In this episode, we sit down with Satinder Khasriya, Senior Product Marketing Manager at Trend Micro, who joined us all the way from Austin, Texas. Satinder discusses the different types of threats organisations need to be aware of, and how to best defend against them.
Matthew: On today's show I'm speaking with Satinder Khasriya, Global Product Marketing Manager for Trend Micro TippingPoint, who has joined us all the way from Austin, Texas. Welcome to the show, Satinder.
Satinder: Thank you so much.
Matthew: Yeah, thank you very much for taking out time in your busy schedule. I know you're a busy man, so really appreciate you coming on today. Now before we jump into the security questions, I wanted to ask a little bit about yourself. Could you tell me about your role and what you spend most of your time doing?
Satinder: Sure. Again, I'm a global product marketing manager. So I spend a lot of time talking to our customers, talking to our channel partners, trying to understand what are the different challenges our customers are facing. And my role as a product marketing manager is to really come up with the positioning and messaging, what customers would like to hear from us, right? We don't want to sell products, we try to solve problems for our customers.
Matthew: So that leads in actually to my first question. One of the main challenges for organizations in 2019 is the infinite number of threats that they're faced with. How can organizations better manage these threats?
Satinder: Great question. I might preface it with a couple of statements. The enterprises today are using more and more software. So that need isn't going down. And yes, most vendors like ourselves and other vendors in the industry, whether it's Microsoft or Adobe, are all getting better at writing software, writing code, but still there are always going to be flaws in the software, and that's what the dark side of the internet, the bad guys or the black hats, as we call them, those are the guys who would be looking to exploit those flaws.
Satinder: Now with the advent of technology, all the changes happening in the landscape, the attack surface has really grown a lot. So what it means essentially is there are so many different ways attackers can come at your network. There's so much different software that they can use. Now they have a lot more in their arsenal to exploit versus when we were not connected. And we typically do quantify or categorize, I should say categorize is probably the right word, what customers would like to protect in terms of the different styles of threats we see.
Satinder: Again, I'll introduce a few new terminologies and I'll try to explain what it means in each of those categories. So the number one threats we hear from customers are what we call known threats. As the name says, it's something that's been around for a long time. Everybody knows that this is a threat, and they will take action to protect against that threat. The other category of threat that we talk about is called unknowns. So there's some guy sitting in the basement trying to come up with something new that nobody has ever seen in the world or in the wild being used as a threat. That's something that we call as unknown because nobody knows about it. It's never been seen before in the wild on how it actually permeates.
Satinder: And the last category is kind of a unique category, what we call undisclosed. The reason why it's a bit quirky in the name as well as how it comes across is when a researcher discovers something, they discover a flaw. Now at that very moment of time, very few people know about it. The researcher who discovered it is the number one who actually knows what he discovered as a flaw in the software that can be exploited, and maybe a few other people. It could be he might have disclosed it to the vendor saying, "You know, I discovered a flaw in your program," which is what we call a bug bounty typically. "You know, I found a bug in your software," and I'll go to Microsoft saying, "I found a bug. How much do you think you can pay me for discovering that bug?"
Satinder: At that point of time is what we call it undisclosed because the researcher knows about it, the vendor knows about it, the flaw, but nobody else in the world actually knows that there is this new bug that's been discovered. That's also a critical threat. I think a lot of times some of the enterprises kind of overlook that threat category, but we definitely want to make sure that everybody is covering across the entire threat landscape in those three categories.
Matthew: Yeah. Can I ask, are you specifically talking about vulnerabilities within software when you talk about the different types of threats? Yeah?
Satinder: Absolutely. Yes. So underlying is the vulnerability. And let me give you a great analogy that's probably going to simplify the positioning of these threats. Everybody has, at some point in time, flown, because we don't have good infrastructure in terms of trains in the US. Everybody's used or gone through an airport. And yes, growing up as a kid it was really exciting. You're going to go fly. And the experience at the airport was really simple because at that point of time it's just one guy looking at the picture. Boom, you're off to the gate.
Satinder: Now take that same experience into the airport 30 years later, where the threats have really expanded at the airport level as well. So when you go to the airport now, there's not just one guy. You have to go through multiple processes, right, to make sure that the airport people or the staff know that you are not a threat. It's similar to an organization, right? You want to put in multiple layers to identify all those different types of threats. And each layer might uncover a specific threat type. So let me give you an example. One of the things that you probably hear a lot is the no-fly list. You're not allowed to travel outside the country. You've done a crime or a misdemeanour. You're barred from leaving the country.
