According to Ran Shahor, CEO and co-founder of HolistiCyber, a successful cybersecurity strategy should start with a detailed plan. This plan should place your business requirements, budget, and security posture ahead of any other decisions you make to keep your company assets and data secured.
How do you build your strategy? Well, for starters, you resist the urge to rush off and purchase the latest and greatest tech tools. Instead, you look at your company’s security status from the perspective of a possible cyber attacker and start working on your most pressing organizational vulnerabilities.
For Brig. General (res.) Ran Shahor, assigning a team of hackers to breach the systems of major corporations (with their permission) is a regular part of his daily routine. In fact, he has been doing this kind of work for a long time, starting with his ground-breaking establishment of the first cyber intelligence teams in the ’90s, when owning a private computer at home was just becoming popular and we were using dial-up internet for the most part.
In this interview, Shahor outlines his approach to building a solid cyber security strategy and some of the methods and best practices to get there. More than that, he shares pearls of wisdom that all CISOs can immediately put into practice to overcome major challenges and obstacles on the path to keeping their organization secure.
Q: What is the key to a successful cybersecurity strategy?
Shahor: “Considering the level of threats and attacks that we are seeing today, the most important task is to prioritize which threats to handle and when. Without prioritization, organizations will not be able to secure their data and networks. This means clearly designating the areas that require protection and defense, and requires knowing the business needs and specific circumstances of the organization. This requires an understanding of the security gaps in the organization, having a clear picture of the attack record, which attack vectors are more relevant and pose a real threat to the organization and which are less crucial.
Gathering and syncing this information allows the organization to use its resources, which are never unlimited, to provide the optimal security defenses for that specific organization.
The best practice is not to try and defend your organization against all potential threats that exist out there… that is impossible to do. Even if it were possible, two days later new threats would appear on the scene, but they wouldn’t necessarily be relevant. So, the idea is to be better protected compared to others in your business environment, to be more efficient and optimize your cyber security defense budget. These are the most important things to consider. Once you have these in mind, there are other best practices which are well known, such as providing a properly layered defense that covers the full cyber security stack.”
Q: What do you first look at when building a cyber security strategy for any given company?
Shahor: “It is important to realize that there must be a planned strategy in the first place. So many companies seem to just go out and purchase the products that are available in the market, oftentimes to put out a “fire” or plug a “hole” in their security stack. They don’t look at the whole picture of the business environment, the main viable threats and come up with a relevant strategy. Building a cyber security strategy is the most cost-efficient and secure way of moving forward.
The path of “plugging holes” is not only expensive but is also an inefficient and unsecure practice.”
Q: OK, so what does HolistiCyber do differently compared with other companies in the cyber security space?
Shahor: “HolistiCyber has a unique method of looking at each organization from the vantage point of the attacker. In the past we ourselves were professional hackers, working for governments, therefore we have the ability to understand in a precise and detailed way how potential attackers would tackle the organization. We consider the following – What worries them? What scares them? What could possibly make them stop working in their current environment? Based on that we build the defense plan. As a former attacker, I can let a company know very quickly if they are properly defended or not.
If you are a military attacker, you typically must go after specific organizations. However, if you are a criminal/civilian cyber offender, then you probably do not really care if the organization you are hacking is Wells Fargo or JP Morgan, you just want to attack a bank.
So, you would typically try to attack (either manually or with specific tools) and very soon you would see if the organization were well protected or not. If it is well protected, you will move on to attack another organization and this analysis of what it takes to deter attackers is a job that we do better than anybody else.”
Q: How does your experience in the Israeli Military influence how you tackle cyber security today?
Shahor: “It is no secret that I ran a cyber-attack division in the Israeli Military. And this allows us to understand and view the organizations’ security from an attacker’s perspective. It allows us to build defenses that are not appealing in the least for hackers to crack and make their job too difficult and not worthwhile; this is how we are able to provide superior defense solutions for our clients.”
Q: Can you share an example of a big cyber challenge that you encountered while serving in the Israeli Military?
