Interview: Ian Pratt, HP Security

There are not many constants in the world we’re currently living in, but one thing is certain: the need for enterprise-grade security, embedded in device hardware, is greater than ever before.

Ian Pratt, HP’s Global Head of Security for Personal Systems, believes hardware-embedded security paired with a robust cybersecurity education and cyber hygiene protocols for remote employees is core to any organization’s operational resiliency. Formerly the co-founder of Bromium, acquired by HP in 2019, Pratt has spent his career spanning industry and academia, inventing new technology and bringing it to market.

Now, he works to design and commercialize next-gen security technologies for HP—all of which are core to the business’ mission to engineer the world’s most secure devices, technologies and services.

What are the long-term security impacts of the pandemic, global lockdowns and the rapid mass shift to remote work?

What we’re seeing due to COVID-19 and the rapid shift toward remote work is an acceleration of trends that were already underway. Even simple IT work practices have changed immensely in the span of six months. Now, organizations have to figure out how to get PCs to employees with all the correct compliance protocols, credentials and certificates in place without dropping it off at an IT practitioners’ desk first. This can be a major challenge given our current circumstances.

HP understands this. For our part, we are now enabling organizations to order machines not only imaged - but also provisioned - with security credentials straight from the factory so employees can use them securely straight out of the box. This is important because we are at a point where endpoints must be able to look after themselves at every stage, in every environment, on every network.

This points to another emerging trend: the centralized role of the PC in remote and hybrid working environments. PCs must protect everyday users and their wider networks to ensure business continuity and protect against emerging threats. As mentioned, this can be done through zero-touch support and zero-touch onboarding, but additionally, through elevating the security culture throughout an organization—delivering regular cybersecurity trainings to employees and establishing measures that incentivize the practice of good cyber hygiene.

From a broader perspective, I predict that as the year comes to a close, we’ll start to gain a fuller picture of the residual effects of insufficient enterprise cybersecurity in the era of COVID-19. Then, once business leaders recognize these major implications, cybersecurity will begin to be seen as an operational requirement, rather than a cost-sink or innovation inhibitor.

What’s been the biggest shift you’ve observed from the criminal element and where do you think adversaries will turn next? 

It’s important that we recognize the maturity of the criminal supply chain, the commodification of criminal activity and the implications of criminal focus on yield management. Understanding these trends will help us predict where bad actors plan to turn next.

For instance, what would have previously been regarded as a high-level, nation state attack, is now regularly being perpetrated by cyber-criminal organizations. These organizations have reached a level of sophistication that we’ve never before seen—forming complex operational structures and contributing specialist skills to find vulnerabilities, build exploits and payloads and craft cyber lures.

Yield management has become much more sophisticated, too. In the event of monetary-motivated attacks, criminals play the long game to ensure they extract as much money as possible from a victim.

I believe a few factors contribute to the rising risk that we’re witnessing. Remote work is certainly one—people simply aren’t as vigilant about their cybersecurity protocol in home environments as they are in offices. In fact, 51% of end-users feel they’re not set up adequately for remote work, according to research by HP, and widely used network security solutions, like VPNs, are not always suitable for mass use.

For this reason, 77% of IT managers believe more remote work means more security vulnerability, according to HP’s research. Meanwhile, IoT continues to be a weak link and route for extortion. This attack surface is only broadening as more enterprise devices are brought onto home networks, where often work and personal networks remain un-bifurcated.

"This attack surface is only broadening as more enterprise devices are brought onto home networks"

How can businesses ensure their employees are safe as they return to the office by using technology and innovation?

The rush to facilitate remote work over the past months will have inevitably led to vulnerabilities, omissions or trade-offs that left CISOs gritting their teeth. Now, security pros are facing a new risk profile: one that will not roll back as the infection rate subsides. Many workforces are not willing to give up flexibility, so even as some offices begin to open up and workers look to return to these spaces (even if only on part-time basis with health guidelines in place), businesses really need to consider how they manage that process from a security as well as a safety point of view. Alongside temperature screening on the door, devices should also be screened.

As businesses and institutions look to the future to prepare for either partial or permanent returns to the office, they need to review their tools and technology choices, along with their policies and procedures. Before offices reopen, security professionals should ensure they’ve bulk patched for off or idle in-office machines before a user sits down in front of them. A lot can change in months of remote working, so it’s critical to get patches installed before they become a weakness in the corporate network.

Devices that employees bring from their homes back into the corporate network should be fully scanned for presence of any malware unbeknownst to the user. They should also be patched and brought up to date on all software (including firmware) to ensure they can stay safe.

Initially, many businesses are taking a phased approach to return their employees to work, by starting off a select set of employees to be inside their corporate offices for a select few days in a week. As these early returning employees are frequently in and out of corporate networks, they can cause an increase of the attack surface.

However, this also presents a great opportunity to incorporate new security protection and tools on their machines. Most devices are not equipped to autonomously recover or defend themselves. HP Security solutions take a zero-trust endpoint architecture approach where we have engineered ways for the endpoint to protect itself autonomously without having to rely on detection. By incorporating such tools into your workforce, organizations should be able to address most of their risks from returning employees. 

Where do you believe cybersecurity is going next?

Even though we’re seeing more maturity from cyber-criminals, the fundamental models and modes of attack have not changed: cyber-criminals are still getting in through endpoints, users are still being duped and inviting the attackers in.

Therefore, I believe cybersecurity is headed toward a cultural and technological shift where endpoints must be able to look after themselves—autonomously and in every environment. This should be table stakes for any CISO or procurement officer going forward in every tech purchasing decision they make. Why is this critical? Because most security is detection based. Bad actors have done very well at evading detection, using machine learning and automation to mutate malware to evade detection. It’s a large part of their malware development process. In fact, that’s one of the specialized functions in the kill chain—to do quality assurance.

This crisis has made it clear that businesses need to be able to manage remote endpoints in a way that provides real intelligence back to the business about how they are being used and the risks they are facing. They need to understand how existing security protocols may be helping or hindering the business and employees. Changes should be made to reflect new workflows and ensure security procedures support productivity.

"Recovery and remediation would be next-to-impossible if there was an incident like the NotPetya attacks in our present-day situation"

How will CISOs, the industry, and businesses plan for future “black swan” events? 

First and foremost, CISOs need to ensure quick fixes do not become long-term crutches. Point solutions aren’t sufficient to manage the level of risk businesses are now dealing with. Multi-layered defense must be in place to prevent attacks, detect those that do make it through and get organizations back to productivity, quickly, in the event of a breach.

To prepare for a black swan event, again, it’s more important than ever that devices are equipped to protect, detect and recover from whatever is thrown at them. That is the very first line of defense.

For example, if there was an incident like the NotPetya attacks in our present-day situation—when people are locked down and social distancing is being enforced—recovery and remediation would be next-to-impossible.

Thus, organizations must not only equip themselves with the proper devices that autonomously detect and prevent attacks, but they also must completely reframe their approach to onboarding and recovery. This will become difficult with “forever remote” workforces, but certainly possible if CISOs are up to the task.

Successful CISOs know it is critical to maintain operational integrity in a compromised state. They cannot afford to trade off on security and resilience for short term gains. They must remember that every security risk is also a reputational one. The cost of a breach is simply too high.

Criminals are only getting smarter. To keep up with the pace of change, I believe that we must work together and help CISOs rise to this moment and turn this crisis into an opportunity.

What’s Hot on Infosecurity Magazine?