The role of advanced malware analysis in government cybersecurity

Date: 11/11/2024

In today’s rapidly evolving cyber landscape, government organizations face an increasing array of challenges that demand sophisticated, well-coordinated defense strategies. During a recent panel discussion, we had the opportunity to dive into these critical issues with Carsten Willems, CEO of VMRay, and Carlos Rivera, Senior Analyst at Forrester Research. This insightful conversation explored some of the most pressing topics for government cybersecurity today: the unique challenges faced by government agencies, the vital role of analyst experience, and the crucial balance between platform consolidation and specialized security solutions.

Our discussion covered the practical ways security teams can shift from a reactive to a proactive stance, why Zero Trust, incident response, and security operations must operate in unison, and how fostering these functions can ultimately bolster resilience. Below, we’re sharing key excerpts from this conversation that shed light on the future of cybersecurity for government agencies and beyond. Join us as we explore these insights and actionable takeaways.

Watch the full recording of the panel discussion here

What are the cybersecurity challenges of government organizations?

Alexandra: Carlos, from your perspective, from talking to all these leaders from the government and the private sector, what are the current challenges that you see? What are government agencies struggling with at the moment, especially around zero trust?

Carlos: I think that we’ve come a long way from, where we started off with the adoption of zero trust. And I think you’ll see a bit of a difference between a public sector government entity and private sector, more of a private companies and corporate organizations. The challenges that were kind of faced with zero trust were around the understanding, a lack of understanding. And that’s still very much the case when you talk to corporate and private sector.

But with the public sector, it’s a little bit different. I think initially it started off as a lack of alignment or lack of knowledge around zero trust, but has changed. It’s changed now, obviously, with these mandates that are being pushed out, guidelines and standards, there’s obviously a firmer understanding what zero trust means for the government and public sector type of entities. But there’s a challenge in terms of outdated technologies, the legacy architecture that they have to deal with, and aligning that technology with what zero trust is setting out to accomplish. And so that’s the challenge that they’re truly facing.

And it’s still a little bit of lack of alignment, which is still true because you still have that kind of mindset, especially in the public sector, that there’s individuals that are set in their way of doing things and, the whole mantra of “I don’t want to reinvent the wheel” or “don’t fix what isn’t broken” kind of situation that causes a lot of disruptions in progress towards advancing your zero trust strategy, whether that means adopting a new technology or implementing a new process for and improving your overall preventative measures.

And private sector, I think there’s a little bit more advancement, especially in the finance – financial industry. They’ve been very much ahead of the curve when it comes to adopting zero trust. In terms of modern standards and best practices and technologies, financial and just institution has been far advanced. You know, they’ve been in the cloud migration way ahead of most other verticals. They’ve been adopting other software as a service type of capabilities. So they’ve been well positioned to begin that maturity of zero trust.

So, I think that’s the difference. It’s really still kind of a little bit of a lack of an alignment from a functional perspective, but with public sector is outdated technologies and legacy architectures.

Carsten: In my view governments, on the one hand face similar challenges as the private sector, but much on a much larger scale and complexity and impact. And then there are some unique ones.

Let’s first look at these different challenges. Obviously, the attack surface that governments need to protect is much larger and much more heterogeneous than those of corporation because they need to protect their own systems, their own people, their own staff, their own infrastructure. But then they also need to protect the interests of the nation like the citizens, the corporations. Critical infrastructure is a very important aspect here. And they have a lot of these public facing systems, election systems. So it should be very hard for attackers to get their hands on these systems.

Then on the adversary side, it’s not only the criminals that have these financial objectives, but they are facing nation state actors with espionage and sabotage and all these misinformation targets. These actors obviously have much more resources, much more time, much more expertise and they’re conducting more sophisticated attacks like targeted attacks and these supply chain attacks.

And then the impact of course impact on economy, impact on the people, impact on democracy is much more critical than the impact that you would see in a private sector organization.

And then there are also some non-attack-related challenges of governments where typically the private sector is in a better position, like fragmentation amongst the different agencies with knowledge sharing, information sharing problems and unclear responsibilities. I mean we have that in organizations as well. But I think it’s a much, much larger scale. Then, governments are much more constrained by regulatory and compliance requirements.

And then the things that Carlos mentioned, legacy systems, less budget flexibility and stuff like that.

On the opposite side, when we look at the solutions and at the activities that our governments implementing for security, I think they’re more or less working on the same things like technology, processes, human centric-awareness, training, all these kind of things. But they have some special powers because governments can create regulations and by that indirectly enhance security on a large, slower but broader scale.

