ISMG Editors: What's Next in Russia's Cyber War?
Also, Lawsuit Against Clinic With Poor Security; Gartner Endpoint Protection Trends
Anna Delaney (annamadeline) • March 24, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including how Russia's invasion of Ukraine in 2022 threw Russia's cybercrime ecosystem into a state of upheaval that still exists to this day, a lawsuit against a U.S. cardiovascular clinic that seeks a long list of cybersecurity improvements, and the latest endpoint protection technology trends in the latest Gartner Magic Quadrant.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Michael Novinson, managing editor, ISMG Business - discuss:
- How Russia's war in Ukraine has shifted the Russian cybercrime ecosystem and how experts tracking signs of Kremlin hacking say the country may be preparing for intensified cyber operations ahead of a spring offensive;
- A proposed class action lawsuit against an Alabama cardiovascular clinic on behalf of the nearly 442,000 individuals affected by a data exfiltration breach that potentially compromised a wide range of sensitive patient information;
- Microsoft and CrowdStrike's dominance of Gartner's Magic Quadrant for endpoint protection.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the March 10 edition discussing the new U.S. cybersecurity strategy and the March 17 edition discussing whether the Silicon Valley Bank crash will kill cybersecurity innovation.
Anna Delaney: Hello, I'm Anna Delaney and welcome to the ISMG Editors' Panel where I'm joined by three brilliant ISMG colleagues to discuss and dissect the latest security trends and technologies. Party time again this week with Marianne Kolbasuk McGee, who leads our healthcare coverage, Michael Novinson, who heads our business analysis, and last but not least, our cybercrime wiz Mathew Schwartz. Great to see you all again today. Where are you, Michael?
Michael Novinson: I am at DePasquale Plaza in Providence's Federal Hill neighborhood. It's about the closest you can get to Europe without actually going to Europe. It's the historic Italian American neighborhood in Providence. They've got the pine cone hanging when you enter, the median in the road is painted red, white and green for the Italian flag, and you can find some great ravioli and gelato. So, not a friend and last week took them over there, had a great time.
Delaney: Yeah, it does have that Italian feel to it. It's gorgeous. And as long as there's gelato, we are all good. Marianne, a beautiful landscape again today. Is that early in the morning?
Marianne McGee: Oh, actually last evening, again, taking the dog for a walk. It's a golf course that's like not that far from where we live. So yeah, just before sundown so.
Delaney: Nice. Nice pink skies. Mathew, some street art again. Love it.
Mathew Schwartz: Thank you very much. I'm hanging out outside Shotz, which is a pool and snooker hall here in Dundee, Scotland, but I just love the 8 ball.
Delaney: Yeah, very cool. And I'm in Paris, why not? Outside a flower shop. I thought it was appropriately pretty, springlike. So there you go, sharing it with you today. Mathew, starting with you then. For over a year now, quite honestly, the cybersecurity world has been focused on one country and the dynamics that the invasion of Ukraine has caused, so Russia's movements and how that will impact the cybercrime world. And you've reported that some experts say that the Kremlin may be preparing for intensified cyber operations ahead of the spring offensive. So just talk to us about what they're saying. And what's the reasoning behind this?
Schwartz: Yes, so it's been over a year now since Russia intensified its invasion. And what happens next isn't clear, although there is open-source intelligence and reporting, for example, from the British military, about what they think Russia might be preparing to do. And so British intelligence has reported that since early January, there have been signs the Russian military's attempting to restart major operations, in particular, to try to recapture an area in the eastern part of the country. Now, one of the fascinating things to me about cyber operations during this conflict: there's two main things really. One: the cyber war everyone was expecting never came to pass. And I think there's going to be volumes of PhD theses written about why this didn't happen. But the short version seems to be it's easier to use things like missiles and artillery to hit targets than to expend valuable zero-days to attempt to achieve the same effect. So we've seen cyber used in more supplemental ways throughout the conflict. And the other really interesting thing to me is we've seen organizations such as Microsoft, which has a massive in-house Threat Intelligence division, among other organizations - Google's another - really sharing some interesting insights about what exactly is going on when it does come to these cyber operations. So Microsoft has just put out a report recently: We're seeing an uptick in, for example, ransomware being used in the conflict, not as part of a money-making scheme, but rather for destructive activity. There are signs that Sandworm, a well-known Russian state attack group, has been honing its destructive malware capabilities. Again, everyone was expecting destructive malware; they were expecting reprisals against the West or anybody who helps Ukraine. Largely, we haven't seen this come to pass, thankfully. We did see some wiper malware, but it seems to spike.
