The 2020 Census approaches, fraught and politicized. The most visible issue seems to be the debate (and litigation) over whether it is fair to ask respondents if they are American citizens. This is surely a troubling question, but there is at least one other major problem looming with the census. It won’t draw much heat, in political or media terms, but it’s no less important. In fact, it could be much more serious than the citizenship flap. It’s the matter of data security.

Risk to census data is on the mind of Jonathan Couch, Vice President of Strategy at ThreatQuotient, which makes a threat intelligence platform. Couch brings impressive credentials to the discussion, having served in a number of roles related to advanced cyber warfare, cybersecurity, information operations and policy. These include stints in the Air Force at the National Security Agency, the Air Force Information Warfare Center and in Saudi Arabia for the Joint Task Force.

Jonathan Couch, Vice President of Strategy at ThreatQuotient

Couch’s concerns cross several dimensions of the census. First, there are the mechanics of the data collection and storage. As he points out, much of the census data will be collected digitally through devices like tables. From there, census workers will upload the data to cloud-hosted databases. This architecture was devised to enable different groups of stakeholders, e.g. state and federal agencies to have easy access to the data.

“One of the most striking aspects of the census, from a cyber security perspective, is the sheer size of the effort,” Couch says. “You’ve got thousands of people collecting information on thousands of devices. That alone is a big attack surface area. But, the red teamer in me wants to ask, ‘what happens if someone loses a device?’ or ‘what are the authentication rules for the main database?’ Who gets access? Is the data submission secure? How? How is it logged, and on and on?”

The need to preserve data integrity is absolutely essential for the Census. Over 2,500 government program depend on the Census. Without accurate information, many elements of the government and citizens they serve will suffer.

These practical concerns are actually secondary to Couch’s bigger worry. “We’re not seeing the plans for securing the census,” he says. “It appears that the Census Bureau is not serious about bringing cybersecurity industry partners in to the process of designing the data collection workflow. Neither I, nor anyone else I know in the security sector, has any idea how this is being implemented or secured.”

Couch doesn’t know why details not available. “Maybe it’s like healthcare.gov, where the administration is concerned about revealing too much, for political reasons. If that’s the case, it’s an error in judgement, in my view.”  Alternatively, Couch suspects the government is attempting a “security through obscurity” strategy, figuring if they publish nothing about the Census data and security architecture, it will be harder to hack. “This has been proven wrong,” Couch adds. “Someone will always find it and find a way in, for bragging rights, if nothing else.”

In Couch’s mind, the biggest threats to the Census involve malicious actors manipulating data in order to manipulate budgets, voting district residential tallies and so forth. “It could be ransomware, too,” he shares. “You don’t want to think about what that will look like.”

Couch recommends bringing together a consortium of companies and individuals to look at the Census’ architecture. Then, they might find areas where that specific technology and architecture have been used before and tested for security. “This way, we can start to gain confidence that it will at least work properly and be secure. Then, I would do a bug bounty,” Couch says. “Let’s pay people to break in. It will save a lot of time, embarrassment and money down the road.” He also advocates using a “trust but verify” approach with paper backups to information gathering processes. “That way, we can spot check and cross-correlate data,” Couch says, adding, “I think the country deserves this level of care in the Census. It’s too important to treat it in the current manner.”

Photo Credit: Municipalidad de Córdoba Flickr via Compfight cc
 

How do you ensure security and compliance in the fast-moving DevOps process? Security has always been a challenging proposition in the software development and releasing cycle. However, security becomes even more precarious with DevOps, which fuses the previously separate development and IT operations workflows into a single, accelerated process.

“We have a natural conflict here,” said Joseph Kucic, Chief Security Officer at Cavirin Systems. Cavirin offers solutions to address security challenges in the cloud and DevOps. “A DevOps team is under pressure to move quickly, to write and implement code. At the same time, the SecOps team is usually perceived to be slowing down the process in order to try and prevent breaches. We see this tension all the time. Unresolved, it can cause organizational trouble and increased risk exposure.”

As Kucic sees it, security can lag because reviews occur late in the DevOps pipeline. “In the worst case,” he added, “Security is an afterthought after the CI/CD pipeline is deployed. The various groups operate in silos. This creates friction, rework and the potential for error.”

The truth is, it’s even worse than that. The very nature of modern software, the kind that’s cranked out daily through Continuous Integration (CI) and DevOps, makes it more vulnerable to threats than earlier generations of code. Risk exposure arises from a variety of factors. DevOps work is often spread out across multiple geographies and corporate entities. That alone creates risk.

