Next Generation Threats: The Best Defense. Jason Clark, Neil Thacker of Websense on New Strategies

Transcription

1 Next Generation Threats: The Best Defense Jason Clark, Neil Thacker of Websense on New Strategies

2 Is the cyber-criminals desire to steal critical data greater than our abilities to protect it? That s the question posed by advanced threats. Jason Clark and Neil Thacker of Websense discuss how to defend. Sophisticated exploit kits and nation-state sponsored cyber-espionage are among the advanced threats causing concern for Thacker, EMEA information security and strategy officer. But he s just as mindful of organizations levels of breach preparedness. What really concerns me is that these guys are after our data, Thacker says, and in some cases what I hear in the information security world is that they obviously want our data perhaps more sometimes than we actually can put controls around it. To Clark, chief security and strategy officer at Websense, the frightening aspect of advanced threats is how they can disguise themselves, so their damage is undetected. Those guys are getting in, and they re out there eating intellectual property, marketing the information and can be potentially making billions of dollars, Clark says. In an interview about how to improve defenses, Clark and Thacker discuss: How organizations are ill-prepared to defend against today s threats; A seven-step approach to tackling threats; New security solutions. Clark is chief security and strategy officer for Websense, Inc. In this role, Clark and his team are responsible for corporate strategy, information security, marquee account relationships, and providing strategic services to CIOs and CISOs worldwide. As a former CISO and vice president of infrastructure for Fortune 100 and 500 companies, Clark uses his business and security expertise to advise CXO executives on successful strategies to improve their IT infrastructure. Thacker joined Websense in 2012 and holds the position of EMEA information security and strategy officer. In this role, Thacker offers advice and recommendations to the security community around their security posture, business processes and the application of security technologies. Working closely with the Websense Security Labs team to understand the threat landscape, he offers organizations advice on how to apply the appropriate level of control to maintain security effectiveness against the latest threats.

3 For me personally, this is one of the biggest fear factors, that we have people out there focusing on cyber-espionage, cyber-terrorism and cyber-war Neil Thacker Next Generation Threats TOM FIELD: Neil, let me toss this question to you, and Jason, I m sure you re going to want to add some commentary. What are the next-generation threats that really concern you the most? NEIL THACKER: For me, it s the exploit kits and the exploit kit authors out there. These are the guys that pretty much produced tools, and they appeal to the mass market. These are guys that are putting together very advanced tools and selling them to lesser-skilled hackers. What they re looking to do is exploit lots of vulnerabilities out there, and again it s the fastest growing segment in organized cybercrime. obfuscations. They re hiding inside of SSL on the network, and they re also obfuscating the data when they re taking it out. The traditional detection tools of signaturebased stuff, or even if you have really good technology, because you re not seeing inside that packet since the bad guys are in SSL, that s very concerning. Unfortunately, of the Fortune 1000 and the Global 1000, we re seeing only 16 percent can see the SSL traffic. Those guys are getting in, and there are guys that are out there after intellectual property and market-moving information [with which] they can be potentially making billions of dollars. How Organizations are Ill- Prepared We also have state-sponsored attackers. For me personally, this is one of the biggest fear factors, that we have people out there focusing on cyber-espionage, cyber-terrorism and cyber-war. And my concern around the threat here is that we also have lots of financial services companies and utility companies concerned about this threat. They also see the impact of an attack on their organization. Finally, the threat that really concerns me is that these guys are actually after our data. In some cases, what I hear in the information security world is they obviously want our data more than, perhaps, we can offer on how we can actually put controls around it to protect it. It s something that kind of has evolved over a number of years now. The threats to me are one of our biggest concerns, how these guys are basically using technology against existing technologies. JASON CLARK: To me, on top of what Neil just said with the guys that are [creating] very targeted exploit kits, it s tricking the users, which are very vulnerable today to click on that link. And most organizations, if you tested their users, they re susceptible to spear-phishing. You ll find that percent of them will click the link. Obviously that s inviting the bad stuff in. That scares me because of how massively vulnerable we are. But further, choose the threats, and the top five percent are the worst threats, and they re the ones where the bad guys are leveraging FIELD: Jason, in what ways do you find that organizations are ill-prepared to defend against these threats that you and Neil have discussed? CLARK: The book on security was written 20 years ago. I ve built a lot of security organizations and a lot of companies, and the mistakes that we ve made in the past were the right thing at the time. But the world has changed and, unfortunately, most organizations are still doing what they ve always done. They re leveraging the same old framework to help them be compliant, but it isn t making them secure. [What] I m suggesting is to stop following those frameworks as the main strategy. Let s rethink security completely. We need to rethink people, process and technology. Focus on who is the enemy. How are they going to break in? What are the stages for them to get in the door, every single step of the way? What are they after? Understanding that threat model versus just trying to define these frameworks that are really high-level stuff - that does make you a better security organization, but it doesn t make you secure. Once you understand your threat model, you rethink that and then apply that, to then going back to the framework, I think you re going to be in better shape. Just doing what we ve always done is ill-preparing us. At the same time, we re spending 80 percent of our money on AV, firewall and IPF, and that only solves

