Jason Merrick, Senior Vice President of Product at Tenable, joins CSO ASEAN's new Editorial Director, Estelle Quek, to discuss how organizations can better navigate ransomware attacks that employ sophisticated extortion tactics; secure today's hyper-interconnected, API-rich, OT-IT, multipartite, fragmented environments and critical infrastructure; and proactively manage cyber risks and suppliers' accountability by leveraging the Monetary Authority of Singapore's and the Cyber Security Agency of Singapore's recently proposed rules.
Estelle Quek
Hey, welcome to CSO ASEAN Executive Session. Our guest today is Jason Merrick, Senior Vice President of Product at Tenable. Jason, welcome. Could you briefly tell our audience about your background and your role?
Jason Merrick
Yeah, absolutely.
First of all, thank you for the conversation today. I've really been looking forward to it. I'm Jason Merrick, Senior Vice President of Product here at Tenable.
I've actually been in the security, the cybersecurity industry for over 20 years, in all aspects: identity, cloud security, web application firewalls very early in my career. And then I have this opportunity at Tenable, really, to help organizations deal with proactive security.
It's really, you know, this journey that Tenable has been on, what we call exposure management, is helping organizations be able to find the assets that are critical to the organization, apply business context around them, and to really help with prioritization, to, you know, make certain that those critical few things are remediated. That's proactive security.
It's the other side of the coin of detection and response.
Estelle Quek
Thank you.
Well, according to the coalition of cybersecurity in Asia Pacific, this region itself witnessed some 57,000 ransomware incidents in the first half of 2024 alone, with attackers employing increasingly sophisticated double and triple extortion tactics that threaten data leakage alongside encryption, and Indonesia, the Philippines and Thailand bear the heaviest impacts from these attacks.
Could you please walk our CISO audience through a recommended incident response methodology when facing a ransomware attack with double or triple extortion tactics?
Jason Merrick
Yeah, so, I mean, ransomware is a global problem, and I think that from a CISO perspective, there are several challenges that they're having to deal with.
I think the, you know, one big thing that we have seen with our customers is it really starts with having to build an inventory of your digital assets.
Have an understanding of, you know, not only your endpoints, your servers, your cloud workloads, your identities, operational technologies, business IoT. Really have an understanding of what assets you're responsible for. Foundational from there, you want to know: are they misconfigured? Do they have known vulnerabilities on them?
So how do you go and contextualize this information so you have an understanding, right?
Because now, you know, some ransomware is socially engineered, which is an educational thing that you need to work with your employees on. But on another side, you know, we've had several significant breaches in the States over the last, you know, four or five years, and nine times out of 10 it was an asset that they didn't know they had, that was misconfigured, that was externally facing with open ports, and had known vulnerabilities on it.
So I think for an organization, it starts with building that inventory, understanding the assets that you're responsible for. The second piece is being able to analyze that inventory, to be able to find those, you know, toxic combinations. The third piece is really also prioritization.
How do you have a communication from a business standpoint? I kind of view it as a letter-grade traffic signal, high-level enough that everyone understands what the issue is. But I think that there's also a technical conversation.
So the operations team may be the team that's doing the patching and the remediation. They need to understand, and their KPIs are uptime and availability; patching is going to, you know, become an issue for them. So, you know, and then ultimately, optimization. How are you doing?
How effective is this program? So I think, from, you know, our path is, how do we prevent the ransomware event from happening by understanding that inventory? I think that's a fundamental for us, and that's our approach to helping CISOs deal with this challenge.
Estelle Quek
Thank you. How then can these organizations balance immediate containment with evidence preservation? Are there any specific recovery procedures that you recommend that can assist organizations with business continuity while preventing further exposure and reinfection again?
Jason Merrick
You know, I'll take the approach that we take as an organization. One is being able to have historical information, so you know when you first detected this asset, any changes over time with this asset.
So you have the ability to collect the information, not only of current state, but past state, and be able to bring that information in. So you have an understanding that, oh, this system, you know, had a vulnerability two weeks ago, but it was patched.
You know, being able to have that evidence and that reporting is a critical component and something that we help our customers with. That's why we have the historical view for reporting and compliance requirements.
Estelle Quek
Okay, thank you.
