The Search for LIFE’S MEANING In the Valley of Cyber-Security (The story of how the world’s coolest Cyber-Threat Management Platform was conceived)

Upload: denise-willet

Post on 12-Apr-2017


TRANSCRIPT

Page 1: A Security Story

The Search for LIFE’S MEANING In the Valley of Cyber-Security

(The story of how the world’s coolest Cyber-Threat Management Platform was conceived)

Page 2: A Security Story

Hi … I’m Steve, and I do Cyber-Security stuff for a living. (Me)

Page 3: A Security Story

I like problems… (Solving them.) That’s why I majored in Mathematical Probability and Statistics.

(Me, at UC Berkeley)

Page 4: A Security Story

A long time ago … I co-founded The Cambridge Systems Group.

(Me … at Cambridge)

Page 5: A Security Story

We created ADC2 and went to market … Soon, it became the leading Mainframe Security product (in the world).

We beat these guys … By a lot. (A whole lot.)

Page 6: A Security Story

After that I did some other stuff and … moved to Santa Fe … Opened an Art Gallery … Etc.

(Studio G, art gallery; Smiling Patron)

Page 7: A Security Story

Then one day a Big Bank called… They said they had a Security problem!

Page 8: A Security Story

(It wasn’t very interesting…) Until they told me they thought they might have unencrypted data IN TRANSIT!

Page 9: A Security Story

And would I please come take a look and tell them what I thought. This was suddenly VERY interesting. (I said sure.)

“How could a Bank have unencrypted data in transit?”

Page 10: A Security Story

Their idea was to form a sort of Red Team to test the effectiveness of their Security before Bad Guys did it for them. So, I formed a company to do just that.

STOP!

Page 11: A Security Story

We called it Blackhawk Security Systems. My team only had to pass a criminal background check.

Page 12: A Security Story

The same one the 9/11 bombers would have passed. Right away we knew we had entered the Danger Zone.

Page 13: A Security Story

AND ... We discovered unencrypted data everywhere. Loose access management. Open access to file descriptions. Vintage security tools. Outdated VA software.

So, we ran a little test. We hired a contractor, using standard bank practices. She was given a laptop. She was given standard access. She had file descriptions. She wrote some scripts.

Page 14: A Security Story

She got into every system she attacked … and it was unbelievably easy.

Two years later, we fixed all of it. But it got me thinking.

Page 15: A Security Story

If one of the world’s largest banks was this porous, what must a Fortune 1000 company look like? What would a $50 million company look like? What about a startup?

Page 16: A Security Story

So, I looked around. Sure enough. Everybody was struggling with security issues. Mostly, no one understood any of it.

Page 17: A Security Story

Most people had some Anti-virus software. Some had IDS/IPS (intrusion detection and intrusion prevention). Others had Firewalls.

Page 18: A Security Story

Their cyber-threat defenses were heavily invested in the perimeter. Not the Network. And, not the data.

Page 19: A Security Story

This, of course, was back in the pre-2012 computing era. Not much was known about Network Infections. APTs didn’t exist. Before BYOD. Time travel was only in the future.

Page 20: A Security Story

Some people thought they could do it themselves. They had IT guys. They were smart. There were a lot of products out there.

Page 21: A Security Story

JP Morgan Chase spent over $200 million on Cyber-Security in 2014 and then got hacked. 76 million accounts compromised. They did it themselves.

Page 22: A Security Story

JP Morgan Chase had lots of smart guys. So did Target. So did Home Depot. Something was happening here.

Page 23: A Security Story

So, I went to RSA. There were tons of Cyber-security products. Over 400 of them, in fact. There were cool ones. (Gartner said so.) There were smart ones. (The vendors said so.) Most just confused me.

Page 24: A Security Story

Then, Art Coviello, the Chairman and CEO of RSA, said in his keynote address:

1) The security industry ‘state of the union’ is precarious

2) Attacks are escalating in intensity and sophistication

3) Open market for attack software makes anyone a hacker

4) We are not turning out enough skilled personnel to fight the fight

5) Most organizations are understaffed and underappreciated

6) The security technology industry has not kept up

7) The single-purpose, perimeter-oriented tools aren’t smart enough

8) No single product can provide true defense in depth

9) On balance: It’s not a pretty picture

10) Have a nice day.

Page 25: A Security Story

Well, that framed the problem nicely. (Though it was a little frightening considering the source.) All we needed now was a solution.

Page 26: A Security Story

Then I met a guy who knew a lot about networks. He owned a Managed IT Services Company. He thought the future was Cyber-security. (Stanley Li.)

Page 27: A Security Story

We both agreed that in an increasingly connected world, the Network was central to the future of Cyber-security.

Page 28: A Security Story

We also knew this about the problem:

1) It is too complex

2) It’s constantly changing

3) There are no rules

4) The bad guys are smart

5) Many threat vectors

6) No single solution

7) No skilled resources.

And … very few companies could or should try to do it themselves.

Page 29: A Security Story

We thought, “Let’s merge our companies and create a Security Services Company That Actually Solved These Problems”.

So, our new company remained Netswitch but we branded our new platform:

And we began creating a 360° solution that …

Page 30: A Security Story

We wanted to start with the Network… Because we understood networks… and included the industry’s very best products for every point of attack, because we knew that:

“No single product can provide true defense in depth”

~Art Coviello, The Chairman and CEO of RSA

Page 31: A Security Story

And, because as Art Coviello said, “The single-purpose, perimeter-oriented tools aren’t smart enough.”

We set out to find, vet, test, evaluate, beat-up, stress, and prove beyond a shadow of doubt that we had found the …

Page 32: A Security Story

Best Network Behavioral Analytics Software On The Market. With algorithms that used Abductive Reasoning.

Page 33: A Security Story

Abductive Reasoning works best in detecting Zero-day threats because it is inclusive:

Versus deductive:

Or inductive:

Page 34: A Security Story

When combined with context and correlation, Abductive Reasoning yields the fewest false positives … Because it operates on the principle of evidence in search of hypothesis … versus hypothesis in search of evidence.

Ommmmm …

Page 35: A Security Story

Yeah, yeah, yeah … What do you care, right? Targeted APT attacks are an ongoing process and once inside your Network may take years to discover …if ever.

Well, you should care and here’s why …

Page 36: A Security Story

Here’s how they work ...

1. They Infect – by leveraging weaknesses and penetrating the perimeter.

2. They Expand Access – by obtaining credentials, raising privileges, establishing links, moving laterally and taking control.

Page 37: A Security Story

3. They Prepare – by researching the targets, creating a strategy and building a tool kit.

4. They Exfiltrate – by extracting data, covering their tracks and leaving quietly.

Page 38: A Security Story

The average dwell time for network infections in 2015 was ….. 315 days¹

¹Mandiant’s annual The State of Cyber Attacks report

That means that APT malware nested in networks for almost an entire year before striking. How could we stop it?

Page 39: A Security Story

Consider this: Man Appears Soaking Wet With Umbrella. You look outside. It’s raining. Conclusion: Man Got Wet In Rain.

Deductive Reasoning = Hypothesis in Search of Evidence.

Then, this: Man Appears Soaking Wet With Umbrella. You look outside. It’s raining. Upon closer examination you see a lake and a waterfall. Conclusion: Man Is Wet. [And, it could have been caused by rain, lake or waterfall]

Page 40: A Security Story

You look again. Man’s shoes are muddy. Conclusion: Man Fell In Lake.

Abductive Reasoning = Evidence in Search of Hypothesis.

Which One Do You Think Works Better Against Cyber-Threats?

Page 41: A Security Story

Our Network Behavioral Analytics software using Abductive Reasoning is the only way to detect lateral and anomalistic movement within a network … so that became our baseline…

Page 42: A Security Story

But we didn’t stop there, because malware doesn’t stop either. We also used sandboxing software to blow-up evil email attachments and Malware that URL filtering misses.

Page 43: A Security Story

Augmenting Sandboxing with Network Behavioral Analytics is necessary because cyber-thieves have gotten really good at working around defenses. Here are a few examples:

1) Logic Bombs: Hide malicious code until a specified time.

2) Polymorphic Malware: Change each time it is run, adding bits of garbage code in an effort to foil pattern- and checksum-based inspection.

3) Botnet Command: Begins with a drop of clean code that connects to a URL or IP address that can download a file on command, hours, days or weeks later.

4) Sandbox Detection: APT code may contain routines that try to find out if it’s running in a virtual environment or may check for fingerprints of a vendor’s sandbox.

Page 44: A Security Story

This leads to Holistic Threat Detection … which was our objective for the Network … But, we weren’t done yet. In order to avoid these … we needed to do more.

Page 45: A Security Story

Because… we knew we needed to figure out the best solution for managing this risk … So, after more testing and vetting, we again turned to big data and behavioral analytics.

Page 46: A Security Story

And, using multi-variate analysis we could compare individuals, files and devices against their historic behavior, and automatically adjust as process, application, and technology variables change over time.

This way, we could detect anomalistic behavior and identify the actors before a breach occurs.

Page 47: A Security Story

We also knew that email was a huge gateway for malware …

We knew that if there was a simple way to authenticate senders and receivers, we could control malicious email, but no matter how we twisted it, we couldn’t find a way to proof all email … without seriously impacting workplace behaviors.

[73% of all malware attacks in 2015 started with email]

Page 48: A Security Story

We decided the most aggressive and sure-fire approach was to detect and identify malicious links and attachments before ALL email was opened … And then blow them up before they had a chance to infect anything.

Page 49: A Security Story

And then there’s the perimeter. We wanted to find the best Intrusion Prevention and Detection product that also provided protection to web applications. How hard is that? VERY.

We looked at 2 dozen products that identified and blocked web application threats like SQL injection, cross-site scripting, session hijacking, parameter and URL tampering and buffer overflows.

Page 50: A Security Story

We identified a product that used institutional feeds and crowd-sourced data, correlating events to identify emerging threats and adapting its protocols over time through advanced machine learning algorithms. Which was very cool. And Gartner agreed.

So, we built that into our platform and integrated its feeds into our SIEM and our SOC.

Page 51: A Security Story

Then, on to the End-Points. All devices with a remote connection to the network create potential entry points for security threats. Which is why we HATE BYOD!

[but that’s just us … You can keep your policies in place if you like]

Page 52: A Security Story

But, it was clear to us that traditional anti-virus and anti-malware software can no longer protect endpoints against modern threats. Sleep techniques, polymorphism, encryption, and the use of unknown protocols are just some of the ways that malware can hide from view.

Page 53: A Security Story

So, we went beyond point-in-time detection. We use a latticed grid of detection capabilities correlated with big data analytics. Our solution continuously analyzes files and traffic on endpoints to determine if advanced malware is present … constantly re-evaluating data gathered over time to detect stealthy attacks.

Page 54: A Security Story

And, since we are committed analytics freaks, we wanted to evaluate tons¹ of characteristics associated with each file to analyze and block advanced malware ... in real-time or retrospectively. This gives us the ability to roll back time on attacks, trace processes, file activities, and communications in order to understand the full extent of an infection, establish root causes, and perform remediation.

[whew] ¹ over 400 actually

Page 55: A Security Story

So, if you insist on continuing your BYOD policies and creating additional risk for yourself, then fine ... We can deal with it.

And we also deploy as an on-premises, air-gapped solution so that organizations with high-privacy requirements that restrict using a public cloud can still have confident protection.

Page 56: A Security Story

So, we did all that and created a world-class cyber-security technology platform that we knew protected the network, servers, mobile devices, and operating systems against external attacks. A platform that could also identify internal threats before they happened and could detect a network infection before it became a breach.

But, then we thought, “What if somehow, even with all of these safeguards, some data was stolen?”

Page 57: A Security Story

Because after all, old Art did say something about defense in depth not being effective. Which meant that we needed to do something about encryption and privileged user access control. We needed a solution that defended data across all storage options.

So, we came up with an advanced approach to access control.

Page 58: A Security Story

We again relied on advanced correlation algorithms to confirm that all data access attempts (even the ones allowed) matched up with expected behavior, generating alerts automatically when they didn’t.
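The comparison against historic behavior on Page 46 and the check on this page that even permitted data access attempts match expected behavior can be shown in working form. The following is an added example, not Netswitch or Securli code; it assumes a constructed four-column access log (day, user, resource, bytes read), an exponentially weighted baseline per (user, resource) pair, and the constants ALPHA and Z_THRESHOLD, all of which are my choices rather than anything the slides specify.

```python
"""Per-entity behavioral baseline with drift adaptation (added example).

Assumptions (not from the slides): a 4-column access log
(day, user, resource, bytes_read), an EWMA baseline per (user, resource)
pair, and the two tuning constants below.
"""
import math
from dataclasses import dataclass

ALPHA = 0.3          # assumed EWMA weight: how quickly the baseline follows drift
Z_THRESHOLD = 3.0    # assumed: standard deviations before a volume change is anomalous

# Constructed sample log; every one of these accesses was permitted by access control.
HISTORY = [
    (1, "alice", "/hr/payroll.xlsx", 120_000),
    (1, "alice", "/hr/benefits.docx", 40_000),
    (2, "alice", "/hr/payroll.xlsx", 130_000),
    (2, "alice", "/hr/benefits.docx", 42_000),
    (3, "alice", "/hr/payroll.xlsx", 125_000),
    (3, "alice", "/hr/benefits.docx", 39_000),
    (1, "bob", "/eng/build.log", 900_000),
    (2, "bob", "/eng/build.log", 950_000),
    (3, "bob", "/eng/build.log", 910_000),
]
TODAY = [
    (4, "alice", "/hr/payroll.xlsx", 128_000),    # within alice's normal range
    (4, "bob", "/hr/payroll.xlsx", 120_000),      # allowed, but bob has never read HR files
    (4, "alice", "/hr/benefits.docx", 4_000_000), # roughly 100x alice's usual volume
]


@dataclass
class Stat:
    """Exponentially weighted mean/variance of bytes read for one (user, resource)."""
    mean: float
    var: float = 0.0
    n: int = 1

    def update(self, x: float) -> None:
        delta = x - self.mean
        self.mean += ALPHA * delta
        # EWMA variance: decay the old variance, add the weighted squared innovation
        self.var = (1 - ALPHA) * (self.var + ALPHA * delta * delta)
        self.n += 1


class Baseline:
    def __init__(self):
        self.stats = {}  # (user, resource) -> Stat

    def learn(self, events) -> None:
        for _day, user, resource, nbytes in events:
            self.observe(user, resource, nbytes)

    def observe(self, user, resource, nbytes) -> None:
        key = (user, resource)
        if key in self.stats:
            self.stats[key].update(float(nbytes))
        else:
            self.stats[key] = Stat(mean=float(nbytes))

    def known_users(self):
        return {user for user, _ in self.stats}

    def score(self, user, resource, nbytes):
        """Return (reason, z) for one permitted access; reason is None when it looks normal."""
        if user not in self.known_users():
            return "unknown-entity", math.inf
        st = self.stats.get((user, resource))
        if st is None:
            return "first-time-resource", math.inf   # allowed, but never seen for this user
        if st.n < 2:
            return None, 0.0                          # too little history to judge volume
        # Guard against a zero-variance baseline (identical reads every day)
        sd = math.sqrt(st.var) if st.var > 0 else max(1.0, 0.05 * st.mean)
        z = (nbytes - st.mean) / sd
        return ("volume-deviation", z) if abs(z) > Z_THRESHOLD else (None, z)


def evaluate(baseline, events):
    """Score each event; learn only from the normal ones so the baseline drifts with real change."""
    alerts = []
    for day, user, resource, nbytes in events:
        reason, z = baseline.score(user, resource, nbytes)
        if reason is None:
            baseline.observe(user, resource, nbytes)  # never train on an anomaly
        else:
            alerts.append((day, user, resource, reason, round(z, 1)))
    return alerts


def run_demo():
    baseline = Baseline()
    baseline.learn(HISTORY)
    return evaluate(baseline, TODAY)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two things carry the slides’ point: an access that the access-control layer allowed still raises an alert when it is the first time that user has touched that resource, or when the volume sits several standard deviations from the user’s own history; and the baseline is updated only from events judged normal, so it follows legitimate change over time without learning the anomaly it just flagged.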

Page 59: A Security Story

And, our approach to encryption is to encrypt sensitive data where it resides and to install our agents above the file system on servers or virtual machines to enforce security and compliance policies. This combination satisfies all compliance mandates around encryption, least privileged access, monitoring, and key management.

We use split-key management to assure that neither your staff nor ours can access data without your direct involvement.
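One concrete form of the split-key arrangement described above, as an added example rather than the platform’s actual key-management design: the data-encryption key is split 2-of-2 by XOR with fresh randomness, one share held by the customer and one by the provider, and a SHA-256 key check value lets a reconstructed key be verified without storing the key itself. The 256-bit key length, the share names and the key check construction are assumptions.

```python
"""2-of-2 split-key custody for a data-encryption key (DEK). Added example.

Assumed (not from the slides): a 256-bit DEK, one share held by the
customer and one by the provider, and a SHA-256 key check value (KCV)
stored by the provider so a reconstructed key can be verified.
"""
import hashlib
import hmac
import os

KEY_LEN = 32  # assumed: 256-bit data-encryption key


def key_check_value(dek: bytes) -> bytes:
    # Domain-separated hash of the key; storing the KCV does not reveal the key.
    return hashlib.sha256(b"kcv|" + dek).digest()


def split_key(dek: bytes):
    """Return (customer_share, provider_share).

    The customer share is fresh randomness and the provider share is
    dek XOR customer_share, so each share alone is a uniformly random
    string carrying no information about the key.
    """
    if len(dek) != KEY_LEN:
        raise ValueError("unexpected key length")
    customer_share = os.urandom(KEY_LEN)
    provider_share = bytes(d ^ c for d, c in zip(dek, customer_share))
    return customer_share, provider_share


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def unwrap_with_customer(provider_share: bytes, customer_share: bytes, kcv: bytes) -> bytes:
    """Provider-side reconstruction; succeeds only with the customer's live share."""
    candidate = combine_shares(provider_share, customer_share)
    # Constant-time compare so the check itself leaks nothing about the KCV
    if not hmac.compare_digest(key_check_value(candidate), kcv):
        raise PermissionError("key check failed: customer share missing or wrong")
    return candidate


def demo() -> bool:
    """Walk the lifecycle once; True when both properties hold."""
    dek = os.urandom(KEY_LEN)
    kcv = key_check_value(dek)          # provider stores only this and its share
    customer_share, provider_share = split_key(dek)
    if unwrap_with_customer(provider_share, customer_share, kcv) != dek:
        return False
    # Provider acting alone: pairing its share with anything but the customer's fails
    try:
        unwrap_with_customer(provider_share, os.urandom(KEY_LEN), kcv)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("split-key custody holds:", demo())
```

Because the customer share is uniformly random and the provider share is the key XORed with it, each share alone is statistically independent of the key; the provider cannot unwrap anything unless the customer presents its share at the time of the request, which is the property the slide claims. In a deployment the reconstructed key would be handed straight to an AEAD such as AES-GCM and discarded after use.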

Page 60: A Security Story

Which did a fine job of controlling access and encrypting data, but we also needed a way to defeat threats that attacked our files and locked up our data on our own premises. Threats like Ransomware.

Page 61: A Security Story

The combination of virtualization and system emulation sandboxing, combined with a deep understanding of evasion and cloaking techniques, allows us to defeat evasion by ensuring the malicious code elicits enough behavior to make an immediate determination.

Because our detection engine learns as it finds new threats and adapts itself accordingly, we can recognize Ransomware before it strikes.

Page 62: A Security Story

And because we associate multiple related downloads and execute them in a separate behavior analysis environment, we are able to instantly decrypt and analyze multi-part threats. The ability to configure custom behavior analysis sandbox environments mimicking actual endpoints allows us to detect both incoming and lateral movement of malware within the network prior to a breach.

Page 63: A Security Story

And that pretty much wraps up the technology stack … But, what did we do about Incident Response, Containment, Remediation and Eradication, you ask? Well, we built a SIEM and a SOC with 24x7x365 Monitoring, Alerting and Full Remediation … That’s what.

Page 64: A Security Story

The objective was to provide our customers with all the benefits from a security information and event management system without any of the headache or capital investment.

The result is a comprehensive SIEM solution, fully hosted in our secure and compliant cloud to manage and monitor all critical systems regardless of where they may be.

Page 65: A Security Story

Some of the benefits of our fully Hosted and Managed SIEM Platform:

• Replication to Secondary Datacenter

• Data & System Backups

• Comprehensive Device Support

• Event Log Consolidation and Management

• Network, Virtualization, and Application Intelligence

• Configuration Change Management

• In-Depth Database Security, Availability, and Anomalous Activity Monitoring

• Compliance Automation

• Solution Setup and Device Onboarding

• Weekly Device Discovery Validation

• Proprietary, Pre-Tuned Rules Matrix and Customized Rules

• Ongoing Rule Tuning and False Positive Reduction

• Integrated 3rd Party Threat Feeds

• Automated Alerts and Notifications

• Over 2,200 Pre-Built Compliance and Standards-Based Reports

Page 66: A Security Story

And we built the SOC to meet and exceed all regulatory requirements such as PCI, FFIEC, and HIPAA. We assign a dedicated team of our security analysts to each customer to perform daily reviews of all logs and notifications, 24x7x365. All critical issues immediately generate alerts and notifications. Daily tracking and logging proves and satisfies regulatory compliance.

Page 67: A Security Story

Which brings us to the overall issue of regulatory compliance. We knew that 95% of our customers would not be able to afford a formalized compliance program, let alone a full-time CISO. But we also knew that the issue wouldn't go away.

So, we assembled a team of professional CISOs from every major industry and made them available on an on-demand basis.

Page 68: A Security Story

At a fraction of our cost, to help our customers assess and address regulatory compliance issues ... and avoid the ever-increasing fines for compliance failure. So that we could truly be a one-stop solution for all cyber-security issues, including operational and administrative ... as well as technological.

Page 69: A Security Story

We also created a straightforward penetration and vulnerability assessment conducted by the guys who won the Capture The Flag Tournament 3 years running at DEFCON... until they asked them to please … stop competing!

Now they entertain themselves trying to penetrate perimeter defenses like yours.

Page 70: A Security Story

In addition, we added a bunch of ancillary functions like the ability to mask and redact personally identifiable and health information on document images like medical bills, x-rays, hotel room bills, sonograms, W2’s, bank deposit slips, etc., so that even the theft of the actual document images will prove useless to the thieves.

Over 49 different unstructured data types like PDF, XML, JPG, PNG, TXT, etc. and structured data in databases from Mainframe, iSeries, Distributed, to Handheld and Embedded systems.

Page 71: A Security Story

And, the ability to protect your cloud data against employee negligence by automatically enforcing sharing policies on all your files, stored in places like Google Drive, Box and Drop Box. A simple way to make sure that employee mistakes will never compromise your cloud data again.

Page 72: A Security Story

We’ve also developed and applied for a few patents, like one for an IoT Cyber-Security Architecture that addresses the problem of a Universal Data Interchange architecture … and one for a true Cyber-Threat Intelligence Platform that correlates raw data feeds and creates actionable intel …

Page 73: A Security Story

… and a third for Remote Access Multi-factor Authentication based on Adaptive Machine Learning.

The point is that we haven’t just been thinking about how to solve today’s problems … But we also invest a lot of time and energy in working on solutions that will address future operational landscapes and Cyber-threats.

Page 74: A Security Story

We should point out (I suppose) that the Securli® platform has won many industry awards and has vaulted to rank 4th among the MSPMentor 501 Managed Security Services Companies in the world.

and

has named us as one of the Leaders in Managed Detection and Response for 2016.

Page 75: A Security Story

And, there’s more, but really? Enough is enough, right?

… for those of you who have stayed with us through these last 74 slides … Thank You!

We’re pretty sure we have told you our whole story, or have at least given you enough background to see what it takes to create a holistic managed security services platform that can protect against and deal with all cyber-security threats. All the time.

Page 76: A Security Story

The End

(A Netswitch Production)

But, if you DO have concerns about your ability to manage your own cyber-security operation, OR you realize that it costs way too much AND you're not sure you have all your bases covered, please contact us and we can talk. We don’t charge you for that.

Page 77: A Security Story

Oops … Bonus Slide! For a FREE poster like the one next door (HERE) Click: register for poster and enter the word “POSTER” in the message box. (No salesman will call.)