Joseph Kucic, Chief Security Officer at Cavirin Systems, Inc.

Then, the software often uses standards-based APIs, web services, containers and microservices. These are all great for agility, but their loosely-coupled, distributed nature makes them easy to hack. Finally, there’s cloud hosting, which decouples IT operations from the infrastructure.

None of these issues would be particularly problematic if everyone followed rigorous security policies and consistently employed countermeasures. The trouble, as one might imagine, is that the loose nature of the DevOps world makes such a goal difficult to attain.

Cavirin has undertaken a solution to these problems. They offer what they call a DevSecOps solution that injects security and compliance policies into the DevOps process. With Cavirin, developers provision and manage data center resources through software. This way, secure infrastructure becomes possible as a natural extension of coding.

Security gets integrated into DevOps through 80,000 policies, 25 benchmarks and a host of programmable security controls. The tool integrates version control and enables adherence to security and compliance policies like patch management. An API enabled architecture facilitates DevOps Security Orchestration, connecting security tools for centralized protection.

DevOps can be friendly and secure…. if done right. DevSecOps can help make it happen.

The Cavirin example shows how apparently difficult security scenarios have solutions. It’s tempting to look at DevOps and conclude that it will never be a secure process. This is not true. It can be secure (or more secure) if stakeholders are willing to take the steps and make the investments in new solutions that address new risks.

Photo Credit: wocintechchat.com Flickr via Compfight cc

I spoke recently with John Cassidy, Co-Founder and CEO of King & Union, about the inspiration that led to the formation of the company. King & Union’s Avalon product enables security analysts to collaborate across organizations in threat assessment. For Cassidy, the idea emerged from working in a number of different government-facing roles.

John Cassidy, Co-Founder and CEO of King & Union

As a participant and executive in the development of DHS’s Einstein 3 at various telecoms companies, Cassidy was struck by how little opportunity there was for communication and coordination between security teams at different organizations. “I would watch people ineffectively working together, in silos, spending billions,” said Cassidy. “They were working for their own protection, but there were duplicating work being done elsewhere. Or, there were so many times that if an analyst had insight into something going on in another place, it would save everyone a lot of time and heartache. There had to be a better way.”

From this insight, Cassidy and his co-founder sat down to brainstorm how to make a better collaborate SecOps toolset. “Part of the burnout we see so often in SecOps is coming from a lack of good quality information,” Cassidy added. “We kept that issue in our sights as well. We felt if we could help security analysts collaborate and evaluate alerts in real time in multiple organizations, we could reduce stress levels quite a bit.”

The result was Avalon, a SaaS workspace in the cloud that enables analysts to visualize threats. With Avalon, analysts can collaborate in real time and manage data without being constrained in their individual bank or government agency silo. “They can go ‘across the aisle,’ as we like to say here in DC,” Cassidy said. “Analysts can use Avalon to cut across vertical sectors. A gas company’s SecOps team can talk to a bank’s. The bank can talk to the government. All three can share their most important security information in a trusted space.”

Avalon consists of groups. Some groups are publicly visible. Others are private. Joining a collaborative group involves a process of identity verification. Inside a group, members can share their findings about threats and other issues in their security landscapes. They can “enrich” findings from others with added data. The tool makes it possible to connect threats, malware signatures and so forth.

Screen shot of King & Union’s Avalon SaaS-based SecOps collaboration platform

That way, an analyst can look up a threat and see, for instance, that it’s already been detected and remediated in another place. Avalon will auto-populate information and show relationships between threats. Users can did into the data and discover the IP address the threat comes from and so forth. This saves time and increases the effectiveness of the SecOps team’s response capabilities.

Avalon can integrate with other tools, such as Alienvault or Crowdstrike. “We want to help teams do better with the tools they have,” Cassidy said. “Our goal is more extensive, productive collaboration in SecOps.”

Sam McLane is concerned about mental health. In particular, McLane, who serves as Chief Technology Services officer at Arctic Wolf, worries about the mental health of security professionals. “This is no joke,” McLane said. “It’s like working in an ER. There’s a lack of available resources.  People have to work in a very intense, fast-paced environment without a lot of support nor much validation of success.”

He’s not alone in making this observation. Many security experts point to burnout and even post traumatic stress disorder (PTSD) among SecOps team members. SecOps works shifts from mind-numbing review of alerts to high-adrenaline incident response.