Shahor: “One of the first challenges I encountered was when I needed to establish the division of the attack teams in the Israeli Military. This was at a time when the world was in the exceedingly early stages of public internet and mobile phone usage. Many people did not really understand why this division was required. To some, it seemed to be a waste of resources in terms of money, focus, time, and manpower. There were a few attempts to shut down the project, so it was incredibly challenging. I had to explain to the decision makers at the time that the future was going to be in those areas, that the world would be vastly different in just a few years, that if we didn’t prepare today, we wouldn’t be ready for the challenges of tomorrow. Indeed, now we know that these efforts paid off, and Israel is an international leading force in cyber security. It is because we started early and dealt with it in a serious and professional manner.”
Q: OK, let’s jump back to today. What is the meaning of the name “HolistiCyber”?
Shahor: “We believe that cyber security should be viewed in a widely holistic manner rather than pinpointing specific spots without proper analysis. So rather than purchasing products to cover specific security gaps, we first recommend a holistic approach. Oftentimes, the most difficult gaps are in the periphery of an organization’s IT systems, such as in supply chains, human resources, etc. We handle these gaps and the analysis better than anyone else, therefore we decided to go with the name HolistiCyber.”
Q: What should companies be most concerned with in the sphere of cyber security today? What are the biggest challenges?
Shahor: “One of the biggest challenges is with third party supply chains, such as with the SolarWinds cyberattack. We all buy computers, servers, mobile phones, etc., and the hardware and firmware themselves can be penetrated and cause unimaginable damage. For many years, organizations have not dealt with that. Today, we know that this is one of the biggest security gaps in organizational cyber defenses, because it is difficult to scrutinize vendor products; and if left unchecked, vendors can cause damage to many companies, so clearly this is an important area to focus on.
Another challenge lies with the CISO’s ability to navigate his/her way and to be able to see the broad picture of his/her cyber security stack. There really are many different types of threats and attack vectors and it is difficult to create clarity when it comes to prioritization. It requires a great deal of skill. Oftentimes, they rush to purchase tools to handle specific needs, but sooner or later they realize that this isn’t enough.
A CISO’s ability to create a coherent security policy for his/her organization is often hindered because of the complexities and the multitudes of threats that are being showered down by cyber offenders. This is another area where HolistiCyber can really provide value because we can give the CISO a clear perspective of the most viable threats to their specific organization, while adhering to their budget and business workflow requirements.”
Q: Tell us about a situation where HolistiCyber did something outstanding.
Shahor: “Recently, we worked with a rather sophisticated client on red team and blue team simulations. They were amazed. This company spends approximately $6 million US per year on red-teaming and penetration testing. We started with a short red team simulation, and within less than two weeks we took complete control over all their systems. This included extremely sensitive customer data.
Within a week, the CEO called us in for a meeting, and he wanted to know how, after years of spending so many resources on this, we were able to penetrate all their systems so quickly. The answer is simple. We have the ability and the know-how to use the same techniques and resources that are available to the most sophisticated and dangerous cyber offenders in the world, whereas 99% of our competitors are using techniques, tools and skill sets that were used by attackers 2-3 years ago.
Another customer, a bank, emailed us that we shouldn’t be disappointed, but they expect us to hit a brick wall. We hacked into their network within 20 minutes, and within half a day we took complete control over all systems, including showing the CEO and his entire team the security footage of them working in their own office.
In another incident, a customer of a client of ours had been breached and an incredible amount of damage had been done. That company was about to sue our client who was a supplier of theirs, believing that they had been the weak link through which the attack had taken place. Our forensic team was sent in to investigate, and within two days we discovered that our client, the supplier, was not connected to this attack.
These are just a few small examples from our day-to-day activities, all of which our clients consider to be outstanding.”
Q: You are one of the founding fathers in the cyber security industry. Can you share an important life lesson with us?
Shahor: “One of the important lessons I learned was to think out of the box. I learned to observe the current reality, but then instead of doing what everybody else is doing, to offer a different, fresh, and effective approach. The idea is to avoid doing more of the same and to offer ingenuity and new ideas. This is the reason why large and well-known organizations have chosen to use our services instead of large companies such as IBM, Accenture and others.
If we offered what everybody else is offering, there would be no reason to choose us. Our clients consistently tell us that they get solutions from us that they can’t get anywhere else.”
A successful cyber security strategy means that your top security vulnerabilities get priority, and that you handle the rest over time, as your budget and business needs allow. The main point is to be proactive in evaluating your current security status and in crafting your plans before you run out to buy all the latest tech gadgets.