Russia versus routers. Desert Scorpion swept out of Google Play. ZTE faces sanctions. RSA notes, and a Sandbox winner.
Dave Bittner: [00:00:03:16] Western governments attribute a large-scale campaign against poorly secured connected devices to Russia. Battlespace preparation is suspected. No new US sanctions against Russia, yet, but the matter remains under consideration. ZTE falls under the same cloud as Huawei. Desert Scorpion spyware's been ejected from the Google Play store. And there's a winner in RSA's Innovation Sandbox: BigID took away the prize.
Dave Bittner: [00:00:35:23] Time to share some words from our sponsor, Cylance. Are you headed to RSA? Don't forget to look up Cylance while you're there. Drop by booth 3911 in the North Hall and meet up with their expert professional services staff or attend one of their featured conference sessions. If you're in a festive mood, you can connect with them at the Digital Shadows Security Leaders party. Wherever you make your connection, they look forward to talking with you. You can ask them about AI and machine learning or ask about their industry leading research into threat actors who threaten our power grid. You can learn more about their presence at RSA by searching "Join Cylance at RSA conference 2018." And we thank Cylance for sponsoring the CyberWire. That's "Join Cylance at RSA conference 2018," and be sure to connect with the company that's making a difference in security. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:34:24] Major funding for the CyberWire podcast is provided by Cylance. Coming to you from the RSA conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Tuesday, April 17th, 2018.
Dave Bittner: [00:01:48:04] The US, British, and Australian governments yesterday unambiguously attributed a large-scale campaign against vulnerable routers to Russian security services. US-CERT, in an advisory worth reading in its entirety, identified the affected systems, "Generic Routing Encapsulation (GRE) Enabled Devices, Cisco Smart Install (SMI) Enabled Devices, and Simple Network Management Protocol (SNMP) Enabled Network Devices." These are, US-CERT notes, widely used by both enterprise and private individuals. Exploitation would need no zero-days. The campaign has successfully taken advantage of insecure legacy installations, beyond end-of-life systems that no longer receive patches, and other poor practices.
Dave Bittner: [00:02:36:17] The governments making the attribution do so at a time of markedly increased tension between Russia and Western countries. The Salisbury nerve agent attack and Russian support of Syria's Assad regime contribute to those tensions. Observers in the US and UK suggest that Russia is preparing for a cyber campaign against critical infrastructure. Russian motives against connected devices strongly suggest ongoing battlespace preparation, and the prospective targets warn that Russia can expect retaliation.
Dave Bittner: [00:03:07:18] Chinese equipment manufacturer ZTE has been subjected to US sanctions, joining Huawei in the business penalty box. The US decision made note of ZTE's sketchy record with respect to observing international sanctions. The UK also issued warnings about Huawei devices. The British concerns were directly and explicitly addressed to security issues in the company's products.
Dave Bittner: [00:03:32:01] Lookout finds "highly targeted" Desert Scorpion surveillance-ware in Google Play. It's associated with APT-C-23, and seems most interested in Palestinian targets. Google has removed it from the Play Store and updated PlayProtect to keep it out.
Dave Bittner: [00:03:50:11] NSS Labs made news at last year's RSA conference with the release of their Advanced Endpoint Protection Group Test, evaluating market leading security products on effectiveness and total cost of ownership. They're back with a new edition of the report for 2018 and we've got Jason Brvenik, CTO at NSS Labs, to take us through what they found.
Jason Brvenik: [00:04:11:18] We assess whether or not and how a product does against attacks you're recently likely to face in the wild. We capture live exploitation and live malware and then we replay them in a comparable way against all the technologies and represent that as a security effectiveness score. This year, we observed an effectiveness between 59 and 99%, roughly, between the 20 products we've verified.
Dave Bittner: [00:04:36:01] What does that range represent?