Matthew: Blacklisted.
Satinder: Blacklisted, right. So the person who's sitting up front at the desk, you know, when he looks at our boarding pass and he looks at our passport, that list is a known threat. You can really quickly say, "This guy is not allowed. He's a bad guy. I'm not going to let him leave the country." Right? So that's one format of how we call it. It's a known threat because everybody, the police department, the databases, knows that you're bad. And that's our way of sharing the information saying, "This is a known threat. Let's block it."
Satinder: The other aspect of knowns is, let's talk about the different threat vectors. You know, a human could be a threat vector at the airport, right? Guns could be another threat vector, right? There are different types of guns. And we all know that there are different calibers. There are 40 caliber, 50 caliber guns, there's a shotgun, there's a pistol, there's a long rifle. So that's also a known threat, when you're taking that gun into the airport and that person, when it scans, that's a known threat because it is known to do harm, right? It's a gun. It's a known threat.
Satinder: Now the example I want to throw about unknowns is that let's say you have somebody who's modified a gun. They have disassembled all those different pieces of the guns and hid those into different compartments in their luggage. Now as you're going through the metal detector, the metal detector might detect saying, "These are metals, right? These are known metals." So you don't know if that's harmful. It could be a medical device, but the way they have concealed that threat is to evade that detection from the metal detection. Right?
Satinder: So here's what the category of unknowns is, where you want to have something similar in your arsenal that can permutate all the combinations and say, "I've never seen this kind of... all these metal pieces scrambled across the luggage. But if I do put them together in a format, they do look like a gun." So that's the concept of unknowns.
Satinder: The entire goal of the threat landscape or our security portfolio for our customers should be, how do you convert those unknowns into knowns, right? So you want to have a path where you tell the world, "You know, we found this unknown threat. Somebody was using the gun in a very different way." That's how we find there's some of these threat vectors, right, somebody hiding the bombs in the shoes or underwear bomber, right? So that's an unknown. Nobody's ever done it before. But when it was discovered through really intensive process of evaluation, it was found to be bad. And once it was found to be bad, it's disclosed. We tell everyone, "People could do it this way as well."
Matthew: Yeah. And now when you go to the airport, they check you with the bomb threats.
Satinder: Yes. They look at every vector saying, "Oh, you know, somebody was hiding that in their shoes. So I need to look at that cavity as well. That's another way of bringing the threat into the country."
Satinder: The third one is somewhat similar to unknowns. And again, undisclosed is typically whoever was at the airport who first discovered that this could be done in a unique way; they knew it for the first time. And the only people who knew were the one who discovered it, the guy who found out the way to smuggle in the gun in different pieces, and the guy who caught it. So that's the undisclosed, because nobody else knew it until it was announced. Right? Once you announce it to the world saying, "You know, this is how it can be done and this is how you protect against it," then it becomes a known threat as well.
Matthew: So the way that I've been thinking about undisclosed, it's kind of like say there was a criminal who might be known in Australia, uses a fake ID though to get to Europe. Over there, they have no idea that he's a bad guy, but we sort of said, "Hey, this is the guy's photo. Everyone beware," then that would then go into a known threat.
Satinder: Absolutely. You know, INTERPOL is a great example of making that undisclosed into a disclosed, because you can have that red alert saying, "Hey, this guy's a bad guy from Australia and he's in Europe," and that's making it disclosed to everyone in the world saying, "He's bad. The moment you see him in the country, let's send out the criminal."
Matthew: So can I ask. Out of those threats, is there... Obviously, I assume that companies would deal with known threats a lot better than they would deal with unknown and undisclosed threats. Could you talk a little bit about that, sort of what they're doing well and what they might be doing not so well?
Satinder: Yup. Great question. When we look at the threats for organizations, you know, obviously what we would all assume is that customers would be great at catching known threats. Right? You know, it's, everybody knows about it. So, there's no reason why we should be seeing all these threats on the network or environment, right? But sadly, that's not the case because again, there are multiple different nuances that come into factor when we look into how organizations respond to threats, right?
