Q: The recent breach at Panamanian law firm Mossack Fonseca and many other firms shows how cyber criminals are able to siphon out huge amounts of data from inside a network without being detected. What exactly is it that organizations are failing to do in this regard? Why are they unable to detect such massive data theft until after it happens?
Paul Martini: Many organization and vendors are focused on defense; blocking malware by building bigger and thicker walls. Yet, we all agree that detecting 100% of malware is unrealistic. Even 99.99% detection of malware is not sufficient because the .01% that does get through is likely the malware you should be the most worried about. If you ask organizations what solutions they have in place to detect infections that have never before been classified and are unknown, are masking CnC communications or malware that has breached the perimeter and is now lurking inside the network, you get mixed responses.
Based on multiple reports, we know that most of the data is stolen within minutes after a breach. This is why defensive tools are critical, but it's just as critical to have continuous monitoring for infections that may already be inside the network, if not even more important. Tools such as Data Anomaly detection and Containment as well as advanced cyber analytics that can monitor and analyze deviations from the norm and alert you, are imperative in today's threat environment. Such tools can help identify a breach even if none of the perimeter defenses have been triggered.
Q: How is cloud computing complicating the data leak prevention challenge? How difficult is it for enterprises to simply extend their on-premises DLP to the cloud?
Martini: With the move to the cloud, many applications crucial to managing business operations, such as payroll, help desk and repositories, are now in the cloud. In the past, monitoring access was easier because these services were local and you had more control over access and applying signature-based DLP against this access. Now, the combination of services offered in the cloud, along with the growth of distributed enterprises and mobile users, makes it more difficult to manage the who, what, and when of these services, since the requests are going direct-to-cloud. Also, the encrypted communication between the user and the system increases the complexity of applying traditional signature-based DLP.
Just like these services are moving to the cloud, the network edge is also moving to the cloud. New cloud security platforms leverage security at the perimeter edge, when it's in the cloud, yet [they] also secure the perimeter edge locally, for these networks when it's required. In addition, behavioral-based approaches to anomalous data moving to and from the cloud increase the ability to detect data loss much more effectively than the traditional signature-based approaches. It does so by correlating data access based on users in the organization and then matching how users traditionally leverage these cloud services to detect anomalies. This is effective in pinpointing unauthorized access to these cloud services and detecting breaches.
Q: What is it you want the audience at Black Hat USA to know about web gateway products that perhaps they do not understand as well as they should?
Martini: First, Web security has evolved and is no longer the browser-based security of the past. Today's Web security needs to be ‘Internet' security that secures all traffic beyond ports 80 and 443, in order to detect evasive protocols, which don't leverage web ports. Legacy security suffers from blind spots because they only see two ports.
Second, how Web security is delivered has changed. In the past we had the option of on-premises hardware or cloud security. Both had their limitations. Cloud security is appealing but many organizations are cloud adverse, or restricted from leveraging the cloud, which restricts them to on-premises solutions. Organizations should know that security delivered in the cloud should be based on containerized cloud architectures, which allow organizations to adopt the public cloud when it makes sense, such as for remote sites or mobile users, and then host the cloud in areas where it's desirable. This is now possible with clouds built on containers. They allow more flexibility, giving organizations more freedom to adopt the cloud and benefit from its advantages.
Q: You recently talked about cybercrime collaboration and changes in targets among cybercriminals. What exactly is happening and what is driving this change?
Etay Maor: We are seeing changes in the approach to cybercrime, in several aspects. Cybercriminals are changing their targets - financial institutions have been the "bread and butter" of cybercrime, however, in 2015—and continuing in 2016—we are seeing a shift from almost a pure FI focus to other areas, with healthcare being the major target.
Healthcare data can on the one hand facilitate different types of fraud and on the other hand - healthcare institutions do not [have] the same level of security as financial institutions - allowing for an easier target. In addition, cybercriminals are sharing and collaborating, and do so with relative ease and security on the dark web. Cybercrime underground markets are flourishing, forums are filled with cybercriminals from all over the globe - sharing their knowledge, ideas, tools, techniques and services.
Q: Cybercriminals appear to be getting increasingly better at sharing information and tools with each other in order to carry out and monetize their attacks. Why has information sharing been so difficult to achieve within the security industry?
Maor: Historically speaking, players in the security industry claimed for an edge over other vendors based on their exclusive threat intelligence capabilities. Information wasn't shared because it was a big key for outplaying competitors. However, the industry started realizing that we must share data to better protect our customers. Just as when there is a health crisis, doctors in the field share data of the threat knowing that data sharing is vital to beat the threat.
IBM Security realized this and decided to release all the data it accumulated over the years. This was done via the Xforce Exchange, and immediately the security community, businesses of all types and other organizations started consuming and sharing threat intelligence data. Xforce Exchange now has over 2,000 organizations across 16 global industries.
Q: What do you want the audience at Black Hat USA 2016 to know about fraud fighting and threat awareness?
