TahawulTech.com Interview with Anomali: Cyber Threats Facing the Middle East
Transcript
Hi.
We have with us Andrew de Lange, Intelligent Solutions Architect at Anomali, to talk to us about the unique threats facing the Middle East and what businesses can do to remain protected.
Tell us, when it comes to cyber threats, what are organizations in the Middle East up against?
Well, I mean, in the Middle East in general, and in the UAE, where we are based, the threat landscape has evolved quite significantly in the last couple of years because of digitization.
So the rest of the threats that the world has been facing have kind of migrated to the Middle East.
And with the massive influx of businesses that are popping up across the Middle East, I mean, the Middle East is becoming a bit of a business hub.
And a lot of companies are coming here and moving their activities here, which increases the likelihood of a cyber event.
So the general threats that have been in existence for so long: the social engineering threats like phishing, the malware threats like ransomware, which is a big thing.
Currently, there's a lot of ransomware attacks happening globally.
These things all kind of filter down.
But then you have a more significant nation-state type of threat as well, which we've been seeing a lot of, and a lot of activity, especially around the SolarWinds attack.
But much more focused on the Middle East, we have got threat groups like the OilRig or APT34 threat group, which are likely from Iran.
So we have that specific regional threat also.
So, look, they're going after government data, going after financial services; they seem to be going across many verticals and doing some widespread attacks over there.
So, yeah, it's quite a significant job to try and juggle these attacks that are coming from all sides.
Yes, absolutely.
So, I mean, has the global pandemic changed the threat landscape across the region?
I mean, I know it has changed, but how much has it changed?
Oh, absolutely.
With everyone kind of working remotely, we predicted this back when this whole thing started: the social engineering threat, where you have got these pandemic-themed or COVID-19-themed lures being sent in email, which would obviously compel people to click on them.
So those social engineering campaigns have significantly spiked.
And now there is the added, let's call it bonus, for the cyber attackers that people are working from home, which means that in many instances working-from-home policies, and security policies that apply to working from home, aren't in place.
So you have got these kind of weak points now, where you have got people that are so spread out and trying to access work resources, but in many instances they don't have access to corporate VPNs.
They don't have access to the corporate protection which the companies have obviously spent a lot of money on, to make sure that the perimeter is protected and the assets inside the perimeter are well protected.
Now, all of a sudden, you take those assets out of the network, and you still have to do business.
I mean, the ease of attacks has just increased so much.
Now, adding on top of that, after a year of 2020 where there was a massive pandemic, all of a sudden in 2021 these high-profile data breaches and these high-profile attacks are coming to the front.
Like, obviously, FireEye discovered that they were affected by SolarWinds.
Now, I mean, we're not naming SolarWinds here, but, you know, at the end of the day, that's what is kind of synonymous with the attack that happened there.
And then, you know, the very recent Microsoft Hafnium malware that we're seeing.
These are very sophisticated nation-state and highly, highly, highly dangerous cyber attackers that are attacking and breaching companies all over the place.
Security companies are even being breached.
I mean, you can count, almost on two hands now, and we're not even halfway into the year, how many high-profile breaches have occurred.
So if you think 2020 was kind of the layup, I think in 2021 there are definitely going to be a lot more interesting things that are going to come out, I believe.
Absolutely. Now, Anomali provides organizations with access to intelligence.
So can you tell us something more about what threat intelligence is and what the Anomali offerings are?
Sure. So threat intelligence is a broad concept.
Now, think about threat intelligence just in terms of this: threat intelligence is being a bit smarter about what it is you are trying to do when it comes to using data to protect your organization.
So you have got vendors in the market that are purely providing threat data.
So they have got sensors across the globe, and they're collecting a whole bunch of threat data, and then they push that down into a feed, a threat feed.
So you'll see vendors that sell threat feeds, or threat intelligence feeds, and then you'll see vendors that provide access to threat intelligence portals, and you will see things like open-source intelligence.
Now, a feed standing on its own feet is not intelligence, but a threat feed in a contextual environment, where you bring it inside of your environment and take that with your internal telemetry data and kind of marry the context and everything together, all of a sudden you're starting to look at threats more intelligently.
Now that's kind of a broad brush stroke of how I would define threat intelligence.
Now, adding data on top of threat information, because threat data, which is the feed, turns into threat information when you contextualize it, and then kind of making it more applicable to yourself and to your own organization, that turns it into threat intelligence.
And for that you'd need an actual program with human analysts and people that can actually do something with the data.
Now, where Anomali fits into that picture is that we provide the technology that supports that.
So our technology is an enabler for a threat intelligence program.
So, I mean, think about our platforms.
So we're kind of a three-solution company at this point. We have got ThreatStream, which is our threat intelligence platform, where basically all the situational awareness threat data comes from what we collect, from what our partners collect, and we have a massive, massive partner ecosystem of the threat intelligence provider vendors out there, from what they collect.
And we can give our customers access very quickly and very easily to that specific data, from our side or from our partner ecosystem side, as long as they obviously have licenses.
