Recently, the Center for Cyber Safety and EducationTM released the results of the Children’s Internet Usage Study. The study contrasted the self-reported online behaviors of U.S. kids in grades 4-8 with their parents’ perceptions of their behavior. The findings were surprising and could be a cause for concern for many parents, as it shows that children are spending more time online, including late into the evenings, than their parents were aware. The children indicated they visit sites they know they are not supposed to, and engage with strangers despite warnings from parents. A few of the survey results are below:
40 percent said they connected with or chatted online with a stranger.
30 percent texted a stranger from their phone.
21 percent spoke to a stranger by phone.
15 percent tried to meet with a stranger they first encountered online.
11 percent met a stranger.
6 percent revealed their home address.
53 percent access the Internet for reasons other than homework seven days a week.
49 percent have been online at 11 p.m. or later on a school night.
33 percent have been online at midnight or later.
David Shearer, CEO of (ISC)² and the Center for Cyber Safety and Education said, “We are grateful to Booz Allen Hamilton, a valued partner over the years, for supporting this important initiative to raise parents’ awareness about the types of risky activities their children are engaging in online. Concerning findings such as these only reinforce the need for educational programs like Safe and Secure Online to help parents play an active role in preventing risks.”
In response to the survey results, the Center updated their Safe and Secure Online program, a leading free education program that teaches families and educators how to be safer online. Certified security expert members of (ISC)² contribute to the development of the program and all members are encouraged to share this information with their families and community. The free education program can be accessed in English at http://www.SafeAndSecureOnline.org. The program materials will be translated into other languages (Spanish, French, German, Portuguese and more) throughout the next few months.
In the U.S., April 28 is ‘Take Your Child to Work Day’ when children accompany their parents to the workplace. The (ISC)² headquarters office will be educating young visitors on how to stay safe online in hopes that children will become more cautious in the future and treat online strangers like they would real-world strangers.
Last year I attended an international risk management conference and was quite shocked by one of the sessions I attended. One of the presenters said, “ERM’s job is to protect the balance sheet.” Enterprise risk management (ERM) is a function that must address all types of risk, not just financial risk.
Monetizing risk and normalizing risk are two of the biggest problems risk practitioners face. Monetizing and normalizing risk makes it very easy to report risk exposure and risk treatment cost but obscures the true risk impact. When risk impact is obscured or under valued, it causes decision makers to make very poor decisions. This is especially true for safety risk where poorly managed risk events can lead to loss of life.
When asked this question, many people’s response will be “Human life is priceless.” Unfortunately, the desire to monetize risk impact has given rise for the need to quantify the value of human life. The international standard for the value of human life is $50,000. The Stanford Graduate School of Business conducted research awhile back that indicates the actual value of human life is $129,000. Anyone who has lost a loved one would likely argue that these values are woefully inadequate.
Monetizing risk impact causes these values to be used by decision makers to make decisions about what safety guards are worthwhile and cost effective. Consider a safety risk event that has a risk impact of $2.5 million and the risk treatment cost is $4.4 million. Many decision makers would simply accept this risk because the treatment cost is nearly twice the potential impact, and it doesn’t make economic sense to spend $4.4 million to save $2.5 million.
There would likely be a very different outcome if this risk event was presented to decision makers as a safety risk event that could cause 50 people to lose their lives and the risk treatment cost is $4.4 million. I would like to think that decision makers would choose to spend the $4.4 million to save 50 lives. Please note, 50 lives multiplied by the international standard value of human life of $50,000 is $2.5 million. As you can see, monetizing risk impact can dramatically change the equation.
ERM’s job should be much broader than simply protecting the balance sheet. ERM’s job is to manage all types of risk including budget risk, schedule risk, quality risk, safety risk, reputation risk and mission risk.
Mayo will present How Culture Affects ERM at EuroCACS 2016 30 May – 1 June in Dublin.
Footnote 1 Kingsbury, K. (2008, May). The Value of a Human Life: $129,000. Time.
Joseph W. Mayo, President, J.W. Mayo Consulting Services
The ninth annual edition of Verizon’s Data Breach Investigations Report (DBIR) has just been released, and Palo Alto Networks is proud to have contributed data and analysis to help make the report as comprehensive as possible. Palo Alto Networks is committed to sharing threat intelligence across the security industry, exposing the evolving nature of threats, in order for organizations to better protect themselves.