Maor: In one sentence - fighting cybercrime requires real time global threat intelligence. This can be archived when (1) we all contribute and share data, (2) we use tools that can be updated in real time and (3) when we realize it is not a problem of a specific industry - any type of business can be a target.
Q: How has the sudden proliferation in ransomware attacks affected demand/interest in cloud data backup products like those offered by Code42? Are you seeing more interest from enterprises or consumers?
John Durant: Our customers regularly confirm that having endpoint backup that employees can easily self-restore on a re-formatted or new machine is far superior to paying ransoms. These customers also remind us how important it is that all of this work at full scale, securely and efficiently—and these are all areas where we believe we excel.
The rate and scope of threats to corporate data is not just an information security issue. More importantly, it's a business problem. Leaders from many companies have begun to realize that encrypting and protecting endpoint data in the cloud guarantees recovery—not just from ransomware, but from disaster, hardware failure, snooping governments and other threats that could compromise endpoints and the precious data they contain.
Q: There's obvious security value in backing up data. But are there other reasons organizations should consider implementing endpoint backup technologies?
Durant: Endpoints are where most people get their work done. They take their computers on planes, to coffee shops and all over the world. Even within the safer walls of the enterprise network—the data on these endpoints is at risk due to many things. The value of backup is first and foremost about ensuring that your corporate data—whether IP, customer data, PII, etc.—is safe.
It has to be encrypted on the device, in transit and in the cloud—no matter where employees access it. Second, it's about mitigating the risk of insider threat—intentional or inadvertent—and using the powerful file system monitoring and reporting that is inherent in backup operations to respond to these threats.
Third, it's about protecting user productivity and providing a fast, secure and easy way to recover problems. For example, with the right endpoint backup in place, employees restore data on demand from lost/stolen devices on their own instead of relying on the IT department to do these tasks. If a breach occurs, you can also conduct mass remediation of endpoints and restore an entire enterprise from backup. Seeing everyone up and running quickly is always a great relief.
Q: Why is being at Black Hat USA 2016 important for Code42?
Durant: Black Hat attracts the kind of people that become our customers: they care deeply about real security and proven solutions for protecting the assets that are often at greatest risk—the data on endpoints. Black Hat sessions and other activities help attendees see just how easily devices and enterprise security systems can be compromised when the proper tools and processes are not in place. The briefings and practical training sessions at the show are invaluable, to any security organization, like Code42. We are keenly interested to find out how the current and future threat landscape will affect data at the endpoint—and we want to hear it from those in the security industry who share our convictions.
Q: Governments are a big area of focus for DarkMatter. How would you describe the nature and scope of the security challenge facing government organizations these days?
Faisal Al Bannai: Indeed, DarkMatter is a strategic cyber security partner to governments, and we recognise that as custodians of national infrastructure they are high profile targets for cyber attacks. We only need to look at news reports to gain an idea of the scale and regularity with which critical infrastructure is being successfully breached by attackers with varying motivations.
The heightened security requirements of many government agencies are required because a breach of infrastructure has the potential to result in severe disruptions to the lives of citizens. At DarkMatter we advise that entities assume a state of breach with respect to their cyber security posture. That is to say, they identify the threat landscape as it relates to them and plan according.
The DarkMatter Cyber Security Life-Cycle advises entities to consider a four-step approach to securing their digital assets, which extends to planning, detection, protection, and recovery. In an increasingly digitised landscape, the requirement is for infrastructure to become more resilient to cyber attacks, and this involves understanding the digital assets an entity possesses, where they are located, who has access to them, and who might want to gain access to them unlawfully. This data informs the cyber security posture to be adopted.
Q: How is protecting the government different from securing enterprises against cyber threats?
Al Bannai: The nature of the global interconnectivity of networks and infrastructure – be it public or private - makes the difference between protecting government infrastructure and commercial infrastructure less significant. Typically, the motivation behind all cyber attacks can be broken down to two things: The attacker is looking for the victim of the attack not to function correctly if at all, or to steal information.
What is becoming abundantly clear is that legacy critical infrastructure is now susceptible to attack and needs to be better secured. The requirement to secure governments and national infrastructure from attack is higher given the sensitive nature of the activities those networks operate. The impact of a customer not being able to access a bank account online is clearly different to a government hospital having its power cut off, or air traffic control at an airport having its radar system compromised. Thus the requirement to secure national infrastructure is heightened given the potential losses as a result of a compromise.
Q: What does the private sector need to understand about the threat posed to them by nation state actors?
Al Bannai: The private sector needs to understand that the threat posed by nation state actors and non-nation state actors alike is real and growing. Nation state actors may have additional resources and in some cases organisation, though the underlying principle is for entities to be aware that they need to protect their digital assets from breach, and ensure they add resilience against cyber attacks to their infrastructure. Education and awareness are two critical ingredients to gaining a better understanding of the evolving cyber threat landscape and preparing for it.
A holistic, end-to-end approach to cyber security is required, regardless of the source of the threat. Cyber security needs to be placed at the centre of digitisation developments, and an on going monitoring and pro-active security stance adopted.
