A Security Story (Transcript)
The Search for Life’s Meaning in the Valley of Cyber-Security
(The story of how the world’s coolest Cyber-Threat Management Platform was conceived)
Hi … I’m Steve, and I do Cyber-Security stuff for a living. (Me)
I like problems … (Solving them)
That’s why I majored in Mathematical Probability and Statistics. (Me, at UC Berkeley)
A long time ago … I co-founded The Cambridge Systems Group. (Me … at Cambridge)
We created ADC2 and went to market … Soon, it became the leading Mainframe Security product (in the world).
We beat these guys … by a lot. (a whole lot)
After that I did some other stuff and … moved to Santa Fe … opened an art gallery … etc. (Studio G art gallery; smiling patron)
Then one day a Big Bank called … They said they had a Security problem! (It wasn’t very interesting …)
Until they told me they thought they might have unencrypted data … IN TRANSIT! And would I please come take a look and tell them what I thought. This was suddenly VERY interesting. (I said sure.)
“How could a Bank have unencrypted data in transit?”
Their idea was to form a sort of Red Team to test the effectiveness of their Security before the Bad Guys did it for them. So, I formed a company to do just that.
We called it Blackhawk Security Systems. My team only had to pass a criminal background check. The same one the 9/11 bombers would have passed.
Right away we knew we had entered the Danger Zone. AND … we discovered unencrypted data everywhere. Loose access management. Open access to file descriptions. Vintage security tools. Outdated VA (vulnerability assessment) software.
So, we ran a little test. We hired a contractor, using standard bank practices. She was given a laptop. She was given standard access. She had file descriptions. She wrote some scripts. She got into every system she attacked … and it was unbelievably easy. Two years later, we fixed all of it. But it got me thinking …
If one of the world’s largest banks was this porous, what must a Fortune 1000 company look like? What would a $50 million company look like? What about a startup?
So, I looked around. Sure enough. Everybody was struggling with security issues. Mostly, no one understood any of it.
Most people had some Anti-virus software. Some had IDS/IPS (intrusion detection and intrusion prevention). Others had Firewalls. Their cyber-threat defenses were heavily invested in the perimeter. Not the Network. And not the data.
This, of course, was back in the pre-2012 computing era. Not much was known about Network Infections. APTs didn’t exist. Before BYOD. Time travel was only in the future.
Some people thought they could do it themselves. They had IT guys. They were smart. There were a lot of products out there.
JP Morgan Chase spent over $200 million on Cyber-Security in 2014 and then got hacked. 76 million accounts compromised. They did it themselves. JP Morgan Chase had lots of smart guys. So did Target. So did Home Depot. Something was happening here.
So, I went to RSA. There were tons of Cyber-security products. Over 400 of them, in fact. There were cool ones. (Gartner said so.) There were smart ones. (The vendors said so.) Most just confused me.
Then, Art Coviello, the Chairman and CEO of RSA, said in his keynote address:
1) The security industry ‘state of the union’ is precarious
2) Attacks are escalating in intensity and sophistication
3) Open market for attack software makes anyone a hacker
4) We are not turning out enough skilled personnel to fight the fight
5) Most organizations are understaffed and underappreciated
6) The security technology industry has not kept up
7) The single-purpose, perimeter-oriented tools aren’t smart enough
8) No single product can provide true defense in depth
9) On balance: It’s not a pretty picture
10) Have a nice day.
Well, that framed the problem nicely. (Though it was a little frightening considering the source.) All we needed now was a solution.
Then I met a guy who knew a lot about networks. He owned a Managed IT Services Company. He thought the future was Cyber-security. (Stanley Li.) We both agreed that in an increasingly connected world, the Network was central to the future of Cyber-security.
We also knew this about the problem:
1) It is too complex
2) It’s constantly changing
3) There are no rules
4) The bad guys are smart
5) Many threat vectors
6) No single solution
7) No skilled resources.
And … very few companies could or should try to do it themselves.
We thought, “Let’s merge our companies and create a Security Services Company That Actually Solved These Problems”.
So, our new company remained Netswitch but we branded our new platform Securli®.
We wanted to start with the Network … because we understood networks …
And we began creating a 360° solution that included the industry’s very best products for every point of attack, because we knew that:
“No single product can provide true defense in depth” ~Art Coviello, the Chairman and CEO of RSA
And, because as Art Coviello said, “The single-purpose, perimeter-oriented tools aren’t smart enough.”
We set out to find, vet, test, evaluate, beat up, stress, and prove beyond a shadow of doubt that we had found the … Best Network Behavioral Analytics Software On The Market. With algorithms that used Abductive Reasoning.
Abductive Reasoning works best in detecting Zero-day threats because it is inclusive (versus deductive or inductive reasoning).
When combined with context and correlation, Abductive Reasoning yields the fewest false positives … because it operates on the principle of evidence in search of a hypothesis … versus hypothesis in search of evidence.
Ommmmm …
Yeah, yeah, yeah … What do you care, right?
Well, you should care and here’s why … Targeted APT attacks are an ongoing process and, once inside your Network, may take years to discover … if ever.
Here’s how they work ...
1. They Infect – by leveraging weaknesses and penetrating the perimeter.
2. They Expand Access – by obtaining credentials, raising privileges, establishing links, moving laterally and taking control.
3. They Prepare – by researching the targets, creating a strategy and building a tool kit.
4. They Exfiltrate – by extracting data, covering their tracks and leaving quietly.
The average dwell time for network infections in 2015 was … 315 days¹
¹ Mandiant’s annual The State of Cyber Attacks report
That means that APT malware nested in networks for almost an entire year before striking.
How could we stop it? Consider this:
Man Appears Soaking Wet With Umbrella. You look outside. It’s raining. Conclusion: Man Got Wet In Rain.
Deductive Reasoning = Hypothesis in Search of Evidence.
Then, this:
Man Appears Soaking Wet With Umbrella. You look outside. It’s raining. Upon closer examination you see a lake and a waterfall. Conclusion: Man Is Wet. [And it could have been caused by rain, lake or waterfall]
You look again. Man’s shoes are muddy. Conclusion: Man Fell In Lake.
Abductive Reasoning = Evidence in Search of Hypothesis.
Which One Do You Think Works Better Against Cyber-Threats?
Our Network Behavioral Analytics software using Abductive Reasoning is the only way to detect lateral and anomalistic movement within a network … so that became our baseline … But we didn’t stop there, because malware doesn’t stop either.
We also used sandboxing software to blow up evil email attachments and Malware that URL filtering misses. Here are a few examples:
1) Logic Bombs: Hide malicious code until a specified time.
2) Polymorphic Malware: Changes each time it is run, adding bits of garbage code in an effort to foil pattern- and checksum-based inspection.
3) Botnet Command: Begins with a drop of clean code that connects to a URL or IP address that can download a file on command, hours, days or weeks later.
4) Sandbox Detection: APT code may contain routines that try to find out if it’s running in a virtual environment or may check for fingerprints of a vendor’s sandbox.
Augmenting Sandboxing with Network Behavioral Analytics is necessary because cyber-thieves have gotten really good at working around defenses.
This leads to Holistic Threat Detection … which was our objective for the Network … But, we weren’t done yet. In order to avoid these … we needed to do more. Because … we knew we needed to figure out the best solution for managing this risk … So, after more testing and vetting, we again turned to big data and behavioral analytics …
And, using multi-variate analysis, we could compare individuals, files and devices against their historic behavior, and automatically adjust as process, application, and technology variables change over time. This way, we could detect anomalistic behavior and identify the actors before a breach occurs.
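The two ideas above, “evidence in search of a hypothesis” and comparing an entity against its own historic behavior across several variables, fit together in a few dozen lines. The following is an added example and not Netswitch or Securli code: one user’s constructed 20-day history feeds an exponentially weighted per-feature baseline (so it keeps adjusting as normal behavior drifts), each new observation is turned into per-feature deviations, and an alert fires only when the deviating evidence together supports a named hypothesis, not on any single out-of-range value. The feature names, thresholds, hypothesis table and sample numbers are all assumptions chosen for illustration.

```python
"""Added example, not Netswitch/Securli code: a small multi-variate behavioral
baseline that scores each observation against an entity's own history and
alerts only when several deviations together support a hypothesis (evidence in
search of a hypothesis), rather than on one out-of-range value.  Feature names,
thresholds, hypotheses and the history below are constructed for illustration."""
import math
from dataclasses import dataclass, field

FEATURES = ("bytes_out_mb", "hosts_contacted", "after_hours_logins", "failed_auths")
Z_MIN = 3.0       # a feature counts as evidence at >= 3 "sigmas" from its baseline
SD_FLOOR = 1.0    # flat history (e.g. always 0) must not turn every blip into infinity

# Each hypothesis lists the evidence that must deviate *together* to support it.
HYPOTHESES = {
    "data staging / exfiltration": ("bytes_out_mb", "hosts_contacted"),
    "credential abuse / lateral movement": ("failed_auths", "hosts_contacted", "after_hours_logins"),
}


@dataclass
class Baseline:
    """Exponentially weighted mean/variance per feature, so the baseline keeps
    adjusting as an entity's normal behaviour drifts over time."""
    alpha: float = 0.1
    n: int = 0
    mean: dict = field(default_factory=dict)
    var: dict = field(default_factory=dict)

    def update(self, obs):
        for f in FEATURES:
            x = float(obs[f])
            if self.n == 0:
                self.mean[f], self.var[f] = x, 0.0
                continue
            delta = x - self.mean[f]
            self.mean[f] += self.alpha * delta
            self.var[f] = (1 - self.alpha) * (self.var[f] + self.alpha * delta * delta)
        self.n += 1

    def zscores(self, obs):
        return {f: (float(obs[f]) - self.mean[f]) / max(math.sqrt(self.var[f]), SD_FLOOR)
                for f in FEATURES}


def assess(baseline, obs):
    """Collect all deviating evidence first, then ask which hypothesis (if any)
    explains it.  A lone deviation is recorded but does not raise an alert."""
    z = baseline.zscores(obs)
    deviating = [f for f in FEATURES if z[f] >= Z_MIN]
    supported = [h for h, needed in HYPOTHESES.items() if all(f in deviating for f in needed)]
    return {"deviating": deviating, "hypotheses": supported, "alert": bool(supported)}


def build_baseline(days=20):
    """Constructed history for one user: ~50 MB/day out, 3-5 hosts contacted,
    no after-hours logins, an occasional failed password."""
    b = Baseline()
    for i in range(days):
        b.update({"bytes_out_mb": 45 + (i * 7) % 11, "hosts_contacted": 3 + i % 3,
                  "after_hours_logins": 0, "failed_auths": i % 2})
    return b


def run_demo():
    b = build_baseline()
    scenarios = {
        # one big upload, everything else normal: evidence, but no hypothesis
        "single_spike": {"bytes_out_mb": 500, "hosts_contacted": 4, "after_hours_logins": 0, "failed_auths": 0},
        # big upload *and* talking to many new hosts: staging/exfiltration pattern
        "staging": {"bytes_out_mb": 500, "hosts_contacted": 40, "after_hours_logins": 0, "failed_auths": 0},
        # password failures, many hosts, off-hours logins: lateral-movement pattern
        "lateral": {"bytes_out_mb": 48, "hosts_contacted": 40, "after_hours_logins": 4, "failed_auths": 30},
    }
    return {name: assess(b, obs) for name, obs in scenarios.items()}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:13s} alert={r['alert']!s:5s} evidence={r['deviating']} -> {r['hypotheses']}")
```

The point of the `SD_FLOOR` is the edge case that bites real deployments: a feature that has always been zero has zero variance, and without a floor the first after-hours login would score as infinitely anomalous. The `single_spike` scenario shows the other half of the argument: a lone 500 MB upload is noted as evidence but, with no corroborating deviation, produces no alert, which is where the reduction in false positives comes from.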
We also knew that email was a huge gateway for malware … We knew that if there was a simple way to authenticate senders and receivers, we could control malicious email, but no matter how we twisted it, we couldn’t find a way to proof all email … without seriously impacting workplace behaviors. [73% of all malware attacks in 2015 started with email] We decided the most aggressive and sure-fire approach was to detect and identify malicious links and attachments before ALL email was opened … and then blow them up before they had a chance to infect anything.
And then there’s the perimeter. We wanted to find the best Intrusion Prevention and Detection product that also provided protection to web applications. How hard is that? VERY. We looked at 2 dozen products that identified and blocked web application threats like SQL injection, cross-site scripting, session hijacking, parameter and URL tampering and buffer overflows. We identified a product that used institutional feeds and crowd-sourced data, correlating events to identify emerging threats and adapting its protocols over time through advanced machine learning algorithms. Which was very cool. And Gartner agreed. So, we built that into our platform and integrated its feeds into our SIEM and our SOC.
Then, on to the End-Points. All devices with a remote connection to the network create potential entry points for security threats. Which is why we HATE BYOD! [but that’s just us ... you can keep your policies in place if you like] But, it was clear to us that traditional anti-virus and anti-malware software can no longer protect endpoints against modern threats. Sleep techniques, polymorphism, encryption, and the use of unknown protocols are just some of the ways that malware can hide from view. So, we went beyond point-in-time detection. We use a latticed grid of detection capabilities correlated with big data analytics. Our solution continuously analyzes files and traffic on endpoints to determine if advanced malware is present … constantly re-evaluating data gathered over time to detect stealthy attacks.
And, since we are committed analytics freaks, we wanted to evaluate tons¹ of characteristics associated with each file to analyze and block advanced malware ... in real time or retrospectively. This gives us the ability to roll back time on attacks, trace processes, file activities, and communications in order to understand the full extent of an infection, establish root causes, and perform remediation.
[whew] ¹ over 400 actually
So, if you insist on continuing your BYOD policies and creating additional risk for yourself, then fine ... We can deal with it. And we also deploy as an on-premises, air-gapped solution so that organizations with high-privacy requirements that restrict using a public cloud can still have confident protection. So, we did all that and created a world-class cyber-security technology platform that we knew protected the network, servers, mobile devices, and operating systems against external attacks. A platform that could also identify internal threats before they happened and could detect a network infection before it became a breach.
But, then we thought, “what if somehow, even with all of these safeguards, some data was stolen?” Because after all, old Art did say something about defense in depth not being effective. Which meant that we needed to do something about encryption and privileged user access control. We needed a solution that defended data across all storage options.
So, we came up with an advanced approach to access control. We again relied on advanced correlation algorithms to confirm that all data access attempts (even the ones allowed) matched up with expected behavior, generating alerts automatically when they didn’t. And, our approach to encryption is to encrypt sensitive data where it resides and to install our agents above the file system on servers or virtual machines to enforce security and compliance policies. This combination satisfies all compliance mandates around encryption, least-privileged access, monitoring, and key management. We use split-key management to assure that neither your people nor ours can access data without your direct involvement.
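What “neither yours nor ours can access data without your direct involvement” means in practice is that the data-encryption key is never stored whole anywhere. The following is an added example, not Netswitch or Securli code, and the specific scheme (a two-share XOR split with a key-check value stored beside the ciphertext) is an assumption chosen to illustrate the principle, not the platform’s actual design: the customer holds one share, the provider holds the other, either share on its own is indistinguishable from random bytes, and the key is only reconstructed, and verified, when both are presented.

```python
"""Added example, not Netswitch/Securli code: a 2-of-2 split-key scheme in
which a data-encryption key is never stored whole.  The customer and the
provider each hold one share; only XOR-ing both shares together re-creates the
key, so neither side can unlock data alone.  The XOR split and the key-check
value are assumptions for illustration, not the platform's actual design."""
import hashlib
import secrets

KEY_LEN = 32  # 256-bit data-encryption key


def split_key(key: bytes) -> tuple:
    """Split key into two shares.  share_a is uniformly random, so on its own it
    carries no information about key; share_b = key XOR share_a."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Rebuild the key from both shares (XOR is its own inverse)."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> str:
    """Short fingerprint stored alongside the ciphertext so a reconstructed key
    can be verified before use; a truncated hash reveals nothing useful about
    a 256-bit random key."""
    return hashlib.sha256(b"kcv|" + key).hexdigest()[:16]


def unlock(customer_share: bytes, provider_share: bytes, expected_kcv: str) -> bytes:
    """Both parties contribute; the key is released only if it verifies."""
    key = combine(customer_share, provider_share)
    if not secrets.compare_digest(key_check_value(key), expected_kcv):
        raise PermissionError("shares do not reconstruct the expected key")
    return key


def demo() -> dict:
    """Generate a key, split it, and show that both shares are required."""
    key = secrets.token_bytes(KEY_LEN)
    kcv = key_check_value(key)
    customer, provider = split_key(key)
    both_ok = unlock(customer, provider, kcv) == key
    # The provider alone, guessing or substituting the customer's share, gets nothing.
    try:
        unlock(secrets.token_bytes(KEY_LEN), provider, kcv)
        alone_ok = True
    except PermissionError:
        alone_ok = False
    return {
        "both_shares_unlock": both_ok,
        "single_share_unlocks": alone_ok,
        "share_equals_key": customer == key or provider == key,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the key-check value: without it, a wrong or stale share would silently yield a wrong key and the failure would only surface as corrupted plaintext later. With it, the reconstruction step fails closed, and `secrets.compare_digest` keeps the comparison constant-time.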
Which did a fine job of controlling access and encrypting data, but we also needed a way to defeat threats that attacked our files and locked up our data on our own premises. Threats like Ransomware.
The combination of virtualization and system emulation sandboxing, combined with a deep understanding of evasion and cloaking techniques, allows us to defeat evasion by ensuring the malicious code elicits enough behavior to make an immediate determination. Because our detection engine learns as it finds new threats and adapts itself accordingly, we can recognize Ransomware before it strikes. And because we associate multiple related downloads and execute them in a separate behavior analysis environment, we are able to instantly decrypt and analyze multi-part threats. The ability to configure custom behavior analysis sandbox environments mimicking actual endpoints allows us to detect both incoming and lateral movement of malware within the network prior to a breach.
And that pretty much wraps up the technology stack … But, what did we do about Incident Response, Containment, Remediation and Eradication, you ask? Well, we built a SIEM and a SOC with 24x7x365 Monitoring, Alerting and Full Remediation … That’s what.
The objective was to provide our customers with all the benefits of a security information and event management system without any of the headache or capital investment. The result is a comprehensive SIEM solution, fully hosted in our secure and compliant cloud, to manage and monitor all critical systems regardless of where they may be.
Some of the benefits of our fully Hosted and Managed SIEM Platform:
• Replication to Secondary Datacenter
• Data & System Backups
• Comprehensive Device Support
• Event Log Consolidation and Management
• Network, Virtualization, and Application Intelligence
• Configuration Change Management
• In-Depth Database Security, Availability, and Anomalous Activity Monitoring
• Compliance Automation
• Solution Setup and Device Onboarding
• Weekly Device Discovery Validation
• Proprietary, Pre-Tuned Rules Matrix and Customized Rules
• Ongoing Rule Tuning and False Positive Reduction
• Integrated 3rd Party Threat Feeds
• Automated Alerts and Notifications
• Over 2,200 Pre-Built Compliance and Standards-Based Reports
And we built the SOC to meet and exceed all regulatory requirements such as PCI, FFIEC, and HIPAA. We assign a dedicated team of our security analysts to each customer to perform daily reviews of all logs and notifications, 24x7x365. All critical issues trigger immediate alerts and notifications. Daily tracking and logging proves and satisfies regulatory compliance.
Which brings us to the overall issue of regulatory compliance. We knew that 95% of our customers would not be able to afford a formalized compliance program, let alone a full-time CISO. But we also knew that the issue wouldn’t go away. So, we assembled a team of professional CISOs from every major industry and made them available on an on-demand basis, at a fraction of our cost, to help our customers assess and address regulatory compliance issues ... and avoid the ever-increasing fines for compliance failure. So that we could truly be a one-stop solution for all cyber-security issues, including operational and administrative ... as well as technological.
We also created a straightforward penetration and vulnerability assessment conducted by the guys who won the Capture The Flag Tournament 3 years running at DEFCON ... until they were asked to please … stop competing! Now they entertain themselves trying to penetrate perimeter defenses like yours.
In addition, we added a bunch of ancillary functions like the ability to mask and redact personally identifiable and health information on document images like medical bills, x-rays, hotel room bills, sonograms, W2’s, bank deposit slips, etc., so that even the theft of the actual document images will prove useless to the thieves. Over 49 different unstructured data types like PDF, XML, JPG, PNG, TXT, etc., and structured data in databases from Mainframe, iSeries, and Distributed to Handheld and Embedded systems. And, the ability to protect your cloud data against employee negligence by automatically enforcing sharing policies on all your files, stored in places like Google Drive, Box and Dropbox. A simple way to make sure that employee mistakes will never compromise your cloud data again.
Oh, no!
We’ve also developed and applied for a few patents, like one for an IoT Cyber-Security Architecture that addresses the problem of a Universal Data Interchange architecture … and one for a true Cyber-Threat Intelligence Platform that correlates raw data feeds and creates actionable intel … and a third for Remote Access Multi-factor Authentication based on Adaptive Machine Learning. The point is that we haven’t just been thinking about how to solve today’s problems … But we also invest a lot of time and energy in working on solutions that will address future operational landscapes and Cyber-threats.
We should point out (I suppose) that the Securli® platform has won many industry awards and has vaulted to rank 4th among the MSPMentor 501 Managed Security Services Companies in the world,
and
has named us as one of the Leaders in Managed Detection and Response for 2016
And, there’s more, but really? Enough is enough, right? … for those of you who have stayed with us through these last 74 slides … Thank You! We’re pretty sure we have told you our whole story, or have at least given you enough background to see what it takes to create a holistic managed security services platform that can protect against and deal with all cyber-security threats, all the time.
The End (A Netswitch Production)
But, if you DO have concerns about your ability to manage your own cyber-security operation, OR you realize that it costs way too much AND you’re not sure you have all your bases covered, please contact us and we can talk. We don’t charge you for that.
Oops … Bonus Slide! For a FREE poster like the one next door, click “register for poster” and enter the word “POSTER” in the message box. (No salesman will call)