CyberWire Daily - Russia versus routers. Desert Scorpion swept out of Google Play. ZTE faces sanctions. RSA notes, and a Sandbox winner.
Episode Date: April 17, 2018
In today's podcast we hear that Western governments attribute a large-scale campaign against poorly secured connected devices to Russia. Battlespace preparation is suspected. No new US sanctions against Russia, yet, but the matter remains under consideration. ZTE falls under the same cloud as Huawei. Desert Scorpion spyware ejected from Google Play. And there's a winner in RSA's Innovation Sandbox: BigID took away the prize. Justin Harvey from Accenture, joined by the head of Accenture's Cyber Defense team, Ryan LaSalle, discussing their 2018 State of Cyber Resilience report. Guest is Jason Brvenik from NSS Labs on their Advanced Endpoint Protection (AEP) Group Test. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Western governments attribute a large-scale campaign
against poorly secured connected devices to Russia.
Battlespace preparation is suspected.
No new U.S. sanctions against Russia yet, but the matter remains under consideration.
ZTE falls under the same cloud as Huawei.
Desert Scorpion spyware's been ejected from the Google Play Store.
And there's a winner in RSA's Innovation Sandbox.
Big ID took away the prize.
Coming to you from the RSA Conference in San Francisco,
I'm Dave Bittner with your CyberWire summary for Tuesday, April 17, 2018.
The U.S., British, and Australian governments yesterday unambiguously attributed a large-scale campaign against vulnerable routers to Russian security services.
US-CERT, in an advisory worth reading in its entirety, identified the affected systems.
Quote, Generic Routing Encapsulation (GRE) enabled devices, Cisco Smart Install (SMI) enabled devices,
and Simple Network Management Protocol (SNMP) enabled network devices.
These are, US-CERT notes, widely used by both enterprises and private individuals.
Exploitation would need no zero-days.
The campaign has successfully taken advantage of insecure legacy installations,
systems beyond end-of-life that no longer receive patches, and other poor practices.
The governments making the attribution do so at a time of markedly increased tension
between Russia and Western countries.
The Salisbury nerve agent attack and Russian support of Syria's Assad regime
contribute to those tensions.
Observers in the US and UK suggest that Russia is preparing for a cyber campaign against critical infrastructure.
Russian motives against connected devices strongly suggest ongoing battlespace preparation,
and the prospective targets warn that Russia can expect retaliation.
Chinese equipment manufacturer ZTE has been subjected to U.S. sanctions, joining Huawei in the business penalty box.
The U.S. decision made note of ZTE's sketchy record with respect to observing international sanctions.
The U.K. also issued warnings about Huawei devices.
The British concerns were directly and explicitly addressed to security issues in the company's products.
Lookout finds highly targeted Desert Scorpion surveillanceware in Google Play.
It's associated with APT-C-23 and seems most interested in Palestinian targets.
Google has removed it from the Play Store and updated Play Protect to keep it out.
NSS Labs made news at last year's RSA conference with the release of their Advanced Endpoint Protection Group Test, evaluating market-leading security products on effectiveness and total cost of ownership.
They're back with a new edition of the report for 2018, and we've got Jason Brvenik, CTO at NSS Labs, to take us through what they found.
You know, we assess whether or not and how a product does against attacks you're reasonably likely to face in the wild. We capture live exploitation and live
malware, and then we replay them in a comparable way against all the technologies and represent
that as a security effectiveness score. And this year we observed an effectiveness between
59 and 99 percent, roughly, between the 20 products we verify.
And what does that range represent?
That range represents protecting 60% of the attacks you're likely to face
or 99% of the attacks you're likely to face.
It's interesting that there could be that much disparity.
Also, though, in testing, we saw that there's a pretty rapid exchange
between vendors in the, quote, Intel space, if you will, where when one vendor notices a new piece of malicious code, a lot of the other vendors then benefit from that observation at the same time.
So we had to actually take some specific steps to avoid tainting the results in that way and ensuring that everybody had an equal shot.
So was there anything outstanding this year that surprised you that was unexpected?
A couple things, actually.
The one that stands out the most and is always interesting is what we call evasions.
The ability of a product that detects something malicious, whether it's an exploit or a piece
of malware, and then to have that product resubjected to that same
known thing and have it miss it when we apply evasive techniques to it is interesting.
It says that the bar is not very high on the attacker side to be able to get their malicious
needs done.
We saw nine of the products tested missing at least one evasion.
Well, then let's dig in here.
What are some of the results?
Who came out ahead and who needs to do a little work?
That's a great question.
If I look at the security value map and what the data is telling us,
and we understand the premise of operations and headcount
and unprotected costs versus protected costs,
there's some strong players in this space.