So, with the invasion last February 24, we saw a lot of wiper malware in March and April, and then it really declined. There was a small surge, however, at the end of 2022, and there's a suggestion that maybe Russia has gotten its wiper malware reserves back up and is ready to use them again. But what seems to be happening - and the Ukraine government said this as well in a report that it recently released, recapping what it has seen during 2022 - what seems to be happening is while Russia has got some really great cyber capabilities, it's keeping them for stealth. And that means for cyber espionage efforts, which it will attempt to run over the long term, as we saw, for example, with SolarWinds, which has been attributed to the SVR, Russia's foreign intelligence service. So, again, with Sandworm, which is part of Russia's GRU military intelligence agency, when they have these capabilities, they like to keep it low, slow, quiet, so that they can use them, in particular, against organizations that are supporting Ukraine, not necessarily to disrupt their systems, but for classic intelligence efforts, meaning trying to divine what decision-makers are thinking, what they're planning on doing, which is the role of intelligence. Intelligence helps organizations - not organizations - helps keep countries from going to war, or if they are at war, to hopefully make the conflict less intense, because if you know what they're going to do, you can react, hopefully in a more low-key manner. And so this is Russia wielding its intelligence capabilities. Again, we have seen cyber; it hasn't been the flavor of cyber or the extremes of cyber that some may have thought. But we're continuing definitely to see that. And Russia is refining its efforts, still seeing phishing attacks, all that sort of thing, but espionage over outright hitting-you-over-the-head-with-the-cyber-operations. That's what we've seen so far in the conflict.
And that's what these experts are predicting we'll see more of.
Delaney: Very interesting, and I recommend anybody watching this now to go and watch your interview with Alexander Leslie, analyst researcher at Recorded Future. I thought that was fascinating. And it looks at how this space has evolved, how the cybercrime, especially for Russian cybercriminals, how they've shifted over the year. And what I found fascinating, in particular, this talent drain from Russia and Ukraine, the role of hacktivism. And the impact on the Russian-speaking brotherhood is very interesting. So what was your main point of interest from that interview, or anything that surprised you? Love your perspective.
Schwartz: Right, so yeah, I was talking about Microsoft's threat intel, Ukraine's threat intel; so many fascinating aspects have come out of the conflict, horrible though it is. One of the upsides we've seen, though, is, as you mentioned, Alexander Leslie, Recorded Future, he's deep into the Russian cybercrime underground and analysis. And he's seen a brain drain, an IT brain drain from Russia, Ukraine and some of the neighboring states. And this brain drain has included criminals. And he said a lot of criminals, it's not clear what's going to happen. They fled. And so these local networks they were plugged into are gone. And maybe they're turning up in other countries, maybe they've immigrated to Western Europe, for example, and they seem to be keeping their heads down. So that's been one of the main takeaways for me: we just don't know how this is going to shake out. So much cybercrime is associated with Russian speakers. But when those Russian speakers are no longer in Russia, in this safe haven they have had - provided they don't attack Russia - what happens next? Hopefully, there'll be a diminishment in cybercrime. Obviously, where crime is concerned, we don't know. Thieves love to thieve. So we'll see what happens.
Delaney: As ever, great work, Mathew. And yeah, I look forward to hearing about what happens next. As you say, not great news for the world. But interesting in terms of threat intelligence and where this is all moving. Marianne, you have written this week about an Alabama cardiovascular clinic, which is facing a proposed class action lawsuit. What are the details?
McGee: Well, as we often see in large data breaches, you know, once there's a large data breach reported, and particularly in the healthcare sector, there's sort of a race to file class action lawsuits against the breached entity. And as you mentioned, the case that I wrote about this week - and there's been so many of these cases - but I'll tell you why this is unusual. This case involves an Alabama-based cardiovascular practice called Cardiovascular Associates. And the lawsuit was filed by one of nearly 442,000 individuals who are affected by this data exfiltration breach that the clinic reported last month to the Department of Health and Human Services. Now in this breach, there was a wide range of sensitive patient data compromised, including personal, clinical and financial information. And like other proposed class action lawsuits that get filed in the aftermath of a data breach, the plaintiffs and class members in the CVA lawsuit are seeking monetary damages. But what stood out to me in reading the lawsuit complaint was there is also a long list of very detailed kinds of security improvements that the plaintiffs and the class members are also seeking from CVA as part of injunctive relief. That includes CVA implementing and maintaining a comprehensive information security program, encrypting old data, implementing data segmentation, but then also requiring 10 years of annual court-monitored SOC 2-type attestations that would be conducted by an independent third-party assessor. Now it's become more common for class action lawsuits in breach cases to include demands that a breached entity improve its security. But this was one of the more detailed requests that I've seen in a lawsuit complaint. So far, not much has been revealed by CVA about what happened in the security incident.
