report?

Luke Francis: [00:07:20] Yeah, look, it is- it is a really useful tool, and as a- as a guy that's, um, has done front line sales most of his career, I mean, you know, I'm always looking for a reason to give customers, existing and- and otherwise, a reason to talk to- to- to my organization about how we can improve their security posture. And I think the Global Threat Report, is a- is a- is a really great tool for that, outside of it being instructive in terms of, um, helping customers, um, new and old, understand what's going on in the world in terms of- in terms of threats.

Um, but to answer your question, it's- it's really a team effort. It's... you know, we're leveraging- we're leveraging different aspects of the organization. Will they b- will- will... first and foremost, we're leveraging the intelligence team. Um. So, when George and Dmitri started the company... Dmitri, um, has a- has a background in, um, threat intelligence, he worked for McAfee for a number of years. And so it's, you know, that- that legacy, um, is con- continued within CrowdStrike. So we have a global threat intelligence team that, effectively... now their job, Garrett, is to track adversaries.

So, we track upwards of 130 adversaries, um, from all around the world. We track, um, Chinese nation state adversaries, Russian nation state adversaries, um. We track the People's Democratic Republic of North Korea, uh, Iranians, we've got threat actors that are now emerging in places like India and Vietnam. Um, so that threat intelligence team, their job first and foremost, is to build, um, intelligence on the tools, the tradecraft, the processes, that those groups use.

Um, so that's- that's one source, um, of information that we compile in the Global Threat Report. Another source is what we get out of the OverWatch team. So, OverWatch is, um, is a team that effectively, um, uh, mans- mans the wall if you will, in terms of, an- analyzing, um, and interrogating the threat data that we collect in what we call, our threat graph. So- so, being a cloud-based company, um, we ingest telemetry from millions of endpoints around the world. Um, the OverWatch analysts are effectively looking for, n- needles, like, you know. The- the way I frame this is; needles in stacks of needles.

So, um, so they are looking for, um, tradecraft, um, events, incidents, that for whatever reason, have passed existing security controls. Um, so their findings are also being added to the Global Threat Report. Of course, we have a services team that does, um, i- incident response every day of the week, um. So we're taking some of their learnings and ingesting those, and- and- and curating those as part of the report.

Um, so there's- there's three or four areas where we are taking intelligence, information, gathering that together, curating that in a- in a highly polished and crafted threat report, and- and making that available for free to, uh, customers, partners, prospects, et cetera.

Garrett O'Hara: [00:10:27] Yeah, which is a, it's an awesome- awesome thing to be doing. Uh, Luke, you mentioned obviously, the- the tracking you're doing and you- you kind of listed, uh, quite a few countries there. And, um, I don't think it's controversial to say that, right now, there's a lot of kind of geopolitical, socioeconomic unrest around the world.

And, I kind of wonder, like, how you think the information in the Global Threat Report overlays with the world that we're in today, which just seems a little bit topsy-turvy?

Luke Francis: [00:10:53] Yeah. Yeah, look, I- I think it's... t- to some degree it's- it's almost reflective of what's going on in the world, in terms of, you know, so- some of the, um, the financial trade winds, that... and- and economic trade winds that we're sailing into, particularly at the back of COVID-19. Um, you know, I think the threat landscape is really reflective of some of the macro geopolitical activities, um, uh, and trends that we're seeing more broadly around the world. You know, we've... we saw, um, you know, the assassination of Suleimani in Iran, you know, I think broadly speaking, you know, we're- we're expecting some sort of retribution, or attempted retribution from Iran.

Um, we're seeing, you know, threat actors, nation state based threat actors, particularly like North Korea and China, um, continuing to, um, extract, uh, either IP, or- or- or financial gain, by l- leveraging things. Particularly, COVID-19 has been a- has been a, uh, a real reason to- to go and prosecute attacks.

So, I think, you know, whilst, you know, whilst the world seems to be, um, turning inside out, I think the threat landscape is- is really, you know, to some degree, a reflection of what we're seeing more broadly across the- the global landscape.

