CyberWire Daily - RSA Special: Emerging Technologies [Special Editions]
Episode Date: March 10, 2016
There was no shortage of new and innovative technology on display at the RSA conference. We sat down with industry innovators to get their perspectives. In this RSA special edition, we’ll hear from Lance Cottrell, Chief Scientist at Ntrepid, about their secure browser technology. Emily Mossberg is from Deloitte Advisory Cyber Risk Services, and she’ll give us her perspective on emerging trends in cyber risk management. Oliver Friedrichs is the CEO of Phantom, who were the winners of this year’s RSA Sandbox competition. He stresses the importance of automation. Richard Moulds from Whitewood Encryption Systems tells us about their true random number generation and delivery system. And finally, Vikram Sharma from Quintessence Labs, whose flagship Trusted Security Foundation aims to centralize the management of encrypted keys.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In this special report, we take a look back at RSA, specifically at some of the technology trends we're seeing,
machine learning and automated analysis of big data, the importance of integrating with comprehensive solutions,
and above all, the need to cut through the glare of too much information without missing what's really important.
We'll also get some perspective on cyber risk and why coming up with random numbers is harder than one might suppose. I'm Dave Bittner in Baltimore with a CyberWire special edition on emerging technologies.
It's Wednesday, March 9th, 2016, and thanks for joining us. From the companies we spoke with at
RSA, several trends appear to be driving technology
development in the cybersecurity space. Above all, they talked about the value of automating as much
of security as possible. We didn't hear a lot of grand promises to completely dispense with human
analysts or decision makers. Indeed, we didn't hear anyone in our one-on-one discussions make
these kinds of bold claims. There's an agreement that human talent seems to be, at some level,
effectively irreplaceable. Instead, companies are offering approaches that enable human talent to raise its
game. We saw repeated emphasis on solutions that reduce the need to review logs and watch alerts,
and that promise to free human operators to look at the big picture and perform the triage
necessary to effective, timely incident response. Machine learning approaches to anomaly detection seem to be a popular option.
These are seen as cutting through noise with relatively low loss of signal,
and the ability to ingest and process very large amounts of data
was featured by many of the experts we spoke with.
Those data are increasingly accepted in unstructured form.
Finally, scalable, comprehensive security solutions are increasingly seen as vital.
This trend has a few interesting corollaries.
It offers a space for big integrators to offer managed services that cut through another form of noise,
the high volume and rate of introduction the market in security offerings sees.
Comprehensive managed security services are also scalable
and enable small and mid-sized enterprises to enjoy the security resources
formerly seen only in larger, well-resourced organizations,
dedicated security staff, SOCs, even IT teams,
and to do so in an affordable fashion.
The trend also strongly suggests that innovators with new products
would do well to develop them into offerings
that could easily integrate with larger, comprehensive solutions.
You can read about our discussions with AT&T,
Verizon, Cyphort, Cylance, Heat Software, and Zimperium in today's special RSA retrospective
on our website, thecyberwire.com. At RSA, we sat down and spoke with several innovative companies.
After the break, we'll hear what they had to tell us.
This podcast is made possible by the Economic Alliance of Greater Baltimore,
helping Maryland lead the nation in cybersecurity with a large, highly qualified workforce,
20,000 job openings, investment opportunities, and proximity to key buyers.
Learn more at greaterbaltimore.org.
There was no shortage of new and innovative technology on display at the RSA conference.
We sat down with a variety of innovators to get their perspectives.
In this RSA Special Edition, we'll hear from Lance Cottrell, Chief Scientist at Ntrepid, about their secure browser technology.
Emily Mossberg is from Deloitte Advisory Cyber Risk Services,
and she'll give us her perspective on emerging trends in cyber risk management.
Oliver Friedrichs is the CEO of Phantom, who were the winners of this year's RSA Sandbox competition.
He stresses the importance of automation.
Richard Moulds from Whitewood Encryption Systems tells us about their
true random number generation and delivery system. And finally, Vikram Sharma from Quintessence Labs,
whose flagship product, Trusted Security Foundation, aims to make security easier.
We start with Lance Cottrell from Ntrepid, who contends that web browsers are a weak link in the
security chain.
The browser's really the least secured.
That's where the biggest danger is,
because they're inherently difficult to secure.
Firewalls are just not that effective,
because it's like dealing with vampires.
You're inviting the malware in when you follow a link.
You say, no, come in.
I requested this link.
Clearly I know what I was doing.
The firewall's trying to scan it.
And of course you've got to support every kind of content imaginable.
The browser itself is a mammoth beast, right, because it's got to be able to do all these
things, and you've got the plug-ins, like our favorite plug-in Flash, it's just riddled
with insecurity, and I think fundamentally so.
Ntrepid's approach is to isolate the browser from the rest of the user's environment.
So what we're doing is we're taking the browser, standard Firefox,
and we're putting it inside a hardened Linux virtual machine running on the user's desktop.
And that virtual machine does not share file space with the host operating system.
It has no direct communications with the host operating system,
except just the video feed out, the keyboard and mouse in.