CVA reported the breach to federal regulators as a hacking incident involving a network server, and CVA said in its breach notice that the incident involved unauthorized access and removal of a copy of data from the network between November 28 and December 5 of last year. But beyond that, the organization has not been very forthcoming about other details, such as whether ransomware was involved or something else. So because we don't know exactly what sort of incident occurred, that could explain why this lawsuit against CVA pretty much throws the kitchen sink at the entity in terms of all the security improvements that are needed. That lawsuit includes allegations, as many other lawsuits often do in the healthcare sector, that CVA failed to implement security guidelines called for under the Federal Trade Commission, HIPAA regulations, and also the NIST cybersecurity framework. But also in the future, it'll be interesting to see if these kinds of lawsuits also end up citing other regulatory failures by breached entities, such as failures to implement any of the yet-defined minimum security standards that are being called for under the Biden administration's National Cybersecurity Strategy, especially as it involves critical infrastructure sectors like healthcare. So it's sort of an interesting case; there's so many of them, but like I said, this one's pretty detailed in what it wants this entity to do.
Delaney: So many of them, as you say, and so what can other healthcare entities take away from this?
McGee: Well, you know, again, some entities are more forthcoming than others in terms of how much information they'll, you know, divulge about their breach. You know, whatever the failings were of CVA, they might be similar to what other entities are facing, you know, and not only in their day-to-day operations, while they might be avoiding a breach, and sooner or later, something like this could happen to them, too. So it's, you know, it's just one of these things that you don't want it to happen to you next sort of thing.
Delaney: Absolutely. Thank you, Marianne. Well, Michael, you were looking at the Gartner Magic Quadrant for endpoint protection. What are some main takeaways for you?
Novinson: Absolutely. And thank you for having me, Anna. So I think the top of the latest Magic Quadrant for endpoint protection is not a huge surprise. The category leaders at this point are pretty clear: it's CrowdStrike and Microsoft. You look at market share data, you look at growth rates, they are head and shoulders above the rest of the field, growing much faster than the endpoint security market as a whole. Market share is double or triple that of any of their competitors. And the Gartner Magic Quadrant is firm, from a technology standpoint, that their analysts and the customers they interact with find it superior in terms of the range of use cases it can address, in terms of the different form factors, in terms of its efficacy at stopping threat actors. So, the top was not a huge surprise. What was interesting is, as you started to move down, how they saw the rest of the market shaping up, but there certainly was some misalignment between kind of market share data versus where the MQ was. And I guess that makes sense, that the MQ is trying to predict where the market is going rather than simply telling you, "Here's where the market is today." So they really are leaning into these next-gen pure-play EDR providers. You saw SentinelOne is up there, which they had been last year, too. You saw Cybereason move up into the leaders quadrant, even though they're not in the top 10 of market share whatsoever, and they have had some layoffs in the past year. And then you saw in the other direction, you saw Trellix ended up as a niche player, even though a year ago, they were evaluated as McAfee before their merger with FireEye and they were a leader. So you're seeing longtime companies at the leaders quadrant, Symantec under Broadcom's ownership is not a leader, even though both of those companies have pretty large market share. So I think they are looking for companies who have focus in the market.
Some of the things that were relevant to the Gartner analysts were really around who is adopting this technology at this point, is that the endpoint protection market's fairly mature, that large sophisticated organizations with decent-sized security budgets have either a next-generation offering or they have a cloud-based offering. And really at this point, what the remaining adopters who are still maybe on a more conventional on-premises, antivirus signature-based platform are, are really some of the smaller, less sophisticated, more resource-constrained companies. So really, what Gartner put a lot of weight on is how capable a vendor was in supporting smaller, less sophisticated buyers. So they really were looking for MDR; they actually held off on publishing the MQ because they wanted to take a deep dive into what companies were doing around MDR, how many customers were consuming their endpoint protection on a managed basis, as well as what the road map looks like around MDR. So that really did help a company like Cybereason, which, according to Gartner, has a larger percentage of its customers consuming endpoint protection via a managed service than any other vendor who they evaluated. Conversely, Trellix, who had historically, on the FireEye side, had a large managed security division through the fact that you had FireEye products, and then Mandiant services. But since FireEye was split off from Mandiant, they're no longer together. Gartner, I thought, that over time that would really impede their ability to deliver as a managed service, especially since the two are only really tied together for three years at this point. So that was a big deal. Then obviously, the other thing that's hanging over this is really the question of standalone EDR versus XDR.