Garrett O'Hara: [00:12:17] Yeah, absolutely. And you mentioned COVID a couple of times there. And that's probably the, you know, I think the- the sort of geopolitical, socioeconomic unrest has been building for... Look, it's not an era, it's probably at least a decade, probably 15, um, 15 years or so in my mind. Um, I'm not a politician or I don't study that stuff, but, like, if I'd have put a finger in the air, I- I'd say it started around then. And, COVID is much more recent, right, and- and it's a little bit different in that it's- it's kind of random, you know, it's not a... it's not necessarily, you know, a human driven thing, it's just a- it's a virus, right, so it's got a- a different sort of vector, and it's a... its symptoms are different in the world.

Um, and in Mimecast we, you know, we saw a ton of stuff light up around COVID and coronavirus. Um, what was the- the, kind of, Crowdstrike experience of, you know, how COVID actually played out for, you know, an enterprise, or a government organization, or- or the folks that you guys protect?

Luke Francis: [00:13:12] Yeah. Uh, a lot of phishing campaigns, uh, which you- you're probably far more familiar with than I am. Um, so- so- so absolutely w- you know, we're seeing, um, nation state actors use COVID-19 as effectively, the precursor to- to go and prosecute an attack. Uh, a lot of ransomware attacks as well, leveraging COVID-19. I think- I think, you know... hu- human beings, you know, we- we- we get scared of things. Right? And I think, you know, COVID-19 in an email, for example, is going to grab someone's attention, particularly, you know, a- a mom and dad, or a small business.

Um. So- so I think, uh, I think, t- events like COVID-19, or- or, you know, a- a pandemic, they really- they really play to the heartstrings. Um, and, you know, I think adversaries have an appreciation of that. And they get pretty creative in terms of- of how they go and prosecute attacks. So- so I think predominantly, if you were to say to me, "What- what are the types of attacks that've- that've, um, um, proliferated as a consequence of COVID-19?" I'd be saying, "A- a lot of email attacks. Um, phishing scams, and you know, I- I guess an uptick in ransomware as a- as a- as a tool that adversaries are using to prosecute their attacks."

Garrett O'Hara: [00:14:34] Absolutely. And- and what are the- the sort of, the big trends then, you've seen highlighted in the 2020 report?

Luke Francis: [00:14:41] Yeah, look- look, I guess, the biggest trend, Garrett, would be, the- the continuation of a trend that sees malware-free attacks starting to become, um, more used than malware itself. You know, I think- I think for a number of years, the industry has been obsessed with malware. And- and look, rightly so, um, rightly so, but, I think, um, adversaries, you know... if you think about what adversaries are looking to achieve, and the- the natural answer is, you know, there's- there's normally three motivations that an adversary has;

He or she wants to get money; he or she wants to steal IP; or he or she wants to manipulate data. Um, so- so really, there are those three things as primary drivers for- for adversary behavior. Um, and in all three instances, the one thing that adversaries need the most of, is time. Time- time is the currency that adversaries live and breathe by. And so, if I apply the desire to gain more time to tradecraft, then by definition, adversaries are using... or- or are seeking to use, tradecraft that does not sound an alarm.

If you think about what AV was designed to do, AV 25 years ago, was architected to stop one threat vector. And that threat vector is called malware. Um, of which ransomware is a type. Um, and so I think, for the longest time, um, AV was the only security con- control controlling an endpoint. Um, and so I think, you know, when you- when you've got a hammer, everything looks like a nail, right?

So I think we've- we've, as an industry, we've obsessed about malware. And what perhaps we've- we've missed, is the reality that adversaries... I don't want to sound an alarm, right, so- so... looking to avoid sounding an AV alarm, is- is principally what motivates, um, adversaries. And so what we've seen as a consequence, is the emergence of very advanced tradecraft. Tradecraft that does not- that does not, um, sound off an AV alarm, that- that slices through AV, and effectively enables adversaries to sit on a network, um, undetected, and prosecute their- their attack within their own timeframes.

I think the average, um, dwell time, the- the last stat I saw in dwell time, was about 84 days. And I always say the- there's nothing that an adversary can't do with the right- with the right amount of resourcing, and that'll- that amount of time, you know, 84 days, is a long time.

