POSTED ON 03 JULY 2017 // BY BILL MCINNIS
To understand what we are currently trying to solve in the cyber security industry it would be helpful to think about where we have been. We need to take a look back at some key points in the last almost 20 years to illustrate the fundamental shifts in the industry. The beauty of this exercise is that it helps us have an honest discussion about what we are trying to accomplish, above the threatening chaos of the current situation and the financial fascination with our industry at the moment.
In short, I have identified what I believe are the three key pivots in the last two decades. First was the Diversity Pivot, second was the Sophistication Pivot and I propose that we are currently in the Scale Pivot. Each of these started with the realization that everything is broken and ushered in new tech (or new applications of old tech) to help mitigate these gaps, which created new billion dollar companies and a new way of viewing how effective cyber security programs and operations are conducted, fundamentally changing the way we approach our daily efforts.
The Diversity Pivot
Spyware, Phishing, Pharming, Vishing, Email Authentication, Behavior-Based – those are some of the key words that came into the lexicon in the early 2000’s. Up until that point, we thought if we kept our AV up to date, we were good to go. Once we learned of people being tricked to enter credentials, getting calls from phone numbers that appeared to be your bank, cool apps and programs for our desktop that were collecting information about everything we did, then came the realization that everything was broken and we had major gaps in our security. The general public and large organizations became aware of the DIVERSE nature of the threats and that there was a gap in our collective security. The Diversity Pivot had an effect on the security market, contributing to the meteoric rise and acquisition of companies such as Webroot, Ciphertrust, Ironport, Whole Security and others.
The Sophistication Pivot
APT, Spear Phish, RootKit, Zero-Day, Sandbox – Those were some of the words that came to our lexicon in the early 2010’s. Up until that point, we, as an industry, were starting to authenticate email, taking down phishing sites quickly, felt we were getting better at stopping money/data from leaking out of our accounts by not clicking on links for account information, we were enhancing logins, and then it happened. Operation Aurora hit the news like something out of a movie, Google, the company with more PHD’s than any other organization on the planet had been hacked. That was when we learned that not all of the actors were loud criminals who wanted to post pictures of themselves in front of Ferraris on MySpace and Facebook. We learned that apparently there were people whose sole job appeared to be hacking YOUR organization. And they were good at it. We learned that they did research, wrote malware just to target your organization and apparently tested it on AV engines and the like before they sent it. They were, and most definitely still are SOPHISTICATED. For years some vendors were screaming at us that everything was broken, and most didn’t believe them, then all of a sudden, we did. The realization hit that we needed better visibility, we needed to check files coming into our enterprise, we needed to know more about the threats. The security market responded to this pivot with aggressive growth of companies such as Fireeye, Netwitness, Arcsight, Palo Alto, Fortinet and others.
The Scale Pivot
Threat Intel, Threat Feeds, Information Sharing, STIX/TAXII, Cyber Kill Chain, Reverse Engineering, Endpoint Protection, Orchestration, Threat Intel Platform – these are some of the phrases entering organizations’ vocabulary as we speak. In 2009 Internet Identity (IID) was one of, if not the first organization to come to market with a list of recently active or ongoing threats. These were phishing sites that IID identified and deactivated, as well as providing lists of threatening IP addresses based on their research. The identified threats numbered in the thousands and folks were amazed at that number! Fast forward to 2016 and the number across the numerous threat feed providers in the marketplace today is in the millions, every day. So, when compared to the solutions put in place over the last decade, the math has caught up and taken over. That is what is driving the underlying evolution in security technology today. When you dig into the need for information sharing, the need for orchestration, the need to understand where a valid threat fits in the cyber kill chain, the root cause of those needs is the need to function at a SCALE never before seen.
Put it all together and the story goes something like this: at each pivot point, organizations have thought- “We are good. We have [insert solution from last pivot response here]” and then, the event and the collective realization: “Oh, crap, it’s all broken again,” and we seek a solution to fill the new-found gaps in our network and operations security.