This year we extracted a massive dataset from the AutoFocus threat intelligence service on over 38 million sessions carrying over 2.7 million unique malware samples. We worked with the Verizon team to add context to these samples with AutoFocus tag data, illuminating what campaign or family they were associated with.
Rapidly evolving malware
The DBIR team combined our data with intelligence collected from other contributors, coming to the conclusion that the life span of malicious samples is typically very low (i.e. samples are very rarely used more than a few times). The report found that “99% of malware hashes are only seen for 58 seconds or less,” lending credence to the critical need for constantly updated protections deployed back to the network, lest organizations risk being infected by rapidly changing malware.
Shifts in Crimeware
In many ways, this report suggests that the threat landscape has not shifted significantly from the 2015 report. However, it does present one compelling insight into the rise of a threat that is top of many people’s minds, ransomware. The graph below is the average price per payment card record in USD over the last 5 years (Source: Intel Security).
If you were a cyber criminal and had previously focused on stealing credit cards data with malware, the supply of new card numbers into the market in the last few years has made your life very hard. A 76% drop in the price of your offering over 5 years is devastating, and that might make you look for alternative ways to monetize the computers you infect with malware. This graph is a near inverse of the ramp we’ve seen in ransomware attacks between 2013 and today, adding more evidence to suggest cyber criminals may be abandoning certain forms of fraud to focus on their ransomware business model.
Overall, the 2016 DBIR underscores how time-tested techniques for infecting organizations continue to be responsible for the vast majority of breaches. While there may be shifts in monetizing attack, such as moving from stolen credit cards to holding machines for ransom, attackers continue to rely on their old tricks. Primarily motived by profit, we expect cyber attacks to continue going back to highly effective tactics like spearphishing or comprise by infected websites.
Achieving PCI compliance in Amazon Web Services (AWS) involves determining where AWS compliance efforts intersect with your own compliance efforts. Who is responsible for documentation? And do the same concepts of network segmentation and separation apply within AWS, and if so how? These and many other questions arise when you combine PCI compliance with AWS.
To hear the answers to these and many other questions regarding PCI compliance on AWS with the VM-Series virtualized next generation firewall , please join Palo Alto Networks and Warren Rogers for a webinar on Tuesday May 3 at 10 a.m. PDT.
This is an interesting customer case study. First off, Warren Rogers chose to pursue PCI compliance not because it was a requirement, but because they wanted to improve their security posture and enhance their customer value proposition. Second, if you remove the notion of cloud and virtualization, all of the same questions, considerations and processes Warren Rogers addressed are applicable to PCI compliance on a physical network.
About Warren Rogers: Warren Rogers is a 37-year-old, privately held company that provides the leading fuel system monitoring solution in the industry. Its entire IT infrastructure is housed in AWS, and the Warren Rogers All-Point Monitoring System provides the most accurate and complete information of the fueling operation including every tank and every line. Their customers include companies like QuikTrip, Wilco/Hess, CircleK and many more.
A Customer Case Study: Achieving PCI Compliance in AWS When: Tuesday, May 3, 2016 Time: 10am PDT, 12pm CDT, 1pm EDT Speakers: Matthew R. McLimans, Computer Engineer at Warren Rogers Register Now.
Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.
This blog post series describes what I consider to be four major imperatives for cybersecurity success in the digital age, regardless of whether your organization is a part of the public or private sector.
Imperative #1 – We must flip the scales (February 16, 2016)
Imperative #2 – We must broaden our focus to sharpen our actions (March 12, 2016)
Imperative #3 – We must change our approach (March 30, 2016)
Imperative #4 – We must work together
IMPERATIVE #4 – WE MUST WORK TOGETHER
Before I get to the details, allow me to review some background and context, and then provide an executive summary of Imperative #4 in case you are pressed for time.
As a reminder from my previous three blogs, I use the factors in Figure 1 to explain the concept behind Imperative #4 in a comprehensive way.
Figure 1
Threat: This factor describes how the cyberthreat is evolving and how we are responding to those changes.
Policy and Strategy: Given our assessment of the overall environment, this factor describes what we should be doing and our strategy to align means (resources and capabilities – or the what) and ways (methods, priorities and concepts of operations – or the how) to achieveends (goals and objectives – or the why).
Structure: This factor includes both organizational (human dimension) and architectural (technical dimension) aspects.
