RSA’s First UK Data Security Summit – part 1

On Monday I attended RSA’s first UK Data Security Summit at the Barbican.  Unsurprisingly this event had two main focuses;

– ‘Big Data’ – What it is, what it means to businesses and security, and how security can leverage it to look for anomalies and advanced threats.

– Security analytics – The relatively new RSA log correlation and analysis product.

The agenda from RSA was listed as;

  • Big data and the hype
  • The changing threat landscape
    • Cyber criminals, nation states, activists and terrorists
  • Balancing risk of attack and prevention against ability to perform key tasks

As with my recent Splunk Live! post, the below will be relatively unformatted, but hopefully still of use.

The day started with some keynote talks from Art Coviello, Eddie Schwartz and Andrew Rose;

Art Coviello – Intelligence driven security: A new model using big data

Arts’ talk focused on the rapid changes to the IT environment over the last few years, with predictions for the future as well, then moved into the historic and current security  model and what this needs to look like in the future.

70’s – terminals – 1000s users

90’s – PCs – millions users

2010 – Mobile Devices – billions users

Digital content;

2007 – 1/4 Zettabyte

2013 – 2 Zettabytes

2020 – 100 Zettabytes

5* more unstructured than structured data, and growing 3* faster.

Apps;

2007 – web front end apps

2013 – Theres an app for that

2020 – big data apps everywhere..

Devices;

2007 – Smart phones

2013 – dawn of really smart phones and smart phone / tablet ubiquity

2020 – Internet of things (everything from fridges to coke machines as well as all the usual phone / pc / tablet etc devices)

Social media

2007 – MySpace

2013 – Focus on monetizing

2020 – Total consumerisation of social media: absence of privacy..

Perimeter;

2007 – holes

2013 – is there a perimeter?

2020 – no direct control over physical infrastructure..

Threats;

2007 – Complex intrusion attacks

2013 – Disruptive attacks – can’t launch physical attacks over internet yet, but can be very disruptive

2020 – Destructive attacks? with no physical / user interaction required?

Historic security model;

  • Reactive
    • Perimeter based
    • Static / signature based
    • Siloed
      • Firewall, IDS, AV etc – all reactive, don’t play together or support each other

New model;

  • Intelligence driven
    • Risk based
    • Dynamic / agile
    • leveragable / contextual
      • Look for anomolys, be more heuristic / intelligent, work together – correlate events across the enterprise

Impediments to change;

  • Budget inertia: reactive model
    • 70% on prevention (likely more like 80 % in many firms)
    • 20% Detection and monitoring
    • 10% Response
    • Skilled Personel shortage
    • Information sharing at scale – industry groups, sharing data of attacks and breaches etc at ‘wire speed’
    • Technology maturity
      • Some commentary about archer, silver tail etc. RSA has bought or invested in

Look at security maturity model;

  • Stage 1 – Unaware (wish security would go away, install a box to fix it all)
  • Stage 2 – Fragmented (compliance gathering – focus on box ticking to get compliance rather than doing security right)
  • Stage 3 – Top Down (security understood but driven from management down, not yet pervasive)
  • Stage 4 – Pervasive (good security team, work with c-level on budgets etc)
  • Stage 5 – Networked  (working across the business and integrated with the business)

Big data transforms security;

  • Security management
    • Scalable to analyse all data
    • generates a mosaic of information
    • accelerates responsiveness
  • Controls
    • task specific
    • behaviour orientated
    • self learning
  • enables view of attacks in real time

Need this detailed analysis in order to prevent / see sophisticated attacks such as man in the middle and man in the browser

Intelligence driven security needs to be resilient, feed into controls and in and out of GRC stack (grc feeds into and educates controls.  controls feed into GRC to confirm compliance)

 

Eddie Schwartz – Embracing the uncertainty of advanced attacks with big data

Pecota forcasts – analytics platform used by bookies to work out odds one sports / sports players – baseball – movie – money ball.

– ‘big data analytics’ changed the way baseball players were assessed and consequently paid..

Facebook data mines images as well as text on your page to drive targeted advertising

Amazon etc. – preference engine – you bought this, you want these..

* They are information rich and using high quality analytics.  Why are we not using data like this in security?

Why? – too much time having to say yes we are ok, yes we pass xx audit..

Attackers do not have these checklists – they will work hard to breach any opening regardless of whether you are complaint with whatever regulation..

  • Read ‘the signal and the noise‘ – Nate Silver – why so many predictions fail and some don’t.
    • The signal is truth, the noise is what distracts us from the truth.

How much do we really know about our adversaries?

  • Are we researching the tools, techniques and processes of our adversaries
  • Do we know who they are?
  • Insiders, hackers, hactivists, criminal organisations, nation states etc.
  • Do we know what they look like?
    • Old world (SIEM) – finite, rule sets, wait for rule to be breached
    • New world – infinite – unknown unknowns, uncertainty, hackers may look like legitimate users – what signs can we look for to identify them?
  • Do we understand the ‘Kill Chain’ – Prepare, Infect, Interact, Exploit
    • Cost to remediate goes up dramatically as you move along the chain
    • detection sweet spot – when they first exploit / attempt to exploit – they have to reveal themselves, so fast detection here will catch / print before data exfilitration.

