March 7, 2024

12 min read

What Doesn’t Kill You Makes You Stronger

Maryna Hornieieva
Content Writer in Lviv IT Cluster

In an era where warfare has transcended traditional weaponry, entering the realm of technology, the significance of cybersecurity has reached unprecedented levels. Beyond targeting individuals, hackers now pose threats to enterprises and entire nations. Mykhailo Kropyva has devoted his career to cybersecurity and currently holds the position of AVP of Information Security at SoftServe, a globally recognized software development and consultancy company with Ukrainian roots. Now the company has over 11,000 professionals worldwide.

Our discussion with Mykhailo delves into his pivotal role in overseeing a robust cybersecurity department, addressing prevalent cyber threats faced by SoftServe, and reflecting on the transformative aftermath of the 2020 hacker attack. Additionally, he shares insights on the development of cybersecurity education and highlights Ukraine’s resilience in the face of adversarial cyber threats. As the cyber landscape evolves, Mykhailo provides valuable perspectives on navigating the challenges and ensuring a secure digital future.

How does SoftServe’s InfoSec Department work

I started my career as an engineer after obtaining a Master’s degree in Information Security from Lviv Polytechnic National University in 2005. Later, I became the head of the Information Security department at a governmental organization, where I worked for eight years. For the past decade, I have been working at SoftServe in various IT and cybersecurity roles. Currently, I am the chief of SoftServe’s Information Security.

A decade ago, our cybersecurity team was a modest group handling a broad spectrum of tasks. Over the years, we’ve evolved into a fully-fledged department, adept at responding to diverse cybersecurity challenges. Each team member now occupies a well-defined role with distinct responsibilities, enabling us to function seamlessly. This structured approach empowers us to collaboratively address and mitigate cybersecurity threats at every level of our organization.

At present, our team protects the company through different levels of support. The first support level entails round-the-clock event monitoring. Engineers must adhere to SLAs (Service Level Agreements), responding to events and following specific playbooks for each event type.

We automatically analyze hundreds of thousands of potential events, differentiating between real attacks and routine events that fall beyond the standard system understanding. Typically, among all the noise the system tracks, there might be a few dozen actual events per day that are related to potential or real attacks.

If the first line confirms the fact of an attack after signal analysis, we engage our Tier 2 leading experts in various directions and promptly resolve the issue.

The second level has more senior engineers who delve deeper into the logic of these systems. Their daily tasks involve investigating the actions taken by the first level, reducing the rate of false positives, and enhancing specific criteria related to visibility and reaction. This continuous effort aims to keep the team alert and prevent any cyber incidents.

There are specialists who analyze events directly reported by our company employees, either through creating tickets or by helping to handle requests reported by various other teams.

The Security Research & Implementation team operates as a separate mini-department within the InfoSec department. Its specialists research toolsets available on the market, compare them with our own tools, and manage security configurations in those tools. For example, within the Office 365 console settings, we configured it in such a way that an individual can only share a file with specific addresses instead of via a link available to everyone, even outside of our company. Another good example is advanced configurations on top of our identity services, which automatically block access to the internal systems and information in case of cyber anomalies like suspicious IP addresses, atypical geo-location, etc.

We have an expert handling the Vulnerability Management process daily: scanning and reporting newly seen vulnerabilities to the relevant stakeholders. We also control the time it takes to fix vulnerabilities within the defined SLAs.

Also, there is a specific process in the company, which involves annual penetration tests with external companies to assess our ability to withstand attacks.

We practice various types of tests in accordance with global standards, including “black box” testing, where ethical hackers assess our defenses from the outside without having internal access; “red teaming” tests, where they have internal access; and “purple teaming”, where ethical hackers perform an activity comparing visibility with the internal cybersecurity operations center (“Blue team”). That helps us identify potential gaps in our defense, compare the steps of the attacking party with the reaction of our unit, and improve visibility and reaction.

We also have a sub-team that utilizes a Breach Attack Simulation service. It helps constantly run simulations of the newest attacks against our environment and identify potential gaps on different levels. We can select what to test on any given day, whether it’s email systems, workstations, or networks, depending on the predefined scenarios. These scenarios are non-harmful to the organization as they do not extract data or make a negative impact on our infrastructure. This approach is also used to assess the quality and effectiveness of our security controls.

Additionally, we have a Leadership and Coordination tier, which includes several security coordinators and InfoSec business partners. These individuals manage the day-to-day operations within the team, coordinate the team’s activities in case of cybersecurity incidents, initiate investigations as needed, and prepare incident reports. They also assist businesses with security-related tasks, review and approve security architecture for new products, explain our security structure to the clients, and provide support for specific decisions. I lead this direction and report directly to the C-level executives regarding the security status based on specific criteria.

Deceptive tactics

Attacks can be categorized into several groups. One of them is phishing, as compromising individuals is somewhat easier than systems. While we constantly enhance our systems, individuals may still fall victim to deceptive tactics. For example, a user clicks on a link and is eventually redirected to a legitimate site, but a hacker steals their session even with the second factor of authentication enabled.
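As an added illustration (not SoftServe’s configuration or code) of the identity-layer anomaly blocking described under Security Research & Implementation, and of how a phished session that passed the second factor can still be caught: a small policy evaluator over constructed sign-in events that blocks suspicious IP ranges, atypical countries, and a session token replayed from a new location. The users, countries, IP addresses and the “suspicious” network are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: TEST-NET-3 stands in for a range an organisation
# might treat as suspicious (e.g. one taken from a threat-intel feed).
SUSPICIOUS_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    session_id: str   # token/cookie identifier presented by the client
    ip: str
    country: str


def evaluate(event, baselines, sessions):
    """Return 'allow' or 'block:<reason>' for one sign-in event.

    baselines: user -> set of countries that user normally signs in from
    sessions:  session_id -> (user, ip, country) recorded at first use;
               updated in place so later events see earlier ones
    """
    if any(ip_address(event.ip) in net for net in SUSPICIOUS_NETWORKS):
        return "block:suspicious_ip"
    if event.country not in baselines.get(event.user, set()):
        return "block:atypical_geo"
    seen = sessions.get(event.session_id)
    if seen is None:
        sessions[event.session_id] = (event.user, event.ip, event.country)
        return "allow"
    # Same session token now presented from a different user/IP/country:
    # the pattern of a phished session replayed after MFA was completed.
    # Revoke the session so the real user has to authenticate afresh.
    # (A production control would score risk rather than hard-block every
    # IP change, since mobile networks change addresses legitimately.)
    if seen != (event.user, event.ip, event.country):
        sessions.pop(event.session_id)
        return "block:session_reuse"
    return "allow"


def run_sample():
    """Constructed sequence of sign-ins for one user, returns decisions."""
    baselines = {"alice": {"UA", "PL"}}
    sessions = {}
    events = [
        SignIn("alice", "s1", "198.51.100.7", "UA"),   # normal login
        SignIn("alice", "s1", "198.51.100.7", "UA"),   # same session, same place
        SignIn("alice", "s1", "192.0.2.44", "UA"),     # token replayed elsewhere
        SignIn("alice", "s2", "203.0.113.9", "UA"),    # suspicious range
        SignIn("alice", "s3", "192.0.2.50", "BR"),     # atypical country
        SignIn("alice", "s1", "198.51.100.7", "UA"),   # fresh login after revoke
    ]
    return [evaluate(e, baselines, sessions) for e in events]
```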

Another group of attacks involves attempts to scan and identify vulnerabilities. In our network, this happens non-stop 24/7, with various types of scanners that we constantly block. Through scanning, they attempt to identify and exploit existing vulnerabilities, i.e. weaknesses in the security system.

Supply chain attacks can occur even when your infrastructure is secure enough, but your software contractor or vendor gets compromised. This way, attackers gain access to your system. An example is the attack on SolarWinds in 2020. The attackers integrated malicious data collection software into their Orion software, which is widely used for infrastructure monitoring and management, and thus stole a large amount of data from numerous public and private organizations in the United States and around the world.

Lessons learned from the 2020 incident

[In September 2020, SoftServe experienced a breach by hackers, which led to the disruption of several company services. The very next day, some repositories of projects, supposedly developed by SoftServe for its clients, surfaced online. Subsequently, hackers exposed personal information belonging to around 200 individuals, presumably SoftServe employees.]

The SoftServe incident in 2020 revealed numerous lessons that cannot be learned theoretically. Every action we took was thoroughly audited after the incident. A leading global cybersecurity company thoroughly reviewed every facet of the incident and our response. We have an official certificate and a comprehensive report confirming that everything we communicated to the press and in internal investigations is indeed factual. We did not attempt to hide anything or release any information that did not correspond to reality.

Fortunately, no significant damage occurred during that time. Neither client data nor projects were compromised. To some extent, luck was on our side, as the repositories that the attackers encountered contained data used by our academy solely for student training purposes. Real client data was absent, a fact that was verified. We received no claims from any of our clients. There was indeed a minor data leak involving our employees’ records, which were stored in an improper location. As a company, we acknowledged this issue and promptly informed the affected individuals and appropriate authorities. From a legal perspective regarding personal data storage, we fulfilled all necessary requirements to address this incident appropriately.

I was taken aback when individuals I deeply respect in the security field wrote baseless claims, asserting that all client repositories had been compromised and all data had been stolen. They expressed this from a seemingly expert point of view. As a member of the company’s leadership, I understood that this had no relation to the truth. During such incidents, many individuals fan the flames, exaggerate, and tell tall tales. It’s disheartening to see that among them are individuals with extensive professional experience in the field and a certain level of reputation, and their statements are taken seriously.

Cybersecurity events and incidents happen every year to a greater or lesser extent. There’s probably no company that has never encountered cyber incidents. If you search for it, you’ll find that it happens annually even in companies with big names like Microsoft, Google, Adobe and Facebook. The human factor is always at play, and it’s simply impossible to entirely eliminate all attacks. However, it is possible and necessary to learn and continuously improve.

Before this incident occurred, we were progressing at our own pace. Surprisingly, this incident had a very positive impact on how we accelerated the development of our security and IT teams. In some respects, we outpaced companies much larger than us in terms of maturity and understanding of how we need to evolve, which areas are well-covered, and what requires further enhancement. This allowed us to attract significant investments in cybersecurity.

In any organization, security practically does not exist without IT. We teach students about IT infrastructure in an enterprise, including ITIL practices. Many cybersecurity incidents were prevented just because certain practices were followed. As an example, companies affected by the Petya virus had essential security measures, such as firewalls and antivirus software, but they didn’t detect the virus. However, the presence of change management processes in many cases saved the companies.

Reforming tech education, one step at a time

Attackers always try to trick people’s minds, to find some breaches in cybersecurity. To minimize risks, it is important to implement cyber literacy for everybody. I am also a lecturer of a subject called “Information Security Standards” at the Ivan Franko National University of Lviv. Also, I headed the cybersecurity education program at Lviv educational institutions. Our Lviv IT cluster makes a great contribution by helping to promote our programs to applicants, organizing various events for students, finding mentors, and much more. As a result of this cooperation, we developed and launched cybersecurity degree programs at Lviv State University of Life Safety and Ivan Franko National University of Lviv. I also support the cybersecurity education program at the Lviv Polytechnic National University. We have been involved in this process for over 5 years.

At Ivan Franko National University of Lviv and at Lviv State University of Life Safety, we developed a program from scratch, making every effort to include subjects that are truly essential. We incorporated best practices from various organizations. At Lviv Polytechnic National University, we assisted in enhancing the existing program.

Universities often struggle to maintain a laboratory with the necessary toolkit and all the required software because universities don’t have a separate large IT department dedicated solely to this task. In this regard, it is more convenient for us to adopt some SaaS solutions. We chose the RangeForce SaaS education platform. Our sponsors covered the licenses for students. A student doesn’t need to have a super-powerful computer or laptop; they only need access to a browser.

Unfortunately, there are indeed complex issues in education. One of the critical challenges is the lack of motivation for young, talented individuals to pursue a career in teaching. On average, teachers receive a salary of about $200-300, which is inadequate for meeting their basic needs. In my opinion, this is unacceptable. I currently have no idea how to address this problem at the level of tech companies, as it requires fundamental changes at the state level. For example, for comparison, similar salaries in Europe are at least 10-20 times higher.

We are trying to solve this problem in different ways, for example, by offering various public grants for teachers who have interesting programs but lack the means to implement them.

For example, recently we were offering grants in the range of $2,000. However, these were one-time things.

Speaking of a more permanent basis, we collaborate with international universities. Last week, I had a conversation with a Swedish university that has a well-developed cybersecurity program, and they agreed to share their experience and provide our students with a dual degree. Also, our students were enrolled in the Swedish student team and participated in Capture the Flag (CTF) cybersecurity competition that is used to test and develop cybersecurity skills.

We offer courses that fall into four categories. The first category, GRC (Governance, risk management, and compliance), includes courses that provide a general understanding of cybersecurity and IT. We are also exploring frameworks such as ISO27001, ISO27002, NIST 800-53, MITRE ATT&CK and OWASP frameworks.

The second direction, SecOps, encompasses programs and tools for log collection and analysis, scanning, vulnerability detection and many other technical solutions for “Blue team.”

A specific direction is penetration testing. We train students in ethical hacking techniques based on Mitre, OWASP, Metasploit and other frameworks. We study the path a hacker goes through the whole attack kill chain. This covers techniques and tactics for compromising systems, but it should only be practiced in isolated laboratory environments and should never be attempted on other companies’ websites, as it could be considered a potential crime.

The fourth category focuses on secure software development, known as the software development lifecycle. We teach programs and techniques for checking code security, and various software that assists in code review.

We have incorporated the maximum number of subjects possible into the curriculum. The next question is how effectively teachers deliver this information. Whenever possible, we hold sessions with teachers every year to review their syllabi and provide recommendations for improvement. I organize internships for students within our company. In collaboration with our Academy we assist in organizing lectures and practical assignments for them.

One of the most interesting and productive disciplines is “Team work”. We introduced it in collaboration with the Lviv IT Cluster, which helps us find mentors who are working in tech companies. Our students split into groups of five to six people, and use practices similar to teams in technological companies. This ensures that they not only understand certain methodologies and practices but can also implement them in conditions closely resembling real-world scenarios. For example, someone in the team takes on the role of a project manager, someone – QA, someone – a developer, someone – an analyst, depending on the assigned tasks. Together with the mentor, they work on very interesting projects and learn to collaborate in a team. Students defend their projects in front of teachers and representatives of the tech industry in the office of a tech company.

We also organize summer internships where students have an active practical intensive for 1-2 months with daily activities. Talented students are hired, and they may go in different directions: SecOps or GRC analysts, ethical hackers, DevOps, developers, etc.

Rising awareness about cybersecurity

It may sound surprising, but both my grandparents were teachers. I have a desire to share knowledge and a strong belief in the importance of cultivating a new generation of well-educated individuals. I have conducted numerous interviews with candidates, many of whom were recent graduates from our universities. Unfortunately, lots of them struggled to answer even the most fundamental questions, which pushed me to cooperate with our universities.

One of the primary motivational factors for me is witnessing how individuals find their paths in life. In our case, this largely revolves around volunteering. Our goal is to have a positive impact on students’ future choices, or at the very least, to provide them with guidance for their development.

I see truly talented students who are currently working in our company. Not all university students end up working in the field they studied, but we can provide guidance and support to those motivated individuals who genuinely express interest.

I always tell my students: “Set a goal and examine what you do each week, determining the percentage of your activities aligned with those goals. Typically, this percentage is quite small, and it’s something you should strive to increase. You must go against the current, exert effort, sacrifice some things, and invest time in what truly matters to you. The results you showcase will pay off in potential opportunities.”