Alexandra: I would like to follow up with one more question Carlos. My perception is that Zero trust was at the beginning a lot about the parameter identity and access management in practice and is only now starting to shift towards detection response capabilities, and actually looking at what is the analyst doing in this. How practical and implementable is this actually?

Carlos:

I think that’s kind of another debate that we have even amongst myself and my colleagues in Forrester: where do we draw that line in between, or where does that intersect begin. Where does Zero Trust architecture end and where does incident response and SOC operations begin?

Because some of the other misconception was does zero trust replace incident response or does it take the position of the SOC? And no, the answer is no it does not. Because first and foremost, Zero Trust as an architectural information security model is a preventative approach. It’s a way of improving your preventative measures and controls and reassessing how you deploy those controls in the most effective and efficient manner.

I like to think that the intersection or the touch point for where Zero Trust and incident response kind of interact is going to be visibility analytics and that’s where you start getting that information and telemetry because one, it’s going to inform the automation orchestration that is part of Zero Trust, but it’s part of improving the policies. How do you, how do you streamline those onboarding processes, offboarding processes for user devices, improving your policies throughout different various enforcement points.

But it also that telemetry and visibility needs to be collected and informed the SOC and inform the incident response so that they have more insight as to what is going on, who’s doing what when, where and why to make more real time responses to those to those incidents and be able to focus on the things that matter the most.

What are the key pillars of implementing zero trust?

Alexandra: Carlos, in your view what are the key pillars for rolling zero trust successfully?

Carlos: I think that it’s always going to be people, processes and technology. Those are the three things you need to improve within an organization and keep in alignment and have holistic viewpoint when it comes to beginning your zero trust journey.

It’s people because it ultimately comes down to a cultural and change management that the organization need to kind of get over. And it’s still processes going on even still on the government side. It kind of to your point Carsten that some functions still have a disconnect and there’s a reason why we emphasize the need for collaboration for zero trust to be successful.

I was recently working with a client in the government sector and I had them perform an assessment of their zero trust maturity. And the difference between how the C-level leadership and top tier leadership viewed their maturity of the architecture versus the more technical management level was very different. C-level side believed the architecture was still beginner. But the more technical, well-versed backgrounds and architects viewed as intermediate which told me you guys are not talking.

There’s a lack of understanding of what are the capabilities that exist already in architecture that perhaps you’re just not leveraging in the most effective and efficient manner. Yes, there’s emerging technologies out there, but that doesn’t necessarily mean you have to go out and procure that technology to begin your zero trust journey. You start leveraging the tools and solutions you have in place and reassessing how you are deploying that.

Why analyst experience matters and how to improve it?

Alexandra: Carsten, can you tell me what is it that customers especially, maybe also different levels in the organization, maybe from an analyst perspective, specifically, what benefits do people get out of working with a platform that VMRay provides?

What we do is called behavior-based detection, or advanced threat detection, or automated malware analysis, or sandboxing. We’re performing a deep analysis on suspicious content in order to identify zero-day threats and generate threat intelligence.

So the different use cases for these kinds of automated deep analysis, like improving your detection capabilities as a second line of defense, and obviously, improving your incident response. Because if you can get threat insights within two minutes instead of after a few hours or a few days, and if you can scale that up, that dramatically increases the speed at which you can handle an incident response.

And then there is kind of a new trend that threat intelligence is being used on a large scale where you can learn from other victims, successful or non-successful, it doesn’t matter. But just that there was a cyber attack on one of your peers next to you and you can prepare yourself against likely or the same attack in the future. So, this is what I meant earlier with this information sharing, we need to combine that what we see in the field with what others see in the field. We need to exchange information very quickly on ongoing cyber-attacks and only then we become really successful.

And that one aspect on what the analyst. I really like that Forrester term “analyst experience” because it’s perfectly suited to explain one of our main strengths and we call that – clarity. It’s not about having a super fancy UI or dashboards that look like a computer game or like from the future, but it’s all about how we collect data, how we structure data, how we present data, and how we make that data accessible to the analyst and walk him or her through the process and guide the attention instead of throwing all the data at once in one long sequence.

No, no. Data needs to be structured and there is certain order of questions that you have to ask like is it bad? Is it known? What are the high-level techniques being applied? And then, you can go deeper and deeper and deeper and deeper. And I believe that is something that really makes VMRay unique. The way how we provide data and we separate relevant data from irrelevant, high-level from low-level and really provide not only the relevant data but also make it very easy to guide the attention and make it accessible.

