Elastic-ing All the Things at BSidesLV 2017

Take five seconds to think: Which of the two scenarios is the worst as an incident responder? In the first one, you have to analyze terabytes of logs by grepping audits, Windows events, proxy, intrusion prevention systems and mail as you try to pivot, correlate and understand what the heck happened. In the second one, […]… Read More

The post Elastic-ing All the Things at BSidesLV 2017 appeared first on The State of Security.

from Elastic-ing All the Things at BSidesLV 2017

7 Not-to-Miss Presentations at Black Hat USA 2017

The excitement is building for Black Hat USA 2017. To help attendees get the most out of the event, I’ve assembled just a few of the presentations that will no doubt make this year’s conference a memorable one. These talks range in topic from mobile network vulnerabilities to breaking electronic door locks to new solutions […]… Read More

The post 7 Not-to-Miss Presentations at Black Hat USA 2017 appeared first on The State of Security.

from 7 Not-to-Miss Presentations at Black Hat USA 2017

Book Review: Borderless Behavior Analytics

The excitement is building for Black Hat USA 2017. To help attendees get the most out of the event, I’ve assembled just a few of the presentations that will no doubt make this year’s conference a memorable one. These talks range in topic from mobile network vulnerabilities to breaking electronic door locks to new solutions […]… Read More

The post 7 Not-to-Miss Presentations at Black Hat USA 2017 appeared first on The State of Security.

from Book Review: Borderless Behavior Analytics

Defending anti-netneutrality arguments

Last week, activists proclaimed a “NetNeutrality Day”, trying to convince the FCC to regulate NetNeutrality. As a libertarian, I tweeted many reasons why NetNeutrality is stupid. NetNeutrality is exactly the sort of government regulation Libertarians hate most. Somebody tweeted the following challenge, which I thought I’d address here.

@ErrataRob I’d like to see you defend your NN stance in this context.https://t.co/2yvwMLo1m1https://t.co/a7CYxd9vcW

— Tanner Bennett (@NSExceptional) July 21, 2017

The links point to two separate cases.

  • the Comcast BitTorrent throttling case
  • a lawsuit against Time Warning for poor service
The tone of the tweet suggests that my anti-NetNeutrality stance cannot be defended in light of these cases. But of course this is wrong. The short answers are:

  • the Comcast BitTorrent throttling benefits customers
  • poor service has nothing to do with NetNeutrality

The long answers are below.

The Comcast BitTorrent Throttling

The presumption is that any sort of packet-filtering is automatically evil, and against the customer’s interests. That’s not true.
Take GoGoInflight’s internet service for airplanes. They block access to video sites like NetFlix. That’s because they often have as little as 1-mbps for the entire plane, which is enough to support many people checking email and browsing Facebook, but a single person trying to watch video will overload the internet connection for everyone. Therefore, their Internet service won’t work unless they filter video sites.
GoGoInflight breaks a lot of other NetNeutrality rules, such as providing free access to Amazon.com or promotion deals where users of a particular phone get free Internet access that everyone else pays for. And all this is allowed by FCC, allowing GoGoInflight to break NetNeutrality rules because it’s clearly in the customer interest.
Comcast’s throttling of BitTorrent is likewise clearly in the customer interest. Until the FCC stopped them, BitTorrent users were allowed unlimited downloads. Afterwards, Comcast imposed a 300-gigabyte/month bandwidth cap.
Internet access is a series of tradeoffs. BitTorrent causes congestion during prime time (6pm to 10pm). Comcast has to solve it somehow — not solving it wasn’t an option. Their options were:
  • Charge all customers more, so that the 99% not using BitTorrent subsidizes the 1% who do.
  • Impose a bandwidth cap, preventing heavy BitTorrent usage.
  • Throttle BitTorrent packets during prime-time hours when the network is congested.
Option 3 is clearly the best. BitTorrent downloads take hours, days, and sometimes weeks. BitTorrent users don’t mind throttling during prime-time congested hours. That’s preferable to the other option, bandwidth caps.
I’m a BitTorrent user, and a heavy downloader (I scan the Internet on a regular basis from cloud machines, then download the results to home, which can often be 100-gigabytes in size for a single scan). I want prime-time BitTorrent throttling rather than bandwidth caps. The EFF/FCC’s action that prevented BitTorrent throttling forced me to move to Comcast Business Class which doesn’t have bandwidth caps, charging me $100 more a month. It’s why I don’t contribute the EFF — if they had not agitated for this, taking such choices away from customers, I’d have $1200 more per year to donate to worthy causes.
Ask any user of BitTorrent which they prefer: 300gig monthly bandwidth cap or BitTorrent throttling during prime-time congested hours (6pm to 10pm). The FCC’s action did not help Comcast’s customers, it hurt them. Packet-filtering would’ve been a good thing, not a bad thing.

