ARN Roundtable: Real Time Security - Raising Threat Intelligence
- 09 March, 2015 09:22
From left: Mark Shaw (Symantec), Philip Dimitriu (Check Point Software), Julian Haber (Intalock), Chris Player (ARN), Allan Swann (ARN), Steve Miller (FireEye/Mandiant), Nigel Hedges (Hemisphere Technologies), Brett Williams (RSA), Brent Thurrell (BeyondTrust), Cam Wayland (Channel Dynamics), Chris Barton (FireEye), David Hook (Westcon Group), Scott Thomas (McAvoy Thomas), Andrew McHenry (Cyberoam), Jonathan Christopher (RSA)
The explosion in online crime gangs and nation state actors targeting customers’ data is seeing an arms race that requires more than a basic security response from every aspect of the channel. Instead you now need multiple threat prevention layers working in real time. Next generation threat prevention now has to encompass firewalls, anti-virus, content filtering and intrusion prevention, post-mortem cyber forensics and constantly updating threat intelligence to respond to problems as soon as possible.
In a digital world rapidly being redefined by poor data privacy and security due to the emergence of Cloud and other disruptive technologies, training staff and customers about the risks involved, is now also a lucrative opportunity for the channel beyond selling boxes or software.
ARN’s roundtable guest experts discussed how channel partners can better work with their customers, not just as managed service providers, but as business consultants and advisors to keep up to speed on the latest threats, and look at unique ways to value add.
ARN's slideshow of the event can be found here.
NEW WAY, NEW LIFE
The realisation that it can’t go it alone anymore is rapidly becoming a problem for the channel. It can’t simply sell an antivirus package or build an on-premise network firewall, provide customer support, and move on to the next customer. It’s an ongoing relationship, often provided ‘as-a-service’ and requires up to the minute threat intelligence.
The market is rapidly changing from a preventative, pre-emptive protection, to a more reactionary, damage minimalisation approach to security, and this requires a solid threat database. Whether that’s an industry shared database, or a government sponsored one, there needs to be more information made available so businesses can plan best practice accordingly, says Philip Dimitriu, Checkpoint Software’s regional SE manager for A/NZ.
“We need a more accurate mechanism of trying to map intelligence into our security technologies that will allow customers to then make conscious and appropriate decisions when it comes to securing the environment, and also aligning that with security awareness programs internally. That will then back what they are actually doing in terms of preventative measures, being supported by best practice, the accurate the use of technologies and internal processes,” he said.
This helps companies determine their risk profile, says FireEye threat analyst, Steve Miller.
“We know that there will be compromised systems. And the question I think most of the people that I talk to are asking is ‘what is my risk?’ And they need information; they need context around that. How do I drive business decisions? How do I mitigate the risk? How do I allocate the resources? How serious is the compromise? How do I stop it?”
BeyondTrust’s vice-president of EMEI and APAC, Brent Thurrell, agreed, noting that the government needed to step in and help.
“In terms of what I’ve seen in the Australian market, a lot of organisations in and outside of the government are actually looking for direction from the likes of the Australian Signals Directory, to help them come up with risk mitigation strategies,” he said.
Even so, once the threat intelligence is made available, a big problem for under-resourced security teams is filtering through that information, and determining what is actionable and how, says Brett Williams, RSA’s advisory security architect.
“We, as an industry, chuck a whole lot of data over the fence and it’s often not of any use to the businesses. There’s no what we call ‘actionable intelligence’. I get a lot of white list or black list information, now what do I do with it? How do I relate that to my business? That puts a lot of workload on security teams, because they’ve got to take this raw data and turn it into something that they can act on. The problem we have had traditionally with threat intelligence is there’s just no background or information on what we’ve been providing. There’s no context. How is it relevant to me as a business owner?” he said.
RSA head of channel and alliances, Jonathan Christopher, agrees that intelligence sharing is a key part of a vendor’s role in this space.
“Yes, we vendors create the IP, obviously we share that with our customers and partners, they then have the opportunity to collaborate across multiple vendors and make that connection actionable. So it’s a great opportunity for the channel,” he said.
Symantec’s ANZ technology strategist – information security, Mark Shaw, agreed.
“The future of security is to open that intelligence up to other people. To present that through APIs so that partners and specialists can come and consume that, run their own analytics against ours,” he said.
