2021-09-08

Gaurav Banga is the Founder and CEO of Balbix and serves on the boards of several companies. Before Balbix, Gaurav was the Co-founder & CEO of Bromium and led the company from inception for over 5 years. Earlier in his career, he served in various executive roles at Phoenix Technologies and Intellisync Corporation and was co-founder and CEO of PDAapps, acquired by Intellisync in 2005. Dr. Banga started his industry career at NetApp. Gaurav has a Ph.D. in computer science from Rice University and a bachelor of technology in CS from IIT Delhi. He is a prolific inventor with over 70 patents.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in India. My childhood was electronics free and heavy on all sorts of books and playing cricket and squash. I first encountered a computer in 9th grade, and it was love at first sight. Long story short: I studied computer science and engineering as an undergrad at IIT Delhi. I then came to the US to do my PhD in CS at Rice University in Houston, TX.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

In 2009 I was working for a company building products for the US government. That is the time that many US companies and the government suffered a massive cyber attack at the hands of a nation state. I remember thinking at that time: “Cybersecurity is going to be a real problem. It is going to threaten our digital lives. War and crime are coming online. What can we do about it?” I started Bromium, an endpoint cybersecurity company, in 2010.

Can you share the most interesting story that happened to you since you began this fascinating career?

For my most interesting cybersecurity stories, I am bound by confidentiality agreements with customers and so can’t really talk about much.

Here is one that I can actually talk about from before my cybersecurity days.

There were a few days when the production of Shrek was stalled because of a bug in the data storage system that my then employer, NetApp, used to make. After many hours worth of movie frame rendering, our data server(s) deployed at Dreamworks would crash, erasing my previous day’s work. I worked every night for several nights in a row, all by myself, in an empty office in Redwood Shores, CA to find and fix the bug, and save Shrek.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I have had the privilege of numerous mentors all through my career and life, and have learnt a lot from all of them. I have always gravitated towards having multiple mentors at any given time, from whom I learn different things. Most recently, I am grateful to John Chambers (the former CEO of Cisco) from whom I learn how to be a better CEO every day.

Are you working on any exciting new projects now? How do you think that will help people?

Actually yes, we just recently launched the Balbix Cyber Risk Quantification solution to bring new capabilities to cybersecurity posture automation. The updated platform ingests and analyzes 100s of terabytes of data from dozens of cybersecurity, IT, and business tools to produce a single comprehensive view of cyber risk in monetary terms (dollars, euros, etc).

I expect this new offering to be game-changing — one of the biggest challenges with cybersecurity is that it is complicated and has thousands of moving parts. People don’t really understand their cyber risks and fail to mitigate their biggest risks before it is too late.

By quantifying cyber risk in money terms, Balbix makes it easier for everyone to understand the degree of residual risk and prioritize the risk mitigation activities they need to do. Imagine if security managers were able to reach out to stakeholders in their organizations and quantify the benefit of their actions: “You are reusing passwords between two of your accounts. This is leading to 7.5M dollars of additional risk to the business. Please change these passwords to be unique.” OR “While this group of systems has pending software updates, there is an additional 12M dollars of cyber risk.” OR “If we buy that anti-phishing service, we will reduce our risk by 35M dollars.” This is not something companies and government agencies can do today.

Ultimately, the goal is to reduce risk. But, infosec teams are always behind on the risk mitigation tasks they need to finish. Balbix also provides the automation that assists information security teams to quickly reduce the size of their attack surface by removing most of their manual and time-intensive tasks of cybersecurity. With better prioritization and faster risk mitigation activities, they are much better positioned to stay ahead of cyber attackers.

Additionally, we are currently working on new capabilities that will allow organizations to unify their cybersecurity posture across cloud and traditional on-premises environments.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

In cybersecurity, the one thing that determines success is the time it takes to contain a new risk event, which could be a newly discovered vulnerability, an indicator of compromise, or evidence of an ongoing attack. This is typically referred to as the mean time to respond (MTTR) to an indicator of risk. Every second that is spent not acting to mitigate such indicators of risk is a window of opportunity for the adversary. It’s crucial in cybersecurity to be fast and always on.

If I were to tell security professionals anything to avoid “burnout,” it would be to deploy some level of automation to alleviate the stress of having 10,000 things to do every day. For example, Balbix monitors our customers’ networks to automatically discover new IT assets, identify and prioritize vulnerabilities to save them from filtering through the thousands of alerts they receive a day, and kick off the workflow for asset owners to remediate them so they can reclaim a lot of their time.

Making use of automation also allows you to take time to get away from the screens. Finding time to get away from your computer is easier said than done; however, I find it relaxing and re-energizing to take a break from technology and explore the great outdoors with my family!

