RSA Special: Emerging Technologies

Dave Bittner: [00:00:03] In this special report, we take a look back at RSA, specifically at some of the technology trends we're seeing - machine learning and automated analysis of big data, the importance of integrating with comprehensive solutions and above all, the need to cut through the glare of too much information without missing what's really important. We'll also get some perspective on cyber risk and why coming up with random numbers is harder than one might suppose.

Dave Bittner: [00:00:29] This podcast is made possible by the Economic Alliance of Greater Baltimore helping Maryland lead the nation in cybersecurity with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:00:49] I'm Dave Bittner in Baltimore with a CyberWire Special Edition on emerging technologies. It's Wednesday, March 9, 2016. And thanks for joining us. From the companies we spoke with at RSA, several trends appear to be driving technology development in the cybersecurity space. Above all, they talked about the value of automating as much of security as possible. We didn't hear a lot of grand promises to completely dispense with human analysts or decision-makers. Indeed, we didn't hear anyone in our one-on-one discussions make these kind of bold claims. There's an agreement that human talent seems to be, at some level, effectively irreplaceable.

Dave Bittner: [00:01:23] Instead, companies are offering approaches that enable human talent to raise its game. We saw repeated emphasis on solutions that reduce the need to review logs and watch alerts and that promise to free human operators to look at the big picture and perform the triage necessary to effective, timely incident response. Machine learning approaches to anomaly detection seem to be a popular option. These are seen as cutting through noise with relatively low loss of signal. And the ability to ingest and process very large amounts of data was featured by many of the experts we spoke with. Those data are increasingly accepted in unstructured form.

Dave Bittner: [00:01:58] Finally, scalable, comprehensive security solutions are increasingly seen as vital. This trend has a few interesting corollaries. It offers a space for big integrators to offer managed services that cut through another form of noise - the high volume and rate of introduction the market in security offerings sees. Comprehensive manage security services are also scalable and enables small and midsize enterprises to enjoy the security resources formerly seen only in larger, well-resourced organizations - dedicated security staff, SOCs, even IT teams - and to do so in an affordable fashion.

Dave Bittner: [00:02:31] The trend also strongly suggests that innovators with new products would do well to develop them into offerings they could easily integrate with larger comprehensive solutions. You can read about our discussions with AT&T, Verizon, CYFORT, Cylance, HEAT Software and Zimperium in today's special RSA retrospective on our website, thecyberwire.com. At RSA, we sat down and spoke with several innovative companies. After the break, we'll hear what they had to tell us.

Dave Bittner: [00:03:01] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cybersecurity with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:03:26] There was no shortage of new and innovative technology on display at the RSA Conference. We sat down with a variety of innovators to get their perspectives. In this RSA Special Edition, we'll hear from Lance Cottrell, chief scientist at Ntrepid, about their secure browser technology. Emily Mossberg is from Deloitte Advisory Cyber Risk Services, and she'll give us her perspective on emerging trends in cyber risk management. Oliver Friedrichs is the CEO of Phantom, who were the winners of this year's RSA sandbox competition. He stresses the importance of automation. Richard Moulds from Whitewood Encryption Systems tells us about their true random number generation and delivery system. And finally, Vikram Sharma from QuintessenceLabs, whose flagship product Trusted Security Foundation aims to make security easier. We start with Lance Cottrell from Ntrepid, who contends that web browsers are a weak link in the security chain.

Lance Cottrell: [00:04:21] The browser's really the least secured. That's where the biggest danger is because they're inherently difficult to secure. Firewalls are just not that effective because it's like dealing with vampires. You're inviting the malware in when you follow a link. You say, no, come in. I requested this link. Clearly I know what I was doing. The firewall's trying to scan it. And, of course, you've got to support every kind of content imaginable. The browser itself is a mammoth beast, right? - because it's got to be able to do all these things. You've got the plug-ins, like our favorite plug-in Flash. It's just riddled with insecurity and I think fundamentally so.