“They are going to take that raw data or that intelligence information and turn it into something meaningful and build a business around that, and ultimately service our customers through that mechanism. So the idea of sharing information is absolutely there. It’s pretty valuable. It takes a long time to build up that wealth of information and intelligence and it’s absolutely critical how those products operate in the field.”
Channel Dynamics co-founder and director, Cam Wayland, said this hypothetical intelligence sharing amongst partners, government and vendors is all very well and good – if you have the resources – but, realistically, at the smaller end of the market there have to be some hard choices made.
“In the real world partners have got to make some bets in terms of the program that they invest with, their skill sets and their certification levels and the people that they employ. They can’t actually sell Check Point, Symantec, FireEye, Cisco and all of the others vendors. They actually have to make some choices. And, unfortunately, for a lot of the vendors and their vendor account managers, channel account managers, you see each other as competitive,” he said.
“When you get down to the mid-market and the upper end of SMB, the partner has to make some hard choices because they may only have one security analyst or specialist or maybe one-and-a-half in the business, the rest of these guys are selling VMs and storage and whatever else that pays the bills. They aren’t security specialists,” he said.
McEvoy Thomas principal, Scott Thomas, said beyond education, there needs to be a fundamental disruption to the way vendors sell in the security market.
“That traditional or ‘legacy vendors’ have to change their model. Reactionary style solutions are really legacy. Signature-based solutions are legacy. I think that it’s more about that behavioural analysis. That’s really where the focus should be. There’s only about 20 documented malicious behaviours globally, so looking for those types of behaviours can’t be that difficult. But analysts are saying traditional AV, for instance, only stops about 40 per cent of malicious content. What use is that? That’s just one layer. Many of these organisations are making millions of dollars out of that technology, and they won’t change. That’s a completely different thing to shift because they’re telling their customers that it’s effective,” he said.
“Really it comes down to what’s the perfect fit for the client. Look, they’re trying to push websense out there because it’s a Web filter. There are number of vendors in each space and some of them are perfect for a business, but maybe their requirements change.
”I do think that the industry needs to have a hard look at itself. I think some of the information that’s being shared with end-users is not accurate and it all comes down to money.” Intalock CEO, Julian Haber, doesn’t believe the industry will ever work together cohesively.
“I can’t see sharing information. I mean if your intelligence is a significant competitive advantage, why would you want to give that to somebody else? It’s not going to happen.”
Cyberoam channel manager A/NZ, Andrew McHenry, said affordability is a big issue for smaller players when trying to keep out sophisticated threats, and that post mortem analysis as-a-service is increasingly important.
“I always use the analogy that when someone breaks in to your home, you’re ok if they take the cosmetic jewellery, rather than your real gold jewellery. The other analogy I always use is you can continue to build a brick wall higher, but attackers will just keep building bigger ladders and longer ladders, to reach your portfolio. The hackers who want to get in will eventually get in one way or another, in whatever way they need to. So there’s no approved security guideline here. From a security vendor position and service provider, your responsibility is to deliver security that fits their risk profile and affordability. Because otherwise most of them just won’t worry about it,” he said.
“In the SMB market it’s like selling life insurance, until somebody dies, it’s not a priority. Because it’s all about cash. Sure there’s damage, and reputational hurt, but it’s mostly about the cash they want to get out of your business.
All of our experts agreed, the biggest challenge for the channel is making that sale. Until there is tangible damage to the business, your customers are always sceptical about what you’re selling. However, the majority already think they have sufficient protection, according to Westcon Group A/NZ sales director, David Hook.
“We’re definitely seeing customers that are saying they are fully protected. We have a whole channel behind us or in front of us talking to customers about security
“Nine times out of 10 they have vulnerabilities; they thought they were protected and they weren’t. Our resellers have to become that trusted adviser who is diving in deeper and not just trying to sell them kit, but understanding what their requirements are,” he said.
Hemisphere Technologies general manager of sales and technical, Nigel Hedges, said he was noticing more threat activity occurring amongst his clients, but little response from customers.
“There’s a lot of complacency, I mean that’s just part and parcel of our industry. We see it regularly despite our warnings. Just the other night there was a service provider that had a fairly significant security incident and calls us on the phone saying ‘what should we be doing? What solution should I have done to mitigate this and reduce the four-day period that it took us to find out what was wrong?’”