In the upper right quadrant, you've got SentinelOne did really well.
Palo Alto did really well.
And they have what would appear to be some strong products that can unify the AV and
EDR capabilities that are necessary in the market.
Of course, there's variances in each of the technologies.
But the very simple premise of, do you stop the attacks you're facing?
And when you don't, do you provide the details necessary for an enterprise to respond?
I think we have some pretty strong products there.
Certain companies in their marketing materials and then when they describe their technology, they come at it from different directions.
For example, some companies are all in on artificial intelligence, you know, those sorts of things.
Do you find any alignment between the types of systems that people say they're using and how they come out in your tests?
Are there any trends there? Are there any patterns?
Yeah, so, you know, last year we saw some interesting things there where machine learning was all the rage and AI and that kind of stuff. And what we
observed were the new players had promise, but there were a lot of edge cases that they just
weren't yet up on. I think we saw a more robust showing this year from the machine learning
vendors relative to their more traditional peers, but still a number of edge cases.
In cases, for example, where offline protections were the most promised exist,
we're not connected to anything, we don't have any cloud intelligence or signatures,
we can still protect you.
I think we saw a number of areas where that really could be something that is, we protect you from the things that we've experienced in the past,
not the new creative things we're likely to experience.
There's some promise certainly in that space, but I think we're not yet seeing a
realization or the promise entirely. But I'm not seeing an incredible difference between the two
approaches other than when you weigh the intelligence they can provide back to the
enterprise in order to further action these things. The traditional vendors and the more advanced AEP vendors that have EDR-like functionality built in are providing a lot more
context around the attacks they're facing than the vendors that simply make a conclusion and
don't have the supporting details. And so there's a gap, I think, in the market there that shows in
our scoring and representation that will be interesting.
So in terms of recommendations for those folks who are out there shopping for these technologies, based on the results that you've seen, do you have any guidance for how people should go about looking for what's right for them?
There's a number of strong products that made recommended in our testing.
Beyond having been validated as providing quality protections and insight and visibility,
you need to look at the ecosystem you're dealing with, manageability, agent proliferation,
total cost of ownership or ROI that we represent in the testing as well,
how many headcount it takes to manage it, that kind of stuff.
There's a number of players, both in the traditional space where you probably have existing relationships and in the emergent space and looking to have a leg up on the ability to respond quickly to an emergent attack.
That's Jason Brvenik from NSS Labs.
You can find their complete Advanced Endpoint Protection Group Test on their website.
RSA is in full swing today as keynotes begin at the Moscone Center.
Yesterday's highlight was the Innovation Sandbox,
in which 10 of the most interesting startups in the sector competed for recognition.
Two finalists were selected from the field.
One was Fortanix, whose runtime encryption protects data in use and thus offers cloud users a trusted enclave.
Applications run inside a secure envelope that travels with the app wherever it moves.
The other finalist was BigID,
which offers a solution to a range of privacy challenges by identifying personal data,
correlating it with persons, and placing that data in context.
The judges finally selected BigID as the winner.
The topicality of the challenges the company addresses,
and those challenges' attendant market needs, carried the day.
Privacy rights are in the forefront of most enterprises' concerns,
especially, if you'll forgive us for reminding you again
of something you already know,
with the full implementation of the European Union's
General Data Protection Regulation, GDPR,
just a month and change away.
As BigID pointed out in their presentation, rights adhere to persons, and if you can't
associate the data with the people, you can't really protect their rights to that data.
Most Innovation Sandbox finalists have over the years compiled impressive records in the
market.
Success has by no means been confined to the winners, so it's worth giving another look to all of 2018's finalists.
Acalvio, Awake, BigID, BlueVector, CyberGRX, Hysolate, ReFirm Labs, ShieldX, and StackRox.
We'll have continuing coverage of the RSA Conference throughout the week.
If you'll be at San Francisco's Moscone Center this week, stop by and say hello to the Cyber Wire team. We'll be at the Akamai
booth 3625 in the North Hall. We hope to see you there, and we thank Akamai for their hospitality.
And finally, a musical note. All of the Innovation Sandbox finalists came to the stage to walk up
music of their own selection, and we always look forward to their stylings.
Yet no one this year, or to our knowledge ever, has chosen Metallica's Enter Sandman,
despite its excellent track record introducing Mariano Rivera when he emerged from the Yankees' bullpen to shut down some hapless opposition.
The absence of Enter Sandman from the Sandbox is curious and would seem to stand in need of explanation.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, nice to connect here at RSA in person.
