Discussion posts for Richard Bocchinfuso.
Discussion: Describe the basis for effective collaboration of security defenses within and between organizations.
This is an interesting question. I think ten years ago effective collaboration of security defenses within and between organizations would be highly dependent on effective open communication between these organizations. Today I think the effective collaboration of security defenses is being aided by two core technology shifts:
- Cloud
- Machine Learning, Deep Learning, AI
Let’s start with the cloud. Today’s security providers are increasingly becoming cloud-enabled; they are relying on the aggregation of massive data sets (big data) for heuristics on massive compute farms that far surpass what is possible in a heuristics engine on a laptop, desktop or mobile device. Just about every security technology provider is leveraging the cloud and the vast resources it provides. When organizations buy into the cloud-based security paradigms it is the equivalent of sharing and communicating information, but this information is now being aggregated, anonymized, analyzed and cross-referenced in real-time. (Quora Contributor, 2018)
Machine learning, deep learning, and AI are not just buzzwords, they are technologies that harness data and continuously train models that can begin to see things which are not visible to the naked eye. These technologies are greatly altering how we think about security. Security providers like AlertLogic, Secureworks and many others that focus on IPS/IDS and incident response models leverage data which is anonymized, but aggregated and analyzed across their entire customer base; this has tremendous value. Security providers like Tanium and Panda Security and others who focus on end-point security also use cloud technologies, big data and machine learning to provide superior heuristics. For example, the embedded anti-malware in Windows 10 makes use of “cloud-based protection” to better protect users; users are opted in to collaborating, and opting out requires user intervention that is buried in the bowels of the operating system and anti-malware (Windows Defender) configuration settings.
Collaboration and engagement require a focus on Human-Computer Interaction (HCI) to drive system usability and adoption; this is especially true in the field of security. Users vary and they have different expectations of the systems they interact with. A simple blacklist or whitelist approach no longer gets the job done; these approaches slow productivity and encourage working around the system. (Coursera, 2018)
Intelligent security systems which leverage AI may be able to adapt security protocols based on user usage profiles. For example, which users took the lollipop and which users didn’t, and should how security is enforced for these two user types differ? (DreamHost, 2018)
To close out my thoughts this week, I will end with an example of a security problem that is not a platform problem, but rather a use problem, as is often the case. For those of us who have used Amazon (AWS) S3, the AWS object storage service, we know that AWS offers extremely fine-grained ACLs for S3 buckets; the security paradigm is quite robust and defaults to no-access, but this robustness and fine-grained programmatic and composable infrastructure comes with complexity (Amazon, 2018). Complexity leads to usability challenges, which leads us to exposing data which is not intended to be exposed. This week that victim was GoDaddy, who exposed an S3 bucket containing configuration data for tens of thousands of systems, as well as sensitive pricing information, apropos given our collective conversations last week regarding GoDaddy and DNS registrars. (Chickowski, 2018)
With > 80% of all corporations experiencing a hack of some sort, exploitation is on the rise and there is no end in sight. (Lipka, 2015) As we continue towards a public cloud world, platforms are providing more choice, easier access, and the ability to be more agile, build faster and come to market faster, but we’ve lost the simplistic nature of layer 1 security. We have to have security systems that live at a layer above layer 1 human interaction and communication. I believe that progress will depend on the ability of the security systems of today and tomorrow to facilitate zero touch collaboration in an automated and secure way.
References
Amazon. (2018, August 10). Bucket Policy Examples. Retrieved August 10, 2018, from https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
Chickowski, E. (2018, August 9). AWS Employee Flub Exposes S3 Bucket Containing GoDaddy Server Configuration and Pricing Models. Retrieved August 10, 2018, from https://www.darkreading.com/attacks-breaches/aws-employee-flub-exposes-s3-bucket-containing-godaddy-server-configuration-and-pricing-models/d/d-id/1332525
Coursera. (2018, August 10). Usable Security. Retrieved August 10, 2018, from https://www.coursera.org/lecture/usable-security/course-intro-60olh
DreamHost. (2018, January 30). Take This Lollipop… I Dare You! Retrieved August 10, 2018, from https://www.dreamhost.com/blog/take-this-lollipop-i-dare-you/
ElsonCabral. (2011, October 26). Take This Lollipop. Retrieved August 10, 2018, from https://www.youtube.com/watch?v=pbQm-nIMo_A
Lipka, M. (2015, June 05). Percentage of companies that report systems hacked. Retrieved August 10, 2018, from https://www.cbsnews.com/news/percentage-of-companies-that-report-systems-hacked/
Quora Contributor. (2018, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved August 10, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#34f878166147
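The post above points at S3 bucket policy complexity as the usability gap behind accidental exposures. The following is an added example, not code from the post or from AWS: a small, offline audit of a bucket policy document that flags `Allow` statements whose principal is everyone (`"*"` or `{"AWS": "*"}`) and distinguishes unconditional grants from ones narrowed by a `Condition` block. The three policy documents and the account id and bucket name inside them are constructed for the example.

```python
"""Flag public-access statements in an S3 bucket policy document.

Added example; the sample policies below are constructed, not taken from
any real account. Runs offline on the JSON text alone.
"""
import json


def _as_list(value):
    """Policy grammar allows scalars or arrays; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True when the statement applies to anyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_doc):
    """Return one finding per Allow statement open to everyone.

    Each finding records the Sid, the actions granted, and whether the
    grant is unconditional (no Condition block at all).
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "unconditional": not bool(stmt.get("Condition")),
        })
    return findings


# Constructed sample policies (account id and bucket name are placeholders).
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-config-bucket/*",
    }],
})

PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-config-bucket/*",
    }],
})

CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-config-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})


if __name__ == "__main__":
    for name, doc in [("private", PRIVATE_POLICY),
                      ("public", PUBLIC_POLICY),
                      ("conditioned", CONDITIONED_POLICY)]:
        print(name, find_public_statements(doc))
```

A conditioned public grant is still reported, but marked `unconditional: False`, because whether the condition actually narrows access (an IP range versus, say, a referer header) is a judgement call for the reviewer rather than something the audit can settle.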
James, I would go as far as to say unless mandated by a regulatory requirement very few enterprises are advertising breaches, and even when mandated by regulatory bodies they are pushing the boundaries of the disclosure. For example, Equifax took six weeks to disclose the hack, not the only major enterprise in a regulated industry looking to delay disclosure. The bigger the organization and the more sensitive the data, the tighter and more broad sweeping the NDAs. Ed Snowdens are not falling out of trees, and the number of statistical breaches, when contrasted with the number of reported breaches, says there is more interest in obfuscation than there is in disclosure. Sure, the OTR conversations can happen at an InfoSec meetup, but the bigger the enterprise the more isolated and focused exposure is becoming, with access to systems, processes, conversations, etc. becoming so tightly governed that it’s getting harder and harder to assemble a full picture of a situation. Those who do have the complete picture don’t attend InfoSec meetups; they are busy having dinner at Le Bernardin. 🙂
I think it’s a fair assumption to assume we know only a small fraction of what’s happening and that the preponderance of the most diabolical stuff never makes it into the mainstream. As technology becomes a profit center for every company, we will see more and more of this. The days of “we are a manufacturing company and tech is a cost center” are over; big data, analytics, and machine learning are driving every industry, with the CMO spending more on technology than the CIO.
Not saying we shouldn’t keep trying, but I believe we will see significant innovations that will change the game, relying less on the good behavior of people and more on the machine to make and monitor decisions. Andrew mentioned the Target breach; there is no reason that a PLC network for HVAC controls should have >= layer 2 access to a network for payment processing, IMO layer 1 is even questionable. What should have been disclosed is the name of the network architect who built that infrastructure and everyone who looked at it thereafter and didn’t yell from the rooftop.
References
Isidore, C. (2017, September 8). Equifax’s delayed hack disclosure: Did it break the law? Retrieved August 10, 2018, from https://money.cnn.com/2017/09/08/technology/equifax-hack-disclosure/
McLellan, L. (n.d.). By 2017 the CMO will Spend More on IT Than the CIO. Retrieved August 10, 2018, from https://www.gartner.com/webinar/1871515
Andrew, let’s assume that an organization or organizations have a well designed and implemented network infrastructure using platforms from providers like Cisco, Juniper, Palo Alto, etc.
Organizations acting together (e.g. suppliers and buyers in a supply chain system) can secure their data exchange on encrypted channels, they can use multi-factor authentication, they can use geo-fencing, they can use certificate-based PKI smart cards, but what if the exploit resides in the router or firewall code? What if there is an APT (Advanced Persistent Threat) against organization X which exploits some vulnerability in the router or firewall code? When organization X identifies the breach, do they communicate that they have been breached? If so, to whom? While agreeing that open communication is key to slowing the bad guys, reducing the blast radius, etc., I also believe there are few organizations willing to volunteer that they have been breached; this is especially true if the breach has to do with human error, which they so often do. The reports we see are typically driven by watchdog groups, like the recent GoDaddy breach; by a regulatory requirement to disclose, like the Target or Equifax breach; or by a catastrophe, like the CodeSpaces breach, but in most cases the motivation to disclose is not very strong at all. I believe the answer resides in anonymizing the breach reports, focusing a little less on corporate accountability and more on getting the data needed to start programmatically plugging the gaps, making the system less punitive and mandating more tech to secure the network so the machine may save us from ourselves. In essence, more carrot and less stick. For example, what if in the case of Target there was stateful packet inspection which saw both PLC data and payment processing data flowing on the same network, and took automated action to segment the traffic, shut the traffic down, etc.
Sure, these technologies will get hacked as well, but people are inherently poor binary decision makers and I think we will see a different paradigm emerge. I think we are seeing it already.
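The post above asks what automated inspection that noticed PLC traffic and payment traffic on the same network, and acted on it, would look like. The following is an added example, not code from the post or from any vendor: a flow-record classifier that assigns each flow to a named segment by CIDR, flags any flow crossing between the HVAC segment and the payment segment or carrying an industrial protocol port into the payment segment, and emits a vendor-neutral deny rule for each violation. The segment ranges, port-to-protocol map, and the five flow records are constructed for the example; a real deployment would feed it NetFlow or firewall logs and push the rules through the segmentation controller of choice.

```python
"""Detect OT (PLC/HVAC) traffic mixing with a payment segment and propose deny rules.

Added example with constructed segment ranges and flow records; it is not
the post's or any product's code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segment layout: in practice this comes from the IPAM/VLAN plan.
SEGMENTS = {
    "hvac": ipaddress.ip_network("10.30.0.0/24"),
    "payment": ipaddress.ip_network("10.20.0.0/24"),
}

# Well-known industrial-protocol ports; none of these belong on a payment network.
OT_PORTS = {502: "modbus", 47808: "bacnet", 20000: "dnp3"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow_line(line):
    """Parse a constructed flow log line: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def segment_of(ip):
    """Name the segment an address belongs to, or 'other' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "other"


def classify(flow):
    """Return a violation reason for the flow, or None if it is acceptable."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    # Any traffic between the HVAC and payment segments violates segmentation.
    if {src_seg, dst_seg} == {"hvac", "payment"}:
        return "cross-segment"
    # An industrial protocol inside the payment segment is wrong even if both ends are local.
    if flow.dport in OT_PORTS and "payment" in (src_seg, dst_seg):
        return "ot-protocol-in-payment:" + OT_PORTS[flow.dport]
    return None


def deny_rule(flow):
    """Vendor-neutral text rule a segmentation controller could translate."""
    return f"deny {flow.proto} from {flow.src} to {flow.dst} port {flow.dport}"


def audit(lines):
    """Run every flow line through classify(); return (flow, reason, rule) triples."""
    violations = []
    for line in lines:
        flow = parse_flow_line(line)
        reason = classify(flow)
        if reason is not None:
            violations.append((flow, reason, deny_rule(flow)))
    return violations


# Constructed flow records: timestamp, source, destination, dst port, protocol.
SAMPLE_FLOWS = [
    "2018-08-10T10:00:01Z 10.30.0.15 10.20.0.8 443 tcp",    # HVAC host -> payment host
    "2018-08-10T10:00:02Z 10.20.0.8 10.20.0.9 8443 tcp",    # payment -> payment (fine)
    "2018-08-10T10:00:03Z 10.20.0.40 10.20.0.41 502 tcp",   # Modbus inside payment segment
    "2018-08-10T10:00:04Z 10.30.0.15 10.30.0.2 502 tcp",    # Modbus inside HVAC (fine)
    "2018-08-10T10:00:05Z 10.20.0.8 10.30.0.2 47808 udp",   # payment host -> HVAC controller
]


if __name__ == "__main__":
    for flow, reason, rule in audit(SAMPLE_FLOWS):
        print(f"{flow.ts} {reason}: {rule}")
```

The two checks are deliberately separate: the cross-segment rule catches policy violations regardless of protocol, while the port check catches a mis-plumbed controller that landed inside the payment range and would otherwise look like local traffic.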
Scott, enjoyed the post. I think this is my first comment on one of your posts in this class. I like Canvas 1000x better than the old LMS, but it feels like this class has more students or something because the discussion threads are long. Anyway, I have a few friends who work for FireEye; they are 100% focused on APTs (Advanced Persistent Threats), and what they will say is that FireEye focuses on four things: Prevent, Detect, Contain, Resolve. While prevention and detection are important, with APTs the bad guys will typically find a way in, so they put a heavy focus on containment. What containment is about is not letting the bad guys leave once they are in. I always think about the bar scene from the movie “A Bronx Tale”. The bad guys walk into the bar, but then they are contained. 🙂
Starting to see more and more focus on preventing data exfiltration (DLP).