A Proactive Approach To Incident Response: 7 Benefits

How implementing a digital forensic readiness program maximizes the value of digital evidence. The concept of digital forensic readiness focuses on two basic principles: 1) to maximize an organization's ability to gather digital evidence and 2) to minimize the cost of investigations.
Instead of the traditional reactive response to security incidents, digital forensic readiness acknowledges the fact that events will occur, and helps to make the most efficient use of electronically stored information (ESI) to mitigate data loss and risk. Here are six examples of how digital forensic readiness can enhance an organization’s proactive approach to incident response.

Benefit 1: Lower Investigative Costs

By operating on the expectation that events will occur, organizations can minimize business disruption by focusing their investigative workflow on analysis and presentation activities.

Benefit 2: Targeted Security Monitoring

In “response mode,” the effectiveness of security controls is limited to notification, containment, and remediation capabilities. A proactive approach, however, creates greater opportunity to implement targeted security monitoring that identifies and mitigates a much wider range of cyber threats before they escalate into serious incidents.

Benefit 3: Crime Deterrence

Coupled with contextual intelligence, digital forensic readiness increases an organization’s ability to detect malicious activity and reduces the potential of an incident occurring. Going forward, as a proactive approach becomes more widely adopted, bad actors will be less likely to commit malicious activities because their probability of being caught will be higher.

Benefit 4: Investor Confidence

With a good information management framework in place, organizations can demonstrate their ability to conduct incident prevention and response. Displaying this level of maturity not only provides a sense of security and protection, but also gives investors more confidence in the organization’s ability to minimize threats.

Benefit 5: Enhanced eDiscovery

International laws relating to eDiscovery, such as the Federal Rules of Civil Procedure (United States), the Rules of Civil Procedure (Canada), or Practice Direction 31B (United Kingdom), require that digital evidence be provided quickly and in a forensically sound manner. Meeting this requirement involves activities such as incident response, data retention, disaster recovery, and business continuity policies, all of which are enhanced through a digital forensic readiness program.

Benefit 6: Fast Disclosure & Penalty Avoidance

Regulatory authorities and law enforcement agencies may require the immediate release or disclosure of ESI at any time. An organization’s failure to produce the requested ESI can result in financial penalties. With a digital forensic readiness program in place for information management, data retention, disaster recovery, and business continuity, organizations can process and present forensically sound ESI in a timely manner.

Benefit 7: You’re Probably Already Doing It

Organizations may not realize it, but some of these activities are already being performed today; for example, preserving digital information in a Security Information and Event Management (SIEM) solution.

The bottom line is that implementing a digital forensic readiness program will be a “win-win” situation because it complements and enhances the overall information security program and strategies. This article was sourced from the forthcoming book by Jason Sachowski, titled “Implementing Digital Forensic Readiness: From Reactive To Proactive Process,” available now at the Elsevier Store and other online retailers.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group.

Cybercrime And Hacking Atlas

A geographic guide with cybercrime threat and target trends in 10 notable countries. When we picture hackers at work, it’s easy to get caught up imagining young men quietly working in a dark Dostoevskian garret in a bleak post-Soviet town. Or, rows of uniformed Chinese in a sterile Far Eastern military office.

But are these images realistic? While the former Soviet bloc and China certainly make up their share of global hacking, cybercriminals have a broadly global reach and a great deal of international diversity.

Even though major attacks are increasingly carried out by multinational rings, there is still often a national flair to online crime, and countries in Latin America, Western Europe, and the developing world are all well-represented. Here are some of the notable countries, in no particular order whatsoever. Sources for population and economic data: CIA Factbook and Wikipedia. Sources for photos: Pixabay.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

The Secret Life Of Stolen Credentials

Bitglass Threat Research Team's Project Cumulus demonstrates what happens when Google Drive credentials are 'stolen.' Everyone knows that stolen credentials can have disastrous effects on people's most critical accounts, but there's often no clear timeline for how exactly criminals put them to use.

That changed this week with a new experiment from researchers with cloud access security broker (CASB) Bitglass, who put together a fictional digital identity and then leaked its credentials to the Dark Web to track the secret life of credentials once they're stolen. This is the second year running that Bitglass has done a "where's your data?" experiment.

For this one, dubbed Project Cumulus, the Bitglass Threat Research Team created an online persona of an employee for a fictitious bank.

This included creating a phony Google Drive account with fake bank data and files containing real credit card numbers and other data made to look like something someone would produce on the job.

The drive was then tracked using Bitglass watermarks embedded in the files and its CASB technology in monitor-only mode. From there, the team leaked the credentials for the Google Drive in a way that made it appear they were stolen during a larger phishing campaign.

They found there was an immediate spike in activity when the credentials were leaked, with over 1,400 visits recorded to them and to the fictitious bank's Web portal. From there, about 94% of the hackers who accessed the drive in question then also found the victim's other online accounts, including the faked bank Web portal. One in ten of them immediately attempted to log into Google itself with the Google Drive credentials in hand.

And 12% of hackers attempted to download files containing sensitive content, with a handful cracking encrypted files after they were downloaded. "Our second data-tracking experiment reveals the dangers of reusing passwords and shows just how quickly phished credentials can spread, exposing sensitive corporate and personal data," says Nat Kausik, CEO of Bitglass. [Experiment tracked the Dark Web journey of a cache of phony names, SSNs, credit cards, and other personal information. Read What Happens When Personal Information Hits The Dark Web.] Project Cumulus was the next step in Bitglass' experimentation on tracking stolen credentials or documents in the wild. Last year, it leaked watermarked documents and found these files were viewed 200 times in just the first few days of leaking.

At that time, not many attackers used any methods to anonymize their traffic to the documents in question. In stark contrast, this second incarnation had 68% of all logins coming from Tor-anonymized IP addresses.

Ericka Chickowski specializes in coverage of information technology and business innovation.

Sony Hackers Still Active, 'Darkhotel' Checks Out Of Hotel Hacking

How some cyber espionage and other advanced attack groups don't go dark anymore after being outed. The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. “They didn’t disappear when the dust settled” after the Sony attacks, says Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab.

Guerrero-Saade and fellow researcher Jaime Blasco last week at the Kaspersky Security Analyst Summit in Tenerife, Spain, detailed new activity by the Sony hackers. “It took us two years to correlate all of the information we had  … The same people were launching campaigns using information from the Sony attack,” said Blasco, who is vice president and chief scientist of AlienVault.

The attacks are mainly intelligence-gathering efforts, but occasionally the attacks include wiping disk drives, he said. The attackers, which the US government says came out of North Korea, pummeled Sony, wiping disk drives, and doxing emails and other sensitive information. There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. “They would immediately shut down their infrastructure when they were reported on,” said Kurt Baumgartner, principal security researcher with Kaspersky Lab. “You just didn’t see the return of an actor sometimes for years at a time.” But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity.

Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives.

Darkhotel is no longer waging hotel-targeted attacks -- but they aren’t hiding out, either. In July, Darkhotel was spotted employing a zero-day Adobe Flash exploit pilfered from the HackingTeam breach. “Within 48 hours, they took the Flash exploit down … They left a loosely configured server” exposed, however, Baumgartner told Dark Reading. “That’s unusual for an APT [advanced persistent threat] group.”

The Darkhotel group appears to care less about its infrastructure and more about its advanced attack techniques, he says. “Public exposure isn’t going to affect them,” he says. “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active,” including sending rigged links to Southeast Asia targets via Webmail services.

‘No Such Actor’

Meantime, one of the most advanced and infamous nation-state threat actor groups has been dark for more than a year. Kaspersky Lab still hasn’t seen any sign of the so-called Equation Group, the nation-state threat actor operation that the security firm exposed early last year and that fell off its radar screen in January of 2014. The Equation Group, which has ties to Stuxnet and Flame as well as clues that point to a US connection, was found with advanced tools and techniques including the ability to hack air-gapped computers, and to reprogram victims’ hard drives so its malware can’t be detected or erased. While Kaspersky Lab stopped short of attributing the group to the National Security Agency (NSA), security experts say all signs indicate that the Equation Group equals the NSA.

“I would assume they are active but just changed their” communications, says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.”

Just how APT groups from various regions react to being outed is often a cultural thing. “The Far Eastern [APTs] don’t seem to care too much” about hiding out after being outed, he told Dark Reading. “The rest of the world cares a bit more.” One exception to that is the attack group behind the US Office of Personnel Management (OPM) breach, he says. “They are a different kind of fish. The moment they got discovered,” they shifted gears, he says. “We found traces of activity related to those guys. But it was at another level of skills and capabilities versus other Chinese-speaking groups.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com.

Ukraine Railway, Mining Company Attacked With BlackEnergy

Weeks after the malware played a role in a massive power outage in Ukraine, BlackEnergy and its cohort KillDisk were used in other attacks as well, Trend Micro says. Even as questions continue to swirl around the role of the BlackEnergy malware family in the widespread power outage in Ukraine on December 23, there are signs the same toolkit is being used in attacks against industrial control systems in other sectors as well.
Security vendor Trend Micro says new intelligence shows that whoever was behind the power grid attacks also may have attempted similar attacks against a large railway operator and a mining company in the Ukraine.

An inspection of telemetry data obtained from the open source intelligence community shows that BlackEnergy and its integrated KillDisk component for erasing hard disks were used in both attacks. The BlackEnergy and KillDisk infrastructure used in the attacks on the mining and rail transportation firms was the same as the one used to launch the December attacks on Ukraine power distributor Prykarpattya Oblenergo that resulted in 30 substations getting knocked off the grid, according to Trend's findings. More than 100 cities suffered a total blackout while dozens of others experienced a partial power disruption as a result of that attack. “Based on our research, we can say we believe that the same actors are likely involved in some regard to these two victims and to those behind the Ukrainian power utility attack," Trend Micro senior security researcher Kyle Wilhoit said in a blog post.

The remarkable overlap between the malware used in the attacks, the naming conventions, the infrastructure, and the timing of the attacks hint strongly at a connection between the three campaigns, he concluded. The attacks suggest that the attackers are either seeking to use cyberattacks to cause massive and persistent disruption to Ukraine's power, transportation, and mining infrastructure, or deploying the malware on different critical infrastructure targets in Ukraine to try to figure out the most vulnerable ones, he said.

The hacking of industrial control systems at the railway and mining companies in Ukraine, if true, represents a troubling expansion of the BlackEnergy campaign, says Dean Weber, chief cyber architect at Mission Secure Inc., which specializes in control systems security. The attack on Ukraine’s power grid represents the first time since Stuxnet degraded Iran’s uranium processing capability in 2010 that a cyberattack has been used to cause a physical outcome, he says. To pull it off, the attackers basically appear to have compromised a human-machine interface (HMI) system at Prykarpattya Oblenergo and used the access to instruct the underlying industrial control system to open a series of circuit breakers, causing power to be shut down in multiple areas, Weber says. Some have attributed the attack to a Russian hacking group dubbed the Sandworm team, which has been associated with BlackEnergy-related attacks on energy companies in the US and Europe for years, he notes.

Though an inspection of the compromised system at the Ukraine power distributor revealed the presence of BlackEnergy 3 and KillDisk, security researchers are not entirely sure what role the malware played in actually leading to the switches being thrown open. ['KillDisk' and BlackEnergy were not the culprits behind the power outage -- there's still a missing link in the chain of attack. Read More Signs Point To Cyberattack Behind Ukraine Power Outage.]
BlackEnergy has been floating around since 2011 and was originally used to collect information from industrial control systems.

The US ICS-CERT -- which yesterday issued a new YARA signature for detecting BlackEnergy -- recently confirmed that several US organizations have reported infections on Windows-based human-machine interface systems (HMI) that are used to interact with back-end industrial control systems. ICS-CERT has not identified instances where BlackEnergy has been used to damage or modify control processes on a victim system, or if the malware operators used it to expand their access beyond the compromised HMI.

The CERT also has noted in its analysis of the attack on the Ukraine power grids that a version of BlackEnergy 3 with the KillDisk utility was indeed present on the system that was compromised. “Everybody should be up at night about this,” MSi's Weber says. “Everything that relies on an industrial control system, whether it be an oil and gas facility, a pipeline, a ship or a power generator, are run by HMIs,” and such an attack shows how they could be compromised.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

3 Flavors of Machine Learning: Who, What & Where

To get beyond the jargon of ML, you have to consider who (or what) performs the actual work of detecting advanced attacks: vendor, product or end-user. The great promise machine learning holds for the security industry is its ability to detect advanced and unknown attacks -- particularly those leading to data breaches.

These range from traditional uses -- such as malware detection -- to new areas like attack detection for hackers who have circumvented preventative security. Unfortunately, machine learning, which is rapidly becoming a popular marketing term, has lost much of its meaning because virtually all vendors define it differently. One way to get beyond the jargon is to look at ML from the perspective of who actually performs it, and where.

But first, some basic concepts and definitions. The strength of any ML system depends on the data modeling behind it; the algorithm in use plays only a secondary role.
If the selected data parameters cannot predict the result, you can use fancy algorithms, but the accuracy of the results will be very low.

They will also generate a lot of noise when used outside of a lab environment. A basic principle in data science is that simple schemes with the right data modeling work better than complex schemes. So in evaluating options, it’s wise to look for vendors that have real domain expertise rather than a large staff of PhDs.

That’s because understanding the parameters and various scenarios is more important than the development of an algorithm for correlating data.

Domain expertise directly affects the quality of the data modeling.

Consequently, if it’s hard to understand how ML is used, it probably means that it is not relevant to the way the product works. As for understanding the various flavors of ML, one approach is to divide products into categories based on who (or what) actually performs the machine learning work: the vendor, the product or the end-user.

The Vendor

The vast majority of cases using the term machine learning actually describe one of the tools that the vendor uses to develop their product or generate threat intelligence. In these cases, the vendor is actually performing ML in their lab, rather than the product doing it on premise. A typical example: AV and URL filtering vendors that perform ML behind the scenes. In order to keep their signatures (or threat intelligence) reasonably current and to process the heavy loads of malware and viruses they encounter, vendors need to leverage ML in their labs to automate the classification and signature creation process.

This use of ML occurs in the vendor’s lab and results in signatures or threat intelligence that the product then uses to detect specific patterns or artifacts.

Typical products: AV, sandboxing, anti-bot, whitelisting and rule-based event correlation.

Advantage: the products are deterministic and will always operate in the same way, regardless of the environment.

Disadvantage: the products are rule-based and can leverage only known artifacts, which leads to low detection accuracy (e.g. AVs inherently don’t detect new malware well).

Attackers can circumvent detection and test against the product.

The Product

Some products perform ML as an integral part of their function, typically for behavioral detection.
In this case the product “learns” the specific environment and uses that information for detection.

For example, observing a user or machine starting to access resources it never accessed before and ones that the user’s peer group doesn’t typically access.

There is no predetermined rule, signature or pattern that can detect this. You can only achieve an accurate detection by profiling normal behavior in the particular network and applying that knowledge to detect anomalous behavior. “Behavioral analysis” by itself doesn’t mean machine learning. Many products look at behaviors and apply rules or signatures.

For example, sandboxing products typically run a malware in a sandbox environment, examine its behavior and then compare the behavior against a list or rules previously developed by the vendor in their lab (using different methods, including machine learning).
In this case the product itself does not perform any ML.

A product that performs ML must have a self-training/learning/profiling period. Products that don’t operate this way do not belong in this category, even if they are said to perform “behavioral analysis” or “detection”. A relatively new security application for machine learning is detection of attacks that have evaded preventative security. While malware detection doesn’t necessarily need ML-capable products, more general behavioral attack detection is usually based around the activities of a human attacker or insider.
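As an added illustration of the profile-then-detect pattern described above (example code written for this page, not any product's or vendor's code), the following Python learns which resources each user and each peer group touched during a training period, then classifies a later log without any predefined rule or signature. The users, peer groups, resource names and both logs are constructed sample data.

```python
"""Profile-then-detect: learn which resources each user and peer group normally
touches during a self-training period, then flag accesses that match neither.

Added example for this page; the log records, users, groups and resource
names below are constructed, not real data.
"""
from collections import defaultdict

# Training period: (user, peer_group, resource). Constructed sample log.
TRAINING_LOG = [
    ("alice", "finance", "ledger-db"),
    ("alice", "finance", "payroll-share"),
    ("bob",   "finance", "ledger-db"),
    ("bob",   "finance", "expense-app"),
    ("carol", "finance", "payroll-share"),
    ("dave",  "eng",     "git-server"),
    ("dave",  "eng",     "ci-runner"),
    ("erin",  "eng",     "git-server"),
]

# Detection period, same shape. Constructed; comments give the expected verdict.
DETECTION_LOG = [
    ("alice", "finance", "ledger-db"),      # in alice's own profile: normal
    ("alice", "finance", "expense-app"),    # new for alice, but her peers use it
    ("alice", "finance", "git-server"),     # neither alice nor her peer group: anomalous
    ("dave",  "eng",     "payroll-share"),  # an engineer reaching a finance share: anomalous
]


class AccessProfiler:
    """Baseline of observed accesses, built during a self-training period."""

    def __init__(self):
        self.user_resources = defaultdict(set)    # user  -> resources seen
        self.group_resources = defaultdict(set)   # group -> resources seen by any member
        self.trained = False

    def train(self, log):
        """Learn the environment: record every (user, group, resource) as normal."""
        for user, group, resource in log:
            self.user_resources[user].add(resource)
            self.group_resources[group].add(resource)
        self.trained = True

    def classify(self, user, group, resource):
        """Return 'normal', 'new-for-user' or 'anomalous' for one access."""
        if not self.trained:
            raise RuntimeError("profiling period has not been run yet")
        if resource in self.user_resources[user]:
            return "normal"
        if resource in self.group_resources[group]:
            # Unseen for this user but routine for the peer group: worth a note, not an alert.
            return "new-for-user"
        # No rule or signature named this resource; it is anomalous only
        # relative to the learned baseline of this particular environment.
        return "anomalous"

    def detect(self, log):
        """Classify every record of a detection-period log."""
        return [(user, resource, self.classify(user, group, resource))
                for user, group, resource in log]

    def anomalies(self, log):
        """Only the accesses that neither the user nor the peer group has shown before."""
        return [(user, resource) for user, resource, verdict in self.detect(log)
                if verdict == "anomalous"]


def run_example():
    """Train on the constructed baseline, then return anomalies from the detection log."""
    profiler = AccessProfiler()
    profiler.train(TRAINING_LOG)
    return profiler.anomalies(DETECTION_LOG)


if __name__ == "__main__":
    for user, resource in run_example():
        print(f"ALERT: {user} accessed {resource}, unseen for user and peer group")
```

Swapping in a different training log changes what counts as anomalous, which is the point made above: the detection logic is customized to the environment rather than predetermined by the vendor.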

The system has to essentially customize its logic to the environment in order to accurately detect the activities.

This area represents a substantial break from traditional security in that the goal is to identify unknown anomalous behaviors that neither the end user nor the vendor specified in advance, rather than evaluate against known, already-defined technical artifacts.

Typical products: fraud detection, anomaly detection, attack detection, behavioral detection.

A product in this category has to have a self-learning/profiling period, so other “behavioral analysis” products are not included here.

Advantage: Leveraging ML, these products can obtain higher detection accuracy and a lower rate of false positives.

They automatically optimize their detection to every specific environment and could detect unknown things that the end-user or vendor would not need to specify in advance.

Additionally, these can’t be “gamed” by hackers in the way a statically defined technical artifact can be known and thus circumvented by an attacker.

Disadvantage: The detection depends on the profile of the specific environment, making the process less predictable.

The products are less optimized for generic queries on the data, but more on automated detection.

The End-user

This category includes products that are toolkits used by data scientists to perform ML.

For example, business intelligence (BI) tools enable the end user to define datasets, run correlations, regressions and clustering algorithms.
In this case the end user is the data scientist who leverages ML, and the product is only a tool at his or her disposal.

The end user decides which data to process, what parameters to use and how to interpret the results.

Typical products: Business intelligence products, mathematical/statistical analysis toolkits, SIEM products with analytics toolkits.

Advantage: Lets the user perform custom analytics on custom datasets.

Disadvantage: Can only be leveraged if the security team has data scientists.

The responsibility is on the analyst rather than the tool to define the problem, the input data and the conclusions.

The analyst would not be able to see patterns that he or she wasn’t looking for.
In order to allow custom analytics, the collection of data is a heavy task that requires additional products and storage.

Giora Engel, vice president, product & strategy at LightCyber, is a serial entrepreneur with many years of technological and managerial experience.

Newly Fired CEO Of Norse Fires Back At Critics

Critics maintain that Norse Corp. is peddling threat data as threat intelligence. A massive and potentially company-ending shakeup at security vendor Norse Corp. in recent weeks amid controversy over its practices may be a signal that the threat intelligence industry is finally maturing. KrebsonSecurity last week reported that Norse had fired its CEO Sam Glines after letting go some 30% of its staff less than a month earlier.

The blog quoted unnamed sources as saying Norse’s board of directors had asked board member Howard Bain to take over as an interim CEO. The remaining employees at the Foster City, Calif.-based threat intelligence firm were apparently informed they could continue showing up for work, but there would be no guarantee they would be paid, KrebsonSecurity reported. Shortly thereafter, Norse’s website went dark and remained unavailable through the week -- prompting some speculation on whether the company had been shuttered.

A spokesperson for a PR agency representing Norse today said the company is still operational, but she did not elaborate. The KrebsonSecurity article, which was contested by Glines and former Norse chief architect Jason Belich, blamed Norse’s problems on a fast and loose business culture focused on taking quick advantage of the booming interest in threat intelligence rather than on delivering real value for customers. One former employee quoted by Krebs described Norse as a "scam" operation designed to suck in investors. Norse, once a rising star in the threat intelligence industry and which as recently as Sept 2015 received an investment of over $11 million from KPMG, has been in the news for the wrong reasons before. As KrebsonSecurity noted in its blog, a Norse report last year on growing attacks against critical industrial control systems in the US was soundly trashed for being grossly exaggerated and unsubstantiated by facts.

A subsequent review of the report showed that what Norse had described as dangerous attacks was really network scans conducted from locations in Iran against honeypot systems.

Another Norse report that claimed Sony’s massive data breach was the result of an insider attack was similarly slammed for being unsubstantiated. In comments to Dark Reading today, Glines accused his critics of harboring an agenda against Norse. He described Krebs’ article as causing “incredible damage in very short order” and confirmed that Bain had been named interim CEO. “The quality of Norse's threat intelligence data is extremely good,” says Glines. “The company has one of the largest malware pipelines in the industry and just one of the sinkholes in use has over 1 billion callbacks, after being in operation for less than 3 months,” he says. He described the sinkhole as just one example of the many techniques used by the company to collect threat intelligence. Glines downplayed the criticisms about Norse’s threat intelligence reports being over the top, but conceded that Norse had been beaten up in the media over the past year. He says that was mainly the result of a handful of individuals complaining about the company’s practices; others have jumped on the bandwagon because Norse chose not to respond, he says. Critics have accused Norse of going to market too soon with the data it had, and of drawing conclusions not actually supported by the data. “I’d respond that the entire cyber threat intelligence industry is still young, growing, but relatively immature,” Glines says. “But I’d also add that our customers and partners were getting tremendous value from the data.

Every product, every application, every service, is a work in process.” Robert M. Lee, founder and CEO of critical infrastructure security firm Dragos Security and one of Norse’s strongest critics, says Norse’s problem is that it tries to make too much of the data it has. A lot of the raw data that Norse collects from its sensors around the world is threat information, not threat intelligence, he told Dark Reading. “Data is just data without context,” Lee says. Some of it can help organizations answer fundamental questions like whether their systems are infected or not.

But that is not the same thing as threat intelligence, which involves the ability to take data from multiple sources, analyze it and predict with a high degree of confidence, he says. “Real threat intelligence is not something you can plug into a firewall," he says.
It requires a much higher degree of expertise, both technical and domain, than simply gathering and looking at threat data. “If Norse had used their data for what it was, it would have helped companies simplify what they were looking at,” he says. “Instead they were taking threat data and billing it as actionable intelligence.” The questions being raised over Norse’s practices point to an overall maturing of the threat intelligence industry, Lee says. “I don’t see this as impacting the larger threat intelligence industry.
I see this as an indicator that the market won’t accept bad threat data anymore.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism.

Cybersecurity Smackdown: What Side Are You On?

Analytics vs. Encryption. Prevention vs. Detection. Machine Learning: Promise or Hype? The Firewall: Dead or Still Breathing? The sharpest minds in the security industry debate some of the industry's most contentious issues.

It’s debate season – at least in the political realm. So to get into the spirit of the US primary election, Dark Reading has put together in one place excerpts from our ongoing series of great cybersecurity debates about four hot new information security technologies versus their legacy counterparts. Industry leaders make impassioned arguments for the new versus the tried and true, or a combination of the two.

ANALYTICS VS. ENCRYPTION

Encryption Has Its Place But It Isn’t Foolproof
By Doug Clare, Vice President of Product Management, FICO
Encryption technology is improving, as are best practices in deploying it, and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it.

As Good As They're Getting, Analytics Don't Inherently Protect Data
By Scott Petry, Co-Founder & CEO of Authentic8
The suggestion to “use analytics to secure your system” is flawed, and the argument to shift away from data security systems like encryption and move to analytics is fallacious. In fact, analytics is not an either-or choice with encryption. Suggesting that firms choose between the two is like a doctor telling a patient to choose either vitamins or exercise. Both have their place in a healthy lifestyle.

MACHINE LEARNING: HYPE VS. PROMISE

Machine Learning Is Cybersecurity's Latest Pipe Dream
By Simon Crosby, co-founder and CTO at Bromium
There is a huge difference between being pleased when Netflix recommends a movie you like, and expecting Netflix to never recommend a movie that you don’t like. So while applying machine learning to your security feeds might deliver some helpful insights, you cannot rely on such a system to reliably deliver only valid results.

Machine Learning: Perception Problem? Maybe. Pipe Dream? No Way!
By Mike Paquette, VP Products, Prelert
In the most common misperception, machine learning is thought to be a magic box of algorithms that you let loose on your data and they start producing nuggets of brilliant insight for you. If you apply this misperception to the use of machine learning for cybersecurity, you might think that after deploying it, your security experts will be out of a job since algorithms will be doing all their important threat detection and prevention work. The reality is that ML is a practical way to use newer technology to automate the analysis of log data to better detect cyberthreat activity, under the direction and guidance of an organization's security experts.

PREVENTION VS. DETECTION

Time’s Running Out for the $76 Billion Detection Industry
By Simon Crosby, co-founder and CTO at Bromium
Enterprises spend a mind-boggling $76 billion each year to “protect” themselves from cyber-attacks, but the bad guys keep winning because most protection solutions are based on detection instead of prevention. What’s wrong? The answer is the same today as it was in ancient Troy when the Greek army suddenly disappeared, leaving behind an innocent-looking horse that the Trojans willingly brought inside the gates.

Detection: A Balanced Approach For Mitigating Risk
By Josh Goldfarb, VP and CTO - Emerging Technologies, FireEye
Prevention is necessary, but not sufficient, for a robust and mature security program. Only detection and response can complete the security picture that begins with prevention.

THE FIREWALL IS DEAD. LONG LIVE THE FIREWALL.

Why the Firewall is Increasingly Irrelevant
By Asaf Cidon, Co-Founder & CEO, Sookasa
Firewalls only protect what work used to be, not what it is today: a distributed collection of employees connected by mobile devices, in turn connected to the cloud. The only way to secure all company data, then, is to extend enterprise-grade security to these employees’ devices and cloud applications.

Firewalls Sustain Foundation of Sound Security
By Jody Brazil, Co-Founder & CEO, FireMon
Effective security management will always retain a multi-layered approach necessitating mechanisms that control and limit access. While this may not someday require dependence on network security devices, in today’s environment the firewall remains one of the critical building blocks of network security.

New Kid On The Block: Cyber Threat Analyst

Drawing from the financial service industry, this new role uses the "art of the intelligence cycle" to drive efficiency in the security operations center.

With the rapid rise in the frequency, severity and cost of cyber attacks, many companies today are looking to the government and military intelligence industry for the skills, talent and experience to run their security operations center. Leaders in the financial markets were the first to realize that an SOC driven by intelligence could be a force multiplier in achieving operational efficiency and effectiveness. Early adopters such as JPMorgan Chase & Co. used this expertise to restructure personnel into new tiers with new priorities and job functions. One of the newest roles to emerge from this shift is that of the cyber threat analyst.

What is the exact role of the cyber threat analyst, and how does the analyst’s work help prevent attackers from stealing critical data or causing other harm to a business? What the cyber threat analyst brings to the table is the “art of the intelligence cycle.” This is where information is directed, collected, processed, analyzed, produced, and disseminated.

For example, in an organization where I once worked as a cyber analyst, my team was tasked with finding a better way to identify insider threats within the company. First, I identified the relevant sources of data by which I could identify insider threats, in this case badge logs, web proxy traffic, and print logs. Then I began determining the patterns likely to be associated with malicious activity. These patterns allowed me to narrow down potential suspects to only .0001% of the employee pool. After we disseminated our report, others on the security operations team became much more effective in monitoring insider threats.
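The collection and analysis steps described above, as an added example that is not the author's tooling or any product's code: it correlates the three named sources (badge logs, web proxy traffic, print logs) and only surfaces employees who trip patterns in more than one of them, which is what narrows a whole employee pool down to a handful of candidates worth an analyst's time. The log lines, employee names, log format, business-hours window, upload and print thresholds, and the indicator names are all constructed for the example; a real deployment would replace them with the organization's own formats and baselines.

```python
"""Correlate badge, proxy and print logs to rank insider-threat candidates.

Added example (not the author's tooling). Every log line, name, threshold
and field name below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs. Format: timestamp|employee|key=value|key=value...
BADGE_LOGS = """
2016-03-01 08:55|alice|door=main|event=entry
2016-03-01 23:40|bob|door=server-room|event=entry
2016-03-02 02:10|bob|door=main|event=entry
2016-03-01 09:02|carol|door=main|event=entry
2016-03-01 20:30|dave|door=main|event=entry
"""

PROXY_LOGS = """
2016-03-01 10:15|alice|host=intranet.example|method=GET|bytes_out=1200
2016-03-01 23:52|bob|host=files.example-share.test|method=POST|bytes_out=734003200
2016-03-02 02:15|bob|host=files.example-share.test|method=POST|bytes_out=512000000
2016-03-01 11:40|carol|host=news.example|method=GET|bytes_out=900
"""

PRINT_LOGS = """
2016-03-01 09:30|alice|pages=4
2016-03-01 23:45|bob|pages=600
2016-03-01 14:00|carol|pages=12
"""

# Constructed baselines; tune these to the organization's own normal.
BUSINESS_HOURS = (7, 19)               # 07:00-19:00 counts as normal
UPLOAD_THRESHOLD = 100 * 1024 * 1024   # bytes out in one request
PRINT_THRESHOLD = 200                  # pages in one job


def parse(block):
    """Yield (timestamp, employee, fields) for each pipe-delimited line."""
    for line in block.strip().splitlines():
        ts, who, *rest = line.split("|")
        fields = dict(kv.split("=", 1) for kv in rest)
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M"), who, fields


def after_hours(ts):
    """True when the event falls outside the constructed business-hours window."""
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def score_employees(badge=BADGE_LOGS, proxy=PROXY_LOGS, prints=PRINT_LOGS):
    """Return {employee: {indicator: count}} over all three sources.

    Each source contributes its own indicators, so the result records which
    kinds of evidence exist for a person, not just how much.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for ts, who, f in parse(badge):
        if f.get("event") == "entry" and after_hours(ts):
            hits[who]["after_hours_entry"] += 1
    for ts, who, f in parse(proxy):
        if f.get("method") == "POST" and int(f.get("bytes_out", 0)) >= UPLOAD_THRESHOLD:
            hits[who]["large_upload"] += 1
            if after_hours(ts):
                hits[who]["after_hours_upload"] += 1
    for ts, who, f in parse(prints):
        if int(f.get("pages", 0)) >= PRINT_THRESHOLD:
            hits[who]["bulk_print"] += 1
    return {who: dict(ind) for who, ind in hits.items()}


def rank_candidates(min_indicators=2, **logs):
    """Employees showing at least min_indicators distinct patterns, strongest first.

    Requiring independent indicators is the narrowing step: one after-hours
    badge-in by itself (see 'dave' in the sample data) is not reported.
    """
    scored = score_employees(**logs)
    ranked = sorted(scored.items(),
                    key=lambda kv: (-len(kv[1]), -sum(kv[1].values()), kv[0]))
    return [(who, ind) for who, ind in ranked if len(ind) >= min_indicators]


if __name__ == "__main__":
    for who, ind in rank_candidates():
        print(who, ind)
```

The indicators are deliberately simple so the correlation logic stays visible; the point is the structure, where each source is collected and processed on its own, then analysis happens across sources, and only the cross-source result is produced for dissemination.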
Intelligence truly began to drive operations – which was the optimal outcome.

Worth the effort

Building the capability of cyber threat analysis is a challenging endeavor that will yield tangible results – but it takes time and discipline. Here are three key principles for developing a successful cadre of analysts:

The rule of three. Cyber threat analysis is composed of three distinct skillsets, and very rarely will one individual maintain all three. To properly learn cyber threat analysis, an analyst must learn information security (e.g. network defense, information assurance), intelligence analysis (e.g. mastery of the intelligence cycle), and forensic science (e.g. investigations, evidence handling, discovery). It is essential to recruit individuals strong in one or two of these areas and also to run a training program that complements their skillsets.

Intelligence is a journey, not a destination. Building an intelligence program is an iterative process. The maturation of the program should be laid out in a phased approach, where simple “quick wins” can be achieved early on in the process. For example, a four-phased approach would include: ad hoc analysis; integration of non-traditional data into security analysis; increasing the speed of searches in addition to pursuing higher-tier threats; and finally, continuous feeds of real-time data and automated detection analytics.

Knowledge is cumulative and must be nurtured over time. Cyber threat analysis is like many other professions where practice is necessary to continue learning the craft. Consider a surgeon: after eight full years of classroom education, can a newly minted physician walk into an operating room and conduct surgery? No, they must enter a five to eight year residency where they learn the craft under a seasoned attending surgeon. Similarly, cyber threat analysts learn best under a “master operator”; a recent college graduate simply cannot operate close to the same level as a seasoned pro. During my experience in the intelligence community, it took over a decade to develop a cadre of cyber threat analysts with the requisite skillsets.

Companies implementing any of the three principles outlined above will see a reduction in the severity of cyber attacks impacting their organizations. But those implementing all three will see the best results.

Bob Stasio is currently a Senior Product Manager at IBM i2 Safer Planet. Prior to this role, Bob worked in the private sector standing up threat intelligence programs at Bloomberg and global financial firms. He accomplished these efforts as the owner of his own consulting ...