Chris Poulin, research strategist, X-Force, IBM Security Systems, talks about Heartbleed and what it means for the security community, as well as why IBM is excited about the upcoming Black Hat USA 2014 conference August 2-7 in Las Vegas.
Chris, what does Heartbleed mean for the security community?
Chris Poulin: Heartbleed was more of a warning than the apocalyptic event that some reactionaries predicted it would be when first announced. The good news is that there weren't any catastrophic breaches due to Heartbleed – at least none that we know of.
What we do know is that most mature enterprises took appropriate steps to protect themselves by quickly revoking certificates in case they were compromised, patching the applications affected by vulnerable versions of OpenSSL, and notifying users to change their passwords and look for signs of account compromise. On the other hand, many organizations are still vulnerable or they simply acquired a new certificate, leaving the potentially compromised one available for attackers to impersonate their Web sites and applications.
Hopefully the lessons learned are making organizations rethink their security processes by taking inventory of assets to include certificates, collecting complete forensics information in advance to be able to perform rapid and accurate impact analysis, and updating incident response processes. Also, Heartbleed has caused organizations to reevaluate use of open-source software and libraries, as well as shed a light on code development and review processes. Finally, it's pointed out the shortcomings of the certificate revocation mechanism when subjected to a broad volume of requests.
You recently announced IBM Security QRadar Incident Forensics. How can this help companies?
Chris Poulin: QRadar Incident Forensics (QRIF) is critical for the type of rapid and accurate impact analysis that's needed for post-incident response.
Taking the Heartbleed vulnerability, for example, QRIF can help enterprises go back in time and determine if they've been attacked by an asymmetric TLS heartbeat request -- or not -- and to drive their response to customers. Or, in the case of many of the large retailer breaches, QRIF speeds up the time to determine how an attacker breached their systems, allowing the victim organizations to close the avenue of attack and notify their customers, oversight entities, and the press with confidence. Definitive and timely communication to the world is key to regaining the public trust and mitigating brand reputation damage, maintaining customer loyalty, and stemming potential financial losses.
QRIF can also be used proactively to mine data and detect signs of attack, including 0days, as well as identify rogue internal activities, such as an employee stealing intellectual property or malware exfiltrating data. Coupled with security intelligence, organizations can identify not only the potential for malicious activity and conclusive evidence of a successful attack, but also what accounts or data were affected.
You'll be at Black Hat USA 2014. What are you excited about at the show, and how can companies connect with you there?
Chris Poulin: IBM is delighted to be part of Black Hat USA 2014 as this event has become a strong platform for IT experts and specialists to meet, share expertise and insight, and gain a deeper understanding of the security technologies and trends. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. This security framework, supported by world-renowned IBM X-Force research and development, provides actionable intelligence to help organizations holistically protect their critical assets and infrastructure, offering solutions across security intelligence and analytics, identity and access management, network, database and application security, fraud protection, risk management, endpoint protection, managed services, and more. These capabilities and services are delivered through a comprehensive and robust set of tools and best practices, delivering distinct value throughout the process.
We hope everyone will join us in our workshops and visit our booth to see a live demonstration and how these solutions can help enable a secure enterprise.
Philip Lieberman, president and CEO, Lieberman Software, discusses why a third of IT security professionals don’t keep corporate data in the cloud, plus why Lieberman Software decided to become a Platinum Plus Sponsor of Black Hat USA 2014.
Philip, your recent study claimed "a third of IT security professionals do not keep corporate data in the cloud because of fear of government snooping." What can be done about this?
Philip Lieberman: There is pending legislation to define the scope and methods of data access by the government. The current model of data governance requires the government to publicly declare by subpoena and warrants their requirements for access to on-premises systems and data. The introduction of a third party (cloud provider) into the data governance model allows the government to go on a secret fishing expedition at the cloud provider's site without the knowledge or consent of the cloud's subscribers.
The idea that a third party (government and the cloud provider) can peruse data without oversight or due process concerns many people. The disclosure of Google's public policy of scanning e-mail and data for relevant content for targeted advertising as a requirement of their terms of service should bring chills to most people.
What needs to be done is the creation of clear and definite laws regarding the government's right to access third-party systems and the restoration of limitations of discovery scope and due process to all parties. The government should also ban the ability of cloud providers to scan the contents of their subscriber's e-mail, data, and transactions in a way similar to the current process that ISPs enjoy in order to have a safe harbor from copyright infringement (MPAA/RIAA infringement issues).
You've also been expanding within the EMEA (Europe, the Middle East, and Africa) region. How important are these markets, particularly those which are emerging?
Philip Lieberman: EMEA has historically represented a significant fraction of our worldwide business. Emerging economies have placed a focus on security and proper governance of their government and commercial enterprises -- especially financial concerns -- in order to be taken seriously and to enhance credibility when dealing with major foreign powers and their companies. Consequently, we see smaller and emerging countries aggressively implementing best practices in security that were generated in the First World economies, but are largely ignored there due to existing political silos of power and lack of government oversight.
Of particular interest to us has been Eastern Europe and areas of the world where government policies require that infrastructure be particularly secure due to lack of legal systems and/or issues of sovereign power and its projection (wanted and unwanted).
Lieberman Software is supporting Black Hat USA 2014 as a Platinum Plus Sponsor. What are you excited about at the show and how can readers connect with you there?
Philip Lieberman: In the last year, we have seen the emergence of a new reality of cyberwarfare where the perimeter is porous and existing security technologies simply don't work. With the reality that intruders are already in your network pretty much all the time, how do you keep them at bay? The goal of land and expand of attackers tries to capture credentials and as much of the infrastructure as possible. If we agree that intruders are no longer stopped at the perimeter, what's a company to do?
