CyberWire Daily - 2018 RSAC Outlook. [Special Editions]
Episode Date: May 8, 2018
Just before the RSA conference this year, we spoke with a pair of industry experts for their take on the year so far, and what they expect to see in the coming months. In this CyberWire Special Edition, we hear from Craig Williams, Director of Talos Outreach at Cisco, and later in the show from Jon Rooney, Vice President of Product Marketing at Splunk.
Transcript
You're listening to the CyberWire Network, powered by N2K.
This is a CyberWire special edition. I'm Dave Bittner. From time to time, we gather content from interesting people in the cybersecurity industry
that doesn't neatly fit within the confines of our daily summary or research Saturday show.
Just before the RSA conference this year, I spoke with a pair of industry experts for their take on the year so far
and what they expect to see in the coming months.
In this CyberWire special edition, we hear from Craig Williams, Director of Talos Outreach at Cisco, and later in the show from Jon Rooney,
Vice President of Product Marketing at Splunk. Stay with us.
You know, I think for me, if I had to define 2017 in terms of like a single threat,
I think everyone would agree that 2017 was really the year of ransomware.
That's Craig Williams. He's the director of Talos Outreach at Cisco.
Ransomware has been around since the 80s.
But when we combine the idea of ransomware with Tor and cryptocurrencies, that's really what allowed it to take off. And I think in 2017,
the inertia from previous years really hit an all-time peak. What's really interesting is the
cryptocurrency markets, right? We've recently published a study showing that most exploit
kits that we've observed throughout the year are now moving over towards crypto mining.
So think about the way ransomware works, right?
If you have a ransomware network of victims, a very, very small amount of that actually pay.
It's like 1% or 2%, potentially even less than that.
On the other hand, if you're mining some of these cryptocurrencies like Monero that are designed to be ASIC resistant, you can still get about a quarter out per home machine.
So say we have a 10,000, 100,000 node botnet, we're getting a quarter per machine every day.
You combine that with the fact that it's relatively undetectable for the average home user
and it's not taking down networks. It's not taking down hospitals.
It's not, you know, rendering MRI machines and CAT scanners useless. It's actually doing very,
very little to the victims other than costing them power. It's very unlikely attackers are
going to be investigated for it. So when you look at it from a high level, cryptocurrency
mining is going to have a more regular payout, potentially a higher payout, and it's going to be much less likely for the attackers. So if I had to throw a wild guess out, I think
2018 is going to be the year of crypto mining. Now, in terms of the market, I think last year,
walking around the show floor at RSA, certainly artificial intelligence and machine learning were
hot topics, if not the hot topic. It was on everyone's lips.
Do you think that trend is going to continue or do you think we're going to move on to something
different this year? You know, I think there are going to still be people out there talking about
it. You know, I think it's going to change a little bit, though. The hype around cryptocurrencies
has technology like blockchain being a buzzword everywhere, even in a lot of places where it may not be appropriate.
So I'm sure we're going to still see machine learning and AI, but I really think they're
going to start taking a step back for things like blockchain that are centered around cryptocurrency.
And what do you suppose the effect of GDPR is going to be on the industry this year?
Well, I think we're going to see a lot more people taking data privacy seriously,
especially in light of the things like the recent Facebook and Cambridge Analytica issues. I think we're going to all take a step back and look at, am I securing my data?
How am I going to secure my data?
You combine that with things like 2017 being the year of ransomware,
I think data protection has really moved into the boardroom,
and it's going to be a primary discussion. Looking at the business side of things,
do you think we're going to see much consolidation? Are we going to continue to see
an explosive growth of startups? What do you see the trends in that direction?
That's a tough question. I think we're going to still see startups. I think we're going to start
seeing probably still niche startups coming out. You know, one of the things that I think is always frustrating from a
researcher standpoint is often we see startups with good ideas, but the product is just not
quite there, right? It'll be a fragment of a good idea, but it won't be functional. It won't be able
to meet the proper requirements. And so I hope this year that we're going to see some more solid products,
some more leaps forward in detection technology.
What do you suppose we're in for in terms of IoT?
I don't think there's going to be a magic bullet for IoT, right?
The problem with IoT is that there are already millions and millions of devices out there
that are unmanaged and unpatched.
