Lack of collaboration, disclosure affecting APAC security posture

Threat actors are collaborating more effectively than legit businesses in the region, which aren't sharing enough intelligence with others in the industry, says Microsoft Asia CSO.
Written by Eileen Yu, Senior Contributing Editor

Businesses in Asia-Pacific still are not exchanging enough information and disclosing breaches in a timely fashion.

In fact, threat actors are "out-evolving" the industry not necessarily because they are smarter, but because they are collaborating more effectively, according to Michael Montoya, Microsoft Asia's chief cybersecurity officer.

"They are actively collaborating and sharing, which also makes attribution tough to determine," he said. "On our part, we don't share enough intelligence and aren't coming together as a community to share intelligence on attacks and breaches."

Elaborating on the importance of disclosure, Montoya said this would trigger the steps organisations and consumers needed to take as soon a breach was detected, such as changing their passwords.

And despite the fact that the region was the most frequently attacked globally, he said Asia-Pacific remained the least mature in terms of security posture and the technology used to combat security attacks and safeguard data.

Pointing to Microsoft's latest Security Intelligence Report, he said the region faced the highest number of ransomware attempts and locations that had the highest of such incidents included Myanmar and Bagladesh.

He noted that Asia was popular amongst hackers due to its growing middle-class and accelerated digital transformation. It also was home to some of the fastest-growing economies, such as Southeast Asian markets.

"So its attack surface are is constantly growing, but if you have an archaic defence posture, then hackers will take advantage of that," he said.

Things were starting to change, though, with ISPs and CERTs (computer emergency response teams) sharing more data and pockets of businesses within vertical industries collaborating more, he noted.

He also underscored Microsoft's belief that artificial intelligence (AI) and machine learning increasingly were essential in protecting corporate systems. Pointing to the software vendor's defence system, Montoya said Microsoft had to deal with 15 billion security alerts a day and was the second-most targeted organisation worldwide, behind only the US Department of Defense.

"Out of this 15 billion, [hackers] only need to be right once [to cause damage]". At the end of the day, it's our AI system that will help us win this battle," he said.

Apart from its ability to perform at scale, he noted that AI tools also enriched defence capabilities and offered data insights that then could be used to further beef up networks. In addition, AI helped establish attack patterns and identify new threats, as well as detect unusual user behaviour that could be flagged as a potential breach.

He added that phishing still was an effective tactic used to penetrate corporate systems because hackers aimed to exploit the weakest link of the chain--humans. However, as employees also were a company's greatest asset, it would not be an organisation's interest to hinder their ability to be productive.

Instead, businesses should deploy automated defense mechanisms including sandboxing so email carrying potential risks and malware could be filtered out before reaching the user's inbox, he said.

More importantly, employees also need to be more informed and aware of things that seemed out of place, he added.

According to Montoya, hackers were shifting their focus from file-based attacks to fileless attacks, targeting memory-based activities such as those running on PowerShell rather than using traditional methods of sending malware-laden files that had to be downloaded and executed.

Unlike file-based attacks, which could be detected by security tools, fileless attacks used applications that already were installed on the system and on whitelists.

Asked what were his key concerns as CSO, the Microsoft executive pointed to "grey areas" around government regulations that needed clarification and businesses that, worried about cybersecurity risks, chose instead to hold back their digital transformation efforts.

He also stressed the need to use AI more effectively to better predict attacks and establish better user behavioural models based on the insights.

Editorial standards