So- so malware-free attacks is definitely a trend. So- so I think, the report, uh, that we released in 2020, suggested that the- the difference now... in 2018, it was... what we saw, was about 60% of attacks used malware and 40% of attacks used some sort of non-malware based technique. Um, this year the most recent report indicated that- that it's now, you know, malware-free attacks have now become the majority, so it's 51/49 now. We can sort of debate the numbers, but what- what's apparent to me, is that adversaries are clued into the fact that, if they use an attack that does not use malware, and let's just say they, you know, they use a Windows-based tool like, PowerShell, or WMI, to get a credential done, um, elevate, escalate privileges, and then start to move laterally across a network, silently, undetected. That- that provides them with the currency, time, that they need to- to get what they want.

Garrett O'Hara: [00:18:22] Yeah, absolutely. And- and whether-

Luke Francis: [00:18:25] So that's ce- that's certain- that's certainly one of them, I mean, the other-

Garrett O'Hara: [00:18:26] Yeah.

Luke Francis: [00:18:27] ... one of the other things that come to mind, Garrett, are things like, we are seeing, as I said earlier, we are seeing an increase in- in ransomware. Um, that's, you know, ransomware is an interesting one. Because, that- that's a technique that is typical of a financially motivated cyber crime. Um, so- so, you know, we see that continuing. I mean, that- that- that just continues to- to- to be, um, a very, very significant threat vector.

Um, yeah, I- I, you know, to some extent, your ransomware is becoming, um, almost industrialized. You know, we're seeing s- you know, e-criminal groups that- that have got, um, KPIs for themselves, in terms of, you know, how they work, right? Um, the- they're, it's, you know, the- they're very corporate in- in nature now. So- so I think, that's not going away. So that continues to be a- a- a key trend. And- and the types of verticals that we're seeing targeted, continue to be, um, pretty varied. And c- certainly globally, we're seeing, um, small business... small business constitutes a big, um, a big part of the industry that's targeted. Um, typically because they're under-invested in- in cyber security.

Um, local councils, um, state governments, the technology segment is- is typically targeted, healthcare continues to be targeted, manufacturing continues to be targeted. Um, media, um, particularly with, um, the, you know, some of the- some of the geopolitical narrative about media, and the effectiveness, or lack thereof, of media. So there's... the media has become the- the, uh, uh, a new targeted segment. So, um, I mean, they're just a few of the things we're seeing.

Um, I think more- more regionally, we're seeing, um, uh, some of the threat actors, um, particularly out of China and- and North Korea, target telecommunications. Um, they're looking to steal intellectual property, um, and- and- and computer intelligence. Um, of course, China continues to focus on penetrating supply chains, um, that- that continues. And North Korea, um, there, the trend that we're seeing with the North Korean actors is, um, uh, a- a- a preparedness and a willingness to target, uh, cryptocurrencies. Um, again, you know, money's important to- to North Korea.

I, you know, I always like to... I kind of giggle when I see that- that footage of missiles rolling down, rolling- rolling through the streets of Pyongyang. Um, and Kim Jong-il is sort of waving to the troops. I mean, I always think to myself, "Who is paying for that?" Well, the reality is, that, you know, businesses around the world are paying for that, because, um, you know, N- North Korean nation state actors, make a living out of extracting, um, money, um, through ransomware attacks across the world.

Garrett O'Hara: [00:21:18] Mm-hmm [affirmative]. And- and you mentioned quite a few countries that are- are, relatively speaking, close to Australia. And, you know, some of them we have, I think, "Interesting relationships," is probably a fair way to say it. Um, like, how do the- how do the trends that you're seeing in 2020, they're obviously global trends, but how do you see them play out in Australia specifically?

Luke Francis: [00:21:37] Look I think, um, you- you're right. I mean, we've got a- we've got a very, very interesting and delicate situation, um, at the moment with China. Um, that- that I think, w- we- we've got to be very mindful of, and tread very carefully, um, around.

Um, but I think what- what those... you know, how those trends that I mentioned earlier, translate to Australia, I would suggest that, relative to the rest of the world, I think, um, our- our security posture as a- as a nation, is somewhat behind that of the rest of the western world, certainly. I think, um, we've- we've spent a lot of time simply thinking that, you know, the most effective and only endpoint control, um, that we need is anti-virus. Um. You know, I- I think Australia is a- again, the EDR conversation is, um, still for a lot of customers, it's still a nascent conversation.

Garrett O'Hara: [00:22:35] Mm-hmm [affirmative].