I hope going forward that we come up with something vendor agnostic, something global
that will help us find a way to keep these devices updated. But the problem is the issues already
exist. So we need to find a way to stop the issue from getting worse and we need to find a way to
fix the existing problem. Overall, do you
think that 2018 is going to be a year that we gain ground or are we going to keep pace with where we've
been or do you think we might lose ground this year? I think it really depends on which markets
we're talking about. You know, I think for the average home user, this might be a year we gain
ground, right? If what we're seeing now continues to hold true, and if the crypto markets don't crash, home users are going to seem more protected. We're going to
see less people affected by ransomware because we're going to have more adversaries using crypto
mining. And so for the average home user, that's going to seem like a great success.
You know, on the other hand, when we look at well-sponsored threats or nation-state attacks,
we're really seeing a surge in attacks against non-strategic targets, right? Attacks like NotPetya targeting Ukraine, just wiping out
thousands of systems, and attacks like Olympic Destroyer with seemingly no consequences for
our adversaries. Now, in terms of advice and guidance for the people you work with, for your customers,
what are you telling them in terms of setting their priorities and shaping their budgets?
So that's a good question.
I think there's lots of little easy things that companies can do to try and protect themselves a little bit better this year.
You know, the first one is let's learn from the NotPetya attack, right?
Look for software that you're using
that's not from a large company
and make sure that they're publishing CVEs.
If they're not publishing CVEs,
you may want to be concerned about a supply chain attack.
We saw several last year.
We saw M.E.Doc in the Ukraine
and then we saw the CCleaner situation
mostly spread all over the world.
But I think given those two scenarios,
we're going to see more people look at supply chain attacks.
So if you're using small niche software,
be sure and segment those machines off
as aggressively as you can, right?
Your thermostat shouldn't need to talk
to your web server, for example.
And so make sure that when you're segmenting those off,
you plan on something going wrong
and only give access where it's actually needed.
I think the second thing is realize that every single hard drive ever will fail, right?
You're going to lose that data.
Now, the question is, do you want to back that data up before you lose it?
Or do you want to just roll the dice and hope you can recover it from a dying hard drive
as it starts spiraling down the hole?
The third one that's really easy is start turning on automatic patching where you can. You know, go into your web browser, set it to update automatically,
right? Go into your OS, set it to update automatically if you can. I mean, obviously,
you can't do this on servers, but I think you could do it on most end users' computers without
too much of a problem. And if we wanted to go an extra mile, make sure that you're using unique
passwords everywhere. Those simple things can really help make a difference if you get compromised.
You know, I think with Olympic Destroyer having recently happened,
we did see a very new technique of attackers intentionally planting false flags in that malware.
And so I think we're going to start seeing more of that in 2018.
You know, Olympic Destroyer was a very, very effective piece of wiper malware
designed to disrupt the Olympics, right, and potentially embarrass the Olympic Committee.
And I think people need to realize that because it got so much press and because it was so effective
and the fact that the false flags worked and tricked a lot of research organizations and
tricked a lot of members of the press, we're going to see that used in other ops.
And so what I think everyone needs to realize in 2018, you cannot do effective malware attribution based off the sample alone. In order to do effective threat attribution, you've got to
combine your malware research with a traditional intelligence apparatus.
Yeah, it's an interesting point. Because one thing I hear more and more is people saying that, well, attribution doesn't really matter for most folks.
And that's true.
It doesn't, right?
You know, I keep asking Chuck when he's going to get Talos its own battle group, but I really think it's not going to happen anytime soon.
And so, you know, when we track malware, we don't worry so much about attribution.
We worry about tactics, techniques, and procedures so that we can identify similar campaigns. And so we can identify campaigns that we believe may be related,
and that can help us predict what the attackers are after, what their motive might be,
and what their end goal might be. And that's really what we use to protect customers.
One of the things that we've seen is the shift towards sort of analytics-driven security.
That's Jon Rooney. He's the vice president of product marketing at Splunk.
Rather than just sort of pulling stuff in and trying to detect, but understanding, you know, we've said for years at Spl, whether you're talking about customers or additional vendors are starting to get on that page and realizing that, you know, the attack
surface is the horizon and that the only way, you know, to sort of have a chance against,
you know, an attack surface that large is to look at all the data and take an analytics-driven
approach. That's sort of a very broad level. I would say on a more specific level,
and I think you've seen it with what the individual vendors are doing, is two, three,
four years ago, the notion of machine learning techniques applied to security use cases felt very much like a sidecar. It was a sort of additional thing. And, you know, you thought of UBA products as something that might be complementary to what you would see in a SIEM versus, you know, it's actually part of the same processes.
It's part of the same workload.