Sam McLane, Chief Technology Services officer at Arctic Wolf

These insights led to the founding of Artic Wolf, which functions as a “concierge” SecOps service. The goal of the company is to provide enterprise-grade security but at a manageable price. For the sake of simplicity, Artic Wolf identifies itself as a Managed Security Services Provider (MSSP), but in reality, the company’s capabilities extend further than that definition would imply.

For some clients, particularly smaller organizations, Artic Wolf is essentially a Security Operations Center (SOC) as a service (SOCaaS). They can operate as an entire security department if necessary. For larger clients, the company works like a specialized, outsourced security team. Arctic Wolf has a crisp response process and offers a detailed post mortem on security incidents. They like to demonstrate to the client what has been learned in the experience of handling a security event.

The main benefit to the client is the lifting of the heavy HR pressure. “We have the people and the tools ready to go,” McLane explained. “That way, you don’t have to worry so much about hiring and retaining SecOps people. Alternatively, your team can focus on what matters most to them in security but leave most of the operational stuff to us.” Some clients work with Arctic Wolf on determining which security tools are the best fit for their organization.

There are challenges in this model, for sure. “We can get thrown under the bus,” McLane noted. “We don’t work there, so it’s easy. However, most of the time, we have found that the occasional problem helps make everyone—us and the client—better at what we do.”

Photo Credit: Dave77459 Flickr via Compfight cc

Managed Security Services Providers (MSSPs) are great. They help SecOps teams focus on important security tasks by taking over routine operations like monitoring firewalls and so forth. The nature of the threat environment, however, makes it necessary to think beyond the basic MSSP in certain cases.

Eldon Sprickerhoff, Founder and Chief Innovation Officer at eSentire

I spoke recently with Eldon Sprickerhoff, Founder and Chief Innovation Officer at eSentire. eSentire is a managed detection and response service that leverages Machine Learning (ML) to detect cyber attacks that are hard to spot with standard SecOps tools and processes. Sprickerhoff shared an example of how ML can make a difference in threat detection.

He talked about PowerShell, Microsoft’s task-based command-line shell and scripting language. Built on .NET, PowerShell exists on every Microsoft Windows instance. It’s a useful tool for administrators. From a security perspective, however, this pervasiveness is a weakness. “PowerShell can be incredibly granular,” Sprickerhoff said. “There’s also a ton of PowerShell traffic on the networks, so it’s a lot to parse. You can obfuscate code in PowerShell easily, encoding in octal [base 8]. This makes it possible to hide malware very effectively in PowerShell.”

eSentire has witnessed a big increase in PowerShell-based attacks in the last year or two. They see process tunneling within Microsoft apps, e.g. load redirects running inside a legitimate-looking app. Such attacks are quite difficult to detect. To mitigate the PowerShell risk, Esentire does a complete packet search. Then, they looked at an enormous amount of PowerShell code. Using ML, they developed a model that spots potential malware.

They nicknamed the PowerShell detection analysis project “Blue Steel,” after the movie Zoolander with Ben Stiller. Blue Steel reviewed commands in PowerShell and found an attack on Kaseya’s Virtual Systems Administrator (VSA) at several eSentire customer sites. The attacker had seen an opportunity in Kaseya’s endpoint updating process and used PowerShell to embed the Monero crypto mining malware on the endpoints. eSentire Blue Steel detected the attack and disclosed it to Kaseya, which has remediated the vulnerability.

The Blue Steel/Kaseya case illustrates how challenging it can be to detect stealthy attacks. A basic MSSP is usually not equipped to do this, nor is it paid to look this deeply into threats in its standard contracts.  Rather, they need tools, or perhaps partners, who can augment basic SecOps services to provide the kind of highly sophisticated threat detection that today’s cyber risk landscape demands.

“Cyber security is not an IT issue. It’s not even about security, per se,” says Andrew Morrison, Principal in Deloitte’s Cyber Risk Services Practice. “It’s a risk issue.” I caught up with Morrison after Black Hat 2018 to get his insights into how corporations need to rethink their fundamental approach to cyber security. This is the mission of the 3,400 people in Morrison’s organization.

“Cyber security is not an IT issue. It’s not even about security, per se.”

In Morrison’s view, cyber is a risk that needs to be managed. Cyber can no longer be just a service line within a business. The business itself needs to focus on being secure, vigilant and resilient.

