Windows 10 Steps Up Ransomware Defense

Here’s some good news for the countless businesses getting ready for the migration to Windows 10: Microsoft recently announced that its Windows 10 Anniversary Update features security updates specifically targeted to fight ransomware. No defense is completely hack-proof, but it’s great to see the biggest names in the tech world are putting ransomware at the top of their list of concerns.

Patching holes, preventing users from “clicking the link”
Microsoft released a guide on how the latest Windows 10 Anniversary Update specifically enhances protection against ransomware. The company focused on eliminating the vulnerabilities hackers have exploited in the past, and says its updated Microsoft Edge browser has no known successful zero-day exploits or exploit kits to date.

The company says its smart email filtering tools helped identify some 58 million attempts to distribute ransomware via email—in July 2016 alone. But what if a phishing email does reach gullible and mistake-prone end users? Microsoft says it has invested in improving its SmartScreen URL filter, which builds a list of questionable or untrustworthy URLs and alerts users should they click on a link to a “blacklisted” domain.

Thanks to security upgrades, Microsoft says Windows 10 users are 58 percent less likely to encounter ransomware than those running Windows 7.

Better threat visibility for IT
On the response end, the Windows 10 Anniversary Update also sees the launch of the Windows Defender Advanced Threat Protection (ATP) service. The basic idea behind Windows Defender ATP is to use contextual analytics of network activity to see signs of attacks that other security layers miss. Microsoft says the new service gives “a more holistic view of what is attacking the enterprise…so that enterprise security operations teams can investigate and respond.” Better visibility of your users’ activities—now that’s something we at Code42 can get behind.

Using the intelligence of the “hive mind” to fight ransomware
One impediment to the fight against ransomware has been organizations’ reluctance to share information on attacks, both attempted and successful. We already know that new strains of ransomware emerge daily, but without this shared knowledge, even older strains are essentially new and unknown (and thus remarkably effective) to most of the enterprise world. The sheer size and market share of Windows puts Microsoft in a unique position to solve this problem. Its threat detection products are now bringing together detailed information on the millions of attempted ransomware attacks that hit Windows systems every day. With Microsoft now focused on fighting this threat, we’re eager to see the company leverage the intelligence of this hive mind to beat back the advance of the ransomware threat.

What does Microsoft say about ransomware recovery?
It’s important to note that responding to a ransomware attack is not necessarily the same as recovering from an attack. In other words, Microsoft says Windows 10 can help you detect successful attacks sooner and limit their impact—but how does it help you deal with the damage already done? How does it help you recover the data that is encrypted? How does it help you get back to business?

The Windows 10 ransomware guide makes just one small mention of recovery, urging all to “implement a comprehensive backup strategy.” However, Microsoft offers a rather antiquated look at backup strategies, leaving endpoint devices uncovered, focusing on user-driven processes instead of automatic, continuous backup, and even suggesting enterprises use Microsoft OneDrive as a backup solution. As we’ve explained before, OneDrive alone is insufficient data protection. It’s an enterprise file sync-and-share solution (EFSS), built to enable file sharing and collaborative productivity—not continuous, secure backup and fast, seamless restores.

Making the move to Windows 10? Make sure your backup is ready
Most enterprises are at least beginning to plan for the move to Windows 10, as they should be. The new OS offers plenty of advantages, not least of which are security features that undoubtedly make Windows 10 more hack-resistant. But as security experts and real-world examples continually show, nothing can completely eliminate the risk of ransomware. That’s why your recovery strategy—based on the ability to quickly restore all data—is just as critical as your defense strategy.

Moreover, as more organizations make the move to Windows 10, they’re seeing that the ability to efficiently restore all data is the key ingredient to a successful migration. Faster, user-driven migrations reduce user downtime and IT burden, and guaranteed backup eliminates the data loss (and resulting lost productivity) that plagues the majority of data migration projects.

Jeremy Zoss, Managing Editor, Code42

[Cloud Security Alliance Blog]

Security Automation Isn’t AI Security

In many spheres of employment, the application of Artificial Intelligence (AI) technology is creating a growing fear. Kevin Maney of Newsweek vividly summarized the pending transformation of employment and the concerns it raises in his recent article “How artificial intelligence and robots will radically transform the economy.”

In the Information Security (InfoSec) community, AI is commonly seen as a savior – an application of technology that will allow businesses to more rapidly identify and mitigate threats, without having to add more humans. That human factor is commonly seen as a business inhibitor as the necessary skills and experience are both costly and difficult to obtain.

As a consequence, over the last few years, many vendors have re-engineered and re-branded their products as employing AI – both as a hat-tip to their customers’ growing frustration that combating every new threat requires additional personnel to look after the tools and products being sold to them, and as a differentiator amongst “legacy” approaches to dealing with the threats that persist despite two decades of detection innovation.

The rebranding, remarketing, and inclusion of various data science buzzwords – machine intelligence, machine learning, big data, data lakes, unsupervised learning – into product sales pitches and collateral have made it appear that security automation is the same as AI security.

We are still at the very early days of the AI revolution. Product and service vendors are advancing their v1.0 AI engines and are predominantly focused on solving two challenges – sifting through an expanding trove of threat data for actionable nuggets and replicating the most common and basic human security analyst functions.

Neither challenge is particularly demanding of an AI platform. Statistical approaches to anomaly detection, data clustering and labeling processes meet all the criteria for the first security challenge, while “expert system” approaches of the 1970s and 1980s tend to be adequate for most of the second challenge. What has changed is the volume of data that decisions must be based upon and the advances in learning systems.

What confuses many security technology buyers at the moment is the inclusion of AI buzzwords around products and services that are essentially delivering “automation.”

Many of the heavily marketed value propositions have to do with automating many of the manual tasks that a threat analyst or incident responder would undertake in their day-to-day activities, such as sifting through critical alerts, correlating them with other lesser alerts and log entries, pulling packet captures (PCAPs) and host activity logs, overlaying external threat intelligence and data feeds, and presenting an analytics package for a human analyst to determine the next actions. All these linked actions can of course be easily automated using scripting languages if the organization were so inclined.

The automation of security event handling doesn’t require AI – at least not the kind or level of AI that we anticipate will cause a global economic and employment transformation.

The AI v1.0 being employed in many of today’s products may be best thought of as assembly-line robots – replicating repeated mechanical tasks, not necessarily requiring any “intelligence” as such. That automation obviously brings efficiencies and consistency to incident investigation and response – but by itself isn’t yet having an impact on an organization’s need to employ skilled human analysts.

As organizations get more comfortable sharing and collectively pooling data, the security community can anticipate the advancement and incorporation of better learning systems – driving down an incremental AI v1.1 path – in which process automation efficiently learns the quirks, actions and common decisions of the environment within which it is operating. One example would be assessing an analytics package that was automatically compiled by determining similarities with previously generated and actioned packages, assigning a prioritization and routing it to the correct human responder. It may sound like a small but logical step in automation, but it requires another level and class of math, and “intelligence,” to learn and tune an expert decision-making process.

In my mind, Security AI v2.0 lies in an intelligence engine that not only dynamically learns through observing the repeated classification of threats and their corresponding actions, but is able to correctly identify suspicious behaviors it has never seen before, determine the context of the situation and initiate the most appropriate actions on behalf of the organization.

That might include the ability to not just identify that a new host has been added to the network and appears to be launching a port scan against the Active Directory server, but to predict whether the action may be part of a penetration test (pentest) by understanding the typical pentest delivery process, typical targets of past pentests and the regular cadence or scheduling of pentests within the organization. The engine could then arrive at an evidence-based conclusion, track down and alert the business owners of the suspected activity and, while waiting for confirmation, automatically adjust threat prevention rules and alerting thresholds to isolate the suspicious activity and minimize potential harm.
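As an added illustration (not code from the original post or from Vectra) of both the v1.1 routing step described two paragraphs above and the port-scan scenario in this paragraph: a toy triage function that routes a new analytics package by set similarity to previously actioned packages, escalates anything too dissimilar to a human, and first checks a port scan against a pentest schedule. The history, schedule, feature names, IP addresses and threshold are all constructed assumptions.

```python
# Constructed example of "AI v1.1"-style triage: inherit the decision taken on the
# most similar previously actioned package, hand unseen packages to a human, and
# check a port scan against the organisation's pentest schedule before paging IR.
# Timestamps are ISO 8601 strings, which compare correctly as plain strings.

# Constructed history: feature set -> (priority, responder queue) as actioned before.
HISTORY = [
    ({"alert:c2_beacon", "asset:workstation", "ti:known_c2"}, ("P1", "ir-team")),
    ({"alert:phish", "asset:workstation", "mail:attachment"}, ("P2", "soc-tier2")),
    ({"alert:portscan", "asset:server", "role:domain_controller"}, ("P1", "ir-team")),
    ({"alert:policy", "asset:printer"}, ("P4", "it-ops")),
]

# Constructed schedule of authorised pentests: (start, end, set of source hosts).
PENTEST_SCHEDULE = [
    ("2016-09-12T08:00", "2016-09-16T18:00", {"10.9.9.10", "10.9.9.11"}),
]


def jaccard(a, b):
    """Set similarity in [0, 1]; defined as 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def in_pentest_window(src, when, schedule=PENTEST_SCHEDULE):
    """True if the source host was authorised to test at that time."""
    return any(start <= when <= end and src in hosts for start, end, hosts in schedule)


def triage(features, src, when, history=HISTORY, threshold=0.5):
    """Return (priority, queue, note) for a new analytics package.

    A port scan from a host that is on the pentest schedule goes to the test owner
    for confirmation rather than straight to incident response. Otherwise the package
    inherits the decision made on the most similar historical package, unless nothing
    in history is similar enough, in which case a human has to look at it.
    """
    if "alert:portscan" in features and in_pentest_window(src, when):
        return ("P3", "pentest-owner", "matches scheduled pentest; confirm with owner")
    past, decision = max(history, key=lambda h: jaccard(features, h[0]))
    score = jaccard(features, past)
    if score < threshold:
        return ("UNSEEN", "human-review", f"best match {score:.2f} below threshold")
    prio, queue = decision
    return (prio, queue, f"matched prior package ({score:.2f})")
```

The "UNSEEN" branch is the gap the article is pointing at: similarity to the past only gets you as far as the decisions someone has already made.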

The success of Security AI lies in determining actions based on incomplete and previously unclassified information – at which point the hard-to-retain “tier-one” security analyst roles will disappear like so many assembly-line jobs in the motor vehicle industry have in the past couple of decades.

Gunter Ollmann, Chief Security Officer, Vectra

[ISACA Now Blog]

Three Myths About CISSP Certification Training…Busted!

Let’s pretend you’re planning a big trip, and you need a nice place to stay. After considering different options online, you find a place that sounds great. The photos appear perfect.

So, here’s the question. When you arrive, will the lodging match your expectations…or is it just too good to be true?

When you’re choosing among CISSP® training providers, we know you’re sorting through a variety of companies and, oftentimes, big, beautiful claims. To ensure you aren’t surprised when you reach the CISSP certification exam, here are three myths debunked.

Myth #1: Pass rates of 90%+ are guaranteed.

What you should know: No training provider knows exactly which questions and real-world scenarios will be on the exam, so there’s no way to guarantee a pass rate.

The CISSP certification exam is very tough, and it’s constantly being updated to reflect our ever-changing cyber world. Not to mention, there are a variety of unknown variables when each person takes the exam.

It is impossible for any company to prepare you for the exact questions on the exam.

Bottom line: (ISC)² does not provide pass rate information to any training providers – including our very own (ISC)² Official and Approved Training Providers. Be careful with any company that guarantees a pass rate.

 

Myth #2: Any training company can get you a CISSP exam voucher.

What you should know: (ISC)² and (ISC)² Official Training Providers are the only authorized organizations with the ability to offer CISSP exam vouchers.

What happens if an unauthorized company says it can get exam vouchers for you? For example, it may tell you that “all you need to do is give them your Pearson VUE credentials.”

You should know you’re putting yourself at risk. Sharing your Pearson VUE credentials with unauthorized companies or individuals violates the terms of the (ISC)² Non-Disclosure Agreement. Doing this means you:

  • May lose your CISSP certification
  • Can be indefinitely suspended from retaking the exam
  • Will lose the money you’ve paid for the exam

Bottom line: When you go through official channels for exam vouchers, you completely eliminate these risks. (ISC)² and our Official Training Providers will never ask you for your Pearson VUE credentials.

 

Myth #3: Passing the exam is the one and only thing that matters.

What you should know: There’s more at stake here.

It’s easy to slip into the mindset that passing the exam is the only thing that matters. In this mindset, training can quickly turn into a series of memorization drills and brain dumps.

But step back for a moment. The CISSP certification was created to measure whether you have the experience, knowledge and critical thinking skills to be effective at your job.

Yes, we help you prepare for test day. Just as important, though, we never lose sight of the bigger picture: inspiring a safe and secure cyber world and developing professionals who can protect their organizations.

Because we create and manage the CISSP Common Body of Knowledge (CBK®), our training seminars always include the most current information. Plus, all of our instructors have the CISSP certification themselves. This means our instructors can help you:

  • Understand how to apply the most current best practices in real-world scenarios
  • Build critical thinking skills to enable you to think beyond the tasks at hand
  • Address today’s security problems, and discover tomorrow’s challenges before they even happen

Bottom line: When you choose (ISC)² or one of our (ISC)² Official Training Providers, you are on the way to becoming the most well-rounded and effective information security professional possible.

Interested in becoming a CISSP? Download the free planning kit.

[(ISC)² Blog]
