Dave Bittner: [00:00:00:16] A quick reminder that if you're attending the RSA Conference this year be sure to stop by in the north hall to the Akamai booth, that's N3625 where I will be appearing daily, doing meet and greets and some interviews as well and of course we thank our Akamai for making these appearances possible. That's Akamai, harnessing the cloud without losing control. I hope to see you there.
Dave Bittner: [00:00:24:03] Facebook kicked some Russian trolls out from under its bridge. Why? Because they're Russian trolls, that's why. Facebook CEO Zuckerberg will testify about data security before a House panel next Wednesday. Privacy for the Old World, but maybe not as much for the new. The YouTube shooting may have been motivated by anger over the platform's policies. European air traffic control problems were a glitch, not a hack. Pipeline operators are recovering from IT hack. Homeland Security tells the US Senate hostile intelligence services have stingrays in Washington. And Panera Bread's response to its potential data exposure.
Dave Bittner: [00:01:05:14] It's time to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation you'll save your team time, while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. If you're headed to RSA this year stop by ThreatConnect's north expo booth, 3225 for a live demo of the ThreatConnect platform and of course pick up one of ThreatConnect's famous t-shirts. And if you're not headed to San Francisco well you can register for a free ThreatConnect account or learn more by visiting threatconnect.com/free. That's threatconnect.com/free to learn more. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:02:21:08] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 4th, 2018.
Dave Bittner: [00:02:33:10] Facebook has kicked a large number of Russian troll accounts (associated with St. Petersburg's Internet Research Agency) from its platform. In total, they took down 70 Facebook accounts, 132 Facebook Pages and 65 Instagram accounts. As reported by TechCrunch, Facebook CSO Alex Stamos, who is still with the company, despite what you may have read in the New York Times, was clear and direct about the reasons for the takedowns. Because the Internet Research Agency uses, as Stamos put it, "inauthentic accounts to deceive and manipulate people," they're not welcome. That, he said, is the whole reason he said, “we don’t want them on Facebook. We removed this latest set of pages and accounts solely because they were controlled by the IRA - not based on the content." So it's not content management in this case as much as it is user management.
Dave Bittner: [00:03:28:05] Facebook CEO Mark Zuckerberg, having declined an invitation to testify in London before a Parliamentary inquiry into fake news, said he will testify before the US House Energy and Commerce Committee next Wednesday, April 11th. The hearings in Washington will be about consumer data protection. Perhaps the panel will ask him why Facebook appears to be preparing to give North American users a lesser degree of privacy than people elsewhere. The quick answer is because GDPR won't apply in the New World. Facebook's COO Sheryl Sandberg had in January made noises about extending the data protection and privacy measures it was implementing to remain compliant with the European Union's General Data Protection Regulation to all users everywhere, but this appears no longer to be the case. Since US law doesn't require the same degree of protection, US users won't get it. And this would seem to be something Congress would welcome some transparency on.
Dave Bittner: [00:04:25:21] And, sadly, yesterday resentment over content moderation apparently took a violent turn. A shooter wounded three before killing herself at YouTube headquarters in San Bruno, California. A fourth person was injured while escaping the gunfire. All of the injured are expected to recover. The shooter was apparently upset by the platform's age-restricted policies. There's been a great deal of misinformation circulating about the shooting, so it's worth going over what's known.
Dave Bittner: [00:04:55:17] San Bruno police identified the shooter as Nasim Najafi Aghdam, 39, of San Diego. As far as the police can tell - and this contradicts earlier reports that the shooting was a domestic violence incident - she didn't know any of the four victims, none of whom seem to have been "specifically targeted." She was of Iranian origin, but not, again contrary to early reports, a Muslim. She was an adherent of the Baha'I faith, and investigators can find no obvious religious motivation for her attack.
Dave Bittner: [00:05:26:22] She was a vegan, a bodybuilder, an artist and a strongly committed animal rights activist. None of these seemed to provide a motivation, either.
Dave Bittner: [00:05:35:08] What appears to be a likely motivation - to observers and, now, the San Bruno PD - was her anger at YouTube for age-restricting and demonetizing her exercise, advice, anti-animal cruelty and comedy parody videos. Aghdam's social media accounts have for the most part been taken down, but before they were, YouTube videos of her denouncing the platform for blocking kids' access to her videos and taking away the possibility of making some money from them, were readily available.
Dave Bittner: [00:06:04:21] Her father is said to have warned police in another town - by some accounts Mountain View, just down the 101 from San Bruno - that he feared his daughter would attack YouTube. Police there had questioned her when they found her sleeping in her car, which, while unusual, isn't a crime, so she was simply sent on her way.
Dave Bittner: [00:06:23:17] This story is still developing and please remember that early reports are often confused. We hope for the healing of the victims and consolation for all the families the attack touched.