Tactics, Techniques and Procedures (TTP): This factor represents the tactical aspects of how we actually implement change where the rubber meets the road.
In this final blog of the series, I’d like to take you through Imperative #4 using the concept model outlined above, and step through the implications.
Figure 2
EXECUTIVE SUMMARY
For this last imperative in the series, I want to focus on something that I believe is absolutely vital to success. I’m leveraging my previous national security experience, as well as my current private industry role, in emphasizing the critical importance of this imperative.
In my view, no single organization, public or private, has all of the talent, skills, resources, capabilities, capacity, or authority to act effectively when doing so in isolation. It truly takes teamwork and effective partnerships to act effectively with cybersecurity in the modern digital age. Therefore, we must work together if we want to be successful as a community.
There is already a significant shift going on regarding cyberthreat information sharing. What was once the sole purview of governments is now increasingly being done by industry, and this is a much-needed shift.
It’s very important to distinguish cyberthreat information sharing from the more contentious terrorist threat information sharing and associated surveillance issues that flood today’s international headlines.
Cyberthreat information is focused on indicators of compromise and not commercial proprietary information, personally identifiable information, personal health information or the personal content of individual communications.
Indicators of cyberthreat compromise include:
Malicious code
Information infrastructure transmission
Connection and collection points
Compromised systems and networks
Cyberthreat organizations and individuals
The general categories of entities that these threat organizations and individuals target for their malicious activities
The techniques that these cyberthreats employ to conduct their actions across the threat lifecycle
From a policy perspective, an increase in cyberthreat information sharing across private sector organizations has led to a change in the views of a growing number of industry leaders. Rather than hoarding cyberthreat information as a commercial commodity, many leaders are now seeing a growing need to share the information as a public good. The greater overall good achieved by sharing this specific type of intelligence vastly outweighs the parochial interests of individual commercial entities, and the focus shifts to what commercial competitorsdo with the information once it is shared.
Effective information sharing requires an accompanying organizational structure shift from working in isolated silos to building effective partnerships and an environment of strong teamwork. Some organizations find this shift difficult to achieve, which is why it must be driven by the organization’s leadership to be effective.
The final set of implications resulting from Imperative #4 deals with making it actually work at the tactical level with the required speed and scale. This requires a shift from manual toautomated TTP regarding two distinct activities. The first activity is the automatedsharing of cyberthreat indicators of compromise, themselves. Equally important is the need to shift from the manual, human-based efforts to prevent further threat success as a result of the shared intelligence to an automated defensive posture adjustment procedure in near-real time.
Scaling the distribution of threat intelligence to the scope that partnership growth demands also requires the use of standardized formats and procedures that enable automated sharinginstead of legacy TTPs that use slow, adhoc and often manual approaches that usually result in confusion and complexity.
DETAILED DESCRIPTION OF IMPERATIVE #4
THREAT
I have 35 years of experience in the U.S. government and, more specifically, the U.S. military. During the vast portion of that experience, I had a close association with the national intelligence community, as well as the intelligence communities of many partner nations.
Now that I’ve been in the private sector for some time, I can tell you with confidence that what used to be the sole purview of governmental intelligence communities in terms of access and visibility into the cyberthreat landscape is now changing very, very dramatically. I believe this change is appropriate, as well as inevitable.
The private sector is awakening – in no small measure due to the alarm bell that the national and international security communities have been ringing for the past several years – to the growing size, sophistication and increasingly sinister intent of cyberthreats across the world.
In my view, there is a significant shift from governments being the sole dispensers of cyberthreat intelligence towards industry being more and more powerful as a producer of not just vulnerabilities and cyberthreat information but also real cyberthreat intelligence.
It’s very important to distinguish what I’m calling cyberthreat intelligence from other types of intelligence, especially terrorist threat intelligence and the contentious surveillance issues associated with it. I’m NOTtalking about proprietary commercial information (intellectual property or financial data), personally identifiable information, personal health information or the personal content of individual communications.
If you recall the key points I made in each of my last three blogs in this series about how we must change our view of the cyberthreat, I’m talking about indicators of compromise (IOCs)based on the cyberthreat lifecycle.
Indicators of cyberthreat compromise include: malicious code; information infrastructure transmission connection and collection points; compromised systems and networks; cyberthreat organizations and individuals; the general categories of entities that these threat organizations and individuals target for their malicious activities; and the techniques that these cyberthreats employ to conduct their actions across the cyberthreat lifecycle. This kind of intelligence CANbe shared.
