February 28, 2017
A Look Back at RSA Conference 2017
RSA concluded its 26th annual conference in San Francisco on February 17, 2017. More than 43,000 people participated in the whirlwind of keynotes, sessions, and parties. Crowded expo halls featured more than 550 exhibitors vying for the attention of attendees looking to hear the latest strategies for fighting cyber attacks.
"This year's RSA Conference challenged a big industry audience to think small. Small are the attack surfaces of security cameras, home routers, and mobile devices increasingly populating our office and home work environments. Small are the diverse data transactions that require innumerable protective measures. Big are the shifts in thinking that require us to think of ourselves as small players inside a vast ecosystem of solution providers. Thinking small is the first step in working together more effectively, and having a big impact with better outcomes."
— Chris Young, General Manager and SVP, Intel Security
The Target Has Become the Weapon
Not surprisingly, there was a lot of talk about IoT security. James Lyne, Global Head of Security Research at Sophos, warned attendees to be aware that many IoT devices use cryptography that is 10 to 15 years old, if they are built with security in mind at all.
During an opening keynote, Chris Young focused on the Mirai botnet. He advised the audience not to think of it in the past tense, and posed the question, “Given the amount of infected devices out there, what's the risk that a new device can be co-opted into a Mirai botnet?” He then explained that to find out, Intel Security CTO Steve Grobman’s team had bought a DVR to use as a honeypot, and connected it to the internet. Just over one minute later, Young said, the device was compromised. “Today, the target has now become the weapon,” he said. “The game has changed on us yet again.”
Raj Samani, CTO for Europe, the Middle East and Africa for Intel Security, noted that DNS provider Dyn lost nearly 15,000 customers after suffering a massive DDoS attack backed by a Mirai IoT botnet. "That is frightening," Samani said. "You can still be unfairly impacted just because other people didn't do the right thing."
The Scourge of Ransomware
The impact that ransomware continues to have on all sectors made it another area of focus. The conference featured an all-day ransomware seminar, during which ransomware’s “multifaceted implications across technical, policy, compliance and financial response” were highlighted.
Charles Carmakal, Vice President at Mandiant, discussed lessons learned from disruptive breaches investigated by Mandiant. He advised that to better block attackers and ransomware, enterprises need to ensure that their backup environments are as segmented from the corporate network as possible.
"Most of the time, when a threat actor has full control over an Active Directory environment, it's trivial for him to gain access to the backup environment and destroy the data. Of course, organizations need some level of connectivity between production systems and backup environments in order for the backup process to work. It's best for organizations to lock down administrative access to the backup servers by requiring jump boxes, multi-factor authentication, [and so on]."
— Charles Carmakal, Vice President at Mandiant
In another session, James Lyne deconstructed “funny ransomware wins and fails”. He demonstrated ransomware samples built using a malware-building tool available via a dark web .onion site (.onion is a domain suffix indicating an anonymous hidden service) that offers buyers multiple ransomware-building modes, ranging from basic to "paranoid." One of the samples reviewed was the horror-themed “Jigsaw”, pictured below. Jigsaw deletes files on its victim’s computer once an hour, leaving the victim to stare at a sweat-inducing countdown and an image of the Jigsaw killer from the movie “Saw”. The longer the ransom remains unpaid, the greater the number of files that will be deleted. Worst of all, if the ransomware is restarted — through the victim rebooting or otherwise terminating the process — Jigsaw will then delete one thousand files. Luckily, researchers have found a way to decrypt this Saw-themed menace for free.
When Jigsaw threatens to delete your files, it’s not joking.
A Question of Retaliation
The idea of hacking back was also discussed. The question, “Is hacking back ever justified?” was posed to the Cryptographers' Panel, whose members included (among others) dual-key cryptography pioneer Whitfield Diffie and Israeli cryptographer Adi Shamir, the "S" in the RSA asymmetric cryptographic algorithm.
"If you talk about private sector attacks, I'm completely against hacking back in revenge. If you talk about governments, I would completely flip it ... not to hack back, but my government should hack before, in order to learn about the tools and plans of other governments."
— Adi Shamir, Co-Inventor of the RSA Algorithm
Show Floor Observations
Some of Forsythe Security's key observations from the show floor centered on runtime application self-protection, deception, security scoring and threat hunting.
We noticed several runtime application self-protection (RASP) web application security vendors at the conference. RASP operates while an application is executing (at runtime): the program monitors itself to detect malicious input and behavior. If you are not familiar with RASP, the following Signal Sciences video on YouTube can help to explain: “Web Application Security - NGWAF, RASP, WAF What The Hell's The Difference”.
Members of our team also noted a strong presence of deception solution vendors, including Illusive Networks, TrapX, Attivo, TopSpin and Thinkst. Illusive, Attivo and TopSpin announced new products at the conference, and interest in this space is expanding rapidly among large companies in a variety of industries. This seems to indicate an acknowledgment among enterprise security teams of the importance of enhancing detection capabilities, and a growing understanding of how deception can be beneficial to security programs.
