The Security of Business vs. Business of Security
The security industry has spent a lot of time over the past 30 years thinking of imaginative ways to put lipstick on today’s cybersecurity pig.
It’s like a one hit wonder band who never adapted, playing the same song and putting on the same show over and over, even though their fans, the industry and the zeitgeist as a whole have evolved and transitioned.
We are more distributed and mobile than ever. Yet the security industry remains unevolved, putting on the same show – playing their all-time favorites like “On-Device Security” and their mega-hit “Gateway Security”. Gateway security is an especially nuanced piece with broad range. There’s the firewall, intrusion prevention, VPN gateway, the proxy, url and content filters, and the component that binds them – SIEM. And that’s the consolidated version of a lengthier and more complicated original score.
Compute has changed and continues to change dramatically in front of our eyes. Clouds, SaaS, Mobile devices and the big daddy of them all – IoT – are contorting traditional security models and tools in ways never intended – until something breaks. And today, everything is breaking since security as we know it dates back to the medieval ages.
Let’s Get Medieval On Security.
The king builds a castle (the network), puts a moat and draw-bridge around it (gateway security) and posts sentries at the gate with special instructions (security policy).
Need to operate outside the castle? If you have the strength (compute resources) and are wealthy enough to afford it (budget), you can put on custom armor (on-device security) and head out as a knight (remote user). Being a knight is exhausting though. Yes, you are well protected, but it burns a lot of energy (security team resources).
However, commoners have to assume risk and live in a state of constant vulnerability. Clouds and IoT have driven the vast majority of our functions and users to operate “outside the castle”. In fact, the business of the king’s court is now distributed. Commoners live and work remote, never needing to step foot in the castle.
There are even scenarios where some commoners operate and service other kingdoms near and far. When the court subjects are remote and distributed, the king has two options – insist on keeping the castle, moat and drawbridge or adapt. So far the security industry has bitterly resisted adapting. Why — Tradition? Lack of alternatives? It’s what they know? Or a combination of these.
Gateway security still has its uses, however, the gateway security model is long in the tooth and its use-cases diminishing by the week. And on-device security has been an expensive, ineffective and unsustainable failure. How can you package up an entire data center’s worth of security functions in a $5 sensor with the compute resources of a Timex watch.
What the cloud started, IoTs have finished. In the past compute was network-centric, now it is distributed all over and even mobile. And we like it. Initially CISOs tried to control users by saying no to cloud and SaaS. Users wouldn’t have it. They shrugged, walked away, and did it anyway. There was no putting that toothpaste back in the tube once they got a taste of cloud and SaaS.
Compute and technology has been democratized, however the way we secure is still medieval.
We have offered hackers the overwhelming advantage all the while spending billions and billions on security. Vendors continue to monetize on medieval security tools ill-suited to the new dominant compute model. How does this make sense?
There are a few reasons:
First, it’s what people know and have bought into. There are 30 plus years of approaches and methods, tools and technologies, processes and performance indicators that have been developed around medieval security. It has become muscle memory for many who spent years honing their skills around these approaches.
Just imagine if suddenly, through magical circumstances, the rule of thumb became NOT to apply pressure to bleeding wounds. The countless developed methods, processes, tools, and even tangential functions like billing would be impacted. The result would be chaos! Arguably security is experiencing a mild form of chaos now.
Second, there are a lot of vendor-centric security professionals that know and understand security through the prism of a particular vendor. This is not meant to be derogatory since these professionals are the backbone of the security industry. However many are not security operators, they are security product managers.
In most instances, along with functional and integration capabilities, security is but one of multiple features that security tools sport. Many security professionals are really, really good at keeping the lights on and packets flowing – and rely on the product do its security stuff.
Some vendors are so big and influential that more security professionals than we like to admit are exclusively committed to their tools. These professionals have done the economic calculus and have built their careers around a single brand, strictly based on market opportunity. Many evolve when vendors say it’s time to evolve for job prospect purposes. And the evolution of certain security professionals is curiously bound to the vendor’s business strategy. An arrangement that benefits the vendor and the professional – just not security.
This brings me to the third point: the security of business.
It takes many years for new and emerging approaches or technologies to become mainstream. Large influential vendors are focused on squeezing every last bit of economic value from their existing technology investments, while small innovative companies just don’t have the market megaphone. And pay-to-play analyst firms confuse matters further by offering tilted and skewed recommendations.
Now, let’s talk about the Cyber Hare vs. the Security Turtle.
Hackers are cutting-edge. They are imaginative. They formulate crazy ideas meant to break the rules. The security industry counters with security professionals who are compelled to be conservative – to a fault.