This is a good thing. Because if those in industry are expecting the government (whichever country you are from) to show up with all the intelligence needed to defend against the threat, that is not a realistic expectation.
Having come from government, one of my biggest frustrations as a network defender was the inevitable intelligence / gain-loss equity assessment that played out when there was valuable cyberthreat intelligence that the defense community needed. Sharing it usually represented too much of an intelligence risk to sources and methods, so there was always tension.
Sometimes, the tension surrounding sharing also came as a result of our own ability to take advantage of the same thing against one of our adversaries. Nobody on that side of the argument wanted to give away such an advantage by sharing the information with the cybersecurity community; and therefore, our adversaries then would have known as well.
In my opinion, this situation is improving slowly because the intelligence gain/loss balance is now tempered by a real sense of an equally strong and competing operational gain/loss equity at play. In my opinion, the more that the Internet of Things phenomenon plays out, the greater the overall risk will be to our ability to provide more and more vital security, as well as business operations, if we do NOT share cyberthreat intelligence widely and rapidly between public and private organizations.
However, these gain/loss dynamics still represent a challenge and government is biased not to share, or at least not to share rapidly. So, it’s a GOOD THING that industry is increasingly doing this on its own.
Believe me when I say that there will always be plenty of challenges left for governments to tackle, so this shift only helps the overall team effort, and that’s why it’s an imperative for future cybersecurity success.
POLICY AND STRATEGY
Given that we have a greater and greater industry role in cyberthreat intelligence, what shouldwe be doing about this?
At Palo Alto Networks, as in a growing number of other like-minded (yet competitor) companies, we believe we must share this intelligence as a public good, rather than hoard it as a commercial commodity. THIS IS A HUGE SHIFT!
I remember when I was in the special operations and information warfare communities during military operations in both Afghanistan and Iraq. In the early days, you may recall that we had a similar dynamic going on across the multi-agency and coalition efforts. We all knew bits and pieces, but we all had trouble “connecting the dots,” which was one of the key reasons that the 9/11 attacks happened in the United States.
Over time, we made a deliberate decision that we needed to move from a “need to know”basis for terrorist threat information-sharing toward a “need to share” basis so that, collectively, we could work in a more effective, integrated fashion.
It was very painful making this adjustment, and many organizations resisted due to both real and perceived risks (some still do today). However, this shift in mindset and policy began to show promise, and the gains turned out to be worth the risks in terms of success against terrorists on the battlefields of Iraq, Afghanistan and other key locations around the globe.
This is the same strategic dynamic for cyberthreat intelligence, though I must make the key distinction that we are NOT talking about surveillance-related intelligence about terrorists, but rather cyberthreat IOCs. There’s a huge distinction between the two that many tend to conflate in today’s “security versus privacy” debates.
Now, let me tell you the story of the Cyber Threat Alliance.
ORGANIZATION AND ARCHITECTURE
The Cyber Threat Alliance (CTA) is an example of shifting organizational structure from silos to partnerships. This is a story about eight companies – several of which compete with one or more of the others, including my own – that have put their money where their mouths are and actually organized to share cyberthreat intelligence.
To illustrate the example, I’ll use a recent Cyber Threat Alliance pilot project to show how the notion of organizing to share cyber threat intelligence can work.
First, some background: CryptoWall Version 3 is a form of ransomware, and has been recently used by a cyberthreat criminal entity to steal and encrypt an organization’s or individual’s sensitive information to hold it for ransom (usually through Bitcoin or other digital currency). If the ransom is not paid in accordance with the criminal entity’s demands, the information stolen and held for ransom is then destroyed.
The Cyber Threat Alliance utilized the collective intelligence and analytic resources from the four founding members (Palo Alto Networks, Intel® Security, Symantec™, and Fortinet®) and four other contributing members (Barracuda Networks, ReversingLabs, Telefonica, and zScaler) to publicly publish a report on October 29, 2015, titled “Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat.”
This was the first published report using combined threat research and intelligence from the founding and contributing members of the Cyber Threat Alliance. The report provided organizations worldwide with valuable insight into the attack lifecycle of this lucrative ransomware family. The Cyber Threat Alliance further discovered:
The $325 million in revenue that went to the attackers included ransoms paid by victims to decrypt and access their files.
406,887 attempted CryptoWall infections.
4,046 malware samples.