It only takes a few minutes instead of hours to read the report. And that is specifically important in the current times of skill shortage. Because skill shortage typically is not about the number of people, it is about or often is the skill level. That is the problem here. And if you have a junior, it takes forever to separate signal from noise. It’s easier for an expert, but it’s really hard for a junior.

So I believe in terms of the analyst experience, it really makes a difference between just 100 pages of PDF or an interactive report where all the data is enriched and annotated and systematically presented.

Carlos: Analyst experience is something that has been coined here at Forrester and it’s been a topic of interest for us in our evaluator research as well. Because there’s a reason why we’re starting to include analyst experience as a criteria in many of our evaluating research for various different technologies.

Because what we’re looking for is how can we gain that information, the insights that these other platforms are providing to make actionable decisions for the analyst. It’s one thing to gain that visibility, it’s another to do something with that information.

Carsten: For 10 years now, since the inception of VMRay, we’ve been talking about full visibility and I really like that term. But just over the recent year or so I learned that visibility is one thing, it means the data point is there. Perception is another thing. That means I see the data point amongst all the other data points. And comprehension is what we really want to achieve, that I understand and can act and respond and use that data point.

How to balance platforms and best-of-breed security solutions

Alexandra: So, there are a lot of large platform vendors out there. And of course, government entities tend to turn to them because, homogeneity of the platform may be makes it easier to roll out. Do you see that as a good idea, a bad idea?

Carlos: For me, it depends on who you’re talking to and what are the requirements of the organization.

Because you need to have a balance of both worlds. You need to have a balance of here’s a platform and this is within our security stack. This is where it makes sense to have a platform offering. But if it makes more sense in terms of comfort and skill and comprehensiveness for your workforce, does it make sense to have a best of breed in this area, especially if it’s to fill a gap.

All these platforms have multiple offerings, but they’re always going to have a gap in coverage. How are you going to fill that gap? And this is where this best of breed kind of solutions can come into play. You may have a platform that may be offering a form of advanced malware analysis or sandboxing capability, but if it’s not to the degree or up to the par that you prefer, and maybe you want something that’s best of breed, that’s what you’re going to start looking at.

You start looking at that balance and integration, interoperability of a best of breed solution with a platform offering.

Carsten: My view is clear. What we typically see and what we recommend is combining platforms with best of breed point products for mission-critical use cases. I mean, I hate complexity, I love simplicity. So, I totally get the point why platform makes a lot of sense for different reasons.

However, I the platform vendor can never be laser-focused on one thing because they do 20 things. And also security is a team play, that’s for sure. Each vendor, each vendor, no matter how large, how experienced, how old, whatever that is, each vendor has its strengths and its weaknesses and its focus areas and its blind spots.

And the only way how we can increase and get to the best security posture is by combining different technologies, different approaches. I mean, we don’t want to have a single point of failure.

What it takes to get from reactive to proactive cybersecurity

Alexandra: How can we find the balance between proactive and being reactive. So, incident response by definition is reactive. And zero trust, has always propagated the idea that assume breach, right? You’re going to have to assume breach no matter which platform you actually have or no matter how much money you invested into it. So, what’s the role of incident response? Or where does it sit? Where does also maybe where do the sandboxing or the advanced malware then need to sit in the architecture?

Carlos: I believe that Advanced Malware Analysis (AMA) is still going to be a SOC capability because you have those preventative measures and firewalls are a preventative type of tool from the get go. They have that capability but that’s informed through other analytics such as AMA, right? Those are going to be informed by that machine learning and information and telemetry that they collect to make more decisions.

But I believe that AMA can exist in both in that kind of sense. It could most primarily in the SOC. But like I mentioned before, zero trust is primarily going to be a very preventative type of approach to your architecture. And AMA is in taking advantage of that visibility. There’s going to be gain through all those various different controls and enforcement points to start, you know, making sense and turning that information into human readable information, making it more comprehensive, to Carsten’s point.

But it’s ultimately, it’s to enhance the incident response. It’s to improve the overall experience for the analyst. When you have this information, you’re getting all this noise. Where does it make sense to make it more automated in terms of the firewall to respond to and respond and address a basic and more known kind of threat that is detected versus an analyst can actually focus on a zero take, zero-day type of incident and then to invest that time and effort in doing that investigation with that.

Carsten: Sandboxing was invented in the 2000s, mid of 2000s. And the main idea was incident response. So, incident response was the main use case. And then, it’s being used for generating threat intelligence. But at least with our solutions, we see more and more use cases in the SOC.

