AI is both a boon and a bane for IT security

Next week I am giving a speech at the Inside AI/LIVE event in San Francisco. I have been working for Inside.com for nearly three years, producing a daily email newsletter on infosec topics. The speech will cover the current trends in how AI is both the bane and the boon of IT security. In my talk, I will point to some of the innovators in this space that I have found in my travels. I thought I would touch on what I will be talking about here.

Usually, when we first hear about AI, we tend to go towards what I call the “Skynet scenario.” For those of you who haven’t seen any of the Terminator movies, this is that point in the future where the machines take over and kill all of the humans, and we are left with Arnold-as-robot and Kyle Reese to save us all from extinction. That isn’t a great place to start thinking about the relationship between AI and security to be sure.

Certainly, we have heard many of the more recent notable AI fails, such as the gender-bias of the AI-based HR recruiting tool from Amazon, the self-driving Uber car that killed a pedestrian, and where Google Photo confused a skier with a mountain peak. But we need to get beyond these scenarios.

Perhaps a better place to start is to understand the workflow of machine learning (ML). Here we see that AI isn’t all that well suited to infosec. Why? Because the typical ML process tries to collect data, build an algorithm to model something that we think we know, and then use the model to predict some outcomes. That might work well for certain situations, but the infosec world is far too chaotic and too reliant on human interpretation of the data to work well with AI techniques.

On top of this is that the world of malware is undergoing a major transformation these days. Hackers are moving from being mere nuisances like script kiddies to professional criminals that are interested in making money from their exploits. Malware is getting more complex and the hackers are getting better at hiding their craft so that they can live longer inside our corporate networks and do more targeted damage. Adversaries are moving away from “spray and pray,” where they just blanket the globe with malware and towards “target and stay,” where they are more selective and parsimonious with their attacks. This is also a way to hide themselves from detection too.

One issue for using AI techniques is that malware attribution is hard, something that I wrote about in a blog post for IBM’s Security Intelligence last year. For example, the infamous WannaCry ransomware was eventually attributed to the North Koreans, although at first it seemed to come from Chinese agents. It took a lot of research to figure this out, and one tell was the metadata in the code which showed the Korean time zone. AI can be more of a hindrance than help sometimes.

Another problem for security-related AI is that oftentimes developers don’t think about security until they have written their code and they are in their testing phase. Certainly, security needs to be top-of-mind. This post makes some solid reasons why this needs to change.

In the past several years, Amazon, Google, (most recently Microsoft) and many other IaaS players have come out with their ML toolkits that are pretty impressive. For a few bucks a money, you can rent a very capable server and build your own ML models for a wide variety of circumstances. That assumes that a) you know what you are doing and b) that you have a solid-enough dataset that you can use for creating your model. Neither of those circumstances may match your mix of skills or situation.

So there is some hope in the AI/security space. Here are a few links to vendors that are trying to make better products using AI techniques.

First is a group that is using what is called homomorphic encryption. This solves the problem where you want to be able to share different pieces of the same database with different data owners yet encrypt the entire data so that no one can inadvertently compromise things. This technology has been the darling of academia for many years, but there are several startups including ICE CybersecurityDuality Technologies’ SecurePlus, Enveil’s ZeroReveal, Capnion’s Ghost PII, and Preveil’s email and file security solutions. A good example of this is the San Diego-based Community Information Exchange, where multiple social service agencies can share data on their clients without revealing personal information.

Google’s Chronicle business has a new security tool it calls Backstory. While still in limited release, it has the ability to ingest a great deal of data from your security logs and find patterns of compromise. In several cases, it identified intrusions that happened years ago for its clients – intrusions that had not been detected by other means. That is showing the power of AI for good!

Coinbase is using ML techniques to detect fraudulent users, such as those that upload fake IDs to try to open accounts. It matches patterns in these uploads, such as if someone uses a fake photo or makes a copy of someone else’s ID.  And Cybraics has developed an AI engine that can be used to scan for vulnerabilities across your network.

Probably one of the more interesting AI/security applications is being developed by ZeroEyes. While not quite in production, it will detect weapons in near-real time, hopefully identifying someone before they commit a crime. This isn’t too far afield from the thesis of Minority Report’s pre-crime activities. We have certainly come a long way from those early Skynet days.

You can view the slide deck for my presentation at the conference below:

 

Endgame white paper: How to replace your AV and move into EPP

The nature of anti-virus software has radically changed since the first pieces of malware invaded the PC world back in the 1980s. As the world has become more connected and more mobile, the criminals behind malware have become more sophisticated and gotten better at targeting their victims with various ploys. This guide will take you through this historical context before setting out the reasons why it is time to replace AV with newer security controls that offer stronger protection delivered at a lower cost and with less of a demand for skilled security operations staff to manage and deploy. In this white paper I co-wrote for Endgame Inc., I’ll show you what is happening with malware development and protecting your network from it. why you should switch to a more modern endpoint protection platform (EPP) and how to do it successfully, too.