Another topic of discussion was security scoring, including the tools offered by BitSight Technologies and SecurityScorecard. They use predictive analytics and security risk assessment tools to issue FICO-like scores (or, in the case of SecurityScorecard, grades ranging from A to F) to help predict an organization’s likelihood of a breach. Security scores are used in a variety of ways: cyber insurance underwriters use them to evaluate a company’s potential risk; companies leverage them for visibility into the security posture of third-party vendors and partners; and security executives use them to explain security risks to their board of directors in an easy-to-understand way. The market for these tools is so new that research firms haven’t yet paid much attention to them, but BitSight reported a 60 percent increase in customers in the first half of 2016. Interest is definitely growing.
A final observation from the show floor was the pervasive theme of threat hunting. It was so prevalent that one researcher joked, “With all the threat hunting going on at these vendor booths I can't believe there are any threats left to find.” There seems to be a lot of confusion around what threat hunting really is, and isn’t. Essentially, threat hunting combines threat intelligence, analytics, and security tools with human skills to look for attacks (and attacker activity) that get past security systems. Threat hunting is people-centric; the tools are enablers for the security experts, helping them to quickly navigate threats. The central goal is to catch intrusions in progress, rather than after attackers have completed their objectives.
Most Innovative Startup
RSA named UnifyID “RSAC Most Innovative Startup 2017.” A panel of venture capitalists, entrepreneurs and large security companies selected the identity management provider — which aims to “change the way you authenticate yourself” by eliminating the need for passwords — from a group of 10 finalists. Whether or not passwords will be replaced by machine learning, behavioral biometrics and continuous authentication anytime soon remains to be seen. The following video featuring founders John Whaley and Kurt Somerville explains their approach: UnifyID pitch video.
New Product Announcements
Numerous new security products were announced at the conference. Here are some highlights:
- IBM Watson for Cyber Security: By integrating Watson with its X-Force Command Centers, rolling out a new voice-powered assistant code-named Havyn to respond to security analyst commands, and making available a new app on the IBM Security Exchange — IBM QRadar Advisor with Watson — IBM has built a new Cognitive SOC platform. IBM also announced a new EDR solution called IBM BigFix Detect to bring these capabilities down to the endpoint, and an integration of IBM Resilient's Incident Response Platform (IRP) with Watson for orchestration and automation. IBM also announced an expanded partnership with Qualys, bringing together Qualys' IT security solutions with IBM's managed security services portfolio.
- Symantec Cloud Security Platform: Symantec announced new additions to its Symantec Cloud Security Platform that bring together the Symantec and Blue Coat Systems portfolios. Symantec announced the integration of its DLP offering with its cloud-delivered Web Security Service, bringing DLP across the web, email, and the cloud. Symantec also announced a new Malware Analysis Advanced Service and new Universal Policy for Web Security Service.
- CrowdStrike Falcon: CrowdStrike announced machine learning and advanced endpoint protection enhancements to its Falcon offering. Five new modules for Falcon EDR were introduced, including CrowdStrike Falcon Protect for behavioral analytics-based antivirus replacement, CrowdStrike Falcon Insight for EDR, CrowdStrike Falcon Discover for application usage and privileged user account monitoring, CrowdStrike Falcon Intelligence for analytics and threat intelligence, and CrowdStrike Falcon OverWatch for managed threat hunting.
- Gigamon GigaSECURE: Gigamon enhanced its GigaSECURE SSL/TLS Decryption solution with additional visibility capabilities. Specifically, the company announced support for both inline and out-of-band decryption, with supported ciphers now including Diffie-Hellman (DH), Diffie-Hellman Ephemeral (DHE), Perfect Forward Secrecy (PFS) and Elliptic Curve. Additionally, Gigamon announced AWS functionality.
- Imperva SecureSphere File Firewall v12: SecureSphere File Firewall v12 with real-time deception technology is designed to detect ransomware and prevent it from encrypting enterprise data. It adds decoy files to network file shares, luring hackers to strike there first so they can be neutralized before encrypting critical data.
- Illusive Deception Management System (DMS): Illusive Networks launched this platform, which uses machine learning and deception technology to detect attacks. The solution automatically and autonomously places deception decoys in the network, and then adapts as necessary based on real-time monitoring.
- SecurityScorecard: SecurityScorecard announced the launch of the public beta of Malware Grader. The free solution allows companies to continuously monitor their infrastructure for malware, providing alerts on events and an A to F grade on the ability to prevent, detect and remediate malware events. The tool also provides weekly summaries. It builds on the SecurityScorecard platform, which provides security ratings and continuous risk monitoring.
- Centrify Analytics Service: This service uses machine learning to assess risk based on user behavior. It then assigns a risk score, and determines whether to grant access, require step-up authentication, or block access.
No Silver Bullet
Our key takeaway from RSA is generally the same each year: despite what you may have been told at some of the booths, there is no magic silver bullet that can fix your security problems. It is important to remember one of the “sacred cows” of IT security that hasn't been tipped: the importance of defense-in-depth. Looking past all of the RSA Conference buzzwords, brand messaging and hype, however, there were valuable trends and forward-thinking IT security technology on display.