Now, an increasing concern in this region particularly is securing critical infrastructure, which has also emerged as a top priority for ASEAN countries in 2024, particularly in response to headline-making incidents impacting power grids, utilities, healthcare systems, and some high-profile breaches. I can mention Indonesia's national data center and Malaysia's public transport system, which underscore ASEAN infrastructure vulnerability.
So in your view, why do legacy audits miss third parties in today's hyper-interconnected, API-rich OT-IT and multipartite, fragmented environments?
Jason Merrick
A lot of things. So I think one of the challenges that you have, specifically with operational technology, is far too often these are systems that were built and designed and still work.
And they may be 20 years old, and they may be running very, very old legacy operating systems, but you can't take them out because it's too expensive to go through and replace. So organizations really struggle with this.
And you know, even though operational technology in itself has its own kind of contained world, there are still IT assets that touch that environment. There are still computers and servers that are within that OT environment.
So it really takes a balance of being able to understand the PLC, being able to understand the configuration.
You also have to think about being able to detect these things in passive mode, because actively scanning a PLC could cause an impact, and especially when you're thinking about manufacturing or industrial controls or critical infrastructure, you know, you have to have flexible methods to go through and do discovery and do analysis.
You know, why did we suddenly have a, you know, firmware upgrade that happened at three o'clock in the morning? Did anyone know anything about this? So being able to profile the environment is really critical.
And what you wind up seeing is a lot of organizations, you know, OT and IT, are really kind of coming together, and being able to have that understanding, being able to report on it, being able to drive remediations and have that proactive security is really critical.
And we're also seeing a lot of organizations struggling with business IoT or building management systems, so elevators, escalators, card readers that crossover. Again, another source of, you know, potential risk for an organization.
Estelle Quek
Yes, totally agree with you. Well, are there any available solutions, or how do the available solutions in the market address these IT/OT security challenges, while helping them ensure business continuity of critical infrastructure operations?
Jason Merrick
I can say how Tenable works with our customers on this. So we do have a specific operational technologies capability.
This gives you the ability to, again, as I kind of mentioned, not only you know, active scanning, but you can also do passive scanning of environments, and it really is about providing visibility and baselining so an organization has an understanding of what their infrastructure looks like beyond the PLC, like the other attached systems, and also being able to pull in the IT information as well.
So, you know, the really interesting part is, there are companies that are still running Windows 2000, so being able to, you know, have an understanding of those, what I'll call end-of-life technologies, and where they're located, and are they properly air-gapped, and helping give, you know, a viewpoint on the compensating controls. I think far too often organizations struggle with this, especially with critical infrastructure.
So our approach is helping build that inventory so you have an understanding of what assets you're responsible for, what their configurations are, and if there are any known vulnerabilities on there.
Estelle Quek
Thank you so much. Let's switch gears a little bit to the Monetary Authority of Singapore's and the Cyber Security Agency of Singapore's recent proposed rules requiring financial institution vendors to obtain certification like Cyber Essentials or the Cyber Trust mark before they can even be licensed or bid for government contracts.
Now, how do these hold organizations more accountable for breaches involving third-party vendors and encourage greater ownership of oversight and risk management?
Jason Merrick
I'll give you a great example that we've done in the US. So the United States government created, and it's probably the most successful government program that we've had from a cost savings perspective, something called FedRAMP.
So for a vendor to be able to sell their products into the federal government, they have to be FedRAMP certified. Now, FedRAMP has multiple levels. I won't bore you with all the details, but really what it does is it forces the vendors to have proper compliance controls and policies. So instead of the federal government having to hire people with that knowledge, they're pushing that to the vendors, and the vendors have to go through a certain set of controls, policies, procedures and, ultimately, audit of their systems.
And so, you know, I'm all for it, because I think that what that does is, as a vendor ourselves, it really makes us focus on what the important, critical things are, and that we're accountable, that we're doing the right things, that we're looking at the right policies and procedures, we're looking at, you know, if we have a vulnerability, that it has to be remediated within a certain period of time, and we have to show audit proof of that.
So I think, as an industry, you know, having the certain certifications that are required really builds trust, and it also makes certain that as a vendor, we're doing the right things, especially being a security vendor.
Estelle Quek
Thank you.
So should this be extended to critical infrastructure operators and their vendors as well?