The bad guys have automated tools for penetrating your environment and spreading their access, and if your are trying to defend yourself by having humans manage credentials by hand, you have already lost the war before it began. We have automation solutions that take humans out of the privilege management process. We secure credentials throughout your infrastructure (physical and virtual stacks) and also control access to applications and cloud providers. We know what the bad guys are looking for and make their lives difficult by continuously moving/changing the secrets they need to do their job.
Today passwords, certificates, and keys that were once changed in years or months are now required to be changed in hours or days with regular frequency in an automated way. Stop by our booth and learn how Lieberman Software can provide privilege identity and privileged access management at scale to create an environment of just enough access / just in time for your users and IT administrators. Stop by and learn how.
Eddie Schwartz, VP of global cybersecurity and consulting solutions for Verizon Enterprise Solutions, explains how just three threat patterns cover 72% of all the security incidents in any given industry, and why Black Hat attendees should hear Verizon’s talk on "Big Lessons In Small Data."
Eddie you recently put out the 2014 Data Breach Investigations Report. What are the key takeaways?
Eddie Schwartz: This year’s report offers a deeper dive into the world of cyber threats based on an expanded data set that covers 10 years. The 2014 DBIR found that 92% of the 100,000 security incidents analyzed over the past 10 years can be traced to nine basic attack patterns that vary from industry to industry. In fact, this year’s report found that, on average, just three threat patterns cover 72% of the security incidents in any given industry.
By putting these attacks into nine recognizable attack patterns, security teams can better align and focus their security management and cyber intel programs to focus on what matters the most. Other key takeaways include that no organization is immune from a data breach and more times than not, money is the fundamental motivation behind a breach.
How is Verizon positioning itself to deal with the challenges discussed in the Data Breach Investigation Report?
Eddie Schwartz: Verizon has built incredible assets, such as our global IP network, that provide unique visibility into cyber threats. We also have developed the ability to perform large-scale data analytics 24 x 7 in a follow-the-sun model with security operations centers all around the world. All of these capabilities feed into the Verizon Cybersecurity Intelligence Center. Add to this the power of over 550 security consultants around the globe, including our world-renowned computer forensics team, and Verizon brings to the table a cyber security partnership that closes many skills, intelligence, and scalability gaps that many of our clients face today.
Verizon is supporting Black Hat USA for the first time, as a Platinum Plus Sponsor. What are you excited about at the show and how can readers connect with you there?
Eddie Schwartz: Black Hat is one of the most important go-to venues for security professionals, particularly for those who can understand the value that our Verizon Cybersecurity Intelligence Center brings to the table and the need for a partner ecosystem for computer network defense. We felt it was critical to be a part of the Black Hat Briefings community. Black Hat offers us a great opportunity to meet face-to-face with attendees and have in-depth discussions about new ways to solve the most challenging threat problems with our clients. Attendees can join our expo floor session talk, entitled “Big Lessons In Small Data” on Wednesday, Aug. 6 at 4:45 PM, or stop by our booth #119.
Dave Merkel, CTO of FireEye, focuses on the next challenges the security community will face, and he reveals the key findings in the latest report on advanced attacks methods, including the fact that organizations in general have yet to improve their ability to detect breaches.
Dave, you recently released a Mandiant M-Trends report. What are the key takeaways?
Dave Merkel: The M-Trends report provides a glimpse into advanced attacks methods as well as how defenders are faring against these campaigns. In this report, we found several things:
- It takes a while for breached companies to find out. The median number of days attackers were present on a victim’s network before being discovered dropped to 229 days in 2013 from 243 in 2012. This improvement is incremental relative to the drop from 416 days in 2011, however organizations can be unknowingly breached for years. The longest time an attacker was present before being detected in 2013 was six years and three months.
- Organizations in general are yet to improve their ability to detect breaches. In 2012, 37% of organizations detected breaches on their own. This number dropped to just 33% in 2013.
- Phishing e-mails largely look to capitalize on trust in IT departments. 44% of the observed phishing e-mails sought to impersonate the IT departments of the targeted organizations. The vast majority of these e-mails were sent on Tuesday, Wednesday, and Thursday.
- Political conflicts increasingly have cyber components that impact private organizations. Over the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber attacks that impacted the private sector. Specifically, Mandiant responded to incidents where the Syrian Electronic Army (SEA) compromised external-facing Web sites and social media accounts of private organizations with the primary motive of raising awareness for their political cause
- Suspected Iran-based threat actors conduct reconnaissance on the energy sector and state government. Multiple investigations at energy sector companies and state government agencies of suspected Iran-based network reconnaissance activity indicates that threat actors are actively engaging in surveillance activities. While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities.
What do you see as the next challenges that the security community will face, and how is FireEye positioning itself to deal with them?
Dave Merkel: The challenges in the security community are twofold:
- How do we identify and block more advanced attacks? This requires staying on top of evasion methods, new approaches, and so on.
- If breached, how do you compress the time from infection to detection? Today, 229 is too much. If we can compress this down to minutes or seconds, defenders will have an upper hand in today’s cyber landscape.
FireEye is supporting Black Hat USA as a Platinum Plus Sponsor. What are you excited about at the show, and how can readers connect with you there?
Dave Merkel: I'm always excited to meet customers and prospects and hear about their challenges. Good conversations are always engaging. We don't bite … just walk up and say “hello.” I especially enjoy talking with people who disagree with me; a good debate always teaches me something.