Do you remember the scene from The Empire Strikes Back where the Millennium Falcon is trying to escape an Imperial Star Destroyer? Han Solo says, “Let’s get out of here, ready for light-speed? One… two… three!” Han pulls back on the hyperspace throttle and nothing happens. He then says, “It’s not fair! It’s not my fault! It’s not my fault!”
Later in the movie when Lando and Leia are trying to escape Bespin, the hyperdrive fails yet again. Lando exclaimed, “They told me they fixed it. I trusted them to fix it. It's not my fault!” In first case transfer circuits were damaged, and in the second case, stormtroopers disabled the hyperdrive.
Ultimately they were at fault; they were the captains of the ship, and the buck stops with them. It doesn't matter what caused problems, they were responsible; excuses don't matter when a Sith Lord is in pursuit.
I am seeing a trend where breached companies might be heading down a similar “it’s not my fault” path. Consider these examples:
We have even seen law enforcement documents on threat actors. In August, Mr. Su Bin, a Chinese national, was indicted for the theft of Boeing’s trade secrets. The criminal complaint regarding Su Bin’s activities became public in June and offers a fascinating perspective into espionage as a service.
Does something like this sound familiar? "We need to find, fix, finish, exploit, analyze, & disseminate this intrusion set along the kill chain via force multipliers so we can observe, orient, decide, and act according to tactical, operational, and strategic priority intelligence requirements." I bet that part of it does.
I think that it is important to keep in mind that we aren't the military and don't have the resources of the military. While military concepts can be useful, buzzwords won't secure your environment; you could become distracted and utilize your limited resources in the wrong manner. As I was sorting out my Black Hat calendar tonight, I fortuitously saw a talk that is very applicable to this topic: "The Library of Sparta," with David Raymond, Greg Conti, and Tom Cross. Here is part of their abstract:
During the past 18 months or so, we have seen the emergence of innovative endpoint security solutions. The list is long; it is hard to keep track of all the solutions in the space. In no particular order, here is a sampling: Bromium, Invincea, IBM Trusteer, Cylance, Palo Alto Networks Next-Gen Endpoint Protection (Cyvera), Microsoft Enhanced Mitigation Experience Toolkit (EMET), Bit9 + Carbon Black, Confer, CounterTack Sentinel, Cybereason, CrowdStrike Falcon Host, Guidance Software Cybersecurity, Hexis HawkEye G, FireEye HX, Triumfant, Tanium, and Verdasys Digital Guardian.
I take many briefings from these types of vendors (primarily the ones I cover in Forrester’s Endpoint Visibility and Control category) and within the first 5 minutes of the conversation, the vendor mentions that their solution has a “small footprint.” The use of this phrase is the equivalent of nails scratching their way across a chalkboard for me. When was the last time you heard anyone say that they have a “large footprint?” Please provide more information: Do you run in user or kernel land? What are the impacts to utilization? Even if a vendor truly has a “small footprint,” when that new agent is deployed to a host that already has four or five agents running, the collective footprint is far from small.
The sharing of threat intelligence is a hot topic these days. When I do conference speeches, I typically ask how many organizations see value in sharing, and most in the room will raise their hand. Next, I ask how many organizations are actually sharing threat intelligence, and roughly 25% to 30% in the room raises their hand. When our 2014 Security Survey data comes in, I will have some empirical data to quote, but anecdotally, there seems to be more interest than action when it comes to sharing. I wrote about some of the challenges around sharing in “Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence.” Trust is at the epicenter of sharing and just like in "Meet the Parents," you have to be in the circle of trust. You can enable sharing, but automating trust does take time.
Critical infrastructure is frequently on my mind, especially the ICS/SCADA within the energy sector. I live in Texas; oil and natural gas are big here ya'll. I'm just a short distance away from multiple natural gas drilling sites. I cannot help but think about the risks during the extraction and transport of this natural gas. North Texas has seen an attempt to bomb the natural gas infrastructure. In 2012, Anson Chi attempted to destroy an Atmos Energy pipeline in Plano, Texas. As a security and risk professional, I wonder about the potential cyber impacts an adversary with Chi's motivations could have.
We recently published part 1 of a new series designed to help organizations build resiliency against targeted attacks. In the spirit of Maslow, we designed our Targeted-Attack Hierarchy Of Needs. One factor that significantly drove the tone and direction of this research was Forrester client inquiries and consulting. Many organizations were looking for a malware sandbox to check off their targeted attack/advanced persistent threat/advanced threat protection/insert buzzword needs. Malware analysis has a role in enterprise defense, but focusing exclusively on it is a myopic approach to addressing the problem.
Part 1 of the research is designed to help organizations broaden their perspective and lay the foundation for a resilient security program. Part 2 (currently writing at a non George R.R. Martin pace) will move beyond the basics and address strategies for detecting and responding to advanced adversaries. Here is a preview of the research and the six needs we identified:
Fifty organizations representing 95 countries were included in the data set. This included 1,367 confirmed data breaches. By comparison, last year’s report included 19 organizations and 621 confirmed data breaches.
In a significant change, Verizon expanded the analysis beyond breaches to include security incidents. As a result, this year’s dataset has 63,437 incidents. This is a great change, recognizes that incidents are about more than just data exfiltration, and also allows for security incidents like DoS attacks to be included.
The structure of the report itself has also evolved; it is no longer threat overview, actors, actions and so on. One of the drivers for this format change was an astounding discovery. Verizon found that over the past 10 years, 92% of all incidents they analyzed could be described by just nine attack patterns. The 2014 report is structured around these nine attack patterns.
Some of the highlights in case you haven't read it yet:
Six months before the incident, Target invested $1.6 million in FireEye technology.
Target had a team of security specialists in Bangalore monitoring the environment.
On Saturday November 30, FireEye identified and alerted on the exfiltration malware. By all accounts this wasn't sophisticated malware; the article states that even Symantec Endpoint Protection detected it.
Last week I attended the RSA Conference (RSAC) Innovation Sandbox for the first time. Not only was I an attendee, but I also was fortunate enough to host a CTO panel during the event. For those that aren’t aware, the Innovation Sandbox is one of the more popular programs of the RSAC week. The highlight of the Innovation Sandbox is the competition for the coveted “Most Innovative Company at the RSA Conference” award. This is basically the information security version of ABC’s Shark Tank. If you want to learn about the up-and-coming vendors and technologies, this is one place to do it. To participate, companies had to meet the following criteria:
The product has been in the market for less than one year (launched after February 2013).
The company must be privately held, with less than $5M in revenue in 2013.
The product has the potential to make a significant impact on the information security space.
The product can be demonstrated live and on-site during Innovation Sandbox.
The company has a management team that has proven successful in the delivery of products to market.