Q: DarkMatter recently participated in a CIO Summit in the Middle East where you had an opportunity to meet with senior IT executives from the Oil & Gas, Public Sector, Financial Services and other sectors. What was the main takeaway from those meetings?
Faisal Al Bannai: Our conversations across industry segments in the Middle East remain consistent. Institutions are realising at differing rates and on various levels that cyber security is becoming a central theme for the further advancement of their businesses and industries.
We also find an acknowledgement by entities that they do not have a full understanding of the threat landscape that they face, who the main threat players are, what data assets they are specifically targeting, or how best to prepare for possible attacks.
As in other parts of the world, the number of cyber breaches being picked up and reported by the media is increasing rapidly. We see the Public Sector (including critical national infrastructure), Financial Services, Oil & Gas, and Telecom being sectors that are intensively targeted by cyber criminals given their high profile and the potential financial or strategic gains to be made.
Our conversations with entities across all of these sectors, and institutions in general, centres around our belief that contextualisation is the first and most important step towards an effective and actionable cyber programme. An entity cannot defend itself from what it does not understand, and so it is crucial it familiarises itself with its cyber risk profile before any management of the risk can begin in earnest. This involves the entity understanding its assets, its vulnerabilities, the full range of threats it may face, and the capabilities of those threats.
Our cyber security capabilities, which we look to pass along to our clients, are underpinned by a commitment to the DarkMatter Cyber Security life-cycle, which is a four-stage approach encompassing planning, detection, protection, and recovery.
Q: DarkMatter earlier this year opened an R&D centre in Toronto, Canada. What is the main focus of the research activities in the centre?
Al Bannai: DarkMatter's facility in Toronto focuses on the advancement of our secure communications technologies and works in concert with our R&D centres in the UAE and China. The facility is expanding rapidly and we continue to actively seek to hire engineers with experience across multiple disciplines and planforms, including embedded systems, mobile, desktop, server and IoT.
DarkMatter's secure communications applications are designed to offer government entities and security-conscious businesses in the Middle East region and further afield the ability to deploy and utilise a regionally developed, world-class offering. Earlier this year we announced the introduction of our Voice and Chat application for iOS and Android, which was developed with the support of the centre in Toronto.
The application provides end-to-end secure communications, based on the latest advancements in cryptography, cryptographic implementations, and network protocols. It is based on a software and hardware security co-design and incorporates an advanced hardware-based cryptographic chip to ensure security and prevent tampering.
The Voice and Chat application also features secure back-end infrastructure to allow secure communications, and was implemented in partnership with leading technology firms. DarkMatter experts and global test and validation labs also conducted extensive black-box and white-box testing of the application.
Q: What drove your entry into the secure communications space with your Secure Voice and Chat application? What are the opportunities you see for DarkMatter in this space?
Al Bannai: I have been personally involved in the Information and Communications Technology (ICT) sector for almost 20 years, and within that time I have witnessed it becoming increasingly converged. Given the amount of data being transmitted across networks and the number of connected devices and sensors in the modern world, cyber security has grown to become a critical issue for protecting nations and their digital assets.
One only needs to read the news headlines around the world on a daily basis to see how the number and sophistication of cyber breaches is rising all the time, and some of the consequences of these cases are dire.
The growth in the use of mobile connectivity, and smartphones in particular, made it clear that there was a genuine requirement for these types of devices to become better protected as their processing power and level of interconnectivity increased. Cameras, location services, and downloadable applications all contribute to increasing the attack surface faced by smartphones, and our Secure Communications Suite looks to minimise that threat.
DarkMatter's suite is already vetted and approved, protecting mobile voice and video communications, chat, email, and file sharing, as well as device management on iOS and Android smartphones, and all types of embedded devices. DarkMatter's suite of mobile applications runs on hardened operating systems, and is enabled via managed services across our secure cloud infrastructure, or through onsite deployments for clients wishing to manage the infrastructure themselves.
Thus, we provide services and products targeted at protecting the confidentiality and integrity of voice; video and overall data communication over the mobile network, IP layer.
Q: DarkMatter has sponsored a workshop on some of the cybersecurity challenges facing organisations in the Middle East region. What do you want participants to know about initiatives like Resilient Smart Governments and National Security Operations Centres?
Al Bannai: The Middle East is a complex mix of developed and developing economies, with varying levels of infrastructure deployment, and ICT connectivity. Compounding these variances are the geo-political overtures present in the region, which create a patchwork of allies and adversaries in a concentration that is probably not found anywhere else on the planet.