Jason Merrick
Oh yeah, without a doubt. You know, again, using the FedRAMP example, in the United States we have the federal one. We also have states, and states have done StateRAMP. So, you know, they're pushing, you know, these policies and controls into our critical infrastructure.
So they're making certain that there are certain requirements that are met and certain audit and compliance is being done in accordance with the rules.
Estelle Quek
Thank you.
Now let's talk a little bit about the talent shortage in this region. Malaysia particularly exemplifies this region's crisis, where almost 85% of organizations really struggle to find certified cybersecurity professionals. What sort of training, certification programs and mechanisms might help organizations address the cybersecurity skills gap while maximizing their security investments?
Jason Merrick
You know.
So there are several certifications that are definitely known. CISSP is a perfect example of one. That is, you know, where you're a security practitioner and you've got a certain set of knowledge.
I think the other thing is, there's an opportunity for school systems to actually have cybersecurity classes or programs or even degrees, because I think it's something that really hasn't been hugely taught, that universities could be offering programs like this.
The other side is that you can also leverage MSSPs, so managed security service providers that will have that level of capabilities, because the talent is very hard. Malaysia is not alone in having a challenge finding skilled workers to be able to go through and deliver that.
I travel the globe. It's a global challenge. It's very, very hard to find those cybersecurity. So I kind of view it as there's really, you know, one the education system, you know, having schools provide a program to get you know, students to go.
I think companies funding education and having you know the money set aside that someone can go and get their CISSP.
But I also think, as a vendor providing MSSP capabilities, where you've got managed security service providers that are able to go and deliver this capability so you don't have to go and spend the extra money, at least that's the approach that we see in the industry.
Estelle Quek
Thank you.
Now, Jason, before we part, do you have any advice for our CISOs out there, or aspiring CISOs, on navigating operational reality, which is becoming even more complex these days?
Jason Merrick
Well, it's, you know, it's one of those things that it's an interesting trend that I've been seeing. You know, if you think about four or five years ago, a lot of CSOs were not responsible for cloud security, for instance, or they may not have had responsibility over identity.
That could have been the CIO's organization. So more and more CISOs are having to accept more risk. And, you know, not to oversimplify it, but a CISO's job is to accept risk and reduce risk.
So, you know, we've seen this explosion in asset classes that CISOs are now responsible for, OT being a great example, where it was, you know, the manufacturing plant manager that was responsible for the OT security environment, and not the CISO.
So now the CISOs are having all this responsibility. I think that, you know, the first thing, and not to oversimplify it, is having a dashboard that has all of your inventory. Far too often,
I think organizations go, I'm only going to focus on the critical assets for my organization.
But that's, again, a miss, because if you look at the ransomware example that we used, far too often organizations didn't know that they had, you know, a Citrix server externally facing, misconfigured, and with known vulnerabilities on it, and the attackers basically went and breached that and moved laterally within the organization. So have that inventory, analyze that inventory to understand what misconfigurations, what risks.
I like to call them toxic combinations, you know, this asset plus this cohort of users that have access, that's bad, something that you need to go and focus on. I also think that building a baseline of how you want to go through and communicate with the other teams.
It's one thing for the security team, they probably have a very good technical understanding. But how are you going to communicate with the operations team? How are you going to drive that efficiency?
Because unfortunately, the operations team, they're about uptime and availability, and patching goes against that; they're going to have to take downtime. So, and then ultimately, how do you drive and explain this to the organization? How do you report on this?
How do you show how effective it is, having a business conversation? You know, a trend that I'm seeing is more and more CISOs are reporting directly to the board.
They're reporting into the CEO in some cases, and we're seeing CISOs actually join boards now, because cybersecurity is no longer an insurance policy, it's a critical business process. So I think for the CISOs out there, I think that's kind of the baseline fundamentals.
It's the other side of the coin of incident response: it's exposure management. It's how do you do proactive security? How do you understand what your risk is? How do you mitigate that risk? And I think that's the give and take.
Estelle Quek
Yeah.
So if I can summarize, it's actively stock-take your assets, communication throughout the organization, and also proactive exposure management. Thank you so much, Jason, it's been a great pleasure having you on our CSO ASEAN Executive Session. I hope to speak to you again sometime soon.
Jason Merrick
Thank you very much. I really appreciated the conversation.