Cloud Control: Q&A with Lou Rabon on Defending Against Nation-State Attacks and Advanced Persistent Threats

June 11, 2024

Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.

Lou Rabon on Defending Against Nation-State Attacks and Advanced Persistent Threats

Hey Cloud Control Readers 👋

We're back after an exciting New York Tech Week! I'm thrilled to bring you a conversation with Lou Rabon, the Founder & CEO of Cyber Defense Group. Lou’s got over 25 years in cybersecurity, and his insights are invaluable, especially when it comes to defending against sophisticated threats like nation-state attacks and advanced persistent threats (APTs).

In our chat, Lou dives into how Cyber Defense Group stays ahead of the curve by focusing on foundational security practices, proactive threat intelligence, and breaking down silos within organizations. He shares some eye-opening stories from his incident response experiences and offers practical advice on building a resilient cybersecurity strategy.

One of my favorite parts was hearing Lou talk about the importance of Privacy Engineering and how it combines technical cybersecurity with legal requirements, creating a holistic approach to data protection.

We also touched on the unique challenges of cloud security and how emerging technologies like AI and quantum encryption are shaping the future of cybersecurity.

Don’t miss this chance to learn from one of the best in the field. Dive into the full interview below, and stay tuned for more insights from industry leaders.

Cheers,

Ian

Question 1 💭

Lou, it’s great to have you on! With cyber threats evolving so quickly, what key challenges are you focusing on at Cyber Defense Group to stay ahead of sophisticated threats like nation-state attacks?

Answer 1 🎯

Thanks for having me! Threats are evolving quickly, so we keep an eye on discovered Tactics, Techniques and Procedures (TTPs) in the environments we are monitoring, as well as consuming information from DHS/CISA/FBI and various Information Sharing and Analysis Centers (ISAC). That being said, a majority of attack vectors relate to foundational security - basic hygiene such as access management and technical control configurations, which don’t require advanced threat knowledge.

Some key takeaways: ensure you are regularly testing your IR [incident response] plan across multiple domains (executive, technical, etc), ensure you have a unified view of your environment (to the extent possible) and break down silos when it comes to security as much as possible.

Question 2 💭

You've handled some pretty intense incident response situations. Can you share a particularly challenging incident you managed and what key takeaways others can learn from?

Answer 2 🎯

Yes, IR can be “fun”, especially as the lead, but it’s also intense and all-consuming. One of the most challenging IRs I worked on involved multiple business units of a large organization, each with their own CISO and tech teams. They operated in silos, with different technology stacks and security tools. One of the first things we did was to ensure we had full visibility into their environment by unifying their tool stack and dashboard(s). This allowed us to gain situational awareness quickly and contain the threat so they could get back to business.

Some key takeaways: ensure you are regularly testing your IR plan across multiple domains (executive, technical, etc), ensure you have a unified view of your environment (to the extent possible) and break down silos when it comes to security as much as possible.

Question 3 💭

You've got a lot of experience in both privacy and security. How do you see these fields intersecting more with increasing regulatory pressures?

Answer 3 🎯

Unfortunately, the regulatory environment for both cyber and privacy is a mess in the US right now. Cyber is under-regulated and privacy regulations have too many different rules (Global/Federal/State). Both are about data - knowing where your data is, how it’s being used and how it’s protected. So there’s a big convergence with cyber and privacy since they are interrelated. Privacy Engineering is new, and it combines the technical aspects of cyber and DevOps/IT with the legal requirements of privacy - bringing these three distinct areas together in an exciting, new way.

Question 4 💭

Cybersecurity-as-a-Service (CSaaS) is a unique offering by Cyber Defense Group. How does this model differ from traditional approaches, and what advantages does it offer to mid-market businesses?

The advantage of CSaaS is that it can be tailored to whatever aspect of a cybersecurity program is needed, and mid-market businesses can get a seasoned cybersecurity leader and team, without the overhead of full-time resources.

Answer 4 🎯

We work with many companies that have existing security teams, so what might traditionally be called virtual Chief Information Security Officer or “vCISO”, did not fit for larger organizations that have an existing CISO. Our offering is unique in that it’s custom-tailored to the needs of the businesses we work with. For instance, we have one large retail client that just needed a Managed GRC function, so that’s what CSaaS is for them. Another client needs us to run their Vulnerability Management Program. Clients that need a full security team to implement and manage their full cybersecurity program are getting CSaaS as well, but the market would call this vCISO. Although cybersecurity is complex, we have distilled it into 13 domains, like vulnerability management and incident response, which we can offer as a comprehensive program, or individually, based on the needs of each client. The advantage of CSaaS is that it can be tailored to whatever aspect of a cybersecurity program is needed, and mid-market businesses can get a seasoned cybersecurity leader and team, without the overhead of full-time resources.

Question 5 💭

Dealing with Advanced Persistent Threats (APTs) is tough. What are the most critical components of a solid APT defense strategy in your experience?