As I stated earlier, it is crucial for an entity to gain awareness of its cyber environment, and only once the organisation has a firm handle on its risk profile can it then move to take appropriate steps to implement a cyber security programme, which is effectively a three-part process encompassing visibility, intelligence and integration.
Visibility means truly understanding the assets, configurations, and users of the entity's network, systems, information, and its current state. Intelligence helps an organisation understand the threats it faces as well as the capabilities, motivation, and resources of the potential attacker. Integration aggregates the information found in the other two phases, and displays it in a format that can be readily understood by decision makers to enable them to act quickly.
These three steps are best undertaken by a cyber security specialist that is based in the region and understands that often-time the success of a sustainable cyber security posture depends on more than just technology, people, and processes.
Q: Dark Reading recently celebrated its 10th anniversary. What would you say have been the biggest changes in the security industry in the last 10 years?
Tim Wilson: In the past decade, the IT security industry has seen everyday changes that would seem like earthquakes in other industries. We've seen the emergence of botnets that were bigger than some service provider networks. We've seen single breaches that affected billions of end users. We've seen vulnerabilities that affected not only whole industries, but the very fabric of the Internet.
The attackers have changed. Over the last decade, the face of the hacker has evolved from the nerdy teenager to the organized criminal, the political hacktivist and the state-sponsored hacking team. And their methods are as varied as their motivations.
The nature of the security profession has changed, too. We've gone from guards at the gates to online detectives, constantly searching for that one unseen attack hiding deep in our code. Signatures gave way to behavior. Perimeter security gave way to a risk-based approach. And the IT security person – once sequestered in a small cube in the data center – now is part of some of business' most crucial risk discussions.
When it comes to the state of the industry, I think the biggest change is that security professionals no longer believe they can prevent a breach. They can reduce risk and mitigate the impact of a compromise, but no one believes that they can completely stop attackers from breaching their IT environment. As a result, there is much more emphasis on forensics and incident response today than there was 10 years ago. It's about finding the attacks that your conventional defenses have missed.
Perhaps what is more significant is the one thing that HASN'T changed – we're still being breached. By most measures, we're spending more money every year on IT security, but the frequency of breaches – as well as their size and scope – continue to grow. We haven't found the answers yet.
Q: Why have defenders continued to lose ground against the adversaries despite all the money that has been poured into cybersecurity and all the security technologies that have become available over the past decade?
Wilson: There are many reasons why we're still struggling in the security industry, but I think one of the most important is that while attackers work well in a sort of community environment, most defenders – both enterprises and the vendors that serve them – tend to work in a vacuum. Enterprises tend to develop their own separate security strategies for their own data – but in reality, every enterprise IT environment is a network of suppliers, partners, and customers linked together by a variety of service providers, from cloud to mobile. It doesn't make sense for each enterprise to focus so heavily on "internal security" or a corporate perimeter when in fact the data is moving rapidly across a variety of infrastructures to a variety of players that the IT department doesn't control.
And then there are vendors, most of whom don't even want to acknowledge that there are other vendors in the data center, much less competitors in the marketplace. My email inbox is full of claims that say, ‘We're the only vendor doing this.' But if that's true, then every enterprise needs products from 1,440 vendors, doesn't it? And not one of those products will work with the others. It's this sort of thinking that has caused enterprises to purchase so many single-function products – and it's the reason why enterprises have made little progress in defending themselves from breaches, despite spending more money on security than ever before.
Finally, there's the law enforcement problem, in that most nations address cyber security laws and enforcement only within their own borders. But the Internet is everywhere, and criminals who are concerned about law enforcement in one country can simply move their base to another country where the law enforcement isn't as strict. We can't stop computer crime locally or regionally – it has to be addressed and enforced globally. Until that happens, the bad guys will continue to win.
Q: Looking forward to the next 10 years what do you see as some of the biggest challenges facing enterprises on the cybersecurity front?
Wilson: Again, there are a lot of answers to this question, and I've addressed a few of them in the previous answers. Enterprises must stop looking at security in a vacuum and begin sharing information – as the attackers do so effectively. Vendors must stop inventing new, stand-alone products that solve only one problem – and don't work together. Enterprises must stop fighting fires long enough to develop a real security architecture that goes beyond simple layering of disparate technologies. Businesses must make a sincere investment in IT security staffing and training. End users must recognize that their unsafe behavior affects not only their own data, but the entire organization.