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Well, first off, I think the most exciting thing I am seeing is that more people are paying attention. Cybersecurity isn’t just an antivirus package you install on your computer, it’s much more complex. We are seeing the U.S. government debate cybersecurity policy, major corporations creating coalitions, and the general public watching, listening and caring more about cybersecurity now that they see their personal data is at risk.

Next, I would have to say emerging technologies are exciting to me. The proliferation of IoT means that cybersecurity tools now have to protect thousands of IoT devices, from the phones we are using to the cell towers they connect to, to the machinery manufacturing consumer products to the pipelines that transfer oil. The importance of applying protections to these devices and systems has been highlighted by the recent breaches of Colonial Pipeline, meat packer JBS, and several public utilities across the United States.

I think another exciting part of the industry today is how innovative it has become. When I first got into cybersecurity, it was a hardware firewall and the beginning of antivirus software — which soon became ineffective as viruses grew from a few to a few hundred. In just a few decades, cybersecurity has completely transformed. It now includes innovative uses of encryption, AI, multi-factor authentication and biometrics. But it should be noted that while the tools we use to combat cybersecurity threats have changed, the nature of cybercrime hasn’t changed all that much, it’s still the same game of cat and mouse.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

I think we will continue to see more ransomware attacks, though they will change over time. In the past, the purpose of ransom attacks was to infiltrate and lock a user out of their system. Now what we are seeing is a two-pronged approach for crippling an organization, the first is locking them out of their systems and the second is accessing and selling sensitive information — which is often more valuable than the system itself. Unfortunately, the barriers to entry are simple for attackers to overcome; a bad actor only needs a computer and access to the internet to obtain software capable of crippling companies and other organizations and exposing millions of records.

Going into the realm of mobile and IoT security, I also think we will see a rise in the surveillance and blackmail of high profile business executives and government leaders. This threat was highlighted in the recent exposure of NSO Group’s Pegasus spyware. It could also quickly trickle down to the average consumer.

The growth of both of these attacks shouldn’t be that shocking when it comes down to it; these attacks focus on gathering information to either be sold or returned for a profit. Until we change how we approach cybersecurity, I think bad actors will continue to target critical infrastructure and high-value people.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Sorry — I can’t answer this one in any specifics because of confidentiality considerations.

My takeaway from most of the incidents that I have been involved in is that the vast majority of incidents happen because of simple known vulnerabilities or human mistakes, and not because of complex, exotic methods of breaking in.

The problem in cybersecurity is that there are so many issues, and new issues arrive very fast. So even though each of these issues by itself is not that difficult to address, the overall situation is impossible. To keep up, we need to commit to maximizing the automation of cybersecurity posture management. We need to stop relying on cybersecurity methods that don’t scale. That’s the only way we’ll be able to get ahead of the adversary.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As the founder and CEO of a cybersecurity company, I obviously want to say, “I use my own product,” but to avoid the risk of sounding self-serving, I’d rather talk about the tools that some of our customers use frequently.

When I’m meeting with customers, I hear a lot of times that they don’t know how much of their network they have visibility into, and it’s shocking. Imagine you are an air traffic controller, monitoring planes flying overhead. You are tracking their direction and watching for potential risks. What if, as the air traffic controller, you are asked, “how many planes are flying over New York City, right now?” and your response is, “I’m not sure.” This analogy applies to cybersecurity. One example of a tool used by many of our customers is a network monitoring tool. These tools actively “watch” a network, ensuring traffic can run smoothly, applications perform as expected and only approved devices are able to access documents and other sensitive information. Security teams need to be able to see how big a company’s network is, who’s on it and what those devices are doing. Network visibility is one of the most important tools for security which gives enormous insight into potential breach risks.

I also commonly see next-generation firewalls. Firewalls act as a filtration system for data entering a network. By scanning software code and unauthorized network packets, firewalls are designed to deny access to any potentially dangerous code entering your network. While a firewall seems like a simple tool, it reaps massive benefits as the front-line security tool to keep bad actors at bay and your network secure. The other commonly used solution is an endpoint protection tool.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

One important criterion for moving to hire cybersecurity experts is when a company stores or handles a lot of personal information on behalf of customers. When that number reaches such a size that it has an economic value to cyber criminals, companies must employ professionals to protect it and ensure they are complying with global regulations for personal information. If a business is centered on the data of others, then it must make security a central part of their business strategy and employ a CISO or CIO and robust security tools from the very beginning of formation of the company.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs a layperson can see or look for that might indicate that something might be “amiss”?

What I would say is that if you do not have appropriate cybersecurity data, or if you know that not much has happened in the way of cybersecurity investments, you should assume that the enterprise has already been breached.