And we actually use a VPN inside that VM out to our cloud for all communication.
So even if malware got into this little box, it can't scan your local network.
It can't look for a vulnerable print server or your domain controller or something else.
It's totally isolated from
both the machine and the network. And then at the end of the session, as soon as you're done
browsing, we destroy the entire thing completely. So the malware can't persist. Trackers are totally
destroyed. And one of the wins is because we're VPNing you out, you don't have your own IP address.
You have our IP address. You don't have cookies because we destroyed them all.
And they can't browser fingerprint you because all Passages users look identical
because they're using the same virtual machine image.
So the whole thing of going to a website and being targeted suddenly disappears.
Ntrepid calls their secure browsing technology Passages,
and you can learn more about it at ntrepidcorp.com.
As we heard yesterday, actionable intelligence is intelligence that enables an enterprise to
reduce risk. Today, we hear from an expert on risk management as we talk with Deloitte's
Emily Mossberg. When we talk about cyber risk, there has been a lot of emphasis
and focus over the last several years on the elements of vulnerability and threat.
Vulnerability probably has been talked about for the longest period of time in terms of what are
the vulnerabilities specific to a piece of software or hardware,
and how could an attacker potentially get into that hardware or software.
The threat has been being talked about more recently.
I think that the dialogue around threat has really evolved over the course of the last, let's say, three to four years.
A lot more focus on who is the adversary, what is their motivation,
what are the kinds of tools and techniques that they are going to use,
what is that going to look like in terms of what the threats are that are coming at your organization.
But the piece that really hasn't been talked about very much is the impact piece.
So you think about risk, there's three elements, right?
There's the vulnerability, there's the threat, there's the impact.
And in my experience, most of the dialogue has been on the first two, the threat and the vulnerability, not on the impact.
And I think that we need to start focusing more on the impact piece.
But the important clarification there is that it's not just the technical impact of what these
incidents or attacks may look like, but what is the business impact associated with this?
And how do we bring that dialogue into the equation? Mossberg suggests
companies take a broader approach to incident response. If you look at the incident response
life cycle, there is the beginning triage phase and the immediate response. There's the intermediate
phase where you've now gotten things under control.
You've cleaned them up, but you're dealing with the immediate impacts associated with what's occurred.
Then there's the longer-term recovery.
This is where you start looking proactively at why did this happen in the first place?
Are there some foundational or fundamental changes that I need to make in
terms of the way that my business operates, the data that I'm collecting, how I'm managing that
data, etc.? And I think that what's different about this approach is that we're looking across
that entire incident response lifecycle, and we're also looking broadly across the enterprise.
Emily Mossberg says she definitely sees a shift in the conversation
along with who's having it.
This is evolving to the point where it's getting more executive management time
than it ever has before.
The boards are asking questions.
They want to know what is our posture? Are we doing
the right things? So as this becomes less of a niche technical topic and more of a front and
center boardroom topic, we've got to change our approach. We've got to change our language.
So previously, this was about bits and bytes. Have we identified and are we alerting on all of the triggers that are happening?
But that dialogue doesn't translate to the executive management board table. It doesn't
translate to the boardroom. So you've got to change the way that you're talking about it.
And there's an expectation that this is part of the executive dialogue. And so it's not that the other things aren't important anymore, but the translation layer has got to be there in order for the leaders of the organizations to feel like they're making the right decisions and to have confidence
that their cyber risk program and practitioners are doing the right things.
You can learn more about Deloitte and their cyber risk services organization at Deloitte.com.
Phantom gained notice by winning the RSA Innovation Sandbox competition.
Their technology aims to use automation to connect cybersecurity systems.
Oliver Friedrichs is Phantom's founder and CEO.
Yeah, so we deliver a purpose-built layer of connective tissue for the entire industry.
It's really the industry's first open and extendable security automation and orchestration platform,
tying together the dozens of products that the typical large enterprise has in their environment today.
You know, on the showroom floor here today, we have 551 vendors.
Each of them solves the problem in a different way, and they believe that they're the solution.
What we found, though, in the large enterprise is that they've bought 50, 60, 70 of these products from different vendors here,
and none of them actually interoperate or actually work together in any meaningful way. So as a
result, the security team is literally pivoting between dozens of different consoles on a daily
basis to try to manage their security environment, and it just doesn't scale.
Phantom is built around a response technology that they call Playbooks.
We take an alert or an input from some data source.
I mean, it might be your SIEM or your threat intelligence feed that you're getting from a threat intel provider
or even phishing emails coming out of a mailbox that your organization might be managing.
What we do is we work on that high-fidelity data source, and we allow you to build a playbook.
Now, a playbook represents really a digital version of what your manual playbook might look like.
So if you have an analyst looking at certain types of alerts coming out of your technology,
those analysts are typically following some set of procedures to take action,
whether it's investigation, containment of threats, recovery from a breach, and so on.