Answer 5 🎯

Catching and containing the initial compromise early is the best way to prevent an APT. Having a mature cybersecurity program with repeatable processes and conducting regular reviews is essential as well. Finally, having proper visibility into your environment, and understanding anomalous behavior can ensure that anything that might get past your initial defenses will be detected before the attackers can gain a foothold and take action on their objectives.

Attacks are getting more sophisticated and “hiding in plain sight” (i.e. using legitimate services and protocols) so organizations that are likely to be targeted for APTs need to have a very in-depth understanding of their environment and use proactive defense techniques such as decoys and continuous threat hunting.

Question 6 💭

You’ve seen many companies struggle with cybersecurity maturity. What are the most common pitfalls you notice, and how do you help organizations overcome them?

Answer 6 🎯

The biggest issue we see is either underinvestment into cybersecurity or overconfidence in technology alone. That means many companies are either not investing enough, asking one or two people to do the work of an entire team, which has a number of issues such as expecting them to cover strategy and governance, operations, security architecture, third party risk management, compliance, and incident response. That’s a lot for 1-2 people.

The other issue, overconfidence in technology, means that companies tend to invest most of their cyber budget into technology, such as endpoint, SIEM, etc, without a clear strategy or understanding of what the major risks are. Cybersecurity consists of people, process and technology, and most organizations are just concentrating on the technology part, which is what gets them into trouble

The other issue, overconfidence in technology, means that companies tend to invest most of their cyber budget into technology, such as endpoint, SIEM, etc, without a clear strategy or understanding of what the major risks are. Cybersecurity consists of people, process and technology, and most organizations are just concentrating on the technology part, which is what gets them into trouble. To solve this, we conduct Security and Risk Assessments for organizations to help them understand where they are as a first step. This helps benchmark their cybersecurity program. We also provide a roadmap as part of this exercise, so they can align business objectives with their risk appetite, and ensure they are not wasting money on things that may not have as much of an impact as they think.

Question 7 💭

With your global experience, how do you tackle the unique cybersecurity challenges different regions face? Can you share an example where regional considerations significantly impacted your strategy?

Answer 7 🎯

Most regions these days are under constant attack. Although geopolitical conflict can make it more likely that you are getting targeted with attacks (think Ukraine and the Middle East), the world is essentially equal these days when it comes to getting attacked.

Question 8 💭

Cloud technologies are everywhere now. What are the top security concerns you encounter with cloud-focused businesses, and how do you address them?

Answer 8 🎯

Cloud-native or cloud-focused businesses usually have a DevOps function, which means they’re pushing code, so securing their SDLC is a big concern. Also, if a company hasn’t started in the cloud but they are migrating to it from a legacy, on-premise environment, then there are misconceptions, especially about security, that need to be addressed. For instance, an IT person that has been managing on-prem infrastructure for a decade is going to need some training when it comes to cloud networking and access control configurations. Understanding what is where in the cloud environment, and properly segmenting access and data, is a big concern as well.

Question 9 💭

Cyber Defense Group has grown rapidly and been recognized for it. What strategies have been crucial to scaling your cybersecurity services while keeping high standards of security and customer satisfaction?

Answer 9 🎯

This has definitely been a challenge, and we’re still learning! We are attempting to automate parts of our internal processes, such as client onboarding, which allows for a more predictable and smoother experience for our clients, and allows us to scale as we grow. Our goal is to treat our services like a product, which can be challenging when one of our other value propositions is custom-tailored services. Ultimately, the thing that has enabled us to scale with high standards is our people: we have some of the most talented resources in the industry. Finding the right people has been a challenge, but we’ve determined that the best fit for an employee at Cyber Defense Group is someone with an entrepreneurial mindset - someone that can wear multiple hats, doesn’t need too much hand holding, and can get stuff done. Our current team is what has led to our success.

Question 10 💭

Looking ahead, what emerging trends or technologies do you think will have the biggest impact on cybersecurity? How is Cyber Defense Group preparing to integrate these advancements into its services?

As for post-quantum, we are at a point where certain entities, namely nation states, are storing petabytes of encrypted data so they can decrypt it once quantum computers become useful enough to do this on a regular basis. That’s why it’s important to start using quantum-resistant encryption as soon as possible.

Answer 10 🎯

There are two big things happening now that will affect cybersecurity: AI and post-quantum encryption. AI is overhyped at the moment, but when you think of an expert, automated system that can find vulnerabilities 24x7 - that’s a scary proposition for anyone, and our best defense against this is ensuring that our clients are continuously improving their defenses and minimizing their attack surface. AI is also great at social engineering, so awareness and training is becoming even more important.

As for post-quantum, we are at a point where certain entities, namely nation states, are storing petabytes of encrypted data so they can decrypt it once quantum computers become useful enough to do this on a regular basis. That’s why it’s important to start using quantum-resistant encryption as soon as possible. There are a number of solutions out there and we are advising our clients to start thinking about this and how to pivot from current encryption algorithms to the new quantum-safe ones.