To get visibility, organizations should deploy an asset discovery and inventory solution and then perform continuous vulnerability assessments. Organizations can then figure out where they are weak. As they take steps to deploy protective controls, they might be able to eject the adversary from their network.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

First and foremost, after a breach, take the network offline, disconnect auxiliary devices, and isolate the devices which have been infected. This step is crucial to stop the spread of a virus or to stop a hacker from moving around your network.

Next, they must inform any employees, customers or partners whose data has been impacted. This is key in maintaining good relationships and building trust as they work through a challenging event. Some of the largest security companies have been breached themselves. Their proactive outreach after a breach — they were quick to admit the issue and worked with competitors to alert the industry — actually increased their reputation and business.

Third, after they have isolated the infected part of their network and informed their stakeholders, it comes time to remove the malware and compromised accounts, and begin the recovery process. Hopefully the company was prepared and the recovery process is relatively simple. The IT team restores critical systems from a previous backup while ensuring that forensic images and data have been collected to facilitate better security practices.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Privacy is closely related to cybersecurity, and many of the things you need to do to comply with privacy regulations are the same as what you should be doing to decrease your breach risk. Privacy regulation is yet another reason to do cybersecurity — the only difference being that now it is being mandated by the government: an organization is breaking the law if they don’t take their cybersecurity responsibilities seriously.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Although difficult to believe, one of the most significant drivers of breaches that involve personal data is simply not putting a password on the database. Systems with millions of personal records are accidentally left completely unsecured on the Internet and are open to any cybercriminal that wants to take them. This oversight comes from inexperienced developers or understaffed security teams that miss a configuration setting in a database. These systems are found in minutes by profit-seeking criminals, and then they are sold to the highest bidder while the company’s reputation is often permanently ruined.

The simplest way to mitigate this problem is to have employees buy into security and help secure the organization. By doing so, it not only frees up IT teams but completing these easy tasks greatly improves overall security posture.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Yes, absolutely. With a dispersed workforce, I think we all have seen an increase in phishing attacks. These can be malicious emails or texts disguised as a message from someone you know or trust, asking you to click a link, download software or log into your account. If you click on a link, a bad actor has the ability to gain your login credentials or personal information and can carry out a broader attack. It gets particularly dangerous when bad actors get access to employee credentials. They can use those credentials to freely move through a network without suspicion, executing malware and accessing sensitive company information.

To help mitigate the risk of phishing attacks, cybersecurity teams can start by training employees on how to recognize these types of attacks and how to properly escalate them to the security team. Not only will this help employees feel empowered to protect the organization, but it will also protect the organization from being the next victim in the string of cyber-attacks.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Security leaders need to discuss cybersecurity posture in monetary terms when presenting to the C-suite and the Board. Cybersecurity requires buy-in from the whole organization and starting from the top ensures security teams have the resources they need to stay secure. Executives and board members make decisions based on dollars and cents. To get started, security teams can download a CISO board presentation that the team at Balbix has put together. It is a 9-slide template that has been downloaded thousands of times. A presentation quantifying cyber risk in financial terms empowers security leaders — CIOs and CISOs — to present the actual costs of a potential cyber-attack to the board with clarity and accuracy. By doing so, security leaders are much more likely to receive the financial support they need to be effective.

2. Security teams should work with IT and other stakeholders to inventory all of their IT and IoT assets. On average, our customers’ guesses about the number of assets in their network are 25–35% lower than what is actually on their network. Having an accurate inventory of all assets allows companies to start to improve their security posture. You can’t protect what you can’t see.

3. Cyber teams should remediate their sources of highest risk first. In order to have the biggest possible impact on security posture improvement, organizations need to start with mission-critical alerts. Prioritizing alerts in terms of their financial impact on the business will have the greatest effect on overall risk reduction.

4. Establish strong user identity via multi-factor authentication. The ability to identify users who are trying to access enterprise resources or applications is extremely important. Strong user identities can be established using an enterprise identity and access management (IAM) product like Okta for robust multi-factor authentication and policy control where possible, combined with a password manager like 1password to enable good password hygiene across managed and unmanaged applications.

5. Finally, organizations should add automation to their security practices wherever possible. By implementing automated processes, they can reduce the strain on security teams allowing them more time to focus on the most important issues.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Two things:

People should spend some time understanding how their brain works, perhaps by reading Thinking, Fast and Slow by Daniel Kahneman, to become more aware about the strengths and weaknesses of human intelligence. They may find this understanding useful for life in the age of cyber, where digital technology can make anything sound real or reasonable and trick you, or hack you.

Some technical tricks: Turn on multi-factor authentication. Use a password manager. Turn on software auto-updates where possible. People should make sure they have backups for their devices. Always think before you click — it might not be what you think.

How can our readers further follow your work online?

At Balbix.com/blog/ and on LinkedIn

This was very inspiring and informative. Thank you so much for the time you spent with this interview!