Hey, that’s my security system…and who are those guys?

Imagine you are sitting on an airplane in Atlanta and just as they close the door you receive this picture.  You look a bit closer and confirm that in the background is the control panel for the security cameras in your new house.

Now, luckily, I know these guys.  That’s Lee on the left and Stuart on the right and they work with me at IronNet Cybersecurity.  Lee and Stuart have some special skills and they put those skills to work testing the security on my new “smart” home.  Turns out I was pretty smart to have them test the system.  Turns out the camera system is not all that smart.

So here is what happened.  We built a new home and moved in this summer.  One of the sub-contractors I engaged early on was the sound and security guy.  He did great work and overall we are happy with the system he installed.  As we were going through the design and installation process I asked several times about the security of the system.  The contractor said the security was top notch, don’t worry.  I explained that I was going to trust, but verify once the installation was complete.

During the configuration process, I asked what it would take for me to be able to view the cameras remotely when I was away from the house.  Conveniently there is a proprietary app but it requires certain communication ports to be open on my router.  This did not sound like a good idea to me, but I was assured that appropriate access controls were in place, no problem.

After everything was up and working I gave Lee and Stuart the IP address of my house and in about three hours they had full control of my security cameras. Sparing the technical details, suffice it to say that Lee and Stuart found a flaw in the code that runs the camera system and they were able to obtain admin access without compromising any user names or passwords.

The first thing I did was close the ports and install a business grade firewall.  While that does not make me bulletproof, I am a significantly harder target.  The next thing I did was notify the installation contractor.  To my surprise, he was not that excited about the picture I shared or the revelation that he was installing a product with a significant security vulnerability.  Guess he is lucky that I am not the type to go out on Yelp and make a stink.

The next thing I did was call the system distributor.  It took about 15 minutes before I found someone who could understand that I was calling to notify them of a security flaw in their product.  The next day I did get a phone call from the company.  I asked if this was the type of company that would try to sue me for violating the product terms of agreement or was this the type of company that welcomed the information.  It turns out they were the latter.  According to the gentleman we spoke to, they were aware of this particular vulnerability and there was a fix on the roadmap.  No time frame was suggested nor was there an offer to retrofit or patch.  I imagine this distributor is at the mercy of the overseas company that builds the product.  He added that this was a common issue with other systems.  I did not find that comforting.  We provided them a detailed report of our findings, at no charge I might add.  Further attempts to contact them regarding the filing of a Common Vulnerabilities and Exposures (CVE) report went unanswered.

Several interesting points to ponder here.  First, as a homeowner or a business owner, do not take for granted the security of your security systems.  There is going to be a tradeoff between security, privacy and convenience.  Just make sure you are making a conscious choice.  If you want to have Lee and Stuart check out your setup, send me a note.  Second, if you sell and install tech equipment these days, you should care about the security characteristics of the equipment you are putting in people’s homes and businesses.  Reputation damage is hard to measure and hard to fix.  Third, if someone notifies you of a security flaw in a system you produce, have a plan on how you are going to treat them.  Make it easy to reach the right person and follow it through to conclusion.  Finally, if you know there is risk involved that the average consumer would not consider, explain the trade-offs.  Help them make the right decision.

If you thought this post was useful, please share it.  Also, consider liking my Facebook page, The CyberSpeaker.  And check out my website:  www.thecyberspeaker.com.

Finding anomalies is easy, deriving alerts is hard.

Anomaly detection is a key component of next generation cybersecurity. And it doesn’t matter what kind of network it is–legacy enterprise, cloud-based or IoT-centric–once the “perimeter” is breached, a user’s credentials are compromised and a foothold achieved, the attacker will only be discovered by identifying unusual or anomalous behavior in the network.  Identifying anomalous behavior of entities—people, processes and machines—is the key to finding the most dangerous threats whether that is an external actor or a rogue insider. The challenge is moving from anomaly detection to useful alerting.

There are many companies trying to solve this problem through the use of big data analytics, behavioral modeling, machine learning (ML) and artificial intelligence (AI). It is actually pretty easy to find anomalies in a computer network since the environment is almost constantly changing and therefore fundamentally anomalous. The key is being able to sort through the anomalies and identify those that may dictate a corrective action by a machine or a human. I derived the model illustrated here to help think through the problem.

Hierarchy of anomaly detection

The base requirement is to identify anomalies in the data.  There are different approaches to this first step.  Some are looking just at endpoint data, others are looking at data already ingested into SIEMS and more ambitious approaches look very broadly at flow and log data to include full packet capture.  No matter what the data set is, step one is to identify anomalies in the data that indicate unusual behavior by entities on the network.

The next step is to categorize the anomalies into most likely cases.  I have listed four.  First is indicators of malicious activity.  This could be simple cases of unusual scanning or beaconing or more advanced indicators such as random domain name generation or subtle indications of lateral movement.  The second category is configuration errors and policy violations.  Some security types see these as IT issues and brush them off, but as we all know the initial attack frequently starts by taking advantage of a poorly configured device or the actions of a human that are not in compliance with established policies.  The third category is new activity on the network that is perfectly normal but was not part of the established baseline.  The fourth category is unusual but not malicious.  An example might be the emerging markets analyst who is poking around websites in Myanmar looking for the next hedge fund bet.

Once the anomalies are categorized, we need to prioritize them and deliver a list of alerts to the user.  We are looking for that elusive 1-to-n list where the top alert is the one we most care about.  Alert fatigue is not generated because we have too many alerts.  Alert fatigue comes from no prioritization.  In fact, I want to see all the alerts but I want them prioritized and categorized.  The categorization will help me decide who should analyze the alert and the prioritization will ensure that even if I only have one analyst, I know that single analyst is working on the most important problem.

Categorizing and prioritizing is not easy, otherwise we would have several solutions on the market to choose from.  The two arrows on the left of the model are the key to understanding what it takes to produce a useful 1-to-n list.  At the bottom of our stack, the work is data intensive.  Data scientists derive algorithms to find anomalies and, in general, more data is better.  As we move up the stack, we find context is the key to categorization and prioritization.  What does this entity do in the network, what business process does it support, what are the configurations and policies in place and is there a temporal nature to the analysis?  These and other contextual issues are the key to categorizing and prioritizing the alerts and this process requires extensive use of ML and AI to produce the 1-to-n list.  It also requires cross-functional expertise from network engineers, data scientists, threat intelligence analysts and operators with both offensive and defensive expertise.
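To make the upper layers of the stack concrete, here is an added toy example (not code from the original post) of the categorize-then-prioritize step: raw detector output is sorted into the four categories above using entity context (an approved change ticket, a business role that explains the oddity) and then ranked into a 1-to-n list by category weight, business criticality and persistence over time. The category weights, field names, signal names and sample anomalies are all assumptions constructed for illustration.

```python
# Four categories from the post, heaviest first; weights are assumed for illustration.
CATEGORY_WEIGHT = {
    "malicious-indicator": 40,
    "config-or-policy-violation": 30,
    "unusual-not-malicious": 20,
    "new-normal-activity": 10,
}
MALICIOUS_SIGNALS = {"beaconing", "scanning", "dga-lookup", "lateral-movement"}
POLICY_SIGNALS = {"exposed-admin-port", "default-credentials", "unapproved-protocol"}
# Context: business roles for which a rare signal is plausible (the Myanmar analyst case).
ROLE_EXPECTED = {"rare-destination-country": {"emerging-markets-analyst"}}


def categorize(anomaly):
    """Map a raw anomaly to one of the four categories using entity context."""
    signal = anomaly["signal"]
    if signal in MALICIOUS_SIGNALS:
        return "malicious-indicator"
    if signal in POLICY_SIGNALS:
        return "config-or-policy-violation"
    if anomaly.get("change_ticket"):  # an approved change explains activity absent from the baseline
        return "new-normal-activity"
    if anomaly.get("role") in ROLE_EXPECTED.get(signal, set()):
        return "unusual-not-malicious"
    return "malicious-indicator"  # unexplained oddities stay at the top until context explains them


def score(anomaly, category):
    """Priority = category weight + business criticality of the entity + temporal persistence."""
    return (CATEGORY_WEIGHT[category]
            + 5 * anomaly.get("criticality", 1)          # 1..5: what business process it supports
            + min(anomaly.get("days_recurring", 0), 5))  # recurring over several days ranks higher


def rank_alerts(anomalies):
    """Return the 1-to-n list: every anomaly kept, categorized, most important first."""
    alerts = []
    for a in anomalies:
        cat = categorize(a)
        alerts.append(dict(a, category=cat, score=score(a, cat)))
    alerts.sort(key=lambda x: x["score"], reverse=True)
    for rank, alert in enumerate(alerts, start=1):
        alert["rank"] = rank
    return alerts


SAMPLE_ANOMALIES = [  # constructed detector output, not real data
    {"entity": "ws-42", "signal": "rare-destination-country", "role": "emerging-markets-analyst", "criticality": 3},
    {"entity": "db-01", "signal": "beaconing", "criticality": 5, "days_recurring": 3},
    {"entity": "cam-nvr", "signal": "exposed-admin-port", "criticality": 3},
    {"entity": "app-07", "signal": "new-service-listening", "change_ticket": "CHG-1234", "criticality": 4},
    {"entity": "ws-77", "signal": "rare-destination-country", "role": "developer", "criticality": 2},
]
```

Note that the two `rare-destination-country` anomalies land in different categories purely because of role context, which is the point the model makes about moving up the stack.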

There is much more to discuss in this model, but I have exceeded the “optimum” length of a blog post.  In my next post, I will discuss the people, processes and technology it takes to make this all happen.

If you have read this far, you are probably someone who is a cybersecurity professional and I welcome your comments on LinkedIn or on my website, www.thecyberspeaker.com.  Also, please check out my Facebook page, The CyberSpeaker, where I provide thoughts on cybersecurity targeted at a more general audience.

Cybersecurity—an essential element to every business decision

Companies with an effective cyber-risk culture understand there is a strategic balance to be struck between activities that generate revenue, the associated IT expense and managing cyber-risk.  Everyone understands how to get to the bottom line:  Revenue – Expense = Net Income.  Unfortunately, there can be a tendency to focus on generating revenue and making the assumption we can control expenses and manage risk so the math makes sense in the end.   This is a bad assumption given the spectrum of potential outcomes that could result from a successful breach and the uncertainty in predicting the full costs of a compromise.

This model highlights the balance that must be achieved.


Given the uncertainty of predicting the cost of a successful breach, it is important that any strategic decision concerning a new line of business, a significant merger or acquisition (M&A) or an internal reorganization or consolidation, be based on a simple model that highlights the relationship between revenue generating activities, associated IT expenses and cybersecurity implications.  The challenge of working through this model is two-fold.  First is the uncertainty associated with the potential costs of a successful cyber-attack, and second, in most companies there is no single individual or even functional office that has the experience, expertise and credibility to decide how to balance resources, and therefore risk, across these three areas.  Estimating potential revenue and even IT expense is relatively straightforward.  The challenge comes when the business unit lead is unable to understand the cyber-risk implications.  At that point, he may rely on the CIO and the CISO to just “make it work.”  Unfortunately, the CIO and the CISO may not be in a position to understand all of the business implications resulting from decisions made to provision and secure the environment.  The result can be a situation where the business unit and the CIO and CISO cannot agree on how this all comes together and, based on the business leader’s influence, security concerns are considered nominal and the initiative goes forward incurring significant unacknowledged risks to the company.

A recent example of how a company failed to properly balance the potential for revenue generation against the risk of not accounting properly for cybersecurity was highlighted by a recent New York Times article, Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say (Sep 28, 2016).  The article highlights Yahoo’s internal deliberations regarding the tension between enhancing their customer experience in order to generate revenue against the requirements to provide better security in response to hacks against a number of tech companies in the 2010 time frame.  According to the article, security was viewed as a drag on product development and revenue generation and, as a result, Yahoo did not take important steps to increase the security posture for their customers.  The result was a major hack that exposed perhaps as many as 500 million records.  The article also describes the approach Google took when faced with the same challenge.  Google prioritized security even at the cost of customer convenience and so far, that has worked.  Customers are embracing the use of things like multi-factor authentication using Google Authenticator and the company, as far as we know, has not suffered a serious breach.

This example highlights how cybersecurity has to be viewed through three lenses.  First, as an expense to control, second as a risk to be managed and third, as an asset that can support revenue generation.  The concept of expense is obvious as cybersecurity has a limited budget just like everything else.  It is clearly a risk to be managed.  Our ability to operate in cyberspace will be continually challenged and we cannot afford to disconnect from the internet, so we must manage the risk.  But, we should also consider how cybersecurity can support revenue generation.  Increasingly consumers are unwilling to do business with companies that have suffered a significant breach and cyber-risk due diligence is part of every partnership or M&A discussion.  Certainly in this example, Google appears to have been able to leverage its investment in cybersecurity into building customer confidence and generating revenue.

Yahoo or Google—who made the right strategic business decision?