Date: 2021-05-25

Draw people out: Sometimes people don’t voice their opinion not because they don’t have one. I had a case where an expert on a subject was very shy, and wouldn’t speak unless asked. When asked, the ideas and thoughts he gave could sometimes vastly improve a project. So, remember everyone in the team is important.

As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Netta Schmeidler, VP Product at Morphisec. She has more than 25 years of experience delivering complex enterprise applications and managing global development groups and product teams. Her broad expertise includes all aspects of defining, building and successfully bringing solutions to market. Prior to Morphisec, Netta held senior product management and engineering roles at VMware (Digital Fuel), BMC, Identify Software, and Mercury. She received an MBA from Tel Aviv University, and a BSc in Computer Science from Hebrew University.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up mainly in Israel, with several years of Sabbatical Leave in the US, where my father was a visiting Games Theory professor. I wasn’t exactly encouraged to study science and math in middle school and high-school; rather it was a given as something I was going to pursue at an early age. Thankfully, STEM was something that I was both good at and loved doing. My military service in Israel was where I was first introduced to digitalization broadly and cybersecurity specifically. It opened my eyes to the endless possibilities of opportunities in security. That experience was what inspired me to pursue a BSc in computer science and work in this field.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

A Room of One’s Own, by Virginia Woolf. I read this growing up. While I usually read novels, and this was an essay, it made me think and helped me crystalize the example I saw within my home of parents working in careers they enjoyed, sharing household and child-raising responsibilities. When I work with and talk to teenage girls, I remind them that having their own life, their own career, their own money is one reason I am encouraging them in the direction of STEM.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Not a specific thing, but my short time in the military showed me that the battlefield of the future is a digital one: national, and also private. It illustrated that protection is where I can do good, improve people’s lives and save them from malicious hackers. Several years ago, a friend got hit by a ransomware attack; her thesis and her patient’s notes were in peril, she was panicking, and cyber defense is really what this is about. It made me want to contribute to fighting back against the adversary.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Not a very funny mistake, but when I drove to a venue, I was very focused on the meeting — what I was going to say, how I was going to present it — I didn’t notice where I parked. At the end of the meeting, I had no idea where my car was, and a vague memory of what it looked like, since it was a rental. Lesson learned — note your car make, and make a careful mental note of its location!

Are you working on any exciting new projects now? How do you think that will help people?

Definitely. We are working on ensuring organizations without cyber expertise will get the same level of cyber defense as rich, resource-heavy enterprises without expensive forensic analysts. Being secure shouldn’t be something only afforded to the world’s largest companies with big budgets and large teams. Smaller organizations like hospitals and manufacturing companies, are also being attacked, and need the same level of protection. Our mission is about cyber defense democratization. As part of that, we enhance our protection for server workloads throughout organizations, regardless of their workload location and maturity.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

Yes, the cybersecurity industry has certainly reached new heights since the pandemic began. Attacks targeting enterprises have shot up since 2020, as has the cost per data breach, so the realization from organizations is that they need to kick themselves into gear or risk making headlines as the latest company to fall victim to money-hungry cybercriminals.

Here are three things that I’m especially excited about as the cybersecurity industry continues to grow.

1. Growing collaboration between vendors and government agencies.

The gravity of the pandemic has only encouraged hackers to target businesses with more sophisticated attacks. All you need to do is look at how hard the healthcare industry has been hit to get a true sense of the damage that can be done. Simply put, no one vendor can take on thwarting these attacks alone. It’s vital that the entire security community comes together to stop these adversaries from ruthlessly targeting lean organizations, and we have seen growing collaboration between stakeholders.

For example, in March, we at Morphisec were proud to become the 32nd member of the Cyber Threat Alliance, the industry’s first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and stop cyber adversaries. Since then, we’ve been able to share important information around cyberattack campaign discoveries with members and contribute to what we hope will be a greater shared understanding of the cyber threat environment.