Hackers don’t care about function and performance, whereas organizations prioritize both over security. Hackers can experiment and fail countless times, forging their own path along the way, while organizations identify gaps by virtue of emerging product categories. Often it takes anywhere between three to five years, depending on the organization, to implement new product categories for an emerging threat type. At that point the threat is not so emerging anymore!
Moreover, organizations befuddle themselves by implementing a process, a very organized one at that, developed to assure failure. This includes assessing requirements, assigning budget, talking to Gartner to see who paid them most, evaluating several brands, selecting a technology, negotiating legal, purchasing, implementation, integration, administration, management, monitoring and troubleshooting. Where is the agility?!
Aside from the security functions the product offers, nothing in the process above even comes close to security operations.
What does this mean? It means that hackers have a significant upper hand. This upper hand is so overwhelmingly one-sided that it has evolved from having the ability to impact business, to the ability to devastate economies and undermine democracies.
Cyber – The Longest War.
Today, everyone talks about the war in Afghanistan as our longest running conflict. In the near future this distinction will easily be awarded to the global cyber-war. Every day, much like other security professionals, I see this war from our operations center. I see Russia, China, North Korea, Iran and even some allies wage war against our infrastructure. If not by Name (IP Address), then by reputation (APT).
If we have learned anything from the Afghani and Iraqi conflicts it’s that success does not always require a standing army. Special Operations have radically shifted the methods of war. Not only is this cheaper and faster, but also more effective to achieve many missions around the world. Today the SpecOps model is being employed in the Syrian conflict.
Maybe we should learn from the military and apply seismic shifts to our security approach. Here’s how:
First, let’s eliminate products from the equation. Building one-off security using tools that are ill-fitted to address the emerging distributed and mobile compute model is security suicide. Products are always out-of-date and security teams burn valuable resources performing technology refreshes, managing and troubleshooting products rather than operating security.
Security as a utility is a much more effective approach. It is simpler and much faster to sign up and turn on, than to buy and build out! Make implementation easy and let the development, upgrades, updates and keeping the lights on be someone else’s problem. The time your team is not spending on babysitting products can be put to better use operating security.
Second, fight hackers with (ethical) hackers. Build or train security teams of operators – not product administrators. Make your team critical thinkers who focus on “how to break things” rather than the mundane keeping the lights on tasks. Not all hackers are foul tempered, tattoo laced, twenty-something rock stars with an ego. There are many agreeable, thoughtful and reliable ethical hackers that can serve in foundational roles on your team. Most importantly, empower them and involve them from the beginning at the application design, development and roll out phases.
The traditional medieval security model is not failing, it has already failed spectacularly. Arguably, it was never successful in achieving any of the objectives for which organizations have paid billions of dollars. The product management approach to security is like trying to change the wheels while the car is doing a 100 mph. You won’t be able to do it and you WILL get hurt along the way.
About Acreto:
Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.
Russian Nation State Hackers & What We’re Not Doing
The effective use of Russian nation state hackers led to a hacked election that has resulted in a hacked America. We’re still licking our wounds and not doing anything about it. In fact, we are arguing if it happened at all!
Cybersecurity strategy incorporates the confluence of technology, business and geopolitics with so many moving parts that to call them complex is an understatement. Strategies must span multiple geographies across a plurality of nations and continents. That is why no one can “go it alone”. Today we need our friends more than ever – not just for geopolitics, but also for cyber defense. Collaboration is the underpinning of cybersecurity.
As the largest global economy that comprises infrastructure, industry, enterprise and institutions, the US is the most technologically advanced. Many American companies span the globe making them one big glass house while the rest of the cyber world are kids with rocks on a dare. These “kids with rocks” fall into four major categories.
Four Major Types of Hackers
First, there are hacktivists, who hack for their cause. The most well known of these being the loosely bound group called Anonymous. The second category is terrorist organizations such as ISIS and Al Qaeda. These organizations recognize cyber warfare as a cornerstone to their mid to long-term strategy and are working feverishly and investing heavily to get them to maturity. The third group is financial hackers. The best way to describe financial hackers is the Mob and Cartels’ online arm. And finally, the most dangerous are state-sponsored hackers.
Even though they operate behind triple or quadruple blind systems, which makes tracking them extremely difficult, they can be identified by their unique hacking techniques or fingerprints.
Nation state hackers are not the moody lone-wolf nocturnal teenagers cranking death metal and surviving on Amp energy drinks. That’s a TV cliche. And hacking is not an organic game of pickup, where individual hackers are swapped indiscriminately. Nation state hackers are carefully curated teams that train, collaborate and solve problems together. Not only do they have to get along and gel over time, but they have to build and test many foundational tools they need to perform the advanced objectives they are charged with. Sometimes this can take years!
Hacking Fingerprints
Cyber-threat intelligence organizations that monitor and track Advanced Persistent Threats – APTs – use their threat fingerprints to build a profile on each team over time. The collection of fingerprints defines each team, otherwise called an APT. The profile fingerprints for the Russians, Chinese, North Koreans and Iranians all vary.
