Cyber threats have been making national headlines around the world for the past few years. From the infamous Target breach to the recent DDoS attack that took down Dyn's DNS servers, cyber-attacks are evolving, and they are not stopping at ransomware.
Over the last couple of decades we have seen companies scrambling to protect themselves with antivirus programs. Traditionally, these rely on signatures to detect threats. While that has worked well enough in past years, Kane Lightowler isn't convinced it is a sustainable option.
“The challenge is that [signature-based protection] means someone, somewhere in the world, must have seen that attack and been compromised, while security companies make copies of that attack and deconstruct it so everyone else is protected. So a number of companies have to suffer for everybody else to be protected.”
Signature-based protection was an effective security model for quite some time. That was when attackers were still reusing the same tactics and malware repeatedly: “build on one variant and use it against many companies” was the modus operandi. Things have since changed, and ransomware has taken the crown because it is easily modified so that every sample is unique. Precisely because the attacks and methods have changed, traditional defences are rendered useless against them.
Times are changing
Kane is the APJ Managing Director for Carbon Black. Carbon Black focuses on next-generation endpoint security, designed to protect against, detect and respond to advanced threats. Using AI and machine learning in the cloud, together with threat intelligence, Carbon Black relies on data analytics in its collective defence cloud to produce threat intel that identifies and provides protection against these malicious attacks.
“The industry must change to adapt to new types of technology. [Attacker] behaviour has changed.”
Attacks are getting more and more sophisticated, and Kane sees that trend continuing. Traditional attacks involve malware: the files of a virus or a trojan. More recently the industry is seeing more script-based attacks that use system administration tools such as PowerShell, as well as in-memory attacks.
Kane shared some data from research presented by CyberSecurity Malaysia during his visit last week. Counting only incidents reported this year, there were 2328 intrusions reported up to the end of November.
“That's certainly not all of the intrusions that happened here; that's a very small percentage. These are just the ones that have gone through law enforcement and been reported to CyberSecurity Malaysia.”
“The difference in Asia, versus somewhere like North America, is that there is less transparency about incidents that have taken place. For example, in the US, disclosure is mandatory by legislation; therefore in the US press we see many more published incidents. I'd argue that there are just as many incidents, if not more, happening in Asia as there are in the US; it's just not well publicised.”
Individuals and organisations are not as informed as they should be about the specifics of the threats and how often they are occurring locally. Organisations could be under attack right now and not notice; in fact, in Asia it has been recorded that on average it takes over 200 days to identify an incident.
In Malaysia, Kane doesn't see many organisations adopting new technologies to protect themselves at the moment. Earlier, in April, an alert was issued regarding ransomware targeting Malaysian businesses. While this has been a challenge across the region, it shows that Malaysian companies are being targeted.
The dangers of IoT
Targeting isn't confined to the region either. The recent DDoS attack on the DNS host Dyn took down half the internet on the US Eastern seaboard, with follow-up attacks seen in other regions, including locally in Singapore and Malaysia. While this didn't affect data confidentiality or integrity, it certainly affected availability. The Mirai botnet behind it had infected and compromised a large number of IoT devices.
Mirai's source code has since been released publicly. It's easy for anyone to download that source code and launch an attack, which is a challenge for the cybersecurity industry moving forward.
“IoT is a different ballgame. The IoT vendors themselves need to put the right controls and measures into the systems. The thing with IoT systems is that they aren't open systems; you can't just install a security product on them. Consumers need to start demanding that, but today consumers are demanding cheap IoT devices rather than expensive and secure ones.”
“The example of the Dyn attack is an example of what could happen. A lot of organisations have put the vast majority of their security, whether people, process or technology, into protection, protecting against an incident, and they are not prepared to respond when an incident does take place.”
With IoT, it's always a trade-off between convenience and security. As Kane states, companies need to measure their level of risk and decide what level of risk is acceptable. It's not just about recording and logging; it's also about pulling the metadata out, analysing it to find abnormalities, and responding to them.
“We need to share. We need to share data and intelligence around threats, attack techniques and tactics, and we need to take that intelligence and make it actionable in near real time across the organisation's endpoints.”
Some companies are already sharing data. With open threat intelligence sharing standards such as STIX and TAXII, many organisations could take advantage of that data and take the necessary steps to rectify any vulnerabilities.
While many security companies are highly successful, “their products only talk to their products.” Carbon Black's portfolio is opened up with an open API, allowing third-party integration, whether with other technologies customers are already using or with other security measures such as network security.
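As an added illustration (not Carbon Black's code and not from the interview), the Python sketch below contrasts the two models the article describes: a hash indicator pulled from a STIX bundle catches only the sample someone has already suffered and shared, while behaviour rules over endpoint process telemetry also flag the repacked variant and the in-memory PowerShell launch. The STIX objects, hashes and telemetry events are all constructed placeholders, not real indicators.

```python
import json
import re
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PS_SUSPECT_FLAGS = re.compile(r"-(enc|encodedcommand|w\s+hidden|nop)\b", re.IGNORECASE)
SHA256_IN_PATTERN = re.compile(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]+)'")

# Constructed STIX 2.1 bundle carrying one file-hash indicator; the hash is a placeholder, not a real IoC.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [{
    "type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
    "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = 'aaaa1111']", "valid_from": "2016-12-01T00:00:00Z"}]})
# Constructed endpoint telemetry. Event 0: the variant somebody else already suffered and shared;
# event 1: the same dropper repacked; event 2: script-based, nothing on disk; event 3: routine admin use.
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "invoice.exe", "sha256": "aaaa1111", "cmdline": "invoice.exe"},
    {"parent": "WINWORD.EXE", "image": "invoice.exe", "sha256": "bbbb2222", "cmdline": "invoice.exe"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe", "sha256": "cccc3333",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"},
    {"parent": "explorer.exe", "image": "powershell.exe", "sha256": "cccc3333",
     "cmdline": "powershell.exe -File backup.ps1"},
]

def load_hash_indicators(bundle_json):
    """Extract SHA-256 values from STIX indicator patterns (simple equality patterns only)."""
    hashes = set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            hashes.update(h.lower() for h in SHA256_IN_PATTERN.findall(obj["pattern"]))
    return hashes

def signature_hits(events, known_hashes):
    """Signature model: an event is only caught if its exact hash was already shared."""
    return [i for i, e in enumerate(events) if e["sha256"].lower() in known_hashes]

def behaviour_hits(events):
    """Behaviour model: judge what the process does and who launched it, not its bytes."""
    hits = []
    for i, e in enumerate(events):
        reasons = []
        if e["parent"].lower() in OFFICE_PARENTS:
            reasons.append("office_spawned_process")
        if e["image"].lower() == "powershell.exe" and PS_SUSPECT_FLAGS.search(e["cmdline"]):
            reasons.append("powershell_obfuscated_launch")
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    print("signature:", signature_hits(EVENTS, load_hash_indicators(STIX_BUNDLE)))  # only event 0
    print("behaviour:", behaviour_hits(EVENTS))  # events 0, 1 and 2; the admin's -File run stays quiet
```

The behaviour rules are deliberately coarse; in practice they would be tuned against the organisation's own baseline of parent/child process pairs before being used for blocking rather than alerting.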
Securing the perimeter in the cloud
“We've moved a lot of our monitoring out onto the network and the perimeter, and concentrated our monitoring and security on networks and perimeters. But today the macro trend of cloud means your perimeter is ineffective in the office environment. Secondly, mobility. Companies are investing huge amounts in building a porous perimeter, but if my laptop leaves the company and connects to a public network, it becomes an access point. Thirdly, more and more traffic is encrypted, so there's less ability to protect and secure it as it traverses the network. All three of these trends are driving the need for closer and more effective protection of the endpoint.”
The endpoint, as Kane describes it, isn't just devices. It could be in the cloud, storing sensitive data that is shared with the organisation. That needs to be protected just as much as the systems and the access to them. With cloud, mobility and encryption, investment made in the network becomes less effective.
“The endpoint is where the attack takes place; they compromise the systems at the endpoints. If you don't have visibility on that endpoint, you can't detect, and without detection you can't prevent. Traditional antivirus doesn't protect against these threats. Today, it's inevitable that at some stage something may take place.”
“Security must leverage the cloud, because there are vast amounts of data that need to be analysed, and leveraging the cloud over a large dataset of customers from different countries and different industries can provide extremely valuable insights to a company, rather than only what they are currently looking at in their own environment.”
Kane tells us that Carbon Black's technology helps expedite investigation and incident response, removing the need for traditional forensics processes. Those processes require an experienced and skilled forensics team with a very specific skill set; they take time and are inefficient.
“Today there are millions of unfilled cybersecurity roles. We just don’t have enough forensic investigators globally.”
Many times, for convenience's sake, staff may make copies of data or documents on another platform such as a public cloud, and organisations need to decide whether that is considered a breach of the perimeter or not. However, there is some peace of mind to be had in those instances.
“The thing to keep in mind about cloud is that a cloud provider is in the business of operating technology and keeping it secure and available. That is their core business. Take for example a transport company: their core business is logistics, moving products or people from point A to point B. It's not keeping businesses secure. A cloud provider, on the other hand, has more resources to do a better job.”
Boiling it down in a nutshell
In the 45-minute interview, many bases were covered in the world of cybersecurity trends. However, Kane neatly summarised them in two key observations. We think it apt to let the expert end this with his remarks below.
“The fundamental thing right now is the realisation and acceptance that incidents are inevitable, so organisations are starting to prepare to be able to detect and respond when an incident happens. Secondly, there is a shift away from signature-based technologies; technologies are moving to behaviour detection. These are the key things that are happening today in cybersecurity in general.”
“We are at an inflection point, where organisations need to acknowledge, starting with the knowledge that it's not about if but when it's going to take place, and start the journey to put in the right technology and processes to be able to detect and respond when inevitably the incident takes place.”