Posts Tagged ‘anti-virus’

The big cybersecurity challenge: Time-to-detection

July 29, 2015

Do you sunbathe? You shouldn’t in this day of hypersensitivity about skin cancer. But if you do, the sunlight falling on your liver-spotted, lizard-like skin has been traveling through space for about nine minutes. When you gaze at the night sky and see Alpha Centauri, you probably remember from grade school that light from that nearby planet takes about 4.3 years to get to earth.

If something like a Burning Man festival were held on Alpha Centauri, you wouldn’t know about it until 4.3 years after it was over. Too late to load up your Airstream and get there in time for the fun. Most stars are so far away, they probably collapsed into black holes a billion years ago, yet all we see is merry twinkling millennium after millennium.

Not to over-dramatize, but this is how things are in cybersecurity — specifically intrusion detection. When the Office of Personnel Management was patching its systems, it discovered its great breach, months after the break had occurred. It might have been still more months before anyone noticed the anomaly. It reminds me of a corny roadside display in Pennsylvania when I was a kid. A sign on a little barn said, “World’s Biggest Steer Inside.” When you pulled over and peered in the window, you saw a big jagged hole in the back of the barn, a chain lying in the dirt, and another sign, “Too bad, guess he got away!” There must’ve been a gift shop or goat’s milk fudge stand nearby.

This is one of the big problems with modern-day cyber attacks. Too often, IT and security staffs only find out about them long after the damage has been done and the hackers moved on to other soft targets. If it takes seconds or minutes to exfiltrate data, what good does discovering it do next year?

I recently spoke with John Stewart, one of the top security guys at Cisco. The topic was Cisco’s Midyear Security Report. Here’s my summary: Federal IT and security people, like everyone else, have plenty to worry about. Like the fact that a thousand new security product vendors have started up in the last five years, yet most of them sell non-interoperable software. Or that the white-hat, good-guys side of the cybersecurity equation is literally about a million qualified people short.

Yet among the most seemingly intractable problems lies time-to-detection, or how long on average it takes for organizations to find out they’ve been hacked. This makes it likely that many more successful attacks have occurred than systems administrators are aware of. Stewart says most of the data show that IT staffs routinely take months to detect breaches. A major goal of the products industry and practitioners’ skill sets must therefore be getting time-to-detection down to seconds. At this point, I’ll bet many federal agencies would be happy with days or hours.

Malicious hackers aren’t standing still, the Cisco report points out. They’re switching vectors and modalities at lightning speed. They’re using wealth transfer techniques that stretch law enforcement’s ability to detect. Stewart says systems like Bitcoin and the murky avenues of the dark web don’t include or even require the typical middlemen of the surface financial transaction world — such as banks, transfer networks, mules. He describes the bad-hacker industry using a term the government likes to use for itself: innovative.

Embedded IP domains and fungible URLs, jacking up data write-rewrite cycles to dizzying speeds, or quietly turning trusted systems into automated spies in the time it takes someone to go for coffee — that kind of thing. You might call it agility. They’re dancing circles around systems owners. The hacking community has become wickedly innovative at evading detection, Stewart says, exploiting the common systems and software everyone uses routinely.

He adds that the motivations of bad hackers have blossomed into a veritable bouquet. They go after systems for espionage, theft of money or intellectual property, terrorism, political activism, service disruption and even outright destruction. That’s a good case for the so-called risk-based approach to cybersecurity planning. If you’re a utility, disruption or destruction is more likely to be the hackers’ goal. If you’re a database of people with clearance, espionage and theft are good bets.

Answers? As cybersecurity people like to say, there is no silver bullet. Stewart says nations will have to cooperate more, tools will have to improve, people will have to get smarter. Cisco hopes to build some sort of architecture framework into which the polyglot of cyber tools can plug, reducing what he calls the friction of integration.

For now, a good strategy for everyone connected to cybersecurity is to bore in on the essential question: How soon can we know what’s going on?

Numbers tell the tale of the #OPMbreach

June 25, 2015

Some big stories become defined by the people and the emotions connected to them. The earliest news memory burned into my gray cells occurred on November 22, 1963. Emerging from my third grade classroom, I recall the emotions of the clustering Walking home, I remember my mother in tears before our black-and-white RCA console TV, declaring to me and, I guess, heaven, “Someday there will be another Kennedy in the White House!” I’m not certain I have direct memory of Walter Cronkite pulling off his heavy glasses, having seen the kinescopes of that moment replayed periodically through the years.

We remember other big stories for their remarkable numbers and statistics. Not that it lacks emotional content, but the Bernard Madoff crime is notable for its sheer audacity of size, expressible in lurid statistics: 11 federal felonies, $65 billion in fraudulently stated gains, 150 years in the slammer. Who knows, the word “Madoff” could well replace the word “Ponzi” in the vernacular reference to really big frauds against innocent individuals.

OPM’s data breach, which has spawned its own hashtag — the new form of vernacular among what might kindly be called the vulgate — is a numbers story, leavened by the justifiable frustration and anger of the employees involved. Mike Causey likens this story to The Blob (one of my all-time favorite movies). Here the horror is underscored by numbers:

  • 4.2 million feds and retirees affected
  • 14 million more in another breach that claimed data from SF-86 forms
  • 18 million Social Security Numbers may have been purloined, according to testimony from OPM Administrator Katherine Archuleta.
  • Two hour waits to reach someone on the telephone at contractor CSID
  • 36 hours between OPM hanging out the notice of the credit monitoring services requirement and awarding a contract.
  • $21 million for the credit monitoring services so far.
  • 15 points in the plan OPM came up with for fixing its cybersecurity vulnerabilities
  • 1 direct report cybersecurity advisor working for Archuleta

This is one of those drip-drip stories in which details come out serially, although not all that clearly. From one of the congressional hearings we got a sense of how much more money OPM thinks it will need. In a kind of symmetry, Archuleta says OPM may need still another $21 million in 2016 to button up its systems. The agency has asked for a total of $32 million more for 2016, but is also saying the total cost of the breach could be as high as $80 million. That figure won’t buy a wing assembly for an F-35, but it’s a significant figure against OPM’s roughly $400 million spending authority.

In business, bad results tend to bring on one of two outcomes. Either your budget gets cut. Or the money becomes available to fix the problem, but you don’t get to spend it because you’re gone.

So where are all the numbers and this story headed? It’s not over yet. We still don’t know the full extent of how many names, Social Security numbers and SF-86 forms were taken. When that many people are affected, it’s hard to make it disappear. We still have yet to learn the motivation of the data thieves, which means millions will be holding their breath for a long time.

As an unseen benefit, every other agency is scrambling to make sure it’s not the next OPM. One departmental CIO told me as much just the other day. Software vendors will have Christmas in the summer as agencies get serious about two-factor authentication, continuous diagnostics and mitigation and the tools that go with them. Homeland Security is scrambling to get Einstein 3A into place. So, some silver linings.

No TV news anchor pulled off his glasses and put them on again to mask emotional turmoil over the OPM breach. But at least the lessons learned, as the government likes to say, will stick this time.

One way to secure the weak chain link

April 10, 2010

The enterprise IT market is becoming crowded with specialized products aimed at cyber security. Many of them adapt packet analysis on IP networks. Taking advantage of the fact that switching operates essentially at wire speed and that the cost of storage, in dollars per terabyte, keeps falling, these products capture all packets, in some cases replicating them offline for forensic analysis, in others analyzing packets as they flow by and recording metrics to a log.

Some, such as Solera Networks, look purely for anomalies indicating cyber threats. They record and can play back, almost like tape, recent network activity, with the added function of deep inspection of each packet. Real traffic can be compared to a database of known worms and viruses, but looking for new threat behaviors must happen offline.

Other products, like Splunk, are used partly for cyber forensics and partly for application monitoring. They also use the packet coming into the network as the basic element for understanding of, and visibility into, the network.

These products are located at the network hub, typically as a dedicated rack appliance, and they report either through their own dashboard or via another network monitor.
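To make the two ideas above concrete, here is an added example (not code from Solera Networks, Splunk, or this blog) of what an inline packet analyser does as traffic flows by: it writes per-flow metrics to a log, and it raises an anomaly alert when an internal host pushes an unusual volume to external addresses inside a short window. It also reports how long the alert lagged behind the host's first outbound packet, which is the time-to-detection question the July 2015 post above turns on. The packet records, the 10.0.0.0/8 internal prefix, and the external addresses (RFC 5737 documentation ranges) are all constructed; a real deployment would read from a capture appliance or a pcap file instead.

```python
"""Sliding-window flow metrics over captured packets, plus the lag between a
host's first external packet and the alert. Added illustration only: not code
from Solera Networks, Splunk, or the post's author. All packet records and
addresses below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture (constructed)
    src: str
    dst: str
    nbytes: int


# Constructed capture: 10.0.0.5 is a quiet host; 10.0.0.7 starts a burst of
# full-size packets to an external address two seconds in.
SAMPLE_CAPTURE = [
    Packet(0.0, "10.0.0.5", "10.0.0.1", 120),
    Packet(0.5, "10.0.0.5", "198.51.100.2", 200),
    Packet(1.0, "10.0.0.7", "10.0.0.1", 100),
    Packet(1.5, "10.0.0.5", "198.51.100.2", 200),
] + [
    Packet(ts, "10.0.0.7", "203.0.113.9", 1400)
    for ts in (2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9)
]


def is_internal(addr, prefix="10."):
    """Assumption for this example: the internal network is 10.0.0.0/8."""
    return addr.startswith(prefix)


def flow_metrics(packets):
    """Per-flow totals of the kind an inline analyser writes to its log:
    {(src, dst): (packet_count, total_bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for p in packets:
        totals[(p.src, p.dst)][0] += 1
        totals[(p.src, p.dst)][1] += p.nbytes
    return {flow: tuple(v) for flow, v in totals.items()}


def detect_outbound_bursts(packets, window_s=5.0, threshold_bytes=10_000):
    """Alert when an internal host sends more than threshold_bytes to external
    addresses within any window_s span.

    Returns {host: (alert_ts, time_to_detect_s)}, where time_to_detect_s is the
    lag between the host's first external packet and the alert."""
    recent = defaultdict(list)   # host -> [(ts, nbytes)] still inside the window
    first_external = {}          # host -> ts of its first external packet
    alerts = {}
    for p in sorted(packets, key=lambda pk: pk.ts):
        if not is_internal(p.src) or is_internal(p.dst):
            continue             # only internal -> external traffic counts
        first_external.setdefault(p.src, p.ts)
        window = recent[p.src]
        window.append((p.ts, p.nbytes))
        while window and window[0][0] < p.ts - window_s:
            window.pop(0)        # expire packets older than the window
        if p.src not in alerts and sum(n for _, n in window) > threshold_bytes:
            alerts[p.src] = (p.ts, p.ts - first_external[p.src])
    return alerts


if __name__ == "__main__":
    for flow, (count, total) in sorted(flow_metrics(SAMPLE_CAPTURE).items()):
        print(f"flow {flow[0]} -> {flow[1]}: {count} pkts, {total} bytes")
    for host, (ts, lag) in detect_outbound_bursts(SAMPLE_CAPTURE).items():
        print(f"ALERT {host}: burst at t={ts:.1f}s, "
              f"detected {lag:.1f}s after first external packet")
```

Running it on the constructed capture logs two external flows and one alert for 10.0.0.7, raised at the eighth large packet, 0.7 seconds after that host first talked to the outside. The threshold and window are the tuning knobs: set them too loose and the burst finishes before the alert fires, which is the "seconds to exfiltrate, months to notice" gap the earlier post describes.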

But security and network administrators also have to worry about a constant source of cyber evils, namely the end points their networks support. The bulk of end points are PCs. Judging from the attack patterns, the traditional anti-virus products and personal firewalls don’t seem to be that effective at stopping worms and viruses from reaching the network servers.

I spoke the other day with Aaron Barr, who heads up a four-month-old federal unit of HB Gary, whose Digital DNA resides in the RAM of PCs on the network. That’s where malware lives, and from where its behavior can be seen and analyzed by looking into the code itself. Looking at behavior is distinguished from looking at profiles, as standard anti-virus products do. Barr said detecting behavior — for instance, keystroke logging — is preferable because it takes into account the fact that malware self-morphs as a way of evading profile-based detection.

Keep in mind that analysis and reporting tools are not intended for search-and-destroy, but rather to give the network operations staff a near real-time picture of what is going on and whether there are dangerous infections aimed at capturing keystrokes or other information.
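The distinction Barr draws, profile matching versus behavior matching, is easy to see side by side. The following added example is not HB Gary's Digital DNA and not the author's code; it treats the "code image" of each sample as a constructed byte string, and the runtime behavior as a constructed ordered trace of coarse actions. A profile check hashes the image and looks it up; a behavior check asks whether the trace contains, in order, the steps a keystroke logger cannot avoid (hook keyboard input, persist what was captured, send it out). The repacked sample shows why the profile fails, and the two benign samples show why a behavior rule needs the whole ordered pattern rather than any single action.

```python
"""Profile (signature) detection beside behavior detection, as an added
illustration; not HB Gary's Digital DNA or the post's code. The 'images' and
the runtime event traces below are constructed stand-ins."""
import hashlib
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    code: bytes     # stand-in for the code image seen in RAM (constructed)
    events: list    # constructed trace of observed runtime actions, in order


# Profile-based detection: the hash of one known-bad image (constructed).
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed keylogger v1 image").hexdigest()}

# Behavior-based detection: the actions, in order, that a keystroke logger has
# to perform no matter how its bytes are arranged.
KEYLOG_BEHAVIOR = ("hook_keyboard", "write_file", "network_send")


def signature_match(sample):
    """True only if this exact image is already in the signature set."""
    return hashlib.sha256(sample.code).hexdigest() in KNOWN_BAD_HASHES


def behavior_match(sample, pattern=KEYLOG_BEHAVIOR):
    """True if every step of `pattern` appears in the trace, in that order
    (unrelated events may sit in between)."""
    trace = iter(sample.events)
    for step in pattern:
        # any() consumes the trace up to and including the matching event,
        # so later steps can only match later in the trace.
        if not any(ev == step for ev in trace):
            return False
    return True


SAMPLES = [
    Sample("keylogger_v1", b"constructed keylogger v1 image",
           ["hook_keyboard", "write_file", "network_send"]),
    # Same behavior, bytes rearranged: the profile no longer matches.
    Sample("keylogger_v1_repacked", b"constructed keylogger v1 image (repacked)",
           ["hook_keyboard", "sleep", "write_file", "sleep", "network_send"]),
    # Legitimate hotkey utility: hooks the keyboard but never ships data out.
    Sample("hotkey_tool", b"constructed hotkey tool image",
           ["hook_keyboard", "show_window"]),
    # Editor with cloud save: writes and sends, but never hooks input.
    Sample("editor", b"constructed editor image",
           ["read_file", "write_file", "network_send"]),
]


def triage(samples):
    """{name: (signature_hit, behavior_hit)}, the picture an operations
    dashboard would show for each process image."""
    return {s.name: (signature_match(s), behavior_match(s)) for s in samples}


if __name__ == "__main__":
    for name, (sig, beh) in triage(SAMPLES).items():
        print(f"{name:24s} signature={sig!s:5s} behavior={beh}")
```

On the constructed samples the original logger trips both checks, the repacked copy trips only the behavior check, and neither benign program trips either. That last point is the caveat for anyone tuning such rules: a keyboard hook on its own is also what accessibility tools and hotkey utilities do, so the rule has to key on the full sequence, and the result is a report for the operations staff to act on, not an automatic kill.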

Now the question is whether the mechanism exists for organizations to efficiently share information on threats so that response isn’t always a step behind the perps putting malware into the wild, where it hunts for vulnerable organizations.