Jason Brvenik: [00:04:38:13] That range represents protecting 60% of the attacks you're likely to face or 99% of the attacks you're likely to face. It's interesting that there could be that much disparity. Also, though, in testing, we saw that there's a pretty rapid exchange between vendors in the "intel space," if you will, where, when one vendor notices a new piece of malicious code, a lot of the other vendors then benefit from that observation at the same time. So we had to actually take some specific steps to avoid tainting the results in that way and insuring that everybody had an equal shot.
Dave Bittner: [00:05:13:11] So, was there anything outstanding this year that surprised you, that was unexpected?
Jason Brvenik: [00:05:19:09] A couple things, actually. The one that stands out the most and is always interesting is what we call evasions. The ability of a product that detects something malicious, whether it's an exploit or a piece of malware, and then to have that product re-subjected to that same known thing and have it miss it when we apply evasive techniques to it is interesting. It says that the bar's not very high on the attacker's side to be able to get their malicious deeds done. We saw nine of their products tested missing at least one evasion.
Dave Bittner: [00:05:52:20] Well, then let's dig in here. What are some of the results? Who came out ahead and who needs to do a little work?
Jason Brvenik: [00:05:59:12] That's a great question. If I look at the security value map and what the data's telling us and we understand the premise of operations and headcount and unprotected costs versus protected costs, there's some strong players in this space. In the upper right quadrant, you've got SentinelOne did really well. Palo Alto did really well. And they have what would appear to be some strong products that can unify the AV and EDR capabilities that are necessary in the market. Of course, there's variances in each of the technologies but the very simple premise of, "Do you stop the effects you're facing, and when you don't, do you provide the details necessary for an enterprise to respond?" I think we have some pretty strong products there.
Dave Bittner: [00:06:44:00] Certain companies in their marketing materials and when they describe their technology, they come at it from different directions. For example, some companies are all in one artificial intelligence, those sorts of things. Do you find any alignment between the types of systems that people say they're using and how they come out in your tests? Are there any trends there? Are there any patterns?
Jason Brvenik: [00:07:07:13] Yeah. So, last year, we saw some interesting things there where machine learning was all the rage and AI and that kind of stuff and what we observed were the new players had promise but there were a lot of edge cases that they just weren't yet up on. I think we saw a more robust showing this year from the machine learning vendors. Relative to their more traditional peers but still a number of edge cases.
Jason Brvenik: [00:07:35:06] In cases, for example, where offline protections where the most promise exists, we're not connected to anything, we don't have any cloud intelligence with signatures, we can still protect you, I think we saw a number of areas where that really could be summed up as we protect you from the things that we've experienced in the past, not the new creative things we're likely to experience. There's some promise, certainly, in that space but I think we're not yet seeing a realization or the promise entirely. But I'm not seeing an incredible difference between the two approaches other than when you weigh the intelligence they can provide back to the enterprise in order to further action these things.
Jason Brvenik: [00:08:13:03] The traditional vendors and the more advanced AEP vendors that have EDR-like functionality built in are providing a lot more context around the attacks they're facing than the vendors that simply make a conclusion that don't have the supporting details. And so, there's a gap, I think, in the market there that shows in our scoring and representation that will be interesting.
Dave Bittner: [00:08:35:18] So, in terms of recommendations for those folks who are out there shopping for these technologies, based on the results that you've seen, do you have any guidance for how people should go about looking for what's right for them?
Jason Brvenik: [00:08:48:20] Certainly. There's a number of strong products that made recommended in our testing. Beyond having been validated as providing quality protections in insight and visibility, you need to look at the ecosystem you're dealing with, manageability, agent proliferation, total cost of ownership or ORI that we represent in the testing as well. How many head count it takes to manage it, it's that kind of stuff. There's a number of players, both in the traditional space where you probably have existing relationships and in the emergent space that are very strong in the end point realm that could probably unify your endpoint presence pretty well. I think that should be a consideration for anybody that's today looking at defending the enterprise holistically and looking to have a leg up on the ability to respond quickly to an emerging attack.
Dave Bittner: [00:09:42:03] That's Jason Brvenik from NSS Labs. You can find their complete Advanced Endpoint Protection group test on their website.
