RSA 2017: Day 3
The Machines are Learning
On average, a small business of 100 employees with a typical number of servers and network devices generates about 10GB of raw log data every day. The network devices, servers, and workstations create this data themselves, logging what is happening in the network environment. That works out to roughly 3.6TB of raw log data every year. At that volume it is nearly impossible for a human to read, process, analyze, and correlate all of it; at the very least it is one or more full-time jobs, which is not realistic. Scale that on an exponential curve as the business grows and the problem compounds.

This was the overall theme conveyed on Day 3 of RSA. Machine learning, artificial intelligence, and adaptive sensors are all being advocated, built, and deployed to help combat log fatigue. The machines are learning, and they are learning faster and in more meaningful ways. Alphabet’s (Google) Eric Schmidt shared his deep knowledge of artificial intelligence (AI) and how Google is using AI in most of its service-delivery areas. From multi-layered, multi-dimensional neural networks to machine vision, Google has clearly fulfilled its founders’ original vision of it being an AI company, so much so that it has shifted to an ‘AI-first’ model.

Major Security Operations Center (SOC) management platforms have long touted machine-learning abilities. This year it was obvious that these are no longer ‘limited’ abilities. Several platforms have shifted from a reactive machine-learning algorithm to a retroactive predictive model. How is that possible, you ask? Retroactive seems to be the opposite of predictive. Simply put, the systems look back through all captured traffic and log data and reassess their earlier threat decisions. Using this data they train themselves on what actually was malicious activity, then apply that understanding forward on an ongoing basis.
So, how does this impact smaller businesses? Is it just for the enterprise? Fortunately, the answer is no: this is not technology reserved for governments and enterprises. In fact, several leading authorities from the SANS Institute commented publicly at RSA that a shift is coming in the near future in which the bad guys will pivot from larger healthcare organizations to smaller banks and financial institutions. Remember all of those embarrassing hospital attacks? The attack on Cigna? All of the well-publicized healthcare organizations held for ransom? We can look forward to seeing the same applied to smaller banks and financial institutions. This warning is a rare opportunity to prepare for what, by all accounts, will be an overwhelming season of attacks.
CIT has been promoting the concept of a coming pivotal shift of attacks from large enterprise to small business for some time. Why, you may ask, do we feel this shift is happening now? Simply, business economics, though not the economics you may think. We believe that at a point in the very near future, the bad guys will simply not realize enough of a return on the investment required to attack large enterprises. Simple business economics. While there will always be nation-state actors and persistent targeted attacks toward specific large businesses, we believe the bad guys will realize that they can get a larger return on their investment, in both time and money, by attacking smaller businesses. Today these targets, smaller businesses, are much softer than their large-enterprise counterparts. This forecast, combined with the rise of an affiliate attack model, will breed a new era of opportunistic attacks. Small businesses are squarely in the crosshairs of these attacks and are generally woefully underprepared. So, what can be done? Let’s explore some practical applications of information security concepts.
First, let’s get this out of the way: a firewall is no longer enough. Attackers are smarter and can walk right through nearly all firewalls. With that said, let’s dive in.
1.) Apply excellent network hygiene: CIT promotes the adoption of the 20 Critical Security Controls (20CSC). The #1 control is summarized as “know what’s on your network”. Doing this well is difficult. Really difficult. It includes ensuring that you acquire hardware and software from trusted sources. It requires that you know exactly what has access to your network, when, and from where. There is a very good reason that this is the #1 control: it’s the most effective method to safeguard your information and business systems.
2.) Get really good at detection: How do you know if you are under network attack? It’s nothing like it is in the movies. There are no explosions, flickering lights, or other Hollywood dramatics. Attackers move very slowly down the kill chain and intentionally try to stay under the radar. Here in North Carolina, we could relate this to proper BBQ technique: “low and slow”. What must smaller organizations get better at detecting? Strange or anomalous network traffic, system behavior, and ever-so-slightly-out-of-the-ordinary log data. This means implementing network intrusion detection, host intrusion detection, system process control technologies, and a very strong network perimeter. That perimeter should make it more difficult for traffic to get out than to get in. Implementing a SIEM lets a machine correlate all of the data generated by your systems to help find the needle in the stack of needles.
3.) Patch your humans: You patch, or should patch, the operating systems and applications throughout your environment. These patches fix problems, or ‘bugs’, in the software: places where the programmers made a mistake or overlooked some interaction. Why is anyone surprised when “Bob from accounting” clicks on a spearphishing email and lets the bad guys into the network? If Bob has not been trained or made aware of the latest spearphishing campaign, how is he supposed to know of the threat and its associated risk? Simple phishing drills are no longer enough, nor are annual CBT training videos. Delivering meaningful and very timely threat intel and training to end users is critical to keeping the bad guys out. This training is not only to raise their awareness of ongoing threats but also to keep them apprised of their importance to the organization’s cybersecurity posture.
4.) Know the 4W’s of your data: Who has access to the data; Where is the data stored and backed up; What is the backup schedule for each type of data; When was the last fully successful and tested backup taken. If you can’t answer those questions quickly, then act, and act quickly. This extends to your workstations and end-user devices.
5.) Improve data protection: In 2017 there is no reason for an organization of any size to have inadequate backups. In an era of crypto-ransomware, doxing, and data weaponization (more on this later), data backup using the 3-2-1-0 methodology is critical: 3 copies of your data, stored on 2 different types of media, with 1 copy offsite, and 0 backup failures or exceptions.
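As an added illustration (not CIT’s tooling and not part of the original post), the following Python scores a constructed backup inventory against the 3-2-1-0 rule from item 5 and answers the 4W’s from item 4. Dataset names, locations and dates are made up, and it assumes the primary copy counts as one of the three.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Copy:
    location: str               # Where the copy lives (constructed names)
    media: str                  # media type, e.g. "disk", "tape", "object"
    offsite: bool
    last_success: date          # last job that completed without error
    failed_jobs: int            # failed or skipped jobs in the current cycle
    last_restore_test: Optional[date] = None  # last verified restore, if any

@dataclass
class Dataset:
    name: str
    owner: str                  # Who is accountable for access to the data
    schedule_days: int          # What the schedule promises: max age of a good copy
    copies: List[Copy] = field(default_factory=list)

def assess_3210(ds: Dataset, today: date) -> dict:
    """Return which of the 3-2-1-0 criteria the dataset currently satisfies.
    Assumption: the primary copy is one of the three; only copies no older
    than the promised schedule count toward the 3, 2 and 1."""
    fresh = [c for c in ds.copies if (today - c.last_success).days <= ds.schedule_days]
    return {
        "3_copies": len(fresh) >= 3,
        "2_media": len({c.media for c in fresh}) >= 2,
        "1_offsite": any(c.offsite for c in fresh),
        # "0 failures or exceptions": no failed jobs and a verified restore exists
        "0_failures": all(c.failed_jobs == 0 for c in ds.copies)
                      and any(c.last_restore_test is not None for c in ds.copies),
    }

def four_ws(ds: Dataset) -> dict:
    """Answer the 4W's: who, where, what schedule, when last tested."""
    tests = [c.last_restore_test for c in ds.copies if c.last_restore_test is not None]
    return {
        "who": ds.owner,
        "where": sorted(c.location for c in ds.copies),
        "what_schedule_days": ds.schedule_days,
        "when_last_tested": max(tests) if tests else None,
    }

# Constructed sample inventory (not real infrastructure).
TODAY = date(2017, 2, 16)
PAYROLL = Dataset("payroll", "finance-lead", 1, [
    Copy("hq-san", "disk", False, TODAY, 0, date(2017, 2, 1)),
    Copy("hq-nas", "disk", False, TODAY, 0),
    Copy("cloud-bucket", "object", True, TODAY - timedelta(days=1), 0),
])
FILESHARE = Dataset("fileshare", "it-ops", 1, [
    Copy("hq-san", "disk", False, TODAY, 0),
    Copy("hq-nas", "disk", False, TODAY - timedelta(days=9), 2),
])
```

Any criterion reported as False is a gap to close before ransomware finds it; the stale copy and failed jobs on the constructed fileshare would fail every check.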
6.) Extend the sphere of (risk) control: Most businesses aren’t contained within the four physical walls of their facility or facilities. There are remote users; mobile devices equipped with email, VPN, and file synchronization; contractors; and business partners or vendors. Every one of these poses a unique threat to your organization’s information and systems. Extending need-to-know access and administratively enforced secure device configurations throughout the whole organization radically improves security and decreases the risk introduced by the universe of devices connecting to the organization. This should extend to all internal, mobile, remote, and VPN-attached nodes on the network, without exception.
7.) Look inward: The attackers are growing smarter. They are well funded, educated, and extremely good at their craft. They know that it is growing increasingly difficult to get past the gauntlet of network defenses businesses are putting up. So, rather than trying to crash the party and run the gauntlet, they get themselves invited as a guest: a guest of your employees and/or contractors. There are commonly ads running on Craigslist for “Insider wanted” at many major organizations. These schemes are sometimes disguised as get-rich-quick offers of hundreds to tens of thousands of dollars for simple cooperation. Often this is simply providing information or visiting a website. Implement an insider threat program. Segregate duties and responsibilities. Rotate duties between personnel. These techniques can help identify rogue insiders.
8.) Iterate and adapt: A new threat is discovered hourly. The vectors of attack change regularly. Stay informed of the newer attacks and threats to your business. This doesn’t include any major TV network; what you hear on the news about anything cyber-related seems to be misreported more often than it is accurate.
The experts and industry represented at RSA are pointing toward the huge volumes of data that our business information systems are creating to warn us that we must look to this data to find ever-elusive attackers. CIT has experience in deploying the required technologies, processes, and validation exercises to secure your organization.
Contact us today to learn how we can help you secure your organization!