Cybersecurity: Here’s how NOT to defend yourself

By Benjamin Cher July 27, 2016

Cutting off access is not even the last thing you should do
‘There’s something fundamentally wrong with the threat intelligence’

Cybersecurity: Here’s how NOT to defend yourself

WHILE it might seem like the cybercriminals are having a field day, there are steps companies can take to better protect themselves.

But unlike what the Singapore Government plans to do with its civils servants, you do not need to cut yourself off from the Internet, notes Mike Brown, vice president and general manager of the Global Public Sector business at cybersecurity firm RSA.

“I think that’s not the best solution,” he says, speaking recently to Digital News Asia (DNA) in Singapore.

“In fact, in the [US] Defence Department back in 1999, we did the same thing and we quickly learned that we couldn’t conduct our missions,” adds Brown, a former US Navy man who also served with the US Department of Homeland Security.

Even limiting access to supposed frivolous functions such as social media has unintended consequences, he argues.

“The Department of Homeland Security wanted to reduce all risk by mandating no Internet access for social media, but I pointed out that it was an unacceptable risk because first responders such as firemen and policemen conduct enormous amount of situational awareness and deliver information via Twitter,” he says.

“If you take these types of examples, you end up making individual decisions based on that particular element – you’re not truly looking at business or mission risk. In fact, you open up more vulnerabilities to the mission or business,” he adds.

Threat (un)intelligence

Threat intelligence – know thy enemy, as Sun-Tzu would have it – has been heralded as a way for chief information security officers (CISOs) to defend their organisations, but many have come to question the need for threat intelligence and whether there is any value in it.

“Two years ago, everyone [at the RSA conference] was doing threat intelligence, it was everywhere,” says Chris Richter, senior vice president of Global Security Services at Level 3 Communications.

“What I’m hearing now is that these startups are finding their venture funding is drying up, because threat intelligence is not selling that well and venture capitalists are looking for their returns.

“What some of my customers are telling me is that they are buying these threat intelligence solutions but they’re useless – they are just generating more and more work, and it is a distraction … it does not give truly pinpoint actionable data,” he declares.

Matt Alderman, vice president of Global Strategy at Tenable Network Security, also wonders about the value extracted from threat intelligence.

“A year ago, Norse [Corp] was in business – now they’re gone,” he says, referring to the threat intelligence company that imploded in February 2016 after its chief executive officer was asked to step down, according to a report by CSO.

While there might be doubts out there, the experts DNA spoke to actually believe there is some value to threat intelligence.

“The quick answer is yes, there is a lot of value in threat intelligence,” says Demetris Booth, head of product management and solutions marketing of Cisco System’s Cyber Security Solutions, Asia Pacific, Japan & China unit.

“But is it the right threat intelligence? There’s a lot of organisations with security products generating … alerts and logs, but they don’t necessarily have the capability to collect and aggregate the data from multiple sources to do correlation to see what the similarities are,” he adds.

Threat intelligence also has to evolve beyond just pointing out bad Internet Protocol (IP) addresses, argues Tenable’s Alderman.

“There has to be good actionable intelligence in there, but there’s very little in it if you dig into the threat intelligence feeds,” he says.

“Can we get value out of it? Yes. But at the pace the market expects? No.

“I think the bubble has started to burst … there’s something fundamentally wrong with the threat intelligence.

“We’ve probably hit our limit, unless someone comes up with something better or more actionable,” he adds.

Cybersecurity: Here’s how NOT to defend yourself Jason Rolleston (pic), vice president of corporate products at Intel Security, also echoes this call for more actionable threat intelligence.

“We see threat intelligence as a key data source – the challenge is how to make it actionable, and how to make that not require a lot of human effort,” he says.

“The more you require people to read these things and bring them in and do something about it, the more challenging it becomes to bring value out of it,” he adds.

Rolleston says that even among the CISOs he speaks to, there is no consensus on the value of threat intelligence.

“We had a CISO summit where we asked them about threat intelligence, and we got largely varied feedback,” he says.

“They didn’t necessarily think it was paying off the way they wanted it to, but a lot of them are still using it, so they are getting some benefit even if it was simply training and looking at new ways that hacks are happening.

“It was of some use but it wasn’t the promise that everyone had for it,” he adds.

Level 3’s Richter agrees, giving an example: “I think the vendors that are going to win in threat intelligence will send you an alert and tell you what to do to stop your data from being exfiltrated when infection is in process – not strategic data that says, ‘We’re seeing a new strain of malware floating around and it looks like it’s pinging some of your systems.’

“I met a CISO last week who told me that he sees so much information going around that he knows there are hackers working inside of his network, on the payroll, and he’s getting threat intelligence that tells him that.

“But he can’t do anything about it because he can’t see who they’re talking to and if these IP addresses on the outside are good or bad,” he adds.

Trust the machine

Automation would be one way for threat intelligence to be truly useful, but trust has to be built for that to happen, argues Tenable’s Alderman (pic above).

“This is how we build trust: Better data and analytics, bubbling up a set of prioritised actions to be done but still with the human doing the work,” he says.

“Once the human realises the patterns are repeatable, then the next step would be to trust the analytics.

“…That will be a natural progression to get to when a human does it over and over again, until the human says, ‘It doesn’t make sense, why don’t you automate the action?’

“And that’s when you get automated remediation activities,” he adds.

Level 3’s Richter agrees, arguing that humans need to trust machines enough to take their own action. “Just as attack are automated, threat intelligence has to be automated as well,” he says.

“Instead of providing the customer with just a report, we need to do machine-to-machine communications.

“Threat intelligence data based on machine learning has to evolve to the point where we trust it enough to use the threat intelligence to block IP addresses, change firewall rule sets, and update systems automatically so we can remove humans from the defence.

“Because today, we’re generating alerts and reports that humans have to ingest, but humans are weak and miss things.

“Half of the companies that have been breached already knew that there was malware inside their systems, but they were getting flooded with so much information that they missed it.

“We are so afraid of having our production systems interrupted from false positives that we are not at the point of society where we will trust the machines,” he adds.

Next Up: Tools and steps to a brighter, safer and more secure digital world

Previous Instalment: Most APAC organisations breached, the rest don’t know they’ve been hit!