Luke Francis: [00:22:35] It's still a conversation that- that customers struggle to get their head around. Um, so- so- so I would say that, w- we're a little behind the world in terms of our average security posture. We continue to see lots and lots of breaches in this part of the world, Garrett, so I- I know that, 'cause we've got a [inaudible 00:22:53] team that is- that is fully utilized. I've got a bunch of partners that do incident response, and their teams are fully utilized. S- so certainly, you know, w- we live in a world where, you know, customers continue t- to buy tool sets. Um, and oftentimes, those tool sets are disparate, they don't integrate. Um, and it's- it's those little air gaps that adversaries, um, around the world and certainly here in Australia, are going to leverage.

So- so I think, um, the trends that, you know, the- they're being reflected here in Australia, probably more so than in other parts of the western world.

Garrett O'Hara: [00:23:32] Fair enough. And that, uh, that all makes sense. Um, look, one of the other things that the report does highlight is that, um, you're seeing th- the kind of increase in data exfiltration. Um, and combining that with ransomware attacks, and I know Toll, is- is probably a- a good example of that. I mean, it's obviously a horrible thing that happened th- there, but, um, you know, it's that idea of, uh, encrypting the data, but then also, kind of saying, "Hey look, if you don't pay the ransom, we're actually going to publish the data." So it's kind of a... you get a two for... a horrible situation to be in.

Um, can you kind of talk more about that approach by attackers?

Luke Francis: [00:24:10] Yeah, it's- it always reminds me of, um... it always reminds me of, um... warcraft techniques. You know, when... oftentimes, you know, there'll be a- there'll, you know, there'll be a missile strike, and then the, um, the- the locals come out to help the wounded and carry off the dead, and then there's a follow up strike, because- because that's, you know, we- we expect that sort of behavior. Um, and- and whilst it- it's a, uh, it's abhorrent for you and I to think about, I think that the same type of behavior exists within, um, you know, cyber criminality.

So- so you're right. There is- there is a two for, two for one. Um, oftentimes, and I think- I think, you know, you've mentioned Toll, and I think, um, unfortunately for those guys, um, they were subject to that type of strategic attack. Um, but I think, you know, look, Garrett, cyber criminals are first and foremost persistent. Um, particularly- particularly really good ones. And so, you know, some of the challenges that- that- that, um, lend themselves to a two for one attack, if you will, are persistence. The fact that oftentimes, um, you know, really advanced adversaries, nation state adversaries, they'll go to ground.

You know, they- they'll go silent for weeks, months, and if, you know, if you don't have the right level of skill set, either in house or- or externally, then, um, it's very easy to think that they- they may have gone away, when in fact, simply, you know, that adversary is lying dormant. Um, so, I'm not- I'm not suggesting that's what happened at Toll-

Garrett O'Hara: [00:25:47] Mm-hmm [affirmative].

Luke Francis: [00:25:47] I'm not across the- the detail at Toll. But- but time and time again, we see those types of attacks. So adversaries go to ground, remain- remaining dormant, and then, you know, I guess the other aspect of that is, oftentimes, the response from, um, the affected entity is such that they- they're implementing, you know, ineffective tools, or processes. Um, so I think, you know, it- it's a combination of factors that lend themselves to that type of two for one attack.

Garrett O'Hara: [00:26:18] Yeah. And- and my heart goes out to them. I think, you know, as an industry, I watched, uh, the commentary on LinkedIn, uh, in the security community, and the- the heartening thing I think is, that we- we don't do the finger pointing stuff anymore. You know, people are very much aware that, um, not that it could happen to anyone, but, you know, it- it's... realistically, everybody could be a- a target. And everybody could be a- a victim, so, um, yeah. No, definitely take your points on that.

Um, wh- what are your thoughts in- in the next evolution? Right, so, you know, when you think about how ransomware started, and it was just encrypting machines for the most part. Um, and now we're seeing the encryption with the threat of data exfiltration, and they follow through on that. Um, any thoughts on- on what might be next in the, [laughs], in the kind of evolution of attacks? When it comes to, uh, the kind of blunt instrument of getting money from companies?

Luke Francis: [00:27:08] Yeah, look I think, what we're starting to see is, the- the splicing of different tradecraft together. And so, what I mean by that is, the use of potentially malware in combination with a malware-free attack. I think that is probably, um, uh, something that we'll see a lot more of. Certainly our- our threat intelligence teams have- have started to see, um, attacks that- that use, um, a number of different techniques, um, or processes, in combination with each other to effect a better outcome in terms of, um, uh, the efficacy of- of their attack, right?