And certainly, some of the broader platform vendors had some quibbles with Gartner saying that if you really only have native endpoint telemetry, if you're CrowdStrike or SentinelOne or Cybereason, and you're really focused on the endpoint, how can you do what we're able to do at Trend Micro or Microsoft or at Sophos, where we get network telemetry, and we have email telemetry, and we have all these different points, which we're able to natively ingest and reach broader conclusions. So there's really, I think, a question of how are customers procuring this technology, are people really procuring endpoint protection, separate of XDR. Are they looking to buy their endpoint and their network in their cloud security from a single vendor? So the consolidation question is always top of mind.
Delaney: So, you said it also looks at the year ahead, how the space will evolve. What's going to happen?
Novinson: So, good question. I mean, I think certainly at the top, I think there's little doubt that as contracts come up and folks look for renewals, that CrowdStrike and Microsoft are the top choice. What the analysts from Gartner outlined, there's just kind of how - which companies appeal to which buyers the most. CrowdStrike is really that technical buyer, those large, sophisticated companies in sectors like financial services; whether it's somebody who's really looking at the efficacy of technology, then CrowdStrike is just the Ferrari and those people love it. Microsoft tends to be most popular with kind of a non-security buyer. If you're having a CIO or you're having other members of the C-suite, the CFO, and they are in really the consolidation that they're able to do with those E3 and E5 licenses, where they're able to bundle some of the office productivity with some of the security and you reduce your vendor staff, and that's really appealing to maybe a non-security buyer. And then SentinelOne, who really came in third place essentially in the quadrant, has done a lot around on-premises deployments and being able to support not just Windows OS but, through a lot around legacy and current generation Linux and Apple, then SentinelOne tends to be a popular choice for folks in manufacturing or maybe in retail, who have a little bit more specialized need. SentinelOne has a pretty broad range of environments that they can support. So that was certainly one piece of it. And then I think the other piece is really just going to be around how this market shakes out, that you have companies who've been around a long time. And you also have companies like Cybereason who aren't yet public. We've seen a lot of consolidation already in this market, with the formation of Trellix, with Broadcom Symantec, now with potentially VMware and Broadcom coming together, which would bring together the legacy Symantec endpoint with the legacy Carbon Black endpoint.
And so I think just watching continued consolidation and how vendors can manage bringing two disparate platforms together while minimizing disruption for customers is going to be interesting in the year ahead.
Delaney: Very good, thorough analysis, as always. Thank you, Michael.
Novinson: Welcome.
Delaney: So finally, as spring is in the air, the day is beginning to feel brighter and lighter. I'd like you to share something we can all feel positive or hopeful about as an industry.
Novinson: I could start. So this is going to be a little sneak peek. I might go into this in more detail in a future Editors' Panel. But I've been crunching some data around headcount in the security industry, particularly with public companies. And the good news is that despite all the layoff announcements, headcount is growing, and among publicly traded security companies, the average public company grew their headcount 15 to 20% last year, despite the odds, despite the economic headwinds. So I think really, the big point is that headcount is much more tied to revenue than stock price. So even though public companies' stocks took a major beating, if companies were growing their revenue by 20, 25, 30%, they need additional boots on the ground, feet in the SOC, in order to support all these new customers in the expanded deployment. So hiring is continuing aplenty in cybersecurity.
Delaney: Interesting observation. Thanks, Michael. Mathew, go ahead.
Schwartz: Sure. So one of the things that gives me hope is the continued disruption by law enforcement of cybercrime groups or individuals accused of being involved. For example, we just recently had the takedown of the alleged administrator of BreachForums, aka Breached. And after he got arrested, it was taken over by a new admin, who subsequently shut it down because he reported seeing something unusual that made him worry it had been infiltrated by law enforcement. Was it or wasn't it? Who cares? Because it's ended up in this disruption, not just the alleged administrator, but of this cybercrime forum he was running - was allegedly running - that was buying, selling all kinds of information. So I love this law enforcement disruption model where they don't just arrest the alleged perp. But they managed to inject some uncertainty into the proceedings, to the point where, yes, this may get restarted in a different guise. But the more disruption we see, the better it is.
Delaney: Very clever and positive news. Absolutely. Marianne?
McGee: Well, I don't think anyone likes more regulation. But, you know, coming this spring, probably into summer, we'll see maybe some more clarity from the Department of Health and Human Services about some of its plans for the HIPAA rules moving forward. They've been kind of floating, you know, so-called modifications for a while. And then also there's some new guidance that will be coming out, joint guidance that's been developed by the Department of Health and Human Services and the Health Sector Coordinating Council for healthcare industry cyber best practices. Again, you know, probably some heavy reading there, but it could be helpful to the industry.
Delaney: Absolutely. Positive news all round. This is great. Fun, as always, as well. So Michael, Marianne, Mathew, thank you so much for joining me.
Schwartz: Thanks, Anna.
McGee: Thanks, Anna.
Novinson: Thank you.
Delaney: And thanks so much for watching. Until next time.