Satinder: You know, 99% of the threats are malware that's out here. Whether it's a zero day or anything that's bad is propagating using existing bugs. So again, not a lot of new bugs are being exploited because again, if you think of the process to create a bug or a malware to exploit something, it's pretty hard, right? You have to be a darn good coder to actually reverse engineer and do something fast in a very sneaky way to get it online, right? And it's not easy to do it.
Satinder: So what the threat vector most of the bad guys are using is that for organizations or customers in general, it's hard to patch systems. And most of the threats that we hear about... We probably heard about WannaCry ransomware, right?
Satinder: It was a big outbreak across the globe. Now, if you looked at the underlying vulnerability against which the malware was created, that vulnerability was disclosed as part of a breach from NSA's Shadow Brokers-
Matthew: The EternalBlue, yup.
Satinder: EternalBlue was the name of the malware, right? Now the underlying vulnerability was an SMB protocol vulnerability that was discovered through that, from the breach. And it was patched by Microsoft two weeks later in March. Now the earliest news we saw WannaCry hit was sometime in May, and I think it was probably roughly around six to eight weeks before it spread like wildfire.
Satinder: So if you look at the timelines, Microsoft had already disclosed that vulnerability. There was a patch available from Microsoft. So if any of the organizations had deployed that patch, they wouldn't have been affected by WannaCry. So it's not just about the type of threats, it's also about how you respond, what's your mitigation strategy as a customer, right? How quickly are you able to patch your systems? It will circle back to the other challenge that the industry faces on the whole, which is lack of skilled staff. Because you have very few people, you want to make sure that you're prioritizing those people and focusing on the right places.
Satinder: And patch management is an issue for a lot of our customers, right? It's typically when there's a threat that's disclosed, the first 48 hours are the most critical time where it has the highest probability of being exploited. So that's where we always tell our customers is, "How good is your patch management, right? Your risk assessment, your security depends on your maturity model of how quickly can you patch things, how quickly are you able to prioritize assets and how quickly are you able to remediate against those threats."
Satinder: The unknown ones are, yes, we see unknowns as well. We see them occasionally. The undisclosed ones are pretty rare to see in the wild because what that means is that was a very targeted attack. So imagine you are an organization and you see an undisclosed threat. That means that researcher created that threat specifically for your organization and not for anybody else.
Matthew: Yeah, that makes sense.
Satinder: So that's how we see our customers respond to these three categories.
Matthew: So can I ask, is patch management an issue globally for customers, or do certain countries, say... because I knew it was definitely a problem in Australia, but yeah, I wasn't sure, does America and the US or... Do they have the same challenge? Is it global?
Satinder: Absolutely. I think that it transcends boundaries. We've met customers, and it doesn't even matter the size of the organization. Typically you would say, any organization that's above 20,000 seats or employees, you would say it's considerably hard, right, to patch. And now with bring your own device, it's becoming harder and harder. But we've seen it across the entire spectrum, whether it's a small customer or a large customer.
Satinder: And the reason why it's a little bit harder for customers to wrap processes around this is it involves people. You know, I'm an employee. My IT team has deployed a patch and I don't know how many times I can tell you during the presentation that patch has popped up saying, "Do you want to deploy the patch? Do you want to update your machine?" And I hit ignore. So that's the people like me involved who are pushing it up, right? So it isn't an overall problem in how we do it, but it's the semantics, right? It's you can't control anybody [crosstalk 00:14:35] patch.
Matthew: Yes. You're talking about the end user as well.
Satinder: End user, absolutely.
Matthew: You can't sort of automatically send. It's not just... Yeah. Understood, understood. So do you have any advice for customers looking to improve their patch mitigation strategies?
Satinder: Yes. There's no single bullet that can solve this problem. We'll have to tackle it across multiple levels. I think number one is definitely the things that are in your control, as the administrator running an organization or supporting an organization. You might want to look into solutions that give you that coverage at the global or network level. So that meanwhile, yes, your end user might not be able to patch that machine while he or she is traveling, but at least you will get coverage at the network level so it should not impact the network.
Satinder: And we call it a virtual patch. That's a terminology very well used in the industry, but you want to deploy that patch at the network level so that none of the end users get impacted. But ultimately, yes, somebody has to physically patch that machine, end user machine, maybe whenever the user gets time to update the patch, right? So ultimately that will need to happen to give that foolproof security. But having those controls at the network level network layer, what we call, they just let the teams buy out more time, right? You get more time saying, "Yes, you know, these 10 people are out of country. I cannot patch their machines. And there is this critical machine for which we should be looking to work now."