The Time-Warner Case
First of all, no matter how you define the case, it has nothing to do with NetNeutrality. NetNeutrality is about filtering packets, giving some priority over others. This case is about providing slow service for everyone.
Secondly, it’s not true. Time Warner provided the same access speeds as everyone else. Just because they promise 10mbps download speeds doesn’t mean you get 10mbps to NetFlix. That’s not how the Internet works — that’s not how any of this works.
To prove this, look at NetFlix’s connection speed graphis. It shows Time Warner Cable is average for the industry. It had the same congestion problems most ISPs had in 2014, and it has the same inability to provide more than 3mbps during prime-time (6pm-10pm) that all ISPs have today.

The YouTube video quality diagnostic pages show Time Warner Cable to similar to other providers around the country. It also shows the prime-time bump between 6pm and 10pm.
Congestion is an essential part of the Internet design. When an ISP like Time Warner promises you 10mbps bandwidth, that’s only “best effort”. There’s no way they can promise 10mbps stream to everybody on the Internet, especially not to a site like NetFlix that gets overloaded during prime-time.
Indeed, it’s the defining feature of the Internet compared to the old “telecommunications” network. The old phone system guaranteed you a steady 64-kbps stream between any time points in the phone network, but it cost a lot of money. Today’s Internet provide a free multi-megabit stream for free video calls (Skype, Facetime) around the world — but with the occasional dropped packets because of congestion.
Whatever lawsuit money-hungry lawyers come up with isn’t about how an ISP like Time Warner works. It’s only about how they describe the technology. They work no different than every ISP — no different than how anything is possible.
Conclusion

The short answer to the above questions is this: Comcast’s BitTorrent throttling benefits customers, and the Time Warner issue has nothing to do with NetNeutrality at all.

The tweet demonstrates that NetNeutrality really means. It has nothing to do with the facts of any case, especially the frequency that people point to ISP ills that have nothing actually to do with NetNeutrality. Instead, what NetNeutrality really about is socialism. People are convinced corporations are evil and want the government to run the Internet. The Comcast/BitTorrent case is a prime example of why this is a bad idea: government definitions of what customers want is actually far different than what customers actually want.

from Defending anti-netneutrality arguments

Cyber Exposure: The Next Frontier for Security

The stakes have never been higher when it comes to cybersecurity. Global cyber attacks such as the recent WannaCry ransomware attack is a sobering reminder that cybersecurity is the existential threat of this generation. A new report from Lloyd’s of London estimates a serious cyber attack could cost the global economy more than $120 billion – as much as catastrophic natural disasters such as Hurricane Katrina and Sandy. According to the report, the most likely scenario is a malicious hack that would take down a cloud service provider at an estimated loss of $53 billion. With all of the attention and the hundreds of vendors in the security industry, why are we still here in this same situation, with it only getting worse and more severe?

The reality is these “future” technologies and compute platforms, such as IoT and cloud, are no longer the future. They are here and now. This means the cyber attack surface is no longer a laptop or a server in a data center. According to Business Intelligence, there will be nine billion active IoT devices in the enterprise by 2019. That’s more than the entire smartphone and tablet markets combined. According to a 2016 IDG Enterprise Cloud Computing Survey, over 90 percent of organizations either have applications running in the cloud today or are planning to adopt cloud applications in 2017. We’re also seeing development shifts such as DevOps become mainstream, and with that comes the rise of containers and microservices as a way to make changes to smaller parts of the application in a more agile way. According to 451 Research, the container market is the fastest growing market of cloud-enabling technologies, with a CAGR of 40 percent through 2020, growing from $762 million to $2.7 billion by 2020.

So What Do We Do in Response?

We throw hundreds of tools at the problem, each designed to protect the organization from a nice, many times advanced “threat of the week” style attack. We have Configuration Management Databases (CMDBs) which give the organization an IT view of assets and configurations, but weren’t built to keep pace with modern assets and aren’t a security view. Vulnerability Management (VM) technologies are used by most organizations to scan the network to identify issues, but the problem with legacy VM tools is they are a “one size fits all” approach designed in the world of client/server and on-premise data centers which only assess “known” assets which are running at the time of the scan or that can have an agent deployed on them.

