War and conflict have evolved past guns and tanks and are now commonly fought with more subtle weapons. So, another dimension to the expanding cybersecurity threat landscape is the weaponization of computing by foreign actors on their sovereign nation enemies.
Companies in countries like the U.S. have to combat threats both from private actors and outfits backed by begrudged nations and their proxies. And unlike a physical war, these organizations have to do it mostly on their own.
“If you look at the Ukraine-Russia war, a thousand companies have decided to withdraw from the Russian economy, and they’ll no doubt be in the Russian government’s crosshairs,” said Snehal Antani (pictured), co-founder and chief executive officer of Horizon3 AI Inc. “Also it’s not just those companies, but their suppliers and their distributors. And it’s no longer about cyberattacks for extortion through ransomware, but rather cyberattacks for punishment and retaliation. The reality is that cybersecurity is the burden of the organization.”
Antani spoke with theCUBE industry analyst John Furrier at the “Cybersecurity — Detect and Protect Against Threats” event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the weaponization of computing by an increasing number of public sector actors and how organizations are combatting it. (* Disclosure below.)
Training as though in real combat
Few people have, like Antani, made the switch from Special Operations to founding cybersecurity startups. Nevertheless, a major change of mindset that companies must adopt is preparing and testing their security models as though the threats are already on the ground — much like Special Ops forces carry out training with live bullet rounds, according to Antani.
“The whole idea there is you train as you fight, you build that muscle memory for crisis and response so that when you’re in the thick of it, you already know how to react,” he said. “And this aligns with a pain I had in the industry where I had no idea I was secure until the bad guy showed up. What I wanted to do was proactively verify my security posture and harden my systems.”
Staying proactive is central to the idea, and the absence of a platform that allowed for that was what led to Horizon3 AI’s creation, according to Antani. The platform simplifies and automates processes, such as penetration testing, especially for non-security personnel.
“There just wasn’t any way to do that where an IT admin or a network engineer could, in three clicks, have the power of a 20-year pentesting expert,” Antani said. “And that was really what we set out to do, not build an autonomous pentesting platform for security people, but to build it so that anybody can quickly test their security posture and then use the output to fix problems that truly matter.”
Lowering the barrier to entry for security
Not stopping at simplifying its platform to cater to a wider user base of people inexperienced in cybersecurity, Horizon3 also worked hard to mitigate the need for consulting. In fact, customers can wire the platform’s pentesting into their DevOps toolchain and automate it to run multiple tests during a given timeframe, according to Antani.
“If you have to consult, like when I was a CIO, it was on average at least a three-month lead time to schedule consultants to show up. And when they did show up, they’d embarrass the security team and make everyone look bad because they evaluate the entire system and just leave behind a report,” he explained. “Often, even if they fix a problem, teams don’t have the skills to verify that it has been fixed.”
The notion of “trust, but verify” with cybersecurity denotes that while organizations have faith in their in-place systems, they must continue to ascertain that those systems are continuously effective, according to Antani.
“Show me we’re secure right now, show me we’re secure again tomorrow, and then show me we’re secure again next week, because my environment is constantly changing and the adversary always has a vote and they’re always evolving,” he stated.
There exists a dichotomy in the industry, with one side viewing security as nothing more than a compliance checklist and the other seeing it as crucial.
“There is still a decent chunk of CIOs and CISOs that have the ‘security is a compliance checkbox’ mindset. So my attitude with them is I’m not going to convince you. If you believe it’s a checkbox, I’ll just wait for you to get breached,” he said.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the “Cybersecurity — Detect and Protect Against Threats” event:
(* Disclosure: Horizon3 AI Inc. sponsored this segment of theCUBE. Neither Horizon3 nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)