McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future?
Steve Grobman, McAfee Blogs (Securing Tomorrow), Thu, 14 Mar 2019
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/mcafee-cto-rsa-catching-lightning-in-a-bottle-or-burning-bridges-to-the-future/


I spoke last week at the RSA Conference in San Francisco on the subject of AI-related threats and opportunities in the cybersecurity field. I asserted that innovations such as AI can strengthen our defenses but can also enhance the effectiveness of a cyber attacker. I also looked at some examples of underlying fragility in AI that give an attacker the opportunity to evade AI-based defenses. The key to unlocking the potential of AI in cybersecurity is that we in the cybersecurity industry answer the question of how we can nurture the sparks of AI innovation while recognizing its limitations and how it can be used against us.

We should look to the history of key technological advances to better understand how technology can bring both benefits and challenges. Consider flight in the 20th century. The technology has changed every aspect of our lives, allowing us to move between continents in hours, instead of weeks. Businesses, supply chains, and economies operate globally, and our ability to explore the world and the universe has been forever changed.

But this exact same technology also fundamentally changed warfare. In World War II alone, the strategic bombing campaigns of the Allied and Axis powers killed more than two million people, many of them civilians.

The underlying technology of flight is Bernoulli’s Principle, which explains why an airplane wing creates lift. Of course, the technology in play has no knowledge of whether the airplane wing is connected to a ‘life-flight’ rescue mission, or to a plane carrying bombs to be dropped on civilian targets.

When Orville Wright was asked in 1948 after the devastation of air power during World War II whether he regretted inventing the airplane he answered:

“No, I don’t have any regrets about my part in the invention of the airplane, though no one could deplore more than I do the destruction it has caused. We dared to hope we had invented something that would bring lasting peace to the earth. But we were wrong. I feel about the airplane much the same as I do in regard to fire. That is, I regret all the terrible damage caused by fire, but I think it is good for the human race that someone discovered how to start fires, and that we have learned how to put fire to thousands of important uses.”

Orville’s insight was that technology does not comprehend morality, and that any advance in technology can be used for both beneficial and troubling purposes. This dual use of technology is something our industry has struggled with for years.

Cryptography is a prime example. The exact same algorithm can be used to protect data from theft, or to hold an individual or organization for ransom. This matters more than ever given that we now encrypt 75% of the world’s web traffic, protecting over 150 exabytes of data each month.  At the same time, organizations and individuals are enduring record exploitation through ransomware.

The RSA Conference itself was at the epicenter of a debate during the 1990s on whether it was possible to conditionally use strong encryption only in desirable places, or only for desirable functions. At the time, the U.S. government classified strong encryption as a munition and subjected it to strict export restrictions. Encryption is ultimately just math, and it’s not possible to stop someone from doing math. We must be intellectually honest about our technologies: how they work, what the prerequisites for using them are, and when, how and whether they should be contained.

Our shared challenge in cybersecurity is to capture lightning in a bottle, to seize the promise of advances like flight, while remaining aware of the risks that come with technology.  Let’s take a closer look at that aspect.

History repeats itself

Regardless of how you define it, AI is without a doubt the new foundation for cybersecurity defense. The entire industry is tapping into the tremendous power that this technology offers to better defend our environments. It enables better detection of threats beyond what we’ve seen in the past, and helps us out-innovate our cyber adversaries. The combination of threat intelligence and artificial intelligence, working together as human-machine teaming, provides far better security outcomes, faster, than either capability on its own.

Not only does AI enable us to build stronger cyber defense technology, but it also helps us solve other key issues, such as addressing our talent shortage. We can now delegate many tasks to machines, freeing up our human security professionals to focus on the most critical and complex aspects of defending our organizations.

“It’s just math.”

Like encryption, AI is just math. It can enhance criminal enterprises in addition to serving beneficial purposes. McAfee Chief Data Scientist Celeste Fralick joined me on stage during this week’s keynote to run through some examples of how this math can be applied for good or ill (the keynote recording is linked at the end of this post). From machine-learning-fueled crime-spree predictors to DeepFake videos to highly effective attack obfuscation, we touch on them all.

It’s important to understand that the cybersecurity industry is very different from other sectors that use AI and machine learning. For a start, in many other industries, there isn’t an adversary trying to confuse the models.

AI is extremely fragile, and so one focus area of the data science group at McAfee is adversarial machine learning, where we’re working to better understand how attackers could try to evade or poison machine learning models. We are developing models that are more resilient to such attacks using techniques such as feature reduction, adding noise, distillation and others.

AI and False Positives: A Warning

We must recognize that this technology, while incredibly powerful, is also incredibly different from what many cybersecurity defenders worked with historically. In order to deal with issues such as evasion, models will need to be tuned to high levels of sensitivity. The high level of sensitivity makes false positives inherent and something we must fully work into the methodology for using the technology.

False positives can have catastrophic results. For an excellent example of this, watch the video of the keynote (linked below) if you haven’t seen it yet. I talk through the quintessential example of how a false positive almost started World War III and nuclear Armageddon.

The Take-Away

As with fire and flight, how we manage new innovations is the real story. Recognizing that technology does not have a moral compass is key. Our adversaries will use the technology to make their attacks more effective, and we must move forward with our eyes wide open to all aspects of how technology will be used: its benefits, its limitations and how it will be used against us.


Please see the video recording of our keynote speech RSA Conference 2019: https://www.rsaconference.com/events/us19/presentations/keynote-mcafee


State County Authorities Fail at Midterm Election Internet Security
Steve Grobman, McAfee Blogs, Wed, 24 Oct 2018
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/state-county-authorities-fail-at-midterm-election-internet-security/


One of the things we at McAfee have been looking at this midterm election season is the security of election infrastructure at the individual county and state levels. A lot of media and cybersecurity research focus has been placed on whether a major national attack could disrupt the entire U.S. voting infrastructure. Headlines and security conferences focus on elaborate “Hollywood-esque” scenarios where tampering with physical voting machines allows them to be hacked in 45 seconds, and the entire election system falls apart via a well-orchestrated nation-state attack. The reality is that information tampering and the targeting of select counties are more realistic scenarios that require greater attention.

A realistic attack wouldn’t require mass voting manipulation or the hacking of physical machines. Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle.

A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted. An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively).

Actors could use something as simple as a classic bulk email campaign to distribute links to fraudulent election websites that give voters false information about when, where and how to vote. Given that voter data can be purchased or even freely obtained from numerous recent breaches, a very specific and targeted campaign would be trivial. As we will see, there are multiple challenges for a typical voter in distinguishing legitimate from fraudulent sites, and the legitimate sites are often lacking the most basic security hygiene.

With this in mind we looked at how constituents get information from their election boards at the county level. County websites are typically the first place a citizen would go to look up information on the upcoming local elections.  Such information might include voter eligibility requirements, early voting schedules, deadlines to register, voting hours and other critical information.

McAfee ATR researchers surveyed the security measures of county websites in 20 states and found that the majority of these sites are sorely lacking in basic cybersecurity measures that could help protect voters from election misinformation campaigns.

What’s in a Website Name?

Our first disturbing revelation was that there’s no consistency as to how counties validate that their websites are legitimate sites belonging to genuine county officials.

I stumbled upon this initially because I live in Denton County, Texas, where the voter information site is votedenton.com. When I saw that, I was a little perplexed because the county actually uses a website address with a .com top level domain (TLD) rather than a .gov TLD.

Domain names using .gov must pass a U.S. federal government validation process to confirm that the website in question truly belongs to the official government entity. The use of .com raised the question of whether such a naming process is common or not across county websites in Texas and in other states.

This is important, because unlike .gov sites where there is a thorough vetting process and background checks (including government officials as references), anyone can buy a .com domain.

We found that large majorities of county websites use top level domain names such as .com, .net and .us rather than the government validated .gov in their web addresses. Our findings essentially revealed that there is no official U.S. governing body validating whether the majority of county websites are legitimately owned by actual legitimate county entities.

Our study focused primarily on the swing states, or the states that were most influential in the election process, and thus the most compelling targets for threat actors.  Minnesota and Texas had the largest percentage of non-.gov domain names with 95.4% and 95% respectively. They were followed by Michigan (91.2%), New Hampshire (90%), Mississippi (86.6%) and Ohio (85.9%).

McAfee researchers found that Arizona had the largest percentage of .gov domain names, but even this state could only confirm 66.7% of county sites as using the validated addresses.

The other very concerning finding was that significant majorities of county sites did not enforce the use of SSL (Secure Sockets Layer) certificates, that is, HTTPS. These digital certificates protect a website visitor’s web sessions, encrypting any personal information voters might share and ensuring that bad actors can’t redirect site visitors to fraudulent sites that might give them false election information.

SSL is one of the most basic forms of cyber hygiene, and something we expect all sites requiring confidentiality or data integrity to have at a minimum.  The fact that these websites are lacking in the absolute basics of cyber hygiene is troubling.

Maine had the highest number of county websites protected by SSL with 56.2%, but the state was something of an outlier. West Virginia had the greatest number of websites lacking in SSL security with 92.6% unprotected, followed by Texas (91%), Montana (90%), Mississippi (85.1%) and New Jersey (81%).

Above all, there was no consistency within states, let alone across the nation, in website naming or in how effectively SSL was applied to protect voters.
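The two checks the survey relies on, as an added example that is not McAfee ATR’s survey code: is the hostname under the federally validated .gov TLD, and does a plain http:// request get redirected to https://? The hostnames and canned responses are constructed; `live_fetch` performs the real request when a host is audited without the canned fetcher.

```python
import urllib.error
import urllib.request
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

@dataclass
class SiteResult:
    state: str
    host: str
    validated_gov: bool   # registered under the federally vetted .gov TLD
    https_enforced: bool  # a plain http:// request is redirected to https://

def validated_gov_domain(host: str) -> bool:
    """Only .gov passes federal validation; .com, .net, .us and .org do not."""
    return host.lower().rstrip(".").endswith(".gov")

def live_fetch(url: str):
    """GET without following redirects; returns (status, lower-cased headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for 3xx instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def https_enforced(host: str, fetch=live_fetch) -> bool:
    """True only if http://host answers with a redirect to an https:// URL.
    A 200 over plain HTTP (even when https also works, as in the Orange County
    case above) or a redirect to another http:// URL both count as not enforced."""
    status, headers = fetch(f"http://{host}/")
    if status not in REDIRECT_CODES:
        return False
    return urlparse(headers.get("location", "")).scheme == "https"

def audit(state: str, host: str, fetch=live_fetch) -> SiteResult:
    return SiteResult(state, host, validated_gov_domain(host), https_enforced(host, fetch))

def summarize(results):
    """Per state: share of sites on non-.gov domains and share without enforced
    HTTPS, the two figures the survey reports."""
    by_state = defaultdict(list)
    for r in results:
        by_state[r.state].append(r)
    summary = {}
    for state, rs in by_state.items():
        n = len(rs)
        summary[state] = {
            "non_gov_pct": round(100 * sum(not r.validated_gov for r in rs) / n, 1),
            "no_https_pct": round(100 * sum(not r.https_enforced for r in rs) / n, 1),
        }
    return summary

# Constructed inventory and canned responses standing in for live sites.
SAMPLE_INVENTORY = [
    ("TX", "votecounty-a.example"),        # .com-style name, plain HTTP only
    ("TX", "elections.county-b.example"),  # redirects, but to another http:// host
    ("TX", "county-c-tx-example.gov"),     # .gov and http -> https
    ("ME", "county-d-me-example.gov"),     # .gov and http -> https
    ("ME", "county-e.example"),            # https reachable but never enforced
]
CANNED = {
    "http://votecounty-a.example/": (200, {"content-type": "text/html"}),
    "http://elections.county-b.example/": (301, {"location": "http://www.elections.county-b.example/"}),
    "http://county-c-tx-example.gov/": (301, {"location": "https://county-c-tx-example.gov/"}),
    "http://county-d-me-example.gov/": (302, {"location": "https://county-d-me-example.gov/"}),
    "http://county-e.example/": (200, {}),
}

def canned_fetch(url: str):
    return CANNED.get(url, (200, {}))

def demo():
    """Run the audit over the constructed inventory; for live use call audit(state, host)."""
    return summarize(audit(s, h, canned_fetch) for s, h in SAMPLE_INVENTORY)
```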

The following Orange County site protects user information with SSL at the voter registration section of the site, but not at the main home page, meaning an attacker could manipulate the content of the top-level site and replace the legitimate registration link with a fraudulent one. Those accessing the site would subsequently never be able to navigate to the legitimate protected site.

Florida’s Broward County became famous (perhaps infamous) during the 2000 presidential election as one of the state’s counties for which then-Vice President Al Gore requested a vote recount. Today, the site is not protected by SSL and has a .org address that is not distinguishable from a fake .org domain. The browser itself actually calls out “Not Secure” when you go to the site.

Even sites that report election results are utilizing non-.gov domains, such as the Glades County site below.

This site from Scioto County in Ohio uses an unvalidated .net top level domain and doesn’t protect site visitors with SSL.

The Fulton County Ohio site uses an unofficial .com top level domain and is also missing enforced SSL support.

The following site from New York’s Albany County uses an unvalidated .com TLD. It also fails to use SSL protection on the site’s critical voter information pages.

Lacking Basic Protection

Because SSL protection is a very well understood website security practice, the lack of it does not instill confidence that other systems managed at local levels are adequately secured.

Given how important the democratic process of voting is to our society and way of life, we must work to better secure these critical information systems.

If you think about a close election race with rural or urban district elements to it, a malicious actor could simply send emails to hundreds of thousands of voters in rural or urban parts of the municipality and direct voters to the wrong voting locations. Such an actor would essentially be disrupting, misdirecting and perhaps even suppressing voter turnout through misinformation. No systems would be taken offline, no physical harm done, and likely no one would even notice until election day when angry voters showed up at the wrong sites.

We developed the following phishing email message to provide an educational example of what such an election campaign message might look like (we did NOT uncover it as a part of a real phishing campaign currently in progress):

To avoid early detection, it is most likely that a coordinated attack would take place just hours, perhaps a few days before a critical vote; the threat actors would want to provide enough time to reach a critical mass for election disruption, but little enough time to avoid detection and remediation.  At that point what could you even do?

Influencing the electorate through false communications is more practical, efficient and simpler than attempting to successfully hack into hundreds of thousands of voting machines. Such a scenario is much easier to execute than tampering with voting machines themselves, and it scales to achieve the broad election objective any malicious actor might desire.

What Must Be Done Nationally

Regardless of whether central regulation or best practice publication are the best approaches to election security, we need better security standardization for all of the supporting systems that deal with elections.

While it might be difficult to pass a federal law that would mandate things like .gov naming standardization or utilizing SSL protection, an organization like the U.S. Department of Homeland Security could take a leading role by recommending these best practices.

How Voters Can Protect Themselves Locally

First, regarding SSL protection, anyone can always determine whether or not their communication with a website is protected by SSL by looking for an “HTTPS” in a site’s website address in the address bar of their browser. Some browsers also show a key or lock icon to make SSL protection easier for users to spot before they share street addresses, dates of birth, Social Security Numbers, credit card numbers or other sensitive personal information.  

As for the validity of election websites, McAfee encourages voters across the country to rely on state voter registration and election sites.  Such sites have a better track record of utilizing .gov TLDs and generally enforce SSL to protect integrity and confidentiality.   These sites may navigate voters to their local sites which may suffer from the security issues described in this blog, but utilizing a state secured .gov site as a starting point is better than a search engine.

State voter registration websites:

  1. Alabama
  2. Alaska
  3. Arizona
  4. Arkansas
  5. California
  6. Colorado
  7. Connecticut
  8. DC
  9. Delaware
  10. Florida
  11. Georgia
  12. Hawaii
  13. Idaho
  14. Illinois
  15. Indiana
  16. Iowa
  17. Kansas
  18. Kentucky
  19. Louisiana
  20. Maine
  21. Maryland
  22. Massachusetts
  23. Michigan
  24. Minnesota
  25. Missouri
  26. Montana
  27. Nebraska
  28. Nevada
  29. New Hampshire
  30. New Jersey
  31. New Mexico
  32. New York
  33. North Carolina
  34. North Dakota
  35. Ohio
  36. Oklahoma
  37. Oregon
  38. Pennsylvania
  39. Rhode Island
  40. South Carolina
  41. South Dakota
  42. Tennessee
  43. Texas
  44. Utah
  45. Vermont
  46. Virginia
  47. Washington
  48. West Virginia
  49. Wisconsin
  50. Wyoming

Finally, state governments provide information phone numbers allowing voters to confirm election information. McAfee encourages voters to call these official phone numbers to confirm any seemingly contradictory information sent to them, particularly if voters received any email or other online messages regarding changes to planned election processes (time, location, ballots, etc.).

Our country’s democracy is worth a phone call.


For more perspectives on U.S. election security, please read here on the topic.

Perspectives On Securing Our Election Systems
Steve Grobman, McAfee Blogs, Wed, 18 Apr 2018
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/perspectives-on-securing-our-election-systems/

I had the pleasure of sitting on a panel at CyberScoop’s CyberTalks event this week, which coincides this year with the RSA 2018 Conference in San Francisco. Our discussion focused on the need to protect election systems from would-be hackers seeking to change results, sow discord in our election processes, and undermine confidence in our system of government.

I’ve often made the point that information warfare is more likely to have an impact on elections than cyber warfare attacks are to have an impact on the voting infrastructure of our country.

In information warfare, malicious actors seek to polarize and divide an electorate through a manipulative information campaign along the lines of Cold War-era propaganda. This could include the carefully timed release of weaponized information intended to damage the reputations of candidates and parties just days before an election.


Hackers would release authentic data and intertwine it with data that they would fabricate, giving it all the appearance of being believable, and severely damaging candidate reputations in the minds of voters. If the disclosure were to be released days prior to the vote, there might not be enough time to research and validate the information, let alone inform voters whether the information is true.

Our moderator, CyberScoop assistant editor Chris Bing, established that our CyberTalk would steer clear of information warfare as the discussion otherwise could be too broad.

First, we agreed that the decentralized nature of this country’s election systems actually protects our politics from cyber-attack campaigns. There are around 10,000 local jurisdictions running elections, using different voting systems with a varied mix of digital, analog and manual processes. This complexity and variety requires potentially thousands of different cyber-attack scenarios to mount a large-scale, impactful cyber-attack.

An election hacker is like a thief casing a neighborhood; it’s not like there is one door lock that he has to know how to pick. He’s faced with dozens or hundreds of doors that each require unique methods to compromise. He might have the opportunity to try many times, wiggling and examining all the doorknobs to find the easiest locks to pick. But breaking into enough of them to make his crime pay would be difficult.

In the case of cyber-attacks on voting systems, the attackers are challenged by disparate voting systems, built by different vendors with different technologies. Attackers can certainly try many times to find the weakest systems, but orchestrating a cyber-attack that manipulates the voting results broadly would be difficult.

That’s not to say that voting system decentralization and diversity means we don’t need to take the cyber-threats seriously. We absolutely do.

It may be difficult with any single attack to influence an entire national election result. The flip side of this is that a targeted attack on a specific locality could have very serious implications for the votes there. A tight congressional district in a swing state could be manipulated with dramatic results, even if the system as a whole cannot be manipulated dramatically.

Beyond technical issues, there are human issues.

Whenever we talk about election security, we need to remember that it’s not just about the mechanics of protecting the vote. It’s also about ensuring the integrity of the election process so the general population can trust the process.

Cybersecurity is inherently a complex topic, and you generally need a considerable level of skill to understand cyber-attacks and the ways to protect against them.

You need a voting system the public sees and trusts. This is why I strongly believe that any digitized, automated voting system we implement must be backed by paper trails that can be audited by normal humans.

There are other human issues.


As mentioned, the diversity in the number of systems an adversary has to go after to impact an election is immense. The challenge of protecting all of those systems is also immense.

Given that we have a cybersecurity labor shortage in the United States, we’re already having trouble getting world class cybersecurity professionals to protect government and the private sector. The very idea of having such pros actually on the ground in jurisdictions across the United States is impractical.

We shouldn’t make the assumption that vote manipulation won’t be possible in the future because of the challenges in hacking our decentralized electoral systems. The absence of a particular attack is no predictor of the viability of such attacks in the future.

We’ve seen numerous cases in which voting systems have been manipulated in threat research environments. We need to take all the research in this area seriously to prepare for the attacks ahead.

As we near the 2018 midterm elections, perhaps the best first step toward protecting against election cyber-attacks is to acknowledge the activity we did see in 2016.

Economic Impact of Cybercrime: Why Cyber Espionage isn’t Just the Military’s Problem
Steve Grobman, McAfee Blogs, Thu, 22 Mar 2018
https://securingtomorrow.mcafee.com/business/economic-impact-cybercrime-cyber-espionage-isnt-just-militarys-problem/

In a technology-driven age, entrepreneurs, organizations, and nations succeed or fail in large part based on how effectively they develop, implement, and protect technology. One of the most notable aspects of “The Economic Impact of Cybercrime” report released recently is the prominence of cyber espionage, the cyber-theft of intellectual property (IP) and business confidential information. The report from the Center for Strategic and International Studies (CSIS) and McAfee estimates that the cost of cybercrime to the global economy is around $600 billion annually, or 0.8% of global GDP, and cyber espionage accounts for 25% of that damage, more than any other category of cybercrime. Furthermore, the report argues that “Internet connectivity has opened a vast terrain for cybercrime, and IP theft goes well beyond traditional areas of interest to governments, such as military technologies.”

When we think of cyber espionage, we tend to think of events such as the Chinese military’s theft of the F-35 joint strike fighter’s blueprints from U.S. corporations. Last month, the Associated Press reported a similar event where Russian hackers attacked several U.S. corporations attempting to steal drone technologies used by the U.S. military.

But there are also cases such as the 2009 Operation Aurora attacks, in which nation-state hackers allegedly tied to China’s People’s Liberation Army sought to steal IP and business confidential information from IT, chemical, web services, and manufacturing firms as well as military contractors. There is also the example of the 2004 Nortel Networks cyber-attacks that allegedly compromised IP later used to strengthen the market position of Chinese telecommunications giant Huawei.

Such examples suggest that nation states are seeking to steal IP not only to enhance their military strength, but also to achieve technological leadership throughout the rest of their economies without the investments, human talent, or other foundational elements associated with technical innovation.

Put simply, cyber espionage isn’t just the U.S. military’s problem. Organizations beyond military contractors should assume they could become targets of such cybercrimes.

If enough of a profit motive is there, it’s wise to assume that the hacking expertise and tools to steal IP are within your would-be attackers’ reach. Furthermore, it’s wise to assume that the beneficiaries of commercial cyber espionage are capable of copying your compromised product designs and building them into their own products, just as Chinese government engineers had integrated stolen F-35 design features into China’s J-20 stealth fighter.

The cyber theft of such IP could result in lost market share and revenues for corporations. Such theft could smother a nation’s most promising new startups in their Series A cradles, or drive its most innovative mid-sized companies out of business, erasing wealth and jobs in the process.

The CSIS report identified three key cyber espionage challenges facing organizations and nations today.

Challenges of Detection

Cyber espionage maintains a lower profile than critical infrastructure attacks, ransomware, mega-consumer data hacks, identity theft and fraud, and other threats, in part because there’s no incentive to report cyber espionage incidents. Victimized companies don’t wish to report them, if indeed they ever become aware of them. The attackers don’t wish to alert their victims or the public to their crimes. Victim organizations still own the compromised IP or business confidential information and could easily attribute declines in market share and revenue to any number of tactical and strategic moves on the part of competitors. Unsurprisingly, such incidents go undiscovered and under-reported.

Challenges of Attribution

As in every other area of cybersecurity, the difficulty of attribution makes the policing of cyber espionage complicated if not near impossible. Attacks of this nature are sophisticated and designed to obscure the identity of the actors behind them. Governments are in the best position to determine attribution because they can combine the analysis of technical cyber-attack forensics with analysis of traditional intelligence to identify actors. But holding adversaries accountable isn’t easy given the nature of the required inputs and analysis that enable attribution.

For instance, the U.S. government has accused Chinese hackers associated with the People’s Liberation Army (PLA) of being responsible for half of the cyber espionage activity targeting U.S. “IP and commercially valuable information,” and claimed that this activity had inflicted $20 billion in economic damage by 2014.

But the evidence used to make such attribution determinations is not easily exposed without revealing the means and methods by which cyber threat researchers and government agencies came by it.

Challenges of Definition

The CSIS report revisits the 2015 Barack Obama-Xi Jinping Summit, where the leaders of the U.S. and China agreed that their intelligence communities would cease to conduct “commercial espionage,” while allowing each nation to engage in military-related espionage appropriate to their respective national security interests. The nations comprising the world’s 20 largest economies agreed to a similar “no-commercial espionage” pledge later that year.

Any such agreement obviously requires accountability mechanisms to have an impact. But it also requires that the nations agree to specific and consistent definitions of what constitutes commercial versus military espionage.

CSIS notes that the evidence is mixed as to whether the Chinese government has slowed commercial espionage in accordance with the 2015 agreement. Despite high-level dialogues and pledges between nations, the think tank reports that officials from multiple countries maintain that commercial IP theft continues unabated.

Last month’s Worldwide Threat Assessment of the U.S. Intelligence Community confirmed that China and other nation-state actors are continuing to use cyber-attacks to “acquire U.S. intellectual property and proprietary information to advance their own economic and national security objectives.”

The assessment goes so far as to suggest that because the disruptive technologies of the 21st century are being developed by public and private competitors around the world, any significant loss of U.S. IP in pivotal areas—artificial intelligence, 5G networking, 3D printing, nano-materials, quantum computing, biotech, and advanced robotics—could ultimately weaken U.S. military and economic power, and result in a loss of national competitiveness in the global marketplace, as well as on the battlefield.

Preventing the Theft of our Future

At its most basic level, the theft of IP and business confidential information is a theft of the future. It’s a theft of future national security, future business for companies, future wealth for a nation’s communities, and future high paying jobs and standards of living for a nation’s citizens.

Because technologies don’t fit neatly within civilian and military sector silos, particularly throughout their lifecycles, it’s important for organizations to take cyber espionage seriously. Even beyond technology providers, any organization producing anything of great value should take care to consider that what is valuable to it is valuable to others as well, and remember that anything of great value must be protected.

Please go here for more information on the report’s assessments.

World Economic Forum Sets High Bar on Public-Private Cybersecurity Partnerships https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/world-economic-forum-sets-high-bar-public-private-cybersecurity-partnerships/ Tue, 30 Jan 2018 21:04:12 +0000

This week’s World Economic Forum (WEF) in Davos, Switzerland featured the launch of the World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society, a global platform for coalitions of public and private sector entities to “collaborate and accelerate progress against shared digital economy goals and to shape a digital future that is sustainable, inclusive, and trustworthy.”

The Forum has partnered with The Boston Consulting Group to produce a report entitled Cyber Resilience Playbook for Public-Private Collaboration, which contextualizes cybersecurity policies through 14 key areas of potential cooperation between governments and corporations. While countries and cultures must make their own choices on how to address the public-private policy challenges facing us in the years ahead, we at McAfee argue that the government and business leaders meeting in Davos this week must answer critical policy questions in four areas to truly have a constructive, positive impact in shaping the evolution of cyberspace in 2018 and beyond.

The Uncertainty of Attribution

Attribution is among the most complex and challenging aspects of cybersecurity, and the implications of getting active defense responses wrong based on faulty attribution are particularly daunting. Government and business leaders must be wary of these dynamics as cyber-attacks inflict greater levels of damage, and as cyber-attack victims demand accountability and retaliation based on such imprecise attribution.

Digital forensic work can suggest a perpetrator behind a cyber-attack, but it rarely does so with certitude. Level-headed attackers will naturally seek to implicate some other party in their handiwork, so false flags and red herrings often litter the cyber-attack scene.

For instance, it could be risky to draw conclusions about a cyber-attack’s origin and perpetrators solely on things such as the presence of Cyrillic, Mandarin, Korean, Arabic, or Persian characters or words within an identified piece of malware. Once such methods of attribution become accepted best practices, attackers will undoubtedly seek to manipulate that acceptance to hide their tracks.

This marks a profound difference from nuclear strategy or conventional terrorism, where proven techniques can source an incoming missile or trace a bomb’s origin. Cyberspace can allow a bit-player terror group to pit nation-states against one another with cyber aggression that appears to come from those countries.

There is a clear need for both the private and public sectors to understand where they add value. Pinpointing blame for a cyberattack takes a blend of cutting-edge digital forensics from the public and private sector, and traditional intelligence from public sector intelligence services or law enforcement partners.

The Unpredictability of Active Defense—Hacking Back

Offensive cyber weapons can be programmed to focus on an intended target. In some ways, they are the ultimate precision ordnance—at least in theory.

In actuality, active defense or “hacking back” cyber-attacks can have unpredictable consequences due to the complex interconnectedness of today’s internet, and the ability of attackers to use that dense complexity to cover their tracks.

Even in capable, officially-sanctioned hands, retaliatory strikes can inadvertently, directly or indirectly impact online services, third-party assets, and individuals in addition to their intended targets.

Add to this wild card exercise any software bugs or coding errors within these cyber weapons, and small flaws could have large consequences, as cyber-attacks could go awry, damaging more unintended networks and third-party actors.

The unpredictable dynamics of “hacking back” should place a tremendous priority on the responsible governance and coordination of active defense efforts by public and private entities.

Zero day vulnerabilities

Governments must always recognize that the private sector’s willingness and commitment to cybersecurity collaboration is reliant in part on how transparent governments are about knowledge critical to their mission, including disclosures of zero day vulnerability discoveries.

Private sector actors must always recognize that governments have the unique responsibility to balance vulnerability disclosures with the necessity to protect real human lives by any means necessary, including digital cyber-weapons exploiting such vulnerabilities.

Once such software vulnerabilities are discovered and publicly released “into the wild,” technology vendors can take action to address them with security updates. Public knowledge of these vulnerabilities also provides hackers with blueprints for exploiting them through cyber-attacks. If that knowledge is withheld instead, governments can use it for cyber-espionage or cyber-warfare campaigns.

While it is reasonable to assume that governments should take an active, responsible role in the research and timely public disclosure of such vulnerabilities, it is also reasonable to assume that governments should “stockpile” their knowledge of zero day vulnerabilities for use in future covert cyber activities.

After all, isn’t there real humanitarian value in using cyber-attacks to digitally disable power plants or other physical military targets without the physical destruction and loss of life caused by a kinetic weapon such as a bomb?

Successful public-private cybersecurity partnerships must involve an ongoing dialogue, and a pragmatic give and take exchange between actors. Only by addressing this and other potential trust issues can governments, technology vendors, and other private sector actors hope to work together to gain a step on the cyber-attackers working furiously to uncover and take advantage of the same vulnerabilities.

Threat intelligence sharing

Ultimately, information is the lifeblood of cyber-defense. It’s not an exaggeration to say that success in the previously mentioned critical areas of public-private cybersecurity collaboration relies heavily on getting policies right in the crucial area of threat research, data, and other intelligence sharing. “Getting it right” requires that policies reflect the limitations as well as the advantages of sharing.

Data collected and shared by governments may be regarded as out of date by cybersecurity industry actors. There will always be concerns that government or industry members of information sharing communities might play “free rider,” benefiting from drawing volumes of other organizations’ data and intelligence, while contributing little information of their own.

Strong processes must enable effective, real-time sharing of the data that matters most to enable coordinated responses to security events, such as the cross-industry response to major developments like the WannaCry and NotPetya malware outbreaks, and the Meltdown and Spectre firmware exploit revelations of earlier this month.

Beyond episodic collaboration, information sharing must seek to achieve real security improvements over the long-term, while strong privacy protections must be in place to maintain the trust of those whom security efforts are meant to protect.

While leaders at Davos and beyond may understand that cybersecurity is one of the greatest digital challenges of our time, it’s even more important that they understand that no one organization, entity or sector can solve it alone. There’s a reason McAfee believes in the “Together is Power” mantra. The solutions to cybersecurity lie in collaboration and innovation, and public-private partnerships present one of the greatest challenges and opportunities facing us.

Out Innovating the Adversary, Part 2 https://securingtomorrow.mcafee.com/business/innovating-adversary-part-2/ Wed, 22 Nov 2017 15:00:53 +0000

My last post discussed the challenges of working to out-innovate our adversaries given the growing variety of objectives they might pursue, and the growing variety of methods they might use in pursuit of those objectives.

As mentioned, part of the answer to these challenges lies in thinking differently about threat defense, and in understanding that the correlation of detection technologies is as critical as their efficacy.

We also need to think about confidence. We benefit from independent technologies agreeing on what they are detecting. We need to think about some of the nuance on how to maximize the value of modern threat defense technologies.

Let me give you an example outside cybersecurity.

Anyone who travels by plane must put their bags through an x-ray machine, and bags are either pulled off for inspection or not. If airport security teams were only measured on detection, they could achieve 100% detection rates easily. Simply pull and search every bag. In this sense, threat detection is easy.

But such a practice would create lots of extra overhead associated with energy and labor costs, along with many false positives. Which is why, when you think about threat detection, you can’t think about threat detection alone. That’s easy. It’s threat detection without false positives that’s hard. In cybersecurity, where the adversary is constantly innovating, threat detection without false positives is incredibly hard.

Threat Detection is Easy… Threat Detection Without False Positives is Hard

To address this, we have thought about the tools and capabilities we can use to solve problems like this. We have looked at the quality of each of our technologies, and acted upon our understanding of how false positives relate to detection.

For instance, given that I can achieve any level of detection if I’m willing to tolerate enough false positives, I can simply graph the detection rate against the false positive rate. The quality of the technology is indicated by the knee of the curve in the top left (below). Higher quality technologies will ramp to high detection rates before intolerable false positive rates occur.

What this also does is allow us to tune our technologies to give you the best outcome. We have looked at the underlying structure of threat defense, and dialed in the right level of detection to give you a great outcome.

Either extreme will provide a bad result. If we go too far to the left (below) to where we see the green dot, we have a lot of headroom. We can achieve a much higher level of detection without incurring the cost of false positives.

Similarly, if we go all the way to the right, we start getting a lot more false positives without increasing our detection rate. There is an area of optimal sensitivity that is really key in order for us to tune the products we deliver to our customers.
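To make the curve concrete, here is an added Python example (mine, not McAfee’s code and not the tuning logic of any McAfee product) that sweeps an alert threshold over a constructed set of labelled classifier scores, traces detection rate against false positive rate, finds the knee, and measures both the headroom of an operating point set too strictly (the green dot on the left) and the false positives bought for nothing by one set too loosely (the far right). The scores and labels are constructed for illustration.

```python
"""Detection rate versus false positive rate for a score-based detector.

Added example, not McAfee's code. The scores below are constructed: each
sample is (classifier score, is_malicious), with higher scores meaning
"more suspicious". Alerting on score >= threshold and sweeping the
threshold traces the detection / false positive curve.
"""
from typing import List, Tuple

# Constructed labelled scores: 10 malicious and 10 benign samples.
SAMPLES: List[Tuple[float, bool]] = [
    (0.98, True), (0.95, True), (0.91, True), (0.88, True), (0.83, True),
    (0.79, True), (0.72, True), (0.64, True), (0.51, True), (0.35, True),
    (0.62, False), (0.55, False), (0.41, False), (0.33, False), (0.28, False),
    (0.22, False), (0.17, False), (0.12, False), (0.08, False), (0.03, False),
]


def rates_at(threshold: float, samples=SAMPLES) -> Tuple[float, float]:
    """Return (detection rate, false positive rate) when alerting on score >= threshold."""
    n_mal = sum(1 for _, mal in samples if mal)
    n_ben = len(samples) - n_mal
    tp = sum(1 for s, mal in samples if mal and s >= threshold)
    fp = sum(1 for s, mal in samples if not mal and s >= threshold)
    return tp / n_mal, fp / n_ben


def detection_curve(samples=SAMPLES) -> List[Tuple[float, float, float]]:
    """(threshold, fpr, tpr) at every distinct score, strictest threshold first.

    Lowering the threshold moves right along the curve: more detection,
    more false positives.
    """
    thresholds = sorted({s for s, _ in samples}, reverse=True)
    curve = []
    for t in thresholds:
        tpr, fpr = rates_at(t, samples)
        curve.append((t, fpr, tpr))
    return curve


def knee(samples=SAMPLES) -> float:
    """Threshold at the knee: the largest detection-minus-false-positive gap,
    i.e. the point of the curve nearest the top-left corner."""
    return max(detection_curve(samples), key=lambda p: p[2] - p[1])[0]


def max_detection_within_fpr(budget: float, samples=SAMPLES) -> Tuple[float, float, float]:
    """Highest detection achievable without exceeding a false positive budget.

    Returns (threshold, tpr, fpr); ties on detection prefer fewer false positives.
    """
    eligible = [p for p in detection_curve(samples) if p[1] <= budget]
    t, fpr, tpr = max(eligible, key=lambda p: (p[2], -p[1]))
    return t, tpr, fpr


def headroom(threshold: float, samples=SAMPLES) -> float:
    """Detection left on the table by an operating point set too strictly: how much
    higher the detection rate could go at the same false positive rate."""
    tpr, fpr = rates_at(threshold, samples)
    same_fpr = [p[2] for p in detection_curve(samples) if p[1] == fpr]
    return max(same_fpr) - tpr


def wasted_false_positives(threshold: float, samples=SAMPLES) -> float:
    """False positives bought with no detection gain by an operating point set too
    loosely: the false positive rate minus the lowest rate reaching the same detection."""
    tpr, fpr = rates_at(threshold, samples)
    same_tpr = [p[1] for p in detection_curve(samples) if p[2] == tpr]
    return fpr - min(same_tpr)


if __name__ == "__main__":
    for t, fpr, tpr in detection_curve():
        print(f"threshold {t:.2f}: detection {tpr:.0%}  false positives {fpr:.0%}")
    print("knee at threshold", knee())
    print("best detection within a 20% false positive budget:", max_detection_within_fpr(0.20))
    print("headroom at threshold 0.90:", round(headroom(0.90), 2))
    print("wasted false positive rate at threshold 0.30:", round(wasted_false_positives(0.30), 2))
```

On the constructed data the knee sits at threshold 0.64 (80% detection, no false positives); an operating point at 0.90 gives up half the detection rate for no false positive benefit, and one at 0.30 adds ten points of false positives without catching anything more.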

At McAfee, we’re looking at each technology on its own, optimizing it to give customers the best outcome, and then making it work with all the other technologies in your environment to provide the best aggregate set of capabilities.

Strategy Anchored in Understanding

We have anchored the McAfee strategy on understanding adversary counter-evasion, and we’re investing in the building blocks we need to out-innovate the adversary.

We think about machine learning, but do so with clear eyes, understanding that every model will eventually be evaded.

Threat research is incredibly important because understanding what the adversary is going to do next allows us to go where the puck is going to go, not where it currently is.

Being able to amplify your incident responders and other security operations personnel gives you the headroom to actually do the investigation to out-innovate the adversary.

It’s also important that we don’t think about technologies in a vacuum for any product. For instance, we use many forms of analytics and data science and we use each of them across our product lines, from the backend systems of McAfee Labs to the endpoint.

McAfee Advanced Threat Defense (ATD), our sandboxing technology, can take the output of all the capabilities that different elements of the gauntlet provide to come to a better conclusion, a higher-quality analysis of whether a sample is malicious or benign. We’re using it in our enterprise endpoint product to counter adversarial machine learning.

Our McAfee Investigator product is all about the concept of human-machine teaming, amplifying how your incident responders and operations personnel can benefit from using this technology. Here we use machine learning to separate the good, from the bad, from the unknown, and then allow human intellect and intuition to determine critical context and next steps.

The only way McAfee is going to help you out-innovate the adversary is if McAfee is going to out-innovate everyone else in the industry. I’m committed to helping lead the 7,000 employees at McAfee in embracing innovation as the only way we can win this battle.

One of the things you will always see from McAfee is a high level of intellectual honesty about our technologies, what their capabilities are, and how we’ll innovate and build upon them to address the future attack landscape. Our commitment to you is to not only build great capabilities that work well when you install them, but further down the line, when you need resilience, efficacy and stability.

Out Innovating the Adversary, Part 1 https://securingtomorrow.mcafee.com/business/innovating-adversary-part-1/ Tue, 21 Nov 2017 15:00:39 +0000

Deep down, if I think about who I am, I’m a scientist who loves to solve problems. If you think about cybersecurity, its problems are unique in that we are not only competing against industry competitors, we are also competing against the adversaries behind the cyber-attacks. My recent keynote at MPOWER17 Las Vegas focused on the problem of out-innovating these adversaries.

A year ago, I introduced a framework illustrating how defensive technologies are effective over time based on the innovation competition between defender and adversary. It shows that a defensive technology works best when it is first deployed. At that time, the threat it is designed to address is well-understood. Over time, however, adversaries are incentivized to develop more and more countermeasures that will eventually degrade the technology’s efficacy. We have seen this play out with spam filters, sandboxes and numerous other defensive measures.

At McAfee, we have thought a lot about how we can use this cycle of attacker-defender innovation to benefit customers.

First, we take a platform approach by making it easier for you to install and maximize the value of the technologies within your environment. Value could mean things such as technology teaming enabled with OpenDXL, or human-machine teaming that marries machine power with human intellect to achieve better outcomes.

And finally, we think about how we can create new technologies that we recognize are going to be evaded by adversaries when they hit a key point in their life cycle.

Machine learning, deep learning and artificial intelligence are cornerstone technologies that McAfee and much of the industry are building upon, but we must recognize that the adversaries are going to work to innovate around them.

Evasion Innovation

During my MPOWER keynote, I used a machine learning model that is successful in recognizing different handwritten characters, and showed what it might take from a technical perspective to confuse it. The machine learning model initially predicts with 99% probability that the image represents a “9” character, versus 1% probability that the character is a “4.” By slightly manipulating the pixels of the character, the probability levels out to 50/50. The image on the right is now at the other end of the spectrum; to you and me it looks like a “9,” but the machine now thinks there’s a 99% chance it’s a “4.”

This same concept can be applied to machine learning capabilities used in cybersecurity defense. We took the same approach and applied it to a malware classifier that judges Android-based malware to be either malicious or benign. By making just slight modifications to the malware, we could fool models into thinking that the code is benign.

Why do I call out some of the inherent weaknesses in machine learning?

It is because if we close our eyes and disregard that adversaries will attempt something like this, the cyber defense technology that works so well today will fall apart tomorrow. At the same time, if we recognize some of these weaknesses exist, we can put energy into developing defenses today to add resiliency.

This is exactly what we are doing at McAfee. We are looking at all our machine learning capabilities to understand not only how well they work today, but also how they will stand up over time and be resilient and resistant to the evasion attacks of the future.

Objectives, Methods and Innovation

We have to recognize that the adversaries are continuously innovating, and their objectives and methods evolve. They are not focused just on data theft, system breaches, and the sale of stolen information. New business models are driving things like ransomware, where the victim pays the cybercriminal directly, bypassing the risk of reselling data, and monetizing a breach in a very efficient model.

We see things like the weaponization of data, in which attackers can do damage to an individual or an organization by releasing information with the intent to harm them. They are even able to take advantage of changes in the technical ecosystem to find new objectives, such as attacking cloud environments wherein multi-tenant breaches can affect many organizations or users.

Adversaries can take advantage of vulnerabilities by using exploits. They can use stolen credentials to move around environments in such a way that the activity appears to be normal behavior and difficult for defenders to spot.

Sometimes the weakness is not technology. Sometimes it is social, or phishing, or configuration vulnerabilities. Malicious insiders may be authorized actors in an environment.

The Correlation of Detection

Imagine we have a new defense technology that can defend against 5% of the threats on our threat landscape. Should we bring this technology to market when it can stop only 5% of our threats?

You clearly cannot answer that question without more data. If the 5% of threats that this technology can catch is 5% for which existing technologies do not have an answer, such a new technology is very valuable.

This question is not just hypothetical. It is the way that we are engineering and innovating with our new endpoint technology.

McAfee ENS is the most innovative endpoint product on the planet because we have used a set of technologies, each covering a different portion of the threat landscape. You have signature-based detection, you have reputation-based detection, and you have multiple machine learning models. Each technology on its own detects many types of threats, while also leaving some holes.

We must understand what a technology can cover that another technology potentially misses, and how effectively they work together—versus how effectively they work on their own.

Ultimately, part of the answer to out-innovating our adversaries lies in understanding that the correlation of detection technologies is as critical as their efficacy.
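Here is an added Python example (mine, not McAfee’s code and not a description of how ENS combines its engines) that puts numbers on both this point and the confidence argument from Part 2. It models a constructed threat landscape as a set of threat identifiers, records which threats each technology in a stack catches, and computes each technology’s coverage, the stack’s combined coverage, the marginal coverage a candidate 5% technology adds beyond the stack, and how many independent technologies agree on each threat. The landscape and the detection sets are constructed for illustration.

```python
"""Coverage, overlap and agreement across a stack of detection technologies.

Added example, not McAfee's code. The threat landscape and the detections
are constructed: threats are labelled T000..T099, and each technology is
modelled by the set of threats it catches.
"""
from typing import Dict, List, Set, Tuple


def threats(start: int, stop: int) -> Set[str]:
    """Threat identifiers T<start> .. T<stop-1> (constructed helper)."""
    return {f"T{i:03d}" for i in range(start, stop)}


LANDSCAPE: Set[str] = threats(0, 100)

# Constructed stack: each technology covers a different slice of the
# landscape, with heavy overlap between them.
STACK: Dict[str, Set[str]] = {
    "signature":  threats(0, 60),    # 60% of the landscape
    "reputation": threats(30, 80),   # 50%
    "ml_model":   threats(50, 90),   # 40%
}

# Two candidate technologies that each catch 5% of the landscape.
CANDIDATE_NEW_GROUND = threats(95, 100)   # 5% that nothing in the stack catches
CANDIDATE_REDUNDANT = threats(0, 5)       # 5% already caught by signatures


def coverage(detected: Set[str], landscape: Set[str] = LANDSCAPE) -> float:
    """Fraction of the landscape a set of detections covers."""
    return len(detected & landscape) / len(landscape)


def combined(stack: Dict[str, Set[str]]) -> Set[str]:
    """Everything at least one technology in the stack catches."""
    return set().union(*stack.values())


def marginal_coverage(stack: Dict[str, Set[str]], candidate: Set[str],
                      landscape: Set[str] = LANDSCAPE) -> float:
    """Share of the landscape the candidate catches that nothing in the stack does.

    This, not the candidate's raw 5%, decides whether it is worth adding.
    """
    return coverage(candidate - combined(stack), landscape)


def rank_candidates(stack: Dict[str, Set[str]],
                    candidates: Dict[str, Set[str]]) -> List[Tuple[str, float, float]]:
    """(name, raw coverage, marginal coverage), best marginal coverage first."""
    rows = [(n, coverage(c), marginal_coverage(stack, c)) for n, c in candidates.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def agreement(stack: Dict[str, Set[str]], threat: str) -> int:
    """Number of independent technologies flagging a threat: more agreement, more confidence."""
    return sum(1 for det in stack.values() if threat in det)


def agreement_histogram(stack: Dict[str, Set[str]],
                        landscape: Set[str] = LANDSCAPE) -> Dict[int, int]:
    """How many threats are flagged by 0, 1, 2, ... technologies.

    The zero bucket is the gap a new technology should aim at; the one bucket
    is where a single detector stands alone with no corroboration.
    """
    hist: Dict[int, int] = {}
    for t in landscape:
        k = agreement(stack, t)
        hist[k] = hist.get(k, 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    for name, det in STACK.items():
        print(f"{name:<11} covers {coverage(det):.0%} on its own")
    print(f"stack combined covers {coverage(combined(STACK)):.0%}")
    for name, raw, marginal in rank_candidates(
            STACK, {"new_ground": CANDIDATE_NEW_GROUND, "redundant": CANDIDATE_REDUNDANT}):
        print(f"candidate {name:<10} raw {raw:.0%}  adds {marginal:.0%} beyond the stack")
    print("agreement histogram:", agreement_histogram(STACK))
```

Both candidates score 5% in isolation; only the one that covers uncaught ground moves the stack from 90% to 95%, which is the point about correlation versus efficacy. The histogram also shows that a technology whose coverage lands in the one-detector bucket adds confidence even when it adds no coverage.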

My next post will explain how McAfee is understanding correlation as well as efficacy, and how this understanding is paramount to McAfee’s approach to innovation.

Equifax: Rethinking Social Security Numbers as Identifiers, Part II https://securingtomorrow.mcafee.com/business/equifax-rethinking-social-security-numbers-identifiers-part-ii/ Fri, 15 Sep 2017 19:00:22 +0000

In my last post, I argued that we need to view the Equifax breach as a catalyst moment for rethinking the way we handle identification for U.S. citizens. This involves determining the right balance among security, privacy, utility, and cost. In this case, the irony is that technology is likely going to be the easy part.

The Easy Part of Change

We have all the technology pieces to begin the journey to a high-quality, high-security, well-thought-out identity solution for U.S. citizens. We understand the cryptography, biometrics, how to build hardware devices, and how to deploy them to scale to millions of people. We can apply the lessons that we have learned, using proven technologies, from mechanisms such as our financial instruments, as well as look at what has and has not worked in countries that have moved to more modern identity systems.

There are several ways to do this, from simply implementing proven credit card technologies such as “chip and PIN” for personal IDs, to more advanced technologies such as biometrics. Chip and PIN technologies could allow individuals to electronically authenticate with a higher level of security than if they simply asserted a number that another party could keep and potentially use.

India has moved to a national biometric identity program, allowing 1.3 billion citizens to prove their identities through fingerprints, facial recognition, and iris scans. The country faced an even more difficult problem than compromised SSNs because there was no single starting database of citizens. Because benefits came with being a citizen, there were concerns that an individual might attempt to register in one town under one name, and then register in another town under another name.

The Indian government addressed this issue by creating a biometrics database to register its population. If your biometrics were already in the database, the government would know that you were a duplicate person. It also provided a mechanism that let you walk into any government office and reprove that you were you.

The Hard Part of Change

What’s going to be more challenging in my view is coming up with a solution that strikes the right balance between security and privacy, and deciding what the scope of this should be.

Is this a solution for individuals to prove their identity for government-related services and transactions, social security, and other government benefits? Or is this the solution for individuals to prove who they claim they are for other types of transactions? States currently provide identity solutions such as driver’s licenses or ID cards. Does the new standard complement that? Does it replace elements of that?

Change will require a good partnership between the private sector and federal, state, and local governments given that identity is something that is used where citizens interact with many forms of government. Even within the private sector, we will need partnerships to determine what is appropriate for different types of private transactions.

These are the difficult questions that need to be debated, but we need to move quickly. Every day that we do not solve this problem sets up the opportunity for criminals to use compromised consumer data for the impersonation of individuals whose data has been breached.

Will We Stop Using SSNs Altogether?

There will certainly be an interim period during the transition that will require SSNs to play a role.

There is a difference between using a number as an identifier and having that identifier be considered sensitive information. Given that lots of data already exist in all sorts of databases and SSNs are used as a part of those datasets, it would be unrealistic to ban their use overnight. But we do need to make sure that they serve only as identifiers within the identification scheme, not as proof of identity, so that they cannot be used by imposters to pass as the genuine individuals.

It is reasonable that the IRS uses an SSN as a part of its tax accounting solution at least for the near term. But if somebody calls the IRS and simply gives their SSN and date of birth, that in and of itself should no longer be sufficient for the IRS to believe that that individual is definitively who they claim to be. It is the difference between using something as a reference to an individual as opposed to being an authenticator, an instrument that proves an individual identity.
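As an added illustration (my code, not anything the post or any agency describes), the Python below contrasts the two roles in a toy records system. The SSN is used only as a lookup key; the “recite your SSN and date of birth” check the post says should no longer suffice is shown beside a possession-based check in which a credential device holds a secret key and answers a fresh server nonce with an HMAC, standing in for the chip-and-PIN style credential discussed earlier. The records, the keys and the HMAC challenge-response scheme are constructed for illustration.

```python
"""Identifier versus authenticator: looking a record up by SSN is not proving identity.

Added example, not McAfee's code. Records, device keys and the HMAC-based
challenge-response are constructed for illustration; a real credential
would be a chip holding the key, and the key never leaves the device.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Citizen:
    ssn: str            # identifier: a reference to the record, treated as non-secret
    dob: str            # widely held "private" fact, assumed compromised
    device_key: bytes   # secret that exists only inside the citizen's credential device


# Constructed records, keyed by SSN purely as a lookup key.
RECORDS: Dict[str, Citizen] = {
    "000-00-0001": Citizen("000-00-0001", "1980-01-02", secrets.token_bytes(32)),
    "000-00-0002": Citizen("000-00-0002", "1975-11-30", secrets.token_bytes(32)),
}


def lookup(ssn: str) -> Optional[Citizen]:
    """Identification: find the record the caller is talking about. Proves nothing."""
    return RECORDS.get(ssn)


def knowledge_based_verify(ssn: str, dob: str) -> bool:
    """The pattern the post argues against: reciting SSN + date of birth counts as proof.
    Anyone holding a breached copy of those two fields passes this check."""
    c = lookup(ssn)
    return c is not None and c.dob == dob


class ChallengeResponseVerifier:
    """Authentication by possession: the server issues a fresh nonce and the
    citizen's credential device answers with HMAC(device_key, nonce)."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}

    def issue_challenge(self, ssn: str) -> Optional[bytes]:
        """Look the record up by SSN and hand out a single-use nonce for it."""
        if lookup(ssn) is None:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[ssn] = nonce
        return nonce

    def verify(self, ssn: str, response: bytes) -> bool:
        """Accept only a correct answer to the outstanding nonce; the nonce is
        consumed either way, so a captured response cannot be replayed."""
        nonce = self._pending.pop(ssn, None)
        c = lookup(ssn)
        if nonce is None or c is None:
            return False
        expected = hmac.new(c.device_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    """What the credential device computes. Only the key holder can produce this."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    ssn = "000-00-0001"
    # An imposter who bought the breached SSN and date of birth:
    print("knowledge check, imposter with leaked data:", knowledge_based_verify(ssn, "1980-01-02"))
    verifier = ChallengeResponseVerifier()
    nonce = verifier.issue_challenge(ssn)
    print("possession check, imposter guessing a key:",
          verifier.verify(ssn, device_respond(b"guessed-key", nonce)))
    nonce = verifier.issue_challenge(ssn)
    print("possession check, genuine device:",
          verifier.verify(ssn, device_respond(RECORDS[ssn].device_key, nonce)))
```

The SSN still does its job in both paths (it selects the record), but in the second path knowing it buys an imposter nothing, which is the distinction between a reference to an individual and an instrument that proves one.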

A Catalyst Moment

The world needs to operate during the transition, and we need to have a high level of pragmatism to work through this. At the same time, we should not indefinitely kick the can down the road and ignore the problem, forcing ourselves to default to systems that are inherently insecure.

If we continue to rely on private pieces of information to prove our identity, we will continue to have those pieces of information stolen and misused—which will impact millions of individuals in the United States.

The mega retail breaches of a few years ago changed financial institutions’ perspectives and pushed U.S. merchants to move to chip and PIN credit cards. That series of events was the catalyst that made major industries take a step forward in using available technology. This Equifax event is very similar; it is a catalyst that makes us say: “Let’s talk about this.”

Given the scale of this event, we need to talk and get to work on solving this now.

Read the recent post from Gary Davis for guidance on actions consumers can take to protect themselves in light of the Equifax revelations.

For more on this story and to join the conversation, follow @McAfee and @McAfee_Business.

Equifax: Rethinking Social Security Numbers as Identifiers, Part I
Thu, 14 Sep 2017 23:45:49 +0000
https://securingtomorrow.mcafee.com/business/equifax-rethinking-social-security-numbers-identifiers/

Revelations about compromised social security numbers at Equifax remind us that the United States needs to modernize the national identification standard for its citizens. In 2017, it is unrealistic for a social security number (SSN) to be shared and distributed to many parties and stay confidential for the better part of a century.

This is not a problem that we are just now recognizing. As early as 25 years ago, computer science advocates voiced concerns around sharing an SSN, a single piece of permanent information, with others as a means of proving your identity. Part of the problem is there hasn’t been a forcing function or an incentive to change the way these identity transactions work. Simply having these pieces of information constituted the ability of an individual to prove his or her identity.

The irony in all of this is that we have not taken steps to come up with a better standard despite recognizing that this single piece of information is not adequate in many other places, such as credit cards.

For many years, your credit card number, expiration date, and CID number were the things that proved that you could charge against an account. A few years ago, millions of credit card numbers were compromised during several major retail sector data breaches. We recognized that this model needed to be changed, and we transitioned to “chip and PIN” or smart card–based credit card capabilities. Although we are still transitioning to this model, we can see the benefits of the upgrade.

If you look at how the underlying technologies work for credit cards using a chip, there is never any disclosure of the secret information to the parties with whom you are transacting. You are simply using math, cryptographic algorithms, to prove that you are you, as opposed to giving them something that would let them impersonate you. The simplest technical requirement truly boils down to that.

We need to move to a system in which an individual can prove his or her identity to somebody, but not make it such that when you prove your identity, you are giving the other party the ability to impersonate you in a completely different transaction.
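The identifier-versus-authenticator distinction drawn here (and in the IRS example of Part II) is easiest to see when the two models sit side by side in code. The following Go program is an added illustration, not code from the original post or from McAfee: it models the SSN-style "prove it by disclosing the number" flow next to a chip-card-style signed challenge, using Ed25519 from the Go standard library as a stand-in for the card's cipher. The identifier, the nine-digit "secret", the relying parties and the transcript prefix are all constructed for the example. One relying party receives a genuine proof and then replays exactly what it captured against a second relying party; the first model accepts the replay, the second does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Identifier is the public reference to a person (an account number, or today
// an SSN). Every relying party may know it; knowing it should prove nothing.
type Identifier string

// Model 1, the SSN model: proving identity means disclosing a static secret.
// staticRecords is a constructed stand-in for the many databases that hold
// that secret; every relying party that ever received it keeps a copy.
type staticRecords map[Identifier][]byte

// proveStatic is what "give me your SSN and date of birth" amounts to: the
// prover hands the verifier the secret itself, and the verifier keeps it.
func proveStatic(secret []byte) []byte {
	return append([]byte(nil), secret...)
}

// verifyStatic accepts whoever presents the stored value, genuine or not.
func verifyStatic(db staticRecords, id Identifier, presented []byte) bool {
	stored, ok := db[id]
	return ok && subtle.ConstantTimeCompare(stored, presented) == 1
}

// Model 2, the chip-card model: proving identity means signing a fresh
// challenge with a private key that never leaves the prover. Ed25519 stands
// in for the card's cipher; verifiers hold only the public key.
const nonceLen = 32

// newChallenge draws a fresh random nonce; a proof is valid for this one only.
func newChallenge() []byte {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy: nothing sensible to do but stop
	}
	return nonce
}

// transcript binds identifier and nonce so a signature cannot be re-purposed
// for another identity or another session (prefix is a constructed label).
func transcript(id Identifier, nonce []byte) []byte {
	return append([]byte("auth-v1:"+string(id)+":"), nonce...)
}

// respond answers one specific challenge. The verifier learns a signature over
// that nonce and nothing that lets it impersonate the prover elsewhere.
func respond(priv ed25519.PrivateKey, id Identifier, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(id, nonce))
}

// verifyResponse checks the signature against the nonce this verifier issued.
func verifyResponse(pub ed25519.PublicKey, id Identifier, nonce, sig []byte) bool {
	return len(nonce) == nonceLen && ed25519.Verify(pub, transcript(id, nonce), sig)
}

// Simulate runs both models: relying party A receives a genuine proof, then
// replays exactly what it captured against relying party B. It reports
// whether B accepts the replay under each model.
func Simulate() (staticReplayed, signatureReplayed bool, err error) {
	id := Identifier("123-45-6789") // constructed sample, not a real SSN

	// Model 1: both parties store the same nine-digit "secret".
	secret := []byte("123456789")
	partyA, partyB := staticRecords{id: secret}, staticRecords{id: secret}
	capturedByA := proveStatic(secret)
	if !verifyStatic(partyA, id, capturedByA) {
		return false, false, fmt.Errorf("static model: genuine proof rejected")
	}
	staticReplayed = verifyStatic(partyB, id, capturedByA) // A can now be "you" to B

	// Model 2: the person holds the private key; both parties hold the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	nonceA := newChallenge()
	capturedSig := respond(priv, id, nonceA)
	if !verifyResponse(pub, id, nonceA, capturedSig) {
		return false, false, fmt.Errorf("signature model: genuine proof rejected")
	}
	nonceB := newChallenge() // B issues its own challenge; A's capture is useless
	signatureReplayed = verifyResponse(pub, id, nonceB, capturedSig)
	return staticReplayed, signatureReplayed, nil
}

func main() {
	s, g, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("replay accepted: static secret=%v, signed challenge=%v\n", s, g)
}
```

Running it prints that the static secret replays and the signed challenge does not. The point of the transcript helper is the same one the post makes about scope: because the identifier is signed together with a nonce the verifier chose, a captured response is worthless in a completely different transaction, and the verifier never holds anything it could present as you.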

The question we need to ask as U.S. citizens is why would we move forward to a more secure system for financial instruments such as credit cards, but lag in our progress toward a more secure system for proving our identities as individuals.

There are challenges to implementing any new standard, but the Equifax data breach means that the SSN toothpaste is already out of the tube. We cannot put it back. If almost half of U.S. citizens have their SSNs and other personal information compromised, we cannot assume that the information can be used any longer as the sole criteria for someone proving their identity.

My next post will dig into what a transition to a new U.S. identification standard will involve.

Why Human-Machine Teaming Will Lead to Better Security Outcomes
Thu, 13 Jul 2017 11:32:04 +0000
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/human-machine-teaming-will-lead-better-security-outcomes/

Artificial intelligence and machine learning have never been more prominent in the public forum. CBS’s 60 Minutes recently featured a segment promising myriad benefits to humanity in fields ranging from medicine to manufacturing. World chess champion Garry Kasparov recently debuted a book on his historic chess game with IBM’s Deep Blue. Industry luminaries continue to opine about the potential threat by AI to human jobs and even humanity itself. Much of the conversation focuses on machines replacing humans. But the fact is the future doesn’t have to see humans eclipsed by machines.

In my field of cybersecurity, as long as we have a shortage of human talent, we must, as a 451 Research report released this week illustrates, rely on technologies such as these to amplify the capabilities of the humans we have. Furthermore, as long as there are human adversaries behind cybercrime and cyber warfare, there will always be a critical need for human intellect teamed with technology.

We recently commissioned 451 Research to delve into this area in one of its Pathfinder Advisories. Released this week, the report nicely frames the concept of “human-machine teaming” in cybersecurity. It identifies ways in which we can use machine learning to overcome the challenges of protecting organizations and do so with an insufficient number of cybersecurity professionals.

To quote the report:

“Machine learning makes security teams better, and vice versa. Human-machine teams deliver the best of both worlds:

  • Machine learning means security teams are better informed so they can, therefore, make better decisions. Security executives realize that the intelligence and creativity of their security operations experts are critical business resources. Machine learning is a technology that allows chief security officers (CSOs) to get the most out of human and security product assets.
  • Adversaries are human, continuously introducing new techniques. Creative new tactics and strategies dealt by adversaries force security teams to employ machine learning to automate the discovery of new attack methods. Creative problem solving and the unique intellect of the security team strengthen the response.
  • Machine learning becomes more accurate as more data is available to feed its algorithms. Enhancements in handling big data using high-performance and massive-capacity storage architectures have enabled the growth of artificial intelligence.
  • IT teams need help analyzing faults. In those rare instances when endpoint security cannot prevent damage from an attack, machine learning accumulates relevant data elements into one place, placing it at the fingertips of security analysts when needed.
  • Human-machine teaming makes for sustainable endpoint security. As new threats are introduced, security teams alone cannot sustain the volume, and machines alone cannot issue creative responses. Human-machine teams make endpoint security more effective without draining performance or inhibiting the user experience.”

Machine learning has enabled us to improve the accuracy of hurricane forecasting from within 350 miles to within 100 miles. Nate Silver’s best seller The Signal and the Noise notes that although our weather forecasting models have improved, combining this technology with human knowledge of how weather systems work has improved forecast accuracy by 25%. Such human-machine teaming has literally saved thousands of lives.

As we implement machine learning deeper into our cyber defenses, we must recognize that humans are good at doing certain things and machines are good at doing certain things. The best outcomes will come from combining them. Machines are good at processing massive quantities of data and performing operations that inherently require large scales. Humans have strategic intellect, so they can understand the theory about how an attack might play out even if it has never been seen before.

Of course, thunderstorms are not trying to evade the latest in machine learning technologies applied by human beings. Cybercriminals are.

Cybersecurity is very different from other fields that employ big data, analytics, and machine learning because there is an adversary trying to reverse engineer your models and evade your capabilities. Security technologies such as spam filters, virus scans, and sandboxing are still part of protection platforms, but their industry buzz has cooled since criminals began working to evade their technology.

Based on the information they receive, IT security staff on the front lines of an attack can anticipate new evasion techniques, exploits, and other tactics in ways detection models based on the past cannot. A major area in which we see this playing out is attack reconstruction, where technology assesses what has happened inside your environment, and then engages a human to work on the scenario.

Efforts to orchestrate security incident responses can benefit tremendously when a complex set of actions is required to remediate a cyber incident. Some of those actions might have very severe consequences to networks. Having a human in the loop not only helps guide the orchestration steps, but also assesses whether the required actions are appropriate for the level of risk involved.

The 451 report asserts that machine learning will manifest itself by optimizing the cyber professional’s user experience, automatically flagging suspicious behavior, and by automatically making high-value investigation and response data available. In this way, says the report, IT security teams will have “the ability to rapidly dismiss alerts and accelerate solutions that thwart new threats.”

In threat intelligence analysis, attack reconstruction, and incident response orchestration, human-machine teaming takes the machine assessment of new information and layers upon it the intellect that only a human can bring.

Doing so can lead us to better outcomes in all aspects of cybersecurity. Now more than ever, better outcomes are everything in cybersecurity.

WannaCry: The Old Worms and the New
Sat, 13 May 2017 05:42:14 +0000
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/wannacry-old-worms-new/

On the morning of Friday, May 12, multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry.

Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers.

By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers.

McAfee urges all its customers to ensure these DAT updates have been applied, and furthermore ensure that security updates are applied for all the software solutions they use. For more information, read this Knowledge Center article.

This week’s attacks leveraging the WannaCry ransomware were the first time we’ve seen an attack combine worm tactics with the business model of ransomware. The weaponization of the Eternal Blue exploit, made public weeks ago, together with thousands of Windows systems left unpatched against the MS-17-010 vulnerabilities, enabled WannaCry to infect hundreds of thousands of computers across industries and across continents within just a day. Furthermore, these attacks accomplished all this with little or no human involvement, unlike typical ransomware campaigns, which depend on a victim taking some action.

A hybrid of the proven, less the human

WannaCry’s success comes down to its ability to amplify one attack through the vulnerabilities of many machines on the network. The impact of the attack is much greater than what we’ve seen from traditional data ransomware attacks.

Almost all of the ransomware we see in the wild today attacks individual users, typically through spear-phishing: the victim receives an email that appears to come from a legitimate source, and it lures the victim into clicking on a link or opening an attachment that downloads or executes malicious code on his or her system. But it only impacts that one victim’s computer.

If you think back to the late 90s and early 2000s, when we had Code Red, NIMDA and SQL Slammer, those worms spread really rapidly because they didn’t require a human to take any action in order to activate the malware on the machine.  This week’s attacks did something very similar.

We’re still working to determine how a “patient zero” machine became infected, but, once it was, if other machines hadn’t received the MS-17-010 vulnerability patch, they were infected over their network.

Instead of stealing data or damaging other machines, the malware executed a classic ransomware attack, encrypting files and demanding a ransom payment. The attack essentially combined two techniques to produce something that was highly impactful.

With WannaCry, if the configuration of machines within an organization possessed the Microsoft vulnerability (addressed by Microsoft in March), the ransomware could infect one machine and then move very rapidly to spread and impact many other machines that still had not been patched.

What we’ve typically seen with cybercrime is that when any technique is shown to be effective, there are almost always copycats. Given that this appears to have been quite an effective attack, it would be very reasonable for other attackers to look for other opportunities. One of the things that makes that difficult is you need to have a vulnerability in software that has characteristics that enable worm-like behavior.

What’s unique here is that there is a critical vulnerability that Microsoft has patched, and an active exploit that ended up in the public domain, both of which created the opportunity and the blueprint for the attacker to create this type of malicious ransomware worm capability.

Open for exploit

In the late 90s, it was common practice to leave all sorts of software running on machines even if it wasn’t used. For instance, one of the worms of that era took advantage of a vulnerability in a print server that was installed and running by default on every server, even when no printer was attached. That let the worm connect to that printer port on every server on a network, creating a propagation scenario that infected system after system.

The standard remedy since those days has been the best practice known as “least privilege,” which allows an application or service to run only the things on a machine or network that that entity needs to complete a task or function specific to its particular role. Least privilege has reduced the chances of the traditional worm scenario, but unpatched vulnerabilities mimic this “open” element available for exploit, particularly if such vulnerabilities enable things such as file transfer or sharing across systems.

It would be difficult to orchestrate attacks such as the WannaCry campaign without all three of the unpatched vulnerabilities, the publicly released exploit, and a set of proven ransomware technologies and tactics at the attacker’s disposal.

To patch or not to patch

WannaCry should remind IT of the criticality of applying patches quickly. Part of the reason IT organizations hesitate to patch, or first run an internal quality assurance process, is to ensure that there aren’t software incompatibility issues. One way I like to think about this is that whenever a patch must be applied, there is a risk to applying the patch, and a risk to not applying it. Part of what IT managers need to understand and assess is what those two risks mean to their organizations.

By delaying deployment of a patch, they can mitigate risk related to application compatibility. But by delaying a patch, they are increasing the risk of being compromised by a threat exploiting a vulnerability. IT teams need to understand, for each patch, what those levels of risk are, and then make a decision that minimizes risk for the organization.

Events such as WannaCry have the potential to shift the calculus of this analysis. One of the problems we often see in security is that the lack of an attack is sometimes interpreted as having a good defense.  Companies that have become lax in applying patches may have not experienced any attacks that take advantage of those vulnerabilities. This can reinforce the behavior that it’s okay to delay patching.

This episode should remind organizations that they really do need an aggressive patching plan in order to mitigate the vulnerabilities in their environment.

Why the hospitals?

Hospitals fall into a category I think of as “soft targets,” meaning hospitals generally focus on patient care as their top priority, as opposed to having the best cyber defenders on staff and best cyber defense technologies in place.

The reason for this is that, traditionally, there was very little incentive for cybercriminals to attack a hospital. They could potentially steal patient records or other data, but the total value of data from a hospital would typically be less than that of the bulk data stolen from other industries such as financial services.

What ransomware has done as a criminal business model is provide an incentive to attack any organization. Given that criminals are demanding a ransom, it’s far easier to exploit an organization with weaker cyber defenses than an organization with stronger cyber defenses, which is why we’ve seen hospitals, schools, municipal police departments, and universities become victims of ransomware over the last year. While we’re now starting to see the targeting of “harder” organizations as well, at least for now, there are a lot of opportunities for criminals to continue to target these soft target organizations.

What next?

Although this attack is something new, and something we need to be thoughtful about, whenever we see such a vulnerability in the wild together with a published exploit that cybercriminals could use, we should expect and be prepared for this kind of attack, and for many copycat attacks to follow soon after.
Defense Evolved: From Threat Intelligence, to Investigation, to Orchestration with DXL
Tue, 08 Nov 2016 17:20:25 +0000
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/defense-evolved-threat-intelligence-investigation-orchestration-dxl/


In my last post, I discussed the attributes of our adversaries, the drivers behind their activities, and their recent attack methodologies. I also discussed the threat defense efficacy curve, which illustrates how cyber defense capabilities decline in efficacy over time as attackers develop countermeasures to evade them.


My FOCUS 16 keynote last week also explained how we can build more effective defenses that match our adversaries’ abilities to innovate and orchestrate.

At the Head of the Curve

It really all comes down to landing new technologies at the leading edge of the threat defense efficacy curve.

That is, it’s important that we add new technologies into our environment at the point where they can live with a high level of efficacy for the longest duration of time before adversaries develop countermeasures rendering them less effective.


To do this, McAfee is delivering a pipeline of technologies that can very rapidly be integrated and deployed into enterprise environments.

Last week at FOCUS, Brian Dye and Candace Worley showcased Real Protect and Dynamic Application Control. These capabilities will integrate within platforms like McAfee Endpoint Security, where it’s not about deploying an entire new product, but simply reconfiguring and selecting new functionality that can flow into the platform with a much lower level of effort than deploying entirely new solutions.

What we’re committing to is creating a strong pipeline of capabilities that is constantly looking at how to defend against the latest threats, including working on things that will counter some of the most difficult problems that we have in the industry today.

These capabilities could address the latest ransomware strains, or the challenge of real-time polymorphic packing of executables, where it’s very difficult to use traditional signatures or hash-based approaches because every time something is packed, it’s going to be 100% unique to a target victim.

Human-Machine Teaming

Today I explained that when we move beyond the individual technologies, we need to think about how we protect our environment overall. At McAfee, we believe the strategy really needs to be around “human-machine teaming.”

If you look at the “human” and “machine” elements of cyber defense, each of them has unique properties which, put together, can deliver the best possible solution.

Machine learning is really the only way we can deal with the massive scale of data required to analyze and understand cyber events within environments. But we also need to recognize that there will always be a human adversary on the other end of an attack, always working to confuse and evade our technologies. So, it’s absolutely critical that we put our incident responders and security operations personnel into the equation, where they can bring unique strategies and intellect to think like the attackers think.

To do this, however, we need to build out a new structure for talking about cyber defense.

Moving Beyond Threat Intelligence

For years we have been talking about threat intelligence, which started as object reputation and over time has come to include additional elements such as tactics, techniques, and procedures, or specific information about campaigns.

The problem with threat intelligence is it can tell you what the threats are, but it doesn’t actually tell you how to defend against them.

We need to augment this nomenclature with other key elements, namely, investigative methods to determine what is going on in our environments. We need visibility into events, analytics to process and determine what those events mean, and assessment recalibration to go from recognizing what is happening to deciding what must be done about it.

Finally, once we identify threats operating in our environments, we need to be able to orchestrate the right responses effectively and efficiently, allowing us to both recover and update our protections.

To build technologies that link threat intelligence, investigative methods, and orchestrated response capabilities together, we need a high degree of scalability from an infrastructure perspective, and the right underpinnings in the fabric upon which these capabilities rely.

McAfee built McAfee Data Exchange Layer (DXL) with these requirements in mind, and, this week at FOCUS, we announced that we are making DXL available as an open industry protocol:

https://github.com/opendxl

From a connectivity perspective, DXL allows us to communicate about events with clients even when they are in complex network situations, and get information to or from them with ease. The protocol also favors efficiency, making sure that enterprises can move data across their networks once, and have one-to-many or many-to-one sorts of data transfers. Moreover, DXL enables a security model that allows integrity and attestation, such that data goes only where it should go.


My keynote featured an example of DXL in action.

We showed how command and control traffic could be reported to McAfee solutions by a Check Point solution, allowing McAfee defenses to quickly determine the right analysis and, later, the response.

Our demo system captured events and turned around and executed searches to determine where the event came from. Based on the “machine” results of the search, we humans then took action to address it. We could tag an impacted system and change policies if needed.

Finally, we sent a request to a Rapid7 vulnerability management solution, set a tag in an Aruba access control solution, and contained the incident within the network. All with a sophisticated 218 lines of code.


This human-machine teaming example showed how our threat intelligence, investigative methods, and orchestration framework could be implemented by organizations. Today’s announcement of the release of OpenDXL means that such a framework can be built with and even extended beyond McAfee and McAfee Security Innovation Alliance (SIA) partner solutions to include any number of other third-party solutions.

But, more importantly, it means McAfee customers can evolve however their situations require. They now have the power to design cyber defense capabilities unique to their environments, however specialized and complex they may be, whatever their functions or businesses are, and however they might be confronted on the cyber-threat landscape.

Please see the replay of my FOCUS’16 keynote for more information and insight.
Security, Time, and the Decline of Efficacy
Fri, 04 Nov 2016 21:55:21 +0000
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/security-time-decline-efficacy/


This week at the FOCUS’16 conference in Las Vegas, I shared perspectives on today’s changing threat landscape, how we must re-think cyber defense technologies, and McAfee’s vision for thwarting the cyber-threats of tomorrow.

In 2016, we saw significant cases of cyber activity from criminals, nation-states, and hacktivists. In each case, they’ve really upped their game.

We saw ransomware evolve from holding consumers’ data hostage, to going after larger “soft targets” such as hospitals. Front and center in our presidential election, we’ve seen nation-state actors become mainstream by using cyber activities to manipulate voter thought processes. Hacktivists have been effective in using cyber events and disclosures to change the way that we think about certain people, organizations, and issues.

In all of these cases, bad actors also changed their underlying arsenal of tools and techniques. In some cases, we saw them use tools we defenders use, but for malicious purposes. They’re using artificial intelligence to do a better job at spear-phishing. As we’ve seen in the current presidential election, they’re not just stealing data, but weaponizing it to cause harm.

They’re also looking at ways to take advantage of vulnerabilities among the armies of IoT devices (including connected cars) that are now beyond the physical reach and corrective capacity of their manufacturers. Some of these devices can’t be updated at all even if manufacturers wanted to. Any vulnerabilities that may exist within them could allow attackers to compromise and use them as cyber-attack vehicles for the current and future generations of hackers.


What we see in all of these cases is that there is a way to think about the problem statement of “what might be attacked.” It’s really about the incentive to the attackers, how easy it is to achieve their goal, and what the risk of discovery is.

Cybercriminals will always look to maximize profits, while minimizing the risk of prosecution. Nation-states will look to amplify their ability to change opinions, or steal intellectual property. They will weigh this against the risk of being identified through strong attribution, and the prospect of retaliatory steps taken in either the cyber or kinetic domains.

In all of these cases, it’s really about understanding how we defend against the next generation of attacks, and, in many ways, it requires thinking about our cyber defense technologies and their efficacy over time.

Cyber Defense Efficacy

One of the ways to do this is to think about security technologies from a time perspective, in contrast to typical IT technologies.

In most IT technologies, there is an inherent benefit to being a late adopter. Whether a database, architecture, or network technology, most technologies get better over time, meaning there are advantages to waiting for early adopters to implement and work the bugs out.

The problem is that cyber defense technologies are typically most effective right after invention. The reason for this is that a security defense capability will initially focus on solving a problem for a very well-understood issue or set of threats. During the initial deployment phase, there isn’t enough volume for adversaries to build countermeasures or evasion tactics.

But once it becomes part of a widely deployed defense, we see that new techniques by the attackers work to directly influence and reduce the effectiveness of the technology. Its effectiveness inevitably declines.

[Figure: Threat Defense Efficacy Curve]

We’ve seen this time and time again:

  1. Bayesian spam filters worked well until there was enough deployment to force the cybercriminals to use HTML formatting tricks and other techniques to bypass them.
  2. When we implemented the use of hashes to very quickly convict files without waiting for signature detection, adversaries were driven to build countermeasures such as creating polymorphic downloads to make each malware sample unique.
  3. Sandboxing helped us find never-before-seen malware, but very quickly we began to see sandbox-aware malware that added evasion tactics to determine whether it was operating within a sandbox or on a victim’s machine.

We need to recognize that this cycle is going to remain true for every technology, even some of the most powerful technologies at our disposal today. So, as we walk around the floor at RSA and Black Hat, and hear about the promise of big data, machine learning, and artificial intelligence, we need to think forward to what the next generation of countermeasures could be.


That’s one of the key things we’re focused on at McAfee: as we build out new technologies, we work out how adversaries will attack them, so that we can make them inherently more resilient.

In my next blog post, I will share how we can use the curve to develop better defensive strategies, and how McAfee is delivering the solutions to enable partners to improve their defenses and amplify outcomes.

The post Security, Time, and the Decline of Efficacy appeared first on McAfee Blogs.

The Cybersecurity Talent Deficit Goes Global https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/cybersecurity-talent-deficit-goes-global/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/cybersecurity-talent-deficit-goes-global/#comments Thu, 28 Jul 2016 12:00:34 +0000 https://blogs.mcafee.com/?p=51522 I’m privileged to lead a group of McAfee leaders to the annual Aspen Security Forum this week. This event is among the most prestigious gatherings of its kind. Dozens of government leaders, tier one journalists, and private-sector companies like ours connect in Aspen each July to discuss the most pressing national security issues facing the […]

The post The Cybersecurity Talent Deficit Goes Global appeared first on McAfee Blogs.

I’m privileged to lead a group of McAfee leaders to the annual Aspen Security Forum this week. This event is among the most prestigious gatherings of its kind. Dozens of government leaders, tier one journalists, and private-sector companies like ours connect in Aspen each July to discuss the most pressing national security issues facing the United States. The candid, diverse and direct discussions cover a broad array of topics of concern to our industry and yield helpful insights both to our team and the officials we meet.

I’ll be participating on a panel discussing the role of cybersecurity in our national security apparatus. CNN Justice Correspondent Evan Perez will moderate the discussion, and I’ll be joined on the panel by Assistant Attorney General for National Security John Carlin, Michael Daly of Raytheon, and Vinny Sica of Lockheed Martin.

While there are many issues of concern, I look forward to discussing the global cybersecurity talent deficit, and the potential national security ramifications of failing to address it.

The Looming Cyber Workforce Shortage

Not everyone may be willing to define thousands of unfilled tech jobs as a national security crisis, but we are. This week, the Center for Strategic and International Studies (CSIS) released a report supporting our assertion. It surveyed public and private IT decision makers on the quantity and quality of cybersecurity professionals in Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom, and the United States.

The study reveals a global cybersecurity skills shortage, and it is allowing malicious actors to inflict real, quantitative damage to public and private interests alike.

Eighty-two percent of all survey respondents report a shortage of cybersecurity skills. Seventy-one percent say the talent deficit has hurt their organization. One in four blame it directly for data loss and reputational damage.

Whose problem is this? Public and private entities, including institutions of higher education, share blame for not doing enough to sync the supply of cybersecurity skills with soaring demand. In our survey, three out of four respondents criticized their governments for inadequate cultivation of cyber talent.

These decision makers fault colleges and universities for failing to develop and market attractive cybersecurity coursework. They view the standard four-year college degree as insufficient, and praise the value of hands-on experience, including gaming and hacking exercises.

A National Security Crisis?

Countries lacking the human beings to adequately protect their most vital data, national secrets, financial markets, and ground-breaking intellectual property are unlikely to be economically competitive with those nations who can. But, beyond the economic implications of the shortage, consider the billions of connected devices coming online throughout the critical infrastructure that increasingly run our world.

From train systems, to water utilities, to smart power grids, to first responder communications, as the Internet of Things becomes ubiquitous, digital attacks now threaten physical damage. If we do not address the shortage of cybersecurity professionals soon, nations could find themselves unable to maintain adequate cybersecurity postures to protect and defend their critical infrastructure.

Automation and Unpredictables

The survey reveals across-the-board confidence that automation technology solutions will prove up to the task of mitigating ongoing cybersecurity threats. It’s true that the next phase of the cybersecurity era will redefine the symbiotic relationship between automated solutions and their human managers, analysts, and decision makers. The incoming cybersecurity workforce will adapt to increasingly automated environments, from “human in the loop” to “human on the loop” processes.

Security Leaders

Moving Forward with Solutions 

This week in the Rockies, we expect to hear sober talk from America’s best and brightest about encryption, ISIL threats, spyware, foreign espionage, extremist propaganda, and more. All well and good. Having enough smart, discerning professionals on deck to manage these issues, however, is just as pressing a concern. It should, in fact, be near the top of the list.

The CSIS survey delivers a clear call for more public investment in cyber education by higher education institutions – and more ongoing learning programs for private sector workers. While the private cybersecurity industry continues to innovate, our expertise shortage is an essential national security challenge that cannot be solved in the private sector alone.

Just as we have in past conflicts, government and private industry must collaborate, set priorities together, recruit talent, and seriously invest in skills development to address the cybersecurity workforce shortage facing our nation.

For more, watch the ‘Cyber’s Role in America’s Security Arsenal’ panel with John Carlin, Assistant Attorney General for National Security; Evan Perez, Justice Correspondent, CNN; Vinny Sica, Vice President, Defense and Intelligence Space Ground Solutions, Lockheed Martin; Michael Daly, Chief Technology Officer, Cybersecurity and Special Missions, Raytheon; and myself.

The Machines Are Coming! The Machines Are Coming! https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/the-machines-are-coming/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/the-machines-are-coming/#comments Mon, 21 Mar 2016 16:57:05 +0000 https://blogs.mcafee.com/?p=48582 A revolution in human-machine teaming for security operations is at hand. Cybersecurity has two great resources that work well together — experienced security ops personnel and learning machines. Machines can work at the speed of electrons and process enormous quantities of data, but they are challenged when dealing with unforeseen scenarios. Human judgment and experience […]

The post The Machines Are Coming! The Machines Are Coming! appeared first on McAfee Blogs.

A revolution in human-machine teaming for security operations is at hand.

Cybersecurity has two great resources that work well together — experienced security ops personnel and learning machines. Machines can work at the speed of electrons and process enormous quantities of data, but they are challenged when dealing with unforeseen scenarios. Human judgment and experience cannot be replicated by machines, but humans struggle to find patterns in massive data sets and they operate in minutes, not microseconds. For us to be truly effective as an industry, we need to deliver solutions that combine human and machine working together to fend off cyberattacks that can multiply and adapt in microseconds.

We are facing a significant labor market shortage in cybersecurity, both in numbers and experience. At the same time, there are traditional fears about automation and machine intelligence. One is that people will be replaced by machines, and another is that the machines will create enormous messes by compounding poor decisions. In this case, we are talking about using the machines to amplify the effectiveness of security operations and incident-response teams. Technology is not replacing people, but in the spirit of the best teams, each is working to its strengths.

One example of this is computers and chess players. In 1997, an IBM supercomputer beat a human chess grandmaster for the first time. Chess has a large quantity of data and a lot of patterns, which plays well into the strengths of the machines. However, in 2005 a couple of amateur chess players augmented with three PCs beat a whole range of supercomputers and grandmasters. The human/machine team was better than either alone.

In cybersecurity, we are gathering vast amounts of data, and there is an assumption that with increased visibility, enough data, and the right algorithms we will be able to predict threats. However, cyberattacks are not deterministic, as they contain at the core a human who can be innovative or random in his approach, and visibility does not give you insight into your adversary. Algorithms and analytics on their own cannot comprehend the strategic nature of the adversarial game that is being played against the cybersecurity bad actors.

So technology will not be replacing security professionals anytime soon, but it does bring tremendous advantages to the defense. Shared threat intelligence helps prevent attacks from being used over and over again, or from propagating rapidly throughout your network. You need a learning machine to detect and contain attacks at the speed of light, while humans work to mitigate the problem and develop long-term solutions.

With the increasing number of targeted attacks that are executed only once, threat intelligence might not help. The same is true of zero-day exploits or new attack types. The machines won’t have rules to deal with this, but they can help filter the alerts and correlate actions to raise the alarm to their human colleagues sooner than a human acting alone.
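The filtering and correlation described above, as an added illustration that is not part of the original post and not McAfee code: several individually low-severity alerts from different sensors on the same host are combined into one escalation for the analyst, while a lone alert on another host stays below the threshold. The alert lines, the host names and the three sensor sources (av, proc, net) are constructed for the example; the five-minute window and three-source threshold are assumed policy values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Each line: timestamp host source message.
# Every alert is individually low-severity; only their combination on one host is interesting.
SAMPLE_ALERTS = """\
2016-03-21T10:00:01 ws-17 av   suspicious macro in invoice.docm (low)
2016-03-21T10:00:09 ws-17 proc powershell.exe spawned by WINWORD.EXE (low)
2016-03-21T10:00:40 ws-17 net  outbound connection to never-seen domain (low)
2016-03-21T10:05:00 ws-22 net  outbound connection to never-seen domain (low)
2016-03-21T11:30:00 ws-17 av   adware detected (low)
"""

ALERT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines are skipped rather than crashing triage."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts, host, source, msg = m.groups()
        alerts.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "source": source, "msg": msg})
    return alerts


def correlate(alerts, window=timedelta(minutes=5), min_sources=3):
    """Escalate a host when alerts from >= min_sources distinct sensors land within `window`.

    Returns one escalation per host (the earliest qualifying cluster) so the analyst
    sees a single ticket with its supporting alerts instead of every alert on its own.
    """
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)

    escalations = []
    for host, host_alerts in by_host.items():
        for i, first in enumerate(host_alerts):
            cluster = [a for a in host_alerts[i:] if a["ts"] - first["ts"] <= window]
            sources = {a["source"] for a in cluster}
            if len(sources) >= min_sources:
                escalations.append({"host": host, "start": first["ts"],
                                    "sources": sorted(sources),
                                    "evidence": [a["msg"] for a in cluster]})
                break
    return escalations


def triage(text):
    """Convenience wrapper: raw alert text in, escalations out."""
    return correlate(parse_alerts(text))


if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e['host']} @ {e['start']}: {', '.join(e['sources'])}")
        for msg in e["evidence"]:
            print("   -", msg)
```

The machine applies no rule that says "macro plus PowerShell plus new domain is an intrusion"; it only notices that three unrelated sensors fired on ws-17 within minutes, which is the kind of pattern a human reviewing a long alert queue would reach later, if at all. The 11:30 adware alert on the same host falls outside the window and is left for routine handling.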

The machine revolution is coming, but not the way Hollywood movies portray it. Machines are coming to be the best teammate you could ask for.

View the original post on Dark Reading.

Validating Supply Chain Cybersecurity https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/validating-supply-chain-cybersecurity/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/validating-supply-chain-cybersecurity/#respond Tue, 22 Dec 2015 15:00:21 +0000 https://blogs.mcafee.com/?p=46754 How to identify risks, understand downstream effects, and prepare for incidents. You’ve got your organization protected as best you can, but what about your supply chain? Like any type of chain, the security in your supply chain is only as good as the weakest link. Can malicious software find its way into your company or […]

The post Validating Supply Chain Cybersecurity appeared first on McAfee Blogs.

How to identify risks, understand downstream effects, and prepare for incidents.

You’ve got your organization protected as best you can, but what about your supply chain? Like any type of chain, the security in your supply chain is only as good as the weakest link. Can malicious software find its way into your company or your products through your supply chain? Can a weak downstream link lead to an opportunity for exploits that take advantage of your intellectual property? Or can disruption of one link disrupt your profitability?

Almost every business is dependent on far-reaching supply chains, and we have already seen some serious cyber incidents from security lapses. Historically, supply chain professionals focused on protecting links through supplier qualification, insurance, and physical security, protecting against risks ranging from theft to delayed deliveries. While those practices remain essential, today’s supply chain professional must add a focus on information security to their defensive strategy. New efforts must focus on protecting intellectual property, defending against hacktivism and espionage, detecting embedded malware, and ensuring continuity of operations.

Managing security risk in your supply chain is new, but you have probably already been through a similar process with quality. First, you identify and classify each of your suppliers with regard to what they do now and the critical aspects of their contractual obligations. Then you define a clear baseline of security and privacy requirements for the group. Standards such as ISO/IEC 27036 (information security for supplier relationships) can provide a solid baseline.

With a baseline established, the next step is regular validation of security and privacy controls. Validation can be challenging, full of competing acronyms, contractual issues, and resource constraints. Doing this for every supplier in your chain is unrealistic for most companies, so it is important to prioritize. And fortunately there are standards and processes emerging for various industries that range from self-assessment to third-party certification.

One example is the Cloud Security Alliance’s Security, Trust, and Assurance Registry (STAR) for various cloud computing offerings. STAR is a straightforward three-level certification, accompanied by a publicly accessible registry. STAR provides important information about product certifications, including the date, country, term, and level of certification. Decisions can be based on a simple cost and risk comparison, or on more thorough analysis of the strengths and weaknesses of current or potential suppliers. Analogous to ratings systems in other industries such as banking or tourism, STAR requires little technical training to understand the difference between level 1, 2, and 3 certifications.

These certifications are also valuable to your supplier. Suppliers can readily compare themselves to their competitors and build a strategic perspective of their own organization’s risks and opportunities.

From your customers’ perspective, your company includes the extended network of people, processes, and partners involved in delivering products and services. You cannot “go it alone” or dismiss these issues as limited to supply chain experts.

Validating the supply chain, whether it is for product quality or information security, is now an essential part of your success. You need to identify risks, to understand the potential downstream effects of a security breach or cyberattack, and to prepare response plans so that you can respond quickly to an incident. The alternative could be a serious loss of reputation, customers, and profits.

Hardware.Next: Diving deeper into the stack—understanding the dangers of hardware and firmware vulnerabilities https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/hardware-next-hardware-firmware-vulnerabilities-provide-tools-attackers-defenders/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/hardware-next-hardware-firmware-vulnerabilities-provide-tools-attackers-defenders/#respond Tue, 03 Nov 2015 01:19:33 +0000 https://blogs.mcafee.com/?p=45974 The security industry has, for years, been developing technologies to secure our applications and operating systems. 2015 was the year, however, I feel hardware vulnerabilities truly became real. We saw multiple instances of attackers using hardware, firmware, and BIOS as an element of their attack, from Rowhammer exploiting DRAM to the Equation Group showcasing vulnerabilities […]

The post Hardware.Next: Diving deeper into the stack—understanding the dangers of hardware and firmware vulnerabilities appeared first on McAfee Blogs.

The security industry has, for years, been developing technologies to secure our applications and operating systems. 2015 was the year, however, I feel hardware vulnerabilities truly became real. We saw multiple instances of attackers using hardware, firmware, and BIOS as an element of their attack, from Rowhammer exploiting DRAM to the Equation Group showcasing vulnerabilities in HDDs/SSDs. Despite our extraordinary efforts, attackers can effectively render what we do at the upper layers of the stack moot if the underlying hardware or firmware is vulnerable. Significant value lies below, if the adversaries have the patience and the intelligence to exploit it. As attackers move deeper into the compute stack, they are discovering significant benefits, including denying access to a machine permanently, surviving even a complete reimaging, and escalating into higher privilege levels. This has triggered serious discussions about hardware and firmware security.


The good news is that operating systems do continue to improve their compute security. For example, Windows 10 delivers tremendous new capabilities, offering much better protection for operating system secrets even if there is an admin or kernel level compromise, keeping secrets in a separate partition. Microsoft has also integrated regular updates to BIOS and other firmware via Windows Update to keep them current. However, vulnerable firmware could undermine these new capabilities, allowing attackers to work their way up the stack and into the entire physical platform, regardless of logical partitions, if system vendors are not careful. McAfee continues to partner with Microsoft and the PC ecosystem to address BIOS vulnerabilities, but many persist on deployed platforms if systems go unpatched.


With these new threats, we need to expand our view of what needs to be secured beyond the operating systems and applications. Customers need tools with visibility into the lower levels of the platform so they can detect and correct vulnerable systems before they are compromised. For example, endpoint detection and response (EDR) tools could leverage capabilities such as McAfee’s low-level CHIPSEC analysis toolkit to find machines that are vulnerable and take faster, more effective action against attacks in progress. CHIPSEC can scan for a BIOS that isn’t write-protected, System Management Mode RAM (SMRAM) that is unlocked, and Secure Boot keys with insufficient access control. Feeding this information to EDR solutions could give incident response teams a clearer picture of low-level system vulnerabilities, along with immediate response options if or when any of those vulnerabilities are detected in the future. Potential reactions include killing a malicious process or quarantining a vulnerable machine until it can be updated. Customers can personalize their own solutions, leveraging McAfee’s customer-ready Software Development Kit (SDK), to add their own customized collectors, reactions, and workflows, using native OS commands and familiar languages such as Python, to hunt for and remediate vulnerabilities in their ecosystems.
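How the CHIPSEC-to-EDR flow described above might look as a collector, as an added example that is not McAfee’s SDK code nor part of CHIPSEC: the collector parses the pass/fail summary CHIPSEC prints at the end of a run, maps the failed modules to the three weaknesses the post names (unprotected BIOS region, unlocked SMRAM, weak Secure Boot key access control), and produces findings with a host-level response decision. The summary text is constructed to approximate CHIPSEC’s summary format rather than captured from a real machine, the module names follow CHIPSEC’s common modules as I know them, and the severities and response actions are this example’s assumed policy, not anything CHIPSEC or an EDR product prescribes.

```python
import re

# Constructed sample, approximating the summary block CHIPSEC prints at the end of a run.
# It is not captured from a real machine; the module names follow CHIPSEC's common modules.
SAMPLE_CHIPSEC_SUMMARY = """\
[CHIPSEC] ***************************  SUMMARY  ***************************
[CHIPSEC] Modules total         3
[CHIPSEC] Modules passed        1:
[+] PASSED: chipsec.modules.common.bios_wp
[CHIPSEC] Modules failed        2:
[-] FAILED: chipsec.modules.common.smm
[-] FAILED: chipsec.modules.common.secureboot.keys
[CHIPSEC] Modules with warnings 0:
"""

# Policy table for this example (assumed, not CHIPSEC's or any EDR product's): which
# failed module corresponds to which weakness, how severe it is, and what the
# responder may do about it.
FINDING_POLICY = {
    "chipsec.modules.common.bios_wp": (
        "BIOS region is not write-protected", "high", "quarantine until firmware is updated"),
    "chipsec.modules.common.smm": (
        "System Management Mode RAM is unlocked", "high", "quarantine until firmware is updated"),
    "chipsec.modules.common.secureboot.keys": (
        "Secure Boot keys have insufficient access control", "medium", "schedule firmware review"),
}

# Result lines look like "[+] PASSED: <module>" or "[-] FAILED: <module>".
RESULT_RE = re.compile(r"^\[[+\-!*]\] (PASSED|FAILED|WARNING|ERROR): (\S+)")


def parse_summary(text):
    """Return {module_name: status} from CHIPSEC-style summary text."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results[m.group(2)] = m.group(1)
    return results


def to_edr_findings(hostname, results):
    """Turn FAILED modules into EDR-style findings the IR team can act on."""
    findings = []
    for module, status in results.items():
        if status != "FAILED":
            continue
        title, severity, action = FINDING_POLICY.get(
            module, (f"CHIPSEC check failed: {module}", "low", "review manually"))
        findings.append({"host": hostname, "module": module, "title": title,
                         "severity": severity, "action": action})
    return findings


def host_response(findings):
    """Collapse findings into one host-level decision: quarantine, review, or none."""
    if any(f["severity"] == "high" for f in findings):
        return "quarantine"
    return "review" if findings else "none"


if __name__ == "__main__":
    results = parse_summary(SAMPLE_CHIPSEC_SUMMARY)
    findings = to_edr_findings("lab-host-01", results)
    for f in findings:
        print(f"[{f['severity']}] {f['host']}: {f['title']} -> {f['action']}")
    print("host response:", host_response(findings))
```

Modules that fail but are not in the policy table still surface as low-severity findings rather than being dropped, so a new CHIPSEC check is never silently ignored; the quarantine decision is driven only by the checks the responders have explicitly rated.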


The good news is that attackers are not the only ones who can take advantage of hardware and firmware. Hardware and firmware also give us new capabilities that are not possible with software alone. For example, McAfee has added support for Software Guard Extensions to DXL 2.0 to protect signing keys, so that we have a high level of confidence that DXL data was sent by the machine we thought it was. This mitigates attack vectors that spoof or simulate DXL messages, increasing the integrity of the exchange layer. Protecting hardware and firmware, detecting low-level attacks, and correcting incidents before they become compromises are examples of how McAfee is empowering responders with the adaptive capabilities they need to address the threats of tomorrow.
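The integrity property described above, as an added example that is not DXL’s implementation nor McAfee code: each message carries an authentication tag computed under the sending machine’s key, and the receiver accepts a message only if the tag verifies under the key registered for the claimed sender, so tampered payloads, messages re-labelled with another machine’s name, and messages from unregistered nodes are all rejected. The machine names, keys and event payloads are constructed; the example uses HMAC-SHA256 from the standard library in place of enclave-backed signing, and the plain dictionary of keys stands in for the protected key store the post attributes to SGX.

```python
import hashlib
import hmac
import json

# Constructed per-machine keys (fixed hex so the example is reproducible). In the design
# the post describes, the signing material stays inside an SGX enclave; this dict stands
# in for that protected store and is an assumption of the example, not DXL's code.
MACHINE_KEYS = {
    "epo-sensor-01": bytes.fromhex("1f" * 32),
    "epo-sensor-02": bytes.fromhex("2e" * 32),
}


def _canonical(sender, payload):
    # The sender id is bound into the authenticated bytes, so a valid message cannot be
    # re-labelled as coming from a different machine without the tag failing.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{sender}\n{body}".encode()


def sign_message(sender, payload, key=None):
    """Build a message envelope whose tag is an HMAC-SHA256 under `sender`'s key."""
    key = MACHINE_KEYS[sender] if key is None else key
    tag = hmac.new(key, _canonical(sender, payload), hashlib.sha256).hexdigest()
    return {"sender": sender, "payload": payload, "tag": tag}


def verify_message(msg):
    """Accept only if the tag verifies under the key registered for the claimed sender."""
    key = MACHINE_KEYS.get(msg.get("sender"))
    if key is None:
        return False  # unregistered node: nothing to verify against
    expected = hmac.new(key, _canonical(msg["sender"], msg["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("tag", ""))


def demo():
    """Exercise the four cases a receiver must distinguish; returns {case: accepted?}."""
    genuine = sign_message("epo-sensor-01", {"event": "threat_detected", "host": "ws-17"})
    # Payload altered in transit; tag no longer matches.
    tampered = dict(genuine, payload={"event": "all_clear", "host": "ws-17"})
    # Spoof: claims to be sensor-01 but was produced with sensor-02's key.
    spoofed = sign_message("epo-sensor-01", {"event": "all_clear"},
                           key=MACHINE_KEYS["epo-sensor-02"])
    # Message from a node the receiver has no key for.
    unknown = sign_message("rogue-node", {"event": "all_clear"}, key=b"\x00" * 32)
    return {"genuine": verify_message(genuine), "tampered": verify_message(tampered),
            "spoofed": verify_message(spoofed), "unknown": verify_message(unknown)}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:9s} -> {'accepted' if accepted else 'rejected'}")
```

With a symmetric tag the receiver must also hold every sender’s key, which is why hardware-backed asymmetric signing, where only public keys leave the enclave, is the stronger design; the rejection logic on the receiving side is the same either way.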