We are in the new, modern world of IoT, cloud, SaaS, mobile and DevOps, which means organizations need to approach understanding their cyber risk in a way that adapts to this new world of modern assets. For example, IoT and mobile devices may be undetectable with traditional tools, containers and cloud workloads which, as opposed to other types of assets that have lives of months to years, may have a life of minutes to hours, making them extremely hard to see and protect. There are also safety-critical infrastructure and Operational Technology like Industrial Control Systems which are a rising attack vector. These systems were designed to be walled off from the network and isolated from threats, and therefore not designed for frequent change or software deployments. As software permeates through every industry, these Industrial IoT devices which are now connected devices need to be protected but the old way is too intrusive.

Welcome to the Era of Modern Cyber Exposure

We believe that Cyber Exposure is the next frontier for empowering organizations to accurately understand, represent and ultimately reduce their cyber risk against the rapidly changing modern attack surface. Cyber Exposure transforms security from a static or fragmented view to live and holistic visibility across every asset – whether that’s IoT or traditional IT devices, cloud infrastructure or Industrial Control Systems. From this live picture then you can start to accurately assess and analyze these assets for areas of exposure. This could be misconfigurations but it could also be other hygiene types of health indicators such as out-of-date antivirus or flagging high-risk users. By correlating this information with additional sources data, such as a CMDB or threat intelligence, you can get a more complete picture of the business criticality and severity of the issue to prioritize remediation and work with IT to fix it.

Cyber Exposure is analogous to IT Service Management and how the execution of ITSM processes is supported with specialized software technology. At the core of ITSM software suites are a workflow management system (service desk) for managing incidents and maintaining a knowledge base system of record, and a Configuration Management Database (CMDB) for discovering and mapping Configuration Items and their dependencies. Bringing these technologies together creates an intuitive way to link incidents with change and service requests together, but also provides a view of business services and the underlying IT infrastructure to help accelerate troubleshooting and change impact analysis, for example. Just as ITSM provides a process for planning, delivering and operating IT services to better support customers, Cyber Exposure provides a discipline and a process for managing and measuring cyber risk against the modern attack surface. This will help security and IT teams collaborate to more effectively and efficiently identify and resolve issues, but will also provide an objective way for the CISO, CIO and the business to measure cyber risk and use it for strategic decisions and planning. Cyber Exposure technologies will provide the data, visualization, process management and metrics to help drive a new way to manage security to reduce risk, make better business decisions and actually enable digital transformation instead of being the impediment to it.

Communicating Cyber Risk to the Board

There has also been a lot of conversation around cybersecurity awareness and readiness within the C-suite and the board of directors: how do you represent and communicate cyber risk in non-technical, business terms? Today the CISO has to translate a mountain of data in multiple spreadsheets into intuitive insights the business can use to make decisions from. Cyber Exposure will help the CISO drive a new level of dialogue with the business. If you know which areas of your business are secure – or exposed – and you can measure your organization against a larger set of data. This opens up a whole new set of discussions and decisions about where the organization needs to focus, how much and where to invest to reduce risk to an acceptable amount and help drive strategic business decisions. Every function has its organizational system of record to manage, measure and predict the business exposure relevant to that function, for example, CRM for revenue and forecasting exposure, ERP for financial and supply chain exposure and Human Capital Management (HCM) for employee satisfaction and attrition exposure. Imagine a future where every strategic business decision factors in Cyber Exposure data as a key risk metric, just as the business does with all of these types of exposure. We believe the future doesn’t need to be in the future.

We’re excited to apply our years of expertise and knowledge in understanding assets, networks and vulnerabilities to usher in this new modern era of Cyber Exposure. And we’re just getting started…

from Cyber Exposure: The Next Frontier for Security

Book Review: Borderless Behavior Analytics

The stakes have never been higher when it comes to cybersecurity. Global cyber attacks such as the recent WannaCry ransomware attack is a sobering reminder that cybersecurity is the existential threat of this generation. A new report from Lloyd’s of London estimates a serious cyber attack could cost the global economy more than $120 billion – as much as catastrophic natural disasters such as Hurricane Katrina and Sandy. According to the report, the most likely scenario is a malicious hack that would take down a cloud service provider at an estimated loss of $53 billion. With all of the attention and the hundreds of vendors in the security industry, why are we still here in this same situation, with it only getting worse and more severe?

The reality is these “future” technologies and compute platforms, such as IoT and cloud, are no longer the future. They are here and now. This means the cyber attack surface is no longer a laptop or a server in a data center. According to Business Intelligence, there will be nine billion active IoT devices in the enterprise by 2019. That’s more than the entire smartphone and tablet markets combined. According to a 2016 IDG Enterprise Cloud Computing Survey, over 90 percent of organizations either have applications running in the cloud today or are planning to adopt cloud applications in 2017. We’re also seeing development shifts such as DevOps become mainstream, and with that comes the rise of containers and microservices as a way to make changes to smaller parts of the application in a more agile way. According to 451 Research, the container market is the fastest growing market of cloud-enabling technologies, with a CAGR of 40 percent through 2020, growing from $762 million to $2.7 billion by 2020.

