Cyber Security Institute

Sunday, August 28, 2016

IR News Security - 2016-08-28

Table of Contents

  • Automate, integrate, collaborate: Devops lessons for security
  • Dragos Raises $1.2M in DataTribe-Led Seed Funding Round for Cyber Threat Operations Center; Robert Lee Comments
  • Cyber Pain Points: Failure to get buy-in for Incident Response Plan (IRP) in the top 10!
  • Cybereason Named a Top 'Disruptive Innovator' by Juniper Research
  • Confronting Cybersecurity Challenges Through US-Singapore Partnership – Analysis
  • The New EU Cybersecurity Directive: What Impact on Digital Service Providers?
  • CISO Hunting Tags: What threat hunting should mean to you
  • 4 Tips to Give You Greater Network Visibility and Prepare You to Survive a Breach
  • What’s next for threat intelligence?
  • RiskSense Selected Best Cyber Risk Management Software of the Year
  • InCommon Enters Proof of Concept for Federated Incident Response
  • AI will help virtualised data containers manage their own security, access control
  • Japanese government plans cyber attack institute

Automate, integrate, collaborate: Devops lessons for security
Enterprise security pros are often seen as heavy-handed gatekeepers obsessed with reducing risk.
They'd rather be viewed as enablers who help the organization complete tasks and gain access to needed data. 
To make that transformation, security teams must become faster, more efficient, and more adaptable to change.
That sounds a lot like devops. 
As more companies embrace devops principles to help developers and operations teams work together to improve software development and maintenance, those organizations also increasingly seek to embed security into their processes.
Continuous automated testing improves application security.
Increased visibility in operations improves network security. 
When data collection and analysis is automated, developers, security teams, and operations can work together.
The benefits go beyond application security.
Song describes an organization that saw sales drop dramatically after pushing out a feature update to their ecommerce application.
Was the problem with the update or the application itself?
It turned out that the SSL certificate had expired.
With all the players in one place, it was easier to identify and fix the problem.
There is a "fusion of different operations and teams working together," she says. 
Security doesn't operate in a silo, Song says.
Removing barriers between teams gives security operations information about what is happening faster.
Faster alerts mean security operations are looking at the problem earlier in the cycle, and better information on hand helps the team figure out a solution.
Link: Dragos Raises $1.2M in DataTribe-Led Seed Funding Round for Cyber Threat Operations Center; Robert Lee Comments 
Dragos will use the funds to establish a threat operations facility that will work to provide cyber threat detection services for industrial control systems and supervisory control and data acquisition platforms as well as develop technologies intended for ICS networks, the company said Wednesday.
Link: Cyber Pain Points: Failure to get buy-in for Incident Response Plan (IRP) in the top 10! 
Here’s the list of all 10 Pain Points:
-  Lack of a cross-functional “incident commander” to coordinate response across the organization
-  Incident response plans lack cross-organizational considerations and buy-in
-  Limited data classification guidance to help determine severity and guide incident response activities
-  Ill-defined processes (aka “pre-thought use cases”) for responding to high impact incidents
-  Lack of defined checklists or step-by-step procedures, including contact lists for response
-  Lack of consideration of the business impact when determining courses of action for response
-  Ill-defined or mixed use of event and incident taxonomy between responders
-  Lack of defined thresholds between events and incidents to aid in decision making
-  Limited or lack of pre-determined (aka “pre-canned”) external communication statements
-  Lack of training and exercise of “memory muscle” for the most likely or high risk incidents
Link: Cybereason Named a Top 'Disruptive Innovator' by Juniper Research 
Cybereason today announced that the company and its Military-Grade, Real-Time Detection and Response Platform have been named by Juniper Research as one of the Top Three ‘Disruptive Innovators to Watch in 2016.' Cybereason is the only cybersecurity company to make the watch list.

Confronting Cybersecurity Challenges Through US-Singapore Partnership – Analysis
As a key deliverable to PM Lee’s visit, Singapore’s Cyber Security Agency (CSA) and the US Department of Homeland Security (DHS) co-signed on 2 August a Memorandum of Understanding (MOU) on the Cooperation in the Area of Cybersecurity, which lays a foundation for cooperation on cyber-related issues. 
This agreement covers cooperation in key areas that include regular Computer Emergency Response Teams (CERT) to CERT information exchanges and sharing of best practices, coordination of cyber incident response, conducting new bilateral initiatives on critical infrastructure protection, and continued cooperation on cybercrime, cyber defense, and on regional capacity building. 
Singapore’s CSA has previously signed four other bilateral cyber MOUs, with France, the United Kingdom, India and the Netherlands.
The agreement with the US is the fifth and an important milestone for both countries.
It is the first cyber agreement between an ASEAN nation and the US.
While Singapore benefits from accessing knowledge about cyber threats and mitigation responses from the US, Washington will equally gain deeper insights into the cyber threats experienced by Singapore and potentially the South East Asia region. 
Both Singapore and the US are becoming more digitally dependent, with Singapore having aspirations to be the world’s first Smart Nation.
The creative use of information and communications technology (ICT) and Internet of Things (IOT) will undoubtedly bring about significant advances in the way we live, work and play through predictive and automated decision-making based on detailed collected data on individuals. 
From 16-18 August 2016, Singapore’s CSA, Ministry of Foreign Affairs and the US Department of State’s Third Country Training Programme hosted an ASEAN Cybersecurity workshop, the first of its kind.
This Singapore- and US-led diplomatic effort brought together ASEAN cyber officials from both policy and technical offices to discuss developing and implementing national cybersecurity strategies, cyber incident response, multi-stakeholder engagement, private-public partnerships and building a culture of cybersecurity. 
Singapore is in a unique position to take the necessary technological leadership role in enhancing its national cybersecurity posture while supporting the region.
The shared insights and experience by both Singapore and the US can be of considerable benefit to the ASEAN countries and to the larger global community as all nations continue to seek ways to improve their cybersecurity postures.
Link: The New EU Cybersecurity Directive: What Impact on Digital Service Providers? 
Considerable disagreement surrounded the inclusion of digital service providers within the draft NIS Directive, bringing opposition from the European Parliament, various Member States, and entities falling under the definition of "digital service provider." These opponents viewed cyberattacks on digital service providers as insufficiently significant and therefore argued against additional regulation, which would potentially negatively affect innovation.
While the final NIS Directive does extend to digital service providers, it subjects them to a lighter regulatory touch than essential service operators.[1] 
DSP services cover the three following categories (NIS Directive (Annex III)): "online marketplace," "online search engine," and "cloud computing services": 
"Online marketplace" covers "a digital service that allows consumers and/or traders to conclude online sales or services contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace." 
"Online search engine" covers "a digital service that allows users to perform searches of all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found." 
"Cloud computing service" means "a digital service that enables access to a scalable and elastic pool of shareable computing resources." 
Security Requirements.
The NIS Directive aims at implementation of "state of the art" measures.
It requires the following from DSPs: 
Identify and take appropriate technical and organizational measures to manage the risks facing the security of the network and information systems used in offering services within the EU. 
Take measures to prevent and minimize the impact of incidents affecting the security of their network and information systems on services offered within the EU, with a view toward ensuring service continuity. 
Incident Notification Requirements.
DSPs must promptly notify the competent authority or "Computer Security Incident Response Team" ("CSIRT") designated by the EU Member State of any incident having a substantial impact on the provision of a service offered within the EU.
Notifications must include information to enable the competent authority or CSIRT to determine the significance of any cross-border impact.
However, the notification should not expose the notifying party to increased liability. 
Regarding implementation of the NIS Directive, EU Member States are required to adopt the Directive’s strategy for regulatory measures for cybersecurity within the EU, to create a computer security incident response team for EU nations to address cross-border security incidents, and to establish a unified strategic cooperation group to encourage Member States to exchange information. 
National Strategy for the Security of Network and Information Systems.
EU Member States must adopt a national strategy defining the objectives, as well as appropriate policy and regulatory measures, in order to achieve a high level of security. 
Post-Notification Procedure.
After consulting the DSP concerned, the notified competent authority or CSIRT (and, where appropriate, the authorities or CSIRTs of other EU Member States concerned) may inform the public about individual incidents or require the DSP to do so, if it determines that public awareness is necessary to prevent an incident or respond to an ongoing incident, or where disclosure of the incident is otherwise in the public interest. 
The NIS Directive’s potential reach over entities established outside of the EU also calls for companies to evaluate whether their activities may bring them within the scope of the Directive.
As penalties for noncompliance are yet to be determined by each Member State, this is even greater reason for companies to ensure that they do not fall foul of the NIS Directive.

CISO Hunting Tags: What threat hunting should mean to you
The better your network security and the better engineered your security program, the more capable your incident response and threat team should be.
As your security team grows in skill and demonstrable capability in keeping the network closed, the threats found inside are increasingly likely to have superlative capability.
Thus, your teams that act as the shock absorber for incident response (CIRT and threat hunting) are going to need superlative skill.
Thus, we are looking at highly mature and, more importantly, well-funded programs.
At some point I’ll write a post talking about right sizing and right funding a security program from a realist point of view. 
Having a good log collection and netflow analysis capability allows you to hunt for threats.
Many people focus on current network traffic, looking for real-time anomalies.
A world class program will keep netflow logged for a window of a year. 
Hunting takes on a sense of stalking, following indicators of possible compromise to particular hosts.
Things like beacons, web pages, slow machines, and other elements might get your notice. 
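One concrete check a hunting team can run over retained netflow is the beacon hunt the post alludes to: an internal host calling the same external address and port at a near-constant interval. The block below is an added example, not code from the original post; the flow records are constructed and the field layout (start_epoch,src,dst,dport,bytes_out) is an assumption, since real exports differ by collector.

```python
"""Beacon hunting over netflow-style records.

Added example, not code from the original post. It turns the 'beacons' the
post mentions into a concrete check: a (src, dst, dport) tuple whose flows
recur at a near-constant interval. The flow lines below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: start_epoch,src,dst,dport,bytes_out
SAMPLE_FLOWS = """\
1000,10.0.0.5,203.0.113.10,443,412
1302,10.0.0.5,203.0.113.10,443,408
1598,10.0.0.5,203.0.113.10,443,415
1901,10.0.0.5,203.0.113.10,443,410
2199,10.0.0.5,203.0.113.10,443,409
2503,10.0.0.5,203.0.113.10,443,411
2797,10.0.0.5,203.0.113.10,443,414
3100,10.0.0.5,203.0.113.10,443,407
1000,10.0.0.7,198.51.100.20,443,20480
1010,10.0.0.7,198.51.100.20,443,9001
1900,10.0.0.7,198.51.100.20,443,55000
1950,10.0.0.7,198.51.100.20,443,1200
4000,10.0.0.7,198.51.100.20,443,37000
7200,10.0.0.7,198.51.100.20,443,15000
1500,10.0.0.9,203.0.113.10,80,300
4500,10.0.0.9,203.0.113.10,80,300
"""

def parse_flows(text):
    """Parse CSV-style flow lines into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows

def find_beacons(flows, min_flows=6, max_jitter=0.15):
    """Return candidate beacons: tuples with >= min_flows flows whose
    inter-arrival times vary by at most max_jitter (std dev / mean).
    Low jitter over many flows separates a periodic callback from the
    bursty, irregular traffic of an interactive user."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_tuple[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_flows:
            continue  # too few observations to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(times), "period_s": round(period),
                         "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every "
              f"~{hit['period_s']}s over {hit['count']} flows (jitter {hit['jitter']})")
```

Over a year of retained netflow the same grouping can be run per day, so a callback that only fires weekly still accumulates enough observations to cross `min_flows`.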
Whether you are randomly pulling boxes from production for examination or acting on a tip-off from network surveillance, hunting on a host usually starts in the file system and memory.
There are ways to dump the memory of a host and then evaluate it for possible previously undetected malware.
SANS and others teach memory forensics courses that serve the threat hunting team well in the skills development area.
In my experience I have pulled boxes out of production that I thought were exploited, only to refute that hypothesis at a forensic level.
In other cases I pulled boxes from production that had no sign of issues and had twenty or more variants of malware infesting them.
Reliability and validity are not the same thing.
The dichotomy of discovery, based on the nearly random nature of some of the processes, makes the hunting analogy work.
You can stalk, you can hunt from a blind, or you can take whatever walks into your path.
It is all about looking for things that you didn’t know existed.
Your team needs to be active persistent defensive agents on the network.
The time-intensive nature and mission impact of interdicting a host both result in managerial reluctance.
That reluctance is well founded, because a host may have been exploited in ways that will result in downtime. 
I often get asked two questions: what is the role of honeypots/nets in threat hunting, and why do we do this?
On the first question, a honeypot is literally a sophisticated intrusion detection system.
From a realist point of view you can think of the honeynet as a sensor, or trip line, that gives you warning. 
You only have so many resources, and you only have so much time.
I shepherd my security teams closely to make sure nobody is burning out, and try and maintain a good work/life balance when leading teams.
Threat hunting in the short term creates more work for the teams in general.
Over the long term it decreases the CIRT team's time on response tasks and informs the security team of better protection measures, provided that you as CISO enforce the security feedback loops and configuration controls that hunting on your network will illuminate. 
Threat feeds carry lots of indicators of compromise that can be used to defend your network.
Those feeds can be days behind the actual adversary.
The various threat feeds are not necessarily customized to your business, infrastructure, or political standing.
They are in fact part of the information security portion of the CISO portfolio, not the threat hunting portion.
The threat hunting group is looking for that last finite number of threats that make it through your world class information security perimeter.
Since this identifies the worst of the worst and likely the most entrenched adversary, the whole reason you do this is to finally say you have reduced the surprise factor of network security management to a known level.

4 Tips to Give You Greater Network Visibility and Prepare You to Survive a Breach
No. 1: Ensure that you have logs, and that they are protected.
No. 2: Keep your database of systems and applications up-to-date. 
No. 3: Have a method to capture network traffic and to send alerts. 
No. 4: Make a plan for responding to a data breach and write it down.
Link: What’s next for threat intelligence? 
Nearly every security vendor wants to get in on the action and the majority of security operations groups are either being told by their management to get on board with it, or they’ve attended various security conferences and realised they need to add threat intelligence into their security program. 
At some stage, every CISO or SOC manager will be asked by management, concerned about the latest hack: What do you know about it? How does it affect us? What are we doing about it? 
A solid threat intelligence strategy provides you with a means of being proactive and ensuring that you’re on top of your cyber security, so that you’re in a position to answer these questions before they are even asked. 
On a network, there are only three things security operators need to deal with: noise, nuisance and threats. 
You need to filter out the noise (blocking it at the perimeter or detecting it and automatically remediating), focus on threats (the real gotchas that can negatively impact shareholder value) and determine if a nuisance is actually noise or a threat and deal with it accordingly. 
An effective threat intelligence platform helps organise the threats and provides the information you need to isolate what really matters. 
Once you are using threat intelligence to improve communications and focus your resources, you can start diving into risk management. 
A threat intelligence platform lets you take a more strategic view of the business critical assets you need to protect, the threats that are targeting these assets and the ways in which they are going about it, and the countermeasures you have in place.
Link: RiskSense Selected Best Cyber Risk Management Software of the Year 
SUNNYVALE, Calif. & ALBUQUERQUE, N.M.—(BUSINESS WIRE)—RiskSense® Inc., the pioneer and market leader in pro-active cyber risk management, today announced that the company’s cyber risk management platform was selected Best Cyber Risk Management Software of 2016 in the 8th Annual Security Products Magazine New Product of the Year Awards.
The RiskSense Platform was recognized for its innovations in intelligence-driven cyber risk analytics, which identify threats in near real-time based on business risk criticality across the entire attack surface of an organization, and prioritize closed-loop remediation efforts.
Link: InCommon Enters Proof of Concept for Federated Incident Response 
With InCommon interconnected to the global federation community, participants now have the opportunity to take part in and support policies and standards being developed internationally.
One of the most promising collaborations in this area is the Security Incident Response Trust Framework for Federated Identity (Sirtfi).
Developed by a working group comprising international research, campus, and federation operator community members, this framework and the related entity tags for IdPs and SPs serve as a first iteration of a global federated incident response approach. 
This proof of concept will include narrowly scoped support for Sirtfi, including:
-  Importing the Sirtfi entity attribute for those international IdPs and SPs that have chosen to adhere to the specification, along with importing the REFEDS Security Contact metadata into InCommon metadata from eduGAIN.
-  Adding to the InCommon aggregate and exporting to eduGAIN the REFEDS security contact and the Sirtfi entity attribute on the entity descriptors of the following IdPs:
   —  NCSA
   —  LIGO
   —  The University of Chicago
-  Adding the Sirtfi tag to several LIGO SPs
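A federation operator importing these two pieces of metadata will want to verify, per entity, that the Sirtfi entity attribute and the REFEDS security contact are actually present and that they agree with each other. The block below is an added example, not InCommon's or eduGAIN's code; it assumes the identifiers published in the REFEDS specifications (the assurance-certification attribute name with value https://refeds.org/sirtfi, and the remd:contactType security URI), and the metadata aggregate it parses is constructed.

```python
"""Sirtfi and REFEDS security-contact check over SAML metadata.

Added example, not InCommon's or eduGAIN's code. It assumes the identifiers
from the REFEDS specifications (entity attribute name and value, and the
remd:contactType URI below); the aggregate is constructed for the example.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REMD = "http://refeds.org/metadata"
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"

# Constructed aggregate: one entity with tag and contact, one with the tag
# only, one with a contact only.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}"
    xmlns:mdattr="{MDATTR}" xmlns:saml="{SAML}" xmlns:remd="{REMD}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_ATTR}">
        <saml:AttributeValue>{SIRTFI}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:ContactPerson contactType="other" remd:contactType="{SECURITY_CONTACT}">
      <md:EmailAddress>mailto:security@example.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_ATTR}">
        <saml:AttributeValue>{SIRTFI}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:helpdesk@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.net/idp">
    <md:ContactPerson contactType="other" remd:contactType="{SECURITY_CONTACT}">
      <md:EmailAddress>mailto:abuse@example.net</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def sirtfi_report(metadata_xml):
    """Map each entityID to whether it asserts Sirtfi and which
    security-contact e-mail addresses it publishes."""
    report = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        attrs = ed.findall(f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes"
                           f"/{{{SAML}}}Attribute")
        asserts = any(a.get("Name") == ASSURANCE_ATTR and any(
            (v.text or "").strip() == SIRTFI
            for v in a.findall(f"{{{SAML}}}AttributeValue")) for a in attrs)
        contacts = [(e.text or "").strip()
                    for cp in ed.findall(f"{{{MD}}}ContactPerson")
                    if cp.get(f"{{{REMD}}}contactType") == SECURITY_CONTACT
                    for e in cp.findall(f"{{{MD}}}EmailAddress")]
        report[ed.get("entityID")] = {"sirtfi": asserts,
                                      "security_contacts": contacts}
    return report

def inconsistent_entities(report):
    """Entities asserting Sirtfi without a published security contact,
    worth querying with the operator before re-exporting the tag."""
    return sorted(e for e, r in report.items()
                  if r["sirtfi"] and not r["security_contacts"])
```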

AI will help virtualised data containers manage their own security, access control
Although virtualised data 'enclaves' offer the best control over enterprise data now, CISOs will increasingly rely on artificial intelligence (AI) technologies to keep ahead of changing threat exposures as data becomes increasingly “self controlling”, one leading security strategist has predicted. 
Organisations that use virtualised enclaves to contain and segregate enterprise data in mobile devices “are getting the best return on their investment,” Citrix chief security strategist Kurt Roemer told CSO Australia. “By mobilising data in an enterprise container that's treated as a set of project-based enclaves on the mobile device, your enterprise data never leaves your control.
That lets you focus resources on sensitive data and not just on the security technologies and controls that are supposed to apply to everything.” 
AI tools will be essential in “considering the workflows that take into account the different relationships, networks, and boundary conditions that help provide the right level of risk in the organisation,” Roemer said. “When you do that, it often leads you to different conclusions than you get on the network you may have in place right now.” 
Fully realising the potential of AI technologies will require a more mature perspective of the technology, he added, noting that most organisations still think of AI primarily as a tool for automating security log analysis. 
Those insights would become more evident as AI tools allowed security monitoring policies to extend to parts of the enterprise that might never normally be visible in the same context.
For example, AI might not only be used to look for anomaly conditions and alert administrators, but to monitor paths of communication between application components and automatically reroute that traffic if an issue is detected. 
These decisions will be adaptable based on the circumstances of access – for example, the location or device used by the person requesting access – and enforced at a highly granular level. “An AI based system will be able to look at intelligence systems, contracts, and business relationships, then decide whether a system should still be accessible and whether someone has the right to share that data or not,” Roemer said, noting that the 'all-access pass' – conventional user ID-and-password gateways – had to evolve. “Access needs to be continually evaluated and contextual,” he explained, “and ultimately data is going to need to be really self-controlling.
All of us change our situations throughout the day and your access needs to be constantly evolving to meet the unique risks of each of those situations.
Eliminating the all-access path is about making the access very specific to the risk that is presented.”

Japanese government plans cyber attack institute
The government of Japan will create an institute to train employees to counter cyber attacks.
The institute, which will be operational early next year, will focus on preventing cyber attacks on electrical systems and other infrastructure. 
The training institute, which will operate as part of Japan’s Information Technology Promotion Agency (IPA), is the first center for training in Japan to focus on preventing cyber attacks.
A government source said that the primary aims will be preventing a large-scale blackout during the Tokyo Olympics and Paralympics in 2020, and stopping leaks of sensitive power plant designs.