MALWARE BLACK MARKETS
So what kinds of industries are being targeted the most, and what methods are being used? Thurrell said it’s not so much the sophistication of the attacks technologically, its the methodology employed.
“The majority of the attacks in this market are still along the lines of DDoS attacks. We’re still seeing a lot of those, rather than the likes of the high profile target or Anthem Insurance breaches we see in the US. Those kinds of attacks, where people are reaching in to try and get huge amounts of user data, personal data and to be transacted, aren’t here yet – but it is only a matter of time until that starts happening,” he said.
Miller agrees that the Australian market is 12-24 months behind the kinds of attacks being seen in the US – an opportunity for the Australian channel to strike.
“Industries here have exactly the same risk that the US industries have, so natural resources are being hit hard globally, even here in Australia, and we’re seeing more actively compromised industries like aerospace, and anything to do with ship building; all these industries that come up with IP. Obviously, that’s totally different to user data or healthcare data or financial data breaches. But all the same risks are here and it’s probably just a matter of time."
Williams said the black market for hacking and security breaches is seeing increased collaboration between criminal elements.
“There never used to be collaboration between criminals and nation states, or say, Anonymous. Now they’re actually starting to collaborate and say ‘you’ve got this technology, we’ll buy this off you’. You’ve all heard the term Cybercrime-as-a-Service, DDoS-as-a-Service, and whatever is in your Cloud is now being targeted. Healthcare data is now worth 10 times that of credit card information. Credit card information is easy to get; it’s a commodity. Healthcare is much more expensive to buy on the underground,” he said.
In the wake of serious breaches overseas, such as Sony Entertainment and Target in the US, FireEye’s manager of strategic alliances and channels ANZ, Chris Barton, said the climate in Australia is changing and they are having more indepth conversations with C-level executives. “In the last 12 months we’ve seen an awareness shift in the Australian market. I think some of the big breaches have scared the living crap out of some boards. We’ve seen some C-level guys and board members reaching out directly to us and our partners, and they want to have some reassurance around their security posture,” he said.
“Twenty-four months ago, 36 months ago, that was a very, very rare occurrence. There are certainly some guys that are always ahead of the curve. Defence and banks have already got a fairly significant security posture. But at the layer below that, most customers think ‘it’s not going to happen to me’. The simple fact that Australia doesn’t have any mandatory disclosure laws is a concern.”
FAILED FEDERAL POLITICS
The key problem for Australia has been politics – two successive governments have failed to update Australia’s cybersecurity legislation sufficiently. Even though Canberra is due to open its new Australian Cyber Defense Centre, which the government hopes will see more businesses sharing breaches and threat intelligence, the nation still has no form of legislated mandatory disclosure for breaches.
So in reality, we don’t know how bad the extent of the problem is, says Haber. “The vast majority of breaches that we see from businesses, colleagues, our friends aren’t reported, so we actually don’t know how big the problem is. It just doesn’t appear in the papers. In comparison, the US and a number of other countries do have that mandatory disclosure. It’s more out there in the open. The problem is much, much bigger than what we think it is,” he said.
“The reality is if our clients are compromised by an APT or something like that, we probably don’t know. The first thing they know is when ASIC comes and knocks on the door and that’s a reality. That is absolutely relevant. Nation states have more resources, more money, more perseverance than what most of our customers have, quite far, so we just need to worry about threats that are real to us that we can actually defend against.”
Thurrell agrees. I think the only scary answer for the Government’s inaction is that there hasn’t been a cyber 9/11 yet in any government. “
Shaw believes there is an informal arrangement going on in certain market verticals regarding information sharing, but that the market as a whole remains quite naïve.
“Banks are actually very good at sharing information. That’s pretty sensitive stuff, but they do share, not everything, but a lot of the information because they want to make sure they’re safe too. It happens across other verticals, such as public sector and government. But we’re naïve and missing a trick if we think that because we’re geographically separated from the rest of the world then these attacks aren’t going to have an impact on us,” he said.
The conversation now is with risk officers, CEOs, CFO, chief digital officers, board members, says Haber, but they are also looking to protect their own skin and the skin of their shareholders.
“Mandatory disclosure is the only option. Boards, CEOs, etcetera, need to be held liable. The reality is, at the end of the day, that these people control the vast amount of information, citizens’ data, financial data, etcetera. There has to be some obligation on them to tell us the truth when something happens,” he said.