So What Do We Do in Response?

We throw hundreds of tools at the problem, each designed to protect the organization from a nice, many times advanced “threat of the week” style attack. We have Configuration Management Databases (CMDBs) which give the organization an IT view of assets and configurations, but weren’t built to keep pace with modern assets and aren’t a security view. Vulnerability Management (VM) technologies are used by most organizations to scan the network to identify issues, but the problem with legacy VM tools is they are a “one size fits all” approach designed in the world of client/server and on-premise data centers which only assess “known” assets which are running at the time of the scan or that can have an agent deployed on them.

We are in the new, modern world of IoT, cloud, SaaS, mobile and DevOps, which means organizations need to approach understanding their cyber risk in a way that adapts to this new world of modern assets. For example, IoT and mobile devices may be undetectable with traditional tools, containers and cloud workloads which, as opposed to other types of assets that have lives of months to years, may have a life of minutes to hours, making them extremely hard to see and protect. There are also safety-critical infrastructure and Operational Technology like Industrial Control Systems which are a rising attack vector. These systems were designed to be walled off from the network and isolated from threats, and therefore not designed for frequent change or software deployments. As software permeates through every industry, these Industrial IoT devices which are now connected devices need to be protected but the old way is too intrusive.

Welcome to the Era of Modern Cyber Exposure

We believe that Cyber Exposure is the next frontier for empowering organizations to accurately understand, represent and ultimately reduce their cyber risk against the rapidly changing modern attack surface. Cyber Exposure transforms security from a static or fragmented view to live and holistic visibility across every asset – whether that’s IoT or traditional IT devices, cloud infrastructure or Industrial Control Systems. From this live picture then you can start to accurately assess and analyze these assets for areas of exposure. This could be misconfigurations but it could also be other hygiene types of health indicators such as out-of-date antivirus or flagging high-risk users. By correlating this information with additional sources data, such as a CMDB or threat intelligence, you can get a more complete picture of the business criticality and severity of the issue to prioritize remediation and work with IT to fix it.

Cyber Exposure is analogous to IT Service Management and how the execution of ITSM processes is supported with specialized software technology. At the core of ITSM software suites are a workflow management system (service desk) for managing incidents and maintaining a knowledge base system of record, and a Configuration Management Database (CMDB) for discovering and mapping Configuration Items and their dependencies. Bringing these technologies together creates an intuitive way to link incidents with change and service requests together, but also provides a view of business services and the underlying IT infrastructure to help accelerate troubleshooting and change impact analysis, for example. Just as ITSM provides a process for planning, delivering and operating IT services to better support customers, Cyber Exposure provides a discipline and a process for managing and measuring cyber risk against the modern attack surface. This will help security and IT teams collaborate to more effectively and efficiently identify and resolve issues, but will also provide an objective way for the CISO, CIO and the business to measure cyber risk and use it for strategic decisions and planning. Cyber Exposure technologies will provide the data, visualization, process management and metrics to help drive a new way to manage security to reduce risk, make better business decisions and actually enable digital transformation instead of being the impediment to it.

Communicating Cyber Risk to the Board

There has also been a lot of conversation around cybersecurity awareness and readiness within the C-suite and the board of directors: how do you represent and communicate cyber risk in non-technical, business terms? Today the CISO has to translate a mountain of data in multiple spreadsheets into intuitive insights the business can use to make decisions from. Cyber Exposure will help the CISO drive a new level of dialogue with the business. If you know which areas of your business are secure – or exposed – and you can measure your organization against a larger set of data. This opens up a whole new set of discussions and decisions about where the organization needs to focus, how much and where to invest to reduce risk to an acceptable amount and help drive strategic business decisions. Every function has its organizational system of record to manage, measure and predict the business exposure relevant to that function, for example, CRM for revenue and forecasting exposure, ERP for financial and supply chain exposure and Human Capital Management (HCM) for employee satisfaction and attrition exposure. Imagine a future where every strategic business decision factors in Cyber Exposure data as a key risk metric, just as the business does with all of these types of exposure. We believe the future doesn’t need to be in the future.

We’re excited to apply our years of expertise and knowledge in understanding assets, networks and vulnerabilities to usher in this new modern era of Cyber Exposure. And we’re just getting started…

from Book Review: Borderless Behavior Analytics