
Surprise, It’s All Broken Again – The Scale Pivot

POSTED ON 03 JULY 2017 // BY BILL MCINNIS

To understand what we are currently trying to solve in the cyber security industry, it helps to think about where we have been. We need to look back at some key points over the last almost 20 years to illustrate the fundamental shifts in the industry. The beauty of this exercise is that it lets us have an honest discussion about what we are trying to accomplish, above the threatening chaos of the current situation and the financial fascination with our industry at the moment.

In short, I have identified what I believe are the three key pivots of the last two decades. First was the Diversity Pivot, second was the Sophistication Pivot, and I propose that we are currently in the Scale Pivot. Each of these started with the realization that everything is broken and ushered in new tech (or new applications of old tech) to help close those gaps. Each created new billion-dollar companies and a new way of viewing how effective cyber security programs and operations are conducted, fundamentally changing the way we approach our daily efforts.

The Diversity Pivot

Spyware, Phishing, Pharming, Vishing, Email Authentication, Behavior-Based – those are some of the key words that came into the lexicon in the early 2000s. Up until that point, we thought that if we kept our AV up to date, we were good to go. Once we learned of people being tricked into entering credentials, getting calls from phone numbers that appeared to be their bank, and cool apps and programs for our desktops that were collecting information about everything we did, the realization came that everything was broken and we had major gaps in our security. The general public and large organizations became aware of the DIVERSE nature of the threats and that there was a gap in our collective security. The Diversity Pivot had an effect on the security market, contributing to the meteoric rise and acquisition of companies such as Webroot, CipherTrust, IronPort, WholeSecurity and others.

The Sophistication Pivot

APT, Spear Phish, RootKit, Zero-Day, Sandbox – those were some of the words that came into our lexicon in the early 2010s. Up until that point, we, as an industry, were starting to authenticate email, we were taking down phishing sites quickly, we felt we were getting better at stopping money and data from leaking out of our accounts by not clicking on links for account information, we were enhancing logins, and then it happened. Operation Aurora hit the news like something out of a movie: Google, the company with more PhDs than any other organization on the planet, had been hacked. That was when we learned that not all of the actors were loud criminals who wanted to post pictures of themselves in front of Ferraris on MySpace and Facebook. We learned that apparently there were people whose sole job appeared to be hacking YOUR organization. And they were good at it. We learned that they did research, wrote malware just to target your organization, and apparently tested it against AV engines and the like before they sent it. They were, and most definitely still are, SOPHISTICATED. For years some vendors were screaming at us that everything was broken, and most of us didn’t believe them; then all of a sudden, we did. The realization hit that we needed better visibility, we needed to check files coming into our enterprise, and we needed to know more about the threats. The security market responded to this pivot with aggressive growth of companies such as FireEye, NetWitness, ArcSight, Palo Alto, Fortinet and others.

The Scale Pivot

Threat Intel, Threat Feeds, Information Sharing, STIX/TAXII, Cyber Kill Chain, Reverse Engineering, Endpoint Protection, Orchestration, Threat Intel Platform – these are some of the phrases entering organizations’ vocabulary as we speak. In 2009 Internet Identity (IID) was one of the first organizations, if not the first, to come to market with a list of recently active or ongoing threats. These were phishing sites that IID had identified and deactivated, along with lists of threatening IP addresses based on their research. The identified threats numbered in the thousands, and folks were amazed at that number! Fast forward to 2016 and the number across the numerous threat feed providers in the marketplace today is in the millions, every day. So, when compared to the solutions put in place over the last decade, the math has caught up and taken over. That is what is driving the underlying evolution in security technology today. When you dig into the need for information sharing, the need for orchestration, the need to understand where a valid threat fits in the cyber kill chain, the root cause of those needs is the need to function at a SCALE never before seen.

Put it all together and the story goes something like this: at each pivot point, organizations have thought, “We are good. We have [insert solution from last pivot response here],” and then comes the event and the collective realization: “Oh, crap, it’s all broken again,” and we seek a solution to fill the new-found gaps in our network and operations security.

It is the scale problem, that Scale Pivot, that exponentially growing threat situation, that turned my attention to Bandura. Everything is broken again, and until your organization can sit down and say it, you might as well put all your data on thumb drives and mail it to the adversaries, to at least save some of the bandwidth costs from it flying off your network. You should also be prepared to kiss your best cyber-defenders goodbye, because they know it’s broken, and if you won’t give them the tools, they will find places that will. It’s no fun to sit around and watch a train wreck, especially when you will be the one getting blamed.

Likewise, if you are in management and reading this and your CISO tells you they have it covered, ask them how many new technologies they have looked at in the last 6 months that don’t come from one of the major brands that love to take them to expensive dinners and invite them to outlandish conferences where they get put on stage as the keynote speaker. Innovation is coming from new, fast-moving companies such as ThreatQ, ReversingLabs, Phantom, RiskIQ, Polarity, DarkCubed, and others. Ask your CISO specific questions about how they are dealing with the scale of things. Can they hold and action millions of Indicators of Compromise (IOCs)? That is one of the challenges of today. Time to think bigger! Thinking that your recent firewall upgrade will cut it is not the solution, as even the beefiest firewalls can, at most, action a few hundred thousand IOCs, leaving valuable intelligence on the cutting room floor. Worse than that, it can overwhelm your team when you then dump the rest of them into a SIEM and have your team play the matching game all day between threat feeds and your logs, chasing down PCAPs to see if something fired. It may not have fired, and it is probably not a false positive, but it could have not fired for many other reasons (another blog post on this in the future). And when you do finally find a match that did fire, if it is from a sophisticated actor there are probably so many holes in your network from the bad actor that you will never find them all. What an incredible waste of time for your team and their talents. It is a sign that something is broken in your architecture, not of a highly functioning team, and it probably makes them want to find new jobs.

It’s a math problem – no amount of orchestration or artificial intelligence can solve that for you. Are you getting data from the AIS program at DHS? Do you have a relationship with your sector-specific agency (like HHS if you are in healthcare) or the Information Sharing and Analysis Center for your industry (FS-ISAC for financial, MS-ISAC for state and local, etc.)? Start adding all of the data available to you freely from organizations like these and from some of the security companies that also offer threat feeds (Webroot, CrowdStrike, Cyren, InfoArmor, iSIGHT Partners, and others) and you will find yourself with a lot more information than you can deploy. That said, it is legitimate information; there is just a lot of it. Do you really want to accept that you just can’t deploy it? Is that supposed to be the way it is?
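As an added illustration of the capacity problem described in the two paragraphs above (not code from this post or from Bandura), the following Python merges several constructed threat feeds, fills a bounded firewall block list with the best-corroborated indicators, and leaves the remainder for SIEM matching against constructed log lines. Feed names, confidence values, IP addresses, the capacity figure and the log format are all assumptions.

```python
"""Capacity-aware IOC triage: merge feeds, fill the firewall, match the rest in the SIEM."""
from collections import defaultdict
import ipaddress

# Constructed sample feeds (hypothetical source names, documentation-range IPs, confidence 0-100).
FEEDS = {
    "feed_a": [("198.51.100.7", 90), ("203.0.113.9", 60), ("192.0.2.1", 85), ("203.0.113.200", 40)],
    "feed_b": [("198.51.100.7", 80), ("203.0.113.9", 70), ("192.0.2.55", 30)],
    "feed_c": [("192.0.2.1", 95), ("203.0.113.200", 35), ("198.51.100.88", 50)],
}

# Constructed log lines in an assumed "timestamp src dst action" format.
SAMPLE_LOGS = [
    "2017-07-03T10:00:01 10.0.0.5 203.0.113.9 allow",
    "2017-07-03T10:00:02 10.0.0.6 192.0.2.1 deny",
    "2017-07-03T10:00:03 203.0.113.200 10.0.0.7 allow",
    "2017-07-03T10:00:04 10.0.0.8 192.0.2.77 allow",
]


def merge_feeds(feeds):
    """Dedupe IOCs across feeds. Score = best confidence plus 5 per corroborating feed, capped at 100."""
    seen = defaultdict(list)
    for name, entries in feeds.items():
        for ioc, conf in entries:
            ipaddress.ip_address(ioc)  # reject malformed indicators early (raises ValueError)
            seen[ioc].append((name, conf))
    merged = {}
    for ioc, hits in seen.items():
        score = max(conf for _, conf in hits) + 5 * (len(hits) - 1)
        merged[ioc] = {"score": min(score, 100), "sources": sorted(name for name, _ in hits)}
    return merged


def partition(merged, firewall_capacity):
    """Top-scored IOCs fill the bounded firewall block list; everything else is watched in the SIEM."""
    ranked = sorted(merged, key=lambda ioc: (-merged[ioc]["score"], ioc))
    return ranked[:firewall_capacity], set(ranked[firewall_capacity:])


def siem_match(log_lines, watch_set):
    """Return (timestamp, ioc, action) for every log line whose src or dst is in the SIEM watch set."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the matcher
        ts, src, dst, action = fields[:4]
        for ip in (src, dst):
            if ip in watch_set:
                hits.append((ts, ip, action))
    return hits


def triage(feeds, firewall_capacity, log_lines):
    """Run the full pipeline and report how much intelligence the firewall could not hold."""
    merged = merge_feeds(feeds)
    on_firewall, in_siem = partition(merged, firewall_capacity)
    return {
        "total_iocs": len(merged),
        "on_firewall": len(on_firewall),
        "left_for_siem": len(in_siem),
        "siem_hits": siem_match(log_lines, in_siem),
    }


if __name__ == "__main__":
    print(triage(FEEDS, firewall_capacity=2, log_lines=SAMPLE_LOGS))
```

The same arithmetic applies when the feeds hold millions of indicators and the firewall holds a few hundred thousand: the `left_for_siem` count is the intelligence that ends up in the matching game.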

So, in writing this, I hope the readers can be gentle on my memory, as I am sure I got some names and places wrong, but I don’t think you can argue the pivots. On a side note, and a bit out of scope for this post, below is a diagram that I think can have multiple uses, but that highlights the key components at the core of what we deal with each day. I think it also highlights how each is related to the others and explains what we are dealing with in threats like WannaCry or Petya (or whatever it actually is). Meaning: an actor and a threat is a problem for someone; when you add in the scale, it’s a problem for lots of people – so I figured I would call threats like WannaCry, Petya, Mirai, etc. a Hyper Threat and see if folks think that is a good name for it. Maybe I will follow up on these types of threats in a future blog post. They truly are different and highlight that scale is a gap in our defenses. They have put us on notice that scale will be used more and more until it becomes a normal part of each and every attack.

In closing, I hope that you, the reader, can work with your organization and help the industry get leadership to a point where we can all acknowledge that “Yes, it’s all broken again,” because until we acknowledge it and start to re-architect to address it, nothing will change; it will be a case of organizations saying “we’re good” and vendors saying “we are faster, smarter, find more, than the other folks.” Whereas if we acknowledge it, everything begins to change for the better. There will be new threats from new angles, but we can at least say we can plan and act on diverse threats, from sophisticated actors, at scale.


Bill McInnis
Bill McInnis helped to pioneer the commercialization of curated and contextual cyber threat feeds.