We codify those into a playbook, a digital playbook,
that then allows the platform to also connect to the other security
products and then execute actions on those products. So you might have a
firewall and the obvious thing to do on a firewall would be to block traffic, to block
an IP address or a port. You might have endpoints and the obvious thing to do
there might be to quarantine an endpoint from the network so that it can't
continue spreading. So there's about 120 different functions that we support
across around 40 different products today in the current platform.
According to Friedrichs, there are multiple factors at play
that make automation a must.
The other challenge is we can't hire the talent we need.
There simply aren't enough people that are qualified
to be able to staff the open positions in the industry right now.
So it's this confluence of just more events, more velocity, more products, fewer people,
and it's all compounding where we have no choice but to automate now.
You can learn more about Phantom at phantom.us.
When I was 12, I used the money I'd saved from my paper route to buy my first computer, a TRS-80.
I couldn't afford an Apple II.
I made games in BASIC and quickly realized that every time I restarted the computer,
the random numbers I needed to make my game work were coming up the same.
The built-in random number generator wasn't truly random.
So I coded an endless loop generating random
numbers until the user pressed a key on the keyboard, and just like that my game had the
random numbers it needed. Needless to say, things are a bit more complicated today.
Richard Moulds is from Whitewood Encryption Systems.
Capturing keystrokes on a keyboard is a way of generating random numbers. I mean,
it's not perfectly random, but it has randomness in it. That's okay for applications that, you know, shuffling songs on your iPod, that's fine. That's
not okay for generating, you know, thousand-bit keys for encryption. So we use actually quantum
mechanics. You actually use the random behavior of photons. It sounds, you know, it sounds crazy, like a
science experiment. In many ways it is. Photons operate and have behavior
in certain conditions that is fundamentally random. You'd literally have to change the
laws of physics to be able to influence this stuff. So we generate large volumes, hundreds
of megabits per second of perfect random numbers, and then we actually deliver them over the
network to virtual machines up in clouds or IoT devices or servers running encryption algorithms.
Richard Moulds says that at Whitewood, they envision a time in the not-too-distant future
where entropy is delivered just like so many other services we've come to take for granted.
So I think a good analogy is time. Five years ago, we would program all of our laptops and
our cell phones and our servers with time. If I had a rack of a thousand servers in my
data center,
I'd have to go along and configure the time on all these things.
And that may have been fine back then, but in the era of iTunes and Apple Pay,
all of our phones have the same time.
So time has moved from being a local issue to being a networked issue in living memory.
And I think entropy goes the same way.
When you have a thousand virtual
machines or ten thousand phones or a hundred thousand smart meters generating keys, you expect
them to be equally good at generating keys. But if they're all generating entropy locally, on
their own bits of hardware and out of their own little natural environment, by definition, their
ability to generate entropy and therefore random numbers is different for every single one of those devices.
So that's the opposite of what you want if you're a security person.
You want all of your systems to be equivalent from a security point.
You want consistency.
So our argument is entropy and random number generation is too important to be left to individual devices on a sort of best effort approach.
It should be something that's rigorous, it should be professionalized,
it should come from a trusted source,
and it should be made available to systems ubiquitously,
as if it's essentially a utility.
There's more information on Whitewood and their random number generator
at whitewoodencryption.com.
Vikram Sharma is CEO at Quintessence Labs,
where they know a thing or two about random numbers.
They use quantum properties as part of their flagship product,
called Trusted Security Foundation, or TSF.
So the TSF is a single appliance which integrates in three capabilities.
It has a true random number generator at its core,
indeed the world's fastest true random number generator.
We measure a property called quantum noise,
and we generate one billion random numbers,
a gigabit per second of full entropy, true random numbers.
The reason we do that is to do high-quality encryption.
You need a good stream of true random numbers.
To date, how we've largely done that
has been through pseudo-random number sources,
so you'll have some software
that tries to approximate true random numbers.
However, with the advent of ever more powerful computers,
indeed maybe even quantum computers,
there is a risk that the strength of the encryption
that you hope to achieve
could be compromised if you don't have true random.
So that's the first component, a true random number generator.
That then feeds into an advanced key management system,
and it's compatible with a standard called KMIP,
Key Management Interoperability Protocol,
which allows our key management server to serve up keys
to any consumer that's KMIP compliant.
And we also have a piece which enables you or allows you to implement data security policy,
to govern who has access to what sorts of data and what kinds of security measures
you wish to put in place, what types of encryption to protect different types of data.
According to Sharma, it's a situation of the sum being greater than the parts.
The loose analogy is like when the iPhone came out, we had an iPod for music, we had
a BlackBerry for texting, and we had a cell phone.
When the iPhone came together and integrated these capabilities, one form factor, customers
said, this is a very logical grouping of technologies.
I would like to have one of those.
That's what we see for the TSF.
And as we look into the future,
our goal is that every global Forbes, global 2000 company
at the heart of its security infrastructure
should have a series of TSFs to be the root of trust.
You can learn more about Quintessence and their products at quintessencelabs.com.
And that's our CyberWire RSA retrospective.
We'll have another edition tomorrow covering trade and investment.
The CyberWire is produced by CyberPoint International.
Our editor is John Petrick.
I'm Dave Bittner.
Thanks for listening.