Hack Secure Dinner Series: Security Of The Blockchain (51:37)

Cyber Security Practitioner Series brought to you by Reverb Advisors.

Hack Secure's first dinner series was headlined by Professor Brian Levine of The College of Information and Computer Sciences at UMass Amherst.

Brian's talk focused on blockchains, and how blockchain-based cryptocurrencies are quickly advancing from simply supporting financial transactions to hosting advanced software services and initial public/coin offerings. He discussed the security of using blockchains for those purposes, explained the basic operation and assumptions of blockchains such as Bitcoin and Ethereum, and described the successes of these platforms as well as the attacks that these systems have suffered.

He then took a look at a few specific cases. For example, in May 2016, an Ethereum-based service called "The DAO" was created as a type of decentralized hedge fund. It raised over US$150M worth of ether during a crowd sale. By June 2016 an attacker began stealing ether from The DAO, not due to a flaw or vulnerability in Ethereum itself, but rather due to a flaw in The DAO's own code. He also discussed how, in July 2017, a flaw in a software "wallet" for Ethereum allowed an attacker to steal US$30M from some users.

If you have any questions for Brian feel free to contact him:
bnl@umass.edu
https://cs.umass.edu/~brian/
https://www.linkedin.com/in/bnlevine

DNS Analytics, What Is It And Why Is It Important?

Cyber Security Practitioner Series brought to you by Reverb Advisors.

For our next installment in the Cyber Security Practitioner Series, we interviewed AlphaSOC co-founder Chris McNab about DNS (Domain Name System) analytics, its importance, and what AlphaSOC is doing about it.

Chris discusses his Splunk app, DNS Analytics for Splunk, and how AlphaSOC uses it to find anomalies and malware by analyzing the DNS logs. 

Chris McNab of AlphaSOC

Tell us a bit about yourself, your background and what you're currently working on.

I'm a co-founder of AlphaSOC and author of Network Security Assessment (O'Reilly Media) which is a penetration testing title in its 3rd edition! I've worked in the security industry since 2000 on the consulting side of things, focusing on assessment work, and in recent years a lot of incident response and forensics. I tracked Alexsey Belan a few years ago, and put together a blog post recently describing his TTPs after it was publicly known he was associated with the massive Yahoo hack. We set up AlphaSOC back in 2013 upon realizing that DNS was a reliable and inexpensive channel to pay attention to when flagging malware and lateral movement in large networks.

What is DNS analytics and why is it important?

DNS Analytics for Splunk is the flagship AlphaSOC product that we've been working on and continuously improving since 2013. It's an app, for Splunk and non-Splunk environments, that takes minutes to deploy and will instantly flag anomalies and malware within an environment by processing DNS logs. The analytics engine is actually platform agnostic. While many of our customers use Splunk, we support non-Splunk environments as well via Network Flight Recorder (https://github.com/alphasoc/nfr) which is a lightweight Linux command-line utility. Most security products used within a SOC perform one-dimensional correlation of threat intelligence feeds, flagging traffic to known bad domains. DNS analytics performs three-dimensional scoring using behavioral analytics and timing analytics to flag anomalies, emerging threats, and malware without signatures. For example, we're able to programmatically flag DGA traffic and DNS tunneling using analytics alone (versus threat intelligence feeds), and highlight odd traffic patterns (e.g. beaconing to a young domain with a suspicious TLD).

What are the threat intelligence feeds you use in your product and how does that help identify threats? Any specific examples you could touch on?

We curate our own threat intelligence through investigating the alerts within the system and marginal hits (e.g. young domains and FQDNs known to sandboxing engines). As such, we're able to categorize adware, unwanted programs, third-party VPN packages, P2P traffic, and malicious traffic patterns to C2 domains. Of the alerts we serve to users, only a small percentage are generated using a threat intelligence correlation, and the majority are generated by the analytics stack to highlight suspicious queries within the larger DNS dataset (which is often millions of events per day). As we improve the classifiers and analytics engine, we actually become less and less dependent on threat intelligence, which isn't a bad thing.

How much malware actually uses DNS for command and control?

According to research by Infoblox and BlueCat Networks, around 95% of malware families use DNS for command and control (C2). Even state-sponsored malware samples such as Stuxnet have been found to use DNS for C2 purposes. DNS has been found to be a reliable channel to pay attention to when identifying infected hosts within an environment.

How does AlphaSOC flag infections that don't generate DNS traffic?

To cover the small blindspot that remains (exploited by the 5% of malware families not using DNS), we've released IP Analytics for Splunk to flag anonymized circuits (e.g. Tor, I2P, and Freenet) and traffic to IP addresses which are known C2 and sinkhole destinations.

How can someone get started leveraging AlphaSOC analytics to help protect their enterprise?

If you have Splunk, the DNS Analytics (https://splunkbase.splunk.com/app/1657/) and IP Analytics (https://splunkbase.splunk.com/app/3721/) apps are free to download and evaluate for 30 days without restriction. By using the tools to process your network logs, you can flag known and unknown malware, emerging threats, and policy violations (e.g. third-party VPN use, P2P traffic, cryptomining, and other threats). The visibility provides a lot of insight into what's going on within large complex enterprise environments. If you don't have Splunk, take a look at Network Flight Recorder (https://github.com/alphasoc/nfr) which is our Linux command-line utility to score DNS traffic and get in touch with us to discuss your requirements! The analytics API and feeds that we provide can be consumed easily and integrated with SIEM and orchestration platforms.
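The interview above describes three signatureless signals that a DNS analytics engine can score from query logs alone: DGA-looking names, DNS tunneling, and beaconing on a fixed period. The following is an added toy example written for this post, not AlphaSOC's code or the logic behind DNS Analytics for Splunk or Network Flight Recorder. The log lines, the "last two labels" domain split, and every threshold in it are constructed assumptions for illustration; a real deployment would use the Public Suffix List for domain extraction, tune thresholds on its own traffic, and add the domain-age and TLD-reputation context the interview mentions, which needs external data and is left out here.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<ISO time> <client> <qname> <qtype>".
# Host 10.0.0.7 resolves random-looking names, 10.0.0.9 sends an encoded-looking
# label over TXT, and 10.0.0.11 queries the same domain every 60 seconds.
SAMPLE_LOG = """\
2017-09-01T10:00:00 10.0.0.5 www.example.com A
2017-09-01T10:00:05 10.0.0.5 mail.example.com A
2017-09-01T10:00:08 10.0.0.7 kq3xz8v1pd0mqf7t.test A
2017-09-01T10:00:09 10.0.0.7 9hg2mw7zxcv4lbtn.test A
2017-09-01T10:00:10 10.0.0.7 pzr6d2wkxv8fh4qb.test A
2017-09-01T10:00:12 10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.0001.exfil.example.org TXT
2017-09-01T10:00:00 10.0.0.11 cdn.beacon-test.example.net A
2017-09-01T10:01:00 10.0.0.11 cdn.beacon-test.example.net A
2017-09-01T10:02:00 10.0.0.11 cdn.beacon-test.example.net A
2017-09-01T10:03:00 10.0.0.11 cdn.beacon-test.example.net A
2017-09-01T10:04:00 10.0.0.11 cdn.beacon-test.example.net A
"""

def parse_log(text):
    """Parse the constructed four-column format; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records

def registered_domain(qname):
    """Naive 'last two labels' split (assumption of this toy; real code needs the
    Public Suffix List so that names under co.uk and similar are handled)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_dga_like(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.35):
    """Flag registered labels that look machine-generated: long, high entropy,
    few vowels. Thresholds are illustrative, not tuned on real data."""
    label = registered_domain(qname).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def is_tunneling_like(qname, qtype, max_label=30, max_qname=60):
    """Flag names that look like a data-carrying payload: one very long label,
    an over-long full name, or a bulky record type with a long name."""
    longest = max(len(label) for label in qname.split("."))
    return (longest > max_label or len(qname) > max_qname
            or (qtype in ("TXT", "NULL") and len(qname) > 40))

def find_beacons(records, min_queries=4, max_cv=0.15):
    """Group queries by (client, registered domain) and flag series whose
    inter-arrival times are nearly constant (low coefficient of variation)."""
    series = defaultdict(list)
    for r in records:
        series[(r["client"], registered_domain(r["qname"]))].append(r["ts"])
    beacons = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        if statistics.pstdev(deltas) / mean <= max_cv:
            beacons.append({"client": client, "domain": domain,
                            "period_s": round(mean, 1), "count": len(times)})
    return beacons

def score_log(text):
    """Run the three detectors over a log and return (kind, client, name) alerts."""
    records = parse_log(text)
    alerts = []
    for r in records:
        if is_dga_like(r["qname"]):
            alerts.append(("dga", r["client"], r["qname"]))
        if is_tunneling_like(r["qname"], r["qtype"]):
            alerts.append(("tunnel", r["client"], r["qname"]))
    for b in find_beacons(records):
        alerts.append(("beacon", b["client"], b["domain"]))
    return alerts

if __name__ == "__main__":
    for alert in score_log(SAMPLE_LOG):
        print(*alert)
```

On the sample above the DGA check fires for the three random-looking .test names, the tunneling check fires for the long base64-looking TXT query, and the beacon check fires once for 10.0.0.11 with a 60-second period; the ordinary example.com lookups produce nothing. The point of the timing detector is that it needs no knowledge of the destination at all, which is what lets a DNS-based approach flag a previously unseen C2 domain.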

Hack Secure Dinner: How Secure Are Blockchains For Supporting Financial Transactions, Software Services, ICOs And Beyond

The goal of Hack Secure is to help educate the cybersecurity community on as many issues and ideas as we possibly can. In that vein, we like to host intimate dinners with cybersecurity practitioners and executives to discuss current topics.

Our next dinner will be highlighted with a talk given by Professor Brian Levine of The College of Information and Computer Sciences at UMass Amherst. (If you're interested in attending a future dinner, please reach out to us below.)

Professor Brian Levine of The College of Information and Computer Sciences at UMass Amherst.

Brian's talk will focus on blockchains, and how blockchain-based cryptocurrencies are quickly advancing from simply supporting financial transactions to hosting advanced software services and initial public/coin offerings. He'll discuss the security of using blockchains for those purposes. He will also explain the basic operation and assumptions of blockchains, such as Bitcoin and Ethereum, then describe the successes of these platforms, as well as the attacks that these systems have suffered.

We will be taking a look at a few specific cases. For example, in May 2016, an Ethereum-based service called "The DAO" was created as a type of decentralized hedge fund. It raised over US$150M worth of ether during a crowd sale. By June 2016 an attacker began stealing ether from The DAO, not due to a flaw or vulnerability in Ethereum itself, but rather due to a flaw in The DAO's own code. Also to be discussed is how, in July 2017, a flaw in a software "wallet" for Ethereum allowed an attacker to steal US$30M from some users.

If you would like to attend this event, or any future events being held by Hack Secure, please reach out to us below: 

Information Security As A Revenue Driver For The Enterprise

Cyber Security Practitioner Series brought to you by Reverb Advisors

We recently interviewed Brian Castagna for our Cyber Security Practitioner Series on the topic of how enterprise organizations should view their information security programs as a revenue driver as opposed to a cost center.

Brian shared his wisdom with us on his approach to revenue-driven security programs, and how he applies it while serving as the Director of Information Security at Oracle Bare Metal Cloud.

Brian Castagna of Oracle

Tell us a bit about yourself and your current role.

I’d like to start this Q&A with a confession. I’m trusting you as the reader with my secret. (in a whisper) “I used to be an auditor”. Sssshhh, don’t tell anyone. Yes, I was one of those smug 22 year olds that cost $200 an hour who asked you “what’s Linux?”. I started my career as an IT Auditor performing SAS 70, PCI DSS and ISO 27001 audits at various public accounting firms including KPMG, PwC and Shellman. And while I jest, there is tremendous value in building information security programs by starting with a strong foundation of IT general controls - access, authentication, change management, backup, and monitoring.

After 8 years of evaluating the security and controls of technology service providers, I realized I wanted to do more than just find the security issues, I wanted to fix them too. For the past 5 years I’ve been building information security programs at venture backed technology companies including Jumptap, Acquia and Dyn.

In my current role, I lead the information security program for Oracle Cloud Infrastructure (OCI) Edge Services. Formerly Dynamic Network Services (DYN), OCI Edge Services runs DNS, Monitoring and Email services for the edge of Oracle’s V2 Cloud.

Organizational leadership teams often make information security investment decisions to prevent or respond to a security breach. Should this be the primary driver for information security investment?

Information security is a great case study in human behavior. We are a reactive species. Why did you get that new home security system? Because a robber just broke into your house. Why did you start eating healthy, and stop drinking Cokes, eating Oreos and fried food? Because you now have type 2 diabetes. Why do organizations make significant increases in information security investments? Because they just had a major security breach.

A common attitude among corporate executives is the following:

“Why would I invest money in information security when we haven’t had a security breach? And if I did invest money in information security, it’s really just an insurance policy to protect against a cyber attack.”

This is the wrong line of thinking in my opinion. This type of attitude has contributed to the myriad of breaches we see in the news every day.

Here are four areas that I believe should be drivers for information security investment:

  1. Revenue: It’s the money, stupid. What if information security was an implicit or explicit revenue center? What if you used metrics to directly tie information security to increases in revenue? People respond to money. If investments in information security could open up new segments of the market such as healthcare, government or e-commerce, that is an eye-opening pitch to executives vs. we need to protect against X scary event in the future.

  2. Shorten Your Sales Cycle: Are you living quarter to quarter? Anxious to close that seven figure enterprise deal to secure your next round of VC funding? If you are able to meet or exceed your customers' security expectations this will shorten your sales cycle with the security and legal hurdles found at larger enterprise customers.

  3. Marketplace Differentiation: Customers of cloud service providers demand a strong security story. If you can articulate your security to customers in a confident, but not boasting manner - you will get more customers than your competition.

  4. Nature of the Business & Data: What you do for a business, and the types of customer data you maintain should have a strong influence on the level and type of information security investments your organization makes. For example, you are a Fintech startup and take on personally identifiable information and bank account data in the cloud. Your customers (banks) require security. Regulators (SEC, privacy laws) require security. Auditors require security (external, customer auditors). You require security, because you need to meet the needs of customers, regulators, auditors and most importantly to grow and mature your business.

How do you approach building information security programs to drive revenue?

I take a customer centric view when I build information security programs. With that lens, it enables me to get more buy-in within the business driven departments at an organization from executives, customer support, sales, account management and product. A customer centric security program is a win not only for the business in driving revenue, but for security teams as well - as enterprise customers have expectations much more stringent than compliance standards. Here are some of my focus areas to drive revenue:

  • Compliance: As a former auditor, I have a love hate relationship with compliance. Love because foundational IT general controls bring a baseline level of structure and health to an organization. That makes me happy :). Hate, because compliance is often window dressing, with insufficient focus on mitigating the relevant threat models to a particular business - be that strong vulnerability management or security incident response. Out comes the sad face :(. The reality is, compliance is now table stakes. If you want to sell to mid-market or enterprise, you need the acronyms: SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS, HIPAA, FedRAMP, etc.

  • Customer Visibility: Customers want visibility into the security of your product or service beyond the audit reports and questionnaires. Figure out a way to provide them that visibility, and you will break down sales barriers.

  • Answer the Hard Questions: Gone are the days of easy security questions from enterprise customers. I completed a 420 question security questionnaire the other day. If you can answer the hard security architecture and configuration questions well, it will help you get that top 20-30% of revenue that’s been elusive to your business.

  • Charge for it: Why hello Mr Customer. We are offering three product models Bronze, Gold and Platinum. The platinum offering comes with these five additional security features and services. Which product do you prefer? The customer likely has to get past his own corporate security team and make his boss happy. Security should be an easy upsell.

  • Internal SLAs: Go hard. Make your security team service providers. Respond quickly with internal SLAs on requests from customer support, account management, and sales. Not only will you be making friends and kissing babies within peripheral business units, but you will make customers happy.

How does an information security program impact a company's enterprise value?

A properly designed and implemented information security program increases enterprise value. There are implicit and explicit benefits to having the right level of security, structure and control.

Implicit examples include things like new hire, termination processing, and background checks. Having functional, and ideally automated baseline IT general controls will save your entire company time and money. There is tremendous value in making security easy and automated. In a recent conversation I had with the CISO of a Boston tech company, he made the decision to only allow third party technology vendors that integrate with his company's single-sign-on system. That’s a great example of a security policy that is driving implicit enterprise value where dozens of security administrators are not required to manage access to 90+ third party applications.

A more explicit example is opening up a new market segment.  For example, as a cloud service provider you cannot do business with the Federal Government unless you have FedRAMP compliance. Get FedRAMP, and open up a market segment where the revenue, and resulting increase in enterprise value can be explicitly tied to your efforts as a security professional.

How do you approach building security teams?

Building high performing security teams is both challenging and exciting. There is a huge talent gap for the required information security skill sets, particularly in security architecture, security engineering, and security incident response. Couple that talent gap with the need for a blended skill set of technical and people skills, and you find yourself on a unicorn hunt.

I build security teams with skill sets that complement each other. For example, some team members have a technical focus, or a people focus, or a queue based focus, or a project based focus. I approach team building by recognizing strengths & weaknesses, orchestrating the use of those strengths, and equipping my team with the right message and tooling to effectively execute.

When is the right time for a company to build out an information security function? Why?

To answer this question, we first need to evaluate the applicability of the information security investment drivers discussed above. What’s the target market for customers? Nature of the product and data? Risks to the business? Based on the answers to those questions, it’s easier to build out a roadmap or staffing plan for security.

However, herein lies the challenge for building the security team. Often this question is driven by customer compliance requests - such as a SOC 2 audit, and not driven by a meaningful business strategy. If I had a nickel for every time a recruiter messaged me on LinkedIn stating a company needs an information security director to get them SOC 2 compliance, I would be a rich man.

So, how do we answer this question? Let’s start with some simple yes and no questions:

  1. Are you a SaaS, PaaS, or IaaS provider?

  2. Do you operate in the Cloud (e.g. AWS, Google, Azure, Oracle)?

  3. Do you want to sell to mid-market and enterprise customers?

  4. Do you want to sell to regulated industries or geographies - healthcare, financial services, government, e-commerce, European Union?

  5. Do you take on sensitive customer or consumer data - intellectual property, source code, PII, credit card data, bank records, and/or strategy documents?

If you answered yes to #1 above - you should likely hire an information security resource(s) by the time you are 200 people.

If you answered yes to #1 and #2-5, you should hire an information security resource(s) between 50-150 people. The more questions you answered yes to, the closer you should be to hiring for information security after 50 people.

A common misconception is that security is a one person job, and you just need one manager, director or CISO. Information security is not a person, it is going to be a team where the scope, scale and timing of building that team depends on the nature of your business.