Each APT, or different hacking group, is assigned a unique number for identification. For example, APT37 is North Korea, APT34 is Iran, and the American election hacks are associated with APT28 and APT29 – which are obviously Russian nation state hackers. In fact, APT28, otherwise known as “Fancy Bear”, is a completely different team than APT29, “Cozy Bear”, both of which work for the Russian Government. As an example, here is a sample of the fingerprint for Fancy Bear (APT28) that has been tracked since 2007, and the reasons for American intelligence agencies’ confidence in Russia as source for the election hacks:
APT28 | Source: FireEye |
|---|---|
| Target Sectors: | The Caucasus, particularly Georgia, eastern European countries and militaries, North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms |
|
| |
| Type: | Cyber Espionage |
|
| |
| Overview: | APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues—intelligence that would be useful only to a government. This APT group compiles malware samples with Russian language settings during working hours (8 a.m. to 6 p.m.), consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely the Russian government. |
|
| |
| Associated Malware: | CHOPSTICK, SOURFACE |
|
| |
| Attack Vectors: | Tools commonly used by APT28 include the SOURFACE downloader, its second-stage backdoor EVILTOSS and a modular family of implants dubbed CHOPSTICK. APT28 has employed RSA encryption to protect files and stolen information moved from the victim’s network to the controller. It has also made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since 2007, indicating a long-standing and dedicated development effort. |
|
| |
| Operations: | Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russian APT28 in Highly-Targeted Attack |
|
| |
| Detailed Report: | https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html |
There are other means for determining the source of attacks. Aside from fingerprinting, intelligence agencies do track the sale of zero-day exploits purchased on the markets. Zero-days are exploits for previously unknown vulnerabilities.
Exploits on the Market
There are numerous commercial and underground organizations whose business is finding, exploiting and weaponizing vulnerabilities. Once the exploit is developed, it’s put up for bid – and governments are the most affluent bidders. Commercial organizations offer them for sale on the public market to sanctioned agencies, while underground groups sell their exploits on the black market to the highest bidder indiscriminately. In the case of juicy exploits, the buyer may pay significant sums for the privilege of exclusivity. The buyer wants the advantage of a weapon that nobody else has. All governments use a variety of proprietary techniques, technologies and informants to track the exploit inventory of both rival and ally countries.
Ultimately the recourse to cyber attacks is a blunt instrument in the form of counter-attack. Counter attacks may be counter hacks, economic sanctions, embargoes, or a combination. However, countering the attacks on commercial and critical infrastructure is often reserved for the largest organizations and limited to the largest and most egregious attacks. American election compromises is such an example.
At this particular point in time, America has opted for a “go it alone” approach to global relationships. Collaboration on cyber issues is not exempt from this. As the occupant of “The Big Glass House” in a world of rock-throwing kids, especially Russian nation state hackers, America needs its friends more than ever.
Hacked America Not Minding The Store
Collaboration between government and commercial threat intelligence is key to a successful cyber strategy.
The nation’s top intelligence officer, Director of National Intelligence Dan Coats, indicated on Friday, July 13 that the “persistent danger of Russian cyberattacks today was akin to the warnings the United States had of stepped-up terror threats ahead of the Sept. 11, 2001, attacks.” (nytimes.com) “The system was blinking red,” Coats said. “Here we are nearly two decades later and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack. Every day, foreign actors – the worst offenders being Russia, China, Iran, and North Korea – are penetrating our digital infrastructure and conducting a range of cyber-intrusions and attacks against targets in the United States.”
Recently, Congress has zeroed out nearly $400 million from the fund used to protect the integrity of our election and has blocked subsequent efforts to fund it across partisan lines. In April 2018, the White House Cybersecurity coordinator was relieved from his role less than six months from the November elections. As of the end of July no replacement has been named. Moreover, tough sanctions passed by congress in July 2017 are yet to be implemented as of July 2018. It may be too late for anyone to take the helm and implement meaningful protections at such a late stage.
Collaborating to stop these attacks requires leadership, funding, a competent team, communications and sharing. At this point in time we have the competent team members in the form of our intelligence agencies that are raring to be let loose. However there is no leadership, no mandate and no funding. We also find ourselves in a strange situation with sparse dialog with our allies due to newly formed political trust issues. The patient is not in trouble because a first- year med student is the surgeon. Rather, the patient has been abandoned by the surgeon with little time to live while the operating room is dark because nobody paid the utility bill.
Next in this series we will look at an example of Russia’s nation-state hacking teams and their construct in our blog: Putin’s Eleven: Nation State Hacker Teams Uncovered.
About Acreto
Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.