Dave Bittner: [00:04:57] Ntrepid's approach is to isolate the browser from the rest of the user's environment.

Lance Cottrell: [00:05:02] So what we're doing is we're taking the browser - standard Firefox - and we're putting it inside a hardened Linux virtual machine running on the user's desktop. And that virtual machine does not share file space with the host operating system. It has no direct communications with the host operating system except just the video feed out and the keyboard and mouse in. And we actually use a VPN inside that VM out to our cloud for all communication. So even if malware got into this little box, it can't scan your local network. It can't look for a vulnerable print server or your domain controller or something else. It's totally isolated from both the machine and the network.

Lance Cottrell: [00:05:45] And then at the end of the session, as soon as you're done browsing, we destroy the entire thing completely, so the malware can't persist. Trackers are totally destroyed. And one of the wins is because we're VPN-ing you out, you don't have your own IP address. You have our IP address. You don't have cookies because we destroyed them all. And they can't browser fingerprint you because all Passages, users, look identical because they're using the same virtual machine image. So the whole thing of going to a website and being targeted suddenly disappears.

Dave Bittner: [00:06:15] Ntrepid calls their secure browsing technology Passages. And you can learn more about it at ntrepidcorp.com.

Dave Bittner: [00:06:27] As we heard yesterday, actionable intelligence is intelligence that enables an enterprise to reduce risk. Today we hear from an expert on risk management as we talk with Deloitte's Emily Mossberg.

Emily Mossberg: [00:06:39] When we talk about cyber risk, there has been a lot of emphasis and focus over the last several years on the elements of vulnerability and threat. Vulnerability probably has been talked about for the longest period of time in terms of, what are the vulnerabilities specific to a piece of software or hardware? And how could an attacker potentially get into that hardware or software? The threat has been being talked about more recently. I think that the dialogue around threat has really evolved over the course of the last, let's say, three to four years - a lot more focus on, who is the adversary? What is their motivation? What are the kinds of tools and techniques that they are going to use? What is that going to look like in terms of what the threats are that are coming at your organization?

Emily Mossberg: [00:07:37] But the piece that really hasn't been talked about very much is the impact piece. So you think about risk. There's three elements, right? There's the vulnerability. There's the threat. There's the impact. And in my experience, most of the dialogue has been on the first two - the threat and the vulnerability - not on the impact. And I think that we need to start focusing more on the impact piece. But the important clarification there is that it's not just the technical impact of what these incidents or attacks may look like. But what is the business impact associated with this? And how do we bring that dialogue into the equation?

Dave Bittner: [00:08:22] Mossberg suggests companies take a broader approach to incident response.

Emily Mossberg: [00:08:27] If you look at the incident response lifecycle, there is the beginning triage phase and the immediate response. There's the intermediate phase, where you've now gotten things under control. You've cleaned them up, but you're dealing with the immediate impacts associated with what's occurred. Then there's the longer-term recovery. This is where you start looking proactively at, why did this happen in the first place? Are there some foundational or fundamental changes that I need to make in terms of the way that my business operates? - the data that I'm collecting, how I'm managing that data, etc. And I think that what's different about this approach is that we're looking across that entire incident response lifecycle, and we're also looking broadly across the enterprise.

Dave Bittner: [00:09:23] Emily Mossberg says she definitely sees a shift in the conversation along with who's having it.

Emily Mossberg: [00:09:28] This is evolving to the point where it's getting more executive management time than it ever has before. The boards are asking questions. They want to know, what is our posture? Are we doing the right things? So as this becomes less of a niche technical topic and more of a front-and-center board room topic, we've got to change our approach. We've got to change our language. So previously, this was about bits and bytes. Have we identified and are we alerting on all of the triggers that are happening? But that dialogue doesn't translate to the executive management board, you know, table.