Need to move to more spend and more intelligence on ‘internal’ protection / detection / capture – away from the traditional perimeter.

What are your drivers for IT security investment?

34% compliance, 16% audit

ONLY 6% strategy!

Big data transforms security – 4 areas for shift..

  1. Security management
  • Comprehensive visibility – not just event logs – what are my critical processes, what information do I need to see to understand if they are at risk.
  • Actionable intelligence – must be available in a timely manner
  • Agile analytcs – security environment must be able to change as the environment changes – your environment is at least somewhat unique, also threat landscape changes
  • Centralised incident management – can security teams follow an incident from end to end? – many point solutions.. Do logs all go to one place, can they be effectively analysed?

2. Intelligence driven security

    • Ah-hoc – Bystander – End User – Creator; Crawl – Walk – Run – Advanced – World Class
    • Monitoring and detection, incident response, threat intelligence, systems and analytics; Where should we be – risk based – do you need to be world class in everything? Where do we need to focus, what are our risks?
    • Critical Incident Response Centre (CIRC) – Cyber threat intelligence, Advanced tools, tactics and analysis; Critical Incident response team, Advanced specialists

3. Live intelligence

 

  • Threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom action.
  • Need long term technology, process and architecture plans
  • Visibility, control, governance, intelligence are all interrelated and must be considered as parts of a whole.

4. Risk based authentication

 

  • Active input – username, password, one time password, certificate, out of band, security questions, biometrics
  • access time, access location, geo location by IP, location by access point,
  • What does ‘good behaviours’ look like vas. ‘bad behaviour’; profile behaviour
  • Criminals cannot replicate your unique use profile.
    • Velocity, page sequence, origin, contextual information; velocity, behaviour, parameter injection, man in the middle, man in the browser.

Shift discussion in GRC from meeting compliance regulations to focusing IT and security staff on the key work

  • right assets and processes based on criticality and importance
  • assest intelligence, threat intelligence, event focus, investigations – Analyst prioritisation
    • requires accurate, timely and complete data.
  • read – Big data fuels intelligence driven security – RSA white paper

US – Data sharing bill – both businesses and liberal groups have objected.

  • how to share without compromising privacy.
    • criminals already violating our privacy every day
    • who should protect our privacy – benign government, corporations, criminals?
    • laws protecting customer privacy can make it hard not to breach laws protecting employee privacy in the EU?

 

Andrew Rose – principle analyst – security and risk management – Forester – ‘An external perspective’

Information classification – how mature

  • 26% have a policy that’s widely ignored, 28% have a policy for some data or systems..

The world we live in (largely as previous presentations)

  • Increasingly capable attackers (threat is real – activists, china etc..)
  • Budgets relatively static or slow growth, enough for triage of known issues, not whole treatment and improving security posture.
  • ROI – hard to define / prove – if not breached are we good or just lucky.  No good model seems to exist yet.
  • Yes rather than no security culture – have to work with business and enable – increase risk and complexity to deal with, but not necessarily staff and budget..
  • Competitive recruitment environment
  • Even the best firms have flawed security – e.g. RSA breach – have to prepare to fail!

Forester and IBM reports has IT at the top of the list of most important reasons for business success.

However business and IT (business especially) do not rate the success / competency of IT very highly – not agile, can’t accommodate change, can’t deliver projects on time etc.

 

RSA yearly IT security challenges included;

  • Third highest issue (76%) – changing business priorities
  • Forth (74%) – day to day tasks taking too much time
  • 8th (55%) lack of visibility of security – fixing this one will likely improve other issues at lot.
  • adoption of ISO / cubit etc not helping these keep getting higher up the issues scale

 Business innovation does not slow down because of security threats…

Complexity vs. manual ability – can better analytics help?

Vendors – vendor space is buzzing..

  • security commercialisation is in full swing
    • But what are the differentiators – everyone users the same buzzwords to sell products (e.g. big data, threat intelligence etc.)
  • Disruptors needed
    • need innovation, not re-hash or updates
    • services, not more hardware
  • solutions fragmented
    • how many products required to ‘solve’ security
    • what do I need now
    • what order should I buy them
    • what is the value / roi?
    • how much resource does it take to manage?
    • too many niche products – e.g. IAM, remove admin rights etc.  Need a ‘BIG’ tool / solution, to solve many / most issues and integrate existing products / solutions.

SIEM

5% get great value, 30% have not implemented, 65% get little or limited value

So is Big data the solution?