Dave Bittner: [00:06:36:11] Jim Routh is the Chief Security Officer at the Aetna. I recently had the opportunity to speak with him for the Recorded Future pod-cast. One of the things we discussed was model-driven security and the rise of unconventional controls. Here's a segment from that show.
Jim Routh: [00:06:50:18] The future of cybersecurity actually happens to be here today but most cybersecurity professionals aren't aware of it and it's largely because the technology is creeping up on them and it's not self evident. But what's happening to security is we're moving into a world around where model-driven security is an essential component for the resilient enterprise and threat actors are using models and data science to attack the enterprise. So it's model versus model. Now I'll start from the good guy's side.
Jim Routh: [00:07:28:23] About three and half years ago I hired a chief data scientist dedicated to security, a very talented guy, had nine years of experience in the NSA, worked on security using data analytics. And I asked him - at the time I thought it was the right thing to do - to build us a data link for the enterprise for security then we could run models against it and figure out where to allocate our scarce resources to do cyber hunting to get the best bang for our buck. Seemed to make sense, a lot of people said "Yeah, yeah that's, it's worthwhile, it's a good application of data science." He did an outstanding job, he built 106 models in about a year and half. And while he did that and did exactly what I asked him to do, we implemented eight other implementations in production of models, which were unsupervised machine learning models driving front lines security controls. Whether it's authentication or privileges or management or an email filtering or end point production, these are all cases where we implement the technology, it's driving front line security control. So it's not just producing data and results that we're analyzing, it's actually part of the fabric of the control.
Jim Routh: [00:08:50:21] So today, using privilege as an example, every single registered user in the network has a behavioral score based on four different types of behavior, physical access email, web, browsing and entitlement information. All this combines into a massive data lake, a bunch of models that represent that numerically, so each individual registered user has that. Then they ask for a privilege and we don't grant privileges indefinitely, everything has a time frame in terms of every privilege, and when they get a privilege we measure their actual behavior against the pattern.
Jim Routh: [00:09:27:03] We see any deviation, if it's a slight deviation we send an email to their boss who has the context to know what they should be doing and when and their boss decides if it's good or bad, a green button in the email says it's okay. If it's a red button they hit that and it, the, the credential is automatically revoked. But if there's a number of anomalies, in terms of anomalistic events, the model decides to revoke privilege immediately in real time without any human intervention and initiates an orchestration for a security incident, again no human intervention. It allows us to essentially revoke privilege in milliseconds in real time in the case of a threat.
Jim Routh: [00:10:05:00] I know of no other system in the world that has that across the entire enterprise. We've had it in place for about a year and a half, that's one example of what was put in place that's essentially a model, in this case several models, driving front line security controls and we're seeing that more and more. We have 200 bottles in production today and we're constantly growing that catalog of models. So I see in the very near future two, three years down the road where we'll be actually sharing models from one enterprise to another to deploy effective security controls across enterprises. Models and data science today represents the foundation of cybersecurity for the next decade.
Dave Bittner: [00:10:47:24] That's Jim Routh. He's the Chief Security Officer at Aetna. That's a cut down from a longer version of the interview that I had with him over on the Recorded Future podcast. If you want to check that out it's at recordedfuture.com/podcast. As you can probably tell he's an interesting guy and they're doing some interesting work over at Aetna, I recommend you check it out.
Dave Bittner: [00:11:07:20] If you were flying in Europe late last night, you may have experienced, well turbulence, of course, but more to the point some delays and disruptions. Europe's Enhanced Tactical Flow Management System (ETFMS), the continent's basic air traffic management system, failed late last night. The problems were glitches, not hacks, and service was restored early this morning. Several thousand flights were delayed, but backup systems functioned properly and flight safety was not compromised.
Dave Bittner: [00:11:38:02] In another disruption that was in fact a hack, four US pipeline operators have now reported experiencing an attack on their electronic data interchange (that is EDI) systems: Oneok, Energy Transfer Partners, Boardwalk Pipeline Partner and Chesapeake Utilities' Eastern Shore Natural Gas were all affected over the weekend and into the early part of this week. Energy Transfer Partners and Eastern Shore identified the issue as a third-party problem with service provider Latitude Technologies, a unit of Energy Services Group. Latitude Technologies has restored most of the affected services, but it's waiting until investigation is farther along before offering an account of how the hackers got in.
Dave Bittner: [00:12:21:24] The attackers hit the EDI that Latitude provides, not the operators' operational technology. The EDI is essentially a customer contact and data exchange system used for billing, scheduling and routing deliveries and the like. It did not affect industrial control systems, as far as we know. Some observers in the security industry speculate that the hackers' intention was to pivot from the IT to the OT, but there's no direct, publicly available evidence yet that this occurred.
Dave Bittner: [00:12:51:06] The US Department of Homeland Security told the Senate that some foreign intelligence services - hostile ones - are operating illicit Stingray intercept systems, mostly in Washington, but in other US cities as well.