Dave Bittner: [00:09:50:22] RSA is in full swing today as keynotes begin at the Moscone Center. Yesterday's highlight was the Innovation Sandbox, in which ten of the most interesting start-ups in the sector competed for recognition.
Dave Bittner: [00:10:02:15] Two finalists were selected from the field. One was Fortanix, whose runtime encryption protects data in use, and thus offers cloud users a trusted enclave. Applications run inside a secure envelope that travels with the app wherever it moves. The other finalist was BigID, which offers a solution to a range of privacy challenges by identifying personal data, correlating it with persons, and placing those data in context.
Dave Bittner: [00:10:29:13] The judges finally selected BigID as the winner. The topicality of the challenges the company addresses, and those challenges' attendant market needs, carried the day. Privacy rights are in the forefront of most enterprises' concerns, especially, if you'll forgive us for reminding you again of something you already know, with the full implementation of the European Union's General Data Protection Regulation, GDPR, just a month and change away. As pointed out in their presentation, rights adhere to persons, and if you can't associate the data with the people, you can't really protect their rights to that data.
Dave Bittner: [00:11:06:17] Most Innovation Sandbox finalists have, over the years, compiled impressive records in the market. Success has by no means been confined to the winners, so it's worth giving another look to all of 2018's finalists: Alcavio, Awake, BigID, BluVector, CyberGRX , Hysolate, ReFirm Labs, ShieldX, and StackRox.
Dave Bittner: [00:11:29:02] We'll have continuing coverage of the RSA Conference throughout the week. If you'll be at San Francisco's Moscone Center this week, stop by and say hello to the CyberWire team. We'll be at the Akamai booth 3625 in the North Hall. We hope to see you there, and we thank Akamai for their hospitality.
Dave Bittner: [00:11:45:23] And, finally, a musical note. All of the Innovation Sandbox finalists came to the stage to walk-up music of their own selection, and we always look forward to their stylings. Yet no one this year, or, to our knowledge ever, have chosen Metallica's Enter the Sandman, despite its excellent track record introducing Mariano Rivera when he emerged from the Yankees' bullpen to shut down some hapless opposition. The absence of Enter the Sandman from the Sandbox is curious, and would seem to stand in need of explanation.
Dave Bittner: [00:12:22:20] And now, a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security, thecyberwire.com/vmware. And we thank VMware for sponsoring the CyberWire.
Dave Bittner: [00:13:23:18] And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, nice to connect here at RSA in person.
Justin Harvey: [00:13:32:06] Hi. It's great to be here, Dave. We are really, really, really excited to be here to talk to you about the 2018 Accenture Security Cyber Resilience Report. We get asked all the time, what is happening in our industry, not only from a cybersecurity perspective but from a business perspective. And not only that, I think, probably, the number one question that we field from our CISOs and from the C-suite and boards is, how are we doing versus everyone else in our insights and the way that we are conducting and building our cybersecurity programs?
Justin Harvey: [00:14:07:20] So, today, I brought with my Ryan LaSalle. Ryan LaSalle is the Global Managing Director for Accenture's security, strategy and growth. I'm really proud that he's here with us because this is the second year that we've been doing this report and it's got a lot of great insights.
Dave Bittner: [00:14:25:13] All right. Well, Ryan, welcome. Why don't we just start off? Why don't you take us through some of the highlights of what you found in this report?
Ryan LaSalle: [00:14:32:07] When we launched this last year, we started with about 2,000 security leaders across several different counties, and this year we're pretty excited because we've expanded that to 4,600 security leaders in companies over a billion dollars across 15 countries. And what we saw in the changes from last year has really been the start of a return on the investment that people are making in security. We've seen dramatic improvements across several different areas of performance and security. We've seen improved detection rates. We've seen improved defensive effectiveness from many of these organizations, and we're seeing that, on average, the time to detection is getting better and better.
Ryan LaSalle: [00:15:11:07] There's still some areas to address. I think many organizations see that they needed to continue to invest, and almost 40% of the companies surveyed are planning to significantly or up to double their security investment next year. We see that there's a path, though, towards getting to a steady state in security.