One of the biggest challenges that the industry will face is the sheer scope of the problem. Computing is growing at an unprecedented pace – think of the rapid growth in computer memory and network speeds, there is so much data that can be stored on a single mobile device. And there are more computers and mobile devices than ever, and that growth is out of control. Now, on top of all that, think about the Internet of Things – the addition of computer intelligence to everything from children's toys to manufacturing robots to the systems that control our critical infrastructure. Us older IT professionals still tend to think of IT security as device control – secure every device in the network, and you've secured your data. But that's not going to be possible in the future. We have to stop thinking about securing devices and start thinking about securing the data itself.
A related issue is the shortage of skilled security professionals. Given the size and scope of the problem, we'll never be able to train and employ enough people to keep up with the security problem. We have to put more thought into ways of automating security and reducing reliance on the human element. We've spent the last decade increasing security spending and adding more people to the security workforce – those things help, but they haven't solved the problem. We need better tools and strategies that can grow with the scope of the IT environment.
Q: Dark Reading has sponsored two workshops—one on attack vectors and the other on threat intelligence—at Black Hat USA. What are some of the key topics/issues in each of these two areas that you plan on highlighting at the event?
Wilson: Our session on choosing an attack vector discusses why an attacker would choose a different approach – say a mobile device hack or a network exploit – for some attacks while using more traditional approaches – usually app-level vectors such as SQL injection or cross-site scripting – for other attacks. We're pulling experts from each of these areas into a room so that they can interact and discuss why an enterprise might need to worry more about one vector than another, depending on the systems and data they are trying to defend. It's sort of like putting experts on cracking locks, stealing user identities, and armed robbers all in a room together to discuss the most effective way to rob a house. All of their methods will work, but some are more practical than others – and that gives the house's defender some ideas on how to spend their home security dollar.
Our session on threat intelligence focuses on the many sources of threat intel – which can range from a simple CERT feed to a full-service firehouse of dozens of different threat sources – and how to parse them to find relevant data that actually helps in enterprise defense. So many companies today are subscribing to these threat feeds, yet they don't know how to ferret out the relevant information or how to tie it to their internal security event information to help identify an actual exploit. We'll be discussing how enterprises can mine threat intelligence to directly aid in defense – and also how enterprises can share threat information with other enterprises to make whole supply chains and industries stronger.
Q: As an organization in the Defense Industrial Sector, Leidos has a lot of experience dealing with advanced malware from a wide range of threat actors. How are you leveraging that experience in delivering cybersecurity services and solutions to your clients?
Chris Williams: We have found that oftentimes, the techniques being used against commercial targets today are the same techniques that emerged in the defense sector years before. Consequently, this "trickle-down effect" provides some degree of headlight visibility into the different types and levels of sophisticated attack to be expected in other sectors. For example, while today's latest strain of ransomware may be a new piece of malware, the techniques that it uses to propagate, obtain privileges, and damage its target's infrastructure are familiar to us through our extensive experience in providing cybersecurity to national security customers. Leidos' commercial cyber practice draws directly from our national security cyber practice, and in fact many of our commercial cybersecurity personnel have government clearances and routinely support our government clients. We believe that cross pollinating skills, personnel and insight between our national security and commercial practices create positive outcomes in both markets.
Q: What exactly is a predictive cyber situational awareness capability?
Williams: Cyber situational awareness is about having a holistic understanding of what is happening in the cyber environment from the macro to the micro level to enable effective decision making. Infusing predictive capability into cyber situational awareness is about providing the means to anticipate the nature and impact of potential attacks so proper preparations can be made beforehand and effective actions can be taken both during and after the cyberattacks that will inevitably take place. Predictive capability in cyber situational awareness requires a mélange of ingredients including a deep understanding of the tools, techniques, and procedures (TTPs) used by different classes of attackers at various stages of maturity as well as the indicators of compromise (IOCs) when environments have been infiltrated. Having lists of IP addresses, DNS network names, or network data signatures is necessary but not sufficient. Developing detailed patterns that can be used to detect these attacks beforehand and having the institutional knowledge of the attackers and their behaviors and techniques are also important. Cyber, at its core, is a system of systems problem. Injecting predictive capability requires rich architectural understanding of the multi-threaded link between the client's inherent vulnerability versus the threat continuum and how the cyber capabilities and operational processes can be leveraged to mitigate risks a priori.
