Interview with Vlad Iliushin at ELLIO Technology: “I regard the issue of alert overload on cybersecurity teams as a ‘ticking time bomb’”

In your eyes, what is the biggest challenge for the cyber security industry today?

Cybersecurity teams (and also IT teams which were typically not structured to handle the current and escalating demands of cybersecurity) face many challenges every day. Choosing just one of these challenges would be difficult.

However, what I perceive as a “ticking time bomb” is the issue of alert overload on cybersecurity teams. In an ecosystem where every single tool in use fights for the user’s attention, this constant surge of alerts greatly complicates the crucial task of accurately identifying and addressing serious targeted threats.

Another big challenge I see is the increasing complexity and sophistication of cyberattacks, reflecting the relentless pace of this industry. Attacks are becoming more frequent and sophisticated, often surpassing the capabilities of traditional security measures, while generic automated attacks are more affordable and easier to set up than ever before. However, the battle in cyberspace is ongoing on all fronts.

You see the issue of alert fatigue among cybersecurity teams as a ticking time bomb waiting to explode…

(laughs) Not so dramatically, but I certainly perceive the overwhelming number of alerts that cybersecurity professionals have to deal with on a daily basis as a problem. If you are someone with an inbox full of hundreds or even thousands of emails, each of which is urgent, you probably know the feeling. Now imagine that this inbox is refilled every single day, regardless of the circumstances. Most enterprises handle over 10,000 alerts per day, and approximately a quarter of security teams grapple with over 1 million alerts daily. In cybersecurity, you must balance the number of sensors with the severity of each one, having enough data to protect the company on one hand, and avoiding an excessive amount of data that overwhelms the cybersecurity team on the other.

How can this challenge be addressed/solved?

Well, cybersecurity is a never-ending soap opera of sorts. There is no one-size-fits-all solution to combat alert overload. This calls for a multi-faceted strategy.

Firstly, prioritization is key. Not all alerts are created equal. Security teams must prioritize alerts based on the potential severity of the threat they pose, allowing the most critical issues to be addressed promptly.

Next, alert consolidation is crucial. A multitude of alerts often stem from a single threat or attack. By grouping related alerts into a single incident, teams can significantly reduce the overall volume of alerts to manage.

Third, automation. Utilizing automated processes to handle low-level threats or routine tasks can free up human analysts to focus on more complex or high-level threats. And finally, advanced technologies such as machine learning can also help to fine-tune threat detection and significantly reduce the number of false positives.

That is why we, at ELLIO, are focused on cybersecurity automation, enabling the cybersecurity community to do their best work.

What benefits do you get from AMTSO?

AMTSO provides a valuable platform for both cybersecurity vendors and testers, fostering collaboration and facilitating the exchange of expertise among its members, and enabling our involvement in creating testing frameworks for cybersecurity solutions.

What do you think fair testing should look like?

You are asking me what fair testing should look like in an environment that is changing every second – that is a very difficult question to answer. When it comes to testing in general, finding a balance between testers and solution providers is always challenging.

I personally consider testing to be very important. As a business owner, getting favorable results from third-party testing is very important, especially in B2B. As a technical person, I would liken testing to an independent peer review of science papers – with such feedback, you can identify shortcomings of your solution, get a valuable third-party perspective or validate your assumptions.

If we talk about fairness, there are a lot of challenges to overcome for a fair test. For example, one of the main principles of fair testing is repeatability. The same test under the same conditions should consistently give the same results. In cybersecurity, however, with streaming real-time updates and on-device ML engines used by vendors, as well as evasion techniques employed by threat actors, achieving this consistency becomes challenging, if not impossible. And this is just one example of how difficult it is to guarantee a good test in our industry.

Luckily, thanks in no small part to AMTSO’s efforts, we have come a long way since the darker times of vendors versus testers.

…and fair testing in a fast-changing cyber landscape?

To me, transparency should be one of the most important principles of fair testing in cybersecurity – providing clear and open information about the testing methodology, processes, and results. It involves ensuring that all relevant details about the testing procedures, including the tools, techniques, and criteria used, are disclosed.

Transparency helps to establish trust, allows for independent verification, and promotes accountability in the testing process. It enables others to understand and evaluate the validity, reliability, and fairness of the testing methods employed, ensuring a level playing field for all parties involved.

Are you missing testing standards for some cybersecurity solutions?

As someone who has been in the industry for quite some time, I would love to see tests comparing widely available feeds against proprietary solutions. Coming from a network security-focused team, we all know URLhaus by abuse.ch, for example. However, having a comparison against proprietary feeds and solutions sold by vendors would provide valuable context for potential consumers and the vendors themselves. But given that the bill is usually paid by the vendor, it’s clear why this hasn’t happened yet.

You had a crucial role in developing the “Guidelines for Testing of IoT Security Products” last summer. Since then, have you seen any progress in how IoT devices are secured?

IoT security is a complex topic – it’s been discussed and worked on for years, but like security in general, it’s a process, not something you can check off.

We have witnessed some progress with the EU’s proposed Cyber Resilience Act, which aims to exert pressure on manufacturers and (re)sellers of smart IoT devices in the EU, hopefully making devices with default credentials like admin/admin or outdated vulnerable services like telnet unsellable in the EU. With some luck, this change would propagate to the rest of the world, as it should be easier for manufacturers to maintain a single secure version of their product rather than separate secure EU and poorly secured non-EU versions. However, at present, this is only a proposal.

Another potentially positive aspect we observe is the use of cloud-only architecture, which, on one hand, offers numerous security features such as no open ports, no services to hack, and no UPnP rules to propagate. However, this approach comes with a significant disadvantage. In the event that the manufacturer goes out of business, as cloud-only means controlling the device solely through the cloud, the buyer is left with essentially e-waste. My other concern regarding cloud-only solutions (even if they are presented as local-only and always encrypted) is the user’s ability to control the data flow from such devices.

The recent Eufy scandal involving “local-only” IoT cameras revealed that the unencrypted video stream was actually sent to the Eufy cloud and stored indefinitely. What’s even worse is that the short clips in the cloud were not protected by any authentication or authorization mechanism (encoding the camera’s serial number using base64 is neither).

As we can see from these examples, despite all the efforts and improvements, there is still a long way to go in achieving a good balance between security and usability in the IoT space.

ELLIO Technology is brand new in the market, could you explain what your business is focusing on?

ELLIO Technology is a tech company helping with the automation in cybersecurity. Our ML-based solutions are designed to effectively filter out generic attacks, reduce alert fatigue and false positives/negatives. We accelerate the identification of critical cybersecurity incidents in real time by decreasing the number of non-critical ones. Our primary mission is to free the overwhelmed teams’ hands and allow them to focus on investigating attacks and incidents that really matter.

Starting in July 2023, we are offering the IT community our new dynamic ELLIO: Firewall Threat List in its technical preview. Our aim is to make at least a portion of the advanced enterprise solution – ELLIO: Intelligence – accessible to smaller companies and IT teams that grapple with limited capacities, a shortage of skilled cybersecurity professionals, and a lack of extensive knowledge and experience in cybersecurity.

The ELLIO: Firewall Threat List is automatically updated every hour or every five minutes, and it is tailored to each company’s specific perimeter(s). By systematically filtering out random internet noise, we help minimize the risk of overlooking potentially serious attacks and being compromised by automated attacks and botnets that are constantly scanning the internet for an easy target.

Thanks so much for these interesting insights, Vlad, and we wish you good luck with your new business!