Intelligent CIO Middle East Issue 74 - Page 76

t cht lk

t cht lk

Robert M . Lee , CEO , Dragos
Usually , you ’ re talking about a multi-year journey . We ’ re kind of in this storm path , where we ’ re trying to advise people not to overhype the problem , but realise the trend is getting to a place that we need to get ahead of it if we hope to keep our people safe three to four years from now .
How can organisations best achieve the required level of asset visibility ?
It ’ s a cliché , but it ’ s true – it ’ s impossible to protect what you don ’ t know you have . Time and time again , when our incident response team gets called into cases ranging from targeted threat groups to ransomware cases , it ’ s consistent that there ’ s been a level of what we call ‘ prevention atrophy ’ in those environments .
How much of a risk do ICS adversaries pose to organisations , particularly in the Middle East region ?
The risk is high , but we all need to appreciate that the frequency will be higher in enterprise IT – we ’ re going to see more phishing emails and exploitation of IT environments than we ’ re going to see in terms of exploitation and accessing of operations environments .
However , the impact of a phishing email or the effect of compromising data in the enterprise , while meaningful , is nowhere near the same as the impact when you take down safety systems or critical systems or the ability to impact national security .
Tell us more about the different types of attacks , threat groups and what they ’ re seeking to achieve ?
We see a wide variety of groups . Some have already crossed the divide and taken down infrastructure or tried to hurt people , such as the attacks in the Kingdom of Saudi Arabia ( KSA ), which went after the safety systems in a petrochemical plant .
In other words , there have been many good investments in preventative controls , firewalls , patching , passwords , robust access control , etc ., but they put all the focus into prevention to the detriment of visibility , detection , and response . Without that consistency of visibility , they end up missing things .
We find that entities largely get that visibility by doing three things :
• Developing a good culture between the operations and the enterprise side . We need to educate people , but we also need to do it correctly .
• Start deploying technologies inside those environments to get consistent visibility .
• Developing staff , ensuring that they ’ re putting people and processes in place with the expertise required .
How important is threat intelligence in detecting and responding to these types of attacks , and how does your organisation approach this ?
It ’ s extremely important to learn from adversaries , and that ’ s all that threat intelligence is . What have we seen before ? What would we have done differently the next time ?
There are three or four groups that have gotten to that level , though they were working on those capabilities for four or five years beforehand . We see another 12 or so groups behind , exploring and attempting to access operations environments . They ’ re trying to research industrial control systems and perform reconnaissance against companies . These groups are getting into operations environments but not yet capable of carrying out the types of attacks we worry about . But if we look at that trend , we need to be cognisant that OT security is more than a project for a quarter .
Many organisations have focused heavily on indicators of compromise and are looking for an IP address or a piece of malware that they can find next time . While that ’ s not bad , it ’ s not scalable , especially when you think about attacks that may use the same methods but happen against different types of facilities or different equipment .
When we think about threat intelligence , we think about it in understanding adversaries ’ tactics and techniques and the methods they ’ re accomplishing .
76 INTELLIGENTCIO MIDDLE EAST www . intelligentcio . com