Start-ups leading the way in cybersecurity innovations

July 4, 2018

In today’s technologically advanced era, where more information is managed digitally, the need for advanced cybersecurity solutions will only grow. In order to protect systems, data, software and hardware from cyber-attacks, cybersecurity professionals need to handle constantly evolving, increasingly complex security threats, and succeed every time. On the other hand, in order to gain unauthorized access to these systems, a hacker only needs to succeed once.

Realising the need to strengthen Singapore’s cybersecurity ecosystem, NUS Enterprise partnered with Singtel Innov8 to set up ICE71 – Innovation Cybersecurity Ecosystem at Block71. This is the region’s first start-up hub that aims to attract and develop cybersecurity competencies and technologies. One of the first programmes under this initiative is ICE71 Inspire, a one-week boot-camp run by Cylon, a leading cybersecurity accelerator. During this boot-camp, four cybersecurity experts got together to discuss the need for start-ups in developing cyber-innovations. They were Claudio Caballero (Director of Product Innovation, IAG), David Chan (Entrepreneur-in-Residence, Cylon), Sachin Deodhar (Certified Information Systems Security Professional) and Denis Donnelly (Cybersecurity Specialist, Cisco Systems).

 

What are the main cybersecurity threats we are facing? Are start-ups better positioned to develop innovative cybersecurity solutions? 

Denis: The phrase “What’s old is new again” comes to mind, as the most commonly exploited vulnerabilities today are very similar to what they were 10-15 years ago: unpatched systems and default credentials. While nation-level attacks will always get more headlines, I believe that these two areas will remain significant risks well into the future. Start-ups do have an advantage to address these areas, as they don’t have the technical baggage or broad install-base of hardware and/or software to try and update. This means they can take a truly fresh approach in helping organisations address these risks in a new and more efficient manner.

David: I recall one time when a start-up was competing against a larger, more established corporation. The fight lasted for a year, after which the corporate gave up, as it moved too slow. Within that one year, the start-up had brought in investors, and signed up both customers and partners. All the corporate had done was assign the necessary budget and the person in charge of the project. So it is definitely possible for start-ups to compete effectively against larger companies.

Sachin: Incident Response investigations into serious data breaches and so-called Advanced Persistent Threats targeting critical infrastructure that I have been involved in over the past two years have made it evident that the attacker’s tactics have evolved significantly into what is now referred to as “living off the land”. This means attackers are increasingly relying less on (relatively) easy-to-detect conventional malware, and more on native tools, commands, and scripting frameworks such as WMI and PowerShell to achieve their malicious goals and objectives. As a consequence, it is becoming much harder to “resolve” between “legitimate use” of such tools by, for example, systems and network administrators, versus “abuse” of such tools by attackers. Secondly, in the past two years, we have seen a significant rise in the number and frequency of so-called “destructive malware” attacks (e.g. NotPetya, Shamoon-2, WannaCry, GandCrab, MBR wiper, Disk Wiper Tools), and the rise in instances of organizations “held to ransom”, failing which, attackers threaten to either proliferate stolen data in the public domain or outright delete data or damage critical infrastructure.

It must be noted that attackers evolve their tactics, techniques and procedures (TTPs) in order to defeat the existing state of the art in defensive security controls, so it follows that the current approaches will not be successful in mitigating these evolving threats. Consequently, start-ups need to think outside the box and develop disruptive and innovative approaches to counter these new attacker TTPs.

 

What do small, resource-limited start-ups need to do, to improve their chances of making it in this sector?

Claudio: Look for the right partners. When trying to get your foot in the door to sell your solution, sometimes a better approach may be to pitch your solution to another start-up company that is already working with your desired customer. If you’re able to partner with this start-up, you will find that it can greatly shorten the sales cycle. It’s also not enough to be super sharp technically. Another important factor is the ability to get along well with others. There was a case of a Thai start-up company that signed a great deal with a large MNC. The agreement had been negotiated and everything was settled. However, when it came to implementation, things were not moving. It came down to the fact that the person handling the project was just not a “people person” and could not work well with the client. So being nice matters.

Denis: Actually, it’s a bit of common sense. Start-ups need to have a deep understanding of the market segment they wish to address. Who are the other players? Are they large or small? How easy would it be for a large player to add this capability to their existing product? What’s the value of the market? Once you’ve answered these questions, start-ups need to understand their target customer better. Who is the technical or business decision-maker that would purchase your solution? How do you get to these people to demonstrate the value of your solution?

David: A lot of corporates are setting up innovation arms. Get in touch with these people and get involved in discussions. It also helps to know the company’s sales cycles. Sometimes they may evaluate your product if you are conveniently placed.

 

How is Singapore’s start-up scene in terms of cybersecurity? What more can be done to improve the likelihood of a Singapore cybersecurity unicorn?

Sachin: I believe that Singapore has massive potential to innovate and develop disruptive cyber security technology and solutions; having personally mentored several ITE, Polytechnic, and University student interns at CSI, I feel that the educational institutions are doing a lot in terms of developing “cyber capabilities” at all stages. The students consequently appear to develop skills (at a very early age) that are normally seen only in others far more mature in age and experience in other parts of the world. To some extent this reminds me of the Israel model of imparting and nurturing cyber talent at early stages of learning, aka “catch them young”. Against this promising backdrop, it is only a matter of time before Singapore sees its first “Unicorn” emerge.

The challenge I see is that students, in comparison to their global counterparts, appear to be somewhat hesitant to practice what they learn and adopt a more “hands on approach” to cyber security (e.g. to craft and test attack vectors, detect threats, and experiment with different defensive strategies and defender tactics). When quizzed, the students responded that they were afraid they would fall afoul of Singaporean laws in regards to cybercrime. So to a certain extent, Singapore’s strong stance against cybercrime also discourages “experimentation” which in turn acts as a negative catalyst for innovation and disruption in the cyber security space.