#RSAC2017 Special Feature - RSA APJ Conference Promotion


EVERYTHING CYBERSECURITY. ALL IN ONE PLACE. RSA Conference 2017 Asia Pacific & Japan is the only event you need to stay at the forefront of global and regional issues. Learn from the best and brightest minds in expert-led sessions covering all aspects of cybersecurity. Experience visionary keynotes and discover where the industry is headed. Fine tune your skills in immersive tutorials. And demo the most advanced products and solutions. Register now for the chance to save! Be one of the first 50 registrants to use discount code 5A7MYSECFCD and you’ll save S$100 off a Full Conference Pass. Go to www.rsaconference.com/ACSM and register today!

Follow us on: #RSAC Stay up to date on the latest news, special offers and updates about our worldwide events. Sign up at https://go.rsaconference.com/emailsignup


Majority of attacks target well-known vulnerabilities.

Security patches close vulnerabilities that can be exploited by hackers to gain access to machines and systems for multiple malicious purposes, such as stealing personal information and stealing confidential files, among other things. Vast research shows that unpatched software remains one of the most prevalent factors in cyber-attacks targeting organisations. So patching is more than essential! Take the recent “WannaCry” ransomware attack. While many discuss whether their anti-virus could have stopped the attack, the plain facts are:

• This attack used a vulnerability in a component of Windows and Windows Server that was patched by Microsoft two months before the attack happened!
• The vulnerability was part of the recent NSA leak, a highly publicised scandal, and not an obscure vulnerability that no one had heard of before.
• Applying the patch would have prevented any successful attack.

In line with the Australian Signals Directorate (ASD)

The ASD lists patching applications and patching systems as two of the “Top 4” mitigation activities capable of stopping 85% of attacker techniques. These Top 4 mitigation strategies for targeted cyber intrusions have been mandatory for Australian Government organisations since April 2013.

The challenge of security patching

If we all know patching is important, why do we continue to see security incidents and data breaches associated with exploitation of well-known vulnerabilities?

77.5% of vulnerabilities in the most common applications are in the non-Microsoft apps!

The main reason is the gap between IT Security and IT Operations. Normally, those in charge of scanning for vulnerabilities (IT Security teams) are not in charge of applying patches (typically done by IT Operations); therefore, it is common that both groups don’t understand each other’s challenges and the gaps in the technologies they use. Then technology integration is commonly poor so it is impossible to build reliable processes using disparate technologies. Lastly IT Operations teams often do not have performance measures associated with applying security patches, and do not have tools to support making the right decisions when it comes to applying patches.

85% of vulnerabilities have a patch available at the time of public disclosure.

A strategic software vulnerability management solution is required to bridge the gaps in vulnerability management processes.

The solution: Software Vulnerability Manager

Software Vulnerability Manager empowers IT Security and Operations with intelligence to continuously track, identify and remediate vulnerable applications – before exploitation leads to costly breaches. It enables SecOps initiatives by providing verified intelligence by Secunia Research, timely vulnerability advisories, accurate assessment and security patches, all in a single console. This approach effectively reduces the attack surface for cybercriminals by accelerating identification of vulnerable applications, driving prioritisation and reducing time to mitigation. To talk further about bridging the vulnerability gaps in your organisation or improving your patch management processes, please contact us at www.flexerasoftware.com or on +61 3 9895 2000.


Hackers don’t need ZERO-DAY vulnerabilities. There are plenty of neglected unpatched vulnerabilities to target.

Reimagining the way software is Bought, Sold, Managed & Secured

www.flexerasoftware.com


RSA CONFERENCE 2017 FEATURE REVIEW

THE BIGGEST ‘MUST GO’ CYBERSECURITY SHOW ON EARTH - PART 1 Editor’s RSA Conference 2017 Review & Austrade Cyber Security Trade Mission

// KEYNOTE TAKE-AWAYS

RSA is named after Rivest, Shamir and Adleman, the three inventors of public-key encryption technology. The RSA Conference is therefore, unsurprisingly, the event where cyber trends are set and security deals are made. Held in San Francisco, on the doorstep of Silicon Valley, the RSA Conference is recognised as the largest cybersecurity gathering on the planet and is a ‘must-go’, vendor-rich cybersecurity conference. The impact is obvious across the city. Bus stops, billboards and key advertising locations are taken up by the likes of Cisco, HP, McAfee and Ixia. Purple RSA lanyards are proudly worn by up to 45,000 technology and security professionals, entrepreneurs, businesses and support staff as they crisscross the city, to and from hotels, meetings and micro-events. All this creates a dominant presence and a city-wide ‘cybersecurity’ buzz. Even passing former RSA Security CEO Art Coviello at pre-registration, and the early appearance of Michael Dell, both at the pre-event media and analyst function and on stage for the opening morning keynote, gave an initial and suitable appreciation of the importance of RSA Conference 2017 and what it will contribute to the global cybersecurity sector. Opening with a monologue by actor John Lithgow, contemplating a world without security and without trust, naturally heightened the experience and created a ‘rock concert’ vibe. This adds to the natural spectacle, entertains and captivates the audience, and gets them ready to listen.

4 | Australian Cyber Security Magazine

// PLAN FOR CHAOS

Michael Dell & Dr Zulfikar Ramzan, Opening Keynote Address

“Embrace uncertainty and difficulty because human nature drives towards chaos. Chaos forces progress that can be painful and in these moments, our darkest and hardest, we have to stop and look in the mirror and ask ‘what am I made of?’” Dr Zulfikar Ramzan, RSA’s Chief Technology Officer, opened with a message speaking to the thousands of ‘individuals’ in the room. The message being “don’t draw lines, draw connections.” Directed towards the conference theme of ‘business-driven security’, whether it’s developing code, writing policies, managing teams or running businesses, today you need to be a business-driven security leader, living up to the expectations and redrawing the boundaries. Referring to the ‘butterfly effect’, Dr Ramzan highlighted the potential for big consequences when playing with large, integrated, complex systems, such as the idea of a foreign government setting out to influence a democratic federal election. The problem is not the immediate impact but the long-term ripple effect. “Ripples move faster and wider now with connected devices and we are fighting against human ingenuity, which is a powerful thing. Innovations create ripples. Start by adopting a business security strategy and establishing the ‘gap of grief’. Business leaders want to understand the pay-off. First treat risk as a science and use scenario analysis - ask what if!” But as acknowledged, with a reference to Niels Bohr, ‘prediction is very difficult, especially about the future’. “Simplify what you control,” Ramzan explained, noting he had recently spoken to a CISO who had 84 different security vendors. “How do you manage and measure that? Consolidate vendors and plan for the chaos you cannot control with an Incident Response plan based on the ABCs - availability, budget and collaboration.” Collaboration being the skill of bringing together IT, finance, sales and others across the business to work together. Connections, like those made at RSA 2017, will have a lasting impact on the industry, and cybersecurity now ripples and impacts throughout society.

// CYBERTHREATS IN UNCERTAIN TIMES: Microsoft President Brad Smith

Starting with the problems, customers are clearly worrying about being hacked and the economic loss that will result, estimated to be worth $3 trillion by 2020. In the past year there have been more and more nation state attacks, and geopolitical controversies have become more pronounced. The Sony (2014) attack was a turning point, and in the two and a half years since, the attacks have evolved and cyberspace is the new battlefield. Cyberspace is for all of us, and it is owned and operated by the private sector as private property. It is a different kind of battlefield than the world has seen before. The industry has become not only the field of battle but also the first responders. It is a sobering thing to consider that for over two thirds of a century, the Government has been protecting civilians in times of war. But now the Government turns to civilians, the private sector, to protect itself from (cyber) attacks on them, in times of peace. This is not the world the Internet’s inventors envisaged, yet it is the world we inhabit today. We each need to do more. Ninety per cent of intrusions start with a phishing attack. Using threat intelligence and advanced data governance tools can better harness the power of data. Microsoft’s datacentres around the world are connected to over a billion endpoints, creating over a trillion data points each and every day, with advanced threat protection systems scanning over 200 billion emails a month for malware. All of this data is becoming the game-changing defence mechanism. Smith stated, “We need to call on governments to come together. They came together in 1949 for the Geneva Convention to protect civilians in times of war. But now we need a convention to protect civilians in times of peace. Like a United Nations body, able to agree to norms in cyberspace. We need a digital Geneva Convention, supported by a new and independent organisation for the best and brightest, and this will be the only way Governments recognise that cyber-attacks and cyber-war are not the way forward. We need to act collectively to do more and build a global technology sector Accord, similar in concept to a digital Switzerland. Focused on 100 per cent defence and 0 per cent offence.” “Technology needs to retain the world’s trust. Every Government, regardless of its policies or politics, needs a national and global IT infrastructure that it can trust.” An example being a world partnership around Artificial Intelligence (AI) and Government spying. Bringing the world together as an industry – technology, products and people – and with 157 countries represented, Microsoft, Smith proposed, is like the United Nations of technology, with a unique level of mutual understanding and inspiration. “Build on what we can share. An industry that serves the world, and even in an age of nationalism, the technology industry can still be a neutral Switzerland.”

RSA Cryptographer’s Panel - RSA Opening Keynote Session

// SWEATING THE SMALL STUFF: Christopher Young, Intel Security

The role of data security was on display in 2016, with data manipulation designed to influence people making decisions. Now, big data and analytics are the bedrock of the economy. But in leveraging big data analytics to make decisions, we have to focus on the integrity of the small data going into the big data pools. Connected cars alone are forecast to create 4,000GB of data per day; with 1 billion cars, 200 petabytes of data. But what about the data models the cars will rely on to allow driverless cars to function and transport systems to operate at highest efficiency? When big data is compromised with small bad data, we will see the next cyber threat evolution - the weaponisation of big data. We are still dealing with the same threats we always have - we have not overcome any of them. The attack surface continues to grow every day. Given the amount of data, the new attack surface is large in aggregate but small in isolation. It is in the home, increasingly where people do their work, and the home has more powerful and more connected devices. These home devices are also being used to launch more attacks. Who is taking the home into consideration in the security architecture for the business? This requires policy to be driven down and locked down, but ask yourself the question…if what I’m doing is right, what about the person next to me? The Mirai botnet and Dyn attack (2016) is considered to be just a test of the limit of the attacker’s capability. As an example, a DVR was connected to an open network and left unsecured - it was attacked and compromised in less than a minute. The ‘Internet of terrorism’ is a risk into the future. Everything we knew about data security is changing again and turning around. It starts with all of us recognising none of us can go it alone - it is a difficult problem to crack. Young called on the industry to “check egos at the door and focus on a bigger goal.” How do we make the world safer through technology? Threats are getting faster, using smarter tools and scaling themselves - industry has to do the same, and together. The global challenges need the highest call to action. Children get the complexities of the future, but are also counting on us to get the small things right.

“As a small part of a much larger effort,” Young stated, “we need our own dream team for cybersecurity.” Intel Security is splitting off the McAfee brand in 2017 to focus purely on cybersecurity. The company is providing an SDK for OpenDXL as part of a threat intelligence sharing initiative, and GitHub.com is now available as a development platform. Intel Security has partnered with Kaspersky Labs for the Nomoreransom.org website, in support of an initiative by the National High Tech Crime Unit of the Netherlands’ police and Europol’s European Cybercrime Centre, with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals. The Cyber Threat Alliance has also been established, with Cisco and Check Point joining as co-founders, and will be led by Michael Daniel, former White House Security Coordinator.

RSA Security Operations Centre

RSATV Recording

Michael McCaul, Chairman of the House Committee on Homeland Security, RSA Opening Keynote

// WE SHOULD START OVER, THE INTERNET TODAY IS REALLY ALREADY OVER: RSA Cryptographer’s Panel

Chaired by Paul Kocher and sitting with Whitfield Diffie, Susan Landau, Ronald Rivest and Adi Shamir, this was a high-level discussion around the exponential growth in the number of devices attackers can target, the amount of logic in those devices and the growth in the value of systems, both to the owners and to attackers. Cryptographic algorithms are one of the few, if not the only, security technologies that have withstood decades of scaling and have the greatest ability to withstand years of further scale. It is anticipated that 15 years from now, the largest amount of data being gathered will be generated by Artificial Intelligence (AI). Though AI will be helpful on the defence side, the panel did not consider AI able to withstand a zero-day attack, where creativity is required to handle deviations – nor is AI considered suitable for offensive cybersecurity applications. Neither does quantum cryptography appear to be moving as fast as quantum computing, though this is not one of the highest of issues. Possibly in the next few decades, today’s cryptographic algorithms could be broken by future quantum computing, though the mathematics is designed for 2,000 years. Adi Shamir led the discussion centred on the Russian strategy of ‘war by other means’ and democratic election integrity, with the Trump election being a case study: normally you have to convince the loser, but with Trump, you have to convince the winner. Russia has been involved with election interference before, and the USA is hardly an innocent party in its roles in influencing elections around the world. The 1956 Hungarian elections were also highlighted as a suitable historical case of stolen documents influencing an election. Mossad and the CIA stole the speech of Russian leader Nikita Khrushchev, which later shocked the Soviet Union and Hungary by denouncing Stalin and detailing the dictator's crimes. The speech was smuggled out of Moscow and published in full in the New York Times. Susan Landau considered that law enforcement is being somewhat assisted by how easy it is to do investigations over mass surveillance. The Apple iPhone case highlighted that the FBI wanted the Apple hacking tools, which have now been released. Overcoming encryption means creating a backdoor, and the panel did not think that was an option. Ronald Rivest referred to a December 2016 Encryption Working Group report from the Judiciary and Energy and Commerce Committees that concluded four outcomes, namely: any measure that weakens encryption works against national security; encryption is widely and increasingly spreading; there is no one-size-fits-all solution; and Congress should encourage collaboration between law enforcement and industry. Whitfield Diffie proposed that we are doing everything wrong: the confinement problem is being solved with interactive security, and if as much money were spent on improving the quality of devices we would get much better results. The home is the place and basis of education, and the emphasis needs to be on education and people skills development. Shamir, presenting a paper later in 2017 titled ‘IoT Goes Nuclear’, described how we are approaching the time, with aggregated devices, when with the simple use of IP lighting, by plugging in a single smart light in a hotel room, one could feasibly, within minutes, infect an entire city. In having this capability, it is critical that the government should not allow devices that are not sufficiently secured to be connected to the public internet.

FBI Stand

// WE ARE IN THE FIGHT OF OUR DIGITAL LIVES AND WE ARE NOT WINNING

Michael McCaul, Homeland Security Committee chair, confirmed adversaries from Russia and China are stealing secrets and financial data, stating, “I’m going to be brutally honest. We are in the fight of our digital lives and we are not winning.” Terrorists are using social media to call for recruits and radicalisation. The phone in your pocket is the new battlefield. Cyber intrusions have the potential to interrupt the fabric of society. The volume and complexity of network intrusions is overwhelming, laws have not kept up with the digital age and the high speed of technology means the pace of adaptation is too expensive for government to keep up with. McCaul stated, “we are facing 21st century threats, with 20th century technology and with a 19th century bureaucracy.” The sharing of information between agencies and industry is still far too weak and deterrence is difficult in the cyber realm – reporting of attacks is too low. Government does not have a clear, proportionate response against cyber criminals or nation states, nor do we have the manpower or legal structures. The paradox of national security and digital security means we are faced with a new generation of terrorists and their ability to recruit over the internet, globally. There is an unprecedented spike in terrorist plotting online; terrorists can stay under the radar and are using end-to-end encryption on their phones to cover their tracks. However, we also need to resist the temptation to go after encryption with simple knee-jerk responses. “I believe that creating backdoors into security platforms would be a huge mistake.” It will make us all vulnerable to intrusion. It starts with the right mindset and we need to acknowledge we are under siege in cyberspace. We need to double down to protect private sector networks and the public. We need to continue the bleeding-edge work in the professional private sector and develop a talented cyber workforce. Government plays a critical role in coordination but we should not have the military protecting public networks. The creation of a Digital Security Commission is underway and will be focused on breaking down bureaucratic barriers in order to collaborate and protect against adversaries targeting critical infrastructure. We know, from reports by the head of the NSA to Congress, that adversaries are leaving digital fingerprints on critical infrastructure systems, as a warning to America to watch what you say and do: ‘We can hit you from within and it is only a matter of time before this happens.’ The US will be developing a new national cybersecurity strategy to deal with the tectonic shifts and review response options, as well as conducting regular cyber exercises with allies. The US ability to win a war in cyberspace means having the ability to respond in the cyber realm and counter-attack if necessary. We have to say ‘enough is enough’, and figure this out quickly because the attackers won’t give us the benefit of time. There must be clear rules of the road, especially when it comes to cyberwarfare. In times of crisis and uncertainty, situations can spiral out of control, so we should confer with our partners on major incidents, work together to build mutual defences and put infrastructure in place for joint action. We should make sure we are prepared for what lies ahead. We need to be ready for the era of quantum computing; the digital atomic bomb is on the not-too-distant horizon and the first nation to gain this capability will pose a serious threat to the rest of the world. The US should lead a coalition of nations to prepare for the quantum future and ensure we have the right cyber defences in place when it comes. The year 2016 was a watershed year for cyberspace, and for a lot of the wrong reasons. But it has made us more realistic about the danger we face and more clear-eyed about what needs to be done. And although the cyber future is bleak, we cannot let the fear of the unknown outweigh what we do know: that we have the world’s greatest minds working to defend our networks.

Australian Cyber Security Showcase Evening

// CYBERROOS HEAD TO SILICON VALLEY

Releasing the Australian Cyber Security Industry Capability Statement in San Francisco, alongside the RSA Conference 13 – 17 February 2017, about thirty Australian companies gathered at the lush Fairmont Hotel for an Australian Cyber Security Showcase event, hosted by Chris Oldfield, Australian Consul-General to the USA. According to the Capability Statement, “In terms of citation impact, an indicator of research quality, Australian cybersecurity research ranks ahead of the US, Canada, England, Germany, Japan and Singapore.” The Austrade and Australian Cyber Security Growth Network Trade Mission to the San Francisco Bay Area had set out to make the link between Australia’s leading research and close a comparable gap when it comes to correlating this with an established industry. This gap is noticeable. With prominent pavilions from Germany, England, Korea and Israel on the RSA Conference showroom floor, some of the leading Australian cyber security companies being promoted on the Mission have already left Australia, basing themselves in Silicon Valley.

Craig Davies, CEO ACSGN

Dr Vikram Sharma, CEO QuintessenceLabs

Among the delegation, made up predominantly of service companies, there are some impressive new technologies needing as much support as possible. Robert Morrish of Haventec, a company which has developed a process to decentralise critical information stores to massively reduce organisational security risk, asserted, “Australian companies need to ‘re-tune the pitch’. America is more ready than what Australia is. Australia’s corporate sector doesn’t look locally for new innovation. Our first deal was in the USA and our second was in Singapore.” Now backed by Macquarie Bank and supported by Nuix, a sister company, Robert Morrish used the Trade Mission opportunity to hone his own pitch to leading American venture capitalists and potential clients, as well as to learn from colleagues and fellow Australian companies on their market approach. Another ‘wish I’d thought of that’ innovation is FunCaptcha, led by young CEO Kevin Gosschalk. FunCaptcha stops bot abuse by verifying humans with image-based, easy-to-solve games for website registrations and online payment systems – a simple and effective idea created by Gosschalk and co-founder Matthew Ford. Now proven effective, FunCaptcha is suitable across social networks, voting systems and e-commerce platforms – plus with a 3D image technology patent pending. Other standouts include QuintessenceLabs, Randtronics and ResponSight. QuintessenceLabs, now based in Silicon Valley and headed by Dr Vikram Sharma, CEO, highlighted the advancements this Australian-born company is making in high-speed quantum random number generation with advanced key and policy management. As part of the Trusted Security Foundation (TSF), the technology combines FIPS 140-2 Level 3 hardware security modules, which can be deployed across a customer’s international data centres. Customers include financial services, government and defence. Based in Melbourne, ResponSight, a data science software development company, provides security and hacker detection through behavioural analytics. Focusing on behavioural profile management at the individual endpoint, this can now integrate with SIEM and forensic systems to enhance priority identification. Undertaking a data analytics pilot with an invitation-only enterprise, they expect commercially available algorithms to be available in mid-2017. With a team of just eight, the focus is on the financial services, critical infrastructure and telecommunications sectors. Finally, Randtronics, established 15 years ago, has patent-pending technology centred on the Data Privacy Manager (DPM), protecting structured and unstructured data using encryption, key management, masking, tokenisation and anonymisation, with additional attributes of access control and auditing. Austrade is progressing its strategy to identify opportunities for cyber security activities and initiatives in global markets. In doing so, Austrade will work closely with Craig Davies and the tight but growing team at the Australian Cyber Security Growth Network to identify Australian cyber security companies with the capacity, capability and appetite to enter and expand into global markets. The RSA Conference Mission was also used to highlight the San Francisco hub, just one of five global Landing Pads, as part of the Government’s National Innovation and Science Agenda. Austrade has established other Landing Pads in Berlin, Shanghai, Singapore and Tel Aviv. For more information visit www.australiaunlimited.com/landing-pads

RSA Conference 2017 Review Part 2 will examine Vendors, Start-Ups and Key Innovations on display across the two showroom floors.




Journey to customers: HPE SECURE DATA’S INNOVATION, APPLICATION & SOLUTION Insights interview with Tammy Schuring, Vice President of Sales, Hewlett Packard Enterprise

By Chris Cubbage

When discussing the focus for data security at Hewlett Packard Enterprise (‘HPE’), it becomes apparent that the worldwide news and headlines of cyber-attacks over recent years remain a prime motivator for treating the risk of a data breach. Based in Silicon Valley, Tammy Schuring, Vice President of Sales for HPE Security – Data Security, came into the role in 2015, having dedicated over a decade to growing a loyal customer base. Tammy continues to evangelise a fundamental security approach: protect ‘the data’. Tammy was in Australia meeting with customers to provide her own insights into the capability of monetising data, be it personally identifiable information, healthcare, financial or similar sensitive information. Tammy asserts, “Unfortunately, companies the world over are faced every day with the daunting realisation that it’s not a matter of ‘if’ they are breached; it’s a matter of ‘are’ they being breached now, have they ‘already’ been breached, or are they ‘about’ to be breached. It’s a change in mindset. Whether it’s an insider threat, or a cybercrime organisation that’s patiently looking for a way to get in or that is already syphoning off data. It’s stepping out and saying at the outset: it’s not a matter of whether we can keep them out, we need to start seeing through the lens of it’s already happening.”


INOCULATING SENSITIVE DATA

HPE attacks the data protection problem at the heart of a much-needed solution. Tammy explains, “What we do at Data Security inside HPE is inoculate sensitive data, so when it’s in the wrong hands, it cannot be used against the customer, be it a company or a person. The ability to take sensitive data that the cyber criminals can use to create money, be it a fraudulent tax return or credit information, and protect it yet have the data retain its format and its logic inside the company, is huge. This way, if the protected data gets stolen, it cannot be monetised. It cannot be used somewhere else – it’s not actually the real data.” Typically, when encryption or tokenisation is applied, it transforms the data into an unusable, very long string, be it a 256-bit or 128-bit string, and applications cannot function with data de-identified in that way. HPE SecureData has enhanced the cryptography in such a way that when the data is de-identified, what comes out the other side retains the expected format. It retains the logic that a random set of numbers or letters would otherwise not present; for example, HPE SecureData output will still pass the checksum in the case of PAN (primary account number) data. “The other key element,” Tammy highlights, “is it can also retain data relationships, with what in technology is called ‘referential integrity’. By preserving the referential integrity – your relationship to your address, phone number, your credit card data, your account number, your health data – all of those relationships are preserved, even when we are encrypting or tokenising those elements. Metadata can also be preserved, and that’s an aspect of its logic. The ability to retain as much of the principles of the data. Companies can start to operate on the de-identified data, and you will find companies typically have 50 and up to 120 data types that are viewed to be sensitive data.” “We’re taking the threat surface and drastically reducing it.” As an analogy, Tammy commonly likes to use, “it is gold versus fool’s gold – we are figuratively transforming the gold into fool’s gold. It looks like gold, it acts like gold. The data ‘shimmers’ throughout the system; but when the bad guys steal it, they spend a lot of money and time trying to monetise it and they simply can’t, because it’s not real data, but it absolutely looks like data.”

“There are specific aspects within GDPR that deal with data protection, and I am talking about pseudonymization. If you leverage this, to a great extent, it is almost the 'get out of jail free' card.”

Tammy Schuring - Vice President of Sales for HPE Security – Data Security

ABILITY TO DECIDE ON SECURITY

HPE SecureData has built a loyal customer base across a wide range of industries, with the standards-based technologies of HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization (SST). HPE FPE is an encryption technology that preserves the original data format in the encrypted state, as well as context value, relationships and meaning, enabling business processes and secure analytics. HPE SST provides advanced data security without token databases, and improves speed, scalability, security and manageability over conventional and first-generation tokenization solutions. These technologies protect the data, and the protection is carried with the data itself – wherever it goes – in motion, at rest, and in use.

Tammy described how customers can decide, from a rules perspective, how they want the de-identified data to appear once it has been encrypted or decrypted. She said, “One of the things customers can do is called ‘obviously protected’. They can choose to transform it, perhaps as an example, add letters and visually see that this is in fact not the real data, so there are ways to decide, for a particular attribute of the use case or by-product of the system.”
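The format- and checksum-preserving behaviour described in these two sections, as an added toy illustration (it is not HPE SecureData's code and not the NIST-standardised mode the article mentions later; it is unsafe for real card data): a keyed balanced Feistel network over the digit string keeps the PAN's length and digit class, the Luhn check digit is recomputed so the output still passes the checksum, one key always maps a PAN to the same value so two tables still join (referential integrity), and one 'obviously protected' rule swaps the leading digits for letters. The key, the PANs and the two tables are constructed test values.

```python
"""Toy format-preserving pseudonymisation of a PAN (added illustration).

Not HPE SecureData and not NIST FF1: a small keyed balanced-Feistel network over
the decimal string, with HMAC-SHA256 as the round function.  It shows the
properties the article describes: the output keeps the PAN's length and digit
class, it still passes the Luhn checksum, equal inputs give equal outputs under
one key (referential integrity across tables), and an 'obviously protected'
rendering.  Key and PANs below are constructed test values.  Not for real card data.
"""
import hashlib
import hmac

# Constructed demo key; a real deployment would use a managed key, never a literal.
KEY = b"constructed-demo-key-not-for-production"


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a digit string that lacks its check digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # digits nearest the check position are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def _round_value(key: bytes, tweak: str, rnd: int, other: str, width: int) -> int:
    """Keyed round function: HMAC over (tweak, round, other half), reduced to `width` digits."""
    digest = hmac.new(key, f"{tweak}|{rnd}|{other}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _feistel(key: bytes, digits: str, tweak: str, rounds: int, decrypt: bool) -> str:
    """Balanced Feistel over a decimal string; length and character class are preserved."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need a string of at least two decimal digits")
    lw, rw = len(digits) // 2, len(digits) - len(digits) // 2
    left, right = int(digits[:lw]), int(digits[lw:])
    order = range(rounds - 1, -1, -1) if decrypt else range(rounds)
    sign = -1 if decrypt else 1
    for rnd in order:
        if rnd % 2 == 0:    # even rounds modify the left half using the right half
            left = (left + sign * _round_value(key, tweak, rnd, str(right).zfill(rw), lw)) % 10 ** lw
        else:               # odd rounds modify the right half using the left half
            right = (right + sign * _round_value(key, tweak, rnd, str(left).zfill(lw), rw)) % 10 ** rw
    return str(left).zfill(lw) + str(right).zfill(rw)


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt the PAN body (all but the check digit) and re-attach a valid Luhn digit."""
    if not luhn_valid(pan):
        raise ValueError("input PAN fails the Luhn check")
    body = _feistel(key, pan[:-1], "pan", 8, decrypt=False)
    return body + luhn_check_digit(body)


def unprotect_pan(key: bytes, protected: str) -> str:
    """Reverse protect_pan for an authorised holder of the key."""
    body = _feistel(key, protected[:-1], "pan", 8, decrypt=True)
    return body + luhn_check_digit(body)


def obviously_protected(protected: str) -> str:
    """One illustrative 'obviously protected' rule: the leading two digits become letters
    (0->A ... 9->J), so a person sees at a glance that this is not a live PAN."""
    return "".join(chr(ord("A") + int(d)) for d in protected[:2]) + protected[2:]


def protect_field(key: bytes, rows: list, field: str) -> list:
    """Protect one field in every row; equal clear values stay equal, so joins still work."""
    return [{**row, field: protect_pan(key, row[field])} for row in rows]


# Constructed sample tables keyed on the PAN (test card numbers, not real accounts).
CUSTOMERS = [{"name": "A. Citizen", "pan": "4111111111111111"},
             {"name": "B. Resident", "pan": "5500000000000004"}]
TRANSACTIONS = [{"pan": "4111111111111111", "amount": 12.50},
                {"pan": "4111111111111111", "amount": 7.00},
                {"pan": "5500000000000004", "amount": 99.99}]


def transactions_per_customer(key: bytes) -> dict:
    """Join the two tables on the *protected* PAN: the clear PAN never has to be present."""
    customers = protect_field(key, CUSTOMERS, "pan")
    transactions = protect_field(key, TRANSACTIONS, "pan")
    return {c["name"]: sum(1 for t in transactions if t["pan"] == c["pan"]) for c in customers}


if __name__ == "__main__":
    for row in CUSTOMERS:
        p = protect_pan(KEY, row["pan"])
        print(row["pan"], "->", p, "luhn ok:", luhn_valid(p), "shown as:", obviously_protected(p))
        assert unprotect_pan(KEY, p) == row["pan"]
    print(transactions_per_customer(KEY))
```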

PSEUDONYMIZATION MEETS GDPR

There are a number of regulations that companies must comply with, from PCI DSS (Payment Card Industry Data Security Standard) through to the emerging GDPR (General Data Protection Regulation), and a wide range beyond that. Tammy notes, “At the end of the day, interestingly, regulations and audit compliance may be only pointers in the right direction. Just ask any compliant company that has still experienced a data security breach.” Tammy continued, “If anybody believes that compliance equals security, just go read the news any day of the week. Customers are able to leverage our solution to greatly reduce their compliance scope and save personnel hours, and that’s not even the best part of the story.”

“The best part of the story,” Tammy says, “is where they end up at the other side. It is truly addressing the risk. The risk that even if you were compliant, and have reduced the compliance footprint, like we do with PCI so dramatically, and you still suffer a breach. If that data is stolen, that data itself cannot be monetised. The ability to leverage the format preserving encryption and format preserving tokenisation, that we bring to the market, enables them to protect the data at capture and keep it protected throughout its lifecycle. There’s no longer a need to decrypt it to determine where it goes next. It ends up staying in its protected state.”

GDPR will greatly impact how companies deal with data, going beyond fines and protecting personal information to opening avenues to a world of lawsuits and empowering the individual to take action. Up to four percent of a company’s annual turnover (Article 83, GDPR) is potentially at risk, so the stakes are tremendously high. Tammy explained, “There are specific aspects within GDPR that deal with data protection, and I am talking about pseudonymization. If you leverage this, to a great extent, it is almost the ‘get out of jail free’ card.” Tammy said, “If you are taking this personally identifiable information as defined by GDPR, and you’re leveraging a data protection solution such as HPE SecureData, you’re keeping all the benefits of the data but you’re leveraging pseudonymization. Such that, should something happen to the data, and it is lost or stolen, the data is useless to the attackers, and is therefore a non-event and that is the ideal scenario.”

BIG DATA INNOVATIONS

One of the big innovations is around data itself. Tammy notes, “If you go back just a few years, the amount of data that we could consume and do real-time analytics on pales in comparison to what we can do today. There is so much value in being able to take not only the data a company has, but bringing in data from other sources. Working with some of the car manufacturers and their belief there should never be a recall on a car again, because these cars are so instrumented and with so much data coming out of them, they should get ahead of any problem that would come up. But it wasn’t until ‘big data’ that they could see the patterns light up in real time, in order to determine where they needed to make adjustments. Once they figured out with these innovations in technology, there was a major inhibitor standing in their way – and that was security.”

“The proposition was there, but how could you take so much sensitive data about just one person? Their personally identifiable information, the vehicle’s identification number or VIN, where they’re going, GPS data, how fast they’re driving, you name it. How many times they are hitting the brakes, and to put that essentially into a huge soup pot that’s based on Hadoop, innately probably the most insecure platform on the planet right now. The risk was too high.”

“What we’ve been able to do with the SecureData technology is apply it into the world of big data analytics. For example, with the car manufacturers, that ability to protect the data in a way that the format is preserved, the logic is preserved, and most importantly the relationships. It is not important to know all the individual pieces of information and details. What is important is the ability to detect the patterns. There is so much data there, the problem really isn’t an ability to associate with one particular person, but the ability to see those patterns.”

WAVES STARTING TO HIT: ACCESS TO THE CLOUD & INTERNET OF THINGS

Tammy highlights, “One of the key aspects that is shining a light on this technology’s evolution is access to the cloud. The ability to embrace public cloud can save companies a tremendous amount of money by giving them access to things that they didn’t have access to before.” Referring to a large car brand as a customer, Tammy said, “they discovered they can save 40 per cent, per application, per year, if they moved their .NET applications to Microsoft Azure. This value proposition is potentially tens of millions, if not hundreds of millions of dollars in some cases, over a five-year period. When this was realised in one of the business units, the CEO was naturally very excited with such an innovative, cost-saving measure. Before proceeding, Security asked one simple question – is there any sensitive data, including PAN data, involved? The answer was, ‘yes’. Yet before objecting to the project, someone on the CISO’s team had recalled our ability to secure the data and preserve the format. Without creating a bigger processing footprint in putting this data into the cloud, in these .NET applications, the concerns the customer had around the data were addressed. The applications did not have to change their data model. With the data format and data relationship integrity staying intact, there was no need for any rule changes.”

“We match the elasticity model in the underlying platform,” Tammy continued, “so most of our customers decide they want this data-centric protection model across their entire organisation. They don’t want to have to decide if it will only be in the Hadoop environment, or only in their mainframe, or .NET, or J2EE (Java Platform Enterprise Edition) applications, or open system applications. What we do is match to the acuity model of that environment. Such as in Hadoop, that is a node-based environment and we can sell our product based on the node count; for a smaller organisation with 10-20 nodes, through to some of the largest customers in the world, with tens of thousands of nodes, we have a model that can be adapted for all.”

IoT is an exciting paradigm and the wave is just starting to hit. However, Tammy asserts, “there is so much data and this can be used very maliciously. Be it a driverless car or a medical device, should someone manipulate that, the impact is no longer how much data can I monetise, the impact is on people’s lives.”

The HPE SecureData technology comes packaged as either an API (Application Programming Interface) or an SDK (software development kit). HPE has a mobile SDK which allows companies to build the protection right into their mobile applications, so that as we’re all out on the go, entering various information into our devices, the data can be protected right at capture under the format-preserving encryption paradigm. Tammy explained, “It’s not sitting in memory in clear text. The vulnerability aspect of what these mobile devices bring is addressed. We’re seeing with IoT, the power, scale, innovation, is exponentially improving, not in years now but in months. What could be done a year ago, pales in comparison to what will be done a year from now. The ability to build in this encryption, right at capture from inside these IoT devices, is there in many cases, or on the verge of being there.”

“When you look at the difference in the innovation, in regards to encrypting and keeping the format the same, versus bloating it into a 256-bit string, that impact is minimal. We’ve been deployed with two of the biggest card brands in the world, with every single card transaction related to them. The ability to be in every single transaction means it has to meet requirements in performance and scale. SecureData has the ability to take any production data, like transaction information, be it per second information, latency information, and then turn it around and apply it in the world’s top financial institutions, healthcare and retailers. We can show that at scale, so the customer’s requirements are often so much lower than we’re already being applied to.”

“One of the key elements of what powers a lot of what HPE SecureData does and why this is being adopted so broadly now, is that the technology has format preserving encryption, now a mode of AES (Advanced Encryption Standard). We have received our NIST (National Institute of Standards and Technology) certification as FF1, and our FPE technology provides accelerated encryption performance up to 170 per cent in conservative scenarios. Building on today’s proven high-speed FPE technology, while aligning to the high-volume needs of next generation Big Data, cloud, and IoT scenarios. With the power of what this algorithm can do in terms of enhancing the encryption footprint, the US Federal Government fast-tracked it to make it a standard and now, as we’re finalising our FIPS 140-2 and Common Criteria, this opens up many areas. Where it was already being leveraged before that certification, it is now able to be used by government entities and other entities who set the bar and this standard is a requirement.”

CAPTIVATING AUSTRALIA

“Australia is a very interesting market,” Tammy observes, “we started investing here about seven years ago and have a lot of interest. One of the main discussions back then was PCI (payment card industry) and companies wanting to get to compliance – there wasn’t the view that there was the same kind of risk as there was in other parts of the world.” “Paradigms like big data, cloud, mobility and with data so transient now, the Australian market is much more exposed, and a light has been shone on it. Big data is probably the biggest driver now, and regulations like GDPR are right behind it, as well as the drive to public cloud.”

The Australian market has a tremendous need, Tammy notes, “I spent time with the Government and large financial services, telecommunications, retailers, sports betting – and I was shocked. I was last in Australia, literally at the time when the Census breach was happening, and seeing the way that sensitive information is being used in this country. I found having been an evangelist of this approach across the globe, it has really surprised me how often a national ID, or a credit card number or an account number is used as a primary key and mode of identification. There is a lot of ground to cover here.” Tammy concludes, “I think the Census example, of showing how systems can fundamentally break down, showed when the confidence of the citizens in those systems evaporates. So, having returned to Australia this year, there is such a desire now to protect the information and it’s no longer about meeting a particular regulation as the driver, be it PCI or GDPR – it’s really about the overarching sense of confidence and protection of brand.”


International

RSA CONFERENCE 2017 FEATURE REVIEW

THE BIGGEST ‘MUST GO’ CYBERSECURITY SHOW ON EARTH - PART 2
Editor’s RSA Conference 2017 Review - Vendor Insights

/// ARTIFICIAL INTELLIGENCE PROTECTING THE ACTIVE DIRECTORY
INTERVIEW WITH JAVELIN FOUNDERS GUY FRANCO AND ROI ABUTBUL, CEO

At RSA Conference 2017, Javelin announced the release of AD Protect™, an AI-based platform designed to stop the use of stolen and misused directory credentials to move laterally into an organization’s network environment. Thwarting attackers at the point of compromise, the AI autonomously projects to the attacker a false set of organisational resources, including the Active Directory, that look and act real, yet get the attacker nowhere, containing the breach to just one machine. The result is Javelin’s automated incident response (IR) and breach containment, which provides detection of attack compromise and of directory credential theft or misuse, while assisting efforts to investigate and contain any further attack.

The story behind Javelin arcs back to three young men meeting in the Israeli Air Force and Intelligence Corps. Guy and Roi, along with co-founder Almog Ohayon, started out in 2014 with $2 million in seed funding. In early February 2017, they announced a $5 million Series-A financing round to fuel further development and growth. Based in Tel Aviv, the company is now also situated in Palo Alto, CA and Austin, TX.

As Guy explained, “the industry is focused on protecting networks, computers, devices and applications, but at the end of the day the key element being targeted is the Active Directory (AD) – it is used by 9 out of every 10 companies around the world and remains mostly unprotected. All the campaigns APT (Advanced Persistent Threat) attacks are based on is achieving AD manipulation – the attacker’s aim is to be stealthy, leave no evidence and achieve a high gain and mostly, a financial gain.”

After almost two and a half years working just on the technology, with a dedicated ADP (Automatic Data Processing) design team, the company launched in the second half of 2016 and hired former Cylance executive Greg Fitzgerald to drive the message home – that attacks and threats are focused on the AD – the heart of the organisation. Javelin reports seeing immediate traction with customers, with one customer, despite having a $50 million security budget, discovering they still had limited protection of their AD. Javelin can support 20,000 devices and then scale out to 500,000 end points. The learning phase is rapid, within minutes, acquiring 200 devices at a time – so a large enterprise network can be acquired within an hour or two.

Roi stated, “the greatest thing we have accomplished is we have created an autonomous IR mechanism and the only one specifically designed to work in a domain environment. That domain environment has its own rules and we have built that from scratch – once we find an infection on one computer and deployed inside a domain, the AI establishes the elements of the infection and will automatically look across the network for those elements, called automatic IRN counting. This pattern recognition algorithm is continually fed and creates automatic patterns based on the environment and data sets that are deployed in that environment.”

The company has 5 patents based on this approach, with one specifically an AI patent on how it creates the virtual environment. As part of the hunting and cross-reference to other computers, it looks to where the malicious processes came from and what method was used for compromise, such as whether it is local or part of a bigger effort. This allows a forensic report to be formulated. Javelin is not an EDR solution, Roi explained, “we don’t reduce the noise, we just pinpoint for only this type of (AD) attack.” With Javelin, the attacker will not get valid credentials or organizational topology. Without this, the attacker cannot move beyond the endpoint nor do so undetected. Javelin protects the entire organization from the point of attacker entry without unnecessarily adding to the infrastructure nor altering the AD itself.



/// KEYS TO THE KINGDOM: RISK AROUND CREDENTIALS THEFT
EXPERT ROUND TABLE DISCUSSION

Kowsik Guruswamy, Chief Technology Officer, Menlo Security
Scott Scheferman, Director of Consulting, Cylance
Roi Abutbul, Chief Executive Officer, Javelin Networks
Stefan Lager, Vice President of Services, SecureLink

Credentials are a lot more than logins and passwords. If you have a directory service like Active Directory, for example, they can be the keys to the kingdom of every asset on that network. If you are an end user, you may have access to a small number of resources. If you are a senior manager, you might have access to more. If you're an administrator, you could have access to everything. In a special roundtable discussion organised by NetEvents in San Francisco, we discussed credentials, phishing and cybersecurity risk. This is an edited extract of that discussion.

Kowsik Guruswamy: I think it really depends on whose credentials are being phished. If somebody sends me an email from my bank saying my account has been compromised and I happen to fall for it, enter in my user name, password, somebody is getting into my bank account. They can do money transfers, etcetera. This is on a personal basis. If I'm the CFO or the controller for an organisation and that same thing happens to my corporate credentials, now all of a sudden it's a whole different ball game. Now they've got the company's bank account. It also applies to applications, such as Salesforce. I may not be a C-suite executive in a company, but if I'm Salesforce admin and I'm getting phished, then all of a sudden my entire company, all of the pipeline, all of the revenue information is now in somebody's hands. So, it really depends on who is getting phished and what sort of information that they possess that could be very, very valuable.

Scott Scheferman: Maybe from a slightly different lens, a lot of what we do when we're doing response and compromise assessments is address this credential problem. Other than execution, credentials are a choke point common to every breach. The thing about credentials is that an attacker would prefer to just have legitimate credentials as opposed to leave behind malware that might get detected. Once they get to the credential part of that kill chain, they're off and running and they're able to use whitelisted tools and other types of normal authentication, such as to Salesforce, or whatever it might be, and there is no more malware, so they can evade your detection systems.

Stefan Lager: I think we can never be 100 per cent protected against this kind of threat. I think limiting the damage you can get if a credential is stolen and also making sure you can detect and respond to that as quickly as possible is really key. The way we look at it is from kind of a matrix where you have people, you have processes, technologies and you have protection, detection and response. You need to have a good mix of capabilities within all these different areas.

Kowsik Guruswamy: In the case of phishing and credential theft specifically, there is no malware or anything involved. There was a website, it looked like your bank and you typed in your password. It is very simple. I think that goes back to what phishing is all about. It used to be about stupidity. It's really become about sophistication. Every one of us I'm sure has fallen for it. I'm not a private investigator, but if I googled your name and there was something on your blog about a hit and run that you saw and I sent you an email about an insurance quote for a hit and run, the chances are you're going to take a little bit longer to read it and I got your attention. It's about personalising that information, knowing some context around whether this person is going to read it or not. So personally, I delete all my emails that I get from people that I don't know. But every email that I take more than five seconds to read, I treasure them because they've got me. They've got my attention. Spear phishing is just a concept. It's really about contextualising the data that is being presented, so you fall for it.

RoundTable - Javelin, Cylance & Menlo - Roi Abutbul, Scott Scheferman, Guy Franco & Stefan Lager

Wombat Security Technologies stand

Scott Scheferman: A lot of what we were calling breaches or compromises are actually starting outside of the organisation altogether. If somebody does a massive database dump and they grab the whole database, user names and passwords for a common social media site or something else, those passwords are then very readily available, email addresses and passwords. So many of our users have reused a password for their personal life. Not all organisations are using two-factor authentication for all of their external phishing applications. You put those two facts together and what you realise is that there is a massive market for the stealing and reselling of credentials so that you don't have to use any malware. You can opportunistically target a certain vertical that you're looking to target as an actual attacker. Attacker not being a hacker, but an attacker that's interested in an organisation, in a certain vertical. Why not just buy the credentials for that vertical as opposed to try to touch your victim? You never want to touch the victim if you don't have to. Much like spear phishing, just put in your user name and password and you barely touch the organisation at all and they've done all the work for you.

Kowsik Guruswamy: The underpinning technology behind Menlo is what we call isolation. The concept of isolation is simple. If you look at the overall risk from the web, it's active content, Flash, JavaScript. That's the risky part. If you go back 20 years in the old Netscape days, when the Internet was filled with five web pages that were all static, there was about zero risk. There was no problem. Fast-forward 20 years you've got this interactivity and advert networks, everybody rushing to inject interactive content into the web browser, that's a risk. Our concept behind isolation is very simple. We stop playing this game of trying to figure out is this website good or bad and just execute away from the user in the cloud. We do it in such a way that the end user has no idea that we're doing that and retains the native user experience. That's the underpinning model behind isolation and that's what Menlo does.

Specific to phishing, if you look at how phishing links come to the user and what it does, it falls into three buckets. First is what we call the known bad. Everybody knows it is a phishing site, it's on some list, Google has it, other feeds have it, everybody knows it is a phishing site. You do the obvious thing, you block it. The next one is what we call the known good. Like amazon.com is not a phishing site. Yes, there might be some ads that give you malware, but it's not a phishing site for sure. So, there is a known good. Then the grey area. If you look at the grey area, we're doing the same thing that we've been doing for the last 20 years to phishing, which is trying to figure out if it is a phishing site or not. What Menlo does is we gave up on that idea. It's not working. It's very difficult. Instead what we do is when people click on the link we end up isolating them and we have certain workflows which basically combine the training aspects and also put the website into a protective shell. It's a read-only mode. People can't type anything. The combination of that effectively means when you're about to enter the password into your bank account, you've got to pause. There is some training that's built into the workflow that tells the user, hey, you're about to enter the password into a bank-looking site, are you sure? So that really helps eliminate phishing, in our opinion.

Malwarebytes Stand

Cylance AR display

Scott Scheferman: I love the pause part of that description because I think in security, any time you're looking at this kill chain we've been talking about, it's important to pause before each one of these things. In Menlo’s case, it's before the user clicks. In Cylance's case, the best way to describe it would be, we have tried to solve the problem in those 100 milliseconds prior to an executable executing and allow the AI (artificial intelligence) to predict whether or not that file should run within that 100 milliseconds pause, if you will. In the time it takes you to blink your eye, we would look at seven files. We can look at seven files and convict them to be able to run or not. It's a very interesting thing because what we're using is predictive AI. What that looks like is, if you take something like Shamoon2, Wave 2 that just came out in the Palo Alto Unit 42 report, which they did an excellent exposé on, what that threat actor is and the motivations. The TTPs, the IOCs, all these buzzwords of intelligence, we were actually able to prevent that pre-execution 430 days before Palo Alto's report. So, when we say prevention, we're literally talking days, weeks, months or sometimes years in front of when the threat actors, in some case like ZCryptor ransomware, have even compiled their first binary. We've predicted that binary and are able to block it. So that's what our pause is.

The other aspect of what Cylance does extremely well is our compromise assessments. We leverage that same machine learning as well as machine learning that's focused on the credential aspects of this problem space. I'm looking at user account profiles and applying machine learning to that problem to instantly discover accounts that are probably compromised based on statistical confidence. We have about 86 per cent efficacy that we have baked into our compromise assessments, where we hit the big red button and out pops all the accounts that mathematically, we know that these accounts have been compromised. For us, that allows us to move very, very quickly, or allows the organisation to pivot to containment. On the product side, it's predictive prevention via AI and that's a really big exercise. We're in the top 100 customers of Amazon where we're crunching these millions of files. For each file we're breaking them up into 2.7 million features that we're looking at. It's not just 30 features or 200 features that malware analysts understand and the rest of the whole industry, but actually features that the human race doesn't even have words for. The machines are telling us about features and absences of features and combinations of features that we know to indicate this malicious software and we're able to, because of the confidence we have, make an autonomous decision and put that 100 milliseconds pause before execution to say no you can't run.

We're seeing a massive shift in money from doing penetration testing in traditional services, shifting over to doing annual, biannual or quarterly compromise assessments because the value is much more to the Board than hiring a small team for a small period of time. You're able to tell the Board I know I'm not compromised or I am compromised and I've been able to learn how the bad guys got in that were targeting the organisation. Instead of hiring penetration testers, hypothetically, to protect you, hire the entire Internet that has targeted you the last two years and learn from that. That's how we get to the place we are today. As vendors, the three of us here have the AI aspect and we're sitting in the middle of this revolution. Those are the ways that we can solve these problems with confidence. Confidence ends up being a mathematical definition. It's a mathematical term. We actually have a degree of confidence index.

Roi Abutbul: I want to add to your comments that if you look at it, the CISOs today are swamped. The security teams are overloaded with, as you said, data and a lot of work that they need to do at the end of the day. But from the other side of the equation, if you look at the effort that attackers need to invest in order to penetrate, in order to bring down an organisation, it is exactly that asymmetric problem. Their investment in order to bring down an organisation is low and our investment in defending the organisation from being breached is high. That's the main problem in this industry. Also, the CISOs today, on top of that, are over swamped. They are understaffed and with limited budgets. If you look here at RSA, if you go inside the expo in the North and South showrooms, most of the vendors are saying the same. It is very hard for them even to distinguish exactly what they are doing.


Cyber Security

/// BIG SWITCH NETWORKS: TRAFFIC VISIBILITY ON A CLOUD-NATIVE APPLICATION

Sitting down with Greg Holzrichter on the RSA showroom floor, we were walked through the next generation of networking and datacentre switching, offered as an open alternative to Cisco’s Application Centric Infrastructure, with the offer of being up to 50 per cent cheaper with pervasive visibility, scalability and security, overlaid by the Big Monitoring Fabric – or Big Mon. Big Monitoring Fabric Release 6.0 is currently in beta and is expected to be available in Q1 2017.

Receiving Series C funding for US$48.5 million and a strategic partnership with Dell EMC, Big Switch Networks is enjoying triple-digit growth. In December, the company announced significant updates to the Big Mon product line with the introduction of BigSecure Architecture™, a cyber-defence platform that enables Terabit attack mitigation. Extended Pervasive Visibility use cases include cloud-native application traffic for monitoring of VM, container and public cloud environments. This solution enables existing security tools to leverage an externalised attack mitigation infrastructure, consisting of a pool of x86-based compute resources. Once BigSecure Architecture is instantiated, a security tool detects a high-bandwidth attack and interacts with the Big Monitoring Fabric Controller via programmatic APIs to redirect incoming traffic for elastic mitigation. Depending on the type of attack, the Big Mon Controller activates SDN fabric and compute resources for attack mitigation, reconfigures the service chain to redirect traffic to the mitigation infrastructure, and load-balances traffic across a cluster of Big Mon service nodes and an NFV tool farm for scale-out performance. The combination of SDN fabric, Big Mon service nodes and NFV tool farm performs Layer-7 scans of network traffic and blocks those packets/flows that contain attack signatures. With BigSecure, security teams are able to deploy a dynamic cyber-defence architecture that provides elastic, Terabit-scale attack mitigation capability at an affordable price while continuing to leverage best-of-breed security tools.

Integration with leading Technical Solution Partners includes:
• A10 Networks and Big Switch Networks have partnered to create a solution for DDoS attack detection across the entire data centre. The solution is composed of A10 Networks' Thunder Threat Protection System (TPS) and Big Switch’s Big Monitoring Fabric, which leverages open networking switches.
• ExtraHop and Big Switch Networks have partnered to deliver a scalable solution for all IT teams to gain visibility into network and application traffic. The joint solution combines ExtraHop’s streaming analytics and proactive remediation capabilities with SDN controls from Big Monitoring Fabric.
• The collaboration between FireEye Threat Prevention Platform and Big Switch Big Monitoring Fabric enables monitoring of any flow, at any time on orchestrated service chains, from a single pane of glass.
• Riverbed SteelCentral NetExpress network performance management platform and Big Monitoring Fabric deliver an all-in-one pervasive network monitoring solution that combines flow as well as packet collection and analysis for the entire data centre.
• The certified joint solution of Symantec SSL Visibility Appliance with Big Monitoring Fabric Inline, through Symantec's ETM Ready Program (Encrypted Traffic Management), helps customers address malware hiding in SSL traffic.

/// WEBROOT INSIGHTS Webroot announced three new products: Webroot FlowScape® Analytics, Webroot BrightCloud® Streaming Malware Detection and Webroot SecureAnywhere® DNS Protection, which leverage an AI engine for protection against known and unknown cyber threats. Chad Bacher, SVP of product strategy and technology alliances, said: “Our new products offer better protection against today’s most advanced threats—both known and unknown—no matter where users are or what devices are connected. These new solutions are built on a mature cloud platform that uses proven machine learning methods that continue to get smarter and more effective as we add new endpoints, sensors, and data sources.”

Webroot has integrated FlowScape Analytics with Webroot BrightCloud® Threat Intelligence to accelerate the discovery and investigation of unknown threats that access, traverse, and exit disparate networks. The FlowScape solution analyses different traffic types and behaviours within the network, as well as inbound and outbound traffic, to supply security operations teams with the ability to identify anomalous network traffic from unknown threats. Combined with BrightCloud Threat Intelligence, FlowScape Analytics offers contextual threat intelligence on malicious IPs and URLs together with network visibility, so that incident response teams can investigate threats and devise mitigation plans. As malware is now overwhelmingly polymorphic and advanced persistent threats (APTs) mask their activities within everyday network noise, FlowScape analytics and unsupervised machine learning enable organisations to reduce the time required to classify and address threats.

Quoting Gary Hayslip, CISO for the City of San Diego: “With a daily count of approximately 500,000 cyberattacks against the city of San Diego networks, Webroot FlowScape Analytics gives us the network visibility we need to protect critical infrastructure and services. FlowScape Analytics technology allows us to determine risk of system-wide user behaviour and flag anomalies for remediation.”

“With these new releases, Webroot is working to address some of the key issues that make protection against modern malware so difficult,” said Eric Ogren, Senior Analyst with 451 Research. “Through greater visibility into the network layer, Webroot will now help customers identify threats based on anomalous network behaviour. Providing a security solution that combines endpoint security and DNS-based web security will also help protect businesses from threats, while lowering overall support costs.”

The FlowScape solution is available for custom integration and evaluation as part of an early availability program. BrightCloud Streaming Malware Detection is available for Beta technology partners with general availability scheduled for mid-2017. Webroot SecureAnywhere DNS Protection is in Beta currently and scheduled for GA release in April 2017.

Corporate Security

RSA CONFERENCE 2017 FEATURE REVIEW

/// PREDOMINANT FOCUS: IF CONTENT IS KING, THEN CONTEXT IS QUEEN Insight Interview with Leonard Kelinman, Chief Cyber Security Advisor, RSA - APJ Region Leonard Kelinman should be well known in Canberra cybersecurity circles, but sitting down to chat in San Francisco amongst 45,000 other busy professionals, there was a sense he is part of a much bigger, global machine that is RSA. Leonard provided insight into his role as Chief Cyber Security Advisor for the Asia Pacific region.

What role does a cyber security advisor fulfil?

This role with RSA allows me to remain forward focused when reaching out to industry, government and organisations. Essentially, I provide the advice, guidance and support that they may need. The three predominant sectors I’m working with are governments in the Asia Pacific and Japan region, critical infrastructure and education. The first part of the role is to understand the landscape, mainly with government and utilities, particularly with the mandatory data breach legislation and the impact this has at the board level. This includes Incident Response (IR) and IR capabilities, cyber insurance and considering how it affects their ability to discover and respond to breaches. I have found invariably the larger the agency or organisation the better they are in terms of posture and preparedness. I feel for the SME-type organisations: they often have contracted services, where they may have good process and procedures but limited in-house capability. You cannot outsource responsibility, so vetting the contractors is vitally important. My mantra going forward is based on our traditional technology capabilities, which have been built around content, but now we are talking about context – put simply, ‘if content is king, then context is queen.’

What does it mean to be contextually aware? There is a lot of value there in what organisations have already invested in. What we are doing is building a capability that creates a plus one, adds to the traditional services and gives context. My role allows me to come to understand the pain points and develop the strategy around that for customers. An easy industry example would be the cyber-industry vocation. I’m working with a government agency in assisting them with their recruitment for cyber. The focus is on developing the right job description and criteria and developing a methodology for selection. In the Federal Government space, based on my experience at the Australian Taxation Office, there was great success in vulnerability management and a large part of that was about getting the right people. That means the right people into the right roles. Part of the problem can exist at the higher positions of organisations, with those who have the capability and responsibility but, due to age and years of experience, bring a more traditional ‘they know best’ mentality, and this makes it much more difficult for cultural change. But having said that, there are those with a more open mindset and who are better prepared. The engagement is so much more fruitful with those individuals. The other aspect is, with time, you are going to find that the newer generation, say those 5-10 years junior to the current senior roles, will have greater cyber exposure and will bring a better and stronger appreciation to cybersecurity services and capabilities. I’m a bit pragmatic. If your organisation got hacked, you need to better understand that. Bad stuff is still going to happen, and understanding you have done everything that is reasonable to have done. Knowing what is reasonable, learning about known breaches and having a clear course of action to proceed with.

How is Australia faring in the APAC region? The AU$230 million allocation as part of the Australian Cybersecurity Strategy and AU$300 million to the ASD is encouraging because it is substantially more than before, but far less than the UK and USA. Let’s see what we can do with it first and then allocate more if needed. We are working with other countries and using them as a yardstick. Within ASD and the review of the PSPF, there has been a change to devolve risk to the agency heads, and now it’s up to the business heads to manage, so cyber programs are subject to different risk appetites. Most organisations have a moderate risk tolerance and production programmes tend to have a higher risk tolerance.

How does the 2017 cyber landscape look? In 2017, we are likely to continue to see a lot of volatility, and this industry is naturally volatile. In particular, consolidation across the vendors and the legislative landscape changes, highlighting mandatory reporting and GDPR, which is applicable anywhere in the world, including Australia. Discussions have started to make some waves, such as ‘how does that affect us?’; but it is still playing catch-up to the cyber realm. Organisations have to spend some time thinking about this, in a global world and with a pervasive technology.

/// MENLO SECURITY UNCOVERS NEW SPEAR PHISHING CAMPAIGN Leveraging multiple scripts to customize attacks on US enterprises Menlo Security, a pioneer of cloud-based isolation security technology, announced that its cybersecurity researchers recently uncovered a sophisticated spear phishing attack at a well-known enterprise that went undetected by existing security solutions. A close examination of the recent spear phishing event by Menlo Security researchers revealed the following details:

• The attackers performed various checks on the password entered by the victim and on the victim’s IP address to determine whether it was a true compromise or somebody who had figured out the attack.
• The attackers supported various email providers. This was determined by the fact that they served custom pages based on the email domain. For example, a victim whose email address was john.doe@gmail.com would be served a page that looked like a Gmail login page.
• The attackers exfiltrated the victim’s personally identifiable information (PII) to an attacker-controlled account.
• The attackers relied heavily on several key scripts to execute the phishing campaign and to obtain the victim’s IP address, country and city.

“Credential theft via increasingly sophisticated spear phishing attacks is dangerous to the enterprise,” said Poornima DeBolle, Chief Product Officer and co-founder of Menlo Security. “Existing email security products will have a difficult time detecting these attacks using the usual good versus bad methods. Once an attacker obtains an employee’s credentials, they have the keys to your kingdom.”

The exposure to spear phishing stems from legacy email security solutions, including sandbox-based anti-phishing products, being largely reputation-based; that is, they decide whether an email link is known to be “good” or “bad.” A link’s reputation is determined via third-party data feeds, or internally by way of large-scale email traffic and data analysis. In the case of spear phishing attacks, which target specific individuals within an organisation, the email link is usually unique, as is the target user, so there is no third-party reputation data available, nor is there enough data to analyse internally to make an accurate determination. If the determination is incorrect, users are sent directly to a web site where credentials can be stolen or malware can be downloaded to the user’s device. For more details on the anatomy of the spear phishing attack, please visit: www.menlosecurity.com/research-brief-2017
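The reputation gap described above, as an added example that is not Menlo Security's code or research: the same inbound-mail links are run through a reputation-only decision (block only what a feed already lists) and through a triage that adds structural indicators common to credential-phishing kits. The threat feed, brand list and sample URLs are constructed; the idea that a kit carries the recipient's address in the link in order to pick a provider-specific template is an assumption drawn from the "custom pages based on the email domain" finding, not something the brief states.

```python
"""Reputation-only link filtering versus structural phishing indicators.

Added example, not Menlo Security's code. Feeds, brands and URLs are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed threat-intel feed: hostnames already known to be bad.
KNOWN_BAD_HOSTS = {"evil-login.example"}

# Constructed brand -> legitimate registered domains for that brand's login pages.
BRAND_DOMAINS = {
    "gmail": {"gmail.com", "google.com"},
    "office365": {"office.com", "microsoft.com", "live.com"},
    "paypal": {"paypal.com"},
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{24,}")   # long opaque per-recipient token


def registered_domain(host):
    # Naive eTLD+1 (last two labels); use the public suffix list in production.
    return ".".join(host.lower().split(".")[-2:])


def reputation_only(url):
    """The legacy decision: block only what a feed already says is bad."""
    return "block" if urlsplit(url).hostname in KNOWN_BAD_HOSTS else "allow"


def structural_indicators(url, recipient):
    """Indicators that need no prior sighting of this exact link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    decoded = unquote(url)
    hits = []
    # Brand name in the hostname, but the registered domain is not the brand's.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            hits.append(f"brand '{brand}' in host but domain is {reg}")
    # Recipient address embedded in the link (assumption: kits use it to choose
    # the provider template and to pre-fill the fake login form).
    if any(addr.lower() == recipient.lower() for addr in EMAIL_RE.findall(decoded)):
        hits.append("recipient address embedded in URL")
    # Long opaque token in path or query: every target gets a unique link, so
    # no reputation data can exist for it.
    query_values = [v for vs in parse_qs(parts.query).values() for v in vs]
    if TOKEN_RE.search(parts.path) or any(TOKEN_RE.search(v) for v in query_values):
        hits.append("long per-recipient token")
    if parts.scheme == "http":
        hits.append("plain http")
    return hits


def triage(url, recipient):
    """Reputation first; otherwise two or more structural hits -> quarantine."""
    if reputation_only(url) == "block":
        return "block", ["known bad host"]
    hits = structural_indicators(url, recipient)
    return ("quarantine" if len(hits) >= 2 else "allow"), hits


# Constructed inbound links addressed to one recipient.
RECIPIENT = "john.doe@gmail.com"
SAMPLES = [
    "https://evil-login.example/owa",                                                          # listed in the feed
    "https://gmail-account-verify.example/s/x7Qp9vLm2kR4tY8uZa1bNc3dEf5g?e=john.doe%40gmail.com",  # unique spear-phish link
    "https://mail.google.com/mail/u/0/#inbox",                                                 # legitimate
    "https://docs.example.org/report.pdf",                                                     # benign, unknown to feeds
]


def run(samples=SAMPLES, recipient=RECIPIENT):
    """Map each URL to (reputation-only verdict, triage verdict)."""
    return {u: (reputation_only(u), triage(u, recipient)[0]) for u in samples}


if __name__ == "__main__":
    for url, (legacy, new) in run().items():
        print(f"{legacy:<6} {new:<10} {url}")
```

The second sample is the case the brief describes: no feed has seen the link, so the reputation-only path allows it, while the brand/domain mismatch, the embedded recipient address and the unique token are enough for the triage to hold it. The thresholds and weights are illustrative; a real deployment would tune them against its own mail.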




Modernising your security strategy

By Peter Tran, General Manager and Senior Director of RSA Security’s Worldwide Advanced Cyber Defence Practice, RSA

While cloud, mobile and the Internet of Things (IoT) present undeniable efficiencies and opportunities in the business world, the reality is that they also add a multitude of cybersecurity complexity and potential exposure. In 2016, over 260 billion apps were downloaded over the Internet across approximately 7.5 billion mobile devices communicating in an interdependent web with cloud-based platforms and services. This is referred to as the Internet’s “Third Platform” and is where innovating your information security strategy is imperative. Many organisations are finding the increased efficiency gained from new technologies is paramount to remain competitive in today’s “Third Platform”, as these technologies are foundational to many critical business and operational innovations. The number of devices, identities and cross-functional systems across hybrid cloud, on-premise, public/private infrastructures, mobile platforms and shared business IT services is skyrocketing. To date, there are over 22 billion connected IoT devices on the World Wide Web, with projected growth to over 50 billion by 2020. This is predominantly driven by increased adoption of cloud collaboration infrastructures, mobile workforce, sales and operations teams, as well as an expanding number of global trusted partner networks and privileged external/third-party users. The explosion in the number of devices, identities and shared systems isn’t just transforming business but is changing critical cyber security requirements directly related to the sheer scale, speed and complexity by which organisations, both public and private, are migrating legacy systems to the “Third Platform”. While modern organisations are capitalising on cloud, mobile and IoT, they are also expanding their attack surface, and with it new “hacker hot spots” are left in the wake of IT technology expansion, which leaves fertile ground for nation-state hackers and cyber criminals to exploit.
The worldwide cybersecurity spend for 2016 topped US$74 billion according to research analyst firm IDC, with projected spend to reach over US$102 billion by 2020. Despite this level of spending, we have seen over 2,000 data breaches and 700 million personal records stolen, with an average financial loss of US$3.5M per incident. That said, the most shocking statistic is that on average, organisations were aware they had been hacked less than 30 percent of the time. Another way to look at it is that with today’s aging security capabilities, hackers have a 70 percent chance of breaching an organisation’s network undetected. It’s a reality check now, and time is not on our side, for organisations to face the hard facts. Traditional security measures no longer stack up against the advanced cyber risk that organisations face today. They are ineffective because they are built around the belief that attacks can be prevented based on conventional perimeter-based designs. The rapid transformation to the “Third Platform”, coupled with new attack techniques and tactics, is driving a call to action for strategies to be put in place to manage attacks based on business context and operational risk, or “business-driven security”. Traditional security strategy has typically been an afterthought, focused almost exclusively on protecting technology and systems that have already been put in place within legacy on-premise infrastructures. Business initiatives were, and in many instances still are, developed without considering the cyber risk exposure associated with them. In fact, many organisations have not even gone through the exercise to determine what their cyber risks are. Simply put, the right hand doesn’t know what the left hand is doing. The widening gap between business context and cyber risks is where breach exposure exists. The gaps in traditional security strategies become wider with the proliferation of cloud, mobile and IoT, as well as a surge in third-party workforces within organisations, all adding to business complexity and risk. If businesses want to modernise their security operations, technology investments alone are insufficient.
Security innovation and transformation begins with a balanced strategy between IT architecture, infrastructure, technology, process, automation, data analytics, effective workforce management, compliance and governance. Cloud technologies provide enterprises with on-demand, anytime/anywhere access to key applications, services and platforms. However, what many organisations fail to realise is that all the convenience provided by the cloud is in fact at the heart of the problem: better, faster, cheaper, but NOT necessarily secure. Decisions about cloud systems are often made by siloed and federated departments while bypassing formal approval channels and without the knowledge of IT, a practice that is called working in the shadows, or “Shadow IT”. It’s easy for malicious insiders and other attackers to take advantage of Shadow IT. Cloud systems often interact with other business and operations systems and/or are used to store the organisation’s valuable data about engineering/development, partners, prospects and customers. In this way, attackers can compromise cloud systems in order to steal proprietary and/or confidential information completely undetected. The best way to control cloud technologies is to gain complete visibility into the cloud infrastructure and services being used and implement appropriate controls. Although this is easier said than done, it is a sound security strategy that drives continuous monitoring and early detection across the cloud and to the end points. Additionally, “Bring Your Own Device” (BYOD) has now become common practice for most organisations, allowing employees to work remotely and/or have access to the organisation’s information from their personal devices. Does this further compound the problem? Absolutely! The combination of mobile or potentially rogue devices and an Internet connection is enough to breed mass-scale mobile security risks. Users may rely on a device and/or connection that is not owned, provisioned, managed, or controlled by the organisation.
If businesses provide mobile devices to employees or have a BYOD policy in place, then it’s critical to closely monitor activity for all devices accessing organisational data. Modern organisations are aware of the risks involved and, as such, control which business data can be accessed by and saved to mobile devices. More importantly, continuous monitoring and early detection using user behavioural analytics (UBA), in the context of business risk, should be a top priority within an adaptable security strategy. In only three years there will be over 50 billion connected devices and sensors worldwide. How prepared are organisations to integrate and cope with the influx of business-enabled, internet-enabled devices?
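The "complete visibility into the cloud infrastructure and services being used" that the Shadow IT paragraph above calls for usually starts with the logs an organisation already has. As an added example (not from the article and not RSA code), the script below builds a SaaS inventory from web-proxy log lines, compares it with the sanctioned list and flags unsanctioned services that are receiving bulk uploads. The log format, the SaaS catalogue, the sanctioned list and the upload threshold are all constructed for the example.

```python
"""Shadow-IT discovery from web-proxy logs.

Added example, not from the article. Log format, catalogue and policy are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: "<ts> <user> <method> <url> <status> <request_bytes>" per line.
SAMPLE_LOG = """\
2017-02-14T09:01:12Z alice GET https://mail.corp-sanctioned.example/inbox 200 512
2017-02-14T09:02:40Z alice POST https://upload.dropbox.com/2/files/upload 200 48213990
2017-02-14T09:05:03Z bob GET https://www.salesforce.com/home 200 820
2017-02-14T09:07:55Z bob POST https://api.trello.com/1/cards 200 2048
2017-02-14T09:10:21Z carol POST https://upload.dropbox.com/2/files/upload 200 9120034
2017-02-14T09:11:09Z carol POST https://www.dropbox.com/login 302 640
2017-02-14T09:15:44Z dave GET https://pastebin.com/raw/abcd 200 300
2017-02-14T09:16:02Z dave POST https://pastebin.com/api/api_post.php 200 15022
"""

# Constructed SaaS catalogue: registered domain -> service name.
SAAS_CATALOGUE = {
    "salesforce.com": "Salesforce",
    "dropbox.com": "Dropbox",
    "trello.com": "Trello",
    "pastebin.com": "Pastebin",
}
SANCTIONED = {"Salesforce"}          # what IT has actually approved (constructed)
UPLOAD_BYTES_THRESHOLD = 1_000_000   # POST bytes above which an unsanctioned service is "bulk upload"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def registered_domain(url):
    host = re.match(r"^[a-z]+://([^/:]+)", url).group(1).lower()
    # Naive eTLD+1 (last two labels); real code should use the public suffix list.
    return ".".join(host.split(".")[-2:])


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def inventory(log_text):
    """Return {service: {"users": set, "requests": int, "bytes_out": int, "sanctioned": bool}}.

    bytes_out counts only POST request bodies, i.e. data leaving the organisation.
    """
    inv = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for rec in parse(log_text):
        service = SAAS_CATALOGUE.get(registered_domain(rec["url"]))
        if service is None:
            continue  # not a catalogued SaaS endpoint (internal app, etc.)
        entry = inv[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] == "POST":
            entry["bytes_out"] += rec["bytes"]
    for service, entry in inv.items():
        entry["sanctioned"] = service in SANCTIONED
    return dict(inv)


def shadow_it_findings(log_text):
    """Unsanctioned services with their users and upload volume, largest upload first."""
    findings = [
        {"service": svc, "users": sorted(e["users"]), "bytes_out": e["bytes_out"],
         "bulk_upload": e["bytes_out"] >= UPLOAD_BYTES_THRESHOLD}
        for svc, e in inventory(log_text).items() if not e["sanctioned"]
    ]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in shadow_it_findings(SAMPLE_LOG):
        flag = "BULK UPLOAD" if f["bulk_upload"] else ""
        print(f"{f['service']:<10} users={','.join(f['users']):<12} bytes_out={f['bytes_out']:>10} {flag}")
```

On the constructed log this reports Dropbox (two users, about 57 MB posted) as a bulk-upload finding ahead of Pastebin and Trello; Salesforce appears in the inventory but not in the findings because it is sanctioned. The same inventory, fed from DNS or CASB logs instead of a proxy, is the control the paragraph is asking for.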

Many of these devices and sensors send continuous streams of unstructured information about business and operational activities across the Internet, where that information is harvested for insights. As such, IoT is often referred to as the “Next Industrial Revolution”, with the promise of dramatically increasing the production and efficiency of manufacturing, healthcare, banking, workforce productivity and more. This is the promise of “connected and enhanced living”, and business-driven security will be a force multiplier in managing “Third Platform” risks of intrusion, data disruption and destruction. As security strategy shifts from the perimeter to managing a dynamic, business-driven security environment, a stronger partnership between business leaders and their security experts is essential. Business leaders want to know what the business impact is, or would be, of a security breach. Security experts focus on the technological details and implications of a security breach. This gap in understanding stands in the way of being able to answer THE critical question when an incident does occur: HOW BAD IS IT TO THE BUSINESS? The goal of a modern organisation’s security strategy is to create harmony between the security strategy, IT environment, and business and operational priorities. As such, modern organisations are moving rapidly toward a business-driven security strategy, developed in collaboration with the broader IT team and operational and business leaders, that prioritises security efforts by connecting security risk to business and operational risk. Fully understanding the security risk in the context of impact to business and operations is key. With a business-driven security strategy, organisations can connect security risk to business risk that is contextual and specific to the growing organisation.
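The BYOD paragraph's "UBA in the context of business risk" and the "how bad is it to the business" question above come together in one added example (not the author's or RSA's code): a per-user behaviour baseline is built from historical logon events, new events are scored on how far they deviate (new country, new device, first access to a resource, off-hours), and that score is multiplied by the business criticality of the resource touched, so the analyst's queue is ordered by business impact rather than by raw anomaly. The asset register, the events, the business-hours window and the weights are constructed for the example.

```python
"""Behaviour-based detection weighted by business impact.

Added example, not from the article. Asset register, events and weights are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed asset register: resource -> business criticality (1 low .. 5 critical).
ASSET_CRITICALITY = {"wiki": 1, "crm": 3, "payroll": 5, "source-repo": 4}

# Constructed history: (timestamp, user, country, device, resource).
HISTORY = [
    ("2017-02-06T09:12:00", "alice", "AU", "lt-0142", "crm"),
    ("2017-02-07T10:03:00", "alice", "AU", "lt-0142", "wiki"),
    ("2017-02-08T08:55:00", "alice", "AU", "lt-0142", "crm"),
    ("2017-02-06T09:40:00", "bob", "AU", "lt-0290", "source-repo"),
    ("2017-02-07T14:20:00", "bob", "AU", "mob-077", "source-repo"),
    ("2017-02-08T09:05:00", "bob", "AU", "lt-0290", "wiki"),
]
# Constructed new events to score against that history.
NEW_EVENTS = [
    ("2017-02-13T09:30:00", "alice", "AU", "lt-0142", "crm"),        # routine
    ("2017-02-13T02:17:00", "alice", "RO", "lt-9931", "payroll"),    # new country + device, off-hours, critical asset
    ("2017-02-13T23:40:00", "bob", "AU", "mob-077", "wiki"),         # off-hours only, low-value asset
    ("2017-02-13T11:00:00", "bob", "SG", "lt-0290", "source-repo"),  # new country only (travel?)
]

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; assumption for the example


def build_baseline(events):
    """Per-user sets of countries, devices and resources seen historically."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "resources": set()})
    for _, user, country, device, resource in events:
        base[user]["countries"].add(country)
        base[user]["devices"].add(device)
        base[user]["resources"].add(resource)
    return base


def behaviour_score(event, baseline):
    """Sum of deviation weights and the reasons; 0 means fully within the baseline."""
    ts, user, country, device, resource = event
    b = baseline.get(user)
    if b is None:
        return 3.0, ["no baseline for user"]
    score, reasons = 0.0, []
    if country not in b["countries"]:
        score += 2.0
        reasons.append(f"new country {country}")
    if device not in b["devices"]:
        score += 1.5
        reasons.append(f"new device {device}")
    if resource not in b["resources"]:
        score += 1.0
        reasons.append(f"first access to {resource}")
    if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
        score += 0.5
        reasons.append("outside business hours")
    return score, reasons


def prioritise(new_events, history):
    """Rank events by behaviour deviation multiplied by the asset's business criticality."""
    baseline = build_baseline(history)
    ranked = []
    for ev in new_events:
        score, reasons = behaviour_score(ev, baseline)
        crit = ASSET_CRITICALITY.get(ev[4], 2)  # unknown assets get a middling weight
        ranked.append({"user": ev[1], "resource": ev[4], "behaviour": score,
                       "criticality": crit, "priority": round(score * crit, 1),
                       "reasons": reasons})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in prioritise(NEW_EVENTS, HISTORY):
        print(f"{r['priority']:>5}  {r['user']:<6} {r['resource']:<12} {'; '.join(r['reasons'])}")
```

With the constructed data, alice's 02:17 payroll access from a new country on a new device lands at the top (priority 25.0), bob's new-country access to the source repository is second (8.0), and bob's late-night wiki read, although anomalous, sits near the bottom (0.5) because the asset carries little business value. That ordering is the point of the article's "business-driven" framing: the same anomaly score means different things on different assets.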
About the Author Peter Tran is an Advanced Cyber-defense Technology, Security Operations Practitioner and Executive Leader with over 18 years of demonstrated field experience focused on developing, implementing and growing cutting edge cyber-counterthreat, exploitation solutions and operations to address new innovations, applications and applied information security defence methods. As the GM & Senior Director for RSA’s Worldwide Advanced Cyber Defence (ACD) Practice, Peter is responsible for global cyber defence strategy, breach readiness, security operations design/implementation, intelligence and proactive computer network defence solutions and services. Prior to RSA, Peter led Raytheon’s commercial cyber professional services and solutions business as well as its Enterprise Security Operations and Cyber Threat Programs for SOC/CERT, intelligence, APT threat analysis, technical operations, exploitation analysis and adversarial attack methodologies research/tools development. He possesses over 18 years of combined government, commercial and research experience in the field of computer network forensics, exploitation analysis and operations.



10 Cybersecurity startups to watch in 2017

By Tony Campbell Editor

A recent influx of investment capital into cybersecurity has driven innovation and expansion in startup communities all around the world. Cybersecurity is now a red-hot business proposition, which is why new companies, even when they are still in their infancy, can create entirely new segments of the cybersecurity industry, with areas of focus such as security risk mitigation, cloud security and adaptive behavioral modelling technologies. After seeing all the big players at the RSA Conference in February 2017, here are ten of the most exciting new cybersecurity startups to watch in 2017.

10 | Darktrace
Darktrace focuses on a cyber “immune system” to manage and mitigate threats to network security in an enterprise or industrial setting, using adaptive machine learning technology based on Bayesian mathematics. The company was founded in 2013, and received over $25 million in funding during 2016 alone. CEO: Nicole Eagan Headquarters: Cambridge, United Kingdom Founded: 2013 www.darktrace.com

9 | Evident.io
Evident.io provides security and compliance monitoring for Amazon Web Services, public cloud services, infrastructure as a service and platform as a service. Their software allows for real-time monitoring and security alerts for companies operating in the cloud. Evident.io was founded in 2013 and had a $22 million funding round in 2016. CEO: Tim Prendergast Headquarters: California, United States of America Founded: 2013 https://evident.io

8 | IntSights
IntSights’ software subscription allows companies to detect, analyze, and remediate cyber-attacks on their infrastructure in real time. The company was founded in 2015 and has already had a $15 million funding round this year. CEO: Guy Nizan Headquarters: New York, United States of America Founded: 2015 https://intsights.com

7 | Kenna
Kenna security software is a risk intelligence platform intended to prioritize and mitigate vulnerabilities within a company’s infrastructure in a matter of minutes. This is particularly important for companies that need to provide risk reports to their stakeholders on a regular basis. Kenna was founded in 2011 and had a $15 million funding round in late 2016. CEO: Karim Toubba Headquarters: San Francisco, United States of America Founded: 2011 www.kennasecurity.com

6 | PerimeterX
PerimeterX offers behavior-based defense against automated or non-human cyber-attacks. The company was founded in 2014 and had a $12 million funding round in early 2016. CEO: Omri Iluz Headquarters: San Mateo, United States of America Founded: 2014 www.perimeterx.com

5 | Phantom
Phantom was founded in 2014, and provides an automated security and orchestration platform that can perform incident response, triage, and remediation. The company has already received $13.5 million in funding in 2017. CEO: Oliver Friedrichs Headquarters: Palo Alto, United States of America Founded: 2014 www.phantom.us

4 | RiskIQ
RiskIQ, founded in 2009, provides risk monitoring technology for online threat detection concerning a brand’s customers. RiskIQ had a $25+ million funding round in 2016. CEO: Elias (Lou) Manousos Headquarters: San Francisco, United States of America Founded: 2009 www.riskiq.com

3 | Skybox Security
Skybox Security is the most senior company on this list, founded in 2002; however, they had an impressive $96 million investment in 2016 from private equity. Skybox offers a security analytics and intelligence platform for companies operating in the cloud. CEO: Gidi Cohen Headquarters: San Jose, United States of America Founded: 2002 www.skyboxsecurity.com

2 | Cynet
Cynet is a newer cybersecurity company, founded in 2015. They provide threat detection and incident response for enterprise companies. They had a $7 million funding round in early 2016. Their software provides endpoint detection and remediation, user behavior analytics, network analysis, and system forensics in a single platform. CEO: Eyal Gruner Headquarters: New York, United States of America (and Rishon Lezion, Israel) Founded: 2015 www.cynet.com

1 | Fireglass
This company was founded in 2014, and had a significant $20 million funding round in 2016. Fireglass offers a network security and isolation platform to companies operating in the cloud, aimed at removing threats and stopping security breaches in real time. CEO: Guy Guzner Headquarters: New York, United States of America (and Tel Aviv, Israel) Founded: 2014 https://fire.glass