Satinder: And the way we call it is all about prioritization. You want to prioritize which assets are critical, which assets you want to patch first because there's no coverage or no support there, and then build a process around, you know, here's the other assets for which we have coverage.
Matthew: Okay. No, fantastic. All of this discussion that has... or when it comes to patching, that solves the problem for known threats. How can customers solve the problems for unknown or undisclosed? Is there a strategy that they could go about?
Matthew: First of all, actually, I know that you said 99% of the threats are going to be known anyway. So should they even worry about the unknown and undisclosed threats?
Satinder: Yeah. That's a great question because the way we look at it is it's all about risk-based approach. I've talked to a lot of customers. For them, the potential impact of a breach is huge. You know, if they have whatever reason, it might be a one small unknown that caused that breach and the impact is huge. So they cannot take that risk. Versus there are organizations who are saying, "Yes, you know, I know I might get breached," but the cost for that breach isn't big enough for them. The way we put it is based on the risk assessment for the organization. And every customer will have a different risk assessment, how they respond to these threats.
Satinder: Most of them would like to have the known covered. So once the known is covered, they're happy. But for those that really care about security, and specifically for someone like in healthcare, government, paid utilities-
Matthew: The highly targeted.
Satinder: ... highly targeted, where the impact is huge. You attack a power plant, you know the whole city's without power. So for those kind of industries, there's no let-down. You cannot let down your guards for just saying that "I'm covered at the knowns." So you need to use different techniques like a sandbox to say, "Okay, this threat comes in. Let me detonate it in a very safe, controlled environment and see how it behaves." Right?
Satinder: And if it's malicious, because it's all about unknowns, you don't know if it's good or bad. So you want to let it execute or let it play around in a custom sandbox where it doesn't affect your network, doesn't affect your environment. And once you discover, "This is a bad malware, this is trying to download something on my network, trying to take control," then you can put in the controls for your enforcement saying, "You know, this is bad. Next time, it's a no." So definitely we would advise or recommend customers to make sure that you have strategies in place to discover those unknowns because yes, there will be targeted attacks that will just target you.
Satinder: The undisclosed is probably similar as well, right? If you are a large organization, you know, you already have a target on your name. You definitely want to take every step. And the way we look at it, how many different layers of defenses can we put in so that each layer will give us enough time before the next layer to catch it. So ultimately it's all about catching it before it can have a huge impact.
Matthew: Yeah, and that's a term I hear you guys use, defense in depth [crosstalk 00:00:19:12]-
Satinder: Absolutely. Yeah.
Matthew: Fantastic. So can I ask, say if you have two customers, right, using your solution and one is in America and gets an undisclosed threat, works out that it's now going to be a known, would someone in Australia be protected from that in... Do you know what I mean? Does it talk?
Satinder: Yeah. Absolutely. And you know, this is what we call connected threat defense. So again, our products are able to share that intelligence across the board. You know, we have thousands of sensors or customers across the globe. We get some of the telemetry back from them in an anonymous way. So we keep the data anonymous and we also have a lot of threat intelligence feeds that come into our product, and we share that intelligence. So if somebody in US discovered that this is a malware, we have a patch for it. It'll be cross borderless. So all our customers will get that coverage regardless of whether it was caught in Australia or in the US.
Matthew: I know. I like that. I like that a lot. Yeah, I think that's about it for today. Was there anything else that you wanted to add when it comes to threats?
Satinder: All we would say is that our CEO, Eva Chen, has a great philosophy, and that philosophy is all around protecting your enterprise. And the way we look at it internally is our competitor is not the next vendor that we compete against. Our competitor is the bad guy. When we talk about security, we talk about it in holistic terms. We want to make sure that we are right every single time because that bad guy has to be right only one time and he'd be able to breach. So as an industry on the whole, we need to work collectively, use open standards, share information, and that's how we will be able to deliver that security to our customers.
Matthew: No. Awesome. Once again, Satinder, thank you very much for coming on to the show today. It's been a real pleasure having you on.
Satinder: No problem. Thank you so much for having me.