CSOonline: How to evaluate SOC-as-a-service providers

Not every organization that needs a security operations center can afford to equip and staff one. If you don’t currently have your own SOC, you are probably thinking of ways you can obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the staffing costs to man it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and provide a wide range of services such as patching and malware remediation. For my latest article fo CSOonline, I look at how this SOC-as-a-service (SOCaaS) industry has grown up, what they offer and how to pick the right supplier for your particular needs.

Above you can see some of the vendors that I looked at for this story.

And to help you evaluate your own SOCaaS providers, I wrote a follow-up article that outlines what you should have in your RFPs.

Security Intelligence: How to Defend Your Organization Against Fileless Malware Attacks

The threat of fileless malware and its potential to harm enterprises is growing. Fileless malware leverages what threat actors call “living off the land,” meaning the malware uses code that already exists on the average Windows computer. When you think about the modern Windows setup, this is a lot of code: PowerShell, Windows Management Instrumentation (WMI), Visual Basic (VB), Windows Registry keys that have actionable data, the .NET framework, etc. Malware doesn’t have to drop a file to use these programs for bad intentions.

Given this growing threat, I provide several tips on what can security teams can do to help defend their organizations against these attacks in my latest post for IBM’s Security Intelligence blog.

How to protect your mobile apps using Zimperium’s zIAP SDK (screencast)

If you are looking for a way to protect your Android and iOS apps from malware and other mobile threats, you should look at Zimperium ‘s In-App Protection (zIAP) SDK . It supports both Apple X-Code for iOS apps and Android Studio for those apps. One of the advantages of zIAP is that you don’t have to redeploy your code because changes are updated dynamically at runtime and automatically pushed to your devices. zIAP ensures that mobile applications remain safe from cyber attacks by providing immediate device risk assessments and threat alerts. Organizations can minimize exposure of their sensitive data, and prevent their customers and partners’ data from being jeopardized by malicious and fraudulent activity. I tested the product in April 2019.

Pricing starts for 10K Monthly Active Devices at $12,000 per year, with steep quantity discounts available.

https://go.zimperium.com/david-strom-ziap

Keywords: strom, screencast review, webinformant, zimperium, mobile security, app security, Android security, iOS security

RSA blog: Third-party risk is the soft underbelly of cybersecurity

In the past several weeks, we have seen the effects of ignoring the risks of our third-party vendors. They can quickly put your enterprise in peril, as this story about a third-party provider to the airline industry illustrates. In this case, a back-end database supplier grounded scheduled flights because of a computer outage. And then there is this story about how two third-party providers from Facebook exposed more than 500M records with unsecured online databases. These are just the more notable ones. Hackers are getting cleverer about how and when they attack us, and often our third-party apps and vendors are the soft underbelly of our cybersecurity. Witness the various attacks on point-of-sale vendors or back-end database vendors, payment providers or ecommerce plug-ins, etc. And then there are system failures, such as what happened to the airline databases.

You can read my column on RSA’s blog here about what to do about managing third-party threats.

CSOonline: How to improve container security

Gartner has named container security one of its top ten concerns for this year, so it might be time to take a closer look at this issue and figure out a solid security implementation plan. While containers have been around for a decade, they are becoming increasingly popular because of their lightweight and reusable code, flexible features and lower development cost. In this post for CSOonline, I’ll look at the kinds of tools needed to secure the devops/build environment, tools for the containers themselves, and tools for monitoring/auditing/compliance purposes. Naturally, no single tool will do everything.

Behind the scenes at a regional NCCD competition

Every year hundreds of college students compete in the National Collegiate Cyber Defense Competition. Teams from around the country begin with regional competitions, and the winners of those go on to compete for bragging rights and cash prizes at the national event in Orlando held at the end of April. A friend of mine from the Seattle area, Stephen Kangas, was one of the volunteers, all of whom are drawn from IT security professionals. I spoke to him this week about some of his experiences. The event tries to simulate defending a simulated corporate network, and is divided into two basic teams: the defenders who comprise the blue teams from the colleges, and the attackers, or red team. In addition, there are other groups, such as the judges and the “orange team” which I will get to in a moment. There is also a team of judges with body cams to record the state of play are assigned to each blue team and these are used to tally up the final point totals. Points are also awarded based on the number of services that are still online and haven’t been hacked, as well as those systems which were hacked and then recovered. Both teams have to file incident reports and these are also evaluated as part of the scores.

Stephen has participated at the competition for several years as a mentor and coach for a team from a local high school that competes in the high school division. This year he was on one of the red teams attacking one of the college blue teams. He has his Certified Ethical hacker credential and is working towards a MS in Cybersecurity degree too. He has been involved in various IT roles both as a vendor and as a consultant, including a focus in information security, for decades. “I wanted to expand my knowledge in this area. Because most of my experience has been on defensive side, I wanted to get better, and for that you have to know about the strategy, tools, and tactics used by the offensive black hats out there.”

The event takes place over a weekend and the red team attackers take points away from the defenders for penetrating their corresponding blue team’s network and “pwning” their endpoints, servers, and other devices. “I was surprised at how easy it was to penetrate our target’s network initially. People have no idea how vulnerable they are as individuals and it is becoming easier every day. We need to be preparing and helping people to develop the knowledge and skills to protect us.” His red team consisted of three others that had complementary specializations, such as email, web and SQL server penetration and different OSs. Each of the 30 red team volunteers brings their own laptop and but they all use the same set of hacking tools (which includes Kali Linux, Cobalt Strike, and Empire, among others), and the teams communicate via various Slack channels during the event.

