As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Candid Wüest, VP of Cyber Protection Research at Acronis, the Swiss-Singaporean cyber protection company, where he researches new threat trends and comprehensive protection methods. Previously he worked for more than sixteen years as the tech lead for Symantec’s global security response team. Wüest has published a book and various whitepapers and has been featured as a security expert in top-tier media outlets. He is a frequent speaker at security-related conferences including RSAC and AREA41. Wüest is an advisor for the Swiss federal government on cyber risks.
He learned coding and the English language on a Commodore 64. He holds a master of computer science from the ETH Zurich and various certifications and patents.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and grew up in Switzerland when the first Star Wars movie came out. As kids, my two older brothers and I always had an interest in mathematics and electronics. Equipped with a lot of curiosity I always wanted to find out how things work. Take them apart, combine them, and make them better. Luckily for me, I could learn a lot from my brothers and my parents supported me wherever they could. At that time, most of the learning was done by countless hours of trial and error, till it finally functioned, as there was no Internet to read up on. My entry into computer science was when I taught myself the programming language Basic on a Commodore 64, although I didn’t understand any of the English keywords. Many other computer languages have followed since. I guess you could say I’m a typical computer geek.
With that background, I then went on to do a master’s in computer science at the ETH in Switzerland and started working at the IBM Research lab for a while. With my passion for computer security growing, I switched to work for Symantec, where I spent the last 16 years as the technical lead for Symantec’s global security response lab. In that role I was analyzing all kinds of different cyber threats and attacks around the globe, trying to come up with new protection ideas. This quest continues in my current role as vice president of cyber protection research at Acronis.
I researched a broad spectrum of threats, from attacks against smart TVs at home to nation-state-orchestrated sabotage attacks in the Middle East. It was fascinating to see the evolution of cyber-attacks, from the first mass mailing worms to major DDoS attacks with TFN and Stacheldraht to the appearance of the first major ransomware threats.
Having seen the devastation that such cyber-attacks can cause in an organization or for people at home was always heartbreaking. In some cases, mid-sized companies had to close down and people lost their jobs, all just because of a wrong mouse click. Therefore, it was clear for me that I wanted to play my part in spreading awareness and making the digital world a safer place for everyone.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I guess movies like WarGames and Sneakers or books like “The Cuckoo’s Egg” by Cliff Stoll, definitely had an impact on me. These were the days of dial-up modems connecting the big wide world. But at the latest when the Windows remote access Trojan named Back Orifice appeared in 1998, it was clear to me that I wanted to know more about how malware works and how it could be stopped. It was fascinating and scary at the same time that a small piece of software could be used to completely control someone’s computer around the world. Hence, I started to learn all I could about this Trojan. I disassembled the code and looked at the available protection methods like firewalls and anti-virus, and where they fell short.
Can you share the most interesting story that happened to you since you began this fascinating career?
In my over 20 years in cyber security there have been many interesting stories. I guess the one that gets the most interest is around the Stuxnet attack. This malware was used in a sophisticated cyber-attack against the uranium enrichment facilities in Iran. But when we first came across a Stuxnet sample in 2010, nobody knew anything about it. At first, it was just another malware sample that needed to be analyzed. Back then we saw tens of thousands of new malware samples every day. The first thing we noticed was the fact that it used a new exploit with .LNK files. That’s when my team started to dig deeper and take a closer look at the sample by walking through the disassembled code. Soon we realized that this was not your average malware, as it had huge blobs of code for something called Step7. None of us was familiar with this, but we quickly understood that it was code for Siemens SIMATIC STEP 7 devices. This discovery opened the door to the rabbit hole and we began pursuing various possible scenarios of attacking programmable logic controllers (PLCs) used in manufacturing plants. It took us a while and the help from industry experts from the OT field to combine all the available puzzle pieces. Now, ten years later, we have a much better understanding of the Stuxnet attack, but some parts are still a mystery.
But I guess every time there was a huge malware outbreak, like Conficker or WannaCry, it was always a very special experience for me. When everyone is under pressure and the trained reaction plans begin, the adrenaline sets in too. I’ve always been proud to be part of a brilliant team of smart people and of course it felt good when we could neutralize the attack.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Obviously my two older brothers, who made their careers in computer science and electronics, helped me more than once. One of my first managers, Eric, is a brilliant mind who always asks the right questions, but also has the confidence to let you work on your own projects. This freedom and support has helped me a lot in building my career. Later in my career I met Mark, an entrepreneur who had just sold his IT security company. To this day, I have great respect for him and his achievements and I was thrilled to discuss various ideas with him. Even today, such brainstorm sessions are an incredible feeling and exciting every time. Having someone that respects you and is interested in your honest opinion is key to moving forward. Of course, sometimes this means that they tell you why your idea wasn’t working or what, in their view, you missed. But this discourse is exactly what helps you to improve, either by explaining your idea better, or by reflecting and accepting that there is a better solution.
My philosophy has always been that I would rather be the dumbest person in the room than the smartest. There is always something you can learn from the people around you; you just need to ask the right questions and listen to their answers with an open mind.
Are you working on any exciting new projects now? How do you think that will help people?
Currently, my team and I are working on expanding autonomous cyber protection. With recent achievements in artificial intelligence and machine learning there are very interesting things that can be done with the available data. At the moment AI is often used to simply detect abnormal activity on a system and alert the administrator. The ideal next step is to have a system that automatically responds to such an event and blocks an attack, recovers data, or heals the system itself. Hopefully this will help to minimize the required human interaction, making these solutions simpler and more efficient to use. Of course, this should not just be focused on cybersecurity, but on all key parts of protection, which we call SAPAS: safety, accessibility, privacy, authenticity, and security.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Don’t lose your passion, never stop being curious, and discuss ideas with like-minded people. But in our fast-paced world it is also important to stay healthy and balanced. Get enough sleep and make sure to have some offline time as well. Having time to relax and refuel your energy will help your overall well-being. Ultimately, this boils down to applying the right priorities and learning to say no.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- Cybersecurity is a fast-changing field; there are always new things coming up, be it serverless applications in the cloud, IoT devices with 5G or e-voting. With new technologies come new challenges. Systems can get pretty complex, but I like the challenge and the constant thrill of learning new things. Take it as an opportunity to integrate new ideas into the market.
- Cybersecurity has become a basic need for organizations and people, like food and shelter. With the fast digital transformation moving forward, many areas of our lives depend on computers and data, and therefore on the protection of them. Cyber protection is important and vital and can be a real game changer. Hence it is a good feeling and I’m happy to know that my job helps protect the daily lives of many people out there.
- It’s nice to see that security and protection are finally being integrated into companies and processes right from the start. We’re not at a perfect level just yet, it’s still a long way, but it’s good to see customers starting to ask questions about privacy and security. Of course, this is a global challenge that needs to be addressed on multiple levels. This brings new possibilities as there is an appetite for solutions with a non-traditional approach or simply multiple steps are integrated and harmonized.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
To be honest, most companies have not even addressed the threats from last year, so there is still a lot to catch up on. We still see many organizations struggling with fast patching, proper authentication or having working backup and disaster recovery. Privacy regulations such as GDPR are also far from being implemented everywhere they should be.
One area of threats that will definitely accompany us in the future is targeted ransomware attacks, especially since most of these ransomware groups have shifted their focus to stealing data and then threatening to publish it if the ransom is not paid. But even if there are working backups available, it often takes multiple days to get back online. This can cost millions of dollars in damage, not to mention the high ransom money if it is paid.
In terms of techniques, the living off the land methods are still popular. The attackers abuse your own infrastructure and pre-installed tools against you. This could be a PowerShell script that installs RDP and a new account as a backdoor, or it can abuse the package distribution software to deploy malware within the company. Cyber criminals can also reconfigure these tools to weaken your defenses or turn off monitoring features.
We’ve also seen an increase in supply chain attacks, for example against open source libraries that the company depends on. This will definitely increase further as it is difficult to detect. Another area is the so-called business logic attacks, where attackers make use of flaws in the business processes of an organization. This can range from misusing automated password reset functions to get access to a customer’s portal, to changing package deployment scripts to contain malware, to changing the bank account number for refunds to an account controlled by the criminals. You can count business email compromise (BEC) attacks in this category as well. One should never forget that the attackers are researching their targets very well and know how they operate.
And then of course there is privacy, which plays a huge role in all of the above. Companies need to prepare to have the big picture, so that they know what is happening with their data at all times. It is no longer good enough to know what is happening in your own perimeter; it has to be data centric, regardless of cloud, mobile device or on-prem. Once you see what is happening, then you can start blocking or mitigating the issues.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Well, I sincerely hope that the virus signatures and detection engines that I built stopped many cyber-attacks. But one case that I remember well is a ransomware attack a few years ago. A midsize company was compromised by an attacker and they had encrypted all their servers including the backups. The ransom demand was US Dollars 200’000, which was too much for the company and would have bankrupted them. On the other hand, not being able to access their data was a death blow as well. The CISO was a friend of mine and called me for help. I could see that he was very tense knowing that his job and the entire company were at stake. After the initial discussion on what they knew so far and what their goal was, I started with the analysis. Together with the CISO I was able to figure out that the encryption key that was used was not forensically wiped, but merely deleted from the system. This allowed us to recover the key from the system and create a small script to decrypt all the files. Restoring the servers still took the whole night, but the company was able to work again on the next day, without paying the ransom or losing their data.
Of course, the lessons learned were to have a working incident response plan that you can follow, to protect the backups from the attacker, and to prevent lateral movement. Luckily the cyber criminals did not steal any sensitive data, as this would of course have brought the incident to a whole new level.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
A lot of my daily work is done with tools that we developed in-house especially for the analysis and the different needs, like the Acronis behavior detection engine.
Some tools that I regularly use are the Sysinternals tools suite, like Process Monitor, to get a better understanding of which files an application is modifying. The main tools log every activity from a process with regard to files, registry, network and other processes. This provides a good black-box picture of what an application does.
Another useful tool is of course Wireshark to analyze what is happening on the network and what an application is actually sending out. If it is communicating with a web service then Burp Suite Proxy can be a helpful tool to analyze and modify the transmitted data.
Of course, if I want to really look inside a binary application then I use a disassembler like IDA or Ghidra to look at the assembly code. These tools can really take a binary apart and reveal every branch of the code. Such white box analysis takes a bit more time, but can help to understand if there are specific functions that are only reached with some rare conditions.
If you only need a quick estimate then online scanners such as VirusTotal can provide you with the verdict of 70 security scanners for any given file or URL. Another option is to use online sandboxes such as Joe Sandbox, which will generate a very nice report of what an application does.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
I don’t think there is a one-size-fits-all in cyber protection. It depends on the sector, the regulations, and the available resources of course. You should analyze your situation, for example with an exercise in which you go through a cyber-attack scenario and assess how you would deal with it. If you do not have a large team available, then integration and automation are key. You don’t want your single administrator to switch between 10 different consoles and interact with 10 different providers to find out what the problem is. For some areas you can automate a lot of the day-to-day work so that the administrator can focus on the big issues. If your team does not have any security know-how at all, then it might be a good idea to work together with a partner like an MSSP that can help you build up a strong foundation.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
The visibility of your own network and systems is key, but having too many log files can also overwhelm you. Some signs of an attack in progress include:
- Failed user logins when the attackers attempt to guess passwords or move around the network laterally.
- If there still is a classical company network, then monitoring the outbound network traffic for spikes or unusual domain resolutions can be an indicator as well.
- Having an alarm on unusual network patterns can help as well. For example, in an organization the clients rarely need to communicate directly with each other. Therefore, any direct interaction is most likely an attacker trying to move laterally inside the network.
- Receiving strange error messages that you haven’t encountered before, or notifications of error messages from customers, can be an indication of a compromise as well.
- Unusual logon times or source IP addresses for user accounts.
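The signs listed in this answer (failed-login bursts, off-hours or new-source logons, workstations talking directly to each other, and outbound traffic spikes) can each be reduced to a small check over authentication and flow logs. The Python below is an added example written for this page, not code from the interview, from Acronis or from any product; the log formats, the workstation subnet, the known-source table, the per-host baseline and the thresholds are all constructed assumptions that a real deployment would replace with its own data.

```python
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data for this example only (not from any real environment).
# Auth format: "<ISO timestamp> <LOGIN_OK|LOGIN_FAILED> <user> <source ip>"
AUTH_LOG = """\
2024-03-04T09:02:11 LOGIN_OK alice 10.0.1.10
2024-03-04T09:05:40 LOGIN_OK bob 10.0.1.11
2024-03-04T23:41:03 LOGIN_FAILED admin 198.51.100.23
2024-03-04T23:41:09 LOGIN_FAILED admin 198.51.100.23
2024-03-04T23:41:15 LOGIN_FAILED admin 198.51.100.23
2024-03-04T23:41:22 LOGIN_FAILED admin 198.51.100.23
2024-03-04T23:41:30 LOGIN_FAILED admin 198.51.100.23
2024-03-04T23:42:01 LOGIN_OK alice 198.51.100.23
""".splitlines()

# Flow format: "<ISO timestamp> <src ip> <dst ip> <dst port> <bytes sent>"
NET_LOG = """\
2024-03-04T09:10:00 10.0.1.10 10.0.5.2 443 12000
2024-03-04T09:11:00 10.0.1.11 10.0.5.2 443 8000
2024-03-04T23:43:00 10.0.1.10 10.0.1.11 445 4096
2024-03-04T23:50:00 10.0.1.10 203.0.113.77 443 950000000
""".splitlines()

CLIENT_NET = ip_network("10.0.1.0/24")                 # assumed workstation subnet
KNOWN_SOURCES = {"alice": {"10.0.1.10"}, "bob": {"10.0.1.11"}, "admin": {"10.0.9.5"}}
BASELINE_BYTES = {"10.0.1.10": 20000, "10.0.1.11": 15000}  # assumed normal daily outbound
BUSINESS_HOURS = range(7, 19)                          # 07:00 to 18:59 local time


def parse_auth(lines):
    """Turn auth lines into dicts with a parsed timestamp and a success flag."""
    events = []
    for line in lines:
        ts, result, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "LOGIN_OK",
                       "user": user, "src": src})
    return events


def parse_net(lines):
    """Turn flow lines into dicts with ip_address objects so subnet tests work."""
    events = []
    for line in lines:
        ts, src, dst, port, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": ip_address(src),
                       "dst": ip_address(dst), "port": int(port), "bytes": int(nbytes)})
    return events


def failed_login_bursts(events, threshold=5):
    """Accounts with at least `threshold` failed logins: password guessing or spraying."""
    failures = Counter(e["user"] for e in events if not e["ok"])
    return {user for user, n in failures.items() if n >= threshold}


def unusual_logons(events, known_sources, business_hours=BUSINESS_HOURS):
    """Successful logons outside business hours or from a source never seen for that user."""
    findings = []
    for e in events:
        if not e["ok"]:
            continue
        reasons = []
        if e["ts"].hour not in business_hours:
            reasons.append("off-hours")
        if e["src"] not in known_sources.get(e["user"], set()):
            reasons.append("new-source")
        if reasons:
            findings.append((e["user"], e["src"], tuple(reasons)))
    return findings


def client_to_client(events, client_net=CLIENT_NET):
    """Workstation-to-workstation flows: clients rarely need these, so flag them."""
    return sorted({(str(e["src"]), str(e["dst"]), e["port"])
                   for e in events if e["src"] in client_net and e["dst"] in client_net})


def outbound_spikes(events, baseline, factor=10, client_net=CLIENT_NET):
    """Hosts whose bytes leaving the client subnet exceed `factor` x their baseline."""
    totals = defaultdict(int)
    for e in events:
        if e["src"] in client_net and e["dst"] not in client_net:
            totals[str(e["src"])] += e["bytes"]
    return sorted((host, total) for host, total in totals.items()
                  if total > factor * baseline.get(host, 0))


if __name__ == "__main__":
    auth, net = parse_auth(AUTH_LOG), parse_net(NET_LOG)
    print("failed-login bursts:", failed_login_bursts(auth))
    print("unusual logons:", unusual_logons(auth, KNOWN_SOURCES))
    print("client-to-client flows:", client_to_client(net))
    print("outbound spikes:", outbound_spikes(net, BASELINE_BYTES))
```

On the constructed data the checks fire together: five failures against `admin` from one external address, then a successful `alice` logon from that same address late at night, a workstation connecting to another workstation on port 445, and a large transfer out of the subnet shortly afterwards. Each check alone produces noise in a real network; the value is in correlating them by time and source, which is why the functions return structured findings rather than just printing them.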
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Hopefully you have a tested incident response plan that you can follow. It should define a cross-department core team, which leads the investigation and updates the management on a regular basis.
They might even consider taking the network or services offline in order to prevent further damage, but they can only do so if they have previously decided on a proper process for it.
The company must evaluate what information has been accessed or manipulated. Depending on the result of this brief investigation they might need to inform official entities under privacy regulations and also the customers. This means you should also bring legal into the investigation, as data breaches can become messy. The same holds true for PR. Many companies handle communication around incidents very poorly, creating even more problems.
Once the post-mortem analysis is finished, the team needs to fix the way that the attackers came in so that it doesn’t happen again, for example by resetting passwords, patching vulnerabilities and blocking network ports.
It’s now been 2.5 years since the GDPR was implemented and unfortunately, we still see a lot of companies unprepared. It is good to have such privacy policies and regulations as they have definitely helped raise awareness. Especially the potential for high fines with GDPR has helped data privacy officers to get the attention of the management level and with that some needed resources. The CCPA does not have the same teeth, as its penalties are much lower, but it’s a start. Some companies struggled as getting compliant required a lot of training and resources, which many underestimated.
Unfortunately, many companies still don’t see privacy as a major issue, which can be seen in the repetitive news articles that show that we are far from having no data breaches.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The fundamental mistake is not to take cybersecurity seriously or to believe that the attackers don’t care about you.
When we dig deeper, we find that many companies have moved to the cloud but have not configured their services properly. This resulted in a lot of misconfigured S3 buckets or cloud databases that anyone could access, which in turn led to data breaches.
Other mistakes are weak authentication processes without MFA or waiting too long to implement patches. Both are mistakes that make it easy for attackers to get to your data. Just keep in mind, security is not something you implement once and then forget about; you need to revisit and tune it over time.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, I’ve seen cyberattacks increase as attackers take advantage of users’ insecurity and fear during the pandemic. I already mentioned that the move to the cloud has exposed many new services to the attackers.
Another area is the collaboration tools such as video conferencing services or file sharing applications.
Acronis conducted a survey during the pandemic and 39% of all companies reported that they encountered video conferencing attacks during the pandemic. Cyber criminals are quickly adapting to new environments and shifting focus to grow their profits. Unfortunately, we have also noticed that many employees started sharing sensitive data on unsanctioned sharing platforms or created unencrypted backups on private USB drives at home. This distribution and scattering of data can result in sensitive data getting leaked from places that the IT department was not even aware of.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Increase your visibility. You don’t need to be flooded with data, but you need to know what is happening to your data. This includes both monitoring and logging so you have an audit trail. It’s best to automate as many steps as possible to make your life easier. Many data breaches could have been prevented as the attackers had been in the organizations for months, but no one had noticed them.
- Prepare for the incident. Attacks and data breaches will happen. Make a contingency plan and practice it. That way, you can go through it like a checklist and make sure you don’t miss a point under stress.
- Follow a comprehensive approach for cyber protection. This means including data protection such as backups, cyber security such as anti-malware, and privacy protection. You have to cover all aspects of the data as a whole in order to stay on top of things and to be able to react optimally.
- Get the support of the people. Make sure management understands the importance of cybersecurity. If they don’t support you, you’ll have a hard time fighting uphill battles all the time. The same is true for the employees. If they don’t see you as a disruption, but as a benefit that supports them, it is much easier to implement policies.
- Review your identity and access control management. User identities are the new perimeter. Wherever possible, multi-factor authentication should be implemented. It won’t prevent all attacks, but it will make it a lot harder for the attackers.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I firmly believe in being respectful of others and happy with myself. Seeing a movement around this would definitely make me even happier. You realize that being happy is very important to your health. Having a positive attitude can change the world around you. Sometimes a little smile is enough to change someone’s day for the better. So how about, as a start, we try to start each day with a smile.
How can our readers further follow your work online?
People can either follow me on Twitter, my handle is MyLaocoon, based on the Greek mythology, or on LinkedIn https://www.linkedin.com/in/candid-wueest/. You can also read my articles on the Acronis Blog (https://acronis.com/en-us/blog/).
This was very inspiring and informative. Thank you so much for the time you spent with this interview!