I don’t think there’s ever been a more important time for the security community to come together and do this, and it’s something I’m massively excited about.

2. WFH encouraging enterprises to swap outdated, reactive cyber approaches for proactive defense.

As organizations shift between work-from-home and hybrid environments, many IT teams have taken an important step to replace ineffective legacy and next-generation antivirus (NGAV) with innovative technologies that offer proactive prevention against unknown and zero-day attacks. This is exciting as enterprises have historically settled for low efficacy, high-cost solutions like EDRs, behavioral, and signature-based approaches. But now that their workstations and servers are distributed between the cloud, physical, and virtual environments, they’re increasingly turning to solutions that effectively and automatically stop the most dangerous attacks against workstations, VDIs, servers, virtual machines and cloud workloads.

Even Gartner has highlighted this as an integral step for enterprises looking for optimal protection against advanced attacks, admitting that organizations’ reliance on runtime protection instead of exploit prevention is a major vulnerability. They recommend that security and risk management leaders exploit prevention and memory protection before any virus or EDR tool. I think that as cybersecurity continues to prove its worth to C-suites — and they realize that cutting-edge cyber prevention is no longer a nice-to-have, it’s a need-to-have — we’ll continue to see this shift away from reactive approaches to proactive defense.

3. Enterprises with smaller budgets gaining access to world-class prevention.

What this pandemic has also highlighted is just how big the gap is between mid-sized enterprises and large deep-pocket organizations when it comes to access to first-rate cybersecurity. Organizations with lean security teams have been largely neglected to date as they’ve only had access to cost-prohibitive tools that are not only difficult to manage but actually force IT teams to sacrifice performance for protection. The challenges for these companies have only increased in the last year with work-from-home employees using unsecured devices and connecting to an endless array of cloud-based applications.

I think the tide is beginning to change, however, and that these organizations are starting to push back and demand complete security that stops advanced attacks in their tracks before they breach, and at a cost that fits into their existing budget. Considering the size of this market in the US, with hundreds of thousands of businesses categorized as mid-sized, this could actually transform the cybersecurity market for the better.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

1. The escalation and severity of attacks against enterprises.

The increase in new and unknown threats targeting organizations is a major worry. It seems like every day we shop online, we’re greeted with a headline of a new attack. And the damage left behind seems to be getting greater and greater. Take the SolarWinds attack, for example, that compromised thousands of businesses all over the world. Its fallout will likely be felt for years to come, with the company’s customers still falling victim to cybercriminals who have been able to gain access to their servers and steal their credentials.

The hackers’ success with this will only inspire them to boost how frequently they plan to attack organizations and also upgrade their methods to inflict the most possible damage.

2. Critical infrastructure being compromised.

Even more worrying, is the harm that these cyberattackers can inflict far beyond the bottom line of a business. We saw this in 2016 and again in 2020 when the threat of state-sponsored attackers targeting voting infrastructures caused great concern. My team at Morphisec has actually been working with the Department of Homeland Security to better protect their critical infrastructures.

But the threat doesn’t stop there. Every industry with valuable infrastructure is being targeted. Just look at the manufacturing industry. They’ve been targeted more than other industries since the onset of Covid-19, mostly because cybercriminals understand just how much damage they can cause if they’re able to gain access to their critical infrastructure. It would actually debilitate them and force them to shut down production on potentially life-saving healthcare treatments or other vital goods. Cybercriminals are crafty, and they understand that targeting critical infrastructures like these could result in larger payouts.