  • Big data just means lots of high velocity, structured and unstructured data – it is there to be used – so it is what you do that counts with it, not it in its self (my comment, not speakers)
  • supply chain complexity
  • technical complexity
  • internet of things

 

For me same conclusion as before – need something to aggregate and bring all the data together from apps, security tools, systems and then analyse it.  intelligent, fast correlation – look for real connections and real relationships – be mindful of coincidences in the noise.

 

2 books – anti fragile, signal to noise.

Common pitfalls –

  • starting with the data – need context and understanding as well.
  • overlooking the value of metadata.  data tagging increases value of data
  • believing more data is better
    • think simplicity and actionability

 Take away points;

  • Understand and identify your data
    • information classification is key – get this accepted and rolled out across the business
  • Be ‘hypothesis-led’ – think of what you cold do, not just what you know – then see if you can find the data to achieve it
  • Look for business partners for any big data initiative – again – one engines / dwh etc.

I’ll complete my write up of the day shortly, I hope you’re finding it useful.

K

RSA Conference Europe 2012 – They’re inside… Now what?

Eddie Schwartz – CISO, RSA and Uri Rivner – Head of cyber strategy, Biocatch

Talk started with some discussion around general Trojan attacks against companies, rather than long term high tech APTs, with the tagline; If these are random attacks.. We’re screwed!

Worth checking the pitch, but there was a series of examples from the RSA lab in Israel of usernames and passwords and other data that Trojans had sent to C&C servers in Russia.  These included banks, space agencies, science agencies, nuclear material handling companies etc.

So what to the controllers of these Trojans do with the data?  Remember these are random attacks collecting whatever personal data they can get, not specific targeted attacks.  A common example is to sell the data, you can find examples of the criminals on message boards etc. offering banking, government and military credentials for sale.

Moving onto examples of specifically targeted attacks and APTs..  Examples of targeted attacks include; Ghostnet, Aurora, Night Dragon, Nitro and Shady RAT.  These have attacked everything from large private companies, to critical infrastructures to the UN.  All of the given examples had one thing in common – Social Engineering.  Every one used Spear Phishing as their entry vector.

From this I think you need to consider – Do you still think security awareness training shouldn’t be high on your organisations to-do list?

The talk went onto discuss Stuxnet and Duqu, along with their similarities and differences, largely what was captured in my last post.  The interesting observation here was their likely different plaes in the attack process.  Stuxnet was at the end and the actual attack, Duqu likely much earlier in the process as it was primarily for information gathering.

A whole lot more targeted malware examples were given including Jimmy, Munch, Snack, Headache etc.  Feel free to look these up if you want to do some further research.

A very recent example of a targeted attach that was only discovered in July of this year is VOHO.  This campaign was heavily targeted on Geopolitical and defence targets in Boston, Washington and New York.  It was a multistage campaign heavily reliant on Javascript.  While focused on specific target types the attack was very broad, hitting over 32000 unique hosts and successfully infections nearly 4000.  This is actually a very good success rate, with the campaign no doubt considered a success by those instigating it..

In light of this evidence it is clear we need a new security doctrine.  You will get hacked despite your hard work, if it has not yet happened, it will..  Learn from the event, an honest evaluation of faults and gaps should result in implements.

Things to consider as part of this new doctrine;

–          Resist – Threat resistant virtualisation, Zero day defences

–          Detect – Malware traces, Big data analytics, behavioural profiling

–          Investigate – Threat analysis, Forensics and reverse engineering

–          Cyber Intelligence – Threat and Adversary intelligence

Cyber Intelligence was covered in some more specific details around how we can improve this;

–          External visibility – Industry / sector working groups, Government, trusted friends and colleges, vendor intelligence;

  • Can this information be quickly accessed?  For speed should be in machine readable format, but use whatever works!

–          Internal visibility – Do you have visibility in every place it it needed, HTTP, email, DNS, sensitive data etc.

  • Do you have the tools in place to make use of and analyse all of these disparate data sources

–          Can you identify when commands like NET.. and schedulers etc. are being used?

–          Do you have visibility of data exfiltration, scripts running, PowerShell, WMIC (Windows Management Instrumentation Command-line) etc?

–          Do you have the long term log management and correlation in place to put all the pieces of these attacks together?

Summary recommendations and call to action..

–          Assume you are breached on a daily basis and focus on adversaries, TTPs and their targets

–          Develop architecture and tools for internal and external intelligence for real-time and post-facto visibility into threats

–          Understand current state of malware, attack trends, scenarios, and communications

–          Adjust security team skills and incident management work flow

–          Learn from this and repeat the cycle..

Next steps (call to action!);

–          Evaluate your defence posture against APTs, and take the advice from the rest of this post

–          Evaluate your exposure to random intrusions (e.g. data stealing Trojans), and take the advice from the rest of this post

Useful presentation from a technical and security team standpoint, but completely missed the human and security awareness training aspect – despite highlighting that all the example APTs used spear phishing to get in the door.  I’d recommend following all the advice of this talk and then adding a solid security awareness program for all employees and really embedding this into the company philosophy / culture.

K