Ryan LaSalle: [00:15:29:03] And the last thing I'll say is we've also noticed that there's a bit of a disconnect between where our organizations are investing and their priorities and their adoption of what I'd consider innovative and breakthrough technologies.
Dave Bittner: [00:15:40:22] Describe to me, what do you mean by that disconnect? How is that playing out?
Ryan LaSalle: [00:15:44:11] Well, only about 40% of the companies we've surveyed are investing in capabilities like artificial intelligence, machine learning, block chain and some of the bedrock stuff that we see in the market in security as being innovative and transformative to how organizations can improve their defenses. But we also see that many organizations are expecting that their providers are doing that for them as well, so we see that that's going to be one of the ways that the other 60% start to achieve some of those outcomes.
Dave Bittner: [00:16:11:24] So, Ryan, I think one of the things that stands out about this report is that there's actually, as you look forward, some good news here. There's some reason to be hopeful.
Ryan LaSalle: [00:16:20:08] Yeah. I think that is a very positive sign that picked up in this report and our research. One of the key insights we saw was, given the performance improvements we've seen over a year, and the way that organizations have tackled the critical cybersecurity capabilities they need to be effective, we see that, in about two or three years, many organizations will be at a point where it won't require stair step increases in security budgets to achieve the capabilities that they need to get good at. They'll be able to get to almost a steady state in their operations where they can innovate within their budgets and investments. I think one of the reasons that's happened is one of the big changes we saw from last year was almost twice as many organizations have had their security budgets authorized and directed by their board or CEO.
Ryan LaSalle: [00:17:06:20] So, now that CISO has a direct line of communication up to the part of the organization that is most determined to manage risk, and they're able to be more effective in their spend and in business adoption of the kind of behaviors and capabilities they need to be successful.
Dave Bittner: [00:17:21:18] Justin, the report has some practical steps here, some advice for reaching resiliency. Can you take us through those steps?
Justin Harvey: [00:17:30:13] Sure. The first would be building a strong foundation, and your listeners should be not surprised how many times I've harped around doing the basics well. And so, our research really has shown that focusing on the basics, for instance, network segmentation or multi-factor authentication or encryption, et cetera, is really making a big difference with these results.
Justin Harvey: [00:17:58:02] The second would be pressure testing resilience like an attacker. This is something that our team embraces across cyberdefense which is thinking like the adversary. Instead of thinking more in terms of how can I do blanket security, thinking in terms of what an attacker or what the enemy or what the adversary could do or want to do to your environment.
Justin Harvey: [00:18:20:06] The third would be employing breakthrough technologies. We're starting to actually see the fruits of our industry's labor by focusing on artificial intelligence, on machine learning and next generation type of approaches to cyberdefense such as on the endpoint, and we're starting to, finally, see the results of that, even though it's taken several years.
Justin Harvey: [00:18:43:03] The fourth would be being proactive and using threat hunting. As you know, this is near and dear to my heart because I run the threat hunt team. Being able to constantly look for the adversary or look for malicious events through the three main areas. Number one would be application of known bad, which is threat intelligence. Second would be looking for anomalous behavior and the third one would be looking for suspicious behavior.
Justin Harvey: [00:19:08:07] And the fifth is evolving the role of the CISO. This is exactly the heart of the matter we're trying to drive toward in a report like this, and that is cyberdefense and cybersecurity is not just IT's problem. It's not an operational issue, it is a risk to the business, and the more our CISO can speak in terms of the business and communicate that to business stakeholders and to the C-suite and to the board, the more successful they will be at not only getting the money, getting the necessary budget, but also in creating an environment where the true business leaders of an enterprise or the corporation or the military or the government are making informed risk decisions based upon what's happening to their business.
Dave Bittner: [00:20:01:01] All right. Justin Harvey and Ryan LaSalle, thanks for joining us.
Dave Bittner: [00:20:06:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.
Dave Bittner: [00:20:19:14] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:20:28:09] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.