3. The human fallout of a cyberattack.

For the same reasons listed above, cybercriminals are also setting their sights on hospitals and other healthcare organizations that are critical 24/7 and therefore can’t afford a second of downtime. And the cost associated with this is much more severe — human lives. We saw this in Germany last fall when a ransomware attack turned fatal for the first time when a hospital’s IT system failed and forced a critically ill patient to be routed to another city. Even though the healthcare industry has quite honestly been battered since Covid hit, I think this was a major wake-up call as it highlighted just how willing hackers are to go after our most vulnerable members of society, as long as they think there’ll be a big payout at the end of it. The ordinary American has certainly taken notice, with a recent Morphisec study finding that 6-in-10 are more worried about a ransomware attack shutting down access to care in their time of need than they were a year ago.

What’s incredibly important to alleviate concerns around all of the above is an active defense strategy. No longer can organizations rely on legacy antivirus tools that are easily bypass-able. Rather than depend on technology that just tries to remediate attacks after they hit, technology that stops attacks deterministically and automatically, without requiring knowledge of threat type or manual oversight, and which are effective against advanced attacks such as zero-day and unknown threats. The cybersecurity landscape is evolving quickly and introducing more sophisticated methods and techniques of attack. With so much on the line in terms of the financial damage they can cause and of course, the human lives they can take, it’s vital that enterprises make these necessary changes.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Not only are they on the horizon, a lot of these critical threats are already here. We’re seeing threat groups come together on joint attacks and also working alongside nation-states. And just like other businesses, ransomware groups now seek to make more money by expanding their attacks to a broader landscape of targets. This often means hospitals, schools, and local governments, who are the most resource-constrained segments of our societal infrastructure and the ones least able to accept downtime.

Obviously having the world go digital in the last year has leveled the playing field in favor of cyberattackers and bad actors looking to leverage the chaos for their personal gain. However, the long-term repercussions of said crisis have certainly been prevalent and as we’ve seen, ransomware has been at the forefront of cyberattacks recently.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Last year, our threat intelligence team thwarted a ransomware attack on a Morphisec customer. Our team analyzed the Egregor attack and was able to compile detailed new evidence on how their latest attack chain is carried out.

Not only were we able to stop the attack before it ever happened, we were also able to generate a detailed report that sheds light on some very different techniques for initial access, persistence, and exfiltration than what is typically reported on with respect to the Egregor group.

Our incident investigation revealed that the Egregor threat group most probably exploited a VPN vulnerability to access the internal network from a Tor exit node. The attackers then scanned the network while looking for a vulnerable server. They quickly identified and exploited a second vulnerability on an old 2003 application server. This application server became our patient zero. The attackers then moved laterally between file share, application, virtualization, update, and secondary AD servers until they infiltrated to the AD. Next, they exfiltrated data through known services such as Mega Upload directly from the AD. As a final step, they encrypted the network.

As can be seen from the latest waves of ransomware campaigns, extortion, human-operated propagation, exploitation of VPN applications, and meteoric encryption are a landmark change in the current attack landscape.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

We specialize at Morphisec in securing the enterprise, but we certainly see cases where human error by employees leads to major breaches and lateral movement by cybercriminals. Although most employees, regardless of industry, know better than to engage with any email that, for lack of a better term, appears sketchy (misspellings, vague CTAs from management, etc.). However, as enterprises look to become more connected, they have to be especially vigilant of vendors that are outside of their organizations. Therefore, it’s not only necessary for businesses to set a robust cyber hygiene among their employees, but make sure that third parties that operate outside of the immediate business are also firmed up from a cybersecurity POV. This means being constantly wary of which email attachments they click and being on the lookout for spoofing — two prevalent methods of deploying ransomware.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

It varies by the type of security breach. For instance, there are best practices for responding to ransomware attacks versus responding to a campaign that was designed as an infostealer. For example, we have developed our incident response team, so people know when and how to respond to a breach of any kind. The Morphisec Incident Response team works collaboratively with client organizations to triage critical security incidents and conduct forensic analysis to solve immediate cyberattacks and provide recommendations for reducing an organization’s risk exposure.