Also with other security functions where in the past only analysts could have done that work manually. And either you put those analysts there, which was super expensive, or you said it’s too expensive, I don’t do this job. And now with sandboxing capabilities that produce much less noise, that are much more trustworthy, that are much faster, we see that our solutions at least are being used for use cases that were not on our radar years ago, like for threat hunting, detection engineering, user reported phishing.

But you started the question with being proactive. The imminent problem and challenge of security, that it’s normally reactive because it’s easy for the attacker just to find one way the defender needs to protect all possible ways, and it’s always typically one step behind.

However, using a solution like VMRay, advanced threat detection already shifts a bit from reactive in the direction of proactive, because now you detect something that has never seen before on Day 0… and not only after a week, after a month, after a year. And what I already mentioned before, I think that is even more important is the usage of threat intelligence. Organizations use the IOCs for detection engineering, for threat hunting, for blocking, and they’re using threat intelligence also on a more strategic level to assess their defense capabilities against the techniques that are being used in the wild right now.

So I believe leveraging threat intelligence really puts you into a position where you can predict and preempt if that works.

And last but not least, the number of attacks is increasing, the number of victims or targets is increasing, the number of attackers is increasing, but the number of defenders is not increasing at the same speed. So, in order to get rid of that backlog and this endless incoming stream of alerts, we need other ways, we need automation, we need powerful tools, we need to make better use of our very scarce security people and staff, to put them into the position to become proactive. Otherwise, they will always be reactive.

So I believe it’s a combination of different things that is needed here. And sandboxing – or advanced threat detection, can play a role in different pieces. It’s not the silver bullet like nothing else out there, but it’s a very critical capability that is needed in so many different places to automate and accelerate experts and enable juniors.

And that is what we need.

Why you need a combination of on-prem and cloud for security deployments

A question from the audience: How do you think the balance between on- premise and cloud capabilities is working out now? Obviously there’s a push in various government entities, for example in the United States to go cloud. What is a smart way to approach that?

Carsten: There’s a simple view like the Americans are in the cloud and everyone else is not. But obviously, that is not the case. So we see also in Europe a lot of shift already to the cloud. We also see that a bit in Asia, and Middle East.

But we also have a lot of US Government customers who want to still remain on on-prem or even we have one customer who moved back from cloud to on-prem. I mean there are these compliant things and stuff like that, but still for very sensitive and very critical use cases which we more find with governments than with the private sector.

Carlos: I think that for a while earlier on there was such a huge drive globally to be in the cloud, right? Because there was a lot of good selling points and benefits from migration to cloud. But especially with the public sector it was cheaper. Allegedly, it was cheaper.

But we’re starting to see that it’s kind of balancing out, costing the same thing. But the thing is, is with, especially with the public sector, and at least from my experience, there’s a portion that you could probably say, this is going to be cloud. We can, we can migrate this, this, this portion of our environment to the cloud because it’s unclassified in nature, but we just have to make sure we have some controls around it and it’s public facing.

But there’s other aspects such as a critical sensitivity, secret, top secret type information. These are entities that are not going to be like, “let me throw that in Azure, let me throw that in Google Cloud platform, throw that into whatever public cloud service provider that’s going to host my services.”

For me there’s a, essentially because trust is a big play in here and I know we’re talking about zero trust, but there’s a level of trust that the government has with letting their data exist in an environment that they don’t have control over. And that’s pretty much where we’re at.

We’re going to live in a world of hybrid architecture, meaning we’re going to have a foot in both doors. We have some portion of our environment, it’s going to be cloud and some portion of our environment is going to be on prem. Looking at manufacturing, utilities, services and government, they are probably going to be the more prominent verticals and use cases where there’s going to be an on prem need. There’s going to be a need for these controls to be deployed on prem, but they’re also going to have a percentage of cloud that needs to be addressed as well.

And that’s why I always mention invest in a solution that can be interoperable and flexible and adaptable based on your environment and where you’re deploying when you need to have coverage on.

Tags : best-of-breed, consolidation, government, government cybersecurity, malware analysis

Get The Latest Update

Subscribe to our newsletter

Keep up to date with our weekly digest of articles. Get the latest news, invites to events, and threat alerts!

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

The role of advanced malware analysis in government cybersecurity

Get The Latest Update

Subscribe to our newsletter

Panel - featuring Forrester

The role of advanced malware analysis in government strategies

Table of Contents

Share With Others:

You May Also Like:

Subscribe to our Newsletter:

Solutions

Products

Why VMRay

Resources

Missed the headlines?

We’re featured in:

ThreatFeed

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Malware Analysis Reports

cybersecurity glossary

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs