Cyber Security Articles

What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.


Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is double-edged. America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We will frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles look at compliance, government cybersecurity frameworks like the NIST CSF, GDPR, CCPA and more.

Using Blockchain to Reimagine Identity Management

Identity and access management (IAM) offers a good example of how security policy decisions trigger the law of unintended consequences. With the soundest of intentions, the majority of the digital world insists on strong IAM policies. These typically involve pairing a user name and password to authenticate user identity and authorize access to digital assets like applications or data. There are several big problems with traditional IAM, however.

One difficulty is that user name and password pairs can get lost, forgotten, stolen or shared without permission. Multifactor authentication (MFA) can strengthen the control and go further to verify the identity of the user. However, the addition of MFA can affect user experience and cause its own complications—applications to maintain, support inquiries and so forth. Similarly, cumbersome password resets deprecate user experience and create support overhead as well as their own accidental pathways to fraud and identity theft.

The other serious problem with IAM is its tendency to create large stores of valuable personally identifiable information (PII) that must then be rigorously defended. IAM makes the holders of PII into protectors of PII. That’s a situation that few people are happy about. The problem compounds on itself given how many entities hold PII in parallel.

The average person’s PII is stored by their employer, bank, phone company, insurance company, healthcare provider, the government, credit rating agencies, credit card companies and on and on. From a hacker’s perspective, it’s ideal. The hacker gets multiple shots at stealing your PII. At some point, he or she is going to succeed.

A lot of smart minds are at work today rethinking how IAM is done. ShoCard, for example, has devised a way to use Blockchain to create an identity management solution that puts the ID data in the hands of the user rather than the entity controlling access. Instead of a user name and password pair linked to PII in a central identity store, ShoCard uses Blockchain to store an immutable, verifiable identity signature for the user. There is no PII on the Blockchain. A one-way hash makes it essentially impossible to reverse engineer a user’s identity from the Blockchain data.

The user stores his or her PII in encrypted form on a mobile device. When logging in to a system with ShoCard, the user sends a PIN or biometric data to the Blockchain ledger, which validates the user’s identity. There are several advantages to this approach compared to traditional IAM. The ShoCard identity verification is portable. It can be used for Single Sign On (SSO) or extended across multiple entities like the bank, hospital and so forth. These entities never have to maintain stores of PII. This alleviates a big security headache and legal/compliance liability for them. The user feels more secure as well.
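The scheme described above rests on one idea: the ledger holds only a one-way hash, while the PII and a secret stay on the user's device, and a relying party verifies a claim by recomputing the hash. The following is an added illustration of that idea, not ShoCard's code or protocol; the in-memory `LEDGER` dict, the field names and the `commit_identity`/`verify_claim` helpers are all assumptions made for the example. It also shows the caveat a practitioner would raise: an unsalted hash of low-entropy PII (a name plus a date of birth) can be guessed by enumeration, so the commitment must include a high-entropy secret that never leaves the device.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for an append-only ledger: record id -> hex digest.
# Nothing here talks to a real blockchain; the structure is an assumption for the example.
LEDGER = {}


def canonical(fields):
    """Serialize identity fields deterministically so both sides hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def commit_identity(fields, salt=None):
    """Device side: publish a salted one-way commitment, keep PII and salt locally.

    Returns (record_id, device_secret). Only the digest reaches the ledger;
    device_secret is what the user would keep encrypted on the phone.
    """
    if salt is None:
        salt = secrets.token_bytes(32)  # high-entropy secret, never published
    digest = hashlib.sha256(salt + canonical(fields)).hexdigest()
    record_id = secrets.token_hex(8)    # constructed identifier for the ledger entry
    LEDGER[record_id] = digest
    return record_id, {"fields": fields, "salt": salt}


def verify_claim(record_id, fields, salt):
    """Relying-party side: recompute the commitment from what the user presents.

    No PII is stored by the verifier; it only needs the ledger digest to compare against.
    """
    expected = LEDGER.get(record_id)
    if expected is None:
        return False
    actual = hashlib.sha256(salt + canonical(fields)).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def unsalted_digest(fields):
    """What a naive design would publish: a bare hash of the PII."""
    return hashlib.sha256(canonical(fields)).hexdigest()


def brute_force_unsalted(digest, candidates):
    """Shows why the salt matters: low-entropy PII hashed without a secret is guessable."""
    for candidate in candidates:
        if unsalted_digest(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    alice = {"name": "Alice Example", "dob": "1990-01-01"}  # constructed sample PII
    rid, secret = commit_identity(alice)
    print("ledger holds only:", LEDGER[rid])
    print("genuine claim verifies:", verify_claim(rid, alice, secret["salt"]))
    print("tampered claim verifies:", verify_claim(rid, {**alice, "dob": "1990-01-02"}, secret["salt"]))
    # Enumerating plausible name/date combinations recovers an unsalted commitment.
    guesses = [{"name": "Alice Example", "dob": f"1990-01-{d:02d}"} for d in range(1, 32)]
    print("unsalted hash recovered:", brute_force_unsalted(unsalted_digest(alice), guesses))
```

The salt plays the role of the secret that stays on the device: without it, the ledger entry would leak identities to anyone willing to hash candidate name and birth-date pairs, which is exactly the "no PII on the blockchain" property the design is meant to provide.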

Treating the Whole Email Patient

Cybersecurity and medicine have a lot in common. It’s no accident that we refer to certain kinds of malware as viruses. Digital attackers act like pathogens in the human body, finding unprotected paths to invade and infect, spreading and then consuming resources. We liken security measures to both preventive medicine and medical treatment. We talk about security “hygiene.”

Adrien Gendre, Chief Solution Architect at Vade Secure

The medical metaphor came to mind recently when I spoke with Adrien Gendre, Chief Solution Architect for Vade Secure. Vade specializes in protecting digital assets from email-borne threats such as phishing and spear phishing. While we were discussing malware, we might easily have been talking about illness and treating patients.

From Gendre’s point of view, it makes little sense to look for malware on its own. “You’ll always be a step behind,” he said. Of course, Vade does look for malware, but the solution is designed to take a much more comprehensive view of the email threat environment. Like a doctor who wants to treat the whole patient, Vade looks at the entire email to assess it for threats.

“We have amassed data on billions of emails over the years,” Gendre explained. “This forms the basis for a machine learning and artificial intelligence-based approach to detecting email-based threats.” Vade looks at email language syntax, points of origin, file naming conventions and so forth to gauge an incoming email’s potential for harm.

Vade Secure’s filter enables predictive protection against known and unknown threats, including multi-form attacks. The filter is automatically updated thanks to daily analysis of billions of data bits in real time, providing immediate protection from the first attack, even if it is low-volume. “Malware usually doesn’t look like malware. It looks like something else. We’ve gotten good at seeing the ‘something else’ that gives away the presence of malware.”

In its next move, Vade is launching a new site, https://www.isitmalware.ai/, which is now open for pre-launch registration. The site offers fast malware detection. In recent times, the company has been able to identify malware up to five hours earlier than other email security players.


Trapping a True Cyborg

As a culture, we have read and watched so many stories about cyborgs that we may have trouble remembering that they’re works of fiction. Schwarzenegger seems real enough, right? He’s a cyborg, a person with mechanical elements built into his body, extending his physical abilities beyond normal human limitations. The Terminator has computers welded into his steel skull and runs around killing people.

Perhaps all of this sci-fi overstimulation has led us to misunderstand the essence of the cyborg, however. While we may one day see half-man/half-machine robots doing our dirty work, in reality the cyborg is already here. If we look carefully, we can see human powers amplified by machines in the execution of cybercrimes. Certainly, this would be a takeaway from the ambitious honeypot exercise recently completed by the firm Cybereason.

In its day job, Cybereason offers a cybersecurity data analytics platform including endpoint detection and response, next-generation antivirus, and active monitoring services. To gain a better understanding of how cybercriminals actually operate, they staged an elaborate hoax intent on tricking malicious botnets.

Israel Barak, CISO of Cybereason

“It’s imperative to understand how cyber criminals must function at scale,” said Israel Barak, Chief Information Security Officer, Cybereason. “They want to make as much money as possible. Like all the rest of us, they have only so many cycles in a day. They can’t waste time trying to break into every target manually. They rely on bots to do their advance work.”

The project, dubbed “Operation Honeypot,” involved the creation of a fictitious financial services company. The project’s operational goals included gathering intelligence on the tactics, techniques and procedures used by cyber criminals to harvest proprietary information on financial services companies. Cybereason created traps on the dark web with the usernames and passwords of the fake firm’s website’s Remote Desktop Protocol (RDP) in an attempt to lure hackers. This resulted in zero activity, unfortunately.

Simultaneously, thousands of brute force attempts to crack the servers were unsuccessful due to strong encryption. After Cybereason simplified and weakened the passwords, they witnessed an intrusion in less than two hours. The bots created persistence by establishing backup user accounts. Several days later, actual human hackers entered the environment using the persistence accounts and set up the environment for data theft. Their efforts led to the theft of 3 GB of data over a four-to-six-day timeframe.

The Honeypot project reveals the existence of an actual cyborg—a human attacker with extraordinary powers of detection and seeming x-ray vision, a human being who can see through a million walls at the same time. “We have never seen bots of this level built to assist a human attacker, nor have they been commoditized to this degree,” Barak noted.

Cybereason researchers learned that cyber criminals are using automated bots to support crimes such as spam campaigns and data mining. They rely on bots for multi-purpose breaches that lay the foundation for human attackers to extract data and intellectual property. Barak commented, “The automatic exploitation in seconds means defenders will likely be overwhelmed by the speed at which the bots infiltrate their environment. The increasing automation of internal network reconnaissance and lateral movement is an even larger concern.”

Cybereason offers a solution to this pattern of a bot attack serving as the advance team for a human attacker. “Our approach is to isolate the threat and observe what they are doing. We stop the threat from spreading,” Barak said. Their solution notifies SecOps and provides visibility into what the attacker is doing.

“Instead of being reactive and, say, re-imaging an infected server, let’s isolate the server and watch what the attackers are doing. Then, with the attackers thinking they’re in, you can let them waste their time,” he added. “On the other hand, if you re-image the server right away, you’ve told the hackers what to avoid next time they attack. This becomes an endless game. It’s not a game anyone will win.” Except maybe, the cyborgs. They’re coming…


The Risk of Mