Repelling A Ransomware Attack: Den Jones of Banyan Security On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Den Jones.
With more than 20 years of enterprise leadership and IT/Security implementation experience, Den Jones brings an invaluable customer perspective to Banyan Security. Den’s vision and strategy for leveraging zero trust was successfully executed at both Adobe and Cisco, protecting a combined 150,000+ workers and more than 200,000 devices.
Den most recently served as Senior Director of Enterprise Security at Cisco, and prior to that, he was the Director of Enterprise Security at Adobe. Under his management, Den’s teams delivered proactive enterprise-wide security services as well as customer-facing Directory and Authentication platforms. A well-respected member of the security industry community, Den serves on the Customer Advisory Board for Identity Defined Security Alliance and is a member of Microsoft’s Cyber Security Council.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
By eating lots of fruits and veggies ;-) my first piece of advice for today ;-)
I have been working in IT since 1995, running all things Infrastructure and Operations. Most of my career, however, has been at Adobe. There were lots of opportunities there and my career continuously evolved, changing roles every 3–4 years. Eventually, I found myself leading Enterprise Security. When I left Adobe in 2020, I joined Cisco to lead their IT Enterprise Security team. Recently, I joined Banyan Security as their Chief Security Officer in December 2021. During my time at Adobe and Cisco, there were common successes. I led the charge to deploy Zero Trust, which between the two companies covered over 150,000 users, over 200,000 devices, and over a thousand applications.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Originally, I was a postman walking the streets of Scotland delivering mail in the rain and snow. One of my best friends had loads of music gear (my biggest passion) and he shared how he worked in IT and how to get started. I immediately set about pursuing a career in IT. So, I really got here just so I could afford some great synths!
Can you share the most interesting story that happened to you since you began this fascinating career?
Around 2006, I ran the server team at Adobe. One of the admins ran around saying how a whole disk array had been stolen from our data center. We pulled the physical security team in, looked at the cameras, badge logs, and started to dig into the mystery. The whole time we informed our users about the outage to the platform, which was due for retirement. Anyway, it turned out as part of the retirement plan the disks had been moved and data cutover — our admin just forgot… Nothing was stolen, no harm, no foul… except maybe my heart took a slight attack… ;-)
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
I’d never say successful, as I’m always learning and always improving. I’m nothing like the leader I was 10 years ago. Over the years I learned…
Trust is everything, hard to gain and quick to lose. I once reported to someone who threw me under the proverbial bus… and in front of my peers slandered my character. Needless to say, everyone who knew me and heard him lost all trust in him that day.
Work Life Balance has always been something I try to practice; your people are everything so stop trying to kill them. At Cisco, I even blocked out Fridays in the calendar of my entire organization, implementing “no meeting Fridays” which was awesome. We still worked on Fridays, but there were no standing meetings so that our teams ideally could catch up on the backlog and wind down for the weekend.
Diversity is important; it’s hard and takes time, but everything from gender, ethnicity, skills, and backgrounds matters. It was always important to me to find people who covered my weaknesses and to build our organization with people who complemented each other.
Are you working on any exciting new projects now? How do you think that will help people?
Having recently joined Banyan Security as their Chief Security Officer, I would say, yes, the whole move is an exciting project! We’re a young, vibrant company with a great product strategy and great people. We’re working in an amazing space called security, it’s challenging with a lot of work to do — but highly exciting and fun.
We focus on offering a Zero Trust Network Access (ZTNA) solution, and while there are many out there, we know ours is first class — because my team at Adobe deployed it! ;-)
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
It’s evident that ransomware isn’t going away, and is still on the rise like last year. It’s often started by social engineering and then installs malware on a single host. The issue is that we still typically operate as if the corporate network is safe, which just isn’t the case when considering the nature of the attack and how VPNs and networks are configured. Wide open VPN access for employees enables broad access inside corporate networks, which then enables rapid lateral movement. If we don’t enforce minimum security on endpoints, then it’s possible those are subject to easy attack. If we enforce device security posture and turn office networks into guest networks for all users (with no peer to peer access), then we can seriously disrupt these attacks.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
One of the earliest forms was crypto ransomware where your files and data within a system would be cryptographically locked or encrypted making them inaccessible without the decryption key. Locker ransomware simply locks the user out of their system entirely, displaying a lock screen with a ransom demand and maybe a countdown timer to increase stress and urgency. Doxware or leakware threatens to distribute or make public sensitive personal or company information if a ransom isn’t paid. We’ve seen this variant often follow an initial crypto ransomware demand. And most recently, Ransomware as a Service or RaaS is the offering of pay-for-use malware that has quickly gained popularity. This means that amateur attackers now have the ability to conduct and manage ransomware campaigns, in which the developer of the ransomware strain receives a percentage of the ransom victim’s pay for the decryption key.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
Everyone needs to be concerned. Ransomware doesn’t care what industry you’re in, how big or small your organization is, or where you are located. These threat actors are looking for ways to get money at the end of the day and they don’t care where they get it from. On the one hand, ransomware shuts down a business, creating a business continuity issue, which cascades into a myriad of other downstream issues. Some are even business-ending events. For private individuals, ransomware can have both personal and financial impact, depending on the attack. And let’s not forget, being a crime victim is psychologically difficult, professional or private.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
Every ransomware incident should be reported to the U.S. government, no matter how big or how small the attack is. Victims can report their incident to the FBI, CISA, or the U.S. Secret Service. While this is a very stressful situation, it’s important to report these incidents to law enforcement to aid them in analysis, investigation and prosecution of cyber criminal activity. Additionally, reporting incidents helps update the data used to create advisories and alerts that provide organizations with critical information on different security issues, vulnerabilities, as well as current cyber crimes.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
Once a ransomware attack has been identified, it is important to notify employees that there’s been a breach and lay out what the plan is moving forward (which means you need a plan before an attack occurs). It is also important to disconnect devices from the corporate network given that these attacks spread via the network connection. This is especially important in today’s hybrid and remote work environments — even though you aren’t physically present in the office, you can still fall victim to the ransomware attack if you are connected to the network remotely.
