Dave Bittner: [00:00:03] This is a CyberWire Special Edition. I'm Dave Bittner. From time to time, we gather content from interesting people in the cybersecurity industry that doesn't neatly fit within the confines of our Daily Summary or Research Saturday show. Just before the RSA Conference this year, I spoke with a pair of industry experts for their take on the year so far and what they expect to see in the coming months. In this CyberWire Special Edition, we hear from Craig Williams, director of Talos Outreach at Cisco, and later in the show from Jon Rooney, vice president of product marketing at Splunk. Stay with us.
Dave Bittner: [00:00:44] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance: Artificial intelligence. Real threat prevention. And we thank Cylance for sponsoring our show.
Craig Williams: [00:01:42] You know, I think for me, if I had to define 2017 in terms of, like, a single threat, I think everyone would agree that 2017 was really the year of ransomware.
Dave Bittner: [00:01:52] That's Craig Williams. He's the director of Talos Outreach at Cisco.
Craig Williams: [00:01:55] Ransomware's been around since the '80s, but when we combine the idea of ransomware with Tor and cryptocurrencies, that's really what allowed it to take off. And I think in 2017, the inertia from previous years really hit an all-time peak. What's really interesting is the cryptocurrency markets, right? We've recently published a study showing that most exploit kits that we've observed throughout the year are now moving over towards cryptomining.
Craig Williams: [00:02:23] So, think about the way ransomware works, right? If you have a ransomware network of victims, a very, very small number of those actually pay. It's like one or two percent - potentially even less than that. You know, on the other hand, if you're mining some of these cryptocurrencies, like Monero, that are designed to be ASIC-resistant, you can still get about a quarter out per home machine. So, say we have a ten- or hundred-thousand-node botnet, we're getting a quarter per machine every day.
Craig Williams: [00:02:52] You combine that with the fact that it's relatively undetectable for the average home user, and it's not taking down networks, it's not taking down hospitals, it's not, you know, rendering MRI machines and CAT scanners useless - it's actually doing very, very little to the victims other than costing them power - it's very unlikely attackers are going to be investigated for it.
Craig Williams: [00:03:12] So, when you look at it from a high level, cryptocurrency mining is going to have a more regular payout, potentially a higher payout, and it's going to be much less likely for the attackers. So, if I had to throw a wild guess out, I think 2018 is going to be the year of cryptomining.
Dave Bittner: [00:03:28] Now, in terms of the market - I think last year, walking around the show floor at RSA, certainly, artificial intelligence and machine learning were hot topics, if not the hot topic. It was on everyone's lips. Do you think that trend is going to continue, or do you think we're going to move on to something different this year?
Craig Williams: [00:03:47] You know, I think there are going to still be people out there talking about it. You know, I think it's going to change a little bit though. The hype around cryptocurrencies has technology like blockchain being a buzzword everywhere, even in a lot of places where it may not be appropriate. So I'm sure we're going to still see machine learning and AI, but I really think they're going to start taking a step back for things like blockchain that are centered around cryptocurrency.
Dave Bittner: [00:04:11] And what do you suppose the effect of GDPR is going to be on the industry this year?
Craig Williams: [00:04:16] Well, I think we're going to see a lot more people taking data privacy seriously, especially, you know, in light of the things like the recent Facebook and Cambridge Analytica issues, right? I think we're going to all take a step back and look at, am I securing my data? How am I going to secure my data? And you know, you combine that with things like 2017 being the year of ransomware, I think data protection has really moved into the boardroom, and it's going to be a primary discussion.
Dave Bittner: [00:04:41] Looking at the business side of things, do you think we're going to see much consolidation? Are we going to continue to see an explosive growth of startups? What do you see the trends in that direction?
Craig Williams: [00:04:53] That's a tough question. You know, I think we're going to still see startups. You know, I think we're going to start seeing probably still niche startups coming out. You know, one of the things that I think is always frustrating from a researcher standpoint, is often we see startups with good ideas, but the product is just not quite there, right? It'll be a fragment of a good idea, but it won't be functional, it won't be able to meet the proper requirements. And so I hope, this year, that we're going to see some more solid products, some more leaps forward in detection technology.
Dave Bittner: [00:05:25] What do you suppose we're in for in terms of IoT?
Craig Williams: [00:05:30] I don't think there's going to be a magic bullet for IoT, right? The problem with IoT is that there are already millions and millions of devices out there that are unmanaged and unpatched. I hope, going forward, that we come up with something vendor-agnostic, something global, that will help us find a way to keep these devices updated. But the problem is, the issues already exist. So, we need to find a way to stop the issue from getting worse, and we need to find a way to fix the existing problem.
Dave Bittner: [00:05:59] Overall, do you think that 2018 is going to be a year that we gain ground, or are we going to keep pace with where we've been, or do you think we might lose ground this year?
