
FEBRUARY 2015 • WWW.SCMAGAZINE.COM

COOL IN A CRISIS
How you communicate during an attack is as important as your response, says Ron Green, CISO, MasterCard. P20

FEATURES:
Canada’s internet voting problem: Many Canadian municipal officials are elected via the internet, even as agencies prohibit the practice. PC1
Unifying principle: Is the time right for national data breach legislation? There are signs that this may be the year. P24

REVIEWED IN OUR GROUP TEST:
Norse P43: Cadillac of cyber-threat intelligence does everything
Centripetal P40: Merges cyber threat intelligence and stack management
Recorded Futures P45: Technically oriented, open source intelligence service



VOLUME 26 NO. 2 • February 2015 • WEBSITE WWW.SCMAGAZINE.COM • EMAIL [email protected]

Cover photo by David Torrence Photography

Kristi Carrier P15

Recorded Futures P45

Craig Shumard P50

Ron Green, EVP and CISO, MasterCard P20

REGULARS

4 Editorial It’s going to take savvier preparation.

8 Threat report Russia was the top producer of zombie IP addresses

10 Threat stats There were 8,311,693 attacks in the U.S.

12 Update In Canada, Bill C-51 widens government surveillance powers.

13 Debate Mobile malware is mobile security’s biggest threat.

14 Two minutes on… Tidal waves of spoofed traffic: DDoS attacks.

15 Me and my job Kristi Carrier, quality auditor, Nuspire Networks.

16 From the CSO’s desk Breach response, by ViJay Viswanathan, CISO, HD Supply.

17 Opinion Are mobile apps risky business?, by Rich Boyer, NTT Com Security.

18 Letters From the online mailbag.

19 Analysis Usability as a protection feature, by Ian Hamilton, CTO, Signiant.

49 Calendar A guide to upcoming IT security shows, events and courses.

50 Last word The security model is broken, by Craig Shumard, principal, Shumard and Associates.

PRODUCT REVIEWS

38 Product section We are increasing the number and the space of emerging products.

39 Emerging products: Threat intelligence Solid intelligence analysis can go a long way toward protecting against the ravages of a Sony-style compromise.

FEATURES

20 COOL IN A CRISIS: Breach response How you communicate during an attack is as important as your response, says Ron Green, CISO, MasterCard.

C1 Canada’s internet voting problem Many Canadian municipal officials are elected via the internet, even as agencies prohibit the practice.

24 Unifying principle: Data breach legislation Is the time right for national data breach legislation?

28 Defense from the top: FISMA 2.0 The DHS will gain more control when a FISMA update is passed.

30 On air: Case study A radio network made certain its cloud was defended.

33 Help wanted: Hiring crisis Recruiters say that corporations need to rethink their defenses to address critical talent shortages.

36 Making the grade: Case study A Chicago-area high school found a solution to broaden its internet pipeline and maintain compliance.

SC Magazine™ (ISSN No. 1096-7974) is published monthly, 10 times a year, with combined December/January and July/August issues, by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2015 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazine.com.

Haymarket Media uses only U.S. printing plants and U.S. paper mills in the production of its magazines, journals and digests which have earned Chain of Custody certification from FSC® (Forest Stewardship Council®), SFI (Sustainable Forestry Initiative) and from PEFC (Programme for the Endorsement of Forest Certification Schemes), all of which are third party certified forest sustainability standards.

www.scmagazine.com/linkedin

www.twitter.com/scmagazine

www.facebook.com/SCMag

SurfWatch Labs P47


We see the threats that others might miss. You might have missed the predator lying in wait, but AT&T wouldn’t. That’s because we built and manage a highly secure global network that serves every one of the Fortune 1000. This unparalleled visibility means we’re uniquely placed to help protect your entire enterprise, leaving you free to mobilize your business with confidence.

AT&T Security Services. We see the full picture. att.com/security

© 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.


4 SC • February 2015 • www.scmagazine.com

Editorial

It’s going to take savvier preparation

...a major technology trend for 2015: more thorough data analytics...”

Putting aside the continuous debate on attribution of the Sony breach and, now, the discourse on possible regulatory and legislative outcomes quickly glomming onto the massive media attention this incident garnered, I think it’s important to look at a few other practical takeaways from this headline-grabbing attack.

I’m not at all minimizing the importance of keeping a close watch on federal government and congressional leaders’ use of the Sony hack to push whatever specific agendas they may have – such as resurrecting a range of measures that could give government bodies the legal means to access private data about individuals without search warrants; exempt them from citizen-protecting oversight measures, like Freedom of Information Act requests; arm them with the ability to furnish any entity that shares desirable data with them immunity from prosecution; and more. Indeed, the political, philosophical, privacy-right, U.S./nation state-relation and other potential ramifications of this breach must be monitored closely.

Putting all these concerns aside, though, a key realization for cybersecurity pros and their executive leaders alike should be to acknowledge the need for a well-practiced crisis management plan and an examination and investment in security analytics/threat intelligence gathering solutions and procedures. As we highlight in this edition’s cover story and our Emerging Products reviews, these areas are vital to helping organizations deal with the intensifying threat landscape that hallmarked last year and will continue to be the major characteristic of this one.

It’s because of this fact that analyst firms like Gartner call out as a major technology trend for 2015 more thorough, well-planned data analytics and security initiatives that give organizations’ CISOs and their teams actionable security intelligence to battle known and unknown threats. This data, in turn, not only might help prevent attacks, but also aid them in mitigating the impacts of a breach when it does happen. Reducing the time it takes to detect a network infiltration should help security teams reduce the damage it may cause and more handily implement and adhere to that crisis/business continuity management plan we discuss in our feature pages.

The complexities of cyber-attacks likely will grow, impacting companies, private citizens, government agencies and the U.S.’s relations with other nations in ways we’ve yet to imagine. The imaginable, meantime, reveals that there are areas for most companies to improve upon, lessons to be had from the many organizations victimized so far, and steps and supporting technologies to implement that will enable all the preparations needed to best manage and endure the calamity of the now inescapable breach.

Illena Armstrong is VP, editorial of SC Magazine.

What you don’t know WILL hurt you

It’s time to better educate yourself on all the latest in cybersecurity. Visit our Whitepaper Library and learn more about what you WILL need to know.

whitepapers.scmagazineus.com


EDITORIAL

VP, EDITORIAL Illena Armstrong [email protected]

ASSOCIATE EDITOR Teri Robinson [email protected]

MANAGING EDITOR Greg Masters [email protected]

ONLINE EDITOR Marcos Colón [email protected]

SENIOR REPORTER Danielle Walker [email protected]

REPORTER Adam Greenberg [email protected]

EDITORIAL ASSISTANT Ashley Carman (646) 638-6183 [email protected]

SC LAB

TECHNOLOGY EDITOR Peter Stephenson [email protected]

SC LAB MANAGER John Aitken [email protected]

LEAD REVIEWER Jim Hanlon [email protected]

PROGRAM MANAGER Judy Traub [email protected]

REGULAR CONTRIBUTORS James Hale, Karen Epper Hoffman, Stephen Lawton, Jim Romeo

DESIGN AND PRODUCTION

ART DIRECTOR Michael Strong [email protected]

PRODUCTION MANAGER Krassi Varbanov [email protected]

SC EVENTS

PROGRAM DIRECTOR, SC CONGRESS Eric Green [email protected]

EVENTS DIRECTOR Adele Durham [email protected]

EVENTS MANAGER Maggie Keller [email protected]

ASSOCIATE MANAGER, VIRTUAL EVENTS Jourdan Davis [email protected]

U.S. SALES

VP, SALES David Steifman (646) 638-6008 [email protected]

EAST COAST SALES DIRECTOR Mike Shemesh (646) 638-6016 [email protected]

WEST COAST SALES DIRECTOR Matthew Allington (415) 346-6460 [email protected]

EVENT SALES DIRECTOR Mike Alessie (646) 638-6002 [email protected]

ACCOUNT EXECUTIVE Ife Banner (646) 638-6021 [email protected]

ACCOUNT EXECUTIVE Gabby Brown 646-638-6101 [email protected]

ACCOUNT EXECUTIVE Jessica Andreozzi 646-638-6174 [email protected]

SALES ASSISTANT Kelli Trapnell 646-638-6104 [email protected]

MARKETING DIRECTOR Karen Koza [email protected]

MARKETING MANAGER Rochelle Turner [email protected]

LEAD GENERATION CAMPAIGN MANAGER Jennifer Brous [email protected]

SC MAGAZINE LIST RENTAL

REACH MARKETING VP, MARKETING SOLUTIONS Wayne Nagrowski (845) 201-5318 [email protected]

CIRCULATION

AUDIENCE DEVELOPMENT MANAGER Richard Scalise (646) 638-6190 [email protected]

SENIOR MARKETING MANAGER Edelyn Sellitto (646) 638-6107 [email protected]

SUBSCRIPTION INQUIRIES

CUSTOMER SERVICE: (800) 558-1703 EMAIL: [email protected] WEB: www.scmagazine.com/subscribe

MANAGEMENT

CEO, HAYMARKET MEDIA Lee Maniscalco

COO John Crewe

WHO’S WHO AT SC MAGAZINE

SC MAGAZINE EDITORIAL ADVISORY BOARD 2015

Rich Baich, chief information security officer, Wells Fargo & Co.; Greg Bell, global information protection and security lead partner, KPMG; Christopher Burgess, CEO/president, Prevendra; Jaime Chanaga, managing director, CSO Board Consulting; Rufus Connell, research director, information technology, Frost & Sullivan; Dave Cullinane, CEO, Security Starfish, former chief information security officer, eBay; Mary Ann Davidson, chief security officer, Oracle; Dennis Devlin, chief information security officer, chief privacy officer and senior vice president of privacy practice, SAVANTURE; Gerhard Eschelbeck, chief technology officer and senior vice president, Sophos; Gene Fredriksen, global information security officer, PSCU

Maurice Hampton, director, field operations, Qualys; Paul Kurtz, partner and chief operating officer, Good Harbor Consulting; Kris Lovejoy, general manager, IBM Security Services; Tim Mather, chief security officer, Apigee; Stephen Northcutt, director, The SANS Institute; Randy Sanovic, owner, RNS Consulting, former general director, information security, General Motors*; Howard Schmidt, partner, Ridge-Schmidt Cyber; Ariel Silverstone, chief security officer adviser, GNN, former chief information security officer, Expedia; Justin Somaini, chief trust officer, Box, former chief information security officer, Yahoo; Craig Spiezle, executive director and president, Online Trust Alliance, former director, online safety technologies, Microsoft; Amit Yoran, senior vice president, RSA, the security division of EMC

* emeritus

SC CONGRESS 24/7

SC Magazine has created a free virtual environment that is open year-round. Each month we host online events focused on subjects that you – as an IT security professional – face on a regular basis.

FEB. 12: SIEM
Deploying and managing security information and event management systems can tax the brain and budget. However, if done right, these solutions can be a huge benefit to the overall security stance of an organization, providing insight into what’s happening on the entire network and enabling security teams to focus on the most pressing priorities. We explore the many challenges organizations face when deploying SIEM and offer remedies that can optimize their use.

UPCOMING
WEB APPLICATION SECURITY: We talk to experts about the trials of safeguarding web apps, finding out practical steps for protecting this entrée into business networks.
PCI COMPLIANCE: The implementation of chip-and-PIN technologies should alleviate some threats presented by magnetic-strip technologies, but will it be enough to prevent further data breaches?

FOR MORE INFO
For information on SCWC 24/7 events, please contact Jourdan Davis: [email protected].

For sponsorship opportunities, email Mike Alessie at [email protected] or phone him at (646) 638-6002. Or visit scmagazine.com/sc-congress-247-whats-new/section/1223/.


You’re invited! 2015 SC Awards

Tuesday, April 21, 2015

InterContinental San Francisco

Visit awards.scmagazine.com

to view the finalists and book tickets.


Threat Report

Cybercriminal activity across the globe, plus a roundup of security-related news

China top producer of zombie IP addresses
For the period reported, the EMEA region (Europe, Middle East, Africa) was the leading source of all zombie IP addresses. Of the countries making up the EMEA, Russia was the top-producing country. For the other regions the top producers were Argentina in South America, the U.S. in North America and China in the Asia-Pacific region. Source: Symantec

SOUTH KOREA – Researchers with Trend Micro identified a wave of banking trojans targeting several banks in South Korea that use Pinterest as their command-and-control channel. Users in South Korea were observed becoming infected by visiting compromised websites leading to exploit kits.

ONTARIO, CANADA – It seemed that Ontario government websites were hacked, but in actuality the third-party domain routing service that routes traffic to the government’s site was compromised. No personal information or any government data was compromised.

DataBank

MASSACHUSETTS – TD Bank agreed to pay a $625,000 settlement in the aftermath of a March 2012 data breach that occurred when two unencrypted backup tapes went missing during a courier run between its offices in Haverhill and Springfield, Mass. The breach impacted more than a quarter of a million consumers across the country, including more than 90,000 in Massachusetts.

MEXICO – Government and academic websites in Mexico were taken down or defaced, or were redirecting visitors to another webpage. The attacks were reportedly carried out by members of Anonymous protesting how the government handled the abduction of 43 students.

ST. LOUIS – St. Louis Parking Company announced that customer credit and debit card information was compromised. Customers who used its public parking lot at Union Station between Oct. 6 and Oct. 31 may have been impacted. The affected server was identified and isolated to avoid any additional data from being compromised.

AUSTRALIA – New ransomware with the name ‘CryptoLocker’ – with a low detection rate on VirusTotal – is being delivered via emails that purport to come from the State Debt and Recovery Office in Australia. The email claims that the recipient was caught driving in excess of the speed limit and must pay a fine.


RUSSIA – Group-IB and Fox-IT jointly released a report on Anunak, a group of hackers targeting banks and ATMs, payment providers, retailers and news, media and PR companies. The average theft in Russia and Commonwealth of Independent States (CIS) for Anunak is $2 million per incident.

IRAN – Security company Cylance identified a hacker group out of Iran that has been steadily amassing information from infrastructure-related companies, possibly in preparation for an attack. The group is believed to have infiltrated more than 50 organizations in 15 industries in 16 countries.

[Map legend: HIGH-LEVEL ACTIVITIES / MEDIUM-LEVEL ACTIVITIES / LOW-LEVEL ACTIVITIES]
Colored dots on the map show levels of spam delivered via compromised computers (spam zombies). Activity is based on the frequency with which spam messaging corresponding with IP addresses is received by Symantec’s network of two million probes with a statistical reach of more than 300 million mailboxes worldwide.

DataBank

Threat Stats
Upatre Downloader trojan was the leading attack used by U.S. hackers


Top 5 attacks used by U.S. hackers
1. Upatre Downloader trojan
2. Rerdom trojan
3. ZeroAccess trojan
4. Asprox/Danmec trojan (trojan goes by both names)
5. Allaple.A worm

Top 5 attacks used by foreign hackers
1. ZeroAccess trojan
2. Butterfly bot
3. Rerdom trojan
4. Allaple.A worm
5. Bugat/Cridex/Feodo trojan (goes by all three names)

There were 8,311,693 attacks in the United States last month, primarily originating from New York; Atlanta; Ashburn, Va.; Dallas; and Redmond, Wash. There were 22,577,795 foreign attacks last month, primarily originating from Amsterdam; Tokyo; Moscow; London; and Sao Paulo. Source: Dell SecureWorks

SMS spam: volume by month for each region
Asia Pacific: 4.2B
Europe: 2.9B
Africa & Middle East: 1.4B
South America: 892.9M
North America: 852.2M

Top countries by attack volume
United States: 74%
UK: 9%
Canada: 4%
South Africa: 3%
The U.S. accounted for nearly 75% of attack volume in November 2014, followed by the U.K., Canada and South Africa. Source: Cloudmark

Zombie IPs: global distribution
Zombie IP addresses are recorded in CYREN’s database as having sent spam in the past 24 hours. These are infected computers (zombies) that are unknowingly sending spam. Based on the IP address, the company can determine the country of the spam zombie and then sums up the spam zombies per country. Source: CYREN (formerly Commtouch Software Online Labs)
[Chart: November and December values for India, Iran, Vietnam, China, Russia, Taiwan and Argentina. The percentages as extracted from the scan, in no recoverable order: 10.1%, 6.4%, 10.7%, 7.2%, 3.7%, 3.3%, 8.0%, 8.1%, 7.5%, 10.6%, 12.3%, 12.6%, 3.8%, 3.9%.]

Internet dangers: top 10 threats
Name              Movement  First observed  Type              Last month  Months on list
1. RAMNIT.I       up        12/03/10        virus             10          5
2. OGIMANT.GEN!C  same      09/17/14        downloader        2           2
3. ELKERN.B       up        05/16/12        virus             6           12
4. PICSYS.C       up        01/08/11        worm              1           14
5. TUGSPAY.A      up        07/07/14        downloader        5           7
6. LMIR.AAV       up        02/14/11        password stealer  0           0
7. SOLTERN.L      –         01/08/11        worm              12          1
8. RAMNIT.J       up        12/07/10        virus             0           0
9. GUPBOOT.B      up        01/31/13        bot               1           17
10. LORING        up        02/06/11        downloader        9           19
Source: Motive Security Labs (formerly Alcatel-Lucent Kindsight Security Labs)

[Chart: Source: RSA Monthly Fraud Report. Values not recoverable from the scan.]

Top breaches in December: data loss
TOTAL number of records containing sensitive personal information involved in breaches in the U.S. since January 2005: 932,729,111 (as of Jan. 15)

Name: Sony PlayStation, Microsoft Xbox networks
Type of breach: A group calling itself “LizardSquad” hacked both gaming networks on Christmas Day. According to Krebs on Security, the attack prevented millions of users from playing the past holiday season.
Number of records: Millions

Name: Highlands-Cashier Hospital, Highlands, N.C.
Type of breach: Highlands-Cashier hospital in North Carolina informed patients of a data breach to its servers that contained patient data. The disclosure of the data was due to an error by one of their third-party vendors, TruBridge, a subsidiary of Computer Programs and Systems, when they were contracted to complete some specialized computer services.
Number of records: 55,000

Name: WellCare Health Plans, Monroe County, N.Y.
Type of breach: Residents were notified by WellCare Health that some of their personal information was exposed when their Medicare records were “mishandled” by a sub-contractor for the insurer.
Number of records: 47

Source: Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org, hosted by the Open Security Foundation)

Index of cyber security: perceived risk
[Chart: monthly index value, 01/14 through 12/14, plotted against rate of change (continuously compounded); tick values not recoverable from the scan.]
The index queries information security industry professionals monthly to gauge their perceived risk to the corporate, industrial and governmental information infrastructure from a spectrum of cyber security threats. A higher index value indicates a perception of increasing risk, while a lower index value indicates the opposite. Source: ICS, www.cybersecurityindex.com

Monthly evolution of mobile malware
11/11/14: 896,589
11/18/14: 906,268
11/25/14: 916,577
12/2/14: 924,629
12/9/14: 936,675
12/16/14: 949,528
12/23/14: 971,416
November average of daily Android samples: 1,328
December average of daily Android samples: 1,335
Source: Fortinet

NEWS BRIEFS

» The Canadian government has introduced Bill C-51, an ‘anti-terror’ bill that will broaden the surveillance powers of government agencies.

The law, which is the largest revision of Canada’s security laws since it responded to the 9/11 attacks, revises several other pieces of legislation, including the CSIS Act that governs the country’s national intelligence service. Among the measures introduced are the right to force ISPs to remove information deemed to be promoting terrorism. The bill also enacts two new laws: the Security of Canada Information Sharing Act and the Secure Air Travel Act.

The former empowers Canada’s government institutions to share information on Canadians. These agencies range from the domestic CSIS intelligence agency and the Communications Security Establishment (CSE) foreign-focused spy agency, through to the RCMP, the Canadian Border Services Agency and the Department of Foreign Affairs.

Canada’s Privacy Commissioner Daniel Therrien responded negatively to the bill’s information-sharing provisions. “It is not clear that this would be a proportional measure that respects the privacy rights of Canadians,” he said. Therrien added that the privacy problems created by the information sharing measures could be exacerbated by gaps in the national security oversight regime. “Three national security agencies in Canada are subject to dedicated independent oversight of all of their activities,” he said in a statement. “However, most of the organizations that would receive and use more personal information under the legislation introduced today are not.”

» One of Canada’s intelligence agencies has been secretly monitoring file downloads across the world for years, it was revealed last month. The Communications Security Establishment (CSE) has been analyzing metadata on 10-15 million downloads from file-sharing sites each day.

The top secret initiative, called LEVITATION, targets 102 file-sharing sites, in a bid to discover people linking documents to terrorist activity. Of the downloads discovered, it finds about 350 “interesting” downloads each month from around 2,200 URLs, said the report.

CSE analysts would gather information including the downloader’s IP address and the browser and operating system that they were using. They would also correlate other data with the IP address to gain social media IDs. It would result in an ordered list of suspects that would then be delivered to a third party.

Successes from the project included determining an Al-Qaeda group’s hostage strategy, said a leaked PowerPoint presentation, in addition to finding a hostage video from a previously unknown target.

Details of the campaign came from The Intercept, an online publication designed as a platform to leak information from the Edward Snowden documents, edited by journalist Glenn Greenwald, one of his original contacts.

THE QUOTE
“...the breach at Sony may have been led by former Sony employee(s)...” – Eric Chiu, president and cofounder, HyTrust

Under attack
Canada’s companies are ill-prepared to meet modern cyber-security challenges, according to a survey by the Ponemon Institute. Only one in four believe that they are winning the cybersecurity war, said the survey of 623 IT and security practitioners commissioned by IT services firm Scalar Decisions. Almost half of all respondents experienced an attack in the last year that exposed sensitive information.

A third of security professionals polled believed that a loss of intellectual property had caused a lack of competitive advantage.

Debate » Mobile malware is a real threat to mobile security.

FOR
Aaron Cockerill, VP of enterprise product, Lookout

Mobile devices are spreading at phenomenal rates, with more than 90 percent of people using a mobile phone and 2.3 billion accessing the web from mobile devices. However, they are very attractive targets for criminals – mobile malware grew 20 percent last year.

Mobile devices are the weakest point in the enterprise IT ecosystem, providing a means for app-, device- and network-based attacks. In fact, mobile devices are the least secured aspects of cloud-based APIs. Because the flood of smartphones and tablets employees are bringing to work are typically personal, IT does not get to manage them. Employees use the devices to access confidential documents one minute and untrustworthy social apps the next. Mobile devices are tied to the individual, making spear phishing and other targeted malware attacks particularly frightening: If attackers want to get data from a company’s Salesforce.com account, their easiest avenue of attack is to target the phone of the head of sales. Mobile is becoming the dominant platform for access to cloud-based computing and it requires specific protection that traditional security solutions simply don’t address.

AGAINST
Chris Wysopal, co-founder, CTO and CISO, Veracode

Enterprises continue to produce more web applications in order to drive their businesses. Yet their inability to scale current application security programs means only business-critical applications are audited for security. This leaves a significant number of web applications vulnerable, creating long-term security threats as cybercriminals attack the path of least resistance into an IT infrastructure, without regard to whether the application is business critical or a little-used website. While mobile devices can leak data, they don’t put bulk data and infrastructure at risk. Because of this, mobile isn’t the biggest threat to enterprise security – web applications are.

Research shows that in 2015 enterprises will leave up to 70 percent of internally developed web and mobile applications unaudited for common vulnerabilities such as SQL injection. While enterprises will produce both mobile and web applications, it is unchecked or forgotten web applications that provide a breach path to sensitive data like corporate IP or customer information. Security testing of all web applications should be the number one security priority.

THREAT OF THE MONTH

Compromise, Exfil, Wipe, Repeat

What is it?
The recent Sony breach has shown us a new potential future for attacks on computer networks: an organization is compromised, massive amounts of data are exfiltrated and, finally, its systems are disabled.

How does it work?
What is different is what attackers do once they get a foothold in your environment. For example, the goal becomes obtaining Domain Admin credentials in a Windows environment for complete compromise, rather than just hunting out the SQL server that stores sensitive data.

Should I be worried?
You should be worried in the sense that most existing compromises related to cybercrime already result in a level of access at which such exfiltrate-and-wipe scenarios could also have happened.

How can I prevent it?
Once attackers break in you must raise the bar to detect them earlier on, rather than make their job easier by storing password after password in plaintext readable files.

— Marc Maiffret, chief technology officer, BeyondTrust

Update

2 minutes on... Tidal waves of spoofed traffic P14

Me and my job: Reviewing the efforts of security engineers P15

Skills in demand: Information security analyst in healthcare P15

THE SC MAGAZINE POLL

Is it the media’s duty to inform the public of the contents of documents leaked by hackers?
Yes 38%
No 62%

To take our latest weekly poll, visit www.scmagazine.com

THE STATS

Dec. 14: Sony litigator David Boies demands media delete stolen information provided by hackers Guardians of Peace.

Dec. 22: Thousands of emails are stolen from Sony Pictures CEO Michael Lynton and released by Guardians of Peace.

» Rick Wescott has joined Redwood City, Calif.-based ThreatStream, a SaaS-based cybersecurity threat intelligence platform, as vice president of worldwide sales. W. Todd Helfrich also has joined the company as director of federal sales. Wescott will be responsible for making sure the sales organization meets its goals and also for sales enablement, sales forecasting and strengthening the sales purchasing process. Helfrich will build the federal business and help identify and close new federal opportunities. Both men have extensive experience in the security field, with Wescott most recently working at ArcSight and Helfrich most recently working at HP on the Department of Homeland Security account.

» Rapid7, a Boston-based security analytics software and services provider, has secured $30 million in additional funding from its investors, Bain Capital and Technology Crossover Ventures. The investment will help Rapid7 maximize on growth opportunities and build better enterprise security programs. The company will also continue to work on its core threat exposure management portfolio.

» SiteLock, a Scottsdale, Ariz.-based provider of website security and PCI compliance, has partnered with GlobalSign, the security division of GMO Internet Group. GlobalSign, an identity services provider, will bundle SiteLock’s website security products with solutions for customers who purchase specific SSL certificates in certain markets, including Latin America.

» Arbor Networks has appointed Sam Curry as its new CTO and CSO. A well-regarded industry technologist holding 12 patents, with 12 more pending, Curry comes to Arbor from MicroStrategy and RSA. He will lead Arbor’s product strategy and innovation roadmap.

» Brandon Hoffman has joined Somerset, N.J.-based Lumeta, a network situational awareness platform provider, as CTO. Hoffman will focus on business development and strategic relationships with technology integration partners, consulting/advisory firms, cloud service providers, managed security providers and federal systems integrators and channel partners. He will report to CEO Pat Donnellan. Previous to joining Lumeta, Hoffman worked as the federal CTO at RedSeal, where he helped define solutions and strategies to serve top government priorities.

» iSIGHT Partners, a Dallas-based provider of cyberthreat intelligence for global enterprises, has closed a $30 million Series C equity-financing round with Bessemer Venture Partners, which has helped finance eight other cybersecurity firms. The investment will allow iSIGHT to expand its advanced threat intelligence to fight against cyberattacks. The funding also will aid in developing new integration partnerships and build up the company’s sales and marketing engine.

While massive retail breaches dominated headlines in 2014,

with hacks involving state-sponsored threats coming in a strong second, distributed denial-of-service (DDoS) attacks continued to increase, both in the volume of mali-cious traffic generated and the size of the organizations falling victim.

Recently, both the Sony PlayStation and Xbox Live gaming networks were taken down by Lizard Squad, a hacking group which is add-ing to the threat landscape by offering for sale a DDoS tool to launch attacks.

The Sony and Xbox take-downs proved that no mat-ter how large the entity and network, they can be knocked

offline. Even organizations with the proper resources in place to combat these attacks can fall victim. But looking ahead, how large could these attacks become?

According to the “Verisign Distributed Denial of Service Trends Report,” covering the third quarter of 2014, the media and entertainment industries were the most tar-geted during the quarter, and the average attack size was 40 percent larger than those in Q2.

A majority of these insidious attacks target the application layer, something the industry should be prepared to see more of in 2015, says Mat-thew Prince, CEO of Cloud-Flare, a website performance firm that battled a massive

DDoS attack on Spamhaus early last year.

Of all the types of DDoS attacks, there’s only one Price describes as the “nastiest.” And, according to the “DNS Security Survey,” commis-sioned by security firm Cloud-mark, more than 75 percent of companies in the U.S. and U.K. experienced at least one DNS attack. Which specific attack leads that category?

You guessed it. “What is by

far the most evil of the attacks we’ve seen…[are] the rise of massive-scale DNS reflection attacks,” Prince said.

By using a DNS infrastruc-ture to attack someone else, these cyber assaults put pres-sure on DNS resolver net-works, which many websites depend on when it comes to their upstream internet ser-vice providers (ISP).

Believing these attacks are assaults on their own network, many ISPs block sites in order to protect them-selves, thus achieving the attacker’s goal, Prince said. By doing so “we effectively balkanize the internet.”

As a result, more and more of the resolvers themselves will be provided by large organizations, like Google, OpenDNS or others, says Prince.

That in itself could lead to an entirely different issue: Consolidating the internet.

– Marcos Colón

Update

2 MINUTES ON...

50% of all DDoS attacks targeted media and entertainment

Source: Verisign

Briefs Company news

Rick Wescott, vice president of worldwide sales, ThreatStream

Sam Curry, CTO and CSO, Arbor Networks

Tidal waves of spoofed traffic

JOBS MARKET

Me and my job

Kristi Carrier, quality auditor, Nuspire Networks

How do you describe your job to average people?
I’m a quality auditor at Nuspire Networks, a managed security service provider. In my role, I’m responsible for reviewing the performance of our security engineers to ensure network security events are being diagnosed and acted upon in a timely manner that supports best practice and adheres to established guidelines.

What was one of your biggest challenges?
Overcoming the general lack of education and concern regarding the need for network security. The aftermath of a security breach isn’t pretty and it’s paramount for organizations to not only understand network and security vulnerabilities, but also implement the necessary safeguards to mitigate such risks.

What keeps you up at night?
Knowing the threat landscape is radically progressing and attacks are becoming increasingly difficult to predict and anticipate.

Why did you get into IT security?
It’s a space where you must stay one step ahead of offenders who are constantly employing more sophisticated threats – meaning there’s always a new problem to solve. While challenging, I immensely enjoy developing solutions to address evolving threats. Not to mention, it’s very rewarding to be involved in the creation of an effective security solution.

What makes you most proud?
I’m most proud to work in a field that enables others to securely utilize the many advantages offered by technology.

How would you use a magic IT security wand?
I’d use it to enlighten others of the need for implementation of effective network security safeguards. Specifically, pairing security information and event management (SIEM) with an effective security operations center (SOC) can be the most effective line of defense for network security.

Skills in demand

An information security analyst in a healthcare environment is responsible for vulnerability assessments, developing and managing information systems security – including disaster recovery, network protection and identity access management.

What it takes
In-depth experience with healthcare systems and a strong knowledge of HIPAA regulations and overall IT system security, including infrastructure, software, apps, audit and compliance. It is also critical to communicate well with the highest levels.

Compensation
Base compensation will range from $90K-$120K, often with additional incentives.

– Domini Clark, principal, executive and technical recruitment, Blackmere


Opinion

Jonathan Lewis, director, product marketing, SSH Communications Security

Rich Boyer, senior information security architect, NTT Com Security

Information privacy & Big Data

Big Data is arguably one of the killer apps to emerge over the past decade. The technology originated from a technique developed by Google called MapReduce, which uses parallel processing to generate analytics from massive amounts of data. An open source version of MapReduce, called Hadoop, has effectively “democratized” the availability of Big Data. With this easy-to-use platform, enterprises are finding new ways to solve problems and extract value from data.

However, Big Data analytics often involve access to data that should be protected, such as medical records, tax information and personally identifiable information (PII). Security and compliance professionals need to ensure Big Data deployments do not violate access control policies with respect to this information.

Within a Hadoop infrastructure there are several levels of authorization, including access to the Hadoop cluster, inter-cluster communications and access to the data sources. Many of these authorizations are based on Secure Shell (SSH) because the authentication protocol is considered secure and has good support for automated machine-to-machine (M2M) communication. The access control issues are straightforward:

First, who sets up the authorizations to run Big Data analytics? Next, we need to ask how those authorizations and credentials are managed and what happens when there are personnel changes? As well, we must determine whether authorizations are based on “need to know” security principles.

To protect sensitive information accessed by Big Data analytics, the following best practices are recommended:

• Discover: Take an inventory of the authorizations and identities within the Big Data environment.

• Monitor: Track the use of those identities. Find out which identities are not needed and can be removed.

• Manage: Establish centralized control over identity management in the Big Data environment.

Big Data has opened up new access to business-critical data. Organizations need to keep pace with resulting security concerns and bring Big Data under a sound identity and access management umbrella.
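The Discover, Monitor and Manage steps above, carried out for the SSH key authorizations on a single cluster node, as an added example (not the column author's or SSH Communications Security's code). The host name, account, authorized_keys entries and sshd log lines are all constructed for the demonstration; the fingerprint computation follows the OpenSSH SHA256 format so the constructed log lines line up with the inventory.

```python
import base64
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# Key-type token, base64 blob, optional comment; anything before the type is options.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$")
# OpenSSH "Accepted publickey" log line; the last token is the key's fingerprint.
ACCEPT_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from \S+ port \d+ ssh2: \S+ (?P<fp>SHA256:[A-Za-z0-9+/]+)")


@dataclass(frozen=True)
class KeyAuth:
    host: str          # cluster node holding the authorized_keys file
    user: str          # local account the key logs in as
    key_type: str
    fingerprint: str   # SHA256 fingerprint, in the form sshd logs it
    comment: str       # trailing comment, often the only hint of the identity
    restricted: bool   # True when from=/command= options limit the key


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(raw key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(host: str, user: str, text: str) -> list:
    """Discover: one KeyAuth per usable line of an authorized_keys file."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue
        options = line[:m.start()].strip()   # e.g. from="...",command="..."
        found.append(KeyAuth(host, user, m.group(1), fingerprint(m.group(2)),
                             (m.group(3) or "").strip(), bool(options)))
    return found


def count_logins(log_lines) -> Counter:
    """Monitor: successful public-key logins per (host, user, fingerprint)."""
    uses = Counter()
    for line in log_lines:
        m = ACCEPT_RE.match(line)
        if m:
            uses[(m["host"], m["user"], m["fp"])] += 1
    return uses


def review(auths, uses) -> dict:
    """Manage: split authorizations into used and never-used (removal candidates)."""
    report = {"active": [], "unused": []}
    for a in auths:
        n = uses.get((a.host, a.user, a.fingerprint), 0)
        report["active" if n else "unused"].append((a, n))
    return report


def fake_ed25519(seed: bytes) -> str:
    """Constructed public-key blob in ssh-ed25519 wire format (not a real key pair)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()


KEY_ETL, KEY_OLD, KEY_OPS = (fake_ed25519(s) for s in (b"etl", b"old", b"ops"))

# Constructed authorized_keys file of the 'hdfs' account on one data node.
AUTHORIZED_KEYS = f"""
# managed by the cluster deploy job
from="10.0.1.0/24",command="/opt/etl/run.sh" ssh-ed25519 {KEY_ETL} etl-pipeline
ssh-ed25519 {KEY_OLD} j.doe@laptop
ssh-ed25519 {KEY_OPS} ops-team
"""

# Constructed sshd log lines; the fingerprints are derived from the blobs above.
AUTH_LOG = [
    f"Jan 12 03:14:07 hadoop-dn01 sshd[2231]: Accepted publickey for hdfs from 10.0.1.5 "
    f"port 51234 ssh2: ED25519 {fingerprint(KEY_ETL)}",
    f"Jan 12 03:14:09 hadoop-dn01 sshd[2240]: Accepted publickey for hdfs from 10.0.1.5 "
    f"port 51240 ssh2: ED25519 {fingerprint(KEY_ETL)}",
    f"Jan 13 09:02:41 hadoop-dn01 sshd[4018]: Accepted publickey for hdfs from 10.0.9.8 "
    f"port 40112 ssh2: ED25519 {fingerprint(KEY_OPS)}",
    "Jan 13 09:05:00 hadoop-dn01 sshd[4022]: Failed password for root from 198.51.100.7 port 2222 ssh2",
]


def run_review() -> dict:
    """Run all three steps over the constructed node; unused keys are removal candidates."""
    auths = parse_authorized_keys("hadoop-dn01", "hdfs", AUTHORIZED_KEYS)
    return review(auths, count_logins(AUTH_LOG))
```

Over a real cluster the same three functions are run per node against each account's authorized_keys file and the node's sshd log; keys that never appear in an "Accepted publickey" line, and keys lacking from=/command= restrictions, are the entries to review first.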

Are mobile apps risky business?

While the enterprise software market is predicted to grow to $4.5 billion by 2016, the increasing prevalence of mobile applications is exposing new security holes for businesses. Having an app for everything brings many benefits, but also entices hackers to target apps as gateways to valuable data. Businesses must meet the associated security challenges head-on with structured approaches.

Both mobile and enterprise technology are exciting, well-funded IT sectors. But it’s where mobile and enterprise meet that we find the most profitable sector of all: mobile apps.

The rise of mobile has fuelled the trend towards BYOD (bring-your-own-device) as well as in-house developed applications. Apps help enterprises build identity and engage customers, as well as increase efficiency. But just as the web brought new IT security challenges, applications present fresh risks to business.

Collaborative app development poses threats to unencrypted code which could unlock login details of cloud services – and ultimately corporate networks. Development risks must be managed in the context of commercial objectives, but businesses must stay one step ahead of hackers.

Over a defined lifecycle, businesses must: review corporate architecture to address all vulnerabilities; understand compliance requirements and ensure security is built in from the very start; use best practices and tested secure modules wherever possible; test and test again in line with emerging threats; and perform configuration management to maintain consistent application performance.

It’s inevitable that hackers will target intellectual property stored during app development. By addressing these complex risks, businesses will create secure applications with confidence. As a result, they’ll benefit from innovative ways to interact, without worries over unlocked back doors.


From the CSO’s desk

Breach response: Are you prepared?

ViJay Viswanathan, CISO, HD Supply

It’s not a question of if but rather when a breach will occur. The number of U.S. data breaches tracked in 2014 reached a record high of 783, according to a recent report released by the Identity Theft Resource Center. While the larger incidents received a lot of spotlight, the fact remains that exposure of a single record still constitutes a data breach. With a 27.5 percent increase in incidents since the year previous, it’s imperative for organizations of any size to develop a functional breach response plan (BRP).

The best place to start: Your existing incident response plan. How do you manage and address a malware infection or how do you address unauthorized or elevated role privileges? Streamline your incident plan with clear IT security operational definitions, develop a detailed inventory of every asset within your network and establish network entry and exit points. All these should ideally exist, but you also want to look at it from a different viewpoint: Indicators of compromise (IOC). As a start, establish IOCs for high value targets (HVT) and build your inventory and focus on keeping it up to date.

Before you can actually draft your plan, you need to consider a breach response team. Develop a discussion platform to specifically talk about breach management with key constituents within the organization – legal, information security, IT, risk management, privacy and compliance and other relevant stakeholders.

One of the key aspects of the BRP is to identify an external legal counsel who will partner with you effectively during an active incident. Consider a legal counsel with experience as breach coach with strong exposure to handling different types of security incidents and who can engage collaboratively with state attorneys general and federal regulators.

Next, engage a forensics firm that not only has specific experience but also the necessary scale and operational dimension to support parameters of your organization. Most importantly, establish a retainer and leverage the retainer for a possible annual BRP exercise.

A strong crisis management team will be a crucial differentiator during an active incident. This team would ideally include your internal and external communications team along with other stakeholders from the breach response team. Timely, precise and appropriate communication could alter the perception of a breach incident in any direction.

Finally, cyber insurance coverage may be appropriate for your organization and will also provide additional benefits, such as pen tests and access to a breach coach based on your vendor and coverage. The only right thing about a breach is the fact that you are prepared for it. Practicing these exercises makes it perfect.

30 seconds on...

»Breach plan
The first step in creating a breach management strategy is to organize a breach management team before developing a plan, says ViJay Viswanathan.

»Hire the right help
The next step is to identify an external counsel and a breach coach, says Viswanathan. Following that, retain a forensic firm that can scale as needed, he says.

»Get functioning
As well, establish a time-boxed approach to create a functional breach response plan that can be exercised similar to a disaster recovery or business continuity plan, he says.


»The CISO runs with it
Structure your crisis management team, he advises. And, he says that the company’s CISO should drive breach management exercises to optimize the plan regularly.

Letters

From the online mailbag

In response to a Nov. 24 Opinion: PCI 3.0: The good, the changes and why it’s not ugly, by Greg Rosenberg, security engineer, Trustwave:

The part I don’t understand: Do they [third-party service providers, online retailers and merchants] keep the credit card numbers in clear text to start with? Even some simple encryption would help limit the exposure. Even better, when the card system does the authorization for the repeated use (such as an automatic bill pay), it should be fairly easy to generate a hash that includes both the number of the credit card and the merchant ID and use it for any future transaction. It’s like issuing a one-time credit card that can be used only by this particular merchant.
– Sergey Babkin

In response to a Nov. 14 news story, U.S. spy program targeting Americans’ mobile phones, report says:

Professor Hayes is naïve in his comment: “Ultimately, the FBI and similar agencies have no inclination or even the resources to analyze the general public’s communications and are only interested in finding criminal suspects.” He has left specific groups and people who are not criminals that members of the U.S. government want to target, such as the abuses by the IRS reported over the last couple of years, as well as the more recent revelations that the White House was illegally receiving confidential tax return information from the IRS.
– Dirk Bell

Ok...Tell me something I didn’t know. You would have to be naïve to think that the government is not tracking your cellular data, location and anything else they can glean from the electronic leash that most of us carry. And don’t get me started on the new driver’s license/ID card systems in place since 9/11. Everything about you has been declared “open season,” and your only choices are: a) get rid of everything and fall off the grid; or b) get used to it.
– Philip Scott

In response to a Nov. 20 news story, USPS draws ire of Congress over data breach response:

If Congressman Stephen Lynch [D.-Mass.] is so concerned about the U.S. Postal Service employees, then why doesn’t he get the “postal reform” bill passed? # just saying
– Chuck Roche

In response to the November Debate: Should you pay a cyber ransom?:

Paying $500 is often less costly than losing business and serves as a reminder that security practices need to be kept up to date. Investing in prevention is different than paying for resolving the issue.
– Sergio Galindo

Completely disregarding the option of paying ransom does not take into account that many organizations with ransomware infections are confronted with backups that turn out not to work, and lose weeks, months (or more) of work. Paying $500 to get your files back is a business decision that’s not hard to make in a situation like that. It also serves as a shot across the bow to get your best practices truly applied, which means step your users through effective security awareness training so that future ransomware infections are much less likely.
– Stu Sjouwerman

In response to a Nov. 10 news story, Mobile fraud report notes reliance on OTPs as top concern:

OTPs are generally run on tokens or phones, which are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable two-factor solution requires the use of the most reliable password.

At the root of the password headache is the cognitive phenomenon called “interference of memory,” by which we cannot, on average, firmly remember more than five text passwords. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly known images, as well as conventional texts.
– Hitoshi Anatomi

In response to a Nov. 21 news story, ‘DoubleDirect’ MitM attack affects iOS, Android and OS X users:

“...traffic from Google, Facebook, Twitter, Hotmail, Live.com, and Naver (a Korean internet company) was detected as being redirected using the technique.”

All those domains implement HTTPS, rendering the attack useless.
– Antoun Beyrouthy

In response to a Nov. 7 news story, Slew of black marketplaces, including Silk Road 2.0, go dark in Fed sweep:

I love that [Homeland Security Investigations, an investigative arm of the U.S. Department of Homeland Security] used social engineering to gain access.
– Robert Emmons

The opinions expressed in these letters are not necessarily those of SC Magazine.

Got something to say? Send your comments, praise or criticisms to [email protected]. We reserve the right to edit letters.


Analysis

Usability as a protection feature

Usability as well as security must be factored into the equation, says Signiant CTO Ian Hamilton.

Psychological acceptability may not sound like a term that’ll hold much significance for the future of secure file sharing. But don’t sell it short. The term refers to the concept that a system should be as easy to use in a secure state as in an insecure state – or users will default to the insecure state.

In this era of cloud services, where users have a plethora of ready-to-use SaaS options, the psychological acceptability principle can be extended to say that secure services must be as easy to use as insecure services or users will gravitate to the insecure alternative.

What should IT do about this problem? It can resort to the “big stick” approach of enforcing which tools can and can’t be used. But this is becoming less and less effective as teams are increasingly distributed and empowered by SaaS options. Information security leaders are finding that they have more success substituting “carrots” for sticks to guide users to the right solutions by choosing those that are easy for their constituents to use.

Another corollary of the psychological acceptability principle is that human interfaces for security features must be easy to use so users don’t make mistakes in applying security features. If the user has to map their mental image of their protection goals into a convoluted technical model, they likely will either forgo protection or make mistakes applying it.

File system access control lists (ACLs) are a classic example of exposing a flexible technical model without any abstraction. As a result, users simply don’t use file system ACLs – and if they do, they often don’t apply them correctly. Privacy controls in social media have attempted to address this by translating technical ACLs into plain English options that capture the resource being protected and the access right being given to a trustee.

For example, choosing an option like “my contacts can see my contacts” makes your “list of contacts” (resource) “readable” (access right) to everyone in “your contact list” (trustee), rather than presenting it in some underlying highly flexible but also highly technical ACL model.

Role-based access control approaches attempt to simplify underlying fine-grained access controls through abstraction, but they often don’t address the fundamental problem of mapping the user’s mental image of the protection goals onto available options.

Another related secure design principle is “secure by default.” One approach to making systems more usable is to disable security features in the default configuration. To make the system secure, users must then enable specific security features. Often this allows a vendor to claim that the system is both secure and usable without investing in making security functions intuitive and easy to use.

As the name implies, the “secure by default” design principle states that a system should default to the most secure state possible. That said, the definition is complex and needs to take into account user behavior when interacting with features. When users are forced to create complex passwords on a regular basis for every system they use, they often resort to reusing passwords and writing passwords down. Offering web-based single sign-on using an external identity provider as the default authentication option can be a more effective method of addressing password fatigue issues in infrequently accessed systems.

Carrots work better than sticks. The time has come to fully embrace usability as an important aspect of security. By doing so, we can advance the security agenda and also make users happier and more productive at the same time.

Ian Hamilton is chief technology officer of Signiant, a provider of technology solutions with U.S. headquarters in Burlington, Mass.


Breach response

COOL IN A CRISIS

How you communicate during an attack is as important as your response, says Ron Green, CISO, MasterCard. Larry Jaffee reports.

Ron Green, CISO, MasterCard

OUR EXPERTS: Handling the situation

Daniel Fetterman, partner, Kasowitz Benson Torres & Friedman
Ron Green, executive vice president and CISO, MasterCard
Steven Grimes, partner, Winston & Strawn
Jim Haggerty, CEO, Crisis Response Pro
Tom Kellerman, chief cybersecurity officer, Trend Micro
John Otero, security consultant; former lead, New York City Police Department’s computer crime squad
Eric Warbasse, senior director, financial services, LifeLock

Data on 70 million customers stolen, 76 million accounts affected, 44 lawsuits filed, 1.1 million customers exposed, 7 million business accounts compromised. That’s just some of the alarming damage done by data breaches at Target, Home Depot, Neiman Marcus and JPMorgan Chase in 2014.

And the fallout didn’t stop at those numbers. The year that can be viewed as the one where IT security finally got taken much more seriously by upper management was also characterized by C-suite shake-ups, security department reorganizations, lawsuits, high-level pink slips, disappointing financials and plummeting customer confidence. In other words, data breaches caught the attention of, well, the world – as did the way they were (and were not) handled.

But it was the revelation before Thanksgiving when Sony Pictures was crippled by a breach that derailed the company’s operations for a full week that eclipsed other major hacks, and served as a lesson to Corporate America on how not to handle crisis communications by bungling relations with key stakeholders (e.g., employees, former employees, creative talent, theater owners) and damaging reputation nearly every step of the way (see sidebar, page 23).

“How to communicate publicly is as important or more important in crisis situations,” says Jim Haggerty, CEO of Crisis Response Pro, a web-based entity for crisis and litigation communications whose clients include several financial firms that have had breaches in the past year. “There’s a sense in crisis situations that communications is the icing on the cake, it’s what you do after everything else. My view is communication is the cake.”

Ron Green, MasterCard’s executive vice president and CISO, agrees. “Communications is usually the last thing that you’ve thought of,” he says. “But it’s the first thing the public – your customers, your clients and your investors – are going to see. You have to prepare and engage not just what you’re going to do from the security side; you have to know what you’re going to do from the communications side, and have prepared messaging.”

Typically, an organization’s IT security staff will handle incident response, but the responsibility and effort can’t just lie with that team, Green points out. “Security for a company is not just the security team, it’s the whole company,” he says. When it comes to executing that crisis plan, people must be sure what their role and their position is, and what they should be doing, he adds. “You should always prepare like [a breach is] inevitable.”

Security consultant John Otero, who formerly led the New York City Police Department’s computer crime squad, cites the reverberations felt by top management everywhere following the Target CEO losing his job after mismanaging the retail chain’s breach and the “black eye” the retailer suffered.

In the wake of siphoned employee personally identifiable information (PII) and customer credit card numbers or passwords, companies need to be prepared with credit monitoring or identity protection services, notes Eric Warbasse, senior director, financial services for LifeLock, a Tempe, Ariz.-based provider of identity theft protection.

Further, public statements should not speculate as to the responsible party. Hacked companies with potential regulatory enforcement exposure especially “need to be extremely careful about what they say and ensure what they issue publicly is accurate,” points out attorney Daniel Fetterman, a New York-based partner with Kasowitz Benson Torres & Friedman, a national law firm primarily focusing on complex commercial litigation, and a former federal prosecutor and trial lawyer.

“In the rush to publicly get out a positive, reassuring story to make stakeholders feel better, companies should proceed cautiously and be careful not to get it wrong,” says Fetterman.

The consensus of our experts is that it behooves organizations to have top management, legal, IT security and PR work together on a message that strikes the proper balance.

“You need to reassure the public that you have control of the situation,” says Haggerty at Crisis Response Pro. “Data breaches are becoming so common that they resemble product recalls in the auto industry, whereby a system or structure comes into play for proper notification when something happens.”

Davia Temin, a marketing, media and reputation strategist, crisis manager and CEO of Temin and Company, a boutique management consultancy focused on reputation and crisis management, says technology experts often urge delaying the initial announcement until the security folks have had time to learn more and maybe try to trace the culprit. “But that’s at odds with the public wanting to know the minute that their information may have been compromised,” she says, adding that the public has an expectation to know as soon as possible so they can change passwords, etc. Temin advises clients to communicate that: “We don’t know the total parameters yet, but we know we had a breach. We’re doing everything humanly possible to close it and understand the magnitude of it. And we’ll be in continual contact with you.” In this day of social media and immediacy, if you wait, it looks like you’re stonewalling the truth, she says.

MasterCard’s Green agrees. “If you’re not confident about the information you’re going to present, you shouldn’t present it. Let everyone know you’re aware of it and are working diligently on it,” he says.

As far as the legal ramifications, there’s quite a difference of opinion about whether a breached company must follow law enforcement’s lead on when information can be released to the public.

TROUBLE FOR SONY: New poster child for breach crisis

In a Nov. 25 statement, Sony Pictures Entertainment announced it was investigating “an IT matter.” Since then, the hack has proven that fact can be stranger than fiction – even in Hollywood. That Sony Pictures did not anticipate vulnerabilities after producing a movie – The Interview – antagonistic to a volatile government should cause all organizations to pause and reassess whether they’re prepared for such a worst-case scenario.

Obviously, Sony’s biggest failure was not protecting its intellectual property (including unreleased movies) and personal data (including employee PII and health records), especially in face of a 2011 hack of its PlayStation Network affecting consumer data of 77 million users. As class-action lawsuits pile up, a source familiar with Sony says its insurance would cover losses associated with “incidents like this.”

Only time will tell whether the company will be able to defend itself given the assertion by Mandiant CEO Kevin Mandia, “This was an unparalleled and well-planned crime, carried out by an organized group, for which neither Sony Pictures Entertainment nor other companies could have been fully prepared.”

That Sony was so unprepared is curious considering that Sony Corp. general counsel Nicole Seligman – in charge of the company’s information security – has sat on the advisory board of the Council on CyberSecurity since 2013.

It wasn’t until Dec. 15 that Sony Pictures posted a message on its website for current and former employees and dependents that the company had learned on Dec. 1 that their health PII may have been compromised.

“[Sony] was slow in communicating, and it didn’t reflect an adequate level of compassion for the people who were the victims,” says crisis manager Jonathan Bernstein. “This is Crisis Management 101.”

Bernstein considers Sony to be the biggest example of corporate incompetence in terms of reputation management. “If they were being graded, I’d give them an F in the crisis prevention category. And crisis response was mediocre at best.” – Larry Jaffee

Tom Kellerman, chief cybersecurity officer of Trend Micro, a developer of security solutions, advises breach victims to ask the FBI and Secret Service, based on the stage of their investigation, when to notify the public.

Not all experts agree with that strategy. Jonathan L. Bernstein, president of Bernstein Crisis Management, says waiting for the FBI or Secret Service before saying anything publicly doesn’t make sense. “I’ve worked on a lot of these,” he explains. “The FBI will always make that request, but the FBI is not responsible for protecting the reputation of the organization. The FBI doesn’t particularly care about the reputation of the organization. So the FBI’s request is the same as a lawyer who says, ‘don’t say anything because you’re risking liability.’ You have to look where is the biggest liability: court of law or court of public opinion.”

Attorney Steven Grimes, a partner with the Chicago law firm Winston & Strawn, says it’s a case-by-case determination whether a hacked company will wait to hear from the authorities before telling the public anything. Litigation, he adds, is a very likely outcome.

Hacked companies need to keep in mind various legal ramifications, such as the Federal Trade Commission (FTC) and states’ attorneys general bringing lawsuits, respectively, for their failure to provide adequate security measures and failure to report in a timely fashion in violation of data breach notification laws, Grimes points out.

Ideally, attacked companies are working with a proper crisis response plan. “That doesn’t always happen,” he admits, noting that many companies don’t reach out for outside legal help experienced in this area until later in the game, and that in-house counsel often lacks the required level of coordination.

MasterCard’s Green adds that listening to the authorities makes sense so as not to say anything that’s going to upset or derail their investigation. “When you make your notification, you have to think about what you’re going to provide,” he says.

Temin knows a CEO of a retailer who, after a hack, considered that his biggest mistake was not that he didn’t get better systems or pay attention to vulnerabilities more closely early on. It was that he didn’t come out quickly enough.

CANADA’S INTERNET VOTING PROBLEM

Many municipal officials are elected using the internet, even as some agencies prohibit the practice as insecure, reports Danny Bradbury.

In Canada, over two million voters had the option of voting for their mayors and local councilors via the internet last October. Next October, none of them will be allowed to vote for their MPs that way.

Elections Canada, the organization that oversees the electoral process there, had originally planned for an internet voting trial in a by-election sometime between 2008 and 2013. In 2012, it changed track, citing budget cuts and security issues.

“Current internet voting systems carry with them serious, valid concerns about system security, user authentication, adequate procedural transparency and preserving the secrecy of the vote,” the group said in an April 2013 report exploring new voting models.

There have been no moves toward internet voting at the provincial level, either. “The provincial governments would have to decide to move forward,” says Nicole Goodman, assistant professor of political science in the University of Toronto’s Munk School of Global Affairs.

Goodman predicts that if any provinces move forward with such an initiative, Ontario might be first. Currently, though, Ontario has misgivings. “In short, this is because we have not yet identified a viable method of network voting that meets our criteria and protects the integrity and security of the electoral process,” says Elections Ontario spokesperson Andrew Willis.

Willis lists several issues that would prevent the province from adopting internet voting. Security breaches could jeopardize vote integrity, he says, as could the lack of secure digital authentication mechanisms. The absence of a paper trail is another issue with internet voting, he says, because it means that the vote isn’t transparent.

Barbara Simons is a strong critic of internet voting. A former president of the Association for Computing Machinery, she has spent over a decade exploring the validity of electronic and online voting systems. Co-author of the book Broken Ballots, she also participated in President Clinton’s National Workshop on Internet Voting in 2001, and conducted a security peer review that shut down the U.S. Department of Defense’s own voting system, called SERVE.

Simons agrees with Willis on the paper trail issue. “There’s no way to do a recount,” she said, because there are no paper ballots to reference. “There’s no way to verify that the winners won and the losers lost. There’s no way to check that if I voted for candidate A on my computer, that this is what was sent out over the internet.”

OUR EXPERTS: Internet voting

Nicole Goodman, assistant professor of political science in the University of Toronto’s Munk School of Global Affairs
Tim Kidd, senior director of outreach, policy and communications, Elections Saskatchewan
Kimberley Kitteringham, city clerk, Markham, Ontario
Barbara Simons, former president of the Association for Computing Machinery
Dean Smith, president and founder, Intelivote
Andrew Willis, spokesperson, Elections Ontario

Other provinces are equally concerned about the security of internet voting. “At this time, and with the current state of technological development, there are simply too many vulnerabilities and threats that have been identified to such systems that could compromise the integrity of the electoral system as we know it,” says Tim Kidd, senior director of outreach, policy and communications, Elections Saskatchewan.

The province of BC, too, recently issued a report on internet voting, in which it recommended that the technology not be used, arguing that the risk to the accuracy of the voting process remains substantial.

This hasn’t stopped municipalities from giving internet voting a try, though. Ontario and Nova Scotia have both experimented with the technology, with Ontario being the larger adopter. In the most recent municipal elections in October, 97 of the province’s 414 municipalities used the technology.

Goodman created the government-funded Internet Voting Project, which has produced a report exploring attitudes to internet voting among voters using these services, election officials, and candidates in Ontario. It explores attitudes to voting and experiences from users, rather than the technical aspects of voting security.

Municipal authorities – who will likely express a high level of satisfaction with Goodman’s report – stand by the security of the internet voting process. “Extensive testing of [city of] Markham’s processes and technology is completed prior to every election,” said Kimberley Kitteringham, city clerk for that municipality in Ontario, via a spokesperson.

She cited security and integrity measures – including a mock election designed to test the system, a third-party security audit, and a city invitation to all candidates to review the technology. The municipality also includes anti-malware protection on its own computers, she added.

ACM’s Simons protests that protecting election officials’ computers is only part of the challenge. “There’s something that none of those systems can deal with, and that’s the computer of the voter,” she says. “There’s no way to protect that computer from malware that can change that person’s vote.”

The security of voter clients was one of several issues raised by experts at Concordia University and Western University, who reviewed the online voting system used by Markham, along with several others, in a separate evaluation for the city of Toronto. The reviewers recommended that Toronto not proceed with internet voting in municipal elections because none of the solutions provided adequate protection against the inherent risks.

Dean Smith is president and founder of Nova Scotia-based Intelivote. “I’d be lying to everybody if I said that it was as secure, but there is a level of tradeoff against convenience,” he said.

He admits that there are risks associated with internet voting, but urges voters to compare them with other methods, specifically the vote-by-mail systems that many internet voting systems are designed to complement.

“When vote-by-mail comes back, you never know whether your vote has come through,” he says, arguing that ballots returned by mail will often arrive late and won’t be counted.

Regardless, Smith remains convinced that in spite of the risks associated with internet voting, it’s worthwhile as it increases the level of convenience for voters. “Electoral authorities are prepared to assume that level of risk,” he says.

Who gets to supervise that decision? Municipal election guidelines are laid out in each province’s Municipal Elections Act, which must be worded to allow for alternative election procedures at the local level, says Goodman.

Perhaps one of the most worrying aspects of the move to internet voting in Canada is the lack of standards governing how this technology is implemented. Canada has the highest number of internet voting-enabled municipal elections in the world, but there are no regulations explaining how to choose the systems that run them, or how they should be implemented.

“One of the things that is important moving forward is to develop some standards, with respect to legal, operational and technical. And when I say technical, that would relate to the security component,” Goodman says.

In the meantime, the stable door is open. With no regulations in play, and with some municipalities having run three sets of elections on the internet already, the horse may already have bolted.

UNIFYING PRINCIPLE

Is the time right for national data breach legislation? There are signs that this may be the year, reports Steve Zurier.

Could a national data breach law be just around the corner? President Obama’s call for a Personal Data Notification and Protection Act during his State of the Union (SOTU) may be just the kick the 114th Congress needs to hammer out legislation by midyear.

Addressing the Federal Trade Commission (FTC), the agency that has aggressively pursued companies that it feels have not properly safeguarded customer data, a week before delivering the SOTU, the President envisioned a national law that would clarify and strengthen “the obligations companies have to notify customers when their personal information has been exposed.” A key part of that law would be “a 30-day notification requirement from the discovery of a breach.”

National data breach legislation would set a federal standard for defining the parameters of a breach and the timeframe in which companies must report a breach to law enforcement authorities and consumers. The hope among many business groups is that a national law would also preempt an unmanageable patchwork of 47 state laws and instead replace them with a uniform set of statutes that companies would have to follow.

If the national law is enacted, companies will benefit from “the certainty of a single, national standard,” the White House said.

“We support a national data breach bill so companies can respond to breaches in a consistent manner,” says Tiffany Jones, senior vice president and chief revenue officer at iSIGHT Partners, a Dallas-based security firm.

Jones, who has testified before Congress on the growing malware threat landscape and the need for national data breach legislation, says companies can spend millions of dollars complying with all the state laws. Tack on the cost of a breach, the cost for cleanup, lost revenue and lost market share, and Jones says there’s very strong sentiment in the business community to finally get something done this year.

Lobbyists from groups such as the Direct Marketing Association and National Retail Federation would love to get a bill done this year, but they are realistic. Officials from these trade groups readily acknowledge that they’ve been building coalitions to support national breach legislation for nearly 10 years now, but some say following the high-profile Target, Home Depot and Sony hacks of the past year, this time could be different.

“It’s become very complicated for companies to comply with all the different state laws,” says Rachel Nyswander Thomas, vice president of government affairs for the Direct Marketing Association, one of the trade groups leading the charge for national legislation for the past decade. “With all the cases of new breaches in the news, it has become clear that both consumers and businesses have become victims. Plus, companies are global let alone national.” She adds that a national standard would reduce some of the complexity.

Dave Frymier, chief information security officer at Unisys Corp., a global information technology company based in Blue Bell, Penn., says the Sony hack may be a taste of what’s ahead. Lost in the uproar over the release of the movie The Interview were the hacks into Sony’s corporate offices and intellectual property.

“In the past we’ve had to worry about nation-states stealing intellectual property or organized crime groups that were in it for the money, but the Sony hack was different,” he says. “This was a case of disruption of operations for political or ideological purposes.”

Some consensus

On the optimistic side, those who argue for a national law point to general agreement at both the state and national level as to what constitutes a breach. Just about every state law and the many competing national bills define a breach as when a person’s name is compromised electronically along with one or more of the following pieces of personally identifiable information: a Social Security number, driver’s license number or financial account number, such as a bank card or credit card.

Unfortunately, that’s where the agreement stops. While the Direct Marketing Association (DMA), National Retail Federation (NRF) and various business groups are pushing hard for a clause that would preempt the 47 state statutes on the books, attorneys general have expressed concern that a national law could inhibit state efforts to effectively respond to breaches.

“I’ve found that the state attorneys general are not crazy about a national law,” says Jonathan Spruill, managing consultant, incident response - U.S., at Trustwave, who adds that states can’t just wait around for a national law to pass, plus they are concerned that any national law would be watered down and ineffective.

George Jepsen, the state of Connecticut’s attorney general, for example, favors national legislation, but remains concerned about preemption. “I would welcome strong and comprehensive federal legislation in this area, particularly given the national scope of some of the data breaches we have seen and, unfortunately, are likely to see again,” Jepsen says. “However, it would be a critical mistake for federal law to supplant state enforcement authority. It would be counterproductive to reduce the number and effectiveness of regulators who can combat data breaches.”

States are vital, experienced and active participants in responding to these breaches and other privacy violations, he adds. “There is enough enforcement work to go around, and we can be most effective by working as partners among the states and between the states and the federal government.”

One bill that many believe has some legs is the bipartisan legislation developed by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.). Known as the Data Security Act, if enacted into law it would require companies to notify federal agencies and consumers of a breach that affects more than 5,000 consumers.

Senator Carper says that while Congress waits, the frequency and severity of the attacks grows. In a statement prepared for SC Magazine, Carper says that he and Sen. Blunt have proposed legislation during several consecutive Congresses that would update and streamline the nation’s standards for protecting Americans from fraud and identity theft.

“As hackers and their operations become more sophisticated, our security measures must evolve as well,” points out Sen. Carper. “The approach Sen. Blunt and I take, which has bipartisan support, would ensure that businesses and government agencies manage personal and financial information more securely and that they respond quickly and effectively if and when a breach occurs. The longer we wait to act, the greater the risk of damage to Americans and American businesses. I hope that a new year brings a new focus on this issue that will allow us to move forward on smart legislation that will offer greater protection for companies and consumers alike.”

While many agree with the general parameters of the bill, the proposed Carper-Blunt law would give the FTC rule-making authority, while the trade and business groups want all specifications written into the law. In some ways, that may make sense.

Some issues yet to be worked out include the timeframe in which companies are required to report a breach. The Carper-Blunt bill does not specify a timeframe and leaves it up to the specific regulator overseeing the institution where the breach occurs.

Which leads to another unresolved issue: which branch of government should be notified? For example, should companies first notify the FBI or the Department of Homeland Security? On the other hand, the Secret Service has been given a great deal of responsibility to investigate hacking attacks and it’s still unclear what their role would be. The Carper-Blunt bill just says that the regulating agency will determine which law enforcement agency needs to be informed. Clearly, some of these issues need to be sorted out.

Obama’s proposal advocates a 30-day reporting deadline but is otherwise short on details. Ken Westin, senior security analyst with Tripwire, hailed the president’s efforts in comments sent to SC Magazine, but cited trust and privacy challenges of private industry collaborating with law enforcement. “When a breach has occurred companies may think twice before contacting law enforcement when there is a compromise, at least delaying their response to law enforcement due to the new notification requirements,” he says. “If they reach out to law enforcement for assistance in investigating a breach, would the ‘30 day shot clock’ for breach notification kick in at that point? Would there be a line of communication with law enforcement where information can be exchanged in confidence?”

Noting that companies may have good reason not to notify within 30 days, Westin says, “These are all items I believe that will need to be hashed out before this is rolled out.”

Beside the point?

Still, there are those who say that a national data breach law is beside the point. “The problem I have with a national data breach law is that the horse is out of the barn by the time a company does a breach notification,” says Frymier of Unisys.

“The Sony hack is a good example of why breach legislation primarily oriented toward notification alone can’t be the answer,” Frymier says. “The goal of the Sony hack wasn’t monetary; it was to embarrass. No notification was needed because it was already out there. What Sony really needed was better security.”

That’s why Mike Brown, VP and GM of the global public sector at security company RSA, says national data breach legislation is merely one piece of the puzzle. First, both the House and Senate passed – and President Obama signed into law – the Cybersecurity Enhancement Act of 2014, which authorizes the National Institute of Standards and Technology to develop voluntary guidelines for cybersecurity. The new law promotes cybersecurity research, private/public sector collaboration on cybersecurity, and education and awareness of technical standards.

Along with the Cybersecurity Enhancement Act, Congress also passed – and President Obama signed into law – an update to the Federal Information Security Management Act, better known as FISMA. The update gives the Department of Homeland Security a clear oversight role in federal cyber efforts, as well as authorizes federal agencies to deploy automated security tools to fight cyber attacks.

“I know it’s easy to be cynical – and Congress certainly doesn’t have a strong recent track record – but our progress at the end of the year gave me some cause for optimism,” says Brown.

He says he’s hopeful that the end-of-the-year success could lead to what he views as four important pieces of IT security legislation. The first two, the Cybersecurity Enhancement Act and FISMA, are in place. Next up for 2015 is data breach and information-sharing legislation. Dianne Feinstein (D-Cal.) was quoted in the press at the end of the year saying that she plans to re-introduce the Cybersecurity Information Sharing Act when the new session convenes, and Senators Lindsey Graham (R-S.C.) and John McCain (R-Ariz.) have expressed support for another law that would encourage companies and federal agencies to share information about cyber attacks.

So what’s going on here? Can it be that Republicans and Democrats will actually put their partisan differences aside and do what’s best for the country when it comes to cybersecurity? It’s possible that there’s enough consensus that the problem is severe enough that something has to be done. On the other hand, it’s always possible that cybersecurity could become the political football that net neutrality deteriorated into last year.

First things first. On national data breach legislation, the Direct Marketing Association’s Thomas says much has changed. Number one, people have the benefit and experience of having worked on this issue for 10 years. Number two, especially with all the news around the Sony hack, there’s finally a chance that business interests can align with privacy advocates on identity theft and get something done for the country. And finally, as RSA’s Brown points out, national data breach legislation is part of a comprehensive effort by lawmakers to pass a series of common sense laws around cybersecurity.

Add to that Obama throwing in support to kickstart the legislative process and this Congress may be able to do what the 113th Congress and others before it could not: pass a reasonable, bipartisan national data breach law.

While the consensus for action builds, many in the security industry, government and private sector are hoping that leaders will stay proactive and cybersecurity remain bipartisan and not another opportunity to score talking points in the daily news cycle. If that happens, the Sony hack really will be the beginning of a dangerous new escalation of cyber attacks – and business and government still won’t have a uniform way to respond.

STATE BREACH LAWS: Are there too many?

Law firm Baker and Hostetler, which has 14 offices nationally, keeps a running chart of all the state data breach statutes. While state laws vary on the need for a risk of harm analysis and requirements to notify the state attorney general, here’s a quick look at how a sampling of state laws are all over the map when it comes to notification.

California: Under the state’s Medical Information Specific Breach Notification Statute, for the vast majority of licensed clinics, health facilities, home health agencies and hospices, the law requires licensees to notify both affected patients and the California Department of Health Services no later than 15 business days after the unauthorized access, use or disclosure has been detected by the licensed medical facility.

Connecticut: All entities licensed and registered with the Connecticut Insurance Department are required to notify the agency of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five calendar days after the incident is identified.

Maine: If after the completion of an investigation notification is required, the notification may be delayed for no longer than seven business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.

Vermont: Notice of the security breach to a consumer shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery.

Wisconsin: Notice shall be provided within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.

A fter years of proposed changes, FISMA is finally morphing. What entered the legislative record in 2002 as the Federal

Information Systems Management Act is almost certain to become the Federal Information Systems Modernization Act under the new Congress, following passage by its predecessor in December.

The name change highlights a major shift, says Maria Horton, who was CIO for the National Naval Medical Center as FISMA made its way into law. “By modernization, Congress and the president are looking how to modernize in order to protect our security,” says Horton, currently founder and CEO of EmeSec, a Reston, Va.-based consultancy with federal government clients. Under FISMA 2.0, as it is commonly known, “agencies themselves must be prepared to report on a breach, how large it is, how many people are effected, and the circumstances surrounding it,” she says.

FISMA 2.0 would replace what has typically been federal agencies’ triennial cybersecurity compliance assessment. More frequent reports, with a strict deadline to report data breaches, would supplant the older system. It further calls for “automated security tools to continuously diagnose and improve security.” The Department of Homeland Security, which played a coordinating role for compliance with little authority under the original legislation, would play a more formal and central role under the proposed legislation, with the department’s $6 billion “Continuous Diagnostics and Mitigation” contract providing federal departments and agencies with a range of choices for cybersecurity products and services.

To appreciate the impact of the changes, it’s useful to step back and look at the history, says Juanita Koilpillai, CEO and president of Waverley Labs, a Waterford, Va.-based consultancy that often works

with clients in the federal government. “With the current FISMA evaluation, it is hard for implementations to be consistent across the board,” she says. “Systems that are in compliance are not secure and vice versa. Even checking for four of the 20 critical controls proposed by SANS Institute is an expensive exercise.”

FISMA: The next generationCritics of the original FISMA implemen-tation acknowledge that its complexity and shortcomings are the result of its rapid rollout amid a major political and bureaucratic transformation. At its outset, FISMA was essentially a post-9/11 mobilization of the feds’ IT teams to systematize and generalize cybersecu-rity practices and performance across disparate federal agencies. The armed forces and national intelligences agencies were carved out of the new law and given their presumed IT security proficiency and requirements for ultra-secrecy.

28 SC • February 2015 • www.scmagazine.com

Federal law

But every other federal entity – from the sprawling array of agencies and bureaus to the massive Department of Veteran Affairs (VA) – had to get on board. Inspectors general were charged with issuing letter-grade reports to be filed with the Office of Management and Budget (OMB). The then-new Department of Homeland Security (DHS) was subsequently designated to oversee the process, but the department lacked administrative authority – and, initially, at least – the technical expertise to do so.

In the decade-plus of FISMA’s existence, critics have complained that agencies had an interest in dumbing down their compliance reports, says Larry Ponemon chairman and founder of the Ponemon Institute, a North Traverse City, Mich.-based firm that conducts research on privacy, data protection and information security policy. “Historically, a lot of organizations would do poorly on this, with a letter grade of C- or D,” Ponemon says. “The lower the grade, the more money you would get from Congress. If you get an A, Congress would say, ‘we don’t have to fund you.’”

But FISMA’s critics often lose sight of the fact that the act was originally under the umbrella of the General Services Administration before DHS was created, says information security veteran Karen Evans, who oversaw its initial implemen-tation as administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget. Another problem: the requirement that compliance grades had to be completed at least every three years.

The three-year reporting timeline may appear to some as evidence of bureaucratic inefficiencies. But, in fact, most agencies had a difficult time securing the IT and IT security talent and resources to perform a complex and time-consuming task, says Richard Schaeffer, who heads Riverbank Associates, a Severna Park, Md.-based cybersecurity consultancy and was

a former senior executive with the National Security Agency (NSA).

“I think actually the grading was incredibly uneven, not because of FISMA, but because of people implementing it,” he said. “Very few federal agencies had a good idea of what their infrastructure looked like, how it was configured and how access control and so forth was really done,” he says.

DEFENSE FROM THE TOP
The DHS will gain more control – and federal cybersecurity likely will be improved – when a FISMA update is passed, reports Lee Sustar.

DHS takes charge

The need for a FISMA overhaul was voiced more frequently with every documented vulnerability and data breach involving federal agencies. But as the Bush era gave way to the Obama years, the effort stalled. Some of the delay was due to general Washington gridlock, but there was an intense debate specific to FISMA over how to boost DHS’s authority over implementation while preserving OMB’s ultimate authority, says Evans.

FISMA 2.0 resolves the long-running dispute by giving DHS meaningful operational oversight while tasking OMB with charting progress in compliance, Evans says. “It allows [OMB], with variants, to measure incremental improvements from year to year. That is the key change.”

To meet those more stringent FISMA 2.0 requirements – including reports to Congressional committees – federal agencies are expected to go shopping for technical hardware and software information security solutions.

Leading information security providers say they’re ready. “FISMA 2.0 wants to get to insights and agility,” says Yo Delmar, vice president for governance, risk and compliance at MetricStream, a Palo Alto, Calif.-based service provider. That, she adds, points toward the increasing use of analytics to help agencies move from basic FISMA compliance to risk assessment and reduced incident response times.

Federal agencies should beware of FISMA 2.0 solutions that may constrict their ability to defend against evolving threats, says Suni Munshani, CEO at Protegrity, a Stamford, Conn.-based provider of data security solutions. “The first question is about transparency,” he says. “Is this something I can change without being beholden to some black box technology?”

One of the biggest obstacles to data security improvements in civilian federal agencies is the reluctance to collaborate across bureaucratic lines, says David Monahan, research director, risk and security management at Enterprise Management Associates, a Boulder, Colo.-based industry analyst and consulting firm. “Security people are notoriously bad at sharing information, mainly out of fear or arrogance,” he says. “The government agencies have traditionally been well into the arrogance and fear part of the equation.”

FISMA 2.0, with its rigorous monitoring and reporting requirements, just might change that. “With their collective resources and the right tools, they have the capability to share information to vastly improve their overall defense posture,” Monahan says. “Even if one falls victim to a particular attack, the others can use the shared information to prevent – or at least limit – the scope of their own compromises.”

www.scmagazine.com • February 2015 • SC 29

ON AIR

Case study

To avoid brand damage, a radio network made certain its cloud was defended against unauthorized access. Greg Masters reports.

With the assortment of today’s communication technologies, even major radio stations supplement their broadcasts over the air with tweets, posts to Facebook and other social media venues to help promote their programming and, thus, grab the attention of their audience – however they’re staying connected.

While these new avenues are efficient in shooting out up-to-the-minute messages to increase awareness and help the audience become engaged, for security personnel the use of social media opens up a whole new can of worms.

Rocklin, Calif.-based EMF Broadcasting owns and operates the K-LOVE and Air1 radio networks, which combined have more than 700 radio and broadcasting stations spread throughout 45 states across the United States.

With the phenomenal growth of social media, EMF needed visibility and control over social networking applications used by its personnel.

The challenge for Juan Walker, principal security strategist at EMF Broadcasting, and his 40-member IT team, was to manage the radio network’s approximately 500 employees by protecting cloud applications from unauthorized access and account takeover attacks. “For example, if a radio personality had their social media account compromised this could create a public relations crisis for EMF,” Walker says.

The prospect of a hacker hijacking a staff member’s social media account and posting inappropriate content attributed to the organization could have disastrous effects on the network’s reputation and relationship with its donors, he says.

“Social media challenges EMF in many exciting and unexpected ways,” Walker says. “A small percentage of companies have a documented social media policy and EMF is one of them. We want added protection when engaging with listeners and donors through social media platforms.”

A search began for a technology solution to assist. When he and his IT team were introduced to Skyfence, they thought its cloud-protection capabilities would fit into their social media protection strategy. “The cost per user really made the solution attractive,” he says.

PROTECTION: Covering the bases
The goal when implementing a solution from Skyfence, says Juan Walker, principal security strategist at EMF Broadcasting, was to protect:
- High-profile employees, such as CEOs and official spokespeople, who will attract more attention than most. Their role requires extra guidance.
- Officially recognized channels, such as the company’s Twitter feed and Facebook page. These channels require more guidance, and should be used only by designated people.
- Privileged information of any sort, including customer or patient identification.
- Enterprise financials.
- High-profile topics, such as safety, product recalls, mergers and acquisitions, and compliance. Natural disasters or political events that can affect the company.
- Dramatic events that affect the organization’s brand, competitors or the industry as a whole.

“Skyfence is a proxy-based solution that provides cloud app discovery/risk scoring, analytics and protection,” says Frank Cabri, vice president of marketing for Skyfence. “It does not require any endpoint software.”

The solution uncovers cloud apps by inspecting and aggregating data in user access logs from enterprise web proxies and firewalls, Cabri explains. An app discovery report is generated using a locally executable tool that scans existing log files (from firewalls or web proxy systems) either manually or on an automatic schedule. The process does not require any installation of agents or changes to applications.

Skyfence automates the process of determining which cloud apps users are accessing and details the number of users, activity level, traffic volume and usage hours for each app.

Further, it performs a risk assessment and categorizes each cloud app as high, medium or low risk. Risk metrics, such as the status of service provider audits (e.g., SSAE 16), compliance requirements (e.g., PCI attestation of compliance) and many other critical criteria are consolidated and measured so organizations can use the risk score of each app to prioritize their risk mitigation efforts. In addition, the advanced risk metrics feature lets organizations customize risk weightings so app metrics can be adjusted to reflect the risk to their specific business operations, Cabri says.

Seamless integration

Skyfence, he adds, delivers a complete picture of cloud app risks and operational intelligence through detailed analytics of cloud app usage. “It aggregates the output of multiple app scans and app risk metrics with detailed monitoring and analytics of user, app and endpoint usage,” Cabri says. The solution also generates consistent user activity logs for IT staff across the entire cloud environment – critical for effective risk management and for correlation with existing SIEM environments. Additionally, Skyfence has built-in enterprise integrations that make it simple to integrate with enterprise directories and market-leading SIEM solutions from ArcSight, Splunk and Q1 Labs, adds Cabri.
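The discovery and risk-scoring process Cabri describes above reduces to a log-aggregation job: parse proxy or firewall access logs, map each destination host to a known cloud app (or flag it as unknown), roll up users, requests, bytes and distinct usage hours per app, and score each app from the controls it is missing using weights the organization can change. The following Python is an added example written for this page, not Skyfence’s tool or code; the log format, the app catalog, the risk attributes and the weights are constructed for illustration.

```python
"""Cloud app discovery and weighted risk scoring from proxy access logs.

Added example written for this page, not Skyfence code. The log format, the
app catalog, the risk attributes and the weights are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed proxy log: time, client IP, user, method, URL, status, bytes transferred
SAMPLE_LOG = """\
2015-02-03T09:12:44Z 10.1.4.22 jwalker GET https://www.dropbox.com/home 200 18322
2015-02-03T09:13:01Z 10.1.4.22 jwalker POST https://dl-web.dropbox.com/upload 200 4194304
2015-02-03T10:40:17Z 10.1.4.31 mrivera GET https://na1.salesforce.com/home/home.jsp 200 52011
2015-02-03T13:05:09Z 10.1.4.57 tchen GET https://www.dropbox.com/home 200 17990
2015-02-03T13:06:41Z 10.1.4.57 tchen GET https://filebin.example/u/9f2a 200 880
2015-02-03T13:07:02Z 10.1.4.57 tchen POST https://filebin.example/upload 201 26214400
2015-02-03T14:22:30Z 10.1.4.22 jwalker GET https://docs.google.com/document/d/abc 200 9100
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed catalog: registrable domain -> (app name, controls the provider offers)
APP_CATALOG = {
    "dropbox.com": ("Dropbox", {"audit_report": True, "pci_aoc": False, "mfa": True, "dlp_api": True}),
    "salesforce.com": ("Salesforce", {"audit_report": True, "pci_aoc": True, "mfa": True, "dlp_api": True}),
    "google.com": ("Google Apps", {"audit_report": True, "pci_aoc": False, "mfa": True, "dlp_api": True}),
}
# An app not in the catalog is assumed to offer none of the controls
UNKNOWN_ATTRS = {"audit_report": False, "pci_aoc": False, "mfa": False, "dlp_api": False}
# Weight of each missing control; an organization overrides these to fit its own risk
DEFAULT_WEIGHTS = {"audit_report": 3, "pci_aoc": 2, "mfa": 3, "dlp_api": 2}


def parse_line(line):
    """Parse one log line into a record, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify_host(host):
    """Map a hostname to a catalog entry by domain suffix; anything else is an unknown app."""
    for suffix, (name, attrs) in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name, attrs
    return "UNKNOWN:" + host, UNKNOWN_ATTRS


def risk_score(attrs, weights=DEFAULT_WEIGHTS):
    """Sum the weights of every control the app lacks, normalize to 0..1 and bucket it."""
    total = sum(weights.values())
    missing = sum(w for key, w in weights.items() if not attrs.get(key, False))
    score = missing / total if total else 0.0
    level = "high" if score >= 0.5 else "medium" if score >= 0.25 else "low"
    return round(score, 2), level


def discover(log_text, weights=DEFAULT_WEIGHTS):
    """Aggregate per-app users, requests, bytes and distinct usage hours, then score each app."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0, "hours": set(), "attrs": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        app, attrs = classify_host(rec["host"])
        s = stats[app]
        s["users"].add(rec["user"])
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["hours"].add(rec["ts"].strftime("%Y-%m-%d %H"))
        s["attrs"] = attrs
    report = {}
    for app, s in stats.items():
        score, level = risk_score(s["attrs"], weights)
        report[app] = {
            "users": len(s["users"]), "requests": s["requests"], "bytes": s["bytes"],
            "usage_hours": len(s["hours"]), "risk_score": score, "risk_level": level,
        }
    return report


if __name__ == "__main__":
    for app, r in sorted(discover(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["risk_score"]):
        print(f"{app:26} users={r['users']} req={r['requests']} bytes={r['bytes']:>9} "
              f"hours={r['usage_hours']} risk={r['risk_level']} ({r['risk_score']})")
```

On the constructed log the unknown file-sharing host surfaces at the top of the list with a single user pushing 25 MB out in one hour, which is exactly the kind of shadow-IT finding the discovery report is meant to raise; the catalogued apps score low because their providers offer most of the controls being weighed. Passing a different `weights` mapping to `discover` is the customizable-weighting step: an organization that handles cardholder data would raise the `pci_aoc` weight and see the same apps re-ranked.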

The implementation at EMF went smoothly, says Walker. “We used the Skyfence cloud deployment option so there was no on-premises equipment required and support was seamless.” And, it’s very easy to manage, he says, since it does not have any API dependencies and does not use any agents. “It provides seamless interoperability with single sign-on vendors for easy integration. Also, because it is application agnostic, Skyfence can support any current and future cloud applications that EMF implements.”

An added value is that the offering does not store payment card information in the cloud, so there are no compliance requirements at this time.

The Skyfence tool currently reaches across EMF’s entire network supporting all cloud applications and users at EMF.

The radio network plans to enforce the same levels of security monitoring and protection across all cloud applications so it will expand its use of Skyfence to new users, apps and endpoint devices as they are introduced into its environment.

“Our policies have changed to focus on extending the same security measures we use in the datacenter to cloud apps,” says Walker. “Skyfence helps us ensure that the same security best practices used in our on-premise datacenter are being applied to our cloud environment.”

“Cloud app usage had created a security blind spot for us,” Walker admits. “We lacked both the visibility into what cloud applications our employees were using and the ability to monitor activity and unauthorized access.” But the implementation of Skyfence provided the ability to automatically identify managed and unmanaged mobile devices accessing cloud apps and to enforce specific access policies based on whether a device is managed by IT or not, he explains.

A detailed profile

The solution includes dynamic user and device fingerprinting technology to quickly establish a complete and detailed profile of behavior based on the normal patterns of use for each user, department and device, says Cabri. “Any access that fails the fingerprint test can be configured to immediately alert, block or require two-factor identity verification in real time, giving IT staff at EMF the ability to strongly authenticate users performing higher-risk activity while automatically enforcing security policies across all their cloud services.”
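The fingerprint test and its alert, block or step-up outcomes that Cabri describes, together with the managed-versus-unmanaged device policy Walker mentions, can be shown with a small behavioral baseline: learn each user’s devices, hours and apps from past events, then score a new event against that profile. The following Python is an added example written for this page, not Skyfence’s code; the event fields, the fingerprint recipe (user agent plus source network), the managed-device inventory and the policy rules are constructed assumptions.

```python
"""User/device behavioral baseline with allow, alert, step-up and block decisions.

Added example written for this page, not Skyfence code. The event fields, the
fingerprint recipe, the managed-device inventory and the policy are constructed.
"""
import hashlib
from collections import defaultdict

WIN_CHROME = "Mozilla/5.0 (Windows NT 6.1) Chrome/40.0"
MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Safari/600.3"
ANDROID = "Mozilla/5.0 (Linux; Android 4.4) Chrome/40.0"
OFFICE_NET, HOTEL_NET = "10.1.4.0/24", "203.0.113.0/24"

# Constructed history of normal, IT-observed access events
HISTORY = [
    {"user": "jwalker", "ua": WIN_CHROME, "src_net": OFFICE_NET, "hour": 9, "app": "Twitter", "action": "post"},
    {"user": "jwalker", "ua": WIN_CHROME, "src_net": OFFICE_NET, "hour": 10, "app": "Facebook", "action": "post"},
    {"user": "jwalker", "ua": WIN_CHROME, "src_net": OFFICE_NET, "hour": 14, "app": "Twitter", "action": "read"},
    {"user": "mrivera", "ua": MAC_SAFARI, "src_net": OFFICE_NET, "hour": 11, "app": "Salesforce", "action": "read"},
]

SENSITIVE_ACTIONS = {"change_password", "add_admin", "share_external", "bulk_download"}


def fingerprint(event):
    """Stable device identity from what a proxy can observe: user agent and source network.
    A product folds in many more signals; two are enough to show the mechanism."""
    raw = event["ua"] + "|" + event["src_net"]
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


# Constructed inventory of IT-managed devices, keyed by the same fingerprint recipe
MANAGED_DEVICES = {
    fingerprint({"ua": WIN_CHROME, "src_net": OFFICE_NET}),
    fingerprint({"ua": MAC_SAFARI, "src_net": OFFICE_NET}),
}


def build_profiles(history):
    """Per-user baseline: devices seen, hours of day active, apps used."""
    profiles = defaultdict(lambda: {"devices": set(), "hours": set(), "apps": set()})
    for e in history:
        p = profiles[e["user"]]
        p["devices"].add(fingerprint(e))
        p["hours"].add(e["hour"])
        p["apps"].add(e["app"])
    return profiles


def evaluate(event, profiles, managed=MANAGED_DEVICES):
    """Return (decision, signals). Decisions: allow, alert, require_2fa, block."""
    signals = []
    fp = fingerprint(event)
    profile = profiles.get(event["user"])
    if profile is None:
        signals.append("no_baseline")
    else:
        if fp not in profile["devices"]:
            signals.append("new_device")
        if not any(abs(event["hour"] - h) <= 1 for h in profile["hours"]):
            signals.append("off_hours")
        if event["app"] not in profile["apps"]:
            signals.append("new_app")
    if fp not in managed:
        signals.append("unmanaged_device")
    sensitive = event["action"] in SENSITIVE_ACTIONS

    if "unmanaged_device" in signals and sensitive:
        decision = "block"          # an unmanaged device never performs a sensitive action
    elif "no_baseline" in signals or "new_device" in signals:
        decision = "require_2fa"    # fingerprint test failed: step up before proceeding
    elif len(signals) >= 2:
        decision = "require_2fa"    # several small deviations together are suspicious
    elif signals:
        decision = "alert"          # one benign deviation: allow, but log it for review
    else:
        decision = "allow"
    return decision, signals


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    probe = {"user": "jwalker", "ua": ANDROID, "src_net": HOTEL_NET,
             "hour": 23, "app": "Twitter", "action": "change_password"}
    print(evaluate(probe, profiles))
```

The policy ordering is the point: a sensitive action from a device IT does not manage is refused outright, any failed fingerprint falls back to a second factor rather than a hard block (a radio host really may be posting from a new phone), and a single drift such as a new app is logged rather than interrupted. A real deployment would also age the baseline and treat a first-ever user as something for the directory to confirm, which is why the unknown user above lands on step-up, not allow.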

Additionally, Skyfence provides a variety of deployment options – cloud, on-premise virtual or physical appliance, inline and non-inline. No agents are required on endpoints and there is comprehensive support for any application. Further, it provides contextual user information from Active Directory (AD), and not just IP addresses. Too, it fingerprints each user’s unique identity and behavior to profile how they access cloud applications in order to automatically look for atypical behavior indicative of compromised credentials or a malicious employee.

Skyfence Cloud Gateway is available as a cloud service, on-premise appliance or virtual appliance, and as a managed service. When using the gateway on-premise, inline and offline configura-tions are supported. Updates (including new features and new risk information) are made automatically via the internet.

The cloud is no longer a future technology, says Cabri. “For many organizations, the move from on-premise to software-as-a-service (SaaS) applications – such as Office365, Salesforce.com, Google Apps, Dropbox, NetSuite and others – can result in significant cost savings and increased flexibility.” But, he points out, it also introduces business and security risks as SaaS applications create “blind spots” that cannot be addressed by traditional on-premise monitoring and security solutions.

“While cloud apps and services are changing the computing environment, IT requirements for safe and productive use of resources have not changed. With Skyfence, users get the apps they want and IT gets the visibility and control they need.”

HANDS-ON: Insight
According to Frank Cabri, vice president of marketing for Skyfence, the tool’s analytics provide critical insight and intelligence into:
- Data usage: who performed actions, viewed or modified what, when, and how often;
- Privileged user monitoring: including data access, configuration and user permission modifications;
- API activity: cloud app and services data accessed via APIs.

HELP WANTED

Recruiters say that corporations and government need to rethink their defenses to address critical talent shortages, reports Larry Jaffee.

Hiring crisis

The continuing jobs crisis regarding the availability of quality IT security professionals can be summed up with an old adage: Penny wise, pound foolish. That’s because workers in the field are in greater demand than ever before, but companies often don’t invest in them until after a crisis strikes.

According to specialized recruiters, the talent dearth lies with a general failure to make security an utmost priority to develop and retain skilled experts charged to protect the family jewels. Unfortunately, corporations usually wait until they’re hacked and then overpay for outside consultants, rather than prepare proactively in-house for the real possibility – or more accurately, inevitability – that they might be a target for a major breach. Experts by and large concur that better recruitment at the university level may improve the future situation, which these days increasingly includes going overseas for qualified candidates.

Moreover, it behooves the industry to promote IT security as a hot, well-paying career to young computer/mobile enthusiasts before they even graduate high school and, ideally, instill that philosophy within education curricula as early as possible.

Besides revamping upper and lower education, Adam Malanaphy, managing director of Montclair, N.J.-based IT recruitment firm Glenmont Group, believes solving the shortage will take a change in public perception of the information security job market. “One way to bring this issue into the limelight is to pressure politicians to highlight the demand for skills in information security,” he says. Introducing specialized courses at STEM high schools is an initial step that will pay off in the future, says Malanaphy, whose firm is actively working on around 125 open positions, of which about 20 percent are in information security.

In order to satiate the more immediate need, Malanaphy advises making available more certifications at U.S. colleges and universities, with special emphasis on guidance departments to understand the viability of the job market. “Internal recruiters should focus their time on key universities offering advanced degrees,” Malanaphy says. He admits that at his firm the focus is not on recent grads, but on candidates who are currently working in these positions. Education and experience are not equal in the real world.

“When a society becomes too focused on passing a test, as opposed to actually doing stuff, then you have a real problem,” says Lee Kushner, president of LJ Kushner & Associates, a Freehold, N.J.-based executive search firm specializing in the information security industry. “Information security is more of a learned skill. Certified is not qualified. That is really the wrong way of looking at this problem.”

Kushner squarely places the blame on HR departments that historically have not given information security the respect it deserves – and absolutely requires at this juncture. He’s seeing HR departments combining roles – choosing from applications, security, engineering, development and architecture – into one position.

“The people capable of doing all those things generally outstrip compensation,” he says. “They’re in high demand. Talented people have a lot of choices.”

Instead, corporations should be patient when recruiting talent in the same way corporate leadership programs recruit MBAs from grad schools, Kushner advises. Corporations recruiting for information security need to put grads into a path that earns X, then 18 months later 20 percent more, and in 36 months plus, another 20 percent. “And they should be telling the new hires ‘we’re going to train you in a whole bunch of different disciplines with security compliance and regulation and stuff like that, and you’re going to become a fabric of our company,’” he says.

Such a pitch would be enticing to somebody seeing that kind of runway, says Kushner. But, he cautions, treating IT security professionals the same way they do lawyers or accountants could upset the internal HR applecart. “Companies don’t understand the value of talent and the resource,” he says. “They put IT security into general HR buckets. That’s the problem. Companies don’t have the mechanism to get out of that kind of thinking.”

Jeff Snyder, president of SecurityRecruiter.com, of Woodland Park, Colo., agrees with Kushner that companies are going to have to build talent from within. “This means that they need more strategic talent acquisition programs that focus on a job candidate’s aptitude and talent rather than focusing on a job candidate’s particular skills at the moment,” Snyder says. “Education supports experience. Education without experience is not of great value.” Too, upper management must be alerted to – and address the need of – compensating security talent, which will ultimately help the organization’s bottom line.

“What needs to happen first is that critical infrastructure companies need to step into the current century and recognize that they need to devote budget to information security,” Snyder says. “Only after senior executives recognize the need to support information security strategy can talent be addressed. As long as information security is thought of as a piece of IT, salaries will never rise above the level of a security professional’s peers in IT.”

Jeff Combs, principal of J. Combs Search Advisors, which recruits information security and IT risk management pros, believes that higher salaries may not be the overriding factor in finding and keeping talented security people. “Money is only part of the equation,” he says. “Companies need to provide a security-supportive culture, an opportunity to do meaningful work and career growth opportunities.”

The ramifications of such a skills shortage can impact the nation’s critical infrastructure, Combs believes. “It means that U.S. companies will always be playing catch-up when it comes to the global technology arms race. Lack of a supported, well-staffed security program, which includes recruiting efforts, will lead to more companies and their customers being affected by significant security breaches, brand risk and loss of intellectual property.”

VIEWPOINTS: Value of certs

We talked to two security experts at Verizon Enterprise Solutions and while each earned a CISSP certification from (ISC)2, they both had a slightly different take on the value of certifications.

“People in my area are working on very practical day-to-day security skills,” says Fawaz Rasheed, managing director, global security solutions engineering at Verizon Enterprise Solutions. “So I would say if they are looking at adding on a certification they pick just a couple of very targeted certifications such as the hands-on training from GIAC or the CISM or CISA from ISACA. Of course, as you get into the second level and move into management, the security certifications tend to level off, which is why I’m going for a master’s in business information technology at DePaul University in Chicago.”

Maureen Kaplan, managing director and chief operating officer, global security at Verizon Enterprise Solutions, agrees for the most part with her colleague, but has a slightly different perspective. “What I have found is that taking a different course that may not be directly related to the job may give you an opportunity to uncover emerging technologies and look at your company’s security in a different light and then be able to relate to our customers in a different way.”

– Steve Zurier

GET THEM YOUNG: Filling IT positions

Nearly all IT security recruiters agree that one way to tackle the lack of qualified professionals is to find and nurture talent at a young age. So we asked a recently retired high school teacher what he thought about the prospects of getting whiz kids to think about computer careers other than programming video games. Chuck Goodman, who taught computer science at the Manhattan Center for Science and Mathematics, believes it’s a great idea to offer a computer course focusing on security. His former East Harlem school, once beset by drugs and dropouts, within four years of its creation was considered one of the public school system’s best turnaround examples. Goodman would open the school’s four computer laboratories at 7 a.m. and they would remain packed into the evening.

“We don’t allow games on the computers, games don’t get you into college,” Goodman told The New York Times in 1986. Today, the need for skilled computer technicians is even greater, he believes, because of the sophistication of hackers, who clearly have an understanding of the inner workings of computers. “That’s how these bad guys get in. They know where the holes are,” says Goodman, who wrote the NYC Board of Education’s first treatise on computer viruses 20 years ago. Recent high-profile hacks, such as those hitting Target and Home Depot, should be enough incentive for today’s bright high school students to realize that there are well-paying IT security jobs ahead, he adds.

MAKING THE GRADE

Case study

A Chicago-area high school found a solution to broaden its internet pipeline and maintain compliance, reports Greg Masters.

Young students are more sophisticated in their use of computers than we may be willing to admit. They have, after all, been plugged in since birth, perhaps more comfortable with remote controls and game consoles than their parents. So, it’s no surprise that they can easily find ways to circumvent restrictions put in place to prevent their accessing inappropriate material on their school computers.

One high school in the Chicago area put a technology solution in place to both broaden its network capacity and restrict the dissemination of inappropriate material to savvy computer users. Minooka Community High School (MCHS), comprising about 2,500 students, is situated southwest of Chicago. Its central campus is located in Minooka, a south campus is in Channahon and its administrative offices are in Shorewood.

Les Kern, director of technology at MCHS, had become frustrated with the school’s legacy web filter because it couldn’t stop web filter avoidance by his students using SSL connections.

Although with this system in place he hadn’t encountered any serious issues, he began a search for a solution – as students were able to access inappropriate content, jeopardizing the school’s compliance with the Children’s Internet Protection Act (CIPA) and putting subsidy funding at risk. Of course, the school had to be in compliance with CIPA, which addresses concerns about children’s access to inappropriate material over the internet. The act levies a number of requirements on schools and libraries which, through the E-rate program, receive discounts for internet access or internal connections.

Kern was responsible for reviewing and choosing a solution. He, along with his five-person IT team – an IT specialist, two technology assistants and a technology aide – asked their IT services partner, Sentinel Technologies, for a solution and it recommended a network appliance called Internet Content (IC) Control from Untangle.

“Sentinel recommended Untangle’s IC Control specifically because of its ability to do a full SSL decrypt and re-encrypt,” says Kern. They informed him that the tool has a patented technology, called Anonymous Proxy Guard, that ensures all ports and protocols would be examined and handled appropriately based on the school’s filtering policies.

“IC Control helps network administrators diagnose and resolve internet traffic problems – such as bottlenecks, over-saturation of recreational traffic, application performance, optimization of hosted and cloud services, and prioritization of critical traffic – ensuring network performance, reliability and stability,” says Bob Walters, president and CEO of Sunnyvale, Calif.-based Untangle.

The tool, he says, is available to customers on network appliances and offers a single-interface, turnkey internet management solution that includes network monitoring, internet traffic analytics, bandwidth management and traffic shaping, application prioritization, cloud optimization and web filtering. “It is a highly scalable solution appropriate for large organizations with bandwidth up to 10 Gbps,” he says.

The solution is intended for medium to large organizations in all vertical markets that need a purpose-built, highly scalable appliance which can be run as a transparent bridge to provide granular, dynamic reporting, he says. “It gives immediate insight into where and how network problems occur – resulting in improved internet performance and lower bandwidth costs.”

Deployment of the Untangle tool went smoothly, says Kern, and his team is pleased with the deployment. “It’s very easy and quick to diagnose and solve internet-related issues,” he says. “The appliance saves me time in managing the internet connection to handle the school’s bandwidth, and it definitely gives me peace of mind. Since filter avoidance is no longer a problem, the school’s network remains CIPA compliant. Because of IC Control, our students can’t use SSL or other techniques to access restricted content.”

Untangle IC Control reaches across the district’s network of 1,100 devices – including desktops, laptops and iPads – in its three locations.

“IC Control’s real-time, rich data reporting gives network administrators an unprecedented view of layer 7 traffic,” says Untangle’s Walters. “This gives them insight into what data is flowing over their network at any given moment so they can set policies that make sense.”

Customers of the offering can opt into software updates as they become available, he adds. All of the security databases (like virus definitions and URL categorization) are updated in real time.

One other reason Kern and his team chose the tool is that it can handle the school’s anticipated future growth, and the evolution of both the internet and the students’ technological sophistication, he says. “IC Control provides historical data for long-term diagnostics of traffic and bandwidth use for the district.”

OUR EXPERTS: Safe port
Les Kern, director of technology, Minooka Community High School
Bob Walters, president and CEO, Untangle
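The filter avoidance Kern describes works because a legacy URL filter sees only a destination IP and port once a connection is SSL/TLS; the hostname it needs is inside the encrypted session. Short of the full decrypt-and-re-encrypt that IC Control performs, a TLS-aware filter can still read the hostname the browser sends in the clear in the ClientHello’s Server Name Indication (SNI) extension and apply policy to it before a byte of application data flows. The following Python is an added example written for this page, not Untangle’s or IC Control’s code: it assembles a constructed ClientHello, parses the SNI out of it and applies an assumed blocklist. The caveat a practitioner should keep in mind is that SNI can be omitted or set to a false name by a client that wants to evade the filter, and newer TLS extensions encrypt it, which is why a filter that must hold CIPA compliance either fails closed on missing SNI or goes to full interception.

```python
"""Hostname-based filtering of TLS connections via the ClientHello SNI extension.

Added example written for this page, not Untangle's or IC Control's code.
The ClientHello bytes are constructed here; the blocklist is an assumption.
"""
import struct

# Constructed policy: domains a school filter would refuse
BLOCKED_SUFFIXES = ("proxysite.example", "hide-me.example")


def build_client_hello(hostname=None):
    """Assemble a minimal TLS 1.2 ClientHello record, optionally with an SNI extension.
    An unrelated empty extension (extended_master_secret) is placed first so the
    parser has to skip extensions it does not care about."""
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"                  # three AES-GCM cipher suites
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # one compression method: null
    exts = struct.pack("!HH", 0x0017, 0)
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a ClientHello record, or None if the bytes are not a
    ClientHello, are truncated, or carry no SNI. Length fields are walked explicitly and
    the index/struct errors a truncated record raises are turned into None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        hs_end = 9 + int.from_bytes(data[6:9], "big")
        pos = 9 + 2 + 32                                       # skip client_version and random
        pos += 1 + data[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                                   # compression_methods
        if pos + 2 > hs_end:
            return None                                        # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                list_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= list_end:
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    if p + 3 + nlen > list_end:
                        return None                            # name length runs past the list
                    if ntype == 0:
                        return data[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
                return None
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def decide(record, blocked=BLOCKED_SUFFIXES, block_unknown=False):
    """Apply the blocklist to the SNI hostname. Without an SNI the filter is back to
    seeing only an IP and port; block_unknown selects fail-closed for that case."""
    host = extract_sni(record)
    if host is None:
        return ("block" if block_unknown else "allow"), None
    host = host.lower().rstrip(".")
    for suffix in blocked:
        if host == suffix or host.endswith("." + suffix):
            return "block", host
    return "allow", host


if __name__ == "__main__":
    for name in ("videos.proxysite.example", "lms.school.example", None):
        print(name, decide(build_client_hello(name), block_unknown=True))
```

Run as a script it prints a block for the proxy host, an allow for the school’s own host and, because `block_unknown=True`, a block for the ClientHello that carries no SNI at all. The last case is the one that matters for a school: a filter that defaults to allow on missing SNI has re-opened the hole the students were using.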

Product Section

Threat intelligence emerges

With this issue we are starting a bit of a makeover for the emerging products. We listen to what you tell us and you tell us that for these products you want more depth. Done. We are reducing the number of emerging products groups to two per year and increasing the number of products. Most important, though, we are increasing the space we are giving the products. So now you get a full page.

Our group this month is threat intelligence. This is a truly emerging market space. It’s looking for its wings and customers across all verticals are starting to realize the value of action-able intelligence and cybersituational awareness. There are lots of ways to skin this cat and we had the opportunity to see and play with most of them.

A word about ratings. As a general rule we don’t give star ratings, Best Buy or Recommended designations for emerging products. That won’t change as we move forward. However, sometimes we run into a special product or service and we want it in our lab. For that we give the SC Lab Approved rating. We will move that into the emerging products issues because some products we see are pretty spectacular.

It’s a new year and with the new year we have new projects. So here are some things to keep your eyes open for. There will be more content on our website, scmagazine.com, perhaps including my blog, Threat Hunter. Also, we’ll be leveraging the site to nimbly add small emerging product reviews throughout the year when we think a particular sector is appropriate to cover. This will allow us to stay current with the rapidly evolving marketspace and keep you better informed. Even though some emerging product types have, as yet, just a few players, if they are worth your time they’re worth our space.

As well, I invite you to follow me on Twitter – @nuciso – where I am keeping followers up to date on current technical issues in the worlds of digital forensics, cyber threats and other rather geeky stuff – pointers to good, solid, useful technical articles, often in SC Magazine.

So, welcome to a new year here in the products section of SC Magazine and to SC Labs. After well over 20 years writing for SC, I really am look-ing forward to some of the things we have on tap for you in 2015.

– Peter Stephenson, technology editor

How we test and score the products

Our testing team includes SC Labs staff, as well as external experts who are respected industry-wide. In our Group Tests, we look at several products around a common theme based on a predetermined set of SC Labs standards (Performance, Ease of use, Features, Documentation, Support, and Value for money). There are roughly 50 individual criteria in the general test process. These criteria were developed by the lab in cooperation with the Center for Regional and National Security at Eastern Michigan University.

We developed the second set of standards specifically for the group under test and use the Common Criteria (ISO/IEC 15408) as a basis for the test plan. Group Test reviews focus on operational characteristics and are considered at evaluation assurance level (EAL) 1 (functionally tested) or, in some cases, EAL 2 (structurally tested) in Common Criteria-speak.

Our final conclusions and ratings are subject to the judgment and interpretation of the tester and are validated by the technol-ogy editor.

All reviews are vetted for consistency, correctness and com-pleteness by the technology editor prior to being submitted for publication. Prices quoted are in American dollars.

What the stars mean

Our star ratings, which may include fractions, indicate how well the product has performed against our test criteria.
★★★★★ Outstanding. An “A” on the product’s report card.
★★★★ Carries out all basic functions very well. A “B” on the product’s report card.
★★★ Carries out all basic functions to a satisfactory level. A “C” on the product’s report card.
★★ Fails to complete certain basic functions. A “D” on the product’s report card.
★ Seriously deficient. An “F” on the product’s report card.

What the recognition means

Best Buy goes to products the SC Lab rates as outstanding. Recommended means the product has shone in a specific area. Lab Approved is awarded to extraordinary standouts that fit into the SC Labs environment, and which will be used subsequently in our test bench for the coming year.

iSIGHT Partners – Adds a lot of value to your stack P42
Silobreaker – Solid open source intelligence gathering P46
SurfWatch Labs – Provides a view of cyber threat intelligence P47

Emerging products: Threat intelligence

Having the right products to provide solid intelligence analysis can go a long way toward protecting you against the ravages of a Sony-style compromise, says Peter Stephenson.

Regardless of who or what you believe hacked Sony, it was a massive cybercrime. Was it an act of cyberwar? That’s not for us to determine, but regardless, laws were broken and the attacks came via cyberspace. So we have, at the least, a very serious and rather complex cybercrime.

Why does this lack of distinction matter? First, it matters because there is an emerging pattern of attack: whether nation-state, sub-state, criminal enterprise or individual, criminal hackers are the executors. That pattern is characterized by Lockheed Martin as the cyber kill chain. The term gives us a clear way to visualize what really goes on in a cybercampaign.

One of the things that we especially like about the kill chain is that it gives a concise, no-nonsense definition of advanced persistent threats, particularly “threat.” We tend to confuse threats with malware. So if we are hunting threats we are hunting malware. While it certainly is true that malware may be involved, Lockheed says – and we agree – that a threat is a person or persons with intent, opportunity and capability.

That sounds a lot like the motive, method and opportunity that defines the likely perpetrator of a crime. And that is exactly what it is. At the end of the day we must start to think of cyberattack campaigns as crimes carried out by people – not machines – with motive, method and opportunity. Understanding who these people are through their attacks is a sort of Holy Grail for cyber-analysts and investigators. Without that there is no attribution. And, as a challenge, attribution is about as difficult as it gets.

Understanding the kill chain for a particular type of campaign is a huge step toward protecting and responding. And that is where cyberthreat intelligence comes in. Cyberthreat intelligence is the meat and potatoes of this month’s emerging products group. This likely is the newest product classification in our field and it certainly has become one of the most important in its short lifetime.

Strangely, several of the companies we are looking at this month have been around a while doing something that relates to what they are doing now. The leadership in most of these companies comes from some sort of intelligence background. And, importantly, these intel folks have teamed up with – or are themselves – some pretty impressive software development talent.

There is a concept called crime assessment that says look at the crime, understand it and from that understand the criminal who committed it. We look at the crime scene and we ask: Why would someone do this? Do we have a starting point for attribution? And so on.

A lot of these questions can be addressed – if not always answered completely – through solid intelligence analysis. And if all goes well and you have the right products, knowing these answers in advance can go a long way toward protecting you against the ravages of a Sony-style compromise.

What is even more interesting is that organizations are finally coming around to the fact that without cybersituational awareness they are in very treacherous waters. Still, this is not a journey for the faint-hearted. Having data is not even close to having enough of the tools needed to break the kill chain. You have to understand the data in the context of the overall threatscape. That is a lot easier to say than it is to do, but this month’s offerings are a solid step in that direction.

Twice a year, Technology Editor Peter Stephenson and his team at the SC Lab address emerging technologies and markets. The purpose is to look at segments in the information assurance space that represent new technologies, needs and capabilities. In those emerging areas there always are new entries and old pros that want to expand into the space. We will be looking at both – and bringing you the companies, products and services that we believe will shape the future.

SOMETHING NEW


EMERGING PRODUCTS

This is an interesting product. It collects threat intelligence data from a variety of sources, including its own organization, and applies that intelligence to manage network protection at the enterprise. By partnering with a number of threat intelligence providers and several technology vendors, Centripetal’s Network Protection System (NPS) provides what the company refers to as Active Network Defense.

NPS operates in such a way as to provide support for analysts, systems operators, CxOs and executive management. That means that it produces the sorts of outputs that are uniquely useful to each of these groups. Because the difference between actionable intelligence and the flow of threat data from internet sensors is noise, the object is to get rid of the noise so that the actionable data is exposed. That is an important layer of NPS functionality.

In each of the cases above, NPS not only provides the unique kind of data needed by the particular audience, it focuses that data in the ways most useful at that level. So, for example, for the analyst, NPS focuses on the data, matching the analysis to the expected analyst workflow. For the system operator, the focus is on managing the security stack. And for the executive, NPS provides situational awareness and presents data in the form of effective use of resources and budget. These varying perspectives result in a completely unique approach to actionable cyberthreat intelligence.

The heart of the NPS is the RuleGate threat intelligence security layer. This is an appliance that manages five million threat indicators at wire speeds up to 10Gbps. It is policy driven and enforces its policies across the enterprise correlating internal hosts and external threats. It is not intended to be a standalone solution to the security challenges of the enterprise. Rather, NPS works with other network security components to improve its overall security posture.

There are some intelligence feeds from external sources, including open source and Centripetal’s own, but you can purchase commercial feeds through the platform itself. Those feeds integrate into the system, which consumes, integrates and correlates the data as part of QuickThreat.

Rule sets are easy to use and the user interface is comprehensive. The system looks at both inbound and outbound data flows and tracks TOR exit nodes. The UI is web technology, but it is a custom implementation that uses a wrapper for browser compatibility. This is a serious system built from the ground up – no customized off-the-shelf appliances here – by Centripetal in the United States.

Centripetal Networks Network Protection System v2.1


DETAILS

Product Network Protection System v2.1

Company Centripetal Networks http://www.centripetalnetworks.com/

Price Starts at $60,000.

What it does Active network defense merging cyber threat intelligence and security stack management.

OUR BOTTOM LINE

This is an industrial-strength integration of cyber threat intelligence with system management. It plays well with other network security tools because it was designed from the ground up to do exactly that. As well, it consumes threat intelligence and converts that into actionable intelligence that can be applied to a SIEM or other tool. It is easy to configure and has a rich feature set at the executive, system operator and analyst levels.

There is a lot to do and see here, and the complexity of the threatspace is reflected somewhat in the system and its tools.

So, our bottom line here is this is a notable tool and certainly one of the best integrations of intelligence and security stack management we’ve seen. However, it is not for the faint-hearted. But then, playing in today’s threatscape isn’t either.

FireEye Threat Intelligence is part of the overall FireEye suite of security products. It is, in fact, the primary intelligence component and is used to help drive other FireEye products providing active blocking at networks, endpoints and mobile devices. The service – available as a subscription – has three available levels: Dynamic Threat Intelligence (DTI), Advanced Threat Intelligence (ATI) and Advanced Threat Intelligence Plus (ATI+). The differences among these three services are largely based on the level of detail in the reports you receive and the number of included services. In addition to proactive notifications and alerts, there is a portal from which users can access significant threat intelligence and conduct their own research.

The resources are prodigious. The system conducts more than 50 billion virtual machine analyses per day, including 400,000 unique malware samples and more than one billion non-malware events. This all is possible due to FireEye’s deep insertion into the global threatscape. We liked that it updates every hour. With the speed at which cybercrime is moving, that level of update frequency is not, by any means, overkill.

The relationships of the three levels of service to each other are part of the strength of the threat intelligence suite. DTI largely is a machine-to-machine connection that enables detection and response when connected to the FireEye products. By adding ATI, you add context.

Users access the Threat Intelligence system through the FireEye Intel Center. This is a way to get direct intelligence from FireEye and gives users the ability to document, manage and share their own intelligence with other users. In the Intel Center users can look at current threats and drill down for more information.

The primary focus of the FireEye system is malware and that is, in today’s threatscape, appropriate. However, the company does collect considerable data on non-malware-based attacks and exploits. By combining these two attack types users can get a comprehensive view of the threatscape as it applies to them. Tying the threatscape to the user’s enterprise infrastructure is a powerful step in proactively protecting the enterprise data.

As users interact with the portal a lot of things go on under the covers. For example, as new threats, malwares and hostile addresses, URLs and domains are researched, the FireEye system creates encyclopedia entries. This adds to the knowledge base and gives the analyst more to work with. Malware that the user discovers can be submitted to the FireEye sandbox for analysis.

FireEye Threat Intelligence


DETAILS

Product Threat Intelligence

Company FireEye https://www.fireeye.com/

Price Depends on services ordered.

What it does Cyber threat intelligence and proactive threat-based management of FireEye network security tools.

OUR BOTTOM LINE

FireEye is a venerable player in the threat analysis and response space. With its acquisition of Mandiant they have added materially to their knowledge base, and users of the Threat Intelligence system benefit by that.

We had the impression that the availability of ATI and ATI+ depended on having the rest of the FireEye network protection system in place since those modules include DTI.

This is an extremely powerful system for gathering, analyzing and acting on cyberthreat intelligence. The wealth of available data is impressive and FireEye is an experienced player with a heavy recorded history of data going back 10 years or more. We do wish, however, that this wealth of analytical power was readily available as a standalone service for threat analysts who are not necessarily part of a network defense team.


This is a company that, starting in 2007, decided that it could make the security stack better and more responsive to risks by integrating intelligence into the security management process. This is not to say that iSight has not addressed the cyber threat intelligence analyst. Simply, it has done that and more. There are two aspects to the iSight product: the portal and the API.

The entire process – through the portal or via the API – originates in the ThreatScape Intelligence Platform (TIP). This platform feeds the cloud and provides the data that users access one way or another. iSight employs a large global research team so that intelligence comes from, among other places, boots on the ground in the various locales where cyberthreats are originating. To do that, the company has more than 200 experts in 16 countries working in 24 languages. These operatives follow cyber crime, cyber espionage, hacktivism, threats to the enterprise and critical infrastructure, and vulnerabilities and exploits.

ThreatScape deliverables include reports, direct access to the cloud through the MySight Portal, and dedicated client support. If you deploy the API, you also get a good number of out-of-the-box integrations with such tools as CheckPoint, ArcSight, Palantir and RSA Archer eGRC.

The MySight portal provides categorized information on the classifications above and allows drill-down for greater details. There are about 100 available reports per day so finding that which could impact your organization likely is a given. These more detailed classifications are viewed in the context of three basic types of intelligence: threats, malware and vulnerabilities. These classifications are what the company calls ThreatScapes.

One ThreatScape particularly addresses such things as fraud and underground marketplaces – think Silk Road. For an organization such as a financial services company, the Cyber Crime ThreatScape is very important. The other ThreatScapes are equally detailed and focused.

The API provides threat intelligence input into other threat analysis tools, as well as tools that in one way or another manage the security stack. For example, connecting to Splunk provides additional information about addresses and domains that are recognized by Splunk as it collects security information on the enterprise. That additional information appears directly on the Splunk desktop. For other tools, the API provides the ability to block or alert, help prioritize patch management and support incident analysis.

iSIGHT Partners

ThreatScape


DETAILS

Product ThreatScape

Company iSIGHT Partners http://www.isightpartners.com

Price Varies depending on deployment.

What it does Adds a lot of value to your security stack by applying threat intelligence. Provides a prodigious amount of extremely useful research, much of it from analysts around the globe.

OUR BOTTOM LINE

This is a really competent add-in for your existing security stack, as well as a very good analyst’s tool in itself. The reporting is rich and its ability to add value to the elements of your security stack is impressive. We liked the extensive reporting.

We would like to have some sort of indexing or way that we could teach it to go for the explicit issues that interest us. Perhaps there is a way to do this but we did not see it.

This is a tool that you absolutely need to look at. In the fast-moving world of cyberintelligence you never can have too many – or, perhaps, enough – good tools. This one adds real value to your analysis and to your security stack.

These guys are really interesting. We first came across them some time ago when we needed an impressive way to open a talk on cybersecurity. We found their attack map and started digging into what they had. If you think the map is cool, consider data centers in 140 countries and tens of terabytes per day of data that they are analyzing. All of this is focused in the Norse DarkMatter Platform. DarkMatter collects data from sensors, geolocation, open source and a wide variety of other sources. It then uses advanced Big Data analytics to make sense of the massive amounts of data and then makes the analyses available to Norse customers in a variety of ways.

The deeper we dug into the Norse DarkWatch product the more impressed we were. Of course we expected honeypots. And Norse does use low interaction honeypots, but they account for only about 20 percent of the total data gathered. Additionally, using a tool it calls Anon-Proxy, Norse is watching somewhere around 200,000 TOR exit nodes on a daily basis. If you need a lot of cyber threat intelligence, this is a good way to get it.

Access to Norse data is through the firm’s API or through its portal. The Norse DarkWatch appliance is a pretty impressive tool itself. It updates from the same DarkMatter fire hose every five seconds and can alert or block. The dashboard for DarkWatch is straightforward and typical of dashboards we all are used to seeing. It is pretty plain but clearly laid out, and drill-down can get you just about anything you need.

Of course the key to ease of use is the drill-down capability. Drilling down from the main interface you can get to a lot of data, smartly arranged and nicely categorized. Finding malicious sites, crawling for new malware and developing analyses is an ongoing task and with the frequent updates to the device all of that is available to the user. An interesting example of this is capture of domains created using domain-generation algorithms sometimes thought of as polymorphic URL algorithms.

DarkWatch is a policy-driven device. That means that users can develop or modify policies that are created and delivered by the policy engine. DarkWatch’s policy engine is easy to use and very flexible. Setting up a policy is a matter of a few mouse clicks to define what you want to do, to what you want to do it and when you want the policy to kick in. A single web page on the web interface has everything you need. Actions can be blocked, alerts can be sent or simple notification is available if that is all you want for a particular event.

Norse DarkWatch


DETAILS

Product DarkWatch

Company Norse http://norse-corp.com

Price $50,000.

What it does Threat intelligence appliance that ties the Norse DarkMatter infrastructure to your network.

OUR BOTTOM LINE

This is the Cadillac of cyberthreat assessment tools. It is big, complete and it does just about everything you could want. Its user interface is well-organized and its data sources are extensive. DarkWatch comes as an appliance or as a virtual appliance but beware: the virtual appliance is power-hungry.

This is one you should take very seriously. Typically we look for warts. In this case, though, we found none. The Norse product suite is, as a whole, a sort of benchmark if there is such a thing in this product space – and it is well worth your attention.

DarkWatch, DarkViking and DarkList all add to the benefits that Norse customers can take advantage of but they all have in common the DarkMatter Platform. That is the secret sauce and pretty tasty it is, at that. The IPViking attack map is pretty cool, too.


OpenDNS is an interesting concept. It offers two choices for users: no-cost for personal use and a paid version for commercial use. The idea behind OpenDNS is that the company provides an assured, independent, secure set of domain name servers. When top-level domain servers are compromised by attacks such as cache poisoning, OpenDNS servers can be relied on to provide safe domain name service.

As a result, engineers at OpenDNS have developed tools they use to manage, monitor and investigate potential cyberthreats, especially those that impact name servers directly. One of those tools is Investigate.

The purpose for Investigate is simple, although its use can become complicated and tedious depending on what you want to know and whether you are running the tool manually or from the API. But, we are getting a bit ahead of ourselves and giving, perhaps, the impression that this is an incomplete or poorly thought-out tool. In fact, nothing could be further from the truth.

To apply Investigate in its manual mode, we start with a known address. Let’s be specific. Recently we received four IP addresses that had appeared at the gateway of one of our industry partners. Associated with those addresses was a persistent vulnerability scanning effort. Rather than simply the expected knob-twisting we all experience daily, this appeared to be a concerted effort to find a weakness and it appeared to be automated. What to do?

We took the first of the four addresses and fed it to Investigate. No threats reported. OK…on to the next. We went through three before we hit pay dirt. This showed that it was a fast flux network. Scrolling down a bit we found hundreds of IPs that were part of the network. DNS checks on several of these IPs gave back nothing. Traceroute gave back nothing. It looked like a fast flux botnet. Its URL suggested use of a domain-generating algorithm.

Next we looked at the domains hosted under this IP. There were six. Each one was also a fast flux with huge numbers of unidentifiable addresses attached. Our conclusion was that this posed a potential problem and we told our partner not to bother blocking the IPs. Rather, block the domains. We gave them a domain list and that ended the problem.

All of this took about two hours using Investigate only – and only in its manual mode. We manually mapped out a suspected botnet architecture. Deployed as an API we would have had the task finished in seconds. This is a threat analyst’s tool par excellence. We designate OpenDNS Investigate with an SC Lab Approved rating.
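The pivot the lab walked through by hand (suspect IP, the domains hosted on it, the address pools behind those domains, then block the domains rather than the rotating IPs) as an added Python example; this is not OpenDNS code, and the passive-DNS records, suspect addresses and domain names are constructed sample data standing in for what Investigate or any passive-DNS source would return.

```python
"""Pivot from suspect IPs to the domains they host and on to the address
pools behind those domains, then decide what to block.

Added example modelled on the manual Investigate walk-through above; it is
not OpenDNS code, and every record below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ARecord:
    """One observed A record: domain resolved to ip with the given TTL."""
    domain: str
    ip: str
    ttl: int  # seconds


# Constructed: the four addresses "seen at the partner's gateway".
SUSPECT_IPS = ["192.0.2.7", "192.0.2.8", "192.0.2.9", "192.0.2.10"]

# Constructed DGA-looking names; six domains, as in the walk-through.
FLUX_DOMAINS = ["xk3j9qzt.example", "p0v8wm2r.example", "q7ndh5ya.example",
                "b2tr6kxc.example", "m9zlw4ef.example", "h3cs8yqn.example"]


def build_sample_pdns():
    """Constructed passive-DNS observations (not real data)."""
    records = [
        # 192.0.2.8 hosts one stable, long-TTL domain: nothing flux-like.
        ARecord("static-cdn.example", "192.0.2.8", 86400),
    ]
    # 192.0.2.9 hosts six domains that each rotate through 40 short-TTL
    # addresses; the pools overlap, as they would in one shared botnet.
    for n, domain in enumerate(FLUX_DOMAINS):
        records.append(ARecord(domain, "192.0.2.9", 60))
        for i in range(40):
            records.append(ARecord(domain, f"198.51.100.{n * 25 + i + 1}", 60))
    return records


def index_records(records):
    """Build ip -> domains, domain -> ips and domain -> lowest TTL seen."""
    by_ip, by_domain, min_ttl = defaultdict(set), defaultdict(set), {}
    for r in records:
        by_ip[r.ip].add(r.domain)
        by_domain[r.domain].add(r.ip)
        min_ttl[r.domain] = min(r.ttl, min_ttl.get(r.domain, r.ttl))
    return by_ip, by_domain, min_ttl


def is_fast_flux(ips, ttl, min_ips=10, max_ttl=300):
    """Heuristic: many distinct addresses behind one name, all short-lived."""
    return len(ips) >= min_ips and ttl <= max_ttl


def pivot(records, suspect_ips, min_ips=10, max_ttl=300):
    """Walk each suspect IP: IP -> hosted domains -> their address pools.

    Returns per-IP findings, the domains worth blocking and how many
    addresses those domains rotate through (why blocking IPs is futile).
    """
    by_ip, by_domain, min_ttl = index_records(records)
    findings, block_domains, footprint = {}, set(), set()
    for ip in suspect_ips:
        domains = by_ip.get(ip, set())
        if not domains:
            findings[ip] = "no threats reported"
            continue
        flux = {d for d in domains
                if is_fast_flux(by_domain[d], min_ttl[d], min_ips, max_ttl)}
        if not flux:
            findings[ip] = "hosts stable domains only"
            continue
        findings[ip] = f"fast flux: {len(flux)} domains"
        block_domains |= flux
        for d in flux:
            footprint |= by_domain[d]
    return {"findings": findings,
            "block_domains": sorted(block_domains),
            "flux_ip_count": len(footprint)}


if __name__ == "__main__":
    result = pivot(build_sample_pdns(), SUSPECT_IPS)
    for ip, note in result["findings"].items():
        print(f"{ip:12} {note}")
    print(f"block {len(result['block_domains'])} domains rather than "
          f"{result['flux_ip_count']} rotating addresses")
```

With the constructed data the third address is the hit, its six domains go on the block list, and the 166 addresses behind them are reported only to show why an IP blocklist would not hold.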

OpenDNS Investigate


DETAILS

Product Investigate

Company OpenDNS http://www.opendns.com

Price Starts at $150K per year based on use and volume.

What it does Threat intelligence derived from more than one billion DNS requests per day through the OpenDNS system.

OUR BOTTOM LINE

Investigate is a must-have for your threat analysis toolkit. Our technique of pivoting off of the suspect domain to uncover a potentially malicious architecture is greatly enhanced by Investigate. It provides the context for a solid analysis of a potential threat.

However, unless you really like playing with it, and we do, you are far better off to deploy the API.

You need this tool but it really belongs in your data protection workflow where it can automate the process of hunting and can dig deeply through large suspicious networks of just about any ilk. So we recommend the API. Of course, it wouldn’t hurt to get a license or two of the manual version for the geeks who really like to dig into threat analysis.

This is one of the open source intelligence services that really fits well into the cyberpicture. Open source intelligence takes several forms, from websites to blogs, research papers and other publicly available sources. Recorded Future’s strength decidedly is its deep reach into the cyberworld.

Recorded Future accesses more than 600,000 sources and the firm adds new ones regularly. One of the unique aspects of this company is that rather than depending on users to access and pull down data, they push it so that users are receiving what is needed when needed. The company has several mechanisms for this. One that we have been using here in the labs is its Cyber Daily report.

Cyber Daily recognizes the 80/20 rule: 80 percent of what you need is in the top 20 percent of what you read. It gives me just three things: Top suspicious IP addresses, top exploited vulnerabilities (in CVE and other formats), and top vulnerabilities in CVE format. The top vulnerabilities, as reported across the internet, may not be the same as the top exploited vulnerabilities. Having both lets us prepare for the near future and respond to something that may hit us now.

Tying these two categories back to suspicious IPs lets you apply intelligence where you need it, only where you need it and right now. We collect the IPs, for example, and follow them for trending. As we see relationships between IPs and vulnerabilities in the form of specific exploits that we get elsewhere we can begin to build up a threat architecture. We start to know what we need to block.

The Recorded Future threat dashboard is reminiscent of vulnerability and risk dashboards that we all are used to seeing. It contains excellent filters, good visualization and multiple ways of representing, parsing and displaying the threatscape. Drill-downs let you develop your own reports on such things as the technical indicators for a particular malware or attack campaign. You can develop graphical representations of the evolution of an exploit kit across the internet over time, watching the periodic spikes of activity.

Recorded Future follows more than 100 specific event types and is available in seven languages, including Arabic and Chinese. This means that exploit discussions in these languages now are accessible to speakers of other languages.

Recorded Future is a SaaS offering with more than 300 virtual machines in its cloud. The classification system is based on a sophisticated ontology and the emphasis on the technical aspects of cybercampaigns is clear and put to excellent use.

Recorded Future

Cyber


DETAILS

Product Cyber

Company Recorded Future https://www.recordedfuture.com/

Price Varies by configuration and number of seats.

What it does Open source cyber intelligence focusing on the technical aspects of the cyberthreatscape over the web.

OUR BOTTOM LINE

This is a solid, technically oriented open source intelligence service. It has the advantage of pushing critical data to you and is easily configurable to get to where you need to be on a custom level.

Given the types of technical information it collects, it is not too far a stretch to take that information and apply it directly to the infrastructure to assist in blocking rogue domains.

This is a first-rate, technically focused open source intelligence tool that plucks the wheat from the chaff. However, we believe there is a huge opportunity here to take the first steps toward proactive automation of the security configuration as an intelligence management system (think patch management in the vulnerability space and translate that into the threatscape). We like this one enough to grant it SC Lab Approved.


This is another open source intelligence tool with its own twist. We like the twist enough for us to designate them SC Labs Approved. The twist? Silobreaker started life looking at an open source intelligence landscape that had little or nothing to do with cyberthreats. A UK company, it built its focus on general open source intelligence gathering over the internet and became a solid service with significant reach and analytical capability. It is a real workhorse in our intelligence analysis tasks.

The biggest benefit that Silobreaker gives us is that it is not cyberspecific. The biggest issue in applying open source intelligence is context. Silobreaker helps provide context. It is a cloud-based service and is accessed via a web interface. The interface is straightforward and configuration, while not exactly intuitive, isn’t all that difficult.

The tool has a lot of resources that it uses to gather information. Its 400,000-plus sources include blogs, web pages, social media, research reports and quite a few other types. One unique feature of the tool is its ability to create custom dashboards extremely quickly. You can create dashboards that are the basis for ongoing monitoring or you can create dashboards on the fly to answer a particular question.

For example, we needed to get a quick understanding of a particular botnet from which we were beginning to see activity. Within less than 10 minutes we had a dashboard that gave both an historical and a current trending view of the important factors in the problem. Because Silobreaker explicitly follows well over 200 specific hacker groups, context is fairly simple to develop for any given problem that revolves around hacking, ops or other types of cyberattack campaigns.

There are several widgets that you can use to create dashboards and you can develop your own core data sets as well. For example, you can create a list – for the project mentioned, we created a list of all of the prevalent exploit kits. We can play that against a list of malware that Silobreaker maintains.

So if we are looking at exploit kits and malware, and a particular exploit kit uses a particular malware that connection will show up on the network. You can then drill down all the way to the indexed source documents.

A big benefit of the tool is its ability to track trends. We can look at a list and see what elements of the list are trending hot or cold (increase or decrease in hits over the internet) in a sliding one-day or seven-day window. We also can see the specific number of hits in those two windows.


DETAILS

Product Silobreaker

Company Silobreaker http://www.silobreaker.com

Price Company subscriptions start at $25,000 per year.

What it does Solid open source intelligence gathering and analysis tool that brings non-cyber context to cyber threat intelligence analysis.

OUR BOTTOM LINE

This is a general open source intelligence tool with a solid, though not extensive, focus on cyberintelligence. It is, however, extremely strong in providing context between cyber and non-cyber issues.

It ties cyber intelligence to non-cyber intelligence. It has a lot of internet resources, the ability to build custom dashboards quickly and relatively easily, and it is a fine tool if you are a bit creative.

We believe that increasing focus on cyberissues is an important next step, especially in this marketplace where the focus on cyberintelligence is important. Just as important in our view, though, is the ability to glean context from non-cyber issues that impact cyberattacks. These issues, such as politics and economics, play significantly but not always obviously in the cyberworld.

This is, perhaps, the most unusual of the products we looked at this month. While we certainly do characterize this tool as a threat intelligence tool – and a very good one at that – it has a special capability, as one might guess from the name: SurfWatch C-Suite. This tool was born and bred to provide the types of cyber threat intelligence that executives need in a format they can use. The C-Suite portal is the front-end for an impressive intelligence gathering and analysis framework.

This orientation is obvious. From the moment you fire up the SurfWatch portal you are shown the types of questions that executive leadership needs to have answered: What is the cyber risk to my industry sector? What cyber risks are trending? Who’s being affected? How does my cyber defense strategy align with the leading risks to my industry? What is the full picture of cyber risk to my industry? And are there breaking events for my sector that I should pay attention to right now? This approach is not surprising since the founders came from the intelligence community and are focused on actionable intelligence at various levels within the organization.

The upshot of the tool’s simplicity is that executive users need to consume all of the critical information and none of the chaff in a brief scan of resources. In short, they need to be equipped to ask the right questions of the right people in their organizations. C-Suite admirably provides that level of knowledge. One of the important keys in executive boardrooms is that one size does not fit all. Some leadership may be sufficiently technical and interested enough to dig a bit deeper than the surface. Some may prefer the 40,000-foot level. C-Suite offers both extremes and a lot in the middle.

Drill-downs are the key element of a system that is sort of self-customizable. By that we mean that the user can set the level of detail deciding how deep a dive they want to take. It is not necessary to call the IT department just to slightly alter a dashboard.

The process starts with the development of your profile. That means information about your business, what industry you are in, who your customers and end-users are, and the role of brand recognition. Once that is done the tool starts to gather information that is useful to you. One of those is the Cyberfact Timeline. This shows what is happening – relative to your profile – as events on a timeline. Besides showing clearly when activity is happening, this timeline allows you to drill down and see details, such as the top 10 related actors, targets or effects.

SurfWatch Labs C-Suite

www.scmagazine.com • February 2015 • SC 47

EMERGING PRODUCTS Threat intelligence

DETAILS

Product: C-Suite

Company: SurfWatch Labs, https://www.surfwatchlabs.com/

Price: Starts at $10,000 for a single license based on annual subscriptions.

What it does: Provides a distilled view of cyber threat intelligence in a format useful to executive management.

OUR BOTTOM LINE

This is a very good threat intelligence tool where almost all of the threat sources and analytics are under the covers. It is particularly designed for executive management and contains only the types of information and risks that these folks need to make important decisions. Addressing such things as budgets relative to cyber risk is the core of what top executives need to be able to do.

If you need to communicate key indicators of cyber risk to management in a way that not only makes sense at the executive level but allows managers to tune what they get to suit their own needs, take a long look at C-Suite. We were tempted to look for a bit more technical depth until we realized that SurfWatch has done a good job of keeping all of that hidden – which, of course, does not mean it’s not there.


LAB APPROVED


ThreatStream’s Optic is a cyber-threat intelligence platform that manages the lifecycle of threat intelligence via integration across an enterprise’s security infrastructure. It’s a SaaS-based platform that users access via a web-based portal. Adding OpticLink, a software package that can be optionally installed on customers’ premises, automates the process to operationalize risk-scored and actionable threat intelligence into the existing security infrastructure.

ThreatStream has a lot of neat functionality beyond the obvious benefits of a direct intelligence-to-infrastructure connection. For example, partners can create connectors that are provided through ThreatStream’s Alliance Preferred Partner (APP) store. The organization pioneered the use of the modern honeynet network.

OpticLink goes on devices on which users want to take advantage of intelligence feeds from ThreatStream. The architecture is interesting in that it constitutes a set of connectors that can consume intelligence data from a number of suppliers. Also, it can apply its analytics to devices, also from a number of suppliers. The intelligence platform tracks about four million indicators and it uses 50 factors to determine the applicability of an indicator to the user’s infrastructure.

ThreatStream does not stop with IPs or malware, either. There is a significant threat analysis capability that reaches past malware to such things as ops from organizations such as Anonymous.

Sometimes, threats are of a sort that is particularly applicable to an organization because of who they are, what they do or the business or government sector in which they operate. In that case, it is convenient to track certain types of threat intelligence on an ongoing basis and, perhaps, share that with others in the organization. ThreatStream has a tool called TIP – Threat Intelligence Package – for that. You can create your own TIP and share it with trusted circles.

For example, you might be part of an Information Sharing and Analysis Center (ISAC) and want to share your TIP with other members since it might apply to all of them. You can classify your TIP as public, private or trusted circles. Further, as in many similar products, ThreatStream has a powerful sandbox. We were impressed by the level of detail its sandbox produces. Finally, there are more than 100 threat streams available out of the box, but you can add your own feeds. ThreatStream will do the connection so you can be sure that everything matches your platform. Reporting is comprehensive and you have sole control over what is in the reports.

ThreatStream Optic Platform


DETAILS

Product: Optic Platform

Company: ThreatStream, http://threatstream.com/platform

Price: Starts at $50,000.

What it does: Acts as the middle of the overall threat-managed security in an enterprise. It collects threat intelligence and uses it to manage security devices on the enterprise.

OUR BOTTOM LINE

This is a solid integration of lots of threat sources and enterprise security tools. It takes threat intelligence and uses it to configure, manage and alert. The founder of ThreatStream came from ArcSight so there is a solid history behind this two-year-old company.

This is a worthwhile system to explore. While it runs pretty much on its own steam, so to speak, keeping new threat streams feeding into it requires some dedication from analysts and security engineers. When the threatscape changes as rapidly as what we are used to seeing today, having ThreatStream is a first-rate proactive defense. However, in such a changing environment it would be a mistake to “set and forget.”


FEBRUARY

» SANS Scottsdale 2015, Feb. 16-21. SANS is bringing its top IT security courses back to Arizona. Venue: Scottsdale, Ariz. Contact: sans.org/info/166122

» DFIRCON West 2015, Feb. 23-28. This Digital Forensics and Incident Response (DFIR) themed training event brings SANS’s forensic courses, instructors and bonus seminars together. Venue: Monterey, Calif. Contact: sans.org/info/167347

MARCH

» Cyber Guardian 2015, March 2-7. The fifth annual SANS Cyber Guardian event features two Cyber Guardian Baseline courses and a Blue Team course. Venue: Baltimore. Contact: sans.org/info/167352

» Boston SecureWorld, March 4-5. This gathering offers two days of cybersecurity education. Earn 12-16 CPE credits, network with industry peers and partake in 60+ educational elements. There will be four keynote speakers – including William Evans, police commissioner of the Boston Police Department – industry expert panels, plus a variety of security vendors and solutions. Venue: Boston. Contact: secureworldexpo.com/boston/home

APRIL

» INTERPOL World 2015, April 14-16. INTERPOL World is a new international security event that will showcase innovation, potential and joint achievements among the public and private sectors in the security arena. It will address the rising demand for technology and capacity building to meet real global security challenges. It will focus on cybersecurity, border management, safe cities and supply chain security. Venue: Singapore. Contact: cloudsecurityalliance.org/events/#_industry

» RSA Conference, April 20-24. This year’s gathering is dedicated to leading-edge information security topics, including data breaches, threats, compliance, social engineering, cloud, risk management, applications, mobile, governance, data, legislation, policy, law, cryptography and identity management. Venue: San Francisco. Contact: rsaconference.com

MAY

» SANS Security West 2015, May 4-12, 2015. SANS Security West 2015 will focus on emerging trends and will feature related evening talks and a star-studded, interactive panel discussion on the future of cybersecurity. Attendees will have the opportunity to take courses from top SANS instructors and real-world practitioners who can ensure you not only learn the material, but that you can apply it immediately when you return to the office. Venue: San Diego. Contact: sans.org/info/171472

JUNE

» Infosecurity Europe 2015, June 2-4. Infosecurity Europe addresses the latest challenges in information security to provide attendees with business critical insight, best practice and practical case studies. Speakers include information security thought-leaders from public and private sector end-users, policy-makers and government, analysts, industry experts, service providers and vendors. More than 345 exhibitors will be on the expo floor and more than 100 hours of free education offered. Venue: London. Contact: infosec.co.uk

» Portland SecureWorld, June 17. This gathering offers a full day of cybersecurity education. Attendees can earn six-to-eight CPE credits, network with industry peers, partake in any of 30+ educational elements. Also on offer, keynote speakers, industry expert panels, plus a variety of security vendors and solutions. Venue: Portland, Ore. Contact: secureworldexpo.com/portland/home

Events & Seminars. Start here for a calendar of events. To have your event included, contact [email protected]

ADVERTISER INDEX

Company | Page | URL

AT&T | Inside Front Cover | att.com

SC Awards | 7 | awards.scmagazine.com

SC Congress | 51 | congress.scmagazine.com

SC Magazine White Paper Library | 5 | whitepapers.scmagazineus.com

SC Magazine | Inside Back Cover | scmagazine.com


» SC Congress Toronto, June 10-11. SC Congress Toronto returns for another exciting two-day program. We’re bringing together leaders in the information security industry in both the public and private domains, particularly based in Canada. You will have a chance to walk our expo floor exploring the latest trends and products best suited for your company, as well as sit in on keynote and breakout sessions. Don’t miss this opportunity to earn nine CPE credits, network with other information security professionals, and better equip yourself to stay ahead of the pack. Venue: Toronto. Contact: congress.scmagazine.com/page.cfm/link=10

» SC Congress London, March 3. SC Congress returns to London for another exciting one-day program. We’re bringing together leaders in the information security industry in both the public and private domains, particularly based in the U.K. and EU. You will have a chance to walk our expo floor exploring the latest trends and products best suited for your company, as well as sit in on keynote and breakout sessions. Don’t miss this opportunity to network with other information security professionals, and better equip yourself to stay ahead of the pack. Venue: London. Contact: congress.scmagazine.com/page.cfm/link=94

Our security model is broken and needs to be revamped. If JP Morgan – with a budget of $250 million and 1,000 security professionals – cannot stop or detect a major security breach, there is little hope for the rest of us. Unless something changes.

We need granular encryption of personal information at rest and in transit everywhere; second-factor authentication, including system administrators; better privilege-access controls; continuous vulnerability monitoring; and prescriptive security regulations. Now!

There have been a slew of high-profile security breaches recently, including the JPMorgan Chase security breach. The financial institution has more than 1,000 security pros on staff. If JP Morgan can be breached, then what does that mean for the rest of the enterprises in the U.S.? It means that everyone is susceptible to major breaches, no one is safe.

Why? Because our security model is broken. Too often, critical baseline security safeguards are not implemented. And, of course, risk-based regulations are not helping.

We must change our business security model. Specifically, all known security breaches either exploit some vulnerability to install malware and/or obtain escalated user access privileges to gain access to sensitive data. A breach occurs and goes undetected because critical security safeguards are not in place to mitigate these breaches.

Preventive security safeguards that should have been implemented yesterday need to be deployed today – without debate about risk since we know the results of that approach.

Specifically, second-factor authentication, something you know and have or are, needs to be utilized both over external and internal networks for all staff, vendors and customers. We all know that password-based authentication was obsolete 10 years ago. Sensitive data encryption at rest needs to be pervasively implemented at a granular level so that all data access is limited, even for privileged users. Too often, encryption is implemented at the disk or database level, not at the field level.

As well, privileged access monitoring and controls need to be in place to effectively limit usage to the minimum and to monitor or review the use of privileged accounts.

And, continuous vulnerability monitoring should be occurring over the whole network, not at arbitrary intervals on some network segment.

These critical controls should be in place wherever sensitive information is stored and processed.

We need better and prescriptive security regulations. Current regulations are interpretative, based on judgmental risk assessments by the enterprise, and many rely on self-compliance.

Security risk assessments are often performed by unqualified individuals and often used to justify not doing anything because “it never happened before,” or “I will assume the risk,” etc. Too many enterprises do the minimum necessary to comply with regulations.

We need security regulations that specifically prescribe necessary technical controls and remove ambiguities.

Finally, compliance with security regulations should be enforced and have monetary consequences if not complied with, similar to consumer product protection safeguards regulated by state and federal agencies.

If the dimensions and the frequency of security breaches, whether driven by cybercriminals or government-sponsored, are to subside, we need a new security model. We need to deploy technical security safeguards that address today’s threats and we need more prescriptive security regulations.

Craig Shumard is principal of Shumard and Associates, a security consulting firm.

Last Word

The security model is broken

“Safeguards that should have been implemented yesterday need to be deployed today.”

Every enterprise is susceptible to a breach, unless..., by Craig Shumard.


March 3, 2015 June 17-18, 2015

Visit Congress.SCMagazine.com for more information

Unprecedented Networking Opportunities * Innovative Content * Best in Class Exhibition Hall * CPE Credits

Mark your calendars!

Cyber security thought leaders will be there...

Will you?


BROAD BRAND

SC Magazine, the source for IT security pros, delivers the content you need in a myriad of ways. Receive the latest industry news, analysis, whitepapers, ebooks and product reviews on your phone, computer, tablet or via the print magazine. You get the picture…

scmagazine.com