Dave Bittner: [00:13:04:12] And, finally, Panera Bread is receiving poor reviews for its handling of the vulnerability in its on-line sale system that exposed customers to data loss. The company apparently at first dismissed the researcher who told them they had a problem - they misread him as a scammer, so the problem persisted from last August into this week. The company is the process of remediating the issue now.
Dave Bittner: [00:13:32:09] Now I'd like to share some words about sponsor Akamai. You've heard of the zero trust security model, well Akamai is the expert in deploying zero trust architectures to address the evolving security threats you face every day, that's because they're also the cloud experts. Akamai's approach to security was built for the cloud because it was born in the cloud. In the age of zero trust networks, the enterprise network is no longer the perimeter, the entire cloud is the perimeter with no inside or outside. And the threats can come from anywhere and anyone at anytime. Akamai's zero trust security model accelerates secure digital transformation, protecting your business and enabling growth. Visit akamai.com/zerotrust to learn more. That's akamai.com/zero trust. And if you're going to RSA this year stop by and say hi to me and the CyberWire team at the Akamai booth, north hall booth 3625. We hope to see you there and we thank Akamai for sponsoring our show.
Dave Bittner: [00:14:43:04] Joining me, once again, is Rick Howard. He's the Chief Security Officer at Palo Alto Networks and he also runs Unit 42, which is their threat intelligence team. Rick, welcome back. When you were on the show recently, we were talking about the whole notion of security platforms and your were singing the praises of security platforms. And since then, some folks have pointed out that could it possibly be that a security platform is really putting someone in a monopoly situation. If you're putting all of your eggs into one basket, this notion of having a monopoly could be problematic. What's your response to that?
Rick Howard: [00:15:19:20] Well, it's funny you mention that, because after I did your show the last time, other folks had mentioned to me that there was actually a paper written back in 2003 by some cybersecurity luminaries, like Dan Geer and Bruce Schneier and a bunch of other really smart people, it wasn't about security it was about the perceived notion that Microsoft was a monopoly on the operating system level. And their whole thesis was that if we only have one operating system, if a vulnerability is discovered the impact could be exponential around the world. So they didn't like that idea.
Dave Bittner: [00:15:56:03] So there's whole genetic diversity thing from an organism point-of-view?
Rick Howard: [00:16:00:10] Well, I mean, that's why vendor-in-depth was invented by the security people, cause we don't want to be in that situation. So when I advocate for a security platform which - what I mean by that is we're trying to take everything that we're trying to do now with all these point products, and as I go around talking to people, even small organizations have 20 security products deployed. You know medium-sized ones have 50 to 60 and big ones like big banks they have over 125. That is a lot to manage and the whole industry is kind of at a tipping point where they can't manage one more box. So I'm advocating that you bring everything under one platform so that it can make it easier. But it does sound like I'm going against the most brilliant minds in the industry.
Rick Howard: [00:16:45:00] So I'm feeling pretty bad about myself and then I went back and re-read the monopoly paper and it turns out when you read what Dan Geer and Bruce Schneier and team recommended it turns out that I'm right on the money for what they are talking about of how to fix the situation.
Rick Howard: [00:17:05:22] So the monopoly paper recommends three things that the industry due to lower the risk of a single vendor operating system. Okay so the first one was publish interface specifications to major functional components of its code, so that would work on the operating system. That is exactly what the security platform does, platform vendors open their APIs to anybody who wants to connect to it. So the platform play goes along with the number one recommendation from the monopoly paper.
Rick Howard: [00:17:37:06] Number two: in the monopoly paper they say this, faster development of plug in play technology that provides alternative sources of functionality. So that is exactly the direction the platform vendors are heading. Last one: work with a consortia of vendors to define specifications and interfaces for future developments. Again, this is exactly what all of the security platform vendors are doing, all of them. I'm talking about Palo Alto Networks, Cisco, Check Point, Fortinet and Cisco, all belong to the Cyber Threat Alliance, they're building new sharing protocols and platforms so that prevention orchestration, the sharing of new intelligence and the deployment of new prevention controls, is done automatically at the vendor level so that network defenders don't have to manage it themselves.
Rick Howard: [00:18:23:02] So I, I think the platform parallels nicely what they recommended in the monopoly paper. To be clear though you still have to pick a vendor platform that you trust that will stay on top of all the technology and to continue integrating with other vendors. But by doing that, you come closer to the goal of automatic integration and orchestration and that will cause you less wasted time for your staff and it reduces the amount of complexity in your environment.
Dave Bittner: [00:18:50:09] Alright Rick Howard, as always, thanks for joining us.
Rick Howard: [00:18:52:24] Thank you sir, it was good.
Dave Bittner: [00:18:58:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:20:13] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.