Craig Williams: [00:06:10] I think it really depends on which markets we're talking about. You know, I think, for the average home user, this might be a year we gain ground, right? If what we're seeing now continues to hold true, and if the crypto markets don't crash, home users are going to seem more protected. We're going to see fewer people affected by ransomware because we're going to have more adversaries using cryptomining. And so, for the average home user, that's going to seem like a great success.
Craig Williams: [00:06:33] You know, on the other hand, when we look at well-sponsored threats or nation-state attacks, we're really seeing a surge in attacks against non-strategic targets, right? Attacks like NotPetya targeting Ukraine, just wiping out thousands of systems, and attacks like Olympic Destroyer, with seemingly no consequences for our adversaries.
Dave Bittner: [00:06:56] Now, in terms of advice and guidance for the people you work with, for your customers, what are you telling them, in terms of setting their priorities and shaping their budgets?
Craig Williams: [00:07:07] So that's a good question. I think there's lots of little, easy things that companies can do to try and protect themselves a little bit better this year. You know, the first one is let's learn from the NotPetya attack, right? Look for software that you're using that's not from a large company, and make sure that they're publishing CVEs. If they're not publishing CVEs, you may want to be concerned about a supply-chain attack, right? We saw several last year. We saw M.E.Doc in the Ukraine, and then we saw the CCleaner situation mostly spread out all over the world. But I think, given those two scenarios, we're going to see more people look at supply-chain attacks.
Craig Williams: [00:07:45] So, if you're using small, niche software, be sure and segment those machines off as aggressively as you can, right? Your thermostat shouldn't need to talk to your Web server, for example. And so, make sure that when you're segmenting those off, you plan on something going wrong and only give access where it's actually needed.
Craig Williams: [00:08:00] I think the second thing is, realize that every single hard drive ever will fail, right? You're going to lose that data. Now, the question is, do you want to back that data up before you lose it, or do you want to just roll the dice and hope you can recover from a dying hard drive as it starts spiraling down the hole?
Craig Williams: [00:08:16] The third one, that's really easy, is start turning on automatic patching where you can. You know, go into your Web browser, set it to update automatically. Go into your OS, set up that automatically if you can. I mean, obviously you can't do this on servers, but I think you could do it on most end-users' computers without too much of a problem. And if we wanted to go an extra mile, make sure that you're using unique passwords everywhere. Those simple things can really help make a difference if you get compromised.
Craig Williams: [00:08:41] You know, I think with Olympic Destroyer having recently happened, we did see a very new technique of attackers intentionally planting false flags in that malware. And so, I think we're going to start seeing more of that in 2018. You know, Olympic Destroyer was a very, very effective piece of wiper malware designed to disrupt the Olympics, right? And potentially embarrass the Olympic Committee. And I think people need to realize that because it got so much press and because it was so effective, and the fact that the false flags worked and tricked a lot of research organizations, and tricked a lot of members of the press, we're going to see that used in other ops. And so, what I think everyone needs to realize in 2018 - you cannot do effective malware attribution based off the sample alone. In order to do effective threat attribution, you've got to combine your malware research with a traditional intelligence apparatus.
Dave Bittner: [00:09:35] Yeah, that's an interesting point, because one thing I hear more and more is people saying that, well, attribution doesn't really matter for most folks.
Craig Williams: [00:09:43] And that's true - it doesn't, right? You know, I keep asking Chuck when he's going to get Talos its own battlegroup, but I really think it's not going to happen anytime soon. And so, you know, when we track malware, we don't worry so much about attribution. We worry about tactics, techniques, and procedures, so that we can identify similar campaigns, and so we can identify campaigns that we believe may be related, and that can help us predict what the attackers are after, what their motive might be, and what their end-goal might be. And that's really what we use to protect customers.
Jon Rooney: [00:10:16] One of the things that we've seen is this shift towards sort of analytics-driven security.
Dave Bittner: [00:10:21] That's Jon Rooney. He's the vice president of product marketing at Splunk.
Jon Rooney: [00:10:25] Rather than just sort of pulling stuff in and trying to detect, but understanding, you know, we've said for years at Splunk that all data is security-relevant data. You know, the broader market - and, you know, whether you're talking about customers or additional vendors - are starting to get on that page, and realizing that, you know, the attack surface is the horizon, and that the only way, you know, to have a chance against, you know, an attack surface that large, is to look at all the data and take an analytics-driven approach. That's at sort of a very broad level.
Jon Rooney: [00:10:58] I would say on a more specific level - and I think you've seen it, you know, with what the individual vendors are doing - is two, three, four years ago, the notion of sort of machine-learning techniques applied to security use cases felt very much like a sidecar, like it was a sort of additional thing. You know, you thought of UBA products as something that might be complementary to what you would see in a SIEM, versus, you know, it's actually part of the same processes. It's part of the same workload, whether you're talking about what the vendors are doing, or sort of the influential industry analyst, I think there's just convergence. The same way that, whatever it was, ten, fifteen years ago people had TiVo and now it's just a feature that's sitting in your DVR box, if you're not a cord-cutter and old like me.
