A better focus on protecting your data
Since I've spent so much time in the past few months shoveling snow from my driveway, I've started inviting my daughter to come 'help' me. Her help typically consists of throwing snowballs at me while I'm doing the shoveling. It's still a fun experience - although I do need to make sure she's not in danger from traffic coming down our street while we're outside.
It got me thinking about how organizations protect their sensitive data. If while shoveling the snow, I were to just watch the street and yell every time a car came by, you'd probably think I was doing a poor job as a parent (and also a little crazy). But we don't do that - we keep our eyes on our kids instead, because if we know where they are, we know if they are in danger.
Most organizations fail to take this same approach with their data. Huge budgets and significant man-hours are spent on watching things like network perimeter firewalls, antivirus alerts, and failed logins to user workstations. These are useful data sources for security monitoring, to be sure. But typically they are given the same priority as - or a higher priority than - an alert showing access to a restricted file, database, or service. Often these sources aren't even monitored!
Take a minute to consider your organization's most sensitive data. Perhaps it's intellectual property, such as source code, engineering schematics, or chemical formulas; or financial information, such as cardholder data or bank account records.
Where does this data sit? Maybe it resides in an Oracle database, or files on a network share, or a CRM application. It's stunning how many organizations do not have this information documented somewhere!
Now, think about how your organization tracks access to this data. What accounts are accessing it? From what hosts or IP addresses? How often? What are 'normal' access times for this data – just business hours, or others? What applications or processes should be able to read or modify it? According to a study by Symantec, one in fifty files stored on a network share has insufficient access controls and is exposed to users who shouldn't be able to reach it.
Some of these questions are simple to investigate. If you're concerned about files on a Windows file server, for example, right-click the folder that holds them, select "Properties" and open the Security tab. It lists which local and domain users and groups can read, modify, and delete the files. Two caveats apply: the Security tab shows NTFS permissions only, so the share's own permissions and nested group membership still decide what an account can actually do (the Effective Access tab on current Windows versions resolves this for a named account), and it says nothing about who has actually used that access, which requires object-access auditing to be enabled and the resulting events to be collected.
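Clicking through the Security tab does not scale to a share with thousands of folders, so here is an added example (not code from the original post) that does the same review with PowerShell. It walks a folder tree and reports every Allow entry that gives a broad principal (Everyone, Authenticated Users, Domain Users, BUILTIN\Users) more than read access, which is exactly the "exposed to users who shouldn't reach it" condition described above. With the -EnableAudit switch it also adds an audit entry so that successful and failed reads, writes and deletes under the root are recorded in the Security log (event ID 4663) once the "Audit File System" subcategory is turned on. The share path is an assumed placeholder, and the list of broad principals is an assumption you should extend with any wide groups of your own.

```powershell
# Added example, not from the original post: report broad write access under a share
# and optionally turn on object-access auditing for it.
# Requires PowerShell 5.0+ (for Get-ChildItem -Depth). The default run only reads DACLs
# and needs no special rights; -EnableAudit needs an elevated session.
[CmdletBinding()]
param(
    [string]$Root = '\\FILESERVER\Engineering',   # assumed placeholder path; replace with your share
    [int]$MaxDepth = 3,
    [switch]$EnableAudit
)

# Principals whose membership is effectively "everyone on the domain" (assumed list; extend as needed).
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'BUILTIN\Users')

# Any of these rights lets the holder alter or remove the data.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Modify, Write, Delete, FullControl'

function Test-IsBroadPrincipal([string]$Identity) {
    # IdentityReference values look like 'NT AUTHORITY\Authenticated Users' or 'CORP\Domain Users'.
    foreach ($p in $BroadPrincipals) {
        if ($Identity -eq $p -or $Identity -like "*\$p") { return $true }
    }
    return $false
}

function Get-BroadWriteAccess([string]$Path, [int]$Depth) {
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $grantsWrite = ($ace.FileSystemRights -band $WriteMask) -ne 0
            if ($grantsWrite -and (Test-IsBroadPrincipal $id)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited entries must be fixed on the parent folder
                }
            }
        }
    }
}

Get-BroadWriteAccess -Path $Root -Depth $MaxDepth | Sort-Object Path | Format-Table -AutoSize

if ($EnableAudit) {
    # Audit entries only produce events once the subcategory is enabled, e.g.:
    #   auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -LiteralPath $Root -Audit     # -Audit is needed to read and rewrite the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Root -AclObject $acl
}
```

Run it once without -EnableAudit to get the list of folders to fix; an entry with Inherited set to True has to be corrected on the parent folder it came from, not on the folder listed. Auditing successful reads on a busy share generates a large volume of 4663 events, so scope the audit rule to the folders that hold the truly sensitive data and make sure those events are being forwarded to wherever your security monitoring actually looks.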
By no means should we stop watching log data from workstations, servers, network devices, applications, or security defenses. But if we're concerned with protecting data above all, we should give highest priority to logs and tools that provide us visibility into how that data is being stored, accessed, and transferred.
A data classification policy is a great first step in understanding and documenting the data that is most important to our organizations, as well as how it should be handled. Where is your focus? For more information on crafting these policies and best practices in protecting sensitive data, contact CBTS Advanced Cyber Security today.
Cyber crime and how to protect against it
Cyber crime seems to be on the tip of everyone’s tongues, but what exactly is it and how can a company defend itself against it? Despite all the hype, at its base, cyber crime is not new. It is simply a continuation of activities that have been happening for millennia. People have always stolen from others, nations have always spied on other nations and organizations have always blurred the lines as they competed with each other. The only thing that is new in cyber crime as compared to historic theft, spying or industrial espionage is the means and rate at which cyber crime allows it to happen.
What used to take a pickpocket a lifetime to steal can be obtained in cyber space within minutes. Information that used to take governments and companies decades to obtain can now be had in days. Whether for financial, industrial or national advantage, cyber crime offers a large incentive to the perpetrator.
On the other side of this coin is the victim. Companies invest millions and billions of research and development (R&D) dollars to invent the next great technology. For this investment, the inventors expect to be able to not only pay back all the investment, but also get a good return on it. If a competitor is able to obtain the fruit of that investment for the cost of a couple of computer hackers, they could be a fast follower in the market. Without having to recoup the R&D investment, the competitor could undersell the original inventors and reduce or eliminate their ability to even recoup the initial R&D investment. Where a company expected to have a multi-year payback on their R&D, cyber crime could reduce it to multiple months. After a couple failed investments like this, a once strong market leader may be struggling financially.
Outside of industry, the situation is very similar when protecting customer and financial information. In this case, instead of the invention having value, the actual data that a company holds has value. Whether it is a fraudulent fund transfer or the theft of credit card or other personal information that can be sold, the goal of this kind of cyber crime is to simply make money for the attacker. Aside from the old-fashioned, stealing-money-from-the-bank-approach, cyber crime has now created a new black market for stolen identities. This offers a quick and easy way for the cyber thief to turn stolen data into cash.
Regardless of the motivation, whether it is directly about the money or a longer-term strategy to compete within a given industry, protecting against these cyber crimes takes the same strategy. From a defender’s perspective, the factor that should distinguish cyber crime from past IT security issues is the level of targeting. In the past, defenders focused on addressing risks that many other computer users faced. When dealing with cyber crime, defenders often see attackers develop or customize their tools for each job. It’s no longer sufficient to simply protect yourself from what everyone else is seeing. The defenders now need to protect themselves against an attack that is customized.
In order to do this, a method called Intelligent Analysis and Adaptive Defense should be employed. Intelligent Analysis and Adaptive Defense essentially allows defenders to not only stop cyber attacks, but to learn from them in order to stop future attacks. By creating a feedback loop, defenders can feed learnings from every blocked attack back into their defense in order to stay one step ahead of cyber criminals. In this model, defenders actually become harder and more intelligent targets with each and every attack.
To successfully implement Intelligent Analysis and Adaptive Defense, a couple of elements need to be in place. First, on the Adaptive Defense side, an organization needs security tools that can be changed and adapted quickly, because the learnings from each previous attack need to be deployed into those tools. The tools therefore need to give the defender numerous methods for detecting attacks, whether signature-based, reputation-based, behavior-based, or big-data-analytics-based, and the defender should be able to use them all. Beyond having multiple detection methods, the tools also need to be positioned where they can see attacks: the ability to detect an attack on the network, on the client, inside email, or via DNS requests is essential. With an arsenal of detection methods properly deployed, the defender can quickly adapt to whatever the cyber criminal throws at them.
Next, defenders need to implement an Intelligent Analysis process. This is the process by which defenders extract all possible information from historic attacks in order to prioritize defensive actions. Should defenders spend time applying a critical patch or perhaps closing an open communication port to the Internet? The answer to that question depends on who is attacking and what they are trying to exploit inside that attack. When someone is trying to break into your home, should you lock the doors or the windows first? It depends on which the thief is trying to enter through. To answer these questions, the Intelligent Analysis process should provide the defenders multiple ways to detect and track a given attacker tool. This way, if the attacker ever reuses that tool, the defenders will be able to detect it. The Intelligent Analysis process should also provide the defender with information around who is behind the attack, other tools they have used and how to detect those other tools. This way, if the attacker reuses anything in their arsenal, the defenders will be able to detect it.
The Intelligent Analysis and Adaptive Defense strategy has been implemented at many large global organizations and has proved very effective at addressing cyber crime. The only issue is that it is resource intensive. Large organizations that are attacked on a regular basis tend to invest the resources to implement a full Intelligent Analysis and Adaptive Defense strategy. Unfortunately, organizations that are attacked only a couple of times a year cannot generally afford to create new teams with the appropriate expertise that then sit around until an attack takes place. This is where a managed service can help.
By pooling resources across multiple customers, a managed service can get an economy of scale that individual companies generally cannot. When one set of customers is under attack, another set may not be. Even when factoring in surge capacity, a managed service provider can get far better talent utilization than the average organization. In addition to this, a managed service provider also allows customers to learn from each other's attacks in a safe, non-attributable manner. As the managed service provider learns from an attack on one customer, they can apply those learnings to all their other customers.
At CBTS Advanced Cyber Security, we offer a full range of security products and services to enable our customers to implement their own Intelligent Analysis and Adaptive Defense based security programs. Whether you are looking for technologies to help start up an internal program or a managed service provider to do it all, CBTS Advanced Cyber Security can help.
Healthcare Transforming Cloud Services
The transformation of healthcare in the U.S. is both challenging and time consuming. One way technology is helping healthcare practices move into the new regulatory paradigm is through cloud computing.
What is the cloud? It depends on who you ask and each cloud provider seems to have their own definition. In general, a cloud-based solution includes a network-based computing environment (infrastructure, hardware and software) that is usually located in a secured data center. Services are offered out of that location over a public or private network where the customers only pay for resources that they use. The cloud also offers the ability to make real time changes 24x7 to the customers’ cloud services.
Specifically, there are several different cloud offerings:
Software-as-a-Service (SaaS) – This is “on-demand” software provided by an Application Service Provider (ASP). The ASP determines and manages all underlying assets (hardware, hypervisor, O/S, etc.) and they are “invisible” to the end-user or customer. Examples of SaaS include SalesForce.com, ServiceNow, and Office365.
Platform-as-a-Service (PaaS) – This is an “on-demand” infrastructure and a library of applications, middleware and/or operating systems configurable by the end-user. The service provider owns all the assets and provides day-to-day systems administration, and the focus is on middleware. Examples of PaaS include Oracle Cloud Platform, Microsoft SQL Azure Database, and IBM SmartCloud Enterprise.
Infrastructure-as-a-Service (IaaS) – This is an “on-demand” infrastructure that typically includes servers, network, storage along with the hypervisor and operating systems. The service provider owns all the assets and provides day-to-day systems administration. Examples include CBTS’ Virtual Data Center (VDC), RackSpace, and Amazon EC2.
The key to each of these services is that billing is based on short-term usage (daily, weekly, monthly), with the quantity based on either number of users or number of units (virtual machines, IP phones, etc.).
Healthcare practices are migrating to cloud services due to lack of IT resources, constrained IT budgets, and required scalability and agility to deliver healthcare services.
CBTS has consulted with over 600 healthcare practices throughout the Midwest and has been offering cloud technology to these organizations for several years. We are helping them navigate through this evolutionary transition through cloud services that include virtual data center (VDC), storage as a service (StaaS) and backup as a service (BaaS), with other platforms in development.
What's Cyber Security?
Recently, Brian Minick, VP of CBTS Advanced Cyber Security Service, sat on a panel of experts to discuss cyber security challenges and strategies with Cincinnati Business Courier Publisher Jamie Smith. The topics ranged from the growing risks to cyber security to how businesses must prepare for, protect against, and adapt to these rapidly evolving threats.
The three-member panel included:
* Brian Minick, vice president, advanced security, at CBTS. He focuses on advanced targeted attacks (ATA), and previously spent several years working in the defense industry.
* Robert Schuetter, IT security chief security officer with GE Aviation. He manages internal and external threats, IP governance, data segregation, the creation of intelligence teams for tracking threats, and resource development for dealing with Advanced Persistent Threats (APT).
* Kevin Cornelius, Special Agent in Charge with the F.B.I.'s Cincinnati Division, which covers Ohio's lower 48 counties and the 5.7 million people who live there, roughly from Columbus south. He has spent most of his career in the national security field, covering both cyber counter-intelligence and counter-terrorism.
Question: What overall strategy or approach would you recommend a company look at for addressing these changing risks?
Schuetter: I think it's going to be based on the maturity of your organization. So if you are just starting out, really focus on getting that incident response plan. The last thing you want to be doing in the middle of a crisis is figuring out who you should be calling, who you should be contacting, and what you should be doing from an approach perspective.
So plan it out, plan out some of the worst-case scenarios you can think through. Reach out to your local F.B.I. office early. Reach out to that service provider that you're going to rely on to do a lot of forensics and analysis. Trying to write T&C – terms and conditions - is not the best use of your time at that point, so get that done early.
For those middle-tier companies that already have an incident response plan that is pretty solid, start looking to the intelligence feeds, the sharing organizations. A lot of the ISACs out there - Information Sharing and Analysis Centers - are good to contact. The financial sector has a great one. Start building up that shared pool of resources, so that you can share within your own industry or organizations what you're really looking at and what you're seeing out there.
One of the great values is that even if you've been successful getting the attacks stopped in your organization, see who else is getting hit currently and start learning from their events. It's tremendously useful, you bring that inside and then you're ready for it. Then, for the top-tier companies, if you've gotten that information sharing and you have that Intel, then it's really looking at threat modeling. That's the one big thing that really changes from a reactive company to a proactive approach. Look at the entirety of the attack. GE uses a model created by Lockheed Martin called the cyber kill chain. It's the idea that within attacks that are looking at intellectual property, it's going to be happening in certain phases. They're going to be looking at who do they want to attack and how do they want to approach it.
For example, it could be when something arrives as "Notes from this event". So take the Notes and weaponize it. Find the audience you want to go to, weaponizing something to deliver, and then finding that delivery mechanism, whether it's an email phish or whether it's an attack against your websites that goes into some type of exploit. It has to come in and get onto one of your systems, and install some of that first stage malware.
A lot of the pieces that we're talking about with intellectual property and the safety with that are going to be beaconing back out to a command and control server. All this has happened before a lot of your mechanisms for everyday security really hit.
Then all of a sudden, post-compromise is that final piece that we get to take some action on. Now it's got command and control, now it's looking for action on intent.
The scenario of a business responding to an incident is that we go out and find that piece of malware and send it off to a McAfee or another security vendor and we get a new signature. Well, as security leaders we have to realize that is the easiest thing for the attackers to change.
When we want to be disruptive, we want to be disruptive across the entire attack. Yes, you may have that new signature and you may be protected, but you didn't close down that command and control path. We didn't close down the email address that it came from. Let's look at the entirety of the attack and try to shut down each phase of it, so we are disruptive across the entirety of the attack. That is what it means to be that next generation, to be mature in that space.
Question: Do you believe most companies these days are still stuck in being reactionary or do you think many of them have gone to a more proactive approach?
Schuetter: Very much so it's reactionary. And it is reactionary based on one small component of it. So I think that those top-tier companies out there are really looking at holistically what can we do and holistically, how can we share that information. So we are not just sharing here is the one piece of malware and here's how you find it, but we're also sharing the whole context of the attack.
Question: There are numerous companies and products out there that are advocating different incident detection approaches. There are press releases from this industry that include terms such as behavior-based, anomaly detection, and active defense. What do you think are the critical elements of an intrusion detection strategy?
Minick: I'll go back to Bob's point. It depends on where you are from a maturity perspective. The first step is just becoming aware of the risks that you're dealing with. I was just having a conversation this morning with someone about trying to determine what your risks are. It's often hard to figure it. Many of the companies I talk to don't think they have anything that is sensitive that anyone would really want. Then you start poking around and you're an international company and you're doing real estate deals in China. Maybe someone is concerned about your negotiating position.
Perhaps you are a supplier to a major company and you actually have their data on your network. Maybe it's not you, but your customers' information that they are after. There are all kinds of different factors that go into that. First off, figure out what risks you're dealing with, look at what exposure you have, and why would someone care about you. Once you know that, then look at how you protect that stuff. There are a ton of things out there to talk about. Look at what are the best ways to catch targeted attacks, what are the best ways to go after bad guys. But here is the deal: you are no longer dealing with a computer program at the other side of that computer. You're dealing with a person. I don't care how good you are or how good your product is; eventually a person is going to figure out a way around it. So, years ago behavior-based detection was the coolest thing in the world. Look at a virtual machine and see what it does, and if it does something malicious we tell you about it. That's fantastic and it caught a lot of stuff. But then bad guys started figuring out they're on virtual machines, so they decided to put something in that makes the user click. Well, darn, now my virtual machine doesn't work.
What you really want to go after is a way to have an adaptive defense that you can change over time. It's not about having the right technology; it's about having the right framework. I think that is part of what Bob was talking about as you mature, having a framework that can take information about who is attacking me, pull that apart, and then ask how we update our defenses based on that. It's more about tailoring your environment and having tools that you can use to tailor it.
So it's great that you do behavior-based detection. It's great that you do big data analytic detection. But what's the next big thing and are your tools able to adapt to that and do they have a framework inside of them that allows you to take detection engines and switch them in and out when the latest thing we're doing today isn't working anymore because the time will come when the latest thing we're doing today isn't working anymore. So as you're looking at tool sets keep that in the back of your head. How is this thing going to change over time as the attacks change over time and as your risks change over time because they are going to change?
Question: Given the wide variety of technological solutions, how important is the human component in cyber security?
Cornelius: I think we would all agree it's critical. Just as Bob mentioned, the phishing schemes, it happens all the time. It's just a click and it's directly to someone in the company. It starts the patient zero, if you will, as far as the intrusion. On social media sites we see a lot of reconnaissance that's being conducted just on LinkedIn or other social media sites. Often we put information out there that draws them to certain specifications of our systems to be able to get further into it.
I think the insider threat is also a significant threat, just like Bob was saying, the kill chain of events if you look at it from a tactical or a military standpoint, that same idea has been around for a long time. It's commonly referred to as the 3FE - Find, Fix, Finish, Exploit, Evaluate – and then you repeat the cycle. That's what our adversaries are trying to do. If you have something valuable, then someone probably wants to get that, so where do you place it?
If you make an analogy of your company – however big or small it is – you want to segregate the things that are most important. Locally, we use the analogy that if you had a castle somewhere in the very tallest building of the castle, that's where you're going to have your most valued treasure. Then you're going to have the moat and the people and the gate that is going to be narrowly focused. You're trying to protect that with people, and the aspect of social media as it's going through. I think the defense in-depth and it's looking at not only the systems and the technology we're using, but the people who are running it or the actors that are actually trying to attack us as well.
Minick: I think there are some education pieces that we can all do as well. We've talked a little bit about the phishing piece in social media. I've talked to a lot of the companies now out there that have mature security teams, and the one thing that they all say is our communications departments, our folks who are on LinkedIn, have the things they're working on listed on their LinkedIn profiles and they are the people really getting phished.
It's not necessarily the top vice presidents and executives all the time, it's a lot of the individual staff level people who have their names out on these social media sites that really are getting targeted.
Cornelius: Every year at the F.B.I. we have to take a training course that is mandatory training, and it is that knowledge that the individuals have that is going to keep you from having a zero-day phishing scheme, so you don't open that email or you make sure that you're protecting the information that you're downloading and how you are carrying it.
Minick: I think even on the security side, having people involved in that process, I think many people want to say what tool do I buy and put out there that is going to make me secure. Going back to the nature of the threat, you're not up against a computer anymore; you're up against a person who has actively tried to figure this out. You need intelligent analysis, people looking at what you're finding to draw conclusions and figure out what your next steps are. At CBTS we're trying to advocate something we call intelligent analysis and defense. You have good people looking at that and what's happening in your environment and that drives your defenses as you go forward. It allows you to tailor that environment.
Question: Brian, even with a strong IT security program in place, is it reasonable to think that a company today is never going to be breached, and if not, what are the strategies that can help them with the impact of that breach?
Minick: I suppose it is possible to say that I'm going to architect my environment in such a way that I am not going to be compromised. The problem is that company is not going to be able to do business. So, yes, you can secure it until it dies. Think about it, is it possible to keep someone out of your home, someone who is really determined. Is it possible? I lock all the doors, so they break a window and they come in. Ok, so I put boards over my windows, so they cut a hole in your roof. I reinforce the roof. At the end of the day they are going to get in there or you're not going to want to live in that home.
I think the challenge there is to figure out how do you balance that. What is the risk and reward? Business leaders are good at doing that. That's what business is about. I'm looking at the risk of a certain venture; do I invest in this new product? What is the risk involved in that. Security is the exact same way: do I want to assume this risk by leaving this open, by not protecting this, by creating a certain functionality that I'm going to get productivity out of, there is probably risk associated with that. But you have to put it in business terms to figure that out. So, can you secure a company and never get breached? No, you always face that risk.
Strategies for abating that and trying to manage as much as possible, again, come back to understanding what those risks are. Why would someone come after me? What is the most critical piece of information that I'm going to put in the tallest tower out there?
Protecting the flyer to the company picnic doesn't make sense, right? But protecting the piece of information that you just spent $1 million in research and development on, or maybe my customer information, that does demand and justify more investment in infrastructure around that and due diligence on your part.
Understanding what you have in your environment and what you want to protect, and standing up an intelligence-based process that recognizes that there are people who need to have this information, so let's form a relationship with them. Let me also form some relationships with people who are familiar with the risks that are out there with some of this stuff, and just becoming more informed about what's there, and what you're dealing with is critical.
Schuetter: I think that's part of what we need to flip with the security classic model is we're very tool-focused, very IT-focused, and I think one of the most valuable pieces we got into working with the business on who is trying to target you and what are they trying to steal, things like that, is not necessarily critical to maintain viability. I think that is where a security practitioner can really increase their overall value to the company if they start talking on that business level and some of the impacts and risk factors. That leads you into, quite honestly, very different things like the insider threat risk.
You start broadening out what you're trying to protect and how you're protecting it.
Cornelius: Brian mentioned relationships and I think that is key. As far as the cyber security aspects of the Bureau, we have a new mantra and it's called Next Generation Cyber. What it's really looking at, beside how we're going to attack some of the actors who are attacking us from a national security perspective and then our goal in the F.B.I. is to prosecute people, for the most part, to put people in jail.
How we identify those actors, wherever they are globally, and bring them to justice, that is our primary focus, I think right alongside of that is our ability to build relationships and partners within communities, within different sectors, if you will. And taking those sectors, in Bob's case, career defense contractors, they have targeted technologies, and then building those relationships and seeing how we can assist to build relationships within that sector. The same thing with critical infrastructures as far as government, gas, oil, electric industry or universities being able to take intellectual property rights and being able to protect them.
For relationships, if I were to go back to 2003, two years after 9/11, the relationships that we built in the joint terrorism task forces were just beginning to mature. I think today the response that you see from those relationships, maybe in the act of shooting – even though it wasn't categorized as an act of terrorism yesterday (recent Navy Yard mass shooting) and probably will not be – that response of those relationships is very quick. It's the unified command structure that is there.
I think we're in about 2003 in our relationships right now with the cyber community. And we're looking to go forward to detect, deter, or disrupt any type of actors that would be taking information, data, ideas, innovation away from our companies in the United States.
Schuetter: I think a lot of the business leaders have a real good handle on what is their competitive edge. I don't necessarily know if we know where it actually lives. So as you start to identify that and do that discovery, it will be interesting to see how much of that is actually outside of your company, how much of that is shared with your partners, how much of that is spread across different areas on PC's, or on removable media drives. That is one of the learning pieces for us as well. You think that everything is in the tower and you find out that they're creating things out in the foyer and they're moving it into the tower.
Minick: But you mentioned a number of resources available to the defense industry, energy, and critical infrastructure, things like that, I think I want to emphasize to everyone – because I know not all of you are in those spaces – just because not all of you are in those spaces and have those resources available, does not mean that there is nothing available out there for you.
That's where I think building relationships with people who do understand the risk, and may be able to have conversations with them may open your eyes to some of the possibilities of what's going on.
This here is the thing, a lot of the people who have been dealing with this for years were dealing with it and didn't even know it for years because it was going on under the covers. Unless you're looking for it, it could be there. And that's part of the whole strategy of how it's being implemented. It's slow and low. You're not supposed to know that it's happening. And it's being siphoned off.
Talk to people because the risk that you may face may be bigger than you think it is based on whom you're doing business with, the type of work you're in, even personal information if someone is trying to make money off of that. It's not all just defense secrets; it's not all national interests or national security.
Cornelius: If it's valuable, chances are someone may want it.
Minick: Most of us have something that is valuable, that's why we're in business.
Schuetter: Even on the supply chain side now, we're seeing a lot of movement out of top-tier companies that have a lot of good protections in place and into those suppliers, those third parties that you're doing business with.
Question: There is a debate in industry when a person gives his or her notice that they are leaving. Should you ask them to leave immediately or give them a day? My attitude is that they already have anything that they want (to take with them from their current employer). How do you prepare yourself so you don't have to worry about what they want?
Minick: The industry statistics of how many people, when leaving a company, take something with them, is 30%-40%. It's incredible to talk to companies who say, "We have the best people. They're fantastic. They wouldn't do that to us." Then you start taking a look at reports when people leave and what files they copied, and then eyes get opened.
Question: Bob, let's talk a little bit about pending legislation and regulatory changes out there. What is your take on some of the House and Senate activities? And how are they going to impact business?
Schuetter: I won't get into a lot of specifics of it, but overall, I think that we need to figure out a way to interact, both within the industry and up to the government sector. And that's really one of the key pieces. Not everyone can have a clearance. Not everyone can have the true scoop of what is going on. But we need to be able to find a way to share back and forth because one company cannot stand alone, we just cannot.
From a country perspective, a lot of the targeted attacks aren't necessarily targeted at a business; they're targeted at a technology because that technology is shared between companies. So you have to figure out a way to protect the overall sector from sharing that information, not having that liability because we did the right thing and figure out how do we share it backwards as well. How do we take some of that information, declassify it and get it down into the private sector to utilize all of our capabilities as a whole because a detection engine as a whole are phenomenal; as individual pieces, those dominoes will eventually fall.
Cornelius: I will be the first one to say that the F.B.I. doesn't share completely, and we can't to some extent. Things that are classified, to get those declassified, we are going to be very slow to provide that information out, but I think that as we're building relationships, particularly as the business community is building relationships with each other, you're going to be much quicker, faster, agile. The government is not always agile and everybody knows that, right?
That is when we sit down in our InfraGard meetings - and InfraGard was started probably just before 2001 - to review cyber. It was really looking at the critical infrastructure that we have and it really has evolved to where it's looking more at cyber and our sectors, and how we divide that up. How do we take flash messages that we have and we'll send that out over a VPN network that's at kind of a higher level, it's not classified, it's unclassified, but it's still at a need-to-know-type basis. Trying to get that information out quickly is always frustrating to a high-end, high-performing cyber security group, but by the time they get that information it is fairly old.
That's our challenge to take information, turn it around quicker and have every data network so we can actually house the most recent malware. There is a difference and we're trying to work through. The difference between working with state and local law enforcement, that's something that we do all the time. Working with competitive business is a little different from a legal standpoint, and it gives us some angst: how do we share information with one business and not all of the businesses? That is something that we are still trying to work through.
Question: Is it true that many companies are reluctant to contact the F.B.I. after they've been hacked?
Cornelius: I think there is a fear. When the F.B.I. shows up at your house, it's not like everybody is, "Oh, thank God, the F.B.I. is here!" But we are here to help. I think a lot of people are afraid because they think the business is going to be exposed in some way, negatively. We work with businesses all the time. And even from a prosecutor's standpoint, there are steps that we take to ensure that that business doesn't lose credibility in the community. You truly can trust us. We're looking for the betterment of the victim that is out there, and the last thing that we want to do is put them in a worse position than what they were when, maybe, they were victimized.
Question: Are there steps the F.B.I. has taken to make people feel more comfortable, so they will disclose things to you?
Cornelius: I think it is going to come from building relationships, building trust over time. I think it is the same within the public community. The public being able to talk with state, local, and federal law enforcement, that comes with time. In Boston (the Boston Marathon bombing) or the incident last night (Naval Yard mass shooting), we can say we're looking for information about an individual. We can do the same process through cyber. It's just a matter of getting the information out there. And when we collect it, we can share it back or we can do something to remedy it.
Question: With all the news around intelligence-gathering capabilities, what role does intelligence play in securing corporations and what kind of intelligence does come into play?
Minick: I think you've heard it here throughout the morning. Understanding the risks, understanding what's coming at you is critical; broadly I would consider that intelligence. Beyond that, you want to be able to dig into, under the covers, not just what is the risk and what's coming after me, but how is that coming at me? How is it being used? What, specifically, are these actors doing, whether it's in my industry, whether it's in my environment, whatever it may be. That is what I would consider intelligence, understanding what's happening in your sector, in your environment.
It's that intelligent analysis and adaptive defense piece, and building it back into your defenses. We talked about legislation a second ago. In my opinion, legislation is kind of a double-edged sword. You have to set a bar everywhere, where people have to measure up to, or inevitably, you're going to just have people ignore the things all together. But at the same time, legislation could actually be detrimental as someone focuses on hitting on this thing that someone picked as a good thing to do in a security, as opposed to implementing something that is going to deal with a specific threat that I am dealing with today. It's a double-edged sword, so you have to draw that line. But at the same time, it's not necessarily helping you with the specific threats that you are dealing with, so having that intelligence and knowing what you are dealing with helps you prioritize within your environment.
We used to talk about the intelligence-driven processes and using the intel to set priorities within the overall security program, what am I going after? The auditor came in and said this password reset policy has got to be revamped, but at the same time I've got a known hacking organization banging away at my VPN, which one am I going to go after? The VPN, right. There are a lot of intelligence services out there and they'll give you a feed of intelligence. They're going to give you things like file hashes – things like – if you see this file, it's bad. If you see this URL, it's bad.
To the point Bob made earlier, that's very easy for an attacker to change. How hard is it to change the hash of a file or to change the URL that you're using? It's very easy. What you want in the intelligence piece is something that is more on topic, something that has more longevity. It's core to how the attack works. So if you can get to that – how the attacker is actually operating – so in order for them to change it they're going to have to completely rewrite their attack, that's the intelligence that you want, that provides value. You can track them, you can follow them, and they have to change it. They have to really do a lot of work to change that. File hashes, newsfeeds, things like that, you can put the label of intelligence around it, you can put the label of basic intelligence around it, but really what you want is that core information about how does this work? How can I track this over the long-term? And then you turn this into how do I prevent it, how do I put up substantial roadblocks. You want to look at bang for the buck. If it is going to take me five weeks to implement this protection measure, is it going to cause the bad guy an hour of rework or is it going to make him completely go back to the lab for two months? That's the one you want to go after.
Schuetter: We need to be historians. We're GE, so we love data, right? But we really do need to understand the history of the attacks. I can guarantee that if you've had a compromise and you've done nothing but just put that environment back up, they'll come back in and it will be compromised. They'll change one or two other things because they're expecting you to have just a signature update to your anti-virus. So understand what accounts have been compromised. Understand what servers have been compromised before because those are very interesting to you. Maybe you put those in more of a tower. Change the user names, obviously change all the passwords. Have more defenses around those components because you will see that hit again, you will see the attempt go back.
The more history and the more data you have behind it, as well, also helps you in those conversations with your auditors or compliance or whoever else they may be, say here is what priority really means to me. A lot of what we've done in focusing our different teams is based on the history of all the attacks. Based on that I can look at my tool sets that are working and that aren't working. For every attack, I'd love to say go through every tool you have and figure out which ones fired and which ones didn't fire. Go have talks with your vendors, go have talks with your intel teams to figure out how to improve that tool set. I think that's really a valuable piece of it, that post-incident type of review. Review it with your IT group to figure out how you change that structure to interrupt that attack.
Minick: You know it is interesting. You're tracking your tool sets. Let's face it. I'm sure all of us have a wad of security tools in the environment. Tracking those against the attacks that you have, and mapping out the grid, tools down the side, attacks across the top, which tool detected or would have detected this attack. You might find out that you have a decent number of tools that haven't done anything for you, and you're spending a decent number of resources in maintaining those things that are one, either not doing anything, or worst case, generating false positives and consuming resources on your team. That is some resources that you could free up, so just dump that tool and go after something that is a little more valuable for you, graphing it out that way, putting it in that grid is extremely insightful. Oh, my gosh. I'm spending how much on that? It's a work generation tool. I'm actually paying for it to generate false positives and work for my team. Let's get rid of it.
Schuetter: And the flip side of that is that you can measure security awareness training. So we measure each tool set and the effectiveness of each tool set. Yes, some attacks will get right through your tool sets. How often did your user population catch that for you? That's really the value of that security awareness piece, that phishing awareness piece, to bring up some opportunities for you to look at because you can really start to measure how good your overall program is for security awareness and what value the training really has within your environment.
Cornelius: In the F.B.I., just solely looking at intelligence, we say often that intelligence drives operations. And for us, it truly does when we're looking at a prosecuted finish. Again, so I'm taking the kill chain that people are using against you in cyber, now I'm using it from a proactive standpoint for the F.B.I. I want a find, I want a fix on a target, and I want a prosecuted finish because I can't actually put a missile inside of a keyboard and send it to the user on the other side, but that is coming. But actually, we want that prosecuted finish.
So the intelligence, the historical gathering of information becomes, for us, evidence, it becomes a prosecuted end to our means. We have three different lanes in the road as far as the United States government, so the F.B.I. is looking at that establishing a specific cyber intrusion squad, and that's what they're looking at all the time. They're collecting information. They're building cases. We also have that public outreach and then through Homeland Security, that other government agency, they're pushing that information out to our partners.
At the higher level, the agency that shall never be named, the National Security Agency, they are protecting America's greatest secrets and ensuring that those things are not passing our borders through cyber intrusions that are coming into the United States. So working together, staying in our lanes, the F.B.I. is looking at collecting that, working with communities, working with law enforcement, with business to be able to provide that prosecution finish as well.
Question: It's amazing that with IT, the three of you have used the word "relationship" more than I think I have ever heard. When I think of IT, one just thinks there is a bunch of machines back here that is going to do everything. But the message that is here is that you have to build those relationships so you are prepared. And once something happens you have to have that relationship to quickly be able to react.
Minick: And I think that is how the space is changing. If you look at traditional security people and their mindset is not that I'm in a dark room with the shades down, heads down, just trying to do something. That worked great when you were dealing with a virus that everyone else is dealing with and you do the same thing over and over and it works over and over again. But now that you're dealing with people, on the other end of that, you have to have relationships to see what's going on out there. A lot of times as you look across the industry whether it's vendors, providers, whatever, they don't understand that change. They have been in the space historically and they haven't gotten their heads around that. And what you're seeing with the panel here today is that you need a new approach, based on the risks you're dealing with today.
Question: Brian, there have been reports on everything from cars to insulin pumps being attacked. How seriously do you think companies are taking product security and what can they do to better protect their products?
Minick: I think it's something that people are starting to come to grips with now. There is a lot that can be in that space. You take your typical product engineer, they haven't been trained on security. They haven't had to think about it. It's all about getting the function out there, in time. To hit the market at the right price point, things like that. That's what they're thinking about. And now you're starting to see reports about these things, these new technologies being used in a nefarious way, if you will. I think it's become a big challenge. And the skill set is still lacking out there. There are not a lot of people who understand those risks and can articulate that, back to a technical community, such as product engineers, things of that nature.
Yeah, I know within GE we put a huge focus on security and product safety, it is one of those things as we start talking about the Internet and anything with a power cord is going to be connected into the Internet, if you will, because of this idea of big data analytics. Everyone wants as much data as they can get so they can really look at modeling, understanding how people are interacting with their products, understand really how they can help out. So it makes sense from a business perspective, part of what we figure out is that shift of the security job, how do we enable products? How do we enable folks to go to the market faster? That's a tough thing to figure out right now. As you're going with rapid prototype and rapid development, how do you get security review, how do you get security analysis in and done on that on security features.
Schuetter: Also, I can see a day when security features in a product become a competitive advantage. A company can sell that their product is more secure than my competitor. I can see that coming.
Minick: I think product security really is that next big generation, evolutionary change within security. It's going to be something that we all are immediately dealing with. The Black Hat presentation on smart TVs and taking over the camera of your TV sets was an eye opener for me. Now we really have to look at the privacy perspective as well. How can that be used within my department as a company?
Question: How does a CISO educate senior management and board on cyber security and privacy issues?
Minick: I've had a saying for a while, and that is never let a good disaster go to waste. And whether that is your disaster or someone else's, get that in front of people and help them understand that the risk is real and I think there's still a decent number of people who believe that's all crime novel stuff, or for spy things like James Bond, but it's real. It's happening every day. There is not a day that goes by that you cannot pick up a paper, a technical publication and hear about the latest breach of some sort in some industry. It probably applies to you.
So whether it's within your environment or in your industry, never let a good disaster go to waste. Take that, help them understand what has gone on out there. Make it real to them. Help them understand that this is impactful to us and we need to care about it.
A lot of senior executives are going to conferences or reading trade rags, or whatever. Taking those real situations that are analogous to your company and saying hey, this is what's going on out there. And be prepared for the question that comes back: what do we do about it? Don't go in there unarmed and unprepared for the follow-up, and I guess that's where relationships come in, to be able to talk to people like us who understand what's going on there.
Schuetter: I think the opportunity is back to the history, know the history within your company. If you've seen attacks and can then start to quantify what we're starting to see. The more you can come out with real details, real data, that says exactly who is targeting us. We work with the F.B.I. They've given us at least a broad range of folks who are interested in this type of technology, especially if you have some of the examples, especially if you have sharing partners out there, those conversations are really valuable. The other part of never let someone else's disaster go to waste either. In our industry, here is what the leading companies just saw, here is the volume of attacks that they're dealing with. If you don't have the capability yet to what is in your space, I think the conversation of here is what my partners are seeing within the industry and here is what the F.B.I. or the government entities are telling us about. It's not one industry leader, they're targeting everything. Here is what's happening and here's as much detail about it.
Question: Do you always know you've been breached and how often does it happen?
Cornelius: You do not always know you're breached, but it really depends, as both Bob and Brian are bringing up, how good is your reconnaissance, how good is your scanning mechanisms in place, whether it's outside the company. How quickly can you come together when you realize that there's a breach? And then identify how long has this been going on. I think if you're in Bob's circumstance, you're actually able to watch that take place and you're able to shut it down at a certain point in time. So the answer would be no. If you don't have your sensors out, you may not know that you've been breached. Sometimes if you don't have your sensors out, you may not know that you've been breached.
Schuetter: Getting back to Brian's point: what do you have at risk. So if it's true APT (Advanced Persistent Threat) perspective, true government entities looking at stealing important property, if it's truly that component, they already have one of everything. They have your anti-virus platform, your firewall already, and all your intrusion detection devices. They know the threat is going to go right through, especially if you are in one of those industries that are highly targeted that is kind of the tough part of it. As companies are starting to get the knock on the door from the F.B.I. or government entities, that is the eye opener right now. And trying to figure out how to get ahead of that is really the challenge for everyone, I think. That's where the industry sharing, the working with some of the top industry partners out there, you can learn a lot from benchmarking and their capabilities and experience.
Minick: Coming from the defense industry, and moving more into the services space, and trying to help people with security, it's interesting we would contact people that you've got an issue on your network and it's like watching them go through the stages of mourning.
Denial. No, I ran my anti-virus. There's nothing wrong in my environment. Then you show them some information and kind of validate that this is what I saw. And then they start getting angry. How could this happen?
Finally, there becomes acceptance with the whole thing. Now what do I do. And it follows that model, a lot, and it is almost every company that I am aware of was introduced to this risk by someone else, not themselves. So, yes, I would say the vast majority of the time people are compromised and don't know it, at least initially. And then there is also another saying in the security industry, for a CISO when they get "the call", a year from then either their budget will have been doubled, or they will have a new job. And that is true from many interactions I've seen. So never let a disaster go to waste, once you get that call. Or if you want to be proactive to help you, bring in someone who has seen it before and can help you do that is probably worth it.
Schuetter: It's a much better standpoint to say we caught this, than to say we were just informed of this.
Minick: As much as we like Agent Cornelius, a 3:30 p.m. Friday call from him is not what you want.
Schuetter: Do you have that instant call plan in place? Do you know when the officer of the company says what do we do, do you know what that is? Can you say we already say that we have a relationship with the F.B.I. We already have a relationship with a security company that can come in and do forensics for us. I just need this amount of money and that is then that they are going to be able to show exactly where the attack happened and where we need to improve our defenses already in place and ready to go is really valuable.
Question: With smart phones, laptops, people on VPN, people working from home, it has to just increase the threat tremendously. As a company, what is the deciding point on how much control you let out? What is the deciding factor? How much control do you let out of the four walls of your office?
Minick: There are two ways to look at that. Yeah, especially with Cloud, which is huge right now. But it is outside of your area of control. If you are a new company starting out with not as much of a security routine, that Cloud provider may have better security controls than you have, honestly. If you are a highly targeted area, the Cloud provider may not have the intel to know what is really impacting your industry. What you have to really ask is how much risk are we willing to go with to get that reduction in cost?
A lot of companies that I've seen out there have taken this idea that crown jewel data, the thing that you want to put in that tower, it just doesn't go into the Cloud, it just doesn't. But the photo of the company picnic, some of these lower level pieces, from a competitive advantage perspective, aren't going to impact you as much as possible. And if you can go through and work with your business and identify what is the crown jewel and should have extra protections and what is commodity level, PowerPoints and Excels, things that aren't directly showing what your competitive advantage is, that is the kind of stuff you really want to have targeted, let's get that on the lower level cost platform out there. Mobile is a whole different world, mobile is a tough game right now.
Question: The Cincinnati Business Courier has a program called Fast 55. They start out very small, one or two employees, but within a year they have had 300%, 500% or 1,000% growth. What would you say to that CEO who goes from two employees to 80 in a year? What are the steps?
Minick: I would say it comes down to business decisions, leaders are used to making decisions based on the business and this is the exact same thing. So security leaders in the past, I believe have not framed security conversations in the right light, here's the risk, here's the reward, the potential payoff. It's almost like putting a business case together. So, for them I would say look at it that way. What do you think are the risks you're dealing with based on the industry that you're in? Have some conversations.
And if you're thinking about going into a new venture, whether it's developing a new product, going into a new market, what are you going to do? You're going to do some analysis to see if this makes sense, to understand the risk of that, to understand the potential reward of that. Exact same thing here. Talk to some people who are out there to understand some of the risks. Assess that and then you can make an intelligent business-based decision about is the productivity there, if I want to bring mobile onto my phone? Is it worth the risk or not? And that's going to be very situational. It's going to be like any business decision, should I branch out and move into this market in which we have never done business before? That depends on your business. It's the exact same situation. It's the same type of analysis that you're going to do in that same space.
Schuetter: I'll also say again, back to the people, regaining resources in this space, right now it's a very competitive landscape. Holding on to those security resources once you have them is also difficult. One of the things I would say is that a lot of the companies ask which source of intel should I buy, and what tool set can I buy. I'd much rather tell you to put those resources and that money into building up a good team, into the people.
Find those one or two seeds that can really build up your overall organization. You don't have to have all rock stars in it, but two or three people who have been there and understand some of your industry's best practices, can be really valuable. They can then start to train and bring up some of the other talent that you have in the organization. So back to how do you retain resources, how do you attract resources, which are really one of the big games that we're going to be playing out there from a security perspective. So I really think that does leapfrog you into that space, especially as you're growing tremendously.
Information contained in this discussion is meant to raise important issues with this topic, but is not intended to take the place of individual advice provided by qualified cyber security professionals familiar with the particular needs of your business.
What to do with Threat Intelligence (II)
This is the second article in a series regarding security threat intelligence.
To be sure, security intelligence isn’t easy for a new or under-resourced program to undertake - but it’s far from impossible. Let’s look at where to start.
First, decide how deep you want to be. Those looking to simply gather threat information and make informed risk management decisions could take a very simple approach, choosing to focus on, for example, high-profile data breaches against others in their industry.
Some organizations may be ready to monitor their environment for specific technical indicators; others may want to begin with more general behavior. Financial institutions might look for patterns of transactions that indicate fraud. Manufacturers might use data loss prevention (DLP) tools to monitor network traffic for theft of intellectual property. Software developers might set up search engine alerts to see if their source code has been posted online.
If looking for technical identifiers is within your capability, it might be good to start with a limited scope in mind. Do you want to examine network traffic? Are you most interested in one specific protocol or application - just email or web traffic - or more? Would you limit yourself to a certain location on your network, such as the internet perimeter or the DMZ? Maybe you want to monitor endpoint systems - but just critical servers? Eventually, you might expand to user workstations or mobile devices.
Next, choose your sources of data. How will you learn about the threats that could affect you? The low-hanging fruit in this step comes from news headlines. When a breach hits the front page of the New York Times, scour the article for technical details. How did the attackers gain access to the data? What tools and techniques did they use? When the Times doesn’t have the information you need (they probably won’t), search further, or find the company that discovered the breach. As you read about the attack, ask the question, “If this happened to us, how would we know?”
Security researchers often discuss new and interesting attack techniques, online via social media or industry publications, or at conferences like Derbycon (www.derbycon.com) and Blackhat (www.blackhat.com). A few hours at a conference will leave you with more than enough threat intelligence to worry about for the next few months! The trusted reputation of the researchers you choose to listen to is key for the credibility of this source.
Collaboration has become more common. Security and technical staff from peer businesses - even competitors - in some industries have formed casual birds-of-a-feather relationships that meet regularly to share intelligence. This might include recently seen attack techniques (“check out this phishing email we just got hit with”) or even breach details (“they raided our source code repository to find all the bugs in the application we’re working on”). Hesitation to share and mistrust of peers have begun to give way to a “united we stand” approach that has been extremely effective - especially in the financial services and defense industries.
Law enforcement may also have useful information about recent attacks they’ve investigated. While sharing specifics about the target organization is typically frowned upon, they may be willing to reveal how attacks happen and key indicators to watch for.
Internal research is probably the most effective way of obtaining threat intelligence. As attacks occur, security research teams will review the details of each tool or resource used by the attacker, and document it for future use. The documentation would include network identifiers, such as command and control hosts or protocols used; host-based identifiers, such as common storage locations for tools or registry keys left behind; or descriptors of binaries that would be obtained from reverse engineering malware, such as a common code-signing certificate or imported library.
It will be helpful to prioritize your data sources. You may consider certain sources, including peer intelligence or internal research, as more trustworthy than others, such as public research.
Then, determine how you will track your intelligence. It should be stored in a secure location accessible only to the security staff that use it; but it should also allow for easy collaboration and use by the organization’s tools. Common storage systems range from low-tech spreadsheets to password-protected wikis.
Noted security research firm Mandiant has pioneered an open standard called OpenIOC (IOC standing for Indicators of Compromise) to describe technical threat identifiers. This standard enables you to write simple or complex descriptors in a file. This file can be edited using their IOC Editor. Endpoint systems can be reviewed to see if IOCs are present with their IOC Finder tool. Both of these tools and the schema can be downloaded for free from the www.openioc.org website.
Threat intelligence does require some care and feeding. A process to decommission intelligence that is stale or no longer useful should be implemented - otherwise an organization’s database will quickly grow too large to be effective. You may consider eliminating indicators after a certain period of time, or a set number of weeks or months after their last detection in the environment.
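The following Python is an added example that is not from the article and is not Mandiant's IOC Editor or IOC Finder: it parses a small OpenIOC document like the ones described two paragraphs up, evaluates the nested AND/OR indicator tree against a host, records the last detection date, and applies the retirement rule from the paragraph above. It assumes only a subset of the OpenIOC 1.0 schema (Indicator nesting with an operator attribute, the is/contains/starts-with/ends-with/matches conditions, case-insensitive comparison) and a simplified host model where each search term maps to the list of values observed on that host; the document, hash, path and registry value are constructed placeholders.

```python
"""Minimal OpenIOC evaluator plus indicator aging (added example, not the
article's or Mandiant's code). Host data and the IOC itself are constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC document; the MD5, path and registry value are placeholders.
# Logic: top-level OR of (a) a known-bad hash, or (b) a suspicious path AND a
# persistence registry value seen together on the same host.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2013-09-01T00:00:00">
  <short_description>Example dropper (constructed)</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000001</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="combo">
        <IndicatorItem id="i2" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\AppData\Local\Temp\svchost_</Content>
        </IndicatorItem>
        <IndicatorItem id="i3" condition="is">
          <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/>
          <Content type="string">UpdaterSvc</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Simplified host model (assumption): search term -> values observed on the host.
HOST_CLEAN = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "FileItem/FullPath": [r"C:\Windows\System32\svchost.exe"],
}
HOST_PARTIAL = {  # suspicious path but no persistence value: AND branch must fail
    "FileItem/Md5sum": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
    "FileItem/FullPath": [r"C:\Users\bob\AppData\Local\Temp\svchost_x.exe"],
}
HOST_INFECTED = {
    "FileItem/Md5sum": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
    "FileItem/FullPath": [r"C:\Users\bob\AppData\Local\Temp\svchost_x.exe"],
    "RegistryItem/ValueName": ["Run", "UpdaterSvc"],
}


@dataclass
class Indicator:
    ioc_id: str
    description: str
    tree: ET.Element          # the top-level <Indicator> element
    added: date               # when it entered our store
    last_seen: Optional[date] = None


def parse_ioc(xml_text: str, added: date) -> Indicator:
    root = ET.fromstring(xml_text)
    desc = root.findtext("ioc:short_description", default="", namespaces=NS)
    top = root.find("ioc:definition", NS).find("ioc:Indicator", NS)
    return Indicator(root.get("id"), desc, top, added)


def _item_matches(item: ET.Element, host: Dict[str, List[str]]) -> bool:
    """One <IndicatorItem> hits if any observed value satisfies its condition."""
    term = item.find("ioc:Context", NS).get("search")
    wanted = (item.find("ioc:Content", NS).text or "")
    cond = item.get("condition", "is")
    for seen in host.get(term, []):
        a, b = seen.lower(), wanted.lower()   # case-insensitive, as in OpenIOC 1.0
        if cond == "is" and a == b:
            return True
        if cond == "contains" and b in a:
            return True
        if cond == "starts-with" and a.startswith(b):
            return True
        if cond == "ends-with" and a.endswith(b):
            return True
        if cond == "matches" and re.search(wanted, seen, re.IGNORECASE):
            return True
    return False


def evaluate(node: ET.Element, host: Dict[str, List[str]]) -> bool:
    """Recursively evaluate an <Indicator operator="AND|OR"> subtree."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]
        if tag == "IndicatorItem":
            results.append(_item_matches(child, host))
        elif tag == "Indicator":
            results.append(evaluate(child, host))
    if not results:
        return False                          # an empty indicator never fires
    is_and = node.get("operator", "OR").upper() == "AND"
    return all(results) if is_and else any(results)


def scan_host(indicators: List[Indicator], host, today: date) -> List[str]:
    """Return the IDs that fire on this host and stamp their last detection."""
    hits = []
    for ind in indicators:
        if evaluate(ind.tree, host):
            ind.last_seen = today
            hits.append(ind.ioc_id)
    return hits


def retire_stale(indicators: List[Indicator], today: date,
                 max_idle: timedelta = timedelta(weeks=26)):
    """Decommission rule from the article: drop an indicator once more than
    max_idle has passed since its last detection (or since it was added, if it
    has never fired). Returns (kept, retired)."""
    kept, retired = [], []
    for ind in indicators:
        anchor = ind.last_seen or ind.added
        (retired if today - anchor > max_idle else kept).append(ind)
    return kept, retired
```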