Reduce the hackers' advantage
How to rethink your defense with security analytics
By Ray Boisvert, President and CEO, I-Sec Integrated Strategies
In the early hours of Friday, Oct. 21, 2016, a key firm in the US internet infrastructure was hit by a distributed denial-of-service attack that overwhelmed targeted machines with malicious electronic traffic. The firm provides internet traffic optimization to some of the biggest names on the web, such as Twitter, Netflix and Visa. The full impact of the cyberattack was difficult to gauge, but internet disruption was reported across the East Coast.
Welcome to the advancing age of cyberthreats.
I started my career as an intelligence officer working the Soviet desk of the Canadian Security Intelligence Service at the height of the Cold War – a pretty intense atmosphere for security. In the decades since then, I’ve seen cyclical patterns of history and security trends repeating themselves again and again, but never have I seen a transformation of the threat environment as stark and complex as what we’re currently experiencing.
We’re seeing the return of old extremist movements and the emergence of new ones. We’re seeing shifts in the way states engage with one another, and the emergence of enterprises that are owned and protected by nation states. We’re seeing risk horizons expand with all the pathways of the internet. And we are knowingly exposing ourselves to more risk because we demand the convenience of mobile access and digital currency. In many ways, the threat landscape has expanded and intensified far beyond anything we’ve seen in the past.
Many organizations are still in denial. In my current role as a security consultant, I talk with a number of Canadian corporations and companies in the financial sector and elsewhere, and I see resistance to the belief that their organizations are in the crosshairs and will be heavily targeted. Financial institutions are more aware, but some other industries believe they are largely immune.
Take mining, for example; the extractive industries are huge in Canada. The perspective of some mining executives is that they have nothing cybercriminals would want. Not true. The products these companies extract and export (along with the valuations) have high economic importance, and the cutting-edge technologies used for extraction are vulnerable. A cybercriminal aiming to disrupt a nation’s business could have a field day with the industry’s lack of defenses.
Even if you think of your organization as a 20th-century industrial company – not a 21st century technology business – you’re still at risk. Assuming anything else could be quite perilous for your future success and sustainability.
Even organizations that acknowledge the risk underestimate it
The risk environment has intensified for a number of reasons.
There is an explosion in devices and events to protect. The average Fortune 500 company logs tens of billions of events in the network in a given day. Do you know where all these communications have traveled? A 2016 report from Digital Shadows shows that there are leaked employee credentials online for 97 percent of the top 1,000 global companies, many as a result of third-party breaches.
Who could forget the 2012 data breach where a hacker stole 6.5 million encrypted passwords from LinkedIn and posted them to a Russian crime forum? If you did forget, you got a sobering reminder in May 2016, when a Russian hacker was found to be selling 117 million email and password combinations on a dark web marketplace for a mere five bitcoins in digital currency, about $2,300. These breaches are particularly troubling when you consider how often users duplicate passwords among accounts. A breach of one account could easily lead to more.
There’s little visibility into the extended company network. Many organizations have no true sense of the scale and the size of the “internal” network. Mergers and acquisitions create a patchwork infrastructure. Workforces operate around the globe on diverse and siloed systems. Functional teams use specialized tools and systems that connect back into the corporate IT environment. Most organizations don’t treat these touch-backs into the company network as potentially hostile, yet each one represents a potential vulnerability.
People can be your weakest link. Recent research from CEB shows that 90 percent of employees willfully violate policies designed to prevent data breaches – not necessarily with malicious intent, but just to get past what they see as bureaucratic impediments to doing their jobs. Of course, there will also be those who act willfully in a way that’s adverse to the organization. Either way, even well-planned security policies have their limits.
Employees expect anywhere/anytime connectivity. Millennials in particular expect to move seamlessly from work to personal life and stay connected through their mobile devices. Organizations have embraced the productivity and convenience of mobility solutions; now they have to address the associated risks.
For example, mobile Trojans can overlay custom panels on apps to deceive unsuspecting account holders into entering their user names and passwords, elevate themselves to root-level privileges, or even remotely take over a victim’s device. The newest generation of mobile malware can let an unauthorized user access a secure platform from a device you know and trust, thereby circumventing device reputation and recognition controls.
Your organization is already at risk – guaranteed
“There are two types of big companies in the US,” says FBI Director James Comey. “Those that have been hacked, and those that don’t know they’ve been hacked.”
Four years ago, there were probably five countries in the world that could deliver an advanced, persistent threat – malware that could reside on your network in perpetuity, trade data at will, destroy data, create confusion and undermine the organization at any moment. Today there are at least five dozen countries that have or are developing that capability, according to The Wall Street Journal.
The weapons of cyberwarfare are readily available. Anybody can buy black-market software to launch an advanced persistent threat for as little as $20,000 – or up to $300,000 to $400,000 if you want a high-end tool. Even low-level, aspiring criminal groups can achieve success because they can buy, rent or acquire illicit access or compromised data. These transactions can even come with a service-level agreement that guarantees your money back if the criminal group doesn’t deliver, whether it be national intelligence, commercial insight, credit card numbers or personally identifiable information.
Malware as a commodity is the new reality. Malicious actors are already inside the wall. The pathways of the internet have given them the ability to strike out from anywhere in the world and touch any entity.
We tend to think these predators are mostly looking for high-level intellectual property – spy vs. spy activities – but often the goal is to disrupt or disable operations. Imagine the impact of corrupting a nation’s utility grid or critical communications systems. In the case of high-profile hacks of commercial and government entities in the US, we have found links to Russian and Eastern European organized crime groups. The motive is part profit, but the hacks were also deeply motivated by Russian nationalism, Western sanctions over Ukraine, and intent to disrupt US business.