839 command-and-control URLs for servers used by cybercriminals to send commands and receive data.
The hundreds of millions of dollars in damages span hundreds of thousands of victims across the globe. North America was a particular target for most campaigns.
Although this example of an effective partnership for cyberthreat intelligence-sharing was just a pilot project to prove that competitor cybersecurity organizations could actually work together to bring down a single threat, it was also a powerful endorsement of the concept and demonstrated the organizational structure required for success. In fact, the quote below, from Rick Howard, Palo Alto Networks CSO, sums it up nicely:
“This type of collaborative research by security vendors reflects the power of effective threat information-sharing and the positive effect it can have on helping maintain trust in our digital world. As a founding CTA member, we are committed to the idea that this new way of working together – of combining intelligence on a common adversary and sharing cyberthreat information as a public good – is to the benefit of all organizations in the battle against cybercrime.”
There will be more research published this year from the CTA. This represents an imperative to move from our traditional, legacy approach of working in isolation toward real teamwork and effective partnerships.
This surely won’t be easy, and if the CEOs from the partner companies in the CTA had not personally been involved, this partnership would not be effective today. With leadership commitment, this demonstrates an organizational approach to a more successful cybersecurity future – one where various entities determine that there is an overall common objective, the achievement of which provides more overall good on balance than individual efforts that work against one another for a single organizational advantage.
TTP
In the Cyber Threat Alliance example that I just used, there were two tactical, more procedural issues that we learned were key to success.
First, let me remind you of the problem I covered in my first blog of the series about the lopsided advantage that the attacker currently has over the defender. Taking a page from our cyber adversaries, in terms of one of the key reasons for this imbalance, we need to take slow, human decision-making out of the equation, and automate everything we can to determine known bad IOCs in near-real time from unknown activity/techniques/signatures.
Cloud capabilities are key to success in automating this process, and the only real way to wipe away an estimated 80–90 percent of more routine cyberthreat activity so that we can use the human processes for the really sophisticated stuff.
Using the Cyber Threat Alliance again as an example, in order to join the Alliance, each company must contribute a minimum of one thousand unique malware signatures every dayand must agree to automatically consume rapidly discovered known bad signatures from any of the other Alliance partners. They must also ingest the resulting protections into their own company’s defensive capabilities, systems and platforms.
This TTP produces a rapid self-learning capability. It also produces a self-healing fabric that stretches across all of the partner organizations’ information technology enterprises, and limits the cyberthreat level of success dramatically.
One of the other important TTP lessons coming from the Cyber Threat Alliance experience is that in order to become self-learning and self-healing at scale, you have to get away from ad hoc information transmission methods and move to a standardized format. Doing so enables the automation of information-sharing and cybersecurity platform adjustment at the same time and on a much broader scope and scale.
The standardized methods for automated cyberthreat information-sharing being explored by the U.S. government and other international organizations called STIX/TAXII may prove successful, but both public and private organizations, including the Cyber Threat Alliance, are working through which techniques and procedures help to best scale for success.
CONCLUSION
Cybersecurity success in the digital age requires that we leverage teamwork and partnerships in powerful new ways that we are only beginning to understand and implement.
Private industry has a growing, increasingly important and entirely appropriate role in cyberthreat analysis and intelligence. Governments simply cannot, and should not, be the only ones to cover the entire cyberthreat landscape. However, we must be clear and precise about what cyberthreat intelligence means in order to avoid the confusion between security and privacy. When it comes to cyberthreats, security IS privacy.
The need to share cyberthreat information is rapidly becoming rightfully viewed as a greater societal good, where the risks associated with arguments not to share widely and rapidly are becoming eclipsed by an overall growing threat to the trust we place in our digital way of life.
On balance, this imperative to share information about both cyberthreats and the associated protection mechanisms against them requires that we think differently about the way we organize so that we are optimized for a “need to share” culture. This will require strong leadership by example.
The imperative that we work together also requires using standardized, automated TTP for both sharing the critical information and for loading it into the defensive posture of our information technology enterprise in near-real time.
Taken together, these shifts regarding the role of industry in cyberthreat intelligence, in the policies that guide a culture of sharing threat information as a public good, in the way we organize to facilitate a “need to share” culture, and in the TTP we employ to standardize and automate information-sharing and mitigations all reinforce the imperative that we must work together. More importantly, they also contribute to our collective cybersecurity success in the digital age.