So, I think that's what I expect to see more of, or what we expect to see more of going forward. So- so, less of a binary. It's either malware, or non-malware-

Garrett O'Hara: [00:27:59] Mm-hmm [affirmative].

Luke Francis: [00:28:00] ... and more of a collective combination of two or more techniques that are designed to- to deliver their outcome.

Garrett O'Hara: [00:28:08] Yeah, no, definitely get you on that. Um, look, we- we're kind of closing in on time here. But I thought, um, I've- I've got two more questions, [laughs], and the first one really is around, um, obviously, that's a very insightful threat intel report, and- and obviously, insightful in commentary from- from you just now. Um, what would you say the recommendations that you could make out of that 2020 report would be, for folks who are listening?

Luke Francis: [00:28:32] Yeah, well, I think there are a number of things I'd- I would s- I would call people's attention to. Um, first of all, if you've got a security control on the endpoint, turn it on, push it out. Um, make sure your patching hygiene is- is up to scratch. Um, you know, it's important that- that organizations are fully leveraging the security cr- controls that they do have today. So- so that would be step one.

Um, two-factor authentication. You know, that's-

Garrett O'Hara: [00:28:59] Yeah.

Luke Francis: [00:28:59] ... a- again, that should be established as a baseline for all users. Um, I mean, today's attackers have proven to be adept at accessing and using valid credentials. So, um, you know, I think two-factor authentication is- is key, but in addition to that, you know, building, um, a robust priv- privileged access management, um, process, um, and that's always going to limit the damage that adversaries can do to get in. So- so that's important.

Um, you know, in- in- in relation to eCrime and social engineering. Um, you know, technology's clearly critical in the fight to- to detect and stop, um, uh, e-criminals, and- and techniques that leverage social engineering. So, you know, user awareness is- is- is pretty important, and- and running user awareness programs is really keen. I know Mimecast do a great job of that.

Um, in terms of geopolitical tensions, I think, you know, we're gonna see, um, a continuation of high profile attacks. You know, we've got the Tokyo Olympics. I know they've been pushed out, but, you know, typically events like that are, um, are quite tempting, um, in terms of threat actors, and, you know, giving them a, you know, a- a broad palette to go and prosecute their attacks upon.

Um, in terms of Crowdstrike's recommendations. You know, we- we've been banging on now for- for quite a while now, a- around, um, driving a- a new paradigm into the industry, so- so, you know, we've been talking about the 1/10/60 rule for, um, a- a number of years now, so this concept of, you know, you've got to hold your endpoint control to account, effectively. And- and by that I mean, you've got to be able to say to yourself, your board, your organization, that we've got an endpoint control that can detect an incident in a minute, investigate that in 10 minutes, and fully remediate that situation within 60. And I think that is the new baseline that, certainly, Crowdstrike is- is pushing its customers towards.

And- and frankly speaking, as an industry, I think we should be holding ourselves to account with some of the security controls that we- that we implement. So, I mean, that- that's certainly the principal recommendation that- that Crowdstrike would put forward.

Garrett O'Hara: [00:31:19] Yup, and- and a worthy baseline as well, I would say. Um, so on- one last thing, and I just, I- I wrote down when you said it, this idea of disparate tool sets. And so, I know that that's something that most security teams struggle with. Um, I think, [laughs], I saw a stat recently where... I'm probably going to get this number wrong, but, you know, in- in an enterprise organization you've got, literally, dozens of different security tools and platforms potentially in play. And, um, to use your words, they're disparate tool sets, they're not talking to each other, um, and you're not kind of raising all the boats on- on a tide by kind of sharing threat intel or, you know, being part of playbooks. Like, what- what are your thoughts on the future of, uh, integration and the value that can be provided between... tools like Crowdstrike for example, and other tool sets within a- a sort of security fabric?

Luke Francis: [00:32:07] Yeah, look. I- I think- I think choosing discrete best of breed tools is, you know, there's... um, that- that's always been a philosophical debate, hasn't it? You know, do we- do we- do we go for a platform approach, or we- do we just get the best in each category? And I think, um, in security, the- the latter is dangerous. Right?