Obviously, when it comes to breaches that involve ransomware, organizations are just warned not to pay the ransom. However, the reality is that organizations would benefit more from deploying the right tools that stop cyberattacks before they actually happen. That way, knowing how to respond to a breach is less of a concern.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

We see a lot of unnecessary duplication of efforts to block common attacks, coupled with unpreparedness to address unknown attacks and those that emerge through the use of unsecure suppliers. The Sunburst and Supernova attacks that leveraged the SolarWinds supply chain, which impacted 18,000 companies, have demonstrated that zero-trust needs to extend beyond the network and onto the endpoint. Zero-trust endpoint security means you are protected at runtime even when trusted signed applications like SolarWinds are the source of damage.

In a supply chain backdoor attack, the compromised software comes from a high reputation source with a trusted certificate, bypassing detection-based defenses. That trust of signed software is only at rest with the source supplier. Zero-trust endpoint security looks past this completely and assumes no historical or implied trust, protecting the software at runtime.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

Short answer: no. In fact, last month, Pew Research found that while women are well-represented in the healthcare industry, there’s still a noticeable gap between women and other job clusters like physical sciences, computing, and engineering.

For Morphisec as a company, and for me, attracting more women to cybersecurity isn’t just a question of altering sad statistics — focusing on diversity is good for business. Varied backgrounds, experiences, education and leadership roles create a stronger infrastructure for innovation.

Our CEO, Ronen Yehoshua, put it this way: “Women are severely underrepresented in the field of cybersecurity to the detriment, we believe, of the industry as a whole. Morphisec would not be on the growth and innovation trajectory it is today without the amazing women on our team.”

While women face multiple barriers to entry into cybersecurity including the deep-seated perception that STEM disciplines in general — and cybersecurity in particular — are inherently masculine, I was lucky to get first-hand experience in the field during my time in the army.

Even though I was already set on a different path, a group of bright, talented soldiers in a cyber unit opened me up to the world of computer science. As I watched their passion and dedication to working through challenges and experienced the thrill of seeing my own code run, I knew I was hooked. Today, my time in the army marks the first step in building the foundational knowledge that has accompanied me in my career over the past two decades.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

There’s a myth that it’s an industry for hackers only. If IDA is not your first tool of choice, you don’t belong in this industry. That’s so very wrong, there are so many different roles, in so many areas, starting from hacking and reversing, through pen-testing, development, customer support, marketing and sales, compliance, regulation, SOC, threat intelligence — you can find a role that matches your strengths and aspirations.

Another common myth is that companies need to spend a lot of money to be secure. The truth is there are too many tools, too much alert noise, and too much time wasted reacting and responding to every little event. An incredible amount of cost savings can be made by just focusing on preventing the breach from happening in the first place, and there are much more accessible and cost-free ways to do so.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

1. Listen, listen and listen: Even if you think you already know, start by listening. People have different outlooks and experiences, you can only gain by hearing from others.

2. Constant education is key: In an industry like ours, the picture keeps changing. You need to keep up, you need to be on the cutting edge. Read, sign up for courses, encourage your team to self-educate.

3. Don’t assume others know what you want: If you want a specific role, say it. In my first management role, others were offered the role. I finally got the courage to ask why I wasn’t, and my manager was pleasantly surprised to hear I wanted it.

4. Draw people out: Sometimes people don’t voice their opinion not because they don’t have one. I had a case where an expert on a subject was very shy, and wouldn’t speak unless asked. When asked, the ideas and thoughts he gave could sometimes vastly improve a project. So, remember everyone in the team is important.

5. Don’t be afraid to ask what you don’t know: People are sometimes afraid to appear stupid. When you ask, you would often find others didn’t know or understand either, or that people see and understand things totally differently. Some of what my role is about is ensuring the same level of understanding.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I follow some interesting hackers — Keren Elazari is one inspiration, Eva is another. I really enjoy reading your Inspirational Women in STEM and really liked the most recent article about Karrie Trauth of Shell and relating how her life experiences formulated her leadership path.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!