RSA Conference Day 2 - Wednesday

We are at RSA Conference in San Francisco this week, keeping current with the latest developments in the information security industry. With 40,000 attendees, this is one of the biggest annual events focused on security. We'll be summarizing the developments here in daily blogs, as well as live-tweeting the high points at our Twitter account @Path2Protection

Today was breakout/track sessions in the morning, with some keynotes in the afternoon. We also hit the expo floor hard today, but will cover that in a separate post.


"Giving the Bubble Boy an Immune System so He Can Play Outside" - Kevin Mahaffey

Kevin Mahaffey (@dropalltables) is the founder and CTO of Lookout, one of the first mobile-centric security/anti-malware companies.
This talk is intended to explore how many large and forward-thinking companies are removing many traditional elements of security architecture (e.g., anti-virus, VPNs, firewalls) in favor of a data-driven security model. The talk was given on 02 March 2016 at the RSA Conference in San Francisco.

REACTION:
I am a big fan of the concept of internal resilience and immunity as an approach to security, as opposed to building a bigger, better wall at the perimeter. This is a more and more important approach as mobile devices, BYOD, external cloud service providers, and other trends take hold in organizations. I'm not convinced that the data-driven approach is the road forward, though. Data analytics is a powerful tool, but at some point it becomes an exercise in navel-gazing. If you literally log and watch everything, including the system that is storing and analyzing the logs, the data grows virtually without limit. Big data technologies are making this more practical, but detection and remediation still lag. The ideas Kevin is sharing are very interesting, but these methods still seem like an enhancement to me, rather than a replacement for traditional security devices/software.

The best resource mentioned was the Google "Beyond Corp" paper.

 "Proactive Measures to Mitigate Insider Threat" - Andrew Case

​Andrew Case (@attrc), Director of Research at Volexity, an infosec advisory firm headquartered in Washington, DC. This talk was surprisingly well-attended; the most packed session I’ve been to. I guess insider threat is weighing heavy on people's minds these days?

REACTION:
Andrew's case examples were very interesting, and the strategies he gives are sensible, if not revolutionary. Limiting and monitoring the use of removable media and of cloud file sync/storage services is a strong recommendation which I make to many of my clients. Identifying where your key intellectual property is located and concentrating monitoring on those locations is another excellent recommendation. Separation of duties is a common requirement, but a difficult one for many organizations to implement. Tighter controls on users at termination and inventory of issued equipment down to the level of noting serial numbers of hard drives and other components of laptops is also a stretch for most organizations.

Keynotes:

I actually hit the vendor expo during the keynotes this afternoon, so I missed a lot of the keynotes. There were only two I found particularly interesting, and I took in enough of those to give some notes.

"Ascending the Path to Better Security" - Marty Roesch - VP & Chief Architect, Cisco Security Group
Marty addressed the issue of increasing complexity and diversity of security tools and technologies. He said that it's not necessarily true that "complexity is the enemy of security" as long as the complexity actually delivers increased performance, detection, prevention, and/or response. However, Marty argued that we are reaching a point of diminishing returns as we increase the complexity and sophistication of our security tools. The complexity curve continues to get steeper, but the gains in actual outcomes are diminishing at the same time. Marty said we need to do three things:
  • Integration - Interoperable security technologies that talk to each other to make them smarter.
  • Consolidation - Fewer "things" with more capabilities. To achieve this, we need true security "platforms" that are extensible with open programming interfaces so that others can build on them.
  • Automation - automate analytics by programmatically contextualizing events.

"Turning the Tables: Radical New Approaches to Security Analytics" - Martin Fink - EVP, CTO, HP Enterprise
Big data analytics has truly revolutionized what we can do with the data available in cyber security. We used to look at all the log data and packet data and think, "It would be great to store and search through all this, but it's just too much data to be feasible." That's no longer true. The "big data" revolution and the continuing advances in storage technology have changed the landscape. It is now feasible to capture, store, aggregate, and analyze the logs from every device in your network, or the contents of every packet that crosses your network.

​Martin Fink started by talking about the need to build security into every part of the system, rather than just the perimeter. Starting from the silicon and the firmware, the state of the system should be checked for integrity and should have a built-in recovery capability to a known good state. The operating system, as well, should be checked for integrity and have a capability to restore itself to a known good state.

"Analytics-Driven Intelligent SOC"
  • Real-Time Monitoring: the foundation of any security operation
  • Deep Analytics: investigation & hunting augmented by machine learning; enables detection of unknown threats through behavioral analysis
  • Deception Grid: redirect attacks to a test network/host for study/analysis

The False Positive Problem:
-- The Base Rate Fallacy: when looking for rare events, even a low rate of failure in proper identification leads to a large number of failures
-- The solution is more advanced analytics that correlate many events over time; false positives will usually be discarded because one event may be mistaken for an attack indicator, but that event will almost always fail to be accompanied by the other expected events associated with that attack.

HP is working on research to build "The Machine" -- a memory-driven machine where memory precedes processing in order to overcome processor limitations on the quantity of data that can be processed and the speed with which it can be processed. This machine, with 640TB of main system memory, could process 10 million events/second and analyze up to 14 days worth of events.



Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief: 22-28 February

Image
Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser
Read more