Dave Bittner: [00:11:49] I think it's fair to say that AI and machine learning were very much a buzzword, and so I think that made it challenging to cut through some of that marketing noise. Do you suspect that this year things are going to settle down on that front some?
Jon Rooney: [00:12:01] I don't know that that noise is going to subside at all. I think you see it more and more. However, I think what people are doing, is people are spending the time to dig in, like, what does that really mean? And even from a terminology standpoint, you know, we've talked about machine learning in very specific ways for a number of years, and that's more, I think, a function of how our software works and how our software has always sort of worked, and the notion of training your data to look for anomalies, to look at patterns, to suppress events, to being very specific functions that tie into the work that, you know, security professionals need to do as part of their day-to-day jobs.
Jon Rooney: [00:12:39] So, if anything, you know, we maybe underplayed it a little bit, in terms of those capabilities. There's always going to be hype, there's always going to be - it's nice that AI is the new DevOps, which is the new Cloud, which is the new SOA. Like, you know, we know that this happens, it gets frothy in our industry. But I think that we're finally at a point of deeper consideration, where people are - they're doing their homework. They're reading the back of the box and saying, what is this again and how does this work?
Jon Rooney: [00:13:08] And so, we've been really specific, where we're not necessarily, you know, spray-painting the market with AI all over the place. We're very specific in the areas in which, you know, we apply AI for - in our User Behavior Analytics product, to do threat detection - in particular, insider threat detection - through anomaly, you know, single- and multivariate anomaly detection as well as, like, a number of other very specific techniques.
Jon Rooney: [00:13:34] And I think that's where - I think the interesting thing about what's going to happen in the market with AI this year, is there's going to be a bridge built between the super high-level marketing fuzz and then the super down-in-the-weeds algorithm talk that most people's eyes glaze over with. There's going to be a translation layer. And it's on the customer, you know, it's on every customer, it's on every vendor, to sort of make that translation layer as meaningful as possible.
Dave Bittner: [00:13:58] And have you seen an evolution in the types of questions that your customers are coming to you with?
Jon Rooney: [00:14:04] Absolutely, yeah. I mean, I think, you know, two, three years ago, it was - it wasn't even a shotgun. It was sort of like, tell me about what, you know, AI is. Whereas now, we're getting very specific questions about event grouping. We're getting very specific questions about, you know, what types of anomaly detection. How can you train the data? What is the interaction that I have, as an operator, to sort of be on a dimmer-switch between having this be a black box, and then having it be hard math that I need to hire a Stanford-Berkeley Ph.D. to man the other end of.
Jon Rooney: [00:14:37] Again, I think that is indicative of people realizing, hey, this stuff is valuable. Again, as I mentioned before, the attack surface is the horizon. So, I can't hire enough smart security professionals. How do I get leverage? How do I get sort of logarithmic leverage in the war, and what does it actually mean to me?
Dave Bittner: [00:14:58] And in terms of the evolution of the threats themselves, what directions do you see those taking in the next year or so?
Jon Rooney: [00:15:06] I mean, I think, you know, we've certainly seen the gamut this year, in terms of the popular imagination being taken over by some pretty sophisticated, pretty nuanced stuff. It's also been some, like, a lot of just brute-force, dumb, you know, bad hygiene stuff. And I think that the fact that both of those, you know, both ends of the continuum are still something that every organization needs to worry about, just sort of highlights the problem. That we haven't outgrown just poor password hygiene. We haven't outgrown just, you know, people leaving dumb ports open that they should be leaving open. And I think the notion is no amount of automated hardening will forever wipe the Earth of that.
Jon Rooney: [00:15:50] That being said, on the other - sort of the other front that people are fighting, is very sophisticated, very nuanced attack surfaces. You know, and then you get all the way down to sort of the hardware and the chip-level, like everyone dealt with over Christmas vacation with some of those issues. You know, that's a big span - I mean, that's a big span to have to worry about.
Dave Bittner: [00:16:08] When you look across the industry, do you think that we're going to be seeing more of these consolidations, more of these acquisitions? Are there too many providers right now?
Jon Rooney: [00:16:19] I think these things are always cyclical. I mean, I think, as additional capabilities and as additional categories exist, it's possible you'll see additional rounds of acquisitions. I mean, we - you know, going back to the AI stuff - you know, we picked up Rocana and SignalSense this year as additional acquisitions that were, you know, in some cases around technology, but also in other cases were really more about talent.
Jon Rooney: [00:16:43] But, you know, I think that's the question, that's the eternal question that every venture capital firm makes when they make an A Round of funding. Is this a feature, or is this a company? In some cases, it just - it's just going to end up being a feature in a suite. In other cases, it's going to be a massive company.
Dave Bittner: [00:17:02] Our thanks to Craig Williams and Jon Rooney for joining us. Thanks to our special edition sponsor, Cylance. To find out how they can help protect you, visit cylance.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.