HPE Enterprise.nxt: Six security megatrends from the Verizon DBIR

Verizon’s 2019 Data Breach Investigations Report (DBIR) is probably this year’s second-most anticipated report after the one from Robert Mueller. In its 12th edition, it contains details on more than 2,000 confirmed data breaches in 2018, taken from more than 70 different reporting sources and analyzing more than 40,000 separate security incidents.

What sets the DBIR apart is that it combines breach data from multiple sources using the common industry collection called VERIS – a third-party repository where threat data is uploaded and made anonymous. This gives it a solid authoritative voice, and is one reason why it’s frequently quoted.

I describe six megatrends from the report, including:

  1. The C-suite has become the weakest link in enterprise security.
  2. The rise of the nation state actors.
  3. Careless cloud users continue to thwart even the best laid security plans.
  4. Whether insider or outsider threats are more important.
  5. The rate of ransomware attacks isn’t clear. 
  6. Hackers are still living inside our networks for a lot longer than we’d like.

I’ve broken these trends into two distinct groups — the first three are where there is general agreement between the DBIR and other sources, and the last three are where this agreement isn’t as apparent. Read the report to determine what applies to your specific situation. In the meantime, here is my analysis for HPE’s Enterprise.nxt blog.

RSA blog: Managing the security transition to the truly distributed enterprise

As your workforce spreads across the planet, you must now support a completely new collection of networks, apps and endpoints. We all know this increased attack surface is more difficult to manage. Part of the challenge is having to create new standards and policies to protect your enterprise and reduce risk as you make the transformation to become a more distributed company. In this blog post for RSA, I examine some of the things to look out for. My thesis is that you’ll want to match the risks with the approaches, so that you focus on the optimal security improvements to make the transition to a distributed staffing model.

AI is both a boon and a bane for IT security

Next week I am giving a speech at the Inside AI/LIVE event in San Francisco. I have been working for Inside.com for nearly three years, producing a daily email newsletter on infosec topics. The speech will cover the current trends in how AI is both the bane and the boon of IT security. In my talk, I will point to some of the innovators in this space that I have found in my travels. I thought I would touch on what I will be talking about here.

Usually, when we first hear about AI, we tend to go towards what I call the “Skynet scenario.” For those of you who haven’t seen any of the Terminator movies, this is that point in the future where the machines take over and kill all of the humans, and we are left with Arnold-as-robot and Kyle Reese to save us all from extinction. That isn’t a great place to start thinking about the relationship between AI and security to be sure.

Certainly, we have heard many of the more recent notable AI fails, such as the gender bias of the AI-based HR recruiting tool from Amazon, the self-driving Uber car that killed a pedestrian, and the time Google Photos confused a skier with a mountain peak. But we need to get beyond these scenarios.

Perhaps a better place to start is to understand the workflow of machine learning (ML). Here we see that AI isn’t all that well suited to infosec. Why? Because the typical ML process tries to collect data, build an algorithm to model something that we think we know, and then use the model to predict some outcomes. That might work well for certain situations, but the infosec world is far too chaotic and too reliant on human interpretation of the data to work well with AI techniques.

On top of this, the world of malware is undergoing a major transformation these days. Hackers are moving from being mere nuisances like script kiddies to professional criminals who are interested in making money from their exploits. Malware is getting more complex and the hackers are getting better at hiding their craft so that they can live longer inside our corporate networks and do more targeted damage. Adversaries are moving away from “spray and pray,” where they just blanket the globe with malware, and towards “target and stay,” where they are more selective and parsimonious with their attacks. This is also a way for them to hide from detection.

One issue for using AI techniques is that malware attribution is hard, something that I wrote about in a blog post for IBM’s Security Intelligence last year. For example, the infamous WannaCry ransomware was eventually attributed to the North Koreans, although at first it seemed to come from Chinese agents. It took a lot of research to figure this out, and one tell was the metadata in the code which showed the Korean time zone. AI can be more of a hindrance than help sometimes.

Another problem for security-related AI is that oftentimes developers don’t think about security until they have written their code and they are in their testing phase. Certainly, security needs to be top-of-mind. This post makes a solid case for why this needs to change.

In the past several years, Amazon, Google (and most recently Microsoft) and many other IaaS players have come out with ML toolkits that are pretty impressive. For a few bucks a month, you can rent a very capable server and build your own ML models for a wide variety of circumstances. That assumes that a) you know what you are doing and b) you have a solid-enough dataset that you can use for creating your model. Neither of those circumstances may match your mix of skills or situation.

So there is some hope in the AI/security space. Here are a few links to vendors that are trying to make better products using AI techniques.

First is a group that is using what is called homomorphic encryption. This solves the problem where you want to be able to share different pieces of the same database with different data owners yet keep the entire dataset encrypted so that no one can inadvertently compromise it. This technology has been the darling of academia for many years, but there are several startups including ICE Cybersecurity, Duality Technologies’ SecurePlus, Enveil’s ZeroReveal, Capnion’s Ghost PII, and Preveil’s email and file security solutions. A good example of this is the San Diego-based Community Information Exchange, where multiple social service agencies can share data on their clients without revealing personal information.
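To make the data-sharing scenario above concrete, here is an added example (not code from this post or from any vendor it names) using a toy Paillier cryptosystem, which is additively homomorphic: several agencies each encrypt their own figure, an aggregator totals the ciphertexts without being able to read any of them, and only the key holder decrypts the sum. The 10007/10009 primes, the field names and the sample counts are my own choices for illustration.

```python
# Added example (not from the original post or any vendor it names): a toy
# Paillier cryptosystem, which is additively homomorphic, showing how an
# aggregator can total encrypted figures from several agencies without ever
# decrypting an individual record. Primes here are tiny and for illustration
# only; real use needs 2048-bit-plus moduli and a vetted library.
import math
import secrets

def keygen(p, q):
    """Paillier keypair from two distinct odd primes (assumed inputs)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                          # standard choice of g
    mu = pow(lam, -1, n)                               # L(g^lam mod n^2) = lam
    return (n, g), (lam, mu)

def encrypt(pub, m):
    """Randomised encryption: c = g^m * r^n mod n^2, with 0 <= m < n."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    u = pow(c, lam, n2)
    return ((u - 1) // n * mu) % n

def add_encrypted(pub, c1, c2):
    """Multiplying two ciphertexts adds the underlying plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def shared_total(pub, encrypted_counts):
    """Aggregator side: sums ciphertexts it has no key to read."""
    total = encrypted_counts[0]
    for c in encrypted_counts[1:]:
        total = add_encrypted(pub, total, c)
    return total

def demo(counts=(12, 7, 30)):
    """Key holder (e.g. the exchange) publishes pub; each agency encrypts its
    own count; the aggregator sums; only the key holder decrypts the total."""
    pub, priv = keygen(10007, 10009)      # tiny twin primes, toy only
    ciphertexts = [encrypt(pub, c) for c in counts]
    return decrypt(pub, priv, shared_total(pub, ciphertexts))

if __name__ == "__main__":
    print(demo())   # 49
```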

Google’s Chronicle business has a new security tool it calls Backstory. While still in limited release, it has the ability to ingest a great deal of data from your security logs and find patterns of compromise. In several cases, it identified intrusions that happened years ago for its clients – intrusions that had not been detected by other means. That is showing the power of AI for good!

Coinbase is using ML techniques to detect fraudulent users, such as those that upload fake IDs to try to open accounts. It matches patterns in these uploads, such as if someone uses a fake photo or makes a copy of someone else’s ID. And Cybraics has developed an AI engine that can be used to scan for vulnerabilities across your network.

Probably one of the more interesting AI/security applications is being developed by ZeroEyes. While not quite in production, it will detect weapons in near-real time, hopefully identifying someone before they commit a crime. This isn’t too far afield from the thesis of Minority Report’s pre-crime activities. We have certainly come a long way from those early Skynet days.

You can view the slide deck for my presentation at the conference below:


Sometimes, the tin-foil hat types are right

A recent story in the NY Times caught my attention. It is about a block in the Cleveland area where some of their wireless car key fobs and garage door openers stopped working. The block is near a NASA research facility, so that was an obvious first suspect. But it wasn’t. The actual source of the problem turned out to be an inventor who was flooding the radio spectrum at the same frequency the fobs use: 315 MHz. Once the radio emitter was turned off, the fobs and garage doors started working again. The issue was that the inventor’s radio signal was so strong it was preventing anything else from transmitting on that frequency. He had no idea that he was the source of the radio interference.

This story reminds me of an experience that I had back in 1991 or so. At the time, I was the editor-in-chief of Network Computing magazine for what was then called CMP. It was a fun and challenging job, and one day I got a call from one of my readers who was the IT manager for the American Red Cross headquarters in DC. This was Jon Arnold, who spent a long career in IT, sadly dying of a heart attack several years ago. Turns out they had a chapter in Norfolk, Va. that was having networking issues. Their office was a small one, of about 25 or so staffers as I recall. Every day their network would start slowing down and then eventually go kaput for several hours. It was at a different time during the day, so it wasn’t the Cleaning Person Problem (I will get to that in a moment). It would come back online sometimes by itself, sometimes with a server reboot. The IT manager asked if I would be willing to lend a hand, and the first person that I thought of to help me was Bill Alderson.

I first met Bill when he was a young engineer for Network General, which made the fabulous Sniffer protocol analyzer. Many of you who are not from that generation may not realize what this tool was or how much of a big deal it was to have a device that could record packet traffic and examine it bit by bit. Today we have open source tools that do the same thing for free, but back then the Sniffer cost four or five figures and came with a great deal of training. Bill cut his teeth on this product and now has his own company, HopZero, which has an interesting way to protect your servers by restricting their hop count.

Bill and I first met back in 1989 when I worked at PC Week and we wanted to test the first local area network topologies. We set up three networks, running Ethernet, Token Ring and Arcnet in a networked classroom at UCLA during spring break. All were connected to the same Novell Netware server. Ethernet won the day (as you can see in this copy of the story), and the other topologies died of natural causes. But I digress.

Jon, Bill and I flew to Norfolk and spent a day with the Red Cross staff to try to figure out what was happening with their Novell network. We did all sorts of packet captures that weren’t conclusive. Our first thought was that it had to be something wrong with the server, but we didn’t see anything wrong. Our second thought was more insidious. Being in Norfolk, we were directly down the road from the naval base (you could say that about much of the town, it is a big base). We actually managed to get through to the base commander to find out if their radar was active when they were coming into port. Imagine making that phone call these days in our post-9/11 world? Anyway, the answer we got was negative. Eventually, after hours of shooting down various theories, we figured out the cause of the problem was a wonky network adapter card in someone’s PC. It usually operated just well enough that it didn’t interfere with the network most of the time. Once we replaced the card, everything went swimmingly, and we could put away our tin-foil hats.

Okay, so what is the Cleaning Person Problem? This sounds like folklore, but another reader told me about a problem they had on their network years ago. The reader was periodically disconnected from his network at the same time every night. He was one of the few people online at the time in their office, so it wasn’t like there was high traffic across the network. Eventually, after several evenings he figured out the problem: The cleaning crew was vacuuming the rug in the server room, and the network cable to the server was being run over by the vacuum. Because the cable wasn’t properly crimped and because it was run under the carpet (who knows why this was done), it was shaken just loose enough to disconnect it from the server. When the crew was finished, the cable would operate just fine. Thankfully, they made a better cable and ran it elsewhere where no one could step on it.

The Cleveland folks that had their car fobs disabled actually had it easy: the fault was in a very deliberate emitter that – while initially difficult to trace – was a very binary cause. Their challenge was that not every car fob and garage door was affected. The two scenarios that I mention here were not so cut-and-dried, which made troubleshooting them more difficult. So keep these stories in mind when you are troubleshooting your next computer or networking problem, and don’t be so quick to blame user error. It could be something not as obvious as the odd radio transmission.

FIR B2B podcast #120: Voice search, a survey rant and great tips for engaging mobile visitors

Paul Gillin kicks off with a short rant about the lack of rigor and news value of surveys, and how marketers should spend more time vetting their results to determine what questions/objections they’re likely to get. With the release next week of the Verizon Data Breach Report setting a high bar, it is a timely topic.

This week we saw a tweet from Chase bank that not only fell flat but incurred many folks’ antipathy. It was so tone deaf that it was hard to even understand how the bank could have put it out there. This incident, combined with the offensive NY Times International edition political cartoon that was published last week, reinforces the need to be more careful about what your brand shares socially.

Speaking of social shares, this article by Bloomberg’s BHive research outfit has a lot to say about ways they found to increase the sharing of their news articles from mobile devices. As more and more news is read on these devices, content providers have to do a better job of not cluttering up small screens with extraneous ads and other diversions. Bloomberg was able to improve engagement by a significant amount just by making a few simple tweaks to their stories. One key point: They interviewed actual readers.

The Workamajig blog’s post on how Voice Search is Changing B2B Marketing (And What You Can Do About It) is well worth your time. Consider that voice searches are by definition conversational. People don’t speak in keywords. They ask “What’s the height of the Empire State building?” not “Empire State building height”. Voice opens up new opportunities for content marketing. Republishing your content as an Alexa skill, for instance, can bring you a whole new set of listeners. In fact, if you look at the best reviewed Business & Finance skills on the Alexa store right now, you’ll see content-focused skills dominate the list. David met one vendor called VoiceXP that can help you create your own voice apps. Clearly this will grow in importance in the near future.

Finally, we note this analysis by our colleague Mike Vizard in the Barracuda blog about how the Russian hacking of the DNC back in 2016 went down, as documented in the Mueller report. It all started with a spear phishing email. You have been warned. Listen to our 17-minute episode here:

Endgame white paper: How to replace your AV and move into EPP

The nature of anti-virus software has radically changed since the first pieces of malware invaded the PC world back in the 1980s. As the world has become more connected and more mobile, the criminals behind malware have become more sophisticated and gotten better at targeting their victims with various ploys. This guide will take you through this historical context before setting out the reasons why it is time to replace AV with newer security controls that offer stronger protection delivered at a lower cost and with less of a demand for skilled security operations staff to manage and deploy. In this white paper I co-wrote for Endgame Inc., I’ll show you what is happening with malware development and protecting your network from it, why you should switch to a more modern endpoint protection platform (EPP), and how to do it successfully, too.

CSOonline: How to evaluate SOC-as-a-service providers

Not every organization that needs a security operations center can afford to equip and staff one. If you don’t currently have your own SOC, you are probably thinking of ways you can obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the staffing costs to man it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and provide a wide range of services such as patching and malware remediation. For my latest article for CSOonline, I look at how this SOC-as-a-service (SOCaaS) industry has grown up, what they offer and how to pick the right supplier for your particular needs.

Above you can see some of the vendors that I looked at for this story.

Thoughts on being a digital nomad

When the first personal computers were purchased by businesses back in the early 1980s, I was a freshly-minted engineer that was working in Washington, DC. I was trying to change the world, like so many other 20-somethings that were living there, working in and around the federal government. Little did I know that my love affair with PCs would become my career, and that they would change the world on their own, without much effort on my part.

I was thinking about this arc of my own humble life when thinking about the concept of digital nomads, those folks who have used the ubiquitous technology that has infused our lives over the past 40 years and that we all now take for granted. Most of you inherently know what this means: the ability to travel and work anywhere in the world, as if you were sitting at your desk. Essentially, your desk becomes wherever you are: thanks to Wi-Fi, the cloud and a truckload of communications technologies, you can be present globally.

While I am not one of them, I can certainly understand the appeal. In this edition of Web Informant, I want to highlight some of the folks who have interesting lives as digital nomads.

The concept of nomadic technology certainly has changed since I first started reporting for PC Week. Back then, the payphone was my go-to tool. Actually, let me revise that: Having a phone charge card was the killer app that enabled me to make calls without having any coins. Now we use a bunch of smartphone apps and the appropriate SIM card for our nomad connections. Of course, things aren’t always that easy, but still it is pretty amazing how far we have come since those early days.

My earliest memory of the prototype nomadic lifestyle is Steve Roberts. He is definitely into hardware, and his first experiment was to equip a recumbent bike with all sorts of tech that enabled him to ride 17,000 miles around the country and report on his travels. He started in the 1980s, just as the PC was taking hold, and the bike is now in the Silicon Valley Computer History Museum. Back then, you had to have a strong back and a lot of knowledge to cobble together the tools to report on the road. I also consider him one of the early “makers,” as he has what has to be the most well-equipped travel workshop, which is now used to build his hi-tech boats. He is still active in his nomadness, just from dockside.

Another deep resource on nomadic tips and tricks is from Jodi Ettenberg on LegalNomads. As you might assume, she was a former corporate lawyer who took to the road back in 2008 and started writing about food. But then her lawyerly training took over and she dug deeper. She has a very extensively curated page of meta-things such as international visa requirements, the philosophical differences and motivations among nomads, and links to numerous discussion forums and other nomads that you can follow. Sadly, she is no longer traveling due to health issues.

A few years ago, I came across Nikki and Jason Wynn, a 30-something couple that has been on the road since 2011. They initially sold their Dallas home and contents and bought an RV. They drove around the country for six years and then traded their RV for a sailboat. They are now somewhere in Polynesia, taking on the world. Their YouTube channel gets 200K views with a wide range of upbeat videos that show lots of hands-on insight into the gear they use to stay connected when in the middle of an ocean, along with how they keep fresh water and live off the grid with all their electronics. The videos also have the usual travelogues about what they are up to and where they are.

Boating is also a big motivation behind Cruising the Cut. This is a solo effort from a 50-year-old former British TV journalist David Johns. For the past three years, he has been living aboard his narrowboat and navigating the extensive British canal network. I found him appealing, a combination of understated British irony (think of some of the characters played by John Cleese) with some boating-flavored HGTV “tiny house” design shows thrown in. Johns averages about 60K views of 170 different episodes. He also has an extensive curated list linking to other narrowboaters documenting their nomadic existence if you want to take a deeper dive into this subculture.

Let’s move on from boating to flying. Kara and Nate Buchanan are another young couple that three years ago took to the skies and have a goal of visiting 100 countries. They are currently making their way through the Middle East and have produced more than 500 videos with 600K followers of their exploits. They are all about the people and the food and are very upbeat (sometimes bordering on the twee) about their adventures. If you want to know exactly how much money they make from their efforts, they are also the most transparent and provide monthly reports of their expenses and income. If you want help accumulating your own travel miles, they will freely share which are the best travel credit cards and other tips that they use to get around.

Chris Dodd has put together some very practical tips on how to become a nomadic freelancer, complete with flowcharts on where to find online training for the skills that you lack. This training orientation is something of his specialty, and he provides details on selecting the right coworking space among other things. He has been on the road for the past two years.

Mike Elgan has been writing about tech as long as I have, and now he has turned his nomadic leanings into a viable business. He and his wife Amira run Gastronomad, where they offer foodie tours to satisfy those who can’t afford to go 100% nomadic but still want to travel to interesting places and get off the beaten path. Given his background as a product reviewer, their site has a lot of info on camera choices, among other things.

One perspective you don’t always see online is from Matt Karsten, who started out with the ExpertVagabond blog back in 2010 and eventually gained millions in followers. Earlier this month, he wrote about quitting traveling due to burnout and after meeting the woman he would eventually marry. “Trying to juggle a normal work routine when you’re also trying to figure out where to sleep next week just isn’t ideal. Often, I never wrote much about the places I was living because I was too busy catching up with work after months of traveling.” They have moved to LA.

I have just tapped the surface of these nomads, and have tried to give you a sampling, including a few who are still wandering the planet in search of new adventures. As you can see, some have given this life up and “settled down,” whatever that means. Some travel as couples, others as singles. Some are into the hardware, some are more about learning their craft. You may follow or know of others or count yourself as nomads; feel free to share your own stories and recommendations on my blog comments. And good luck if you decide to pursue your own nomadic dream.

FIR B2B podcast #119: Our favorite email newsletter tips

Paul Gillin and I are old hands at email newsletters. Paul had his own for several years and has produced several for his clients. I currently publish two: my own Web Informant, which I have been doing almost weekly since 2003, and Inside Security which is part of a group of newsletters. We share a few tips from our years of experience.

The first is to know your audience and segment them for best results. This post in Marketing Week documents how marketers are segmenting the audiences at a much finer level than they previously did thanks to an explosion in behavioral data from third parties. One bottled water vendor was able to dramatically boost the response rate of its YouTube ads with an email newsletter sliced by 16 different segments. The survey found that behavior and location are the most effective segmentation methods, with the old stalwarts like age and gender being the least effective.

We discuss how to craft your subject line and choose a coherent theme as well as how to pick the optimal length and number of hyperlinks to include. If you do use links, beware of URL shortening services, since many spam filters block them. There’s also the question of whether to make your newsletters text-only or to go the HTML route. If you choose the latter, be sure to test each newsletter with different browsers and different screen depths. Finally, we cover how to choose the right tool for the mailings. We’ve used a variety of them over the years, and each has different strengths and weaknesses. Some of these topics are mentioned in this piece for Marketing360.

We’d love to hear from you about your favorite email newsletters and tips for creating your own. You can listen to our 16 min. podcast here:

Security Intelligence: How to Defend Your Organization Against Fileless Malware Attacks

The threat of fileless malware and its potential to harm enterprises is growing. Fileless malware leverages what threat actors call “living off the land,” meaning the malware uses code that already exists on the average Windows computer. When you think about the modern Windows setup, this is a lot of code: PowerShell, Windows Management Instrumentation (WMI), Visual Basic (VB), Windows Registry keys that have actionable data, the .NET framework, etc. Malware doesn’t have to drop a file to use these programs for bad intentions.

Given this growing threat, I provide several tips on what security teams can do to help defend their organizations against these attacks in my latest post for IBM’s Security Intelligence blog.
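As an added illustration of the detection side of “living off the land” (my own example, not code from the post or from IBM), here is a small scoring pass over constructed process-creation records that flags suspicious use of the built-in tooling listed above: PowerShell launched hidden or with an encoded command, WMI used to spawn processes, VB script hosts running scripts out of user-writable folders, and Run-key registry persistence. The `key=value;` log format, field names, rule weights, threshold and sample lines are all assumptions made up for this demo.

```python
# Added example (not from the original post or IBM): a detection pass over
# constructed process-creation log lines, flagging "living off the land" use
# of the Windows built-ins the post lists (PowerShell, WMI, VB script hosts,
# the registry). The log format, field names and rule weights are made up.
import re

# Each rule: (name, regex applied to the full command line, weight).
RULES = [
    ("powershell_encoded",
     r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", 3),
    ("powershell_hidden_window",
     r"powershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden\b", 2),
    ("powershell_download_cradle",
     r"powershell(\.exe)?\b.*(downloadstring|invoke-expression|\biex\b)", 3),
    ("wmi_process_create",
     r"\bwmic(\.exe)?\b.*process\s+call\s+create", 3),
    ("vbscript_from_user_dir",
     r"\b[wc]script(\.exe)?\b.*\\(temp|appdata)\\", 2),
    ("registry_run_key_persist",
     r"\breg(\.exe)?\s+add\b.*\\currentversion\\run", 3),
]
THRESHOLD = 3   # a single high-weight rule is enough to alert

def parse_record(line):
    """Parse one constructed 'key=value;key=value' process-creation record."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def score_command(cmdline):
    """Return (total weight, [matching rule names]) for one command line."""
    hits = [(name, w) for name, pat, w in RULES if re.search(pat, cmdline, re.I)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def scan(lines):
    """Return an alert dict for every record whose score reaches THRESHOLD."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        score, names = score_command(rec.get("cmdline", ""))
        if score >= THRESHOLD:
            alerts.append({"time": rec.get("time"), "host": rec.get("host"),
                           "user": rec.get("user"), "score": score,
                           "rules": names})
    return alerts

# Constructed sample records: two benign admin actions and three that chain
# the built-ins the post describes. The base64 blob is a placeholder.
SAMPLE_LOG = [
    "time=2019-05-06T09:14:02;host=WS01;user=alice;"
    "cmdline=powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
    "time=2019-05-06T09:15:10;host=WS01;user=alice;"
    "cmdline=powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI=",
    "time=2019-05-06T09:16:44;host=WS02;user=bob;cmdline=wmic.exe os get caption",
    "time=2019-05-06T09:17:03;host=WS02;user=bob;cmdline=wmic.exe /node:WS03 "
    "process call create \"cscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\u.vbs\"",
    "time=2019-05-06T09:18:20;host=WS03;user=SYSTEM;cmdline=reg.exe add "
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ "
    "/d \"wscript.exe C:\\Users\\bob\\AppData\\Roaming\\u.vbs\"",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Only three of the five constructed records alert; the scheduled backup script and the read-only `wmic os get` query score zero, which is the point of weighting by rule rather than flagging every PowerShell or WMI launch.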