Emily Mossberg: [00:10:17] It doesn't translate to the boardroom, so you've got to change the way that you're talking about it. And there's an expectation that this is part of the executive dialogue. And so it's not that the other things aren't important anymore. But the translation layer has got to be there in order for the leaders of the organizations to feel like they're making the right decisions and to have confidence that their cyber risk program and practitioners are doing the right things.

Dave Bittner: [00:10:49] You can learn more about Deloitte and their cyber risk services organization at deloitte.com.

Dave Bittner: [00:11:00] Phantom gained notice by winning the RSA innovation sandbox competition. Their technology aims to use automation to connect cybersecurity systems. Oliver Friedrichs is Phantom's founder and CEO.

Oliver Friedrichs: [00:11:12] Yeah. So we deliver a purpose-built layer of connective tissue for the entire industry. It's really the industry's first open and extendable security automation and orchestration platform, tying together the dozens of products that the typical large enterprise has in their environment today. You know, on the showroom floor here today, we have 551 vendors. Each of them solves the problem in a different way. And they believe that they're the solution.

Oliver Friedrichs: [00:11:40] What we found, though, in the large enterprise is that they've bought 50, 60, 70 of these products from different vendors here, and none of them actually interoperate or actually work together in any meaningful way. So as a result, the security team is literally pivoting between dozens of different consoles on a daily basis to try to manage their security environment. And it just doesn't scale.

Dave Bittner: [00:12:02] Phantom is built around a response technology that they call Playbooks.

Oliver Friedrichs: [00:12:06] We take an alert or an input from some data source. I mean, it might be your sim or your threat intelligence feed that you're getting from a threat intel provider or even phishing emails coming out of a mailbox that your organization might be managing. What we do is we work on that high fidelity data source, and we allow you to build a playbook.

Oliver Friedrichs: [00:12:30] Now, a playbook represents, really, a digital version of what your manual playbook might look like. So if you have an analyst looking at certain types of alerts coming out of your technology, those analysts are typically following some set of procedures to take action, whether it's investigation, containment of threats, recovery from a breach and so on. We codify those into a playbook - a digital playbook that then allows the platform to also connect to the other security products and then execute actions on those products. You might have a firewall. And the obvious thing to do on a firewall would be to block traffic, to block an IP address or a port. You might have endpoints. And the obvious thing to do there might be to quarantine an endpoint from the network so that it can't continue spreading. So there's about 120 different functions that we support across around 40 different products today in the current platform.

Dave Bittner: [00:13:27] According to Friedrichs, there are multiple factors at play that make automation a must.

Oliver Friedrichs: [00:13:32] The other challenge is we can't hire the talent we need. There simply aren't enough people that are qualified to be able to staff the open positions in the industry right now. So it's this confluence of just more events, more velocity, more products, fewer people. And it's all compounding where we have no choice but to automate now.

Dave Bittner: [00:13:52] You can learn more about Phantom at phantom.us.

Dave Bittner: [00:14:00] When I was 12, I used the money I'd saved from my paper route to buy my first computer - a TRS-80. I couldn't afford an Apple II. I made games in BASIC and quickly realized that every time I restarted the computer, the random numbers I needed to make my game work were coming up the same. The built-in random number generator wasn't truly random. So I coded an endless loop, generating random numbers until the user pressed a key on the keyboard. And just like that, my game had the random numbers it needed. Needless to say, things are a bit more complicated today. Richard Moulds is from Whitewood Encryption Systems.

Richard Moulds: [00:14:35] Capturing keystrokes in a keyboard is a way of generating random numbers. I mean, it's not perfectly random, but it has randomness in it. That's OK for applications that - you know, shuffling songs on your iPod, that's fine. That's not OK for generating, you know, thousand-bit keys for encryption. So we use, actually, quantum mechanics. You actually use the random behavior of photons. It sounds - you know, it sounds crazy like a science experiment. In many ways, it is.