Hi, it's great to be here, Dave. We are
really, really, really excited to be here to talk to you about the 2018 Accenture Security Cyber
Resilience Report. We get asked all the time, what is happening in our industry, not only from a
cybersecurity perspective, but from a business perspective? And not only that, I think probably the number one question
that we field from our CISOs and from the C-suite and boards is, how are we doing versus everyone
else in our insights and the way that we are conducting and building our cybersecurity
programs? So today, I brought with me Ryan LaSalle. Ryan LaSalle is the Global Managing Director for Accenture Security Strategy and Growth.
And this, I'm really proud that he's here with us because this is the second year that we've been doing this report,
and it's got a lot of great insights.
All right. Well, Ryan, welcome.
Why don't we just start off?
Why don't you take us through some of the highlights of what you found in this report?
You know, when we did this last, we launched this last year, we started with about 2,000 security leaders across several different countries. And this year, we're pretty excited
because we've expanded that to 4,600 security leaders in companies over a billion dollars
across 15 countries. And what we saw in the changes from last year has really been the start
of a return on the investment that
people are making in security. We've seen dramatic improvements across several different areas of
performance in security. We've seen improved detection rates. We've seen improved defensive
effectiveness from many of these organizations. And we're seeing that on average, the time to
detection is getting better and better. There's still some areas to address.
I think many organizations see that they need to continue to invest,
and almost 40% of the companies surveyed are planning to significantly
or up to double their security investment next year.
We see that there's a path, though, towards getting to a steady state in security.
And the last thing I'll say is we've also noticed that there's a bit of a disconnect
between where organizations are investing and their priorities and their adoption
of what I'd consider innovative and breakthrough technologies. Describe to me, what do you mean
by that disconnect? How is that playing out? Well, only about 40% of the companies we surveyed are
investing in capabilities like artificial intelligence, machine learning, blockchain,
and some of the kind of bedrock stuff that we see in the market in security as being innovative and transformative to how organizations can improve their defenses.
But we also see that many organizations are expecting that their providers are doing that for them as well.
So we see that that's going to be one of the ways that the other 60% start to achieve some of those outcomes.
So, Ryan, I think one of the things that stands out about this report is that there is actually,
as you look forward, there's some good news here. There's some reason to be hopeful.
Yeah, I think that is a very positive sign that we picked up in this report and our research.
One of the key insights we saw was, given the performance improvements we've seen year over year and the way that organizations have tackled the critical cybersecurity capabilities they need
to be effective, we see that in about two or three years, many organizations
will be at a point where it won't require stair-step increases in security budgets
to achieve the capabilities that they need to get good at. They'll be able to get
to almost a steady state in their operations where they can innovate within
their budgets and investments.
And I think one of the reasons that's happened is one of the big changes we saw from last year
was almost twice as many organizations have had their security budgets authorized
and directed by their board or CEO.
So now that CISO has a direct line of communication up to the part of the organization
that is most determined to manage risk.
And they are able to be more effective in their spend and in business adoption of the kind of behaviors and capabilities they need to be successful.
Justin, the report has some practical steps here, some advice for reaching resiliency.
Can you take us through those steps?
Sure.
The first here would be building a strong foundation.
And your listeners should be not surprised how many times I've harped around doing the basics well.
And so our research really has shown that focusing on the basics, for instance, network segmentation or multi-factor authentication or encryption,
et cetera, is really making a big difference with these results.
The second would be pressure testing resilience like an attacker.
This is something that our team embraces across cyber defense, which is thinking like the
adversary.
Instead of thinking more in terms of how can I do blanket security, thinking in terms of what an attacker or
what the enemy or what the adversary could do or want to do to your environment. The third would be
employing breakthrough technologies. We're starting to actually see the fruits of our industry's labor
by focusing on artificial intelligence, on machine learning, and next generation type of approaches
to cyber defense, such as on the endpoint. And we're starting to finally see the results of that,
even though it's taken several years. The fourth would be being proactive in using threat hunting.
As you know, this is near and dear to my heart because I run the threat hunt team.
Being able to constantly look for the adversary or look
for malicious events through the three main areas. Number one would be application of known bad,
which is threat intelligence. Second would be looking for anomalous behavior. And the third
one would be looking for suspicious behavior. And the fifth is evolving the role of the CISO.
This is exactly the heart of the matter we're trying to drive toward in a report like this.
And that is cyber defense and cybersecurity is not just IT's problem.
It's not an operational issue.
It is a risk to the business.
And the more our CISO can speak in terms of the business and communicate that to business stakeholders and to the C-suite and to the board, the more successful they will
be at not only getting the money, getting the necessary budget, but also in creating an
environment where the true business leaders of an enterprise or the corporation or
the military or the government are making informed risk decisions based upon what's
happening to their business. All right, Justin Harvey and Ryan LaSalle, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. Thanks for listening.
We'll see you back here tomorrow.
into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.