Andreas Schneider, Group CISO at TX Group, tells us how the Swiss media company required a threat detection technology that could secure its Zero Trust deployment and more importantly, take automated responses. The organisation was looking for a simple and modern solution that could be primarily operated centrally, but also decentralised for those who require it and it found this in Cybereason.
Andreas Schneider, Group CISO at TX Group, is tackling one of the greatest unsolved problems in cybersecurity today: ‘how can we thoughtfully automate our security team?’
This is a tall order, especially in light of our ever-evolving world. The pandemic has not only changed the face of remote work, but has forced nearly every company today to re-evaluate their development, IT and security strategies. Adversaries are launching more attacks with automation and have become ruthless with data theft and extortion to achieve ransom demands.
Since 2018, TX Group has worked to be a cloud-first company, adopting a Zero Trust framework and an agile security strategy. This means that instead of a hardened perimeter with firewalls and VPN, users should be able to access all of their business applications from any device, any time and anywhere.
In order to secure a work anywhere environment, Schneider wanted a solution that not only provided direct visibility into global endpoints, but could monitor and understand access to critical applications across cloud and on-premises. For example, if an unknown or Bring Your Own Device (BYOD) is being used to access an application, always require Two-Factor Authentication (2FA). Or, if malicious operations have been detected on an asset, automatically limit the associated user’s access to critical applications.
In the past, Schneider and his team had used multiple security information and event management (SIEM) tools. The data lake approach didn’t meet the company’s needs: there were visibility blind spots, manual work when reconciling events and there wasn’t a reduction in mean time to respond (MTTR). TX Group didn’t want to centralise log data in a single place — it wanted a threat detection technology that could secure its Zero Trust deployment and more importantly, take automated responses.
Since 2018, TX Group has looked to Cybereason EDR to protect Windows, Mac and Linux endpoints across the company and its subsidiaries. Cybereason was originally chosen for its flexible support for on-premises and air-gapped environments, strong pre-built detection coverage, and because Cybereason exposes Malops (malicious operations), a fully correlated narrative and deep context about an attack as opposed to individual alerts and alarms for each detected behaviour.
The two teams worked closely together to extend TX Group’s detection and response capabilities across cloud services and infrastructure. With direct integrations with Okta, Google Workspace, Digital Shadows, Fortinet and AWS, Cybereason XDR automatically surfaces anomalous user behaviour and insider threats, and makes it easy to understand the full attack story behind any incident.
Since expanding to XDR in Summer 2020, the team has gained more visibility, identified multiple suspicious behaviours including MFA bypasses and other Okta intrusion attempts, and has already set up a first Slack notification and response bot to reduce remediation time and efforts. Unlike SIEM tools, Cybereason correlates endpoint telemetry against user identities and access behaviours. This approach detects threats that would otherwise be overlooked as weak signals and greatly accelerates incident triage and investigation times.
Schneider continues to update the board at TX Group on the implementation of its agile, Zero Trust security strategy. Because it chose cloud-first, the TX Group team reduced its overall attack surface, friction to end-users and even its number of incidents — in spite of the pandemic and rise in cyber-attacks. Instead of investigating individual alerts and tools, the team is focused on the broader mission: ‘Which of my users and assets are at risk? Did our user click on a phish and enter credentials or download malware? If yes, automate the response where best feasible’. Both teams are looking forward to expanding the XDR deployment across more TX Group brands and adding new use cases that enable focusing on the relevant chain of events.
We caught up with Andreas Schneider, Group CISO at TX Group, to find out more about the solution and its benefits.
Can you tell us about your role as Group CISO and the scope of your responsibility?
My mission is simple – make sure that we are not getting hacked. We are the largest private media group in Switzerland. Our business is diverse – including FinTech, traditional paid newspaper, free news apps, online marketplaces, a realtor platform, job searching sites, advertising services and many more. We also act as a VC in Switzerland, looking for inspiring startups that fit our portfolio and vision. In regard to cybersecurity, I am responsible for all of it, starting with due diligence reviews for potential investments, then of course our overall infrastructure, and I am also deeply involved in our product security.
What challenges were you looking to overcome ahead of the implementation?
Every company in our group has its own CTO, a unique technology stack and a unique culture. We were looking for a simple and modern solution that can be primarily operated centrally, but also decentralised for those who require it. We are a cloud company, but for some areas like newspaper printing, we need on-premises deployments. Due to the difficulties in rolling out several security solutions, we tried to find the one tool that is the most effective.
Why did you decide to work with Cybereason on this occasion?
We did a PoC with several vendors out of which Cybereason had the best cultural fit. Technologically, we had several vendors that were very good. Cybereason, however, quickly understood our cybersecurity vision and our company’s challenges. When it shared its vision, we were able to see we would match well in a partnership.
How important is having a robust Zero Trust security strategy and how does this contribute to business success?
We use Okta as an identity provider (IDP) with the features ‘device trust’ and ‘IDP Factor’ in combination with a mobile device management solution. Cybereason is the core element in our Zero Trust approach. An access attempt to our cloud applications requires the device being managed by the MDM to be ‘compliant’. A device is considered compliant when it has Cybereason installed. On top of that, we’ve partnered with Cybereason to help build out its XDR product. With Cybereason XDR, we cover Google Workspace, Okta, Slack, AWS, our firewalls and cross-correlate with our EDR telemetry.
How has improved visibility enhanced TX Group’s performance capabilities?
We are able to create a security stack and culture that is not blocking or slowing down our business. Speed is essential for our competitive advantage and by focusing on detection and smart automation for response, we’re able to use security as an enabler of the business.
How has the implementation benefitted your end-users?
For the end-user, the solution is hardly visible. All it takes is a lean sensor on their device. Without getting in their way, end-users benefit from a secure environment which allows them to work with any device, from anywhere, at any time securely.
What does your technology roadmap look like for 2021?
Our focus certainly lies on XDR as this will be the key to finding the security events that really matter to the organisation. We do not want to look at a huge haystack of alerts, but rather want to find the needle in the haystack.
For example, it is not important to know if a user has received a phishing email. It is also not important if the user clicked on the link. What is important is to see any login attempts after such an email. Creating such a story of an incident is at the core of the Cybereason Malop.
With XDR, we are able to tell this whole story and yet give a single event a much broader context. Then we can identify and take the most effective response to such an event. It might not be important to isolate the machine, run forensics and send our security army to solve the incident. It could be just enough to enforce additional factors with Okta. Another area to focus on is protecting our Kubernetes environments with Cybereason. We also plan to expand our existing Bug Bounty Programs, roll out a new Risk Management solution (what we’re calling the Risk Tower) and share with our end-users a SlackBot that informs and enforces security best practices, exciting projects that we built in-house.
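The two response rules described earlier in this article (require a second factor for an unknown or BYOD device; limit a user’s access once malicious operations are seen on their asset) and the “phishing email plus later login” story Schneider describes above can be sketched as a small correlation engine. The following is an added illustration written for this page, not Cybereason’s code or API and not TX Group’s actual policy: the device inventory, event kinds, identifiers, time window and response labels are all constructed assumptions. It builds one story per login attempt, looks back over a window for a phishing chain on the same identity and for Malops on the device, and returns a tiered response, while a phishing email with no subsequent login produces no story at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed device inventory (hypothetical identifiers, not real assets).
# A device counts as compliant only when it is MDM-managed AND the EDR sensor
# is present, mirroring the compliance rule described in the interview.
DEVICES = {
    "lt-0001": {"managed": True, "sensor": True},
    "lt-0002": {"managed": True, "sensor": False},   # managed, but no sensor
    # any device id not listed is treated as unknown / BYOD
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str                    # phish_received | link_clicked | malop | login_attempt
    user: str
    device: Optional[str] = None
    detail: str = ""


def is_compliant(device_id: Optional[str]) -> bool:
    d = DEVICES.get(device_id or "")
    return bool(d and d["managed"] and d["sensor"])


def access_decision(device_id: Optional[str], user_has_malop: bool) -> str:
    """Tiered response: limit access when a Malop touched the user's asset,
    require a second factor for unknown/BYOD or non-compliant devices,
    otherwise allow. Labels are assumed names, not a product's values."""
    if user_has_malop:
        return "limit_access"
    if not is_compliant(device_id):
        return "require_mfa"
    return "allow"


def build_stories(events, window: timedelta = timedelta(hours=1)):
    """One story per login attempt: look back `window` for a phishing chain on
    the same identity and for Malops on the device or user, then decide."""
    events = sorted(events, key=lambda e: e.ts)
    stories = []
    for i, ev in enumerate(events):
        if ev.kind != "login_attempt":
            continue
        prior = [p for p in events[:i] if ev.ts - p.ts <= window]
        phish_chain = [p for p in prior
                       if p.user == ev.user and p.kind in ("phish_received", "link_clicked")]
        malops = [p for p in prior
                  if p.kind == "malop" and (p.device == ev.device or p.user == ev.user)]
        decision = access_decision(ev.device, bool(malops))
        # A phishing email alone is noise; a login shortly after one is the signal,
        # so a compliant device still gets stepped up to an additional factor.
        if phish_chain and decision == "allow":
            decision = "require_mfa"
        stories.append({
            "user": ev.user,
            "device": ev.device,
            "login_ts": ev.ts,
            "chain": [p.kind for p in sorted(phish_chain + malops, key=lambda p: p.ts)],
            "response": decision,
        })
    return stories


# Constructed sample telemetry (labelled as such; no real users or incidents).
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "phish_received", "alice", detail="lure email"),
    Event(T0 + timedelta(minutes=5), "link_clicked", "alice", "lt-0001"),
    Event(T0 + timedelta(minutes=12), "login_attempt", "alice", "lt-0001"),
    Event(T0 + timedelta(minutes=30), "malop", "bob", "lt-0002", detail="Malop on asset"),
    Event(T0 + timedelta(minutes=40), "login_attempt", "bob", "lt-0002"),
    Event(T0 + timedelta(minutes=60), "login_attempt", "carol", "byod-tablet"),
    Event(T0 + timedelta(minutes=70), "phish_received", "dave"),   # no later login: no story
    Event(T0 + timedelta(minutes=75), "login_attempt", "erin", "lt-0001"),
]


if __name__ == "__main__":
    for s in build_stories(SAMPLE_EVENTS):
        print(f"{s['login_ts']:%H:%M} {s['user']:6} {s['device']!s:12} "
              f"chain={s['chain']} -> {s['response']}")
```

Running it yields four stories: alice is stepped up to an additional factor because her login follows a phishing email and a click, bob’s access is limited because a Malop was seen on his device, carol is challenged simply because her tablet is unknown, erin is allowed, and dave’s lone phishing email never becomes a story.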
What best practice advice can you offer other CISOs?
Be bold, be authentic, take over responsibility and don’t shy away from making tough decisions. It is easy to hide behind someone else higher up in the hierarchy or behind compliance and to only make recommendations. Claiming your seat as the CISO, however, requires you to always ask yourself what your main mission is. In my opinion, it should always be to add value for the business and to not get hacked!