Richard Moulds: [00:14:59] Photons operate and have behavior in certain conditions that is fundamentally random. You'd literally have to change the laws of physics to be able to influence this stuff. So we generate large volumes - hundreds of megabits per second of perfect random numbers. And then we actually deliver them over the network to virtual machines up in clouds or IoT devices or, you know, servers running encryption algorithms.

Dave Bittner: [00:15:23] Richard Moulds says that at Whitewood, they envision a time in the not-too-distant future where entropy is delivered just like so many other services we've come to take for granted.

Richard Moulds: [00:15:32] So I think a good analogy is time, OK? Five years ago, we would program all of our laptops and our cell phones and our servers with time. If I had a rack of a thousand servers in my data center, I'd have to go along and configure the time on all these things. And that may have been fine back then. But in the era of iTunes and Apple Pay and - all of our phones have the same time, so time has moved from being a local issue to being a networked issue, you know, in living memory. And I think entropy goes the same way. When you have a thousand virtual machines or 10,000 phones or 100,000 smart meters generating keys, you expect them to be equally good at generating keys.

Richard Moulds: [00:16:11] But if they're all generating entropy locally on their own bits of hardware out of their own little, natural environment, by definition, their ability to generate entropy and, therefore, run their numbers is different for every single one of those devices. So that's the opposite of what you want if you're a security person. You want all of your systems to be equivalent from a security point. You want consistency. So our argument is entropy and random number generation is too important to be left to individual devices on a sort of best-effort approach. It should be something that's rigorous. It should be professionalized. It should come from a trusted source. And it should be made available to systems, you know, ubiquitously as if it's, essentially, a utility.

Dave Bittner: [00:16:50] There's more information on Whitewood and their random number generator at whitewoodencryption.com.

Dave Bittner: [00:17:01] Vikram Sharma is CEO at QuintessenceLabs, where they know a thing or two about random numbers. They use quantum properties as part of their flagship product called Trusted Security Foundation or TSF.

Vikram Sharma: [00:17:13] So the TSF is a single appliance which integrates in three capabilities. It has a true random number generator at its core - indeed, the world's fastest true random number generator. We measure a property called quantum noise, and we generate one billion random numbers - a gigabit per second - of full-entropy true random numbers. The reason you do that is to do high-quality encryption, you need a good stream of true random numbers. To date, how we've largely done that has been through pseudo-random number sources. So you'll have some software that tries to approximate true random numbers.

Vikram Sharma: [00:17:49] However, with the advent of ever more powerful computers - indeed, maybe even quantum computers - there is a risk that the strength of the encryption that you hope to achieve could be compromised if you don't have true random. So that's the first component - a true random number generator. That then feeds into an advanced key management system. And it's compatible with the standard called KMIP - key management interoperability protocol - which allows a key management server to serve up keys to any consumer that's KMIP compliant. And we also have a piece which enables you or allows you to implement data security policy to govern who has access to what sorts of data and what kinds of security measures you wish to put in place - what types of encryption - to protect different types of data.

Dave Bittner: [00:18:41] According to Sharma, it's a situation of the sum being greater than the parts.

Vikram Sharma: [00:18:46] The loose analogy is like when the iPhone came out, we had an iPod for music. We had a BlackBerry for texting, and we had a cell phone. When the iPhone came together, it integrated these capabilities in one form. In fact, the customer said, this is a very logical grouping of technologies. I would like to have one of those. That's what we see for the TSF. And as we look into the future, our goal is that every global - Forbes Global 2000 company - at the heart of its security infrastructure should have a series of TSFs to be the root of trust.

Dave Bittner: [00:19:20] You can learn more about Quintessence and their products at quintessencelabs.com.

Dave Bittner: [00:19:28] And that's our CyberWire RSA retrospective. We'll have another edition tomorrow covering trade and investment.

Dave Bittner: [00:19:34] The CyberWire's produced by CyberPoint International. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.