Threat Intelligence

How To Become A Cybersecurity Entrepreneur In A Crowded Market

If you want to build the next great cybersecurity startup, use your expertise, then follow these three simple suggestions.

Declines in venture funding often paralyze the technology community.

Talk of bubbles, dying unicorns, and austerity can surge for weeks following a negative report.
In response, many entrepreneurs hit pause on their dreams, believing they should wait for more favorable conditions.

That approach is often misguided. In our work as venture capital investors, we see this dynamic in the cybersecurity market today.
In July, tech market analysts at CB Insights predicted that 2016 will see $3B in cybersecurity funding with over 300 deals.

A year earlier, in 2015, analysts saw $3.75B invested in 336 cybersecurity deals.

Barring some miracle, investments will continue to decline year over year. When we drilled into the CB Insights data, we found an important discrepancy.

The relative volumes of Series A, B, C, D, and E+ rounds have not changed significantly in 2016.
In fact, the deal share of Series A rounds increased three percent.

Conversely, ‘Seed’ and ‘Angel’ deals declined from 37 percent to 31 percent, a five-year low.

This trend suggests that incumbents have doubled down in crowded niches, and would-be founders have hesitated. Counterintuitively, the downturn in funding could offer ideal conditions for entrepreneurs.

To find out, let’s begin with a question: What’s behind this decrease in early-stage investments? There are several factors:

Known Areas of Security Became Crowded with Strong Players

Established verticals like endpoint protection and network security are oversaturated.

Even newer markets like SCADA security and cyber deception have at least 10 to 20 vendors each.
VCs prefer not to support new startups in red oceans.

Thus, funding in these areas has declined and will continue to decline.

CISOs Are Overwhelmed by the Variety of Solutions

Thanks to the dense competition, chief information security officers (CISOs) are overwhelmed with options, and that affects funding.

Every day, cybersecurity startups bombard CISOs with dozens of similar products.

That creates an undue burden on CISOs who don’t have the time to evaluate, purchase, and maintain a basket of point solutions.

They’d rather choose broad platforms from established vendors.

Frankly, a brand-name cybersecurity platform is easier to justify to shareholders, board members, and fellow executives. With CISOs hesitant to choose early-stage startups, VCs have scaled back funding.

Non-Specialized Investors Wanted In

Perhaps most tellingly, investors without cybersecurity experience entered the market when it was bullish. Lacking the expertise to evaluate cybersecurity technologies, they financed startups with minimal differentiation and questionable leadership.

The consequent bloating of valuations and over-saturation raised the costs of marketing, sales, and talent acquisition for everyone.

Funding has slowed, in part, because it peaked unnaturally.

Experienced cybersecurity investors want to let crowded cybersecurity markets fizzle. So, if you’re a wannabe entrepreneur on the fence about launching a cybersecurity startup, is now really the time to do it? Absolutely yes. Remember, funding conditions don’t change cybersecurity’s raison d'être.

Breaches happen daily, and cybercrime will cost businesses over $2 trillion annually by 2019, according to Juniper Research.

Think about what we expressed above: your would-be competitors are likely stuck in red oceans and might lack access to additional funding. Right now, you can choose a blue ocean and face less competition than you would in bullish conditions. Consider, too, that enterprises face a global shortage of cybersecurity talent.

According to Cisco, the world has 1 million unfilled cybersecurity jobs, and that number could reach 1.5 million by 2019. Peninsula Press estimates that the U.S. alone has 209,000 vacant roles. When we consult our network of high-caliber CISOs, they consistently voice demand for solutions that manage, orchestrate, and automate cybersecurity.

Enterprises can’t adopt new technologies and compensate for the talent deficit – not without advances in cybersecurity.

Takeaways and Opportunities for the Security Pro

That dilemma raises an interesting challenge for enterprise security professionals as new technologies spur the need for new and innovative security solutions. Cybersecurity almost always finds a new market two to three years after a disruptive technology emerges.
Virtual containers, autonomous vehicles, and drones, for instance, have created some of the latest and greatest opportunities in cybersecurity. Right now, someone is inventing a technology that will spawn massive security issues. Who better to spot it than you? Why not make your move while capital is tied down in yesterday’s cybersecurity solutions? Why not approach CISOs with technologies they haven’t seen?

If you want to build the next great cybersecurity startup, we offer several suggestions: First, recognize that brilliant technology doesn’t equate to a great product or viable business model. Perform due diligence on the markets in which you see opportunities.

Build to sell, otherwise VCs will pass. Second, understand the thin line between an emerging space and a non-existent one.

The examples we mentioned – autonomous vehicles, virtual containers, and drones – they were nonexistent only a couple of years ago.

Their security was an afterthought, and afterthoughts can make billion-dollar businesses. However, if you create a technology before the market is ripe, you’ll spend precious capital educating the world on a problem that doesn’t exist.

And then, if that problem does come to fruition, the second wave of startups will reap the benefits of your spending and hard work. Third, build platforms, not features.

As mentioned, CISOs have had enough with point solutions, which are what startups initially make.

Even when you’re small, think big.
Initially, design your solution to integrate with common security portfolios.
In the long term, solve a set of interrelated problems.

Among CISOs, you want a reputation for handling all security dimensions of an indispensable technology. With the right team and point of view, entrepreneurs can thrive in cybersecurity, and tight funding can even provide a competitive edge, because cybersecurity is not a fad; it’s a central problem of digital society.
If you’re on the fence, that notion should give you comfort. Let tough funding conditions be a source of opportunity, not paralysis.

Iren Reznikov of YL Ventures also contributed to this article.

Yoav Leitersdorf and Ofer Schreiber are Managing Partner and Partner, respectively, at YL Ventures, which invests early in cybersecurity, cloud computing, big data, and software-as-a-service software companies, and accelerates their evolution via strategic advice and Silicon ...

Russia, Russia, Russia: What Clinton Or Trump Can Do About Nation-State...

US mulls 'proportional' response to Democratic Party hacks in midst of an unprecedented presidential campaign clouded by cybersecurity concerns (among other things).

Whether the next President of the United States likes it or not, she or he will be faced with a whole new era of nation-state cyberattacks that now have crossed a fine line from accepted cyber espionage to a form of cyberattacks aimed at sabotaging the election season. In the wake of a rare declaration by the Office of the Director of National Intelligence and US Department of Homeland Security last week that named Russia as the actor behind recent hacks of the Democratic National Committee (DNC) and personal emails of US political officials and organizations, the White House this week said the US will respond in a "proportional" manner to the breaches, which have gone glaringly public with online data dumps via WikiLeaks. Russia may be the first nation to move from cyber espionage to cyber sabotage in an apparent quest to influence or wreak chaos on the US election, but it wasn't the first nation the US has called out for damaging cyberattacks.

First there were the US Department of Justice's indictments of five Chinese military officials in 2014, followed by the Obama administration's naming and shaming of North Korea for the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment later that year. Earlier this year, the DOJ indicted an Iranian hacker working on behalf of the Iranian government for allegedly infiltrating a server at a dam in New York. Even so, Russia's propaganda-driven campaign in the breach and doxing of the DNC and other Democratic Party operatives takes this destructive cyber espionage activity to a whole new level. While most experts say it's unlikely Russia can or will be able to go as far as hack US voting systems to alter the vote-count, there are plenty of ways for the nation-state to sow seeds of distrust, doubt, and fear in the election. This threat won't end after Nov. 8, either. "We have never been here before. No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber," says security expert Cris Thomas, aka Space Rogue, who says the administration needs to provide some evidence of Russia's involvement in the breach. Thomas says the US should be careful with attribution "and set the stage now as to what is and is not acceptable as we move into the future, when these sort of actions will become more and more commonplace," he says. Lisa Monaco, assistant to the President for Homeland Security and Counterterrorism, at a security conference hosted by The Washington Post last week, said the administration would consider tools including "economic, diplomatic, criminal law enforcement, military, and some of those responses may be public, some of them may not be." An Executive Order issued in April 2015 by President Barack Obama gives the president authorization to impose some sort of retribution or response to cyberattacks.

The EO, which the administration has not used in any case as of yet, allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks.

That includes freezing the assets of attackers. "Our primary focus will be on cyber threats from overseas.
In many cases, diplomatic and law enforcement tools will still be our most effective response," Obama said when announcing the Executive Order. "But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst." In response to the US allegations of Russia's election-hacking activities, Russian President Vladimir Putin this week said the attacks "have nothing to do with Russia's interests." "They started this hysteria, saying that this (hacking) is in Russia's interests.

But this has nothing to do with Russia's interests," Putin said at a Moscow business forum, according to Reuters. Putin appeared to shift the discussion to the contents of the information breached and dumped publicly via WikiLeaks. "Everyone is talking about 'who did it' [the hacking]," said Putin. "But is it that important? The most important thing is what is inside this information."

45th President In The Hacker Hot Seat

While the Obama administration wrestles with how to implement its retribution policy for the first time, Russia's alleged hacking activity isn't likely to subside after the new President is elected, nor is the problem of nation-state hacking at this new level.
So either new President Hillary Clinton or new President Donald Trump will be forced to tackle this new chapter in nation-state cyber espionage. John Bambenek, threat systems manager at Fidelis Cybersecurity, says the next President of the US will have some big challenges here. "Ultimately, nations have to behave like economic actors," he says. Retribution for a cyberattack, like attribution, can be a slippery slope. Unlike the diplomatic agreement between Obama and China's Xi Jinping, where both nations promised not to conduct cyber espionage for economic gain in the wake of China's infamous intellectual property theft-related hacks, a deal with Russia would be much trickier and less likely. "You're going to have to do it adversarily with Russia," Bambenek says.

There's definitely danger of escalation and "tit-for-tat" responses, he says. "History tends to favor sanctions in these matters," he says.

Take the US's economic sanctions against Russia in response to Putin's aggression in Crimea, he says. "That remains a pain point for Russia." But Russian doctrine supports escalation as a way to de-escalate tensions or conflict, notes Christopher Porter, manager of the Horizons team at FireEye. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous." Even if the US were to out the tools or infrastructure used by the Russian attack groups, it likely wouldn't pressure Russia to dial back the hacks. Porter points to a previous year-long study by FireEye of Russian threat groups that concluded that even after being outed more than 20 times in one year, the groups continued their operations. "It had no demonstrative effect on their ability to compromise" their targets, he says. "They are well-resourced" and FireEye has seen them just shift their operations with infrastructure from outside Russia or with other resources, he says. FireEye's Porter says there are two things the next US administration could do differently to handle these attackers. "They need to have better delegation for decision-making on the US side," he says. "Don't wait until a lot of incidents pile up before formulating a response.

The White House has to weigh in on every decision now." Second, don't treat state-sponsored hacks like a legal case. "We still talk about state-sponsored attacks as though they are a case for a lawyer, and we treat them like we have to prove them beyond a reasonable doubt … with forensic evidence," he says. That approach doesn't work because savvy nation-states can easily sow reasonable doubt in their attacks, he says.

New Normal Norms Needed

Ultimately, without any global cyber-norms from which to operate, the US is limited in its response. "I would love to see the next president somehow reach consensus with other nations as to what is and what is not acceptable in the world of cyber and what responses are acceptable to nations who violate those norms," Thomas, aka Space Rogue, says. That would require defining just what constitutes a cybersecurity violation when it comes to nation-states. "We should have very defined sanctions regarding hacking and cyberwarfare," says Miller Newton, president and CEO of data encryption company PKWARE. But neither Presidential candidate has been eager to embrace the cybersecurity policy issues, despite both of their campaigns directly being drawn into the Russian hacks: Clinton via the DNC email breach as well as that of her campaign manager John Podesta, and Trump, who went so far as to say in the most recent debate that "maybe there is no hacking" in reference to the US government calling out Russia over the alleged data breaches. Newton says the candidates aren't emphasizing cybersecurity because it's just not a hot topic for voters. "It's not a vote-getting issue," he says. "They [the candidates] don't want to hit the privacy versus national security issue head-on [either].
It's a quagmire: there is no easy solution, but it needs to be front and center." But apparently, millennials do care about cybersecurity policy: more than half of US adults ages 18-26 surveyed by Raytheon and the National Cyber Security Alliance (NCSA) say that a candidate's position on cybersecurity weighs into their decision to support that candidate. Half don't think cybersecurity has been sufficiently discussed in this election season.

Kelly Jackson Higgins is Executive Editor at
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Attackers Exploit Weak IoT Security

Akamai researchers say attackers are using an old OpenSSH vulnerability to target IoT devices and launch attacks.

While the Internet of Things is touted for facilitating all sorts of life-changing services, there's been an undercurrent of anxiety among the more security conscious IT pros.

Their concern: All those smart devices, oftentimes built with default passwords and otherwise poor protection, could put networks and users at risk. Now it's clear those fears were warranted. Recent events have put the spotlight on IoT security – or to be more precise, IoT insecurity. Malware has surfaced that allows attackers to create botnets from vulnerable IoT devices and launch distributed denial-of-service attacks.

For example, Mirai was used in last month's high-profile DDoS attack on the KrebsOnSecurity website. In September, Symantec reported that cybercriminals are taking advantage of poor IoT security to hijack home networks and consumer devices and carry out DDoS attacks, most often against large companies. See the full article here on Network Computing.

Marcia Savage is the managing editor for Network Computing, and has been covering technology for 15 years. She has written and edited for CRN and spent several years covering information security for SC Magazine and TechTarget. Marcia began her journalism career in daily ...

Executable Files, Old Exploit Kits Top Most Effective Attack Methods

Researchers for the new 'Hacker's Playbook' analyzed 4 million breach methods from an attacker's point of view to gauge the real risks today to enterprises.

No organization is immune to the risk of a data breach. Security leaders who want to ensure the strongest protection must analyze their security posture from a hacker's point of view to understand risk, validate security controls, and prioritize resources. That is the premise behind the SafeBreach Hacker's Playbook, which was released in its second edition today.

The first edition of the playbook, published in January, details enterprise security threats and risky habits from the point of view of an attacker. Researchers at SafeBreach "play the hacker" by deploying simulators that assume the role of a "virtual hacker" across endpoints, network, and the cloud.

The new Hacker's Playbook incorporates a total of 3,985,011 breach methods, all executed between January and September 2016. SafeBreach's research team had two main objectives in compiling this playbook, says CTO and co-founder Itzik Kotler. The first is to take highly publicized breaches such as those at Sony and Target, and to create artificial models so customers can better understand these attacks and how they happen. Researchers also figure out how to attack; they analyze different methods to create simulation events to give users a better idea of the threats they face. "They're [the researchers] pushing the envelope in creating new ideas and experimenting with existing ones," says Kotler. "It's all to show customers what kind of malicious ideas exist." Successful breaches are sorted into three pillars: infiltration, how hackers enter a machine; lateral movement, how they jump from one server to the other, for instance; and exfiltration, how they steal valuable data out of the victim organization. The top infiltration methods used by attackers, according to the report, involved hiding executable files inside non-executable files.
Specifically, executable files embedded within Windows script files, macros, and Visual Basic had great success.

[Image: SafeBreach]

Old exploit kits, many of which have been around for a year or longer, are still considered effective means of delivering malware.

These kits challenge endpoint security and secure web gateway products; top picks include Sweet Orange, Neutrino, and Rig Exploit Kit. Another finding, consistent with the last Hacker's Playbook, is the danger of misconfigured security products. Researchers passed malware between internal and external simulators and found many malware sandboxing solutions were not properly set up to safeguard all protocols, encrypted traffic, ports, and file formats. In exploring lateral movement, researchers were successful in infiltrating networks via brute-force methods and discovered issues with proxies, which can segment internal networks when deployed correctly.
If proxies are misconfigured, hackers can breach new network paths both internally and externally through proxy fuzzing. It's easy for hackers to pull data outside victim organizations because most have fairly open outbound communication channels to the Internet.

Top successful protocols include HTTP, IRC, SIP, and syslog, but IT support tools like externally bound syslog can also be used to steal data. "One thing we are continuously seeing from the previous Hacker's Playbook is the exfiltration of information, the ability of the hacker to steal something you care about, is still at 100%," says Kotler.

This is a proven problem that will continue to pose a business risk in the future. The means of mitigating these risks varies depending on the business, as different companies and security programs have different needs, he continues. Knowing where the business is lacking, investing in the right technology, and driving employee awareness are key. "It all begins with an understanding of what is the problem and where are the gaps, and making sure they are validated correctly," he says. There is a positive finding from this collection of research, however, Kotler notes. "Companies today are being more and more proactive when it comes to understanding their security posture, and the notion of running simulations ahead of the curve so they can mitigate [risk]," he says.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ...

Cyber Hunters, Incident Response & The Changing Nature Of Network Defense

Or how I learned that network defense needs to evolve from a game of "stumbled upon" to "search and discover."

Security is a human problem.

Computers don't hack computers.

Computers don't steal each other’s data.
Security breaches are the consequence of intent, which is something humans have, computers don't. Although we probably all agree with those observations, we don't all act accordingly in defending our computer networks.

From the earliest recorded days of warfare we know that the art of defending oneself from an intruder involves a multi-faceted strategy:

1. Understand the territory you are defending.
2. Build your walls where you are most vulnerable.
3. Observe your enemy respond.

That last step is where we often go wrong.

The computer security industry spends billions per year on understanding risks and building the walls.

This spans the gamut from risk assessments, red-teaming, to deploying access control, firewalls, and encryption.

But we still get hacked, and data is still stolen, and websites still go offline.
So we blame our walls, and build better walls, higher walls, and stronger walls. In fact, the state of network defensive products is at an all-time high.

The walls we erect are so strong that many of us now believe it is becoming increasingly difficult for our own workforce to actually do their job.
So what is going wrong? Network security operations are typically completely centered around "incident response." Once we discover something is wrong, we act. Whether responding to an alert, a log, a complaint, or a threat, most of security is reactive, not proactive. We monitor the indicators of compromise, and deal with them in triage fashion: scariest one first, then the others.

Although this is a necessary part of security operations, it is not sufficient for a true defense. Once we truly accept that network defense is a game that is played by humans, we see the folly of our ways. We must evolve the game of network defense from "stumbled upon" to "search and discover." We must realize that step three above actually changes the territory we are analyzing in step one.

Each time we erect a wall, or respond to an incident, the attacker learns.

And then the attacker adapts.
If we simply erect defenses, but remain blind to the changing behaviors of our adversaries, then we will ultimately be just as vulnerable as we were before as the attacker learns new ways to maneuver in the changed territory. Thankfully, making the necessary changes is actually very easy. Understanding that we are dealing with a human threat, we can enable folks in our organization to seek out the adversaries, track them, learn who they are, and how they operate.

These "cyber hunters" are different from your existing incident response team, although the two should work closely together. Cyber hunters are observers only, while incident responders are responsible for taking defensive actions.

The hunters need only telemetry, so give them as much visibility into the infrastructure as possible. They are building "case files" on the adversary. Often the adversary has already penetrated the organization, and it is up to the hunter to learn where, how far, and how wide. Only when the hunting is done can effective incident response begin. And, although uncomfortable, in some cases it may be important to avoid shutting down the adversary until the true scope of the compromise is understood. After all, you don't want to tip your hand prematurely. You need to ensure that your response will be sudden, forceful, and effective.

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.

Database Breaches: An Alarming Lack Of Preparedness

It's no secret that databases are fertile ground for malicious activities. Here's how a seven-step process for monitoring known harbingers of an imminent attack can help reduce the risk.

The recently announced cyber attack at Yahoo, wherein 500 million user accounts were compromised over a period of several months, is irrefutable proof of an alarming reality: databases are under siege and many organizations are incapable of protecting them. Although some of you may find this statement to be overly simplistic and presumptuous, those with a practical understanding of these digital repositories will likely appreciate my candor. Whether through a stolen system administrator credential, a customized malware exploit, an irresponsible third party or a malicious insider, databases remain at imminent risk of unauthorized access.

Despite the fact that databases house the financial, health, employment, credit and educational information of virtually every American, secrets related to our national security and invaluable intellectual property, many organizations are incapable of identifying uninvited visitors once they've gained access.

This is evidenced by the Yahoo attack wherein nation-state operatives navigated the company's customer database for several months without detection. Foreign governments, cybercrime groups and other adversaries of the United States are well aware that databases have become fertile ground for their malicious activities.

Accordingly, cyber campaigns are being launched on these digital treasure troves on a routine basis.

Although state-sponsored actors have successfully penetrated databases housed at the US Office of Personnel Management (OPM), Anthem, and Sony, newly released data suggests that many entities continue to disregard this evolving risk.

Alarming Lack of Oversight

An Osterman Research survey, conducted of approximately 200 organizations with an average workforce of 22,000, reveals an astonishing absence of database security.

Among the report's most disturbing statistics, only 20% of those surveyed indicated that they continuously monitor critical databases for the purpose of detecting unauthorized activity.
In other words, four out of five either don't conduct any type of monitoring or only do so intermittently. Database monitoring, a process by which an organization continuously captures, analyzes, tests and verifies transactions, is the only mechanism by which unauthorized access may be detected. However, there is a common misconception that merely logging database activity constitutes a monitoring program; it does not.

This distinction requires emphasis.

Although logging is a critical component of the monitoring process, the mere stockpiling of log data, without ongoing analysis, testing and verification of system activity, is meaningless for the purpose of detecting and disrupting the database attacks that have plagued our public and private sectors.

Implementing a Strategy

A central element of an effective monitoring program is the implementation of an automated alert mechanism. Without a process to generate real time alerts, the program will eventually stall due to the massive volume of database transactions.

An alerting process allows an organization to instantaneously sift through the din of database noise and focus upon the events that may actually pose a risk to the data housed within. The alert may be in the form of an email, text message or automated telephone call to the cyber security auditor on duty. Upon receiving an alert, it is imperative that the auditor immediately evaluate and resolve any potential threat to the database.

There are certain conditions that are known harbingers of an imminent database attack and must be alerted on. When these events occur, the alerting process will simultaneously notify the appropriate staff and facilitate a real time investigation.

For example:

- Modification of a table, column or row: indicative of a data manipulation attack
- Disabling of an audit log: precedes a database attack
- Accessing the database from an unrecognized IP address: indicates access from a suspect location
- Attempt to access a restricted segment of the database: indicates escalation of privileges
- Access at unconventional times or dates: indicator of a stolen user credential being used off hours
- Copying of information: indicator of attempted theft of data
- Attempts to transfer or export large amounts of database information: indicator of data theft

These events are often associated with unauthorized access; therefore each must be immediately addressed through analysis and verification. Database attacks are among today's most serious cyber threats. Unfortunately, many organizations have yet to implement a basic monitoring process to detect this expanding form of electronic malice in a timely manner. Organizations that fail to deploy an ongoing database monitoring program remain at an imminent risk of unauthorized access and the financial, reputational and legal consequences that will result.

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of ...
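As an added illustration of the alerting process the article above describes (example code written for this page, not from the article or any product), the following Python applies one rule per listed harbinger condition to constructed JSON-lines audit records; the policy values, field names and sample records are assumptions.

```python
"""Alert rules for the database 'harbinger' events listed in the article.

Constructed example, not code from the article or any product: the policy
values (known IPs, business hours, restricted schemas, export threshold),
the audit-record field names and the sample records are all assumptions.
"""
import json
from datetime import datetime

# Hypothetical policy for the environment being monitored.
POLICY = {
    "known_ips": {"10.0.1.5", "10.0.1.20", "10.0.1.30"},
    "business_hours": (8, 18),          # local hours, Monday to Friday
    "restricted": {                     # schema -> users allowed to touch it
        "hr": {"hr_admin", "hr_app"},
        "payroll": {"payroll_app"},
    },
    "export_rows": 10_000,              # rows in one statement that count as bulk export
}

# One rule per condition in the article's list, in the same order.
def rule_modification(ev, policy):
    if ev["action"] in {"UPDATE", "DELETE", "ALTER", "DROP", "TRUNCATE"}:
        return "data_manipulation"

def rule_audit_disabled(ev, policy):
    if ev["action"] in {"NOAUDIT", "AUDIT_DISABLE"}:
        return "audit_log_disabled"

def rule_unknown_ip(ev, policy):
    if ev["source_ip"] not in policy["known_ips"]:
        return "unrecognized_source_ip"

def rule_restricted_segment(ev, policy):
    schema = ev["object"].split(".", 1)[0]
    allowed = policy["restricted"].get(schema)
    if allowed is not None and ev["user"] not in allowed:
        return "restricted_segment_access"

def rule_off_hours(ev, policy):
    ts = datetime.fromisoformat(ev["ts"])
    start, end = policy["business_hours"]
    if ts.weekday() >= 5 or not start <= ts.hour < end:
        return "off_hours_access"

def rule_copy(ev, policy):
    if ev["action"] in {"COPY", "SELECT_INTO_OUTFILE", "CREATE_TABLE_AS"}:
        return "data_copy"

def rule_bulk_export(ev, policy):
    if ev["action"] in {"SELECT", "COPY", "EXPORT"} and ev.get("rows", 0) >= policy["export_rows"]:
        return "bulk_export"

RULES = [rule_modification, rule_audit_disabled, rule_unknown_ip,
         rule_restricted_segment, rule_off_hours, rule_copy, rule_bulk_export]

def evaluate(event, policy=POLICY):
    """Return the names of every rule the event trips, in rule order."""
    return [name for name in (rule(event, policy) for rule in RULES) if name]

def triage(log_lines, policy=POLICY):
    """Parse JSON-lines audit records and keep only those that need a human look."""
    hits = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        alerts = evaluate(ev, policy)
        if alerts:
            hits.append({"id": ev["id"], "user": ev["user"], "alerts": alerts})
    return hits

# Constructed audit records (2016-10-12 is a Wednesday, 2016-10-15 a Saturday).
SAMPLE_LOG = """\
{"id": 1, "ts": "2016-10-12T10:15:00", "user": "app_svc", "source_ip": "10.0.1.20", "action": "SELECT", "object": "sales.orders", "rows": 40}
{"id": 2, "ts": "2016-10-12T02:40:00", "user": "dba_jsmith", "source_ip": "203.0.113.7", "action": "SELECT", "object": "hr.employees", "rows": 250000}
{"id": 3, "ts": "2016-10-12T11:05:00", "user": "dba_jsmith", "source_ip": "10.0.1.5", "action": "NOAUDIT", "object": "sys.audit_trail", "rows": 0}
{"id": 4, "ts": "2016-10-15T14:00:00", "user": "etl_batch", "source_ip": "10.0.1.30", "action": "COPY", "object": "sales.orders", "rows": 5000}
{"id": 5, "ts": "2016-10-13T09:30:00", "user": "hr_admin", "source_ip": "10.0.1.5", "action": "UPDATE", "object": "hr.employees", "rows": 1}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Record 1 produces no alert and is dropped; record 2 trips four rules at once, which is the kind of stacked signal the article says should go straight to the auditor on duty.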

Data Science & Security: Overcoming The Communication Challenge

Data scientists face a tricky task -- taking raw data and making it meaningful for security operation teams. Here's how to bridge the gap.

Today, CISOs and their teams are being asked lots of questions about risk by different types of stakeholders. Many of these questions require security professionals to analyze raw data from multiple sources, then communicate insight about impact exposure or priorities that's meaningful to people who are not security pros.

This goal has many challenges, such as understanding raw data and analyzing it to produce accurate information that's helpful to a particular person's decision making context.

This is a skill in itself, and one that data scientists are uniquely placed to provide.

Security's Analysis and Communication Challenge

CISOs often face questions from business or governance, risk management, and compliance stakeholders that operational tools can't answer.

This is either because tools are designed to meet a single operational security need rather than correlate data to answer a business risk question, or because tools are designed to "find bad" and detect when something goes wrong rather than enumerate risk.  As a result, someone in the security team eventually must extract raw data from a technology "Frankenstack," put it into an analysis tool (spreadsheets by default), and then torture the data for answers to questions that inevitably get more complex over time.

This is all before working out how best to communicate the output of data analysis to clearly answer "So what?" and "What now?"

How Data Science Can Help

Asking questions of raw data from one source, let alone multiple sources, isn't easy. First you have to understand the data that your security tools put out and any quirks that exist (such as timestamps and field names).
In data science, data preparation is one of the most important stages of producing insight.
It involves understanding what questions a data set can answer, the limits of the data set (that is, what information is missing or invalid), and looking at other data sets that can improve completeness of analysis where a single data set is not sufficient. Then comes the job of selecting the most appropriate analysis method to answer the question at hand.

Data scientists have a spectrum of methods they can use, which are suitable for extracting different information from data.

Data science as a discipline will consider multiple factors to deliver the most meaningful information in the time available, all with appropriate caveats.

For example, what is the current state of knowledge on this topic? What does the consumer of analysis want to know? The answers here will set the bar for the complexity of analysis required to learn something new.

For example, if a data set hasn't been analyzed before, simple stats can provide valuable insight quickly.

Then there's the inevitable trade-off between speed to results on one hand and precision on the other.

Based on all this, the best analysis method could be simple counts or a machine learning algorithm.

Finally comes communication. What view of the data does a decision maker need? For example, the view of vulnerability will be different for a CISO who needs insight for a strategic quarterly meeting than for a vulnerability manager who needs to prioritize what to fix at a tactical level. While these views will be built from the same raw data, the summary for each requires different caveats, because as you summarize, you inevitably exclude details.

Merging Data Science and Domain Expertise

Data scientists can't, and shouldn't, work in a silo away from the security team.

Far more value is gained by combining their expertise in understanding, analyzing, and communicating data with the domain expertise of security professionals who understand the problem and the questions that need answering. As more security departments start working with data scientists, here are three key factors to bear in mind:

Time: Understanding multiple data sets, applying the most relevant analysis techniques to them, and delivering meaningful insights based on what question needs answering won't happen overnight. It takes time.

Domain expertise: There will be gaps in knowledge between your data scientist and your security team. Working in close partnership is critical. Just as you're getting used to the constraints the data scientist has discovered in the data you have, so too is your data scientist coming to grips with new and usually complex log formats in an effort to see what's possible.

The needs of your consumers: Communicating and visualizing insight from data requires different analysis for different roles.

The CISO, control manager, IT operations, and C-suite all have different needs — and your data scientist must learn about these roles to strike the right balance between conclusions and caveats for each one.

Nik Whitfield is a noted computer scientist and cyber security technology entrepreneur. He founded Panaseer in 2014, a cybersecurity software company that gives businesses unparalleled visibility and insight into their cybersecurity weaknesses. Panaseer announced in November ...

NSA Director Not Opposed To Splitting Cyber Command From Agency

In the long run it may make sense to keep the nation's cyber offense mission separate from the NSA, Michael Rogers says.

Admiral Michael Rogers, the director of the National Security Agency (NSA), said this week that he is not opposed to the idea of separating US Cyber Command from the spy agency. Speaking at a forum organized by the John F. Kennedy Jr. Forum at Harvard University’s Institute of Politics, Rogers said any decision to separate the two organizations would have to be made by the President of the United States.

But he would support the idea so long as it did not introduce any new risks. “Look, in the long run I think it is the right thing to do,” Rogers said. “The only question in my mind is the timing. We have to do it in a way that minimizes risk to Cyber Command and NSA,” said Rogers who as director of the NSA is also the head of Cyber Command. US Cyber Command was established seven years ago to provide a range of mainly offensive cyber capabilities for the US Department of Defense. The organization is structured along the lines of a typical military organization. One of Cyber Command’s missions is to provide capabilities for defending weapons systems, platforms and data against cyber attacks. On the offensive side, it is tasked with providing US operational command and policy makers with what Rogers described as a range of “options” for taking cyber action against foreign adversaries. One of its other roles is to provide capabilities for protecting US critical infrastructure targets and commercial entities against cyber attacks, if directed to do so by the president.

For example, soon after the massive intrusion at Sony Corp. two years ago, the NSA was called in to assist the FBI, the DHS and other domestic law enforcement agencies in investigating the attack. Rogers’ comments come amid reports of the Pentagon and the intelligence community recommending that the President break up the joint leadership structure that exists today for the NSA and Cyber Command. Apparently, there is a growing feeling that the missions of the two organizations are different enough to merit a different organizational structure.

The argument is that Cyber Command with its offensive mission would do far better as an independent organization than as part of the NSA, whose mission is primarily a defensive one. Concerns over the dual-hatted role of the NSA director are not new and neither is talk about the need to separate Cyber Command from NSA. Many have previously noted that the NSA director’s obligations to the agency’s signals intelligence mission under Title 50 of the US Code are in direct conflict with his cyberspace obligations under Title 10 authority. In addressing the issue at the Harvard forum this week, Rogers said Cyber Command was established within NSA seven years ago because it made the most sense to do so at that time. The US had decided then that cyber was an operational domain in which new capabilities needed to be developed, Rogers said. “We stepped back and asked ourselves ‘how do we build on previous investment and previous expertise’,” in the cyber domain within the defense department. The NSA, with its cyber capabilities was the obvious choice, he said. “While NSA is an intelligence organization, it is a combat support agency within the DoD” with extensive cyber capabilities, Rogers said.

The feeling at the time was that setting up Cyber Command within the agency would give the US a way to leverage that capability, he said. “It is now seven years later and we are currently, as we often do, stepping back and asking ourselves does that structure still make sense?” Rogers said. “Has seven years of practical experience led us to believe that perhaps some of the assumptions we made are proving to be different than we thought.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Partners In The Battle Against Cyberthreats

The News Desk is visited by George Karidis of CompuCom and Rodel Alejo from Intel to discuss cloud technology services that enable customers to curate best-of-breed offerings and aggregate security data across multiple clients.

CompuCom also announced...

Incident Response A Challenge For 98% Of InfoSec Pros

Too many alerts and too little staff leave security pros swimming in threat intel and begging for automation.

Ninety-eight percent of IT security pros find incident response to be a challenge, and 71% say it's grown more difficult over the past two years, according to a new survey by Enterprise Strategy Group, sponsored by Hexadite. "It's a combination of several different factors, but the main problem is the inability to investigate every alert," says Hexadite’s vice president of marketing Nathan Burke. "The increasing volume of attacks and subsequent alerts simply make it impossible to hire the problem away.
It's just not mathematically possible for companies to hire a large enough staff to investigate tens of thousands of alerts per month, nor would it make sense."  Ninety-one percent of respondents say their incident response efficiency is limited by the time and effort spent on manual processes.
Survey respondents therefore have big plans to increase the use of orchestration and automation for incident response: 97% have either automated/orchestrated some of their IR already, or will do so within the next 18 months. Only one-third of survey respondents consider their automation projects "mature," though. "Prioritizing threats is just making a conscious decision about what to ignore, and there's no good way to decide what really is low fidelity versus something that should be looked at," Burke says. "The holy grail is the ability to investigate everything without prioritization, and that can only be accomplished through automation." Organizations are using or considering automation to collect security data, to reduce errors, to automate runbooks/workbooks, to improve triage, or to increase the number of alerts that can be investigated, the survey found. Forty-six percent of respondents say they can't keep up with the volume of threat intelligence data. "This may be due to an increase in the amount of threat intelligence they consume/share or problems associated with normalizing this threat intelligence into a useable format," the report stated. Although 38% reported an increase in the number of hours devoted to incident response, that extra time was spent processing much more information.

Forty-two percent report an increase in the volume of IR data collected, 39% an increase in the volume of security alerts, and 38% an increase in the number of threat detection tools used. So is the problem one of too many tools, over-sensitive tools sending up false positives, unskilled humans who don't know what to do with all those tools -- or some combination of the above? "It's hard to fault detection tools for creating false positives ... they need to be overly sensitive and throw flags for every potential threat," says Burke. "However, when companies lack the capacity to follow up, they often tune the detection systems to match their capacity, and that's a recipe for disaster." Respondents also reported other factors that drove changes in their IR operations in recent years, including: new IR related to new IT initiatives like IoT (44%); additional IR collaboration between security and IT ops (40%); and an increase in staff training needed for IR (38%).

Forty-seven percent say they struggle with "monitoring end-to-end IR processes." The report says that "could be due to a number of factors, including a lack of visibility across technology domains, poor data sharing practices between the IR and IT operations team, or a shortage of skills in areas like cybersecurity analytics and forensic investigations." Ninety-one percent of respondents also plan to increase their IR spending, and 91% plan to increase their IR staff. "In a way, this is all good news," says Burke. "People recognize the problem, and they’re taking the necessary steps to address it."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Why It's Always Cyber Hunting Season (& What To Do About...

To stop today's most capable and persistent adversaries, security organizations must rely less on tools and more on human analysis.

Today’s cyber threats are attacking networks, disrupting businesses, and covertly stealing intellectual property, and they can only be found through one proven method: proactively hunting for them.

Too many organizations rely on automated tools or "magic bullet" security technologies that detect threats using known signatures, rules or malware "sandboxing" concepts – but this is not enough to stop the most capable attackers who cause significant damage and data loss. There are close to 400 new threats every minute in the United States alone, 70 percent of which go undetected, according to Sarbjit Nahal, head of thematic investing at Bank of America.
It’s time for companies to hunt for the threat, rather than react to cybersecurity events. While many organizations, particularly those in highly regulated industries, have been wary of allowing too many cyber personnel into their systems to monitor or detect attacks, the reality is the enemy is often already inside.
If malicious code is dormant or threat actors already have legitimate remote access, they can lie unseen within the enterprise for months. Financial firms, for example, take an average of 98 days to detect a data breach, according to the Ponemon Institute.

The length of time that a threat is able to remain in the system after compromise but before containment, referred to as "dwell time," is a critical metric for enterprise security teams and their senior leadership. In fact, we need to change our thinking from measuring security by quantitative counts of alerts, rules and signatures to a qualitative approach comprised of three key metrics:

Time to identification: the time it takes to identify a compromise.
Time of exposure: how long vulnerabilities have been left in the open to attack.
Dwell time: the most important of the three.

These measurements are quantifiable metrics that chief information security officers (CISOs) should be concerned about and tracking. To reduce time to identification, time of exposure and dwell time, security teams must transition to a more proactive approach by implementing methodologies that "hunt" for attackers, their behaviors and anomalies inside enterprise event sources, with a clear understanding of the business’s mission.

These cyber hunters, both machines and humans, search a network environment for suspicious behavior based on advanced analytics, custom content and tools, contextualized threat intelligence, and visibility from monitoring software.

Then, after the hunters detect the threats, they can reverse engineer the malware and conduct sophisticated forensic analysis to understand how it arrived on each host, its capabilities, both observed and dormant, and the damage or exposure it caused.

Finally, hunters work with IT and security teams to contain the threat.

The Hunt for Cyber Hunting Talent

Monitoring and remediation tools fail time and again to detect threats deemed critical or high, which include persistent attacks from experienced actors, such as nation states. Only human analysts, with the assistance of sophisticated tools, can recognize, respond to and contain today’s adversaries.

For example, during a recent assessment of a Fortune 500 hedge fund, our hunters took only twelve minutes to find code that had been lurking inside the system for 10 months. Similarly, a healthcare provider found malware that had been embedded in its systems for 14 months, exfiltrating data from the network. Well-known industry tools failed to catch it, but hunters identified the infection almost immediately.

When discussing where to find the expertise necessary to perform hunting, there is an industry-wide mantra that the talent pool is shallow and organizations can’t find or afford the experts they need.

This isn’t surprising as many young adults are still unaware of the career opportunities in cybersecurity.

According to a survey conducted last fall by Raytheon and the National CyberSecurity Alliance, 46% of young adults ages 18-26 said that cybersecurity programs and activities were not available to them in school and 79% said they have never spoken to a practicing cybersecurity professional. The majority of young adults entering the workforce today are unprepared for cyber careers, so organizations must implement intensive training about how to detect threats and how to respond.

For threat hunting to be effective, it requires both employee training and education and machine learning capabilities that identify anomalies or unusual behavior rather than simply detecting a known threat like malware. One of the main things many organizations are missing from their cyber defense strategies is effective detection and mitigation of lateral movement by bad actors already within their network. Proactive threat hunting fills this need. The security industry needs to make a commitment to train and mentor the next generation of cyber hunters through mandatory hands-on classroom learning, mentoring, and online courses.

This process starts with university partnerships and a willingness to identify candidates in unconventional places.

Cyber hunting requires great talent, but aptitude and attitude, combined with effective training, can trump industry veterans who often must unlearn poor or outdated practices. Organizational leaders used to view security operations as a compliance checkbox and a reactive task. Reactive systems that recognize known threats do not detect the most damaging adversaries, who can only be caught by hunting for behaviors and stealthy attackers that often look like normal users or systems. Organizations must shift strategy to rely less on tools and more on talent.

David Amsler is founder of Foreground Security, which was recently acquired by Raytheon Company.

Given his level of expertise and knowledge, Amsler has taught more than 350 information security courses to top government organizations, including the Internal Revenue Service, ...

FBI Arrests NSA Contractor For Alleged Code Theft

The FBI has arrested a contractor from the National Security Agency for the possible theft of secret codes created to break into foreign government networks. A National Security Agency contractor was recently arrested by the FBI, the New York Times ...