It is the scale problem, that Scale Pivot, that exponentially growing threat situation that turned my attention to Bandura. Everything is broken again, and until your organization can sit down and say it, you might as well put all your data on thumb drives and mail it to the adversaries to at least try and save some of the bandwidth costs from it flying off your network. You should also be prepared to kiss your best cyber-defenders’ goodbye because they know it’s broken and if you won’t give them the tools, they will find places that will. It’s no fun to sit around and watch a train wreck, especially when you will be the one getting blamed.
Likewise, if you are in management and reading this and your CISO tells you they have it covered, ask them how many new technologies they have looked at in the last 6 months that don’t come from one of the major brands that love to take them to expensive dinners and invite them to outlandish conferences where they get to be put on the stage as the keynote speaker. Innovation is coming from new, fast moving companies such as ThreatQ, Reversing Labs, Phantom, RiskIQ, Polarity, DarkCubed, and others. Ask your CISO specific questions about how are they dealing with the scale of things. Can they hold and action millions of Indicators of Compromise (IOCs). That is one of the challenges of today. Time to think bigger! Just thinking that your recent firewall upgrade will cut it is not the solution, as even the beefiest firewalls can, at most, action a few hundred thousand IOC’s, leaving valuable intelligence on the cutting room floor. Worse than that, it can overwhelm your team as you then dump the rest of them into a SIEM and have your team play the matching game all day on threat feeds and your logs, chasing down PCAPS to see if something fired. It may not have fired, and it is probably not a false positive, but could have not fired for many other reasons (another blog post on this in the future). And when you do finally find a match that did fire, if it is from a sophisticated actor there are probably so many holes in your network from the bad actor that you will never find them all. What an incredible waste of time for your team and their talents. It is a sign that something is broken in your architecture, not of a highly functioning team, and probably makes them want to find new jobs.
It’s a math problem – no amount of orchestration or artificial intelligence can solve that for you. Are you getting data from the AIS program at DHS? Do you have a relationship with your sector specific agency (like HHS of you are in healthcare) or the Information Sharing and Analysis Center for your industry (FS-ISAC for financial, MS-ISAC for state and local, etc)? Start adding all of the data available to you freely from organizations like this and some of the security companies that also offer threat feeds, Webroot, Crowdstrike, Cyren, Infoarmour, iSIGHT Partners, and others and you will find yourself with a lot more information than you can deploy. That said it is legit information, there is just a lot of it. Do you really want to accept that you just cant deploy it? Is that supposed to be the way it is?
So, in writing this, I hope the readers can be gentle on my memory as I am sure I got some names and places wrong, but I don’t think you can argue the pivots. On a side note and a bit out of scope for this post, below is a diagram, that I think can have multiple uses, but highlights the key components at the core of what we deal with each day. I think it also highlights the how each is related to each other and explains what we are dealing with threats like WannaCry or Petya (or whatever it actually is). Meaning an actor and a threat is a problem for someone, when you add in the scale, it’s a problem for lots of people – so I figured I would call the threats like Wannacry, Petya, Mirai, etc a Hyper Threat and see if folks think that is a good name for it. Maybe I will follow up on these types of threats in a future blog post. They truly are different and highlight that scale is a gap in our defenses. They have put us on notice that scale will be used more and more until it becomes a normal part of each and every attack.
In closing I hope that you, the reader, can work with your organization and help the industry get leadership to a point where we can all acknowledge that “Yes, it’s all broken again”, because until we acknowledge it and start to re-architecture to address it, nothing will change, it will be a case of organizations saying “were good” and vendors saying “we are faster, smarter, find more, than the other folks”, whereas if we acknowledge it, everything begins to change for the better, there will be new threats from new angles, but we can at least say we can plan and act on diverse threats, from sophisticated actors, at scale.
Bill McInnis helped to pioneer the commercialization of curated and contextual cyber threat feeds.