Interview: MENA cybersecurity and crucial client blindspots

by Black Hat Middle East and Africa

NetWitness has been an important partner of the Black Hat Network Operations Centre (NOC) for the past six years, working with Black Hat Europe, Black Hat Asia and Black Hat USA. As Abdullah ALSaadoun (Manager, GCC & LEVANT at NetWitness) noted, NetWitness has helped the NOC team “maintain network stability and monitor threats in one of the world’s most challenging IT environments.”

So we asked ALSaadoun to share his perspective on regional cybersecurity requirements in the Middle East, as well as the crucial things that most businesses don’t understand about cybersecurity.

How is NetWitness working to serve specific regional requirements in the Middle East?

“Our ability to stay close to and listen to our customers in the Middle East region, and our agility in transferring these customer needs and requirements that are specific to our region into the product, has allowed us to provide products and services that solve real problems specific to the region.

“For example, even though there is a global trend towards cloud, we understand that in the Middle East, some businesses, due to their nature, will remain fully on-prem; while others will follow a hybrid approach. This is why all features and capabilities of NetWitness can be run fully on-prem without any reliance on the cloud, or could be fully run from the cloud, or could follow a hybrid approach, based on the specific needs of each organisation in the region.

“This also applies to specific features that have been released in the solution based on regional needs and requirements from our customers in the Middle East, or to the introduction of value-add services, such as Managed Detection and Response, based on regional need and delivered in a way that follows and achieves the regional needs (whether onsite, remote or hybrid, as well as availability of resources in-country).”

What makes NetWitness XDR security different from competitors?

“Today, with sophisticated attacks and threats, log-centric or endpoint-centric visibility is no longer enough to detect those threats. It is crucial to have every single aspect of the infrastructure visible to cyber analysts, and visibility by itself is not enough – it needs to be augmented with behaviour analytics and threat intelligence in order to maximise the efficiency of the detection and response.

“To understand and appreciate NetWitness’s added value, let’s first identify what cyber analysts need to perform their job:

  1. End-to-end visibility
  2. Instant reach to forensics data
  3. Simplification!

“Having end-to-end visibility that covers logs, packets, endpoint and UEBA on a single-pane-of-glass platform will definitely accelerate the process of detecting threats and coming up with response decisions. During compromises, time is your enemy – so NetWitness will allow corporates to complete the forensics process faster than any other technology, due to the comprehensive visibility it provides.”

Have you found that certain types of cyberattack have become increasingly prevalent for your customer companies lately?

“Evolution from Ransomware as a Service (RaaS) to Extortion as a Service (EaaS), and the return of data exfiltration.

“Ransomware started by encrypting files and asking for a ransom to get the decryption keys, and was run end-to-end by the same threat group. Then some parts of the attack, such as the initial access, started being provided by different threat groups who resell the access to the ransomware gangs, leading to a supply chain model and the Ransomware as a Service (RaaS) trend, which is now more or less the norm.

“As companies became more prepared to respond to these threats, and consequently less likely to pay the ransom, threat groups started adopting double extortion practices – where in addition to encrypting files, they would also exfiltrate sensitive data to blackmail the company and/or resell it. Now we're seeing an increased number of groups focusing on Extortion as a Service (EaaS), who in some cases completely dropped the encryption part and solely focus on data exfiltration for extortion.

“Therefore, data exfiltration is back to being a focal point, whether it is related to APTs, state sponsored attacks, cyber espionage, RaaS, EaaS.”

What are three things most businesses don't understand about cybersecurity?

“One, there are no shortcuts to security and no silver bullets; cybersecurity is not a tool. Many organisations look for simple ‘deploy and forget’ solutions in the hope they would solve their security challenges with little to no overhead on security teams. But threat actors are very agile, constantly evolving, adapt quickly to new trends, and are able to very quickly adopt new techniques and exploits within their toolsets. The question is not whether a breach will happen, but when it will, and once it does, whether we are able to detect and investigate it.

“Two, over-reliance on automated detection and prevention. Even though these are extremely important, there is still a crucial need for forensics and visibility. Detecting a threat is only the first step (even if it has been prevented or blocked). Being able to fully investigate it and get to both the root cause and the business impact of the breach is equally, if not more, important. Without proper root cause analysis, infections and re-infections will occur again. Without being able to trace and see what the attacker is after, it becomes more difficult to anticipate their next move, forfeiting an advantage security teams could have.

“Three, different organisations might have networks with multiple similarities, but they’re also all unique ecosystems that are continuously evolving. And therefore, there is no one-size-fits-all solution to cybersecurity.

“Also, what works well today might not work tomorrow, since both network environments and threat actors are continuously evolving and changing. There is a lot of marketing nowadays, and most security solutions will include buzzwords like ‘XDR’, ‘AI’ and ‘Machine Learning’ (including NetWitness). Lots of businesses are following these marketing trends and focusing on the buzzwords instead of looking for the actual capabilities that fit their requirements and needs.

“For example, there is no clear definition of what XDR is or should be, but businesses would still look for ‘XDR’ solutions without having a clear understanding of what problems they have, and which requirements are needed to solve their specific and unique challenges. We’ve seen multiple cases where a customer purchased AI-based solutions that worked great during a Proof of Concept or when it was first deployed, but then had much less value a year later, or who purchased XDR solutions without really assessing the critical capabilities they would need within the ‘XDR’ concept.

“Cybersecurity is not a single department working in a silo. Every department, employee, contractor and third-party provider has a role in the security of the organisation, hence the need for continuous awareness, training and assessment, and unified full visibility across all users and functions, whether on-prem or in the cloud.”

Finally, why is an event like Black Hat MEA important for your company, and/or for the industry more broadly?

“With six years as a premier partner for the Black Hat NOC, we know the event very well. It’s the right place to stay for us, as a key player in the cybersecurity environment. With Black Hat MEA, we want to stay close and listen to our customers in the Middle East region, learning from them and transferring these customer needs and requirements, that are specific to our region, into the product. Only our proximity to the needs of our market allowed us to provide products and services that solve real problems specific to the Middle East region.”


Thanks to Abdullah ALSaadoun at NetWitness. Join us at Black Hat MEA 2023 to learn more.