“In the UK, they went through disclosure and a whole raft of measures back seven or eight years ago now. The US has now as well. I don’t know why the federal government won’t intervene. It just doesn’t seem to be anything that any of the previous governments or the current one wants to actually talk about. They are just not interested in having that discussion.”
Whether it was malicious or a business process that’s gone wrong, the table agreed that the reality is that some sort of federal government intervention will force organisations to get serious about it. It’s not always a negative discussion, but these law changes will create huge new opportunities for the channel, says Barton.
“It’s a positive discussion because it will make it easier for customers too. Those guys that have struggled to get funding in the security department will be able to go up to the board and say ‘please sir, can I have a lot more cash? Because we need to improve our security posture, otherwise we’re going to have issues from bad reputation, cash losses and all that’.”
EDUCATION AND HUMAN FAILINGS
In terms of preventative measures, the key issue is user education, from the receptionist to the CISO. Whether this needs to start as part of a company training policy, or courses in school – the fact is most end users take a lackadaisical approach to security in the workplace – from Baby Boomers through to the Millennials, who are supposedly meant to be the most tech savvy of all.
“I look at my kids and they just assume that everything is fine. They click on links everywhere, they go to YouTube. Even as users in organisations, people just click on stuff and assume it’s all right. It starts at the bottom. You don’t just get to drive a car, you actually have to do a driving test. Do we need to actually have end users do a test to understand using technology in this new world of cyber crime? I don’t know,” Hook said.
The market is now seeing malware inserted into trusted websites, realistic looking emails and specifically regionally targeted campaigns. Malware such as Cryptolocker last year already saw a regional variant written specifically to target New South Wales businesses, via Telstra and Australian Post labelled emails. An estimated 20,000 machines were breached.
An emerging part of the channel’s security consultancy operations is that of security simulation, testing these human responses. Haber says he’s never surprised at how many users fail.
“Say you’ve gotten an email saying you’ve got a fine from a speed camera. It’s believable; you do drive a car. So you click on it. The fact is, they’re getting smarter and more targeted. It is hard for the average consumer right now to tell what’s good and what’s bad. It really is incredibly hard. I won’t go into detail, but we did an official exercise with an incredibly large client of ours. We sent out 18,000 different emails to users inside the organisation. We made it probably 50 per cent passable. The policy of the company is that if you get something suspicious, delete it; don’t contact the person that sent it to you and send it to the security team. One of these emails was sent to the CISO, who opened it and put in his login details,” he said.
If attackers will invariably get in, the metrics for success have drastically changed in the enterprise. Previously, you’d measure malware infections, now FIS Global measures unauthorised access activity. Because once an attacker is inside your security wall, they tend to use your own tools against you to lower their profile, and achieve more. Hence why obtaining security credentials is so vital.
The tools to do so are readily available online in blackmarkets – attackers don’t even need to know how to code anymore. These tools can be bought similar to any other as-a-Service piece of software – these hacker tools even have regular software and firmware updates to keep up with vendor updates. This means that everyone from minor ‘hacktivists’ to nationstate actors can easily obtain top shelf tools, says McHenry.
“Some of them even have bigger sales forces than the vendors. I’ve sat in on demonstrations and sales calls with the underground who are selling these tools,” he said. Thurrell and Haber concur.
“They will give you service guarantees on stuff like I’ll give you a sustained DDoS attack for 25 minutes,” Thurrell said.
“It’s incredibly professional. It is funny isn’t it? I can go out and employ somebody for $200 to perform a DDoS attack for me, but you need $100,000 in preventative measures to actually stop it. It hardly sounds fair does it?,” Haber said.
R&D departments at the security vendors regularly engage with these marketplaces to research and buy these exploits, if only to protect against them.
“One of the things that our research team in California spends a lot of time on is looking at what these latest exploits toolkits are that are out there in the wild, and how they actually map to the latest known vulnerabilities. The statistic that we came up with through our research was about 4.7 per cent of all total known vulnerabilities and threats that are out there in the market are being used. They’re the ones you prioritise and fix,” Thurrell said. The danger is that it becomes a numbers game of risk management, Haber said.