As mentioned earlier, the next thing you will want to do is notify law enforcement about the incident. This is especially important if your company handles personal data on individuals and organizations as failure to notify could lead to major GDPR and/or CCPA violations, for example. This would have catastrophic consequences for the organization and its brand reputation.
Once more information about the attack is known, it will be important to notify all customers who might have had their data compromised. While this is a stressful conversation to have, it is always better to hear the bad news directly from the organization rather than a news outlet.
Lastly, organizations will want to conduct a full security audit and update all of their security systems. This will likely require a lot of time and money, but ultimately what’s most important is protecting your organization’s data and reputation.
Should a victim pay the ransom? Please explain what you mean with an example or story.
This is totally a business decision based on the event, and there are many considerations. In some countries, there are legal implications to such payments. There have been a lot of reports of payments being made to restore data. However, there’s evidence of there being additional demands where the victim may need to pay again, otherwise the data may be published on the internet. If you’re a U.S. company, I’d recommend contacting your local FBI field office and/or a reputable security incident response company. Of course, there are some who advocate that the act of paying a ransomware demand should in itself be illegal, as it then funds further attacks. It’s complicated, for sure.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
One of the biggest mistakes I see today is still an overall lack of basic cyber hygiene and technical knowledge. Today’s employees who have access to the corporate network need to have a basic understanding of cybersecurity as well as how social engineering attacks such as phishing occur. Knowing what to look out for is critical, which is why it’s important to have special training and workshops set up for all employees. Executive leaders and other decision makers also need to have cybersecurity literacy, knowing when to step in and be proactive rather than reactive. This involves keeping employees up to speed on the latest threats and what to watch out for while also updating all systems and hardware on a continuous basis, amongst other operational duties.
Another common mistake I see is organizations using outdated operating systems. Today’s cybersecurity threats are becoming more sophisticated and spreading quicker than ever before, meaning that the patches and updates to deal with vulnerabilities expand along with them. Having an outdated system essentially paints a giant, red target on your organization, as this is one of the primary things that threat actors look for when scanning the internet for targets.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
My recommendation goes back to what I was talking about earlier regarding basic cyber hygiene. If you take a look at some of the largest ransomware attacks that we’ve witnessed, basic cyber hygiene could have prevented a majority of them from occurring. We all need to be more proactive when it comes to maintaining cyber hygiene. This means continuously updating applications and operating systems on all corporate devices, changing passwords regularly and using multi-factor authentication, as well as conducting vulnerability management and continuous monitoring. Having this basic hygiene in place also paves the way for successful adoption of zero trust.
Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
In no particular order:
1. Change the wide open office network (or large networks where users and workstations are) into guest-like networks with no peer-to-peer access. Enable restricted access to very limited services (ideally that access is via your zero trust platform of choice). We’re trying to achieve what’s called Least Privilege Access, giving people access to only what they need to do their jobs.
2. Ensure Multi Factor Authentication (MFA) is required for all applications and services (especially internet-facing ones like VPN or support platforms).
3. Ensure your account hygiene is in order — disable any unused accounts (generic, ex-employee, vendor, or API accounts are often forgotten about). Removing access to applications and services that haven’t been accessed in the past 90 days is also an important practice.
4. Enforcing device posture is important to ensure things like a supported OS, patching, and endpoint security are in place and current.
5. To the extent you use passwords, enterprise password managers that help ensure unique and complex passwords are important as we often use several devices and different browsers. Longer term, consider using zero trust technology to move to passwordless access, which removes the attack surface that credentials represent.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
There are many perspectives on zero trust, but I like to think the area I’ve focused on has huge value. Improving both the employee experience and security at the same time is very rare.
Here are a few things we accomplished during my leadership at two global companies: In 5–7 months, we delivered zero trust to over 150k users and 200k devices. This meant no more need to VPN in or use usernames and passwords as the 1st factor during login. Implementing zero trust eliminated 90-day password rotations, which reduced password-related service desk tickets by more than 60%. Zero trust enabled application access for hundreds of employees during an M&A event without connecting our networks. It also enabled networks to be converted to internet access only.
How can our readers further follow your work online?
They can visit our website at: https://www.banyansecurity.io/ for all of our latest news, blogs, and more.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!