Whether you're talking about what the vendors are doing or sort of the influential industry analysts, I think there's this convergence. The same way that whatever it was 10, 15 years ago, people had TiVo, and now it's just a feature that's sitting in your DVR box,
if you're not a cord cutter and old like me. I think it's fair to say that AI and machine
learning were very much a buzzword. And so I think that made it challenging to cut through
some of that marketing noise. Do you suspect that this year things are going to settle down on that front some? I don't know that the noise is going to subside at all. I think you
see it more and more. However, I think what people are doing is people are spending the time to dig
in, like, what does that really mean? And even from a terminology standpoint, you know, we've
talked about machine learning in very specific ways for a number of years. And that's more, I think, a function of how our software works and how our software has
always sort of worked. And the notion of training your data to look for anomalies, to look at
patterns, to suppress events, to being very specific functions that tie into the work that,
you know, security professionals need to do as part of their day-to-day jobs. So if anything, we've maybe underplayed it a little bit in terms of those capabilities.
There's always going to be hype.
There's always going to be.
It's nice that AI is the new DevOps, which is the new cloud, which is the new SOA.
We know that this happens.
It gets frothy in our industry.
But I think that we're finally at a point of deeper
consideration where people are, they're doing their homework, they're reading the back of the
box and saying, what is this again? And how does this work? And so we've been really specific where
we're not necessarily, you know, spray painting the market with AI all over the place. We're very
specific in the areas in which we apply AI in our user
behavior analytics product to do threat detection, in particular insider threat detection through
anomaly, single and multivariate anomaly detection as well as a number of other very specific
techniques.
And I think that's where I think the interesting thing about what's going to happen in the
market with AI this year is there's going to be a bridge built between the super high-level marketing fuzz
and then the super down-in-the-weeds algorithm talk that most people's eyes glaze over with.
There's going to be a translation layer.
And it's on the customer.
It's on every customer.
It's on every vendor to sort of make that translation layer as meaningful as possible.
And have you seen an evolution in the types of questions that your customers are coming to you with?
Absolutely, yeah.
I mean, I think, you know, two, three years ago, it wasn't even a shotgun.
It was sort of like, tell me about what AI is.
Whereas now we're getting very specific questions about event grouping.
We're getting very specific questions about what types of anomaly detection,
how can you train the data, what is the interaction that I have as an operator to
sort of be on a dimmer switch between having this be a black box and then having it be
hard math that I need to hire a Stanford or Berkeley PhD to man the other end of.
Again, I think that is indicative of people realizing,
hey, this stuff is valuable.
Again, as I mentioned before, the attack surface is the horizon.
So I can't hire enough smart security professionals.
How do I get leverage?
How do I get sort of logarithmic leverage in the org?
And what does it actually mean to me?
And in terms of the evolution of the threats themselves,
what directions do you see those taking in the next year or so?
I mean, I think, you know, we've certainly seen the gamut this year
in terms of the popular imagination being taken over by some pretty sophisticated,
pretty nuanced stuff, to also being some, like a lot of just brute force,
dumb, you know, bad hygiene stuff.
And I think that the fact that both of those, you know, both ends of the continuum are still something that every organization needs to worry about just sort of highlights the problem that we haven't outgrown just poor password hygiene.
We haven't outgrown just people leaving dumb ports
open that they shouldn't be leaving open.
And I think the notion is no
amount of automated
hardening will forever wipe
the earth of that. That being said,
on the other front that people are
fighting is very sophisticated,
very nuanced attack services.
And then you get all the way down to
the hardware and the chip level,
like everyone dealt with over Christmas vacation with some of those issues.
That's a big span, right?
That's a big span to have to worry about.
When you look across the industry,
do you think that we're going to be seeing more of these consolidations,
more of these acquisitions?
Are there too many providers right now?
I think these things are always cyclical. I mean, I think as additional capabilities and as
additional categories exist, it's possible you'll see additional rounds of acquisitions. I mean,
going back to the AI stuff, we picked up Rocana and SignalSense this year as additional acquisitions
that were, in some cases, around technology, but also in other cases, really more about a talent.
But, you know, I think that's the question.
That's the eternal question that every venture capital firm, you know, makes when they make
an A round of funding.
Is this a feature or is this a company?
In some cases, it's just going to end up being a feature in a suite.
In other cases, it's going to be a massive company.
Our thanks to Craig Williams and Jon Rooney for joining us.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our show is produced by Pratt Street Media with editor John Petrick, social media editor Jennifer Ivan, technical editor Chris Russell, executive editor Peter Kilby, and I'm Dave Bittner.
Thanks for listening.