Andrew Morrison, Principal in Deloitte’s Cyber Risk Services Practice

If anything, security is part of an even bigger picture. Cyber security—and threats—are an inescapable element of digital transformation. “All organizations are becoming digital, Morrison argues. “A bank is basically a tech company with banking services. A hospital is a health-oriented tech company, and so on.”

He then adds, “It’s really like the fourth industrial revolution. First, we had steam power, followed by electricity and computers. Now, we have hyperconnected and intelligent businesses. It’s incredible, but it’s also a security challenge. Boards are becoming much aware of their role in ensuring the durability of business in this environment.”

Digital transformation increases risk exposure. That’s an inevitable consequence of the paradigm shift. Deloitte’s approach is to guide the board and the broader organization through the security and risk management issues that arise with the transformation process. “Where is your perimeter?” Morrison asks. “You’ve had an exponential increase in nodes. Where does your entity end and another’s begin? The answer is not as simple as it used to be, that’s for sure.”

He shares, “You can also make things a lot worse as we push access to information. A network designed for sharing, which is wonderful, is a network that is at odds with security. You can have a lot of unintended consequences.” As an example, he cites recent accidental security breaches in the US military caused by fitness tracking devices worn by troops. As he puts it, “A generation ago, we worried about computer bugs. Now, there are 100 microphones in the board room I’m sitting in right now. Each is connected to the network.”

“Start with your customers. The market is looking for someone who will be the best steward of its data. Is that you?”

What’s the best way to start the rethinking of security as a risk issue? Morrison recommends taking a market-level view of the issue. “Start with your customers,” he advises. “The market is looking for someone who will be the best steward of its data. Is that you? Do you exercise an appropriate standard of care with your customer’s data? If the answer is ‘maybe,’ then you have work to do, work that goes far beyond the IT department and cybersecurity itself.”

The goal should be to differentiate through strong security technology and policies, e.g. identity management, SIEM, threat intelligence, backup and recovery and so forth. Deloitte approaches this work by pairing risk management professionals with cybersecurity and regulatory experts. All three disciplines necessarily join together to put the client on a good cyber risk footing. “From there, we work on security by design,” he says. “Going forward, you have to factor cyber risk into any system or business process you’re contemplating.”

Even the most tech savvy among us get caught flat-footed once in a while. For Justin Cleveland, head of government business at Authentic8, it was an experience at home. Cleveland arrived at his house to find a dozen boxes from Amazon.com on his doorstep. Not having ordered anything, he asked his wife what she had bought. Nothing. She had no idea what he was talking about. It was then that Cleveland and his wife noticed their 4-year-old daughter standing in the corner, her expression somewhere between alarmed and proud of herself.

“Did you ask Alexa for something?” they asked her.

Justin Cleveland

“I wanted some new dolls,” the girl replied. “Alexa said she would get them for me.” Mystery solved, but oh boy… The fact that Cleveland, who logged a decade in the intelligence community, could be outsmarted by a toddler and a home shopping assistant is very revealing in this day and age.

Do we ever truly understand what’s going on behind the scenes? Certainly, things are not always as they appear. Authentic8 approaches this problem through a secure browser. Authentic8 sets up a buffer between the machine, user and the external Internet. “Using the web puts your machine into contact with many unknown entities,” said Cleveland. “Regardless of what security tools you have, you really have no idea what code is being loaded onto your machine, and what data you are exposing to the outside world when you surf the net. Yet, there’s no way to control it, unless you establish a secure browsing presence.”

Cleveland’s job is to interest government agencies in the merits of secure browsing. Government personnel are online like everyone else, exposing their employers to zero day attacks and a variety of advanced persistent threats. Cleveland is finding strong interest in secure browsing in the government sector as the government, in his view, has become increasingly serious about cyber security. The Department of Defense, for example, has begun tightening controls governing data management by defense contractors. This is a topic we have covered previously.

According to Cleveland, government cyber security policy is still uneven, however. “It depends on the department,” he observed. Some agencies assume a leadership role in policy setting and standards of policy enforcement. He cited the example of the Customs Service inside the Department of Homeland Security. “They establish a path forward on cyber, and other agencies inside DHS follow their lead.”

Politics affect the process of securing the government, Cleveland also noted. “It’s inevitable, but it can be frustrating,” he observed. “There is more emphasis on sharing threat data today, and progress is being made on that front, but things could be going a lot more smoothly.” In the meantime, he’s advocating for secure browsing as a countermeasure for unknown threats.

Photo Credit: Virvatulia Flickr via Compfight cc