4 Most organizations are still doing what they ve always done. They re leveraging the same old framework to help them be compliant, but it isn t making them secure. - Jason Clark

5 The book on security was written 20 years ago. Jason Clark probably 20 percent of the problem. We ve got to re-shift, and that s what s ill-preparing us against these new threats. THACKER: Lots of organizations out there don t understand what they re actually trying to protect. In most cases, it s going to be the data; it s going to be the information; it s going to be the intellectual property. But they don t know where that sits. There s a focus at the moment to try to understand what people are trying to protect. We also talk about how we have solutions in place as well. An organization will go out, and they ll bring in a solution to fix the problem, but they won t have to change that solution for a number of years, so they have to think ahead, and they have to make sure that when they re buying these solutions from these security vendors, the vendors ought to offer new controls and new kinds of active security solutions. We see too much invested in passive security solutions, solutions that basically all they do is detect attacks. What we really need to focus on is detecting, containing and mitigating the threat. Problems with Current Solutions FIELD: If I might follow-up, what do you find is wrong with the current solutions that are supposed to mitigate these threats? THACKER: To me, a lot of the security solutions that are put in place to mitigate threats are based on inbound only, and they re also focused on protecting infrastructure. Information security has changed over the years, where it s kind of transitioned away from infrastructure security to data-centric security. But we still have lots and lots of infrastructure security solutions that are focused on protecting availability. In security terms, we always focus on confidentiality, integrity and availability, but there are still too many security solutions that just focus on availability. We need to focus on the context and protect that confidentiality and integrity of the business. CLARK: My view is we re reactive. Existing solutions are reactive. A lot of things are letting the stuff through and trying to detect after the fact. The biggest issue is the technologies today might be good at the known threats, but it s the unknown; it s the zero-days. In fact, what we re seeing in our threat intelligence is there s about an average 1,000 new threats a day that aren t being caught and aren t known. They re not being caught by the standard signature-based controls, so there are a thousand new threats a day that are bypassing all the top products. That s obviously driving us to be very reactive. There are a lot of heads of security that say, Oh well. They re going to break in. It s just how we respond, detect and react after that. That s obviously putting us in a bad position where we re putting our hands up and saying, It s going to happen; it s just how we respond. That s true to some extent, but that could be maybe less than one percent of the time, whereas you can be preventive. There are strategies for being able to be successful and win this game. 7-Step Approach to Tackling Threats FIELD: Jason, I know you ve got a seven-step approach to tackling the next-generation threats. Could you outline that for us, please? CLARK: We found it to be extremely effective and, in fact, this isn t something that we necessarily invented. It has worked with a number of other very large and successful organizations. As kind of a think-tank, we all came together and we basically did threat modeling, and we broke down how these guys are breaking in and what s the stage of the attack. Then we built a defense posture around those seven stages, and we actually do strategy assessments against ourselves on a regular basis. People prompt the technology. The first stage is the recon stage. That s where the bad guy starts tying to understand. Maybe he goes on LinkedIn or goes on Facebook and tries to understand what he can learn about your users, your CEO or whoever that