The event has an overall red team manager who is taking notes and sharing tips with the different red teams. Each blue team runs an exact VM copy of the scenario, with the same vulnerabilities and misconfigurations. This year it was a fake prison network. “We all start from the same place. We don’t know the network topology, which mimics the real-world situation where networks are poorly documented (if at all).” Just like in the real world, blue teams were given occasional injects, such as deleting a terminated employee or updating the release date of a prisoner; the red teams were likewise given occasional injects, such as finding and pwning the SQL server and changing the release date to current day.

In addition to the red and blue teams is a group they call the orange team that adds a bit of realism to the competition. These aren’t technical folks but more akin to drama students or improv actors that call into the help desk with problems (I can’t get my email!) and read from scripted suggestions to also put more stress on the blue team to do a better job of defending their network. Points are awarded or taken away from blue teams by the judges depending upon how they handle their Help Desk phone calls.

Adding additional realism, during the event members of each red team make calls with the help desk, pretending to be an employee, trying to social engineer them for information. “My team broke in and pwned their domain controllers. We held them for ransom after locking them out of their Domain Controller, which we returned in exchange for keys and IP addresses to some other systems. Another team called and asked ransom for help desk guy to sing a pop song. They had to sing well enough to get back their passwords.” His team also discovered several Linux file shares that had employee and payroll PII on it.

His college’s team came in second, so they are not going on to the nationals (University of Washington won first place). But still, all of the college students learned a lot about better defense that they can use when competing next year, and ultimately when they are employed after graduation.  Likewise, the professionals on the red teams learned new tools and techniques from each other that will benefit them in their work. It was an interesting experience and Stephen intends to volunteer for Pacific Rim region CCDC again next year.

RSA blog: Understanding the trust landscape

Earlier this month, president of RSA, Rohit Ghai, opened the RSA Conference in San Francisco with some stirring words about understanding the trust landscape. The talk is both encouraging and depressing, for what it offers and for how far we have yet to go to realize this vision completely.

Back in the day, we had the now-naïve notion that defending a perimeter was sufficient. If you were “inside” (however defined), you were automatically trusted. Or once you authenticated yourself, you were then trusted. It was a binary decision: in or out. Today, there is nothing completely inside and trusted anymore.

I go into more detail in my blog post, Understanding the trust landscape here. I had an opportunity to  spend some time with Rohit at a presentation we both did in London earlier this year and enjoyed exchanging many ideas with him.

The Huawei telecom ban makes no sense

Color me confused about our 5G technology policy. Today I see this statement: “I want 5G, and even 6G, technology in the United States as soon as possible. It is far more powerful, faster, and smarter than the current standard. American companies must step up their efforts, or get left behind. I want the United States to win through competition, not by blocking out currently more advanced technologies.” That is from a recent set of tweets from our president. He is expected to sign an executive order banning Huawei equipment from domestic cellular carriers before next week. Not to be outdone, Congress is considering HR 4747 that would prevent government agencies from doing business with them.

Huawei seems to be the latest target of badly behaving tech companies, and it has gotten a lot of enemies. Last week our Secretary of State meet with several European leaders, telling them to not purchase any equipment from Huawei in building out their 5G cellular networks. He told them that this gear will make it more difficult for American equipment to operate there.

The fear is that Chinese will embed spying devices in their gear, interfering with communications. Chinese hacking attempts have dramatically risen over the past year, according to this new report from Crowdstrike. While the report didn’t identify Huawei as the source, they did find several hacking attempts aimed specifically at telecom vendors and their government customers.

The US isn’t alone in its fear of Huawei spying. Poland, Italy and Germany are all considering banning their gear from their newer cell networks. Last year, both South Korea and Australia enacted such a ban, and the UK began removing their equipment too. Huawei supplies Australian and UK 4G equipment and BT said last month that they will begin removing that stuff.  A recent news story in The Register stated that Huawei won’t be used to run any new British government networks, even though it will continue to be used in British landline infrastructure.

But is the Chinese government really using Huawei equipment to spy on us? Jason Perlow writes in ZDnet that chances are low, mainly because first there is no concrete proof, and second because it wouldn’t be in their best economic interests. Also, given that you can find Chinese semiconductors in just about everything these days, it would be nearly impossible to effectively ban them.

But there is another confounding reason that no one has mentioned, and that has to do with this law called CALEA. It spells out requirements for telecom suppliers and how they must provide access to government wiretaps and other law enforcement activities from their gear. So technically, not only is Huawei doing this, but all the other telecom vendors have to do so too. If you are with me so far, you see that Huawei is obligated to have this “backdoor” if they want to do business in the USA, yet we are criticizing them for having this very same backdoor! How this will play out in these bans is hard to realize.

A Huawei ban makes no sense. But it won’t stop government agencies from piling on at this stage.