Because to your point, when you're buying, you know, if you're- if you're buying a tool set that's top right in every Gartner Magic Quadrant, then that's great, but unless those tool sets integrate seamlessly, then, you're- you're going to have to remediate some of those little air gaps, um, if you can, right, and- and remembering, those are the air gaps that adversaries love to leverage.

Um, the fact that a tool set does not integrate seamlessly with another tool set, is an opportunity for an adversary. So, I think, um, you know, if you- if you follow... even if you just look at the [inaudible 00:33:05] community, I mean, no one is benchmarking who's got the best AV, or who's got the best EDR anymore, I think the- the narrative that's coming out of all the [inaudible 00:33:15] is, um, certainly in my space, or Crowdstrike's space, is endpoint protection platforms.

So I think- I think the game that is afoot right now, certainly with legacy vendors, is really, um, coming- co, bringing existing legacy tool sets together with acquired tool sets, and trying to take those to market as a platform play. Now, that's really hard if you're not cloud-based. Because you've got a- you've got a legacy product portfolio to protect, and then you're inorganically responding to changing market conditions and demands by going and acquiring. Right. And so, you know, we've, you know... for those of us that have been in this for any length of time, marrying new tool sets to existing ones, um, is a really, really difficult thing to do. Um.

So, fortunately for- for- for companies like Crowdstrike, we, you know, we built... we- we built our offering, um, from the ground up as a cloud offering. So we- we're a SaaS-based offering. And I think that really lends itself to a couple of things.

One, it lends itself to the- the- the idea of a platform play. Um, uh, you know, and- and again, using- using the cloud, I mean, it gives you some real advantages. Um, particularly scale and speed, so that if and when there is another threat vector that emerges, then by leveraging the existing telemetry that we've already collected, we can simply build an application, or a module, that addresses that particular threat vector, or- or- or piece of new tradecraft. And that's- that's a challenge that legacy vendors continue to struggle with.

So I think... so I- I think you're right, I think it's... the days of discrete conversations around, um, you know, AV or EDR, uh, are probably numbered. And I think for- for- for the really clued on organizations, they're starting to buy into this concept of, you know, a protection platform that gives them access to, uh, a number of capabilities, not just AV, and not just EDR.

Garrett O'Hara: [00:35:27] Yep, yeah, we- we're certainly seeing, uh, very much the same thing. Um, and I- I'd sort of sing from that same hymn sheet when it comes to the ideas of what I would call True Cloud, or HyperScale architectures. You know, not kind of repurposed, uh, appliances at the end, and stuck in a DC, but actually, you know, as you said, built for the cloud. Um, and that approach of using microservices that, yeah, as you say, you've got a platform play, and, um. Yeah, I see the part of the value that's emerging, is the integration of platforms. Um, so, you know, the things that do EDR type functionality, and more integrating with, um, something sitting on web, or email, or whatever, sharing threat intel between them.

And, you know, raising all the- all the boats in the harbor, ideally. You know, it's- it's hopefully where- where this defends with, you know, the outcome being better security, you know, whatever- whatever way that's delivered. But, you know, getting- getting to that point.

Um, we have well and truly blown over time. Um, which I- I seem to say every single episode, um, but it's a really good sign to me, uh, that, uh, [laughs], uh, we- we're 10 minutes past the- the- the normal 25 minute mark. So I think that's a great sign.

Um, Luke, thank you so much for taking the time out to talk to us. Um, I... like I say, really love the work that you guys are doing in terms of the Global Threat Reports, um, and I look forward to 2021, to see what that, uh, what that brings, and I really thank you for your insights as well.

Yeah, likewise, yeah. And some exciting stuff happening there, I think, uh, fairly soon. Uh, watch this space, maybe. Um, Luke, thanks so much, and, um, yeah, we- we'll hopefully chat soon.

Luke Francis: [00:37:11] Thanks Garrett, enjoy the Guinness.

Garrett O'Hara: [00:37:17] Thanks again to Luke for the insights, and for his time. He is a very, very busy man, so it took some calendar Tetris to get that one done.

We'll include a link to the 2020 Global Threat Report from Crowdstrike in the show notes. As always, thank you for listening to the Get Cyber Resilient podcast. We have a back catalog of episodes, so please do go and have a listen to those, and I look forward to catching you on the next episode.