6 The Seven Stages of Advanced Threats and Data Theft RECON LURE REDIRECT EXPLOIT KIT DROPPER FILE CALL HOME DATA THEFT Gather online information to build targeted lures. There are two types of lures: and web. Funnels and sends the user to a hidden server. User s system is inspected for an open vulnerability. If vulnerablity exists, malware dropper file is delivered. Calls home for more malware to expand attack. Cybercrime reaches out into internal systems for data to steal. Lots of organizations out there don t understand what they re actually trying to protect. Neil Thacker may be, and also how he can break into your organization. They then leverage that as ammo to create a targeted attacks or spear-phishing s to entice the user to click, because it s using the human curiosity. Maybe he knows you really like cars, and he sends you information about a car show that s coming up, offering you free VIP passes. More than likely, the person s going to click. Then we go down to the alert stage, which is the spear-phishing example I just gave. Then we have the redirect stage. Then there s the exploit kit, and the exploit kit goes down to the dropper file, then to the call-home stage and then to data theft. We can talk about these in more detail, but specifically the way you win here is that today the solutions make the mistake of focusing on just one of the stages. Say we re going to try to win in this one stage. A standard proxy is going to try and block the redirect stage. Your AV systems will try and stop the exploit stage. A malware solution will stop the dropper-file stage, and then you ve got the DLP that stops the data theft. Where in truth, all these things are all trying to focus on stopping these things by themselves, and they re betting all their bets on that one horse, on that stage, versus the real way to stop it, which is to look at all seven stages [and] share intelligence among those. That s the approach of people, process and technology. Everybody should be assessing themselves against those stages and asking themselves, How are we maintaining state? How are we learning and doing behaviorbased, artificial intelligence as this thing gains more context? As the threats go down to data theft across these seven stages, we try to stop it. By the time it gets to stage 3, 4, 5 and 6, we learn so much more context about the threat as it gets closer to the crown jewels. THACKER: It s something so powerful, understanding that seven-stage attack model. To me, what I hear back from customers that have our solution is that what they focus on is they want to make every single event count. They want to draw maximum value from each event that s generated as part of that sevenstage model, and they want to put in an active security solution, as Jason mentioned, to stop that attack. Perhaps what they ve relied on in the past is looking at a SIEM-type solution where they can take all these feeds in. But this is passive security. This is like a post-event, forensicstype solution. What customers are talking about and how they understand our sevenstage model is that we can actually block that attack. It s active security, not passive.

7 [Security] has gone up to the board level, where things like data security, legal requirements and regulatory compliance are driving the need for security. Neil Thacker Utilizing Websense Solutions FIELD: Neil, I understand you have a unique perspective because before you came to Websense, you were a customer. Perhaps you can speak to us about exactly how customers are employing the Websense solutions. THACKER: I ve been a security professional for over 10 years now, and just six months ago I started at Websense. I m using my experience in the field of going out, finding solutions, building requirements and understanding what customers want from security technology. One item I m focusing on and talking to them about is all the successes I wanted to share [about] the Websense solution. Something that customers talk about and that they focus on as part of deploying solutions is the in-bound and out-bound. Most traditional security solutions only focus on the in-bound, looking at malware analysis for in-bound, but also getting that great value from having digital forensics, so things can combine within DLP, looking at digital forensics on the out-bound as well as the malware analysis in-bound. They re looking at tactical and strategic-type solutions so [when there s] something they re hearing about and in the media around the latest hacks and things like that, they want to react. They want a tactical fix. They want something to go in straight away. But they re also looking at strategic. They re looking to mature their solutions at the same time, [which is] something to be aware of because we need to really look at these solutions that are going to be dominant going forward. They re going to add controls that you can actually then mature. Something I ve seen a big change in within even the last year is that security has gone up to the C-level. It s gone up to the board level, where things like data security, legal requirements and regulatory compliance are driving the need for security. Customers are focusing on data security and not, as you mentioned, for just infrastructure security. It s now a business requirement to have that type of solution. I m also seeing customers that actually want to test these solutions as well. They re not happy just based on getting feedback. or not just happy with the effectiveness that a vendor will offer them. They really want to test these solutions, and what they re doing is hiring and directing companies to come in and actually test these solutions as well. At the same time, [we re] also seeing auditors focusing on technology. Jason talked about people, process and technology. Auditors are always focused on the people and process. They re coming in now and learning how technology can help in that framework and how you can actually achieve great security. Addressing Mobility and the Cloud CLARK: Two pointed examples of the success that s common for people is leveraging our cloud infrastructure to protect the threats in-bound to all other laptops and mobile devices anywhere they go. Generally, we will ask the question, How are you protecting your laptops today? The answer will be AV. They kind of shrug and say, I know it s not very effective, but that s all we have. A real quick win for any organization is they put a lot of investment on their infrastructure, on the network, to protect stuff in-bound, but they re leaving those laptops. Seventy percent of your devices in your company are laptops. For most organizations, those are connected to the network 50 percent of the time. It s such a huge win for people to deploy that kind of threat protection in the cloud for those devices anywhere they go. As a result, which is real common, they ll see a percent reduction in help-desk tickets for reimaging laptops, but also they ll instantly catch some bad stuff happening on those devices. The second major win is on the data-theft side, the intellectual-property protection. We have a really big win quickly and instantly for any Fortune 1000 for our data-theft protection. They ll end up catching some insider doing some improper stuff, and they ll be able to adjust the behavior right away. That s a big win, just the education side. They re going to see 70 percent change in the behavior of users or employees that were sending stuff out that maybe was a gray area, and maybe that stuff shouldn t have been

