Emerging tech helps companies but also enables criminals: McAfee’s Ian Yip

Emerging tech helps companies but also enables criminals: McAfee’s Ian Yip
Ian Yip
18 Oct, 2018

Enterprises are increasingly becoming aware of the need to protect against rising cybersecurity risks. In April this year, cybersecurity solutions provider McAfee surveyed 300 senior security managers and 650 security professionals in public and private sectors around the world and found that automation and gamification are key to beating cybercriminals at the workplace.

Automating processes and running gamification exercises at companies frees up time for innovation and make employees more aware of how to deal with cyber breaches.

Given the proliferation of connected devices in enterprises and the complexity of workflow processes, the cybersecurity firm recently launched a new enterprise security portfolio called MVision, a software-as-a-service (SaaS) offering that provides a single console to manage security across devices.

The company has also partnered with Satya Nadella-led Microsoft to protect Azure, its cloud services platform.

In a telephonic conversation with TechCircle, McAfee’s Asia-Pacific tech chief, Ian Yip, spoke about how cybersecurity is getting more complex as enterprises keep adapting emerging technologies rapidly. He also expanded on the security risks that blockchain and Internet of Things pose for firms. Edited excerpts:

There has been a lot of talk about how artificial intelligence can be used to battle cyberattacks and how hackers can use it to identify vulnerabilities first and then exploit them. How will this war be decided? What is McAfee doing about it?

In the field of cybersecurity, reliance on technologies such as AI and machine learning amplify the capabilities of humans, but this is true for both sides—security teams as well as cybercriminals.

When it comes to ML, good algorithms and large accurate data sources are crucial for it to work effectively. Organisations need to thus work with partners to ensure they can use this to their advantage. At McAfee, we are focused on remaining at the cutting edge of AI research and development and we continue to embed these capabilities across our solution set. We are driving an automated, integrated, collaborated approach to cyber defense to help facilitate better information sharing between security components within and across organisations.

Also, edge computing and Internet of Things are becoming necessary evils for today's enterprises. IoT is known as one of the weakest links when it comes to cybersecurity. How is McAfee solving this issue?

IoT devices are ubiquitous today and so are the potential security issues related to them. We need to look at IoT security issues as a larger societal system problem. To really solve it will take continued education and awareness, regulation, and ultimately, an over-arching focus on cyber safety culture to help ensure that security-and-privacy-by-design principles are embedded into the way that things are built.

This is different from the approach today when security is an afterthought and hence a built on. At a tactical level, cyber defenses should be architected in a resilient way that assumes the environment is already compromised and focuses on how risk can be managed in a way that protects the most critical assets.

At McAfee, we have various initiatives and research and development efforts to address both the systemic and tactical ways of tackling the problems. We are also working with manufacturers to understand their security concerns and build relationships with them to invent some of our capabilities so that they have basic protection capability to ensure security by design.

There is growing rhetoric in the industry about a shift from protection and prevention to detection and response. What are your thoughts on the same?

The conversation around cybersecurity is really one of risk – how can companies minimise the risk of data loss, downtime, user outages and more. Identify your most important assets and build defenses around those first. When framed from the perspective of risk, cybersecurity becomes the responsibility of more than the CTO/CIO/CISO and is shared by all business leaders as well as employees. Companies need to ensure a holistic approach across people, process and technology and develop an intrinsic culture of security and privacy by design is vital. It’s no longer enough to just have security systems in place.

Organisations can also consider using cyber maturity framework that consists of standards, guidelines and best practices to manage cybersecurity-related risk (e.g. NIST-CSF). They should also evaluate new technologies to automate tasks as much as possible to make security teams more effective and efficient. This, in turn, allows more time to be spent on ensuring that the security framework is providing a maximum level of protection and value to the organisation.

As India looks to join the digital revolution with the government and enterprises are turning to newer technologies such as AI, blockchain and IoT, what are the security issues that may arise? How can we better tackle them?

Blockchain holds some promise but it’s still at a very nascent stage particularly when it comes to cybersecurity. Currently, adopters of blockchain technology are prime targets for attackers due to the hype, lack of awareness around security risks and a widespread startup mentality in which security often takes a backseat to growth; cryptocurrency companies often fall in this category.

According to the McAfee Blockchain Threats Report, primary attack vectors on blockchain include phishing, malware, implementation vulnerabilities and technology. We can, therefore, say that emerging technology can be a double-edged sword as it is easily available to both defenders and offenders. For example, while on one hand AI/ ML can alert organisations of a possible breach, it can also help hackers understand breakable patterns. With emerging technologies gaining prominence, in-depth defense today is far more complicated than five years ago and it takes a lot of knowledge to understand all the moving parts.

To really tackle new emerging threats, companies need to evolve with the threat landscape and embrace digital revolution/transformation to wholly understand the inherent risks new technologies can pose.

Blockchain is another technology which everyone is talking about. It seems to be the panacea that can solve all issues existing today over a variety of threat landscapes. How secure are blockchain-driven networks? How can we use them in India to make certain sectors secure?

As I said earlier, blockchain implementations are still nascent but the point I would like to stress is that companies shouldn’t look at blockchain to solve a security problem. Blockchain presents a whole bunch of unknowns. Security issues with an application don't go away just because you've put it on the blockchain. The technology is useful when a trust problem needs to be addressed with multiple intermediaries but even then, there's only trust if you know that the blockchain hasn't been overwritten.

That said, from an implementation standpoint and not security, blockchain is transforming the way we conduct business by allowing customers to cut out the middleman in numerous vital services, reducing costs and boosting efficiency.

India is toying with the idea of utilising blockchain for land records, cross-border transactions and to combat counterfeit drugs among others. Indian banks can deploy blockchain for shared KYC details of customers, reducing the paperwork and ensuring the safety of personal information.

Another important area of application is for land records. Due to the immutability of transactional records, a single source of truth of ownership status is developed and reduces property frauds.

Other sectors that can benefit from blockchain include education. The Indian government is already in the process of implementing blockchain-based governance for digital certification.