“We had a major exercise with a client at the end of last year, for about six months. We had 65,000 assets that we were doing work around, and we could tell them they had 157 critical vulnerabilities. That doesn’t mean anything without content. The industry doesn’t look at what the risk is, the likelihood, what kind of data it is, where it’s located and all that. That’s where the intelligence needs to come from. You need to understand the client’s industry, the context,” he said.
MULTI-VENDOR APPROACH REQUIRED
Miller believes any solid security solution requires a multi-vendor approach, with multiple levels of detection and prevention in place. Then it needs the right people to put the alerts into context – high, medium and low risk. Otherwise there are simply too many threats for any one organisation to combat.
“You have to read through the noise. A university we worked at had a security simulation. We probably averaged 600,000 alerts a day; maybe 400,000 were medium severity. That’s not even based on intelligence, it’s based on all these different alerts coming from firewalls and different appliances all over the place. Where is the intel? How do you operationalise it? There’s the one guy who’s sitting, looking at that interface, he looks at 20 alerts today, which of those alerts are the actual risks?”
Shaw said people, especially well trained security experts, remain a vital part of any organisation’s security apparatus. The technology can only do so much.
“As technology vendors, traditionally we’ve tended to focus on the products and the technology and the intelligence. While, ultimately, all that stuff plays a part, because you do want to get those 600,000 events a day down to say 500, but you still need skilled analysts that have extremely good experience and have been through all this to understand what it is they are looking for. Technology can only go so far. And that’s where customers struggle. Even to a certain extent partners struggle because those are very, very expensive resources. They Are expensive to hire, they are expensive to retain and there are not that many of them,” he said.
Beyond employing high end security staff resources, companies need to produce security best practise for their businesses. This comes collaboratively, from the vendor, through to the distributor, to their reseller partners. Dimitriu believes consulting on security awareness programmes is vital.
“We’ve got organisations that have got call centres, or have a highly volatile or rotating turnover staff environment. You’ve got backpackers that come in; they’re there for three to six months; they’re on a holiday; then they leave. What level of security knowledge do they have in terms of basic fundamentals? Having some type of security awareness program that is not just a one-off, but an ongoing scenario not just for these high churn type environments but the stable environments, is critical. However, a one-size-fits-all security awareness program is not the silver bullet. It has to be adaptive,” he said.
Williams said RSA has been partnering with universities worldwide to improve cyber security in the syllabus, treating it as a fundamental skillset and helping them build SOCs, resources and tools and that flows on into other areas.
Dimitriu goes a step further and believes that, as the Internet of Things emerges, cyber security skillsets need to be taught to the entire population. “Everything is connected. You go to buy a television nowadays, you buy a toaster, buy a microwave they will all one day have some type of connection to the Web. So the fact is it has digressed and been brought in so fast, we need to start at the grassroots. We need to be going into the high school or even the late primary school level and kicking in on basic security practices around passwords.
“The top 20 most used passwords still involve the 1, 2, 3, 4, 5s, still involve Monday. They’re very basic. Replacing an E with a 3 in a word is now not a secure password. But getting that embedded into your basic thinking from a young age will go a long way towards achieving that goal of a more robust and more secure environment,” he said.
The skill shortage is also being felt at the high end. Hedges said vendors should also be getting more involved with current workplace certifications, as well as working with government educational and university courses.
HARSH COMMERCIAL REALITIES
So why is it so hard to get the necessary investment in security, be it board level funding, government legislative leadership or education? Wayland believes that there needs to be a commercial incentive.
“It has always been my philosophy, that security should have been built into everything. But it wasn’t. The reality is that for a lot of the channel partners it’s still the box or the license, whatever is going to drive the sales commission in. They’re going to chase those sorts of sales, rather than thinking about the rest of the picture – such as how to decrease my margin, how do I differentiate my business, how do I get into a new set of customers by integrating security, and convince the business owner to make that investment in certification or other security requirements. Once the channel sees the commercial reality of it, how it works with the ‘everything as a service’ phase, they’ll invest in it and will go and chase it,” he said.
Hook agrees that chasing that value is the biggest problem in a tight market right now.
“From a distribution level, we want to invest and get more capability. But there are some vendors at the moment where you’ve been forced down to one or two per cent margin, alongside potentially paying rebates on top of that. We’re just walking away from business at the moment because it’s not profitable. There are some vendors that are actually supporting the distributor and the channel partner at the same time, and that’s when both parties are prepared to invest time and energy and resources beyond just the transaction but to add that value,” he said.