Q: Leidos has sponsored a workshop on encrypted ransomware at Black Hat USA? Why that topic? What do you want participants to learn about the threat?
Williams: Ransomware marks an interesting milestone in the evolution of malware and cyberattacks. Due to massive cyber breaches like what happened at Target, we have seen the black market value of cyber information plummet. This includes Social Security Numbers (SSNs), credit card numbers, and even health care records. Cyberattackers – particularly professional cybercrime rings out of Europe – have realized that sensitive data is always more valuable to its original owner than it is to the black market. Why try to sell this data to an uninterested third party at wholesale rates when you can sell it back to its original owner at retail prices?
Now, for the victim to want to pay up, you have to compromise their data so badly that it is cheaper to pay you the ransom than it is to recover the data. That's where things start to get interesting. Ransomware on a couple of computers in an enterprise environment is not going to pose a serious threat. You have to put ransomware on a majority of the computers in the enterprise, or you have to put it on the most critical systems – like the Electronic Health Records (EHR) or other mission-critical applications – for the victim to take notice. And to accomplish that level of compromise, the attacker has to use the same Advanced Persistent Threat (APT) techniques that we have been observing in the national security sector for the past decade. So our goal is to educate participants on how to counter this new wave of APT ransomware
Q: What were the main takeaways from your recent webinar on the evolving nature of threats and IT complexity on enterprises?
John Dumbleton: Masergy recently held a webinar on Rethinking Cyber Security with David Venable, VP of Cybersecurity at Masergy and Jeff Pollard, key Forrester analyst for security. As per a recent Forrester Consulting survey of more than 100 IT security decision-makers:
Here are the key takeaways from the Rethinking Cyber Security webinar:
Q: Masergy's Unified Enterprise Solution (UES) incorporates a patented Network Behavioral Analysis technology. What exactly is it and how does it help identify attacks faster and more accurately?
Dumbleton: Masergy's patented network behavioral analysis provides a systematic, architectural approach to network security. It performs deep packet analysis to spot advanced persistent threats (APTs) and zero-day attacks.
Masergy's UES differentiates from other security offerings in many ways:
Leveraging Masergy's patented behavioral analysis and correlation system, companies get better predictive and proactive threat data because the potential for an intrusion is discovered earlier and at a more detailed level. This enables companies to enact more specific countermeasures earlier before the threat causes material harm.
Q: Why is SIEM technology not sufficient for dealing with Advanced Persistent Threats?
Dumbleton: The idea behind SIEM technology – having a single pane-of-glass view of an organization's security position and advanced reporting of incidents – is enticing. And, by and large, these systems are equipped to start an organization down the road to better protecting the business from more surreptitious threats.
SIEMs generally include built-in API and connector support for collecting information from common critical infrastructure, such as servers and firewalls. They operate in real-time across the enterprise, and support dashboards, reports and correlation rules that address many common security and compliance scenarios.
SIEMs are resource intensive systems to implement and use. By some estimates, it takes over 12 months to complete a SIEM implementation. Once in place, they can generate huge volumes of alerts, which require extensive IT resources to investigate.
Researchers such as Gartner and Deloitte have found that SIEMs carry high transaction costs and fails to yield the intended results. Ultimately, such failure has also led to the lack thereof of actionable intelligence, resulting in exfiltration of data and information by both internal and external perpetrators. See our infographic on Why SIEMs are not enough.
Q: Masergy has sponsored two workshops at Black Hat USA? Why are these workshops important to your marketing strategy?
Dumbleton: Masergy sponsored the workshops at Black Hat 2016 to help IT decision makers cut through the hype around two key industry trends: machine learning and security outsourcing. Masergy Chief Scientist Mike Stute has a unique view on machine learning, artificial intelligence and their effect on cybersecurity. After Mike's workshop, Black Hat attendees will be better equipped to ask vendors the hard questions about their machine learning-based products.
Masergy VP of Cybersecurity David Venable's workshop on how enterprises can build an efficient security program is quickly becoming the must-attend workshop of the show. David's experiences at the National Security Agency enable him to educate Black Hat attendees on how their IT organizations can mitigate risks from cyber criminals, hacktivists and state-sponsored attackers.
While Masergy's portfolio of patented technologies and comprehensive services are well liked, they're not as well known as we want them to be. By sponsoring these workshops at Black Hat 2016, Masergy is raising our profile among CISOs and other key decision makers in the enterprise IT space.