Then we have the Match solution, which takes that data and brings it into your organization.
So now what you're doing is you're bringing it in, and not just integrating it by protecting yourself and putting it into, like, a firewall rule; you're actually bringing that data into your environment, into our Match solution, and then Match runs real-time correlation against the threat intelligence that you have inside of your environment and the threat intelligence situational awareness data that you are collecting via our platform or some other platform that you may have access to.
And then we have Lens, a natural language processing plugin that can bring those two things together.
Now, there are some resources on the internet, which we will share, that people can go and have a view on how to deal with, for example, Hafnium.
And do something that a threat analyst would do, and which would take them days to do; we can basically do that in kind of a minute or so.
So that's kind of where we stand.
So Anomali provides access to the tool sets that can make lives a lot easier for a threat analyst and for a security team, but what we also do is provide guidance on how to build a program.
So we have got skilled people that have been building threat intelligence programs for many years.
I myself come from the customer side, from when I used to live in South Africa, so I was working in the banking sector in South Africa.
And I built threat intelligence programs for the companies that I worked for, and now, after joining Anomali, we do that for our customers as well.
So we have massive success with that approach, because building a program isn't as easy as just putting a technology down and then walking away from it.
It's building a program, putting a technology down, and then making sure that technology is being used as an enabler, and also that the processes are being driven by threat intelligence.
So if you have a threat intelligence team, they need to be plugged into the organization, and we provide the guidance and the assistance to our customers to make sure that there is a successful threat intelligence program inside of the environment, not just looking at what tools they're using.
Right.
So it sounds like threat intelligence is about more than just a single solution.
So how important are partnerships in this whole space?
Absolutely vital. In terms of vendor partnerships, we have an extensive vendor and partner ecosystem, which makes it easy for vendors to work with us and for us to work with vendors.
But looking away from that, if you are looking to build a threat intelligence program, the partnerships that we are talking about there are sharing communities.
So, sharing threat data and threat intelligence information and kind of things that you detect on your network.
That's not going to give you the upper hand competitively against, for example, if you are a bank, the other banks, and there are obviously multiple commercial banks.
If one bank decides to share with all the other banks some threat data that they have, or they can help the community grow, that is absolutely monumental, because once you can set up these sharing communities...
Now, these are industry sharing communities that we run within our platform, called Trusted Circles.
And you see a lot of these ISACs kind of popping up.
These are just communities; I mean, people have communities on their phones.
So where you have one analyst from one company and another analyst from another company sharing information back and forth, there's no intellectual property being shared, there's no actual competitive edge being handed over to my competitor; the thing that's happening is that we are fighting a fight against an attacker or an adversary that doesn't care about policy or, what do we call this...
Things like not being able to share data, the red tape.
They don't care about the red tape; they don't sit through change controls.
These guys are just always trying to fire the bullets; we are always trying to deflect the bullets.
Now, if my detection can help another bank inside of the UAE, for example, and this is where we have got the UBF sharing platform, which is driven by Anomali.
So we have got the UBF, and the banks inside of that community can share threat intelligence with each other to make sure that they are well protected.
This creates stability in terms of the financial sector as a whole.
And that's essentially what you need to do.
If you're going to go up against very, very skilled attackers, you need to be able to defend against them, and if I can't defend on my own, I need people behind me, and I need, obviously, a community behind me that can help me defend, because today I am going to find something that can help another bank or another organization.
I'm just using banks as an example because banks are kind of at the forefront of sharing.
So if I'm one government organization and I share information with another government organization in the Middle East, those two things are imperative.
Right.
So those two things, sharing data back and forth, are something that can absolutely give you the upper hand.
So, I mean, long answer to your very short question.
Sharing is caring, basically, and we should all kind of think about doing that when it comes to cyber threats.
Right.
Anomali has a very active presence in the region.
So can you tell us about some of your customers here?
Sure. We service customers across all business verticals.
These are customers that are, like I said previously, from banking to government to customers that are in the retail space.
So we don't focus on a specific vertical.
Obviously, threat intelligence and our platform do not specifically need to be in a specific business vertical.
So we service a lot of different customers.
They all have what we call PIRs, prioritized intelligence requirements, and that's one of the key reasons why we are so successful: because we help to build these PIRs for them.
So a bank and a government organization won't have the same PIRs; there might be some overlap in terms of the regional threats that are targeting them because they're in the Middle East, but there are some other factors that may be more important for a government organization than there will be for a financial organization, and we provide them with the skills and the know-how to basically build on their platform.
So some of our customers: in Saudi Arabia, for example, we have a big presence with telecommunications; we have got the UBF banking federation ISAC that's driven by Anomali here; and we have got, obviously, customers across oil and gas.
Just about us: it's good to say, or it's nice to say, that you are good or you have a good product, but when your customers do that for you...
And you just receive a phone call that someone else is wanting to partner with you, money can't buy that.
So we are absolutely driven for our customers, and we are absolutely thankful to all of our customers for making us what we are, not just in the region but globally.
So, yeah, and hopefully we can continue on the same route.