CISO Insights – Dr. Markus Schmall

Nov 09th 2021

Executive Summary

The ongoing shift to cloud-based offerings – SaaS, IaaS and PaaS – provides major advantages to customers. These include fast deployments, a modern and effective environment, and enhanced security capabilities that traditional IT organizations cannot deliver on their own, due to high investment costs, fast-changing technology and gaps in expertise.

However, cloud-based solutions also create a situation where customers are increasingly reliant on a provider’s certifications, not only to demonstrate compliance but to provide assurance that the environment is in fact secure. In general, this also applies to complex commercial off-the-shelf (COTS) software packages. Unfortunately, certifications used to confirm security, such as ISO 27001, do not say whether the supplier has an effective security model in place.

Unfortunately, spectacular breaches like last year’s SolarWinds hack remind us that compliance-driven, checklist-based in-house security on the customer’s side is not enough. Defenders also need to run an extensive monitoring program in a thoughtful and holistic way. Otherwise, you’re doomed to endure breaches where skilled attackers penetrate the network undetected and stay as long as they remain concealed.

How we got here: A brief recap

Since the 1980s, threats have steadily evolved and grown more diverse, starting with simple boot sector viruses that were extended in varied ways: by polymorphic, metamorphic, cavity[1] and stealth capabilities. The techniques have improved and grown more sophisticated, but the core definitions remain largely unchanged. Overall, we have seen a trend towards trojan horses and ransomware (see data from Darktracer showing the ongoing development in the ransomware area).

The game between attackers and defenders has evolved too. What started as a good-natured contest between hobbyists and security teams soon expanded to include two hardcore attacker classes: organized crime and state-sponsored actors. Already in 1986, cyber legend Clifford Stoll documented his cat-and-mouse battle against state-sponsored hackers trying to compromise Berkeley Lab (source:, source:–_Nichts_ist_so_wie_es_scheint)

What has changed from an attacker’s point of view?

Given the ongoing digitalization of all industry domains, the attack surface continues to grow significantly. As previously isolated systems become connected to the Internet, virtually all data is digitally available. A well-known example is the SS7 signaling protocol and network used by the telecommunications industry. Previously “hidden” from the public, it can nowadays be analyzed by a broader audience, resulting in the discovery of previously unknown vulnerabilities (see e.g.

Traditional operational technology (OT) is also being examined more heavily by researchers as it becomes more and more connected to the internet, and consequently it will be targeted more by attackers. Stuxnet may still be one of the most prominent attacks against OT / control systems, but it marks only the beginning of a trend (see e.g. the recent Amnesia:33 publication, which revealed 33 vulnerabilities in open source TCP/IP stacks that put millions of IoT and operational technology devices at risk of being compromised; source:

Communication behavior has changed as well: e-mail has become a major platform, replacing traditional mail and fax services and opening additional attack pathways.

What has changed from a technology landscape point of view?

SaaS usage is increasing

With the rise of SaaS, defenders have to trade detailed knowledge about architectures for ISO 27001 (27K1) certificates, pen-test reports and sometimes even interview-based impressions of the vendors’ capabilities. Looking at the software byte by byte, or the kind of deep platform knowledge that is possible in a traditional IT setting, is no longer possible with SaaS. Vestiges of the legacy environment continue to disappear as the first vendors begin to discontinue boxed versions of traditional server products and move those offerings to the cloud.

Traditional hosting is being replaced by IaaS and PaaS

Initially, cost arguments were the main driver for migrating to IaaS and PaaS solutions. I think focusing on cost alone is misguided. The case should be made more in the direction of faster time to market, faster deployments and better defenses. Where security is concerned, major IaaS/PaaS players can make game-changing investments much larger than what the average company running its own IT shop can afford, and leverage those investments across their whole customer base.

If you look at AWS, for example, I truly believe their enterprise customers’ security can benefit heavily from platform features like Inspector and GuardDuty and from supporting tooling such as CloudTrail and CloudWatch.

What does this increasing dependency on certifications mean now for your security model?

SolarWinds: “One of the biggest attacks of the last years”

SolarWinds software is widely used by businesses to manage and monitor their networks, systems and IT infrastructure. The company has more than 18,000 customers globally and serves a large number of Fortune 500 companies. It is ISO 27001 certified, and SOC 2 reports are available for certain products. What does this say about the security level? What needs to be done by customers when deploying COTS packages?

The massive SolarWinds supply-chain attack, first detected thanks to a possible slip by one of the attackers and reported in December 2020, exemplifies the security challenges defenders face when trusting solely in certifications.

What had happened? The attackers gained access to the build system and were able to manipulate the build process of the software “on the fly”, which shows a high level of internal knowledge.

The attackers inserted malicious code into specifically targeted classes of the software package, which was then made available to SolarWinds Orion customers. The stunning attack combined a high level of technical expertise, very detailed target research and a 15-month “non-detection” period.

The attackers knew the targeted companies and government structures would likely be hard to breach. So they chose software that is widely used, can be reused as a Trojan horse, and typically runs on a trusted system with broad network accessibility.

Additionally, the malicious code was programmed to evade detection by not performing any malicious action for two weeks after installation and by staying quiet when it detected test systems. Consequently, the malicious behavior was not detectable within typical QA phases.

Risk reduction vs. concrete security

Certifications can help an organization point the way to reducing risk in a very formal, structured way. They can also create a false sense of security for the people evaluating protections and for decision makers who want assurance that their environment is safe, as certifications increasingly become a go/no-go criterion within purchasing processes. A good, effective security model can clearly be built without an ISO 27001 certification, since the certification mostly adds formal aspects and processes that need to be considered. An ISO 27001 certification doesn’t say whether you have an effective security model in place.

A get-out-of-jail card

In many organizations, you can save your job by ensuring you only buy software that is fully certified. That’s your get-out-of-jail card.

Establishing a little bit more security

But if your goal is to really protect your company, relying on certifications isn’t enough. Doing security right means understanding the technology and how to detect a potential threat coming from the software. You must build and refine monitoring into SIEM use cases that flag anomalies and trigger your response.

It’s essential to strengthen monitoring from varied angles:

·       System behavior via EDR (Endpoint Detection and Response) tooling

·       Classical antivirus

·       Monitoring outbound DNS traffic

·       Monitoring inbound HTTP traffic (e.g. extended with sandboxing approaches)

·       Monitoring outbound HTTP traffic (e.g. detecting ransomware data exfiltration via statistical analysis such as “more traffic than normal to one target or from a single user”, which requires a good understanding of all your internet breakouts and normal traffic patterns)

·       Monitoring email traffic (e.g. extended with sandboxing approaches)

·       Monitoring account usage / usage patterns (e.g. impossible travel scenarios, login times outside the normal pattern, and so on)
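To make two of the SIEM use cases above concrete, here is an added example (my code, not the author’s and not from any SIEM product) that runs the “more traffic than normal from one user” check and the “impossible travel” check over constructed log lines. The proxy log lines, login events, coordinates and the thresholds (3 sigma above the user’s own baseline with a 50 MB floor; 900 km/h as the fastest plausible travel speed) are all assumptions chosen for illustration; a real deployment would feed the same functions from the proxy and identity provider logs and would resolve source IPs to coordinates with a geo-IP lookup.

```python
"""Two example SIEM use cases run over constructed log lines:
 1. outbound HTTP volume per user and day that exceeds that user's baseline
 2. "impossible travel": consecutive logins of one account too far apart
    for the time elapsed between them
Sample data and thresholds are constructed assumptions, not real telemetry.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# --- constructed proxy log, format: "<ISO timestamp> <user> <dest host> <bytes_out>" ---
PROXY_LOG = """\
2021-11-01T09:12:00 alice mail.example.com 2100000
2021-11-02T09:40:00 alice crm.example.com 2600000
2021-11-03T10:05:00 alice mail.example.com 1900000
2021-11-04T11:30:00 alice crm.example.com 2400000
2021-11-05T09:55:00 alice mail.example.com 2200000
2021-11-08T02:14:00 alice files.example.net 900000000
2021-11-01T08:30:00 bob crm.example.com 5000000
2021-11-02T08:35:00 bob crm.example.com 5200000
2021-11-03T08:40:00 bob crm.example.com 4800000
2021-11-04T08:45:00 bob crm.example.com 5100000
2021-11-05T08:50:00 bob crm.example.com 4900000
2021-11-08T08:55:00 bob crm.example.com 5300000
""".splitlines()


def daily_bytes_per_user(lines):
    """Aggregate bytes_out into {user: {day: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, _host, nbytes = line.split()
        totals[user][ts[:10]] += int(nbytes)
    return totals


def outbound_volume_outliers(lines, sigma=3.0, min_bytes=50_000_000):
    """Return (user, day, bytes) for days whose total exceeds the user's own
    baseline (mean + sigma * stdev of all other days) and an absolute floor,
    so a single large upload from a normally quiet account stands out."""
    findings = []
    for user, per_day in daily_bytes_per_user(lines).items():
        days = sorted(per_day)
        for day in days:
            baseline = [per_day[d] for d in days if d != day]
            if len(baseline) < 3:
                continue  # not enough history to judge this account
            mean = statistics.mean(baseline)
            # floor the deviation so a very steady baseline does not flag noise
            dev = max(statistics.pstdev(baseline), 0.1 * mean)
            if per_day[day] > mean + sigma * dev and per_day[day] > min_bytes:
                findings.append((user, day, per_day[day]))
    return findings


# --- constructed login events, geo already resolved from the source IP ---
# (ISO timestamp, user, source IP, latitude, longitude)
LOGIN_LOG = [
    ("2021-11-08T08:00:00", "alice", "203.0.113.10", 51.03, 6.98),    # Leverkusen
    ("2021-11-08T09:30:00", "alice", "198.51.100.7", 31.23, 121.47),  # Shanghai
    ("2021-11-08T08:00:00", "carol", "203.0.113.11", 51.03, 6.98),    # Leverkusen
    ("2021-11-08T12:00:00", "carol", "192.0.2.44", 48.14, 11.58),     # Munich
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return (user, ip_from, ip_to, km, km/h) for consecutive logins of one
    account whose implied speed exceeds max_speed_kmh (assumed threshold,
    roughly airliner speed); short hops below min_distance_km are ignored."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    findings = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per account
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append((user, ip1, ip2, round(dist), round(speed)))
    return findings


if __name__ == "__main__":
    print("volume outliers:", outbound_volume_outliers(PROXY_LOG))
    print("impossible travel:", impossible_travel(LOGIN_LOG))
```

Run as-is, the first check flags only alice’s 900 MB upload on 2021-11-08 (her other days sit around 2 MB), and the second flags only alice’s Leverkusen-to-Shanghai pair (about 8,900 km in 90 minutes), while carol’s Leverkusen-to-Munich hop in four hours stays under the speed limit. The baseline is recomputed per account rather than globally, which is the point of the author’s “from a dedicated user” wording: a company-wide average would hide a quiet account that suddenly exfiltrates data.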

There are best-of-breed tools for all these purposes.

Some examples: Most SIEM vendors offer artificial intelligence / machine learning packages to detect anomalies. It also helps to have an effective sandbox solution you can plug into your email or web proxy solution. Sandboxing is not the solution for everything, but a good system will detect the majority of malicious software.

To be able to think about this kind of defense, you must really understand the technology. To be very clear, monitoring by itself is not enough either: you must have playbooks, incident response plans and the like available, and test them at regular intervals. Otherwise, the best monitoring setup is ruined by incident response routines that don’t work. Red teaming (“pentesting during operations without pre-warning”) is an additional helpful module here, replacing or at least complementing classical penetration test procedures. It can also help to optimize your security monitoring setup, which overall helps to increase the security of your company. Because one thing is clear: monitor or be doomed!


About the author

Markus Schmall started his security work in 1987, developing his first AV solution on the Amiga platform (“Virusworkshop”), and continued on this path. He received his PhD in 2003 from the University of Hamburg under the supervision of Prof. Dr. Klaus Brunnstein (“Classification and identification of malicious code based on heuristic techniques utilizing Meta languages“). He was a founding member of the Deutsche Telekom early warning / honeypot activities and held various management positions in the security area. Currently Markus is working as CISO for Covestro.