We’re losing the asymmetric war
We’re in an age where one person can have disproportionate capacity to harm others. Ventures that once required the backing of a nation – or, in cyberwarfare, a group of 20 or 30 highly skilled hackers – can now be launched by an individual. Just as a malcontent armed with a bomb or automatic weapon can kill dozens of people, a hacker with purchased software can wreak havoc on a global financial institution, critical utility infrastructure or a national retailer. The age of asymmetrical threats is here.
For traditional crimes, the security establishment has made huge advances in identifying the perpetrators and bringing them to justice. There’s very little hope we’ll reach that point with cybercrime. Attribution is almost impossible. In most cases, threat actors can hide and remain anonymous for as long as they wish.
Law enforcement is really hamstrung. For example, the UK is in the higher echelon of capability and awareness on this issue. Yet a 2015 report by HMIC showed that only three out of 43 police agencies in the UK had a capability to deal with advanced cybercrime, and only 20 percent of reported cybercrimes were passed to police forces.
The good news that there is work being done to establish diplomatic agreements among national governments to agree not to hack each other’s systems and read each other’s email. The bad news is that these international agreements have had little effect. So if you’re waiting for the US cavalry to come over the ridge and make the Wild West of the internet safe and predictable, don’t look for it in our lifetime.
It’s not realistic to prevent 100 percent of attacks and
exfiltration, but you can certainly reduce the impact by anticipating
when and where those threats are likely to be.
Launch a defense with advanced analytics
The hackers certainly have all the advantages at this point. Using readily available technology, they have been able to create an environment where they can exist in our network in perpetuity. But the technology exists today to elevate our security defenses to the next level and fight back.
At its core, this new level of defense is about data that can provide sightlines into what’s going on in networks – not days from now, but right now, or very nearly so. That intelligence is hidden in the vast amounts of syslog information that computer systems and networks churn out every second of the day – the data stream for auditing system activity, identifying anomalous activities and assessing the damage done by intruders.
With all that data, analysts have been overwhelmed by noise. There are signals everywhere in that noise, but how do you see them? That’s where security analytics comes in. With a combination of data quality/management capabilities, predictive analytics and machine learning, security analytics delivers the situational awareness that has been missing. Once you understand what’s going on in the network and have a good sense of how and why somebody might target you, you get closer to what they’re going to do. From there, with a little bit of luck, you can get closer to where and when that might happen.
Building the fortifications
The security vendor landscape is crowded and suffers from a gold-rush mentality. More than 500 companies claim to have some level of functionality, but most are addressing small, basic or niche pieces of the much larger, complex puzzle. There are diverse sources and software for data security, application security, anti-virus, firewalls, VPN gateways, perimeter security, security assessment and so on.
CIOs naturally don’t want to jettison everything they have already invested in, but organizations are doing themselves a disservice if they keep bolting on more of these little haphazard, ad hoc solutions. The greater the diversity of vendors involved, the less chance of achieving collaboration and cohesion (and protection) among them. Over the long run that’s very counterproductive.
From what I’ve seen, probably 80 to 90 percent of security software vendors do not have the capabilities required to keep a constant level of vigilance on the network at all times.
The security industry has to reflect changing times. We are at a state where we can provide a higher and more holistic level of network visibility for threat assurance. A comprehensive security platform provides flexibility in:
- How you investigate the data (data quality and enrichment).
- Timing (how and when that happens in the process).
- Analytics approaches (anomaly detection, predictive analytics, machine learning, etc.).
- How the analytics will be applied (batch, in memory or in stream).
The business case is there. The cost of storage and processing capacity have plummeted, so we can collect, store and analyze security data more economically.
There’s no need to completely dispose of the traditional security tools. Most of the malware out there is still pretty low level, and many system vulnerabilities are not new. But getting to the new level requires advanced analytics.
Toward a total protective defense
Consider that there is malware on virtually all corporate networks, and employee credentials floating around on the open internet. Your organization is already compromised. To understand and mitigate the risks, you have to invest in new technology that will allow you to see your entire network in its true normative state, monitor it in real time, and identify the point at which malware that could devastate the organization is likely to emerge.
You won’t get there with small bits of software – multiple components that people are buying and slapping together, each offering a portion of a total, protective defense. These tools provide a good first line of defense, but it’s time to assess the state of things, determine whether these tools have been appropriately maintained and whether the organization should make further investments in those things. Then be bold and take a look at some of the more creative, innovative approaches that are being offered in the marketplace. The new level of security defense is going to be a cohesive solution that can go the distance.
In a fragmented and high-pressure security environment, you need to be more proactive in shoring up defenses and taking a risk-based approach, instead of just reactively patching gaps where breaches have occurred.
It may take a few more catastrophic breaches to nudge security operations centers into this new realm, but it’s happening. Boards and the C-suite expect it as a matter of protecting organizational assets, customers and reputation. When a breach happens, executives will be asking, “What was your level of diligence prior to the event? What did you do? What decisions were made, based on what insight?”
We need to be well-positioned to withstand that scrutiny.
About the author
Ray Boisvert, SAS Partner and President, I-SEC Integrated Strategies (ISECIS)
The formation of ISECIS builds on Ray Boisvert’s career of almost 30 years in both operational and executive roles with the Canadian Security Intelligence Service (CSIS), where he retired as the Assistant Director of Intelligence. Additional roles within CSIS included leadership of the international counterterrorism branch, as well as key organizational programs, including operational security, risk management, internet operations and data exploitation efforts. With his extensive and specialized knowledge, Boisvert has uniquely positioned ISECIS to identify global risks, convey privileged insights and create intelligent organizational resilience – including enhanced cyber and insider threat defense.