RSA Security Summit London April 2014 – Keynote 2

The second keynote today was given by Dave Martin, VP & Chief Security Officer – EMC.

Tales From The Front Lines: Actionable Strategies for An Intelligence-Driven Security Program

This was a pretty good talk, covering a lot of topics at a high level;

The gap continues to widen!

– Business wants faster, more agile, cheaper

  • But ‘keep us safe’
  • IT is not the only partner
  • IT is having an identity crisis (the business can launch IT systems via SaaS / PaaS etc. without needing traditional IT involvement)
  • IT foundations are shaky

– Technology change is relentless

  • Mobile, cloud, big data
  • Platforms, M&A

– Changing compliance and standards

  • Privacy
  • Critical infrastructure

– Attackers are getting smarter, sharing

  • Better at sharing than companies / law enforcement, especially across geographic and political borders
  • Training each other
  • Sold and free tools

Complexity will be the rule

– Software defined networks, data centres, everything!

– Mobile really will be first – pervasive access to everything, from everywhere, from everything

– BYO… Device, Network, Data, Analytics, … Security

– Commercial internet of things – everything from printers to vending machines wants wired or wireless network and internet access.

Big is going to get bigger!

– If you are not there already, data is going to get big

  • Are you ready for this?

– Traffic volume is going to get big

  • Can you build a big enough gateway?
  • Can you afford the internal bandwidth?
  • Will you see the traffic?
    • Will you be able to analyse and understand it?

You may hear that bandwidth is cheap, but can we scale it enough?

Monitoring and securing large bandwidth is not cheap – do your security and monitoring devices scale enough?

Can you really analyse and understand all the traffic?

What is normal?

What is abnormal / malicious?

How much traffic circumvents the main business gateways?  Users with 3G/4G modems, users working on their own devices connecting to cloud services?

 

The ‘Kill Chain’ now has a bad ending;

– Recovering from a disruptive attack will mean going far beyond traditional resiliency

– They will know your DR; failover is not enough!

– How will you rebuild and restore when;

  • Your primary and DR are gone
  • 75% of your endpoints are gone
  • DNS? AD?
  • Data is corrupted / compromised and this corruption is replicated to the DR copies

 

Ways to stay ahead..

Or maybe how not to drown!

Establish core tenets;

– Traditional weapons are not going to work

  • Don’t be the cavalry, those are tanks

– Raise the bar and don’t make it easy

– Prevention in small doses, detection is key

– What gives you visibility makes you stronger (collect and analyse data)

– When you detect, response is key (strong incident response process)

Be thoughtful and surgical;

– Think closely about control decisions

  • What other behaviours are you encouraging or creating?
  • Are they worse than the original risk?
  • Carrots are more effective than sticks!

– One size doesn’t fit all

  • Don’t boil the ocean
  • Perfection is a lost cause
  • How can we have the largest risk impact?
  • Target high value assets
    • Consider People, Process, Data, Geography
  • Largest population

Communicate and Educate;

– Be transparent – let people know WHY

– Make it personal

– Do it often and with data

– Business relationships

  • Change in the C suite
  • Power is shifting

Use leverage;

– Our security teams are not growing!

  • ‘Trojan horse’ security projects;
    • SSO
    • Asset management
    • Change management
  • Embrace change – make sure we are involved in defining requirements and design of new areas such as;
    • Automation
    • Mobility
    • Software defined
      • Networks
      • Data Centre

Areas of Focus;

Identity

– Provisioning and onboarding

– Role management

– Map identity and log streams

– Profiling – map users to

  • Devices
  • Applications
  • Systems
  • Behaviours

Data

– DLP isn’t the final word

– Consider data bankruptcy

– Focus on visibility and analytics

  • High value asset
  • Point of creation or storage
  • Visibility at the large endpoint

– Contain where possible – mobile and virtual

– Leverage master data management programs

  • Define data owners and criticality

– Evaluate data categorisation technology

Customer Experience

– They have many choices and security isn’t on their list

  • Offer enterprise versions of consumer services

– Can you trade experience for visibility?

– Provide for safe, open access

– Leverage SSO to better map identity

 

Supply chain and third party risk

– Understand supply chains

– Enforce contracted policies

  • Network Access Control

– Reduce access

  • Virtual desktops
  • Review privilege

– Third party risk services

Incident detection and response

– Single UI and alerting for visibility – feed in data from controls, and add context

Resiliency and Recovery

– Non-traditional DDoS targets

– Table-top exercises based on known attacks

Threat model based on existing Business impact analysis

These two keynotes were a great way to start the day’s presentations.

K

RSA’s First UK Data Security Summit – part 1

On Monday I attended RSA’s first UK Data Security Summit at the Barbican.  Unsurprisingly this event had two main focuses;

– ‘Big Data’ – What it is, what it means to businesses and security, and how security can leverage it to look for anomalies and advanced threats.

– Security analytics – The relatively new RSA log correlation and analysis product.

The agenda from RSA was listed as;

  • Big data and the hype
  • The changing threat landscape
    • Cyber criminals, nation states, activists and terrorists
  • Balancing risk of attack and prevention against ability to perform key tasks

As with my recent Splunk Live! post, the below will be relatively unformatted, but hopefully still of use.

The day started with some keynote talks from Art Coviello, Eddie Schwartz and Andrew Rose;

Art Coviello – Intelligence driven security: A new model using big data

Art’s talk focused on the rapid changes to the IT environment over the last few years, with predictions for the future as well, then moved into the historic and current security model and what this needs to look like in the future.

1970s – terminals – 1000s of users

1990s – PCs – millions of users

2010 – mobile devices – billions of users

Digital content;

2007 – 1/4 Zettabyte

2013 – 2 Zettabytes

2020 – 100 Zettabytes

5× more unstructured than structured data, and growing 3× faster.

Apps;

2007 – web front end apps

2013 – There’s an app for that

2020 – big data apps everywhere..

Devices;

2007 – Smart phones

2013 – dawn of really smart phones and smart phone / tablet ubiquity

2020 – Internet of things (everything from fridges to coke machines as well as all the usual phone / pc / tablet etc devices)

Social media

2007 – MySpace

2013 – Focus on monetizing

2020 – Total consumerisation of social media: absence of privacy..

Perimeter;

2007 – holes

2013 – is there a perimeter?

2020 – no direct control over physical infrastructure..

Threats;

2007 – Complex intrusion attacks

2013 – Disruptive attacks – can’t launch physical attacks over internet yet, but can be very disruptive

2020 – Destructive attacks? with no physical / user interaction required?

Historic security model;

  • Reactive
    • Perimeter based
    • Static / signature based
    • Siloed
      • Firewall, IDS, AV etc – all reactive, don’t play together or support each other

New model;

  • Intelligence driven
    • Risk based
    • Dynamic / agile
    • Leverageable / contextual
      • Look for anomalies, be more heuristic / intelligent, work together – correlate events across the enterprise

Impediments to change;

  • Budget inertia: reactive model
    • 70% on prevention (likely more like 80% in many firms)
    • 20% detection and monitoring
    • 10% response
  • Skilled personnel shortage
  • Information sharing at scale – industry groups, sharing data of attacks and breaches etc. at ‘wire speed’
  • Technology maturity
    • Some commentary about Archer, Silver Tail etc. that RSA has bought or invested in

Look at security maturity model;

  • Stage 1 – Unaware (wish security would go away, install a box to fix it all)
  • Stage 2 – Fragmented (compliance gathering – focus on box ticking to get compliance rather than doing security right)
  • Stage 3 – Top Down (security understood but driven from management down, not yet pervasive)
  • Stage 4 – Pervasive (good security team, work with c-level on budgets etc)
  • Stage 5 – Networked  (working across the business and integrated with the business)

Big data transforms security;

  • Security management
    • Scalable to analyse all data
    • generates a mosaic of information
    • accelerates responsiveness
  • Controls
    • task specific
    • behaviour orientated
    • self learning
  • enables view of attacks in real time

Need this detailed analysis in order to prevent / see sophisticated attacks such as man in the middle and man in the browser

Intelligence driven security needs to be resilient, feed into controls and in and out of the GRC stack (GRC feeds into and educates controls; controls feed into GRC to confirm compliance)

 

Eddie Schwartz – Embracing the uncertainty of advanced attacks with big data

PECOTA forecasts – analytics platform used by bookies to work out odds on sports / sports players – baseball – the movie Moneyball.

– ‘big data analytics’ changed the way baseball players were assessed and consequently paid..

Facebook data mines images as well as text on your page to drive targeted advertising

Amazon etc. – preference engine – you bought this, you want these..

* They are information rich and using high quality analytics.  Why are we not using data like this in security?

Why? – too much time having to say yes we are ok, yes we pass xx audit..

Attackers do not have these checklists – they will work hard to breach any opening regardless of whether you are compliant with whatever regulation..

  • Read ‘The Signal and the Noise’ – Nate Silver – why so many predictions fail and some don’t.
    • The signal is truth, the noise is what distracts us from the truth.

How much do we really know about our adversaries?

  • Are we researching the tools, techniques and processes of our adversaries?
  • Do we know who they are?
  • Insiders, hackers, hacktivists, criminal organisations, nation states etc.
  • Do we know what they look like?
    • Old world (SIEM) – finite rule sets, wait for a rule to be breached
    • New world – infinite – unknown unknowns, uncertainty, hackers may look like legitimate users – what signs can we look for to identify them?
  • Do we understand the ‘Kill Chain’ – Prepare, Infect, Interact, Exploit
    • Cost to remediate goes up dramatically as you move along the chain
    • Detection sweet spot – when they first exploit / attempt to exploit – they have to reveal themselves, so fast detection here will catch / print before data exfiltration.

Need to move to more spend and more intelligence on ‘internal’ protection / detection / capture – away from the traditional perimeter.

What are your drivers for IT security investment?

34% compliance, 16% audit

ONLY 6% strategy!

Big data transforms security – 4 areas for shift..

1. Security management

  • Comprehensive visibility – not just event logs – what are my critical processes, what information do I need to see to understand if they are at risk?
  • Actionable intelligence – must be available in a timely manner
  • Agile analytics – the security environment must be able to change as the environment changes – your environment is at least somewhat unique, and the threat landscape changes too
  • Centralised incident management – can security teams follow an incident from end to end? – many point solutions.. Do logs all go to one place, can they be effectively analysed?

2. Intelligence driven security

  • Ad-hoc – Bystander – End User – Creator; Crawl – Walk – Run – Advanced – World Class
  • Monitoring and detection, incident response, threat intelligence, systems and analytics; where should we be – risk based – do you need to be world class in everything? Where do we need to focus, what are our risks?
  • Critical Incident Response Centre (CIRC) – cyber threat intelligence, advanced tools, tactics and analysis; critical incident response team, advanced specialists

3. Live intelligence

  • Threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom action.
  • Need long term technology, process and architecture plans
  • Visibility, control, governance, intelligence are all interrelated and must be considered as parts of a whole.

4. Risk based authentication

  • Active input – username, password, one time password, certificate, out of band, security questions, biometrics
  • Access time, access location, geo location by IP, location by access point
  • What does ‘good behaviour’ look like vs. ‘bad behaviour’; profile behaviour
  • Criminals cannot replicate your unique usage profile.
    • Velocity, page sequence, origin, contextual information; velocity, behaviour, parameter injection, man in the middle, man in the browser.
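
As an added illustration of two points in these notes – the identity profiling under ‘Areas of Focus’ (map users to devices, applications, systems and behaviours) and the risk based authentication signals just listed – here is a small Python example. It is not code from the talk, from RSA or from any product: it builds per-user profiles from a constructed login history and scores a new attempt against them (unknown device, new country, impossible travel by velocity, unusual hour, unknown application). The log format, the signal weights and the allow / step-up / deny thresholds are assumptions for illustration and would be tuned to your own user population.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login history (not real data): user, ISO-8601 timestamp,
# device id, country code, application. One record per line.
SAMPLE_LOGINS = """\
alice,2014-04-01T08:55:00,dev-a1,GB,mail
alice,2014-04-01T09:10:00,dev-a1,GB,crm
alice,2014-04-02T08:40:00,dev-a1,GB,mail
alice,2014-04-03T09:02:00,dev-a2,GB,mail
alice,2014-04-04T17:45:00,dev-a1,GB,crm
bob,2014-04-01T22:30:00,dev-b1,US,vpn
bob,2014-04-02T23:05:00,dev-b1,US,vpn
bob,2014-04-03T21:50:00,dev-b1,US,mail
"""

# Hypothetical risk weights and decision thresholds: tune to your own population.
WEIGHTS = {
    "no_history": 50,         # user never seen before: cannot profile, so step up
    "unknown_device": 30,
    "new_country": 30,
    "impossible_travel": 40,  # country changed faster than a person could travel
    "unusual_hour": 15,
    "unknown_app": 10,
}
STEP_UP_AT, DENY_AT = 20, 70


def parse_logins(text):
    """Parse CSV login records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, device, country, app = line.strip().split(",")
        events.append({"user": user, "ts": datetime.fromisoformat(ts),
                       "device": device, "country": country, "app": app})
    return events


def build_profiles(events):
    """Map each user to the devices, countries, applications and login hours seen,
    plus the most recent (timestamp, country) pair for the velocity check."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(),
                                    "apps": set(), "hours": set(), "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        p = profiles[e["user"]]
        p["devices"].add(e["device"])
        p["countries"].add(e["country"])
        p["apps"].add(e["app"])
        p["hours"].add(e["ts"].hour)
        p["last"] = (e["ts"], e["country"])
    return dict(profiles)


def _near_usual_hour(hour, seen_hours):
    """True if hour is within one hour of any previously seen login hour (wrapping at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in seen_hours)


def score_attempt(profile, attempt):
    """Return (risk score, list of triggered signals) for one login attempt."""
    if profile is None:
        return WEIGHTS["no_history"], ["no_history"]
    reasons = []
    if attempt["device"] not in profile["devices"]:
        reasons.append("unknown_device")
    if attempt["country"] not in profile["countries"]:
        reasons.append("new_country")
    last_ts, last_country = profile["last"]
    if attempt["country"] != last_country and abs(attempt["ts"] - last_ts) < timedelta(hours=2):
        reasons.append("impossible_travel")
    if not _near_usual_hour(attempt["ts"].hour, profile["hours"]):
        reasons.append("unusual_hour")
    if attempt["app"] not in profile["apps"]:
        reasons.append("unknown_app")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a risk score to allow / step_up (ask for a second factor) / deny."""
    if score < STEP_UP_AT:
        return "allow"
    if score < DENY_AT:
        return "step_up"
    return "deny"


def evaluate(profiles, attempt):
    """Score one attempt against the stored profile and attach the decision."""
    score, reasons = score_attempt(profiles.get(attempt["user"]), attempt)
    return {"user": attempt["user"], "score": score, "reasons": reasons, "decision": decide(score)}


if __name__ == "__main__":
    profiles = build_profiles(parse_logins(SAMPLE_LOGINS))
    for line in ("alice,2014-04-07T09:00:00,dev-a1,GB,mail",
                 "alice,2014-04-04T18:30:00,dev-x9,DE,mail",
                 "bob,2014-04-05T03:00:00,dev-b1,US,crm"):
        print(evaluate(profiles, parse_logins(line)[0]))
```

The three sample attempts show the gradient the talk is after: a login that matches the profile scores 0 and is allowed; Bob from a known device but at an unusual hour into an application he has never used gets a step-up (a second factor) rather than a hard block; Alice from an unknown device in a new country 45 minutes after her last GB login trips impossible travel as well and is denied. Returning the triggered signals alongside the score is what makes the decision explainable to the analyst and to the user.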

Shift discussion in GRC from meeting compliance regulations to focusing IT and security staff on the key work

  • right assets and processes based on criticality and importance
  • Asset intelligence, threat intelligence, event focus, investigations – analyst prioritisation
    • requires accurate, timely and complete data.
  • read – Big data fuels intelligence driven security – RSA white paper

US – Data sharing bill – both businesses and liberal groups have objected.

  • how to share without compromising privacy.
    • criminals already violating our privacy every day
    • who should protect our privacy – benign government, corporations, criminals?
    • laws protecting customer privacy can make it hard not to breach laws protecting employee privacy in the EU?

 

Andrew Rose – principal analyst – security and risk management – Forrester – ‘An external perspective’

Information classification – how mature

  • 26% have a policy that’s widely ignored, 28% have a policy for some data or systems..

The world we live in (largely as previous presentations)

  • Increasingly capable attackers (threat is real – activists, china etc..)
  • Budgets relatively static or slow growth, enough for triage of known issues, not whole treatment and improving security posture.
  • ROI – hard to define / prove – if not breached are we good or just lucky.  No good model seems to exist yet.
  • ‘Yes’ rather than ‘no’ security culture – have to work with the business and enable – increased risk and complexity to deal with, but not necessarily staff and budget..
  • Competitive recruitment environment
  • Even the best firms have flawed security – e.g. RSA breach – have to prepare to fail!

Forrester and IBM reports have IT at the top of the list of most important reasons for business success.

However business and IT (business especially) do not rate the success / competency of IT very highly – not agile, can’t accommodate change, can’t deliver projects on time etc.

 

RSA yearly IT security challenges included;

  • Third highest issue (76%) – changing business priorities
  • Fourth (74%) – day to day tasks taking too much time
  • 8th (55%) – lack of visibility of security – fixing this one will likely improve the other issues a lot.
  • Adoption of ISO / COBIT etc. is not helping; these keep getting higher up the issues scale

Business innovation does not slow down because of security threats…

Complexity vs. manual ability – can better analytics help?

Vendors – vendor space is buzzing..

  • security commercialisation is in full swing
    • But what are the differentiators – everyone uses the same buzzwords to sell products (e.g. big data, threat intelligence etc.)
  • Disruptors needed
    • need innovation, not re-hash or updates
    • services, not more hardware
  • solutions fragmented
    • how many products required to ‘solve’ security
    • what do I need now
    • what order should I buy them
    • what is the value / roi?
    • how much resource does it take to manage?
    • too many niche products – e.g. IAM, remove admin rights etc.  Need a ‘BIG’ tool / solution, to solve many / most issues and integrate existing products / solutions.

SIEM

5% get great value, 30% have not implemented, 65% get little or limited value

So is Big data the solution?

  • Big data just means lots of high velocity, structured and unstructured data – it is there to be used – so it is what you do with it that counts, not the data in itself (my comment, not the speaker’s)
  • supply chain complexity
  • technical complexity
  • internet of things

 

For me the same conclusion as before – need something to aggregate and bring all the data together from apps, security tools and systems, and then analyse it.  Intelligent, fast correlation – look for real connections and real relationships – be mindful of coincidences in the noise.

 

Two books – Antifragile, The Signal and the Noise.

Common pitfalls –

  • starting with the data – need context and understanding as well.
  • overlooking the value of metadata.  data tagging increases value of data
  • believing more data is better
    • think simplicity and actionability

Take away points;

  • Understand and identify your data
    • Information classification is key – get this accepted and rolled out across the business
  • Be ‘hypothesis-led’ – think of what you could do, not just what you know – then see if you can find the data to achieve it
  • Look for business partners for any big data initiative – again – one engines / dwh etc.

I’ll complete my write up of the day shortly, I hope you’re finding it useful.

K

Cloud Security Alliance Congress Orlando 2012 pt3 – Day 1 closing keynote

Next Generation Information Security – Jason Witty

Some statistics and facts to set the scene;

– 93.6% is the approximate percentage of digital currency in the global market!

– 6.4% cash and gold available as a proportion of banking and commerce funds..

– 45% of US adults own a smartphone – 21% of phone users did mobile banking last year.

– 62% of all adults globally use social media

– Cloud ranking as #1 in top strategic technologies according to Gartner – 60% of the public cloud will serve software by 2018

– 2015 predicted as the year when online banking will become the norm..

– Nielsen global trust in advertising report for 2012;

– 28,800 respondents across 56 countries – online recommendations from known people and review sites 80-90%+ used and trusted, traditional media falling below 50% used and trusted.

– NSA were working on their own secure smartphone.  Plans scrapped and now they are working on how to effectively secure consumer smartphone devices.  Consumer mobile devices are everywhere!

Emerging innovations; cloud computing..

– IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.

– By 2016 SaaS will account for 60% of the public cloud

Cost savings are often cited as the reason for moving to the cloud; however other benefits like agility, access to more flexible compute power etc. often mean cloud migrations enable better IT for the business and thus you can do more.  So increased quality and profit result, but costs likely remain flat.

Trends in Cybercrime;

Insiders – can be difficult to detect, usually low tech relying on access privileges

Hacktivists – responsible for 58% of all data theft in 2011

Organised crime – Becoming frighteningly organised and business like

Nation states – Since 2010 nation state created malware has increased from 1 known to 8 known, with 5 of those in 2012.   Nation states are now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.

 

Organised Crime – Malware as a Service

Raw material (stolen data) – Distribution (BotNet) – Manufacturer (R&D, Code, Product Launch) – Sales and support (Delivery, Support (MSI package installation, helpdesk), Marketing – Customer (Affiliates, Auctions / Forums, BotNet Rental / Sales)

Crime meets mobile – Android – patchy updates as vendor dependent, many pieces of malware, but Play Store security getting better.

Nation states becoming increasingly active in the world of malware creation..

 

So, Next generation Information Security;

– Must be intelligence driven

  • Customer
  • Shareholder
  • Employee
  • Regulatory
  • Business line
  • Cyber threat

– Must be comprehensive

  • Anticipate – emerging threats and risks
  • Enable –
  • Safeguard

– Must have excellent human capabilities

– Must be understandable – need to explain this and ensure the board understands the risks and issues – PwC survey – 42% of leadership think their organisation is a security front runner.  8% actually are.  70% of leadership think info sec is working well – 88% of infosec think leadership is their largest barrier to success..

– We cannot do this alone: strong intelligence partnership management

Pending cybercrime legislation;

– White House has stressed the importance of new cyber security legislation.

– Complex laws take time to review and pass; technology environments change fast.

– Various Federal laws currently cover cybercrime – Federal Computer Fraud and Abuse Act, Economic Espionage Act etc.

– Likely executive order in the near future with potentially large cybercrime implications.

While this is a very US centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.

 

Intelligence driven: the next phase in information security;

– Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats

– Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets

– Building and nurturing multiple data sources. Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.

– Establish automated analytics and establish patterns of data movement in your organisation

I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012.  This can be downloaded from here;

http://www.rsa.com/innovation/docs/11683_SBIC_Getting_Ahead_of_Advanced_Threats_SYN_UK_EN.pdf

K

RSA Conference Europe 2012 Keynotes; day one part one

The first two keynotes were from RSA and were both very interesting with a LOT of valid points;

Keynote 1 – Art Coviello, Executive Chairman RSA.  Titled ‘Intelligence-driven security: The new model’

The vast majority of security spend is still for edge security and edge focussed monitoring, which is failing in this open world where attacks and breaches are to be expected.

Currently many people think that the security risks are overhyped, but is this true?  Organisations don’t like to reveal that they have been breached, so how many breaches go unreported?  The Verizon survey has also revealed the majority of breaches go undetected for a long time, if they are ever caught.  So how many organisations have been breached without even knowing it?  This was referred to as ‘the PR gap’, with the tip of the iceberg being what is known, but the unknown massive underwater part of the iceberg is the reality.

We must gain a better understanding of the situation.  How mature and sophisticated is your organisation’s security?

Proposed four levels of cyber security;

  1. Control – these likely have already been hacked and just don’t know it!
  2. Compliance – likely heavily regulated, but focus on compliance and tick boxes rather than strong governance leading to compliance.  Often caused by management and budgetary pressures
  3. IT risk – good understanding of IT risk, only slightly behind 4, but more tactical and IT focused than strategically aligned with the business.
  4. Business risk – This is where you should aspire to be, security fully aligned and working with the business, leveraging technology and processes in line with business strategy.

How do we get there? – Understand the issues;

– Budget – pressures, how to best use it, how to justify it and highlight benefits and business cases

– Security talent – ensure your team is as good as it can be: are they passionate, engaged, and do they have an understanding of your industry?  The right team will drive security benefits and change, not just sit back, tick boxes or point further up the chain for reasons they are not acting.

– PR gap – explained above

– Privacy regulations – understand the regulatory environment your business is operating in.

Keynote 2 – Tom Heiser – President RSA – Intelligence Driven security.

– Reconsider – our risks.  Move to a risk based approach to security. Understand regulatory challenges to this approach

– Rethink – detection strategies, and deploy continuous monitoring.

– Harden authentication and tighten access controls

– Educate.. Educate.. Educate.. – users, staff, regulators, media, auditors.  Obviously your business will focus on your staff and users, but the security industry also needs to get better at the wider piece.  Consider cyber security education around risks and phishing etc.  This point resonated with me as I come from an environment where we had various security awareness strategies from awareness weeks to educational phishing emails, and I have proposed this approach to my current employer.

Inevitability of compromise – does not equate to accepting loss – new tactics and tools.  Moore’s law can apply to criminals as much as processors – criminals have more and more tools; last year’s military grade attack is this year’s scripted attack tool in the wild.  Example that Stuxnet derived attacks have been found in the wild and used against banking customers.

Improved monitoring and understanding will reduce ‘dwell time’ – how long the criminals can reside on your network.  If we assume breaches will occur (and they will), then minimising this dwell time is key to minimising risk.

This does require new tools.  Consider how we re-distribute budget spend.  Reduce spend on lower value services and premium priced tools such as AV and perimeter security.  Re-allocate spend to more advanced security solutions.

How do we access security knowledge?  How do we share information?  How do we ensure we protect privacy while we do this?  Currently nation states and criminals have much, much better intelligence and information sharing processes than legitimate governments and organisations.

We need standardised ways to share information, ideally at machine speed – ‘standardised share act’.  This must be understood and driven from board level down; we as a security industry need to ensure we educate the board in business terms around policy and business risk.  How much does your board currently know about your organisation’s security stance and the risks you currently face?

We also need to be mindful of managing compliance and risk.  Just focusing on compliance does not necessarily reduce risk.  Remember the criminals can read the same compliance requirements you are meeting, so they know exactly what you are doing if you do not have a risk management / security program in addition to just meeting regulatory and compliance requirements.  This can be a challenge given the volume of compliance projects and budgetary constraints in many organisations, but needs to be considered.

We need a more proactive stance that focusses on intelligence, understanding, and education from user to board level.

Keynote ended with some comments on new RSA products and tools.

I really liked both of these talks, and think we really need to consider the points raised.

K