8 All the best companies in the world are getting compromised and they re all compliant with everything that s out there. It comes down to threat modeling. - Jason Clark Websense, Inc. is a global leader in protecting organizations from the latest cyber-attacks and data theft. Websense TRITON comprehensive security solutions unify web security, security, mobile security and data loss prevention (DLP) at the lowest total cost of ownership. Tens of thousands of enterprises rely on Websense TRITON security intelligence to stop advanced persistent threats, targeted attacks and evolving malware. Websense prevents data breaches, intellectual property theft and enforces security compliance and best practices. going out. By just popping up and saying, Are you sure this is okay with company policy? they see 70 percent behavior change and only 30 percent of that data going out anymore. Next-Generation Threats: Assessing Your Readiness FIELD: Jason, let s talk about the bottom line. How do organizations start to assess their own readiness to defend against these nextgeneration threats? CLARK: It s not about the old-school framework. That s not going to get you there. All the best companies in the world are getting compromised, and they re all compliant with everything that s out there. It comes down to threat modeling. We re very big believers in threat modeling and letting that thrive through a risk-based, data-centric security program. We actually have developed strategy assessments that we offer out to people, and this is a free service. We can walk people through how to form it themselves people, process and technology - and we break it down. What are you trying to protect? Is it DDoS? What s the threat? Is the data you re trying to protect your intellectual property or PII? Let s talk about how the bad guy is going to get to that. We have a strategy assessment we developed which we re happy to share with anybody, so that they can be successful. Grade yourself at each stage of the attack. Ask yourself: What s my control? How am I measuring myself? What s the people side of things? What s my process? If an employee catches something that s suspicious, is he incentivized to let your help desk know? We do a lot of stuff internally to incentivize users to do something called catch of the day in that space. But now, get everybody engaged. We have a lot of wins there. By using these tools, you can really change the game. LISTEN TO THE INTERVIEW We also have invented some really cool, free technology tools. One is an ipad app. One is something called our Threat Simulator. That s on a laptop that we can bring in and we actually bring down 150 pieces of malware through all your controls to a sandbox environment in a very safe manner, and then we do 150 calls home. We can quickly tell you right away how effective your existing controls are against the advanced attack. We can tell you if it s only 12-percent effective and we ll tell you why. What stages did your stuff break down in? That 12 percent where you were effective, we ll tell you how you won. We can give you a roadmap to success pretty quickly. THACKER: For me, it s that effectiveness, as Jason mentioned. It s being able to demonstrate effectiveness as well. It s looking at requirements. It s about understanding where the threats are coming from. We ve talked about that over the last 10 minutes, and to me that s the big focus. Check and see how effective you are. It s looking at the percentages. Risk management is pretty unique to most organizations. Most organizations don t understand what they need to protect. That s one of the first key exercises. Prepare and become ready for the latest threats. Understand exactly what you re trying to protect. Then look again: Your strategy - is it one around passive or active security? Do you want to make every event count? For me, focusing on data security for over 10 years, putting a data-security control in quickly became the number-one technical control I had in my previous organization. Being able to monitor, identify and have the visibility that data-security solution gave me became the number-one control and it became a firm favorite around the business. The board level is being engaged in security for the first time.

9 About ISMG Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. Contact (800) sales@ismgcorp.com This information is used by ISMG s subscribers in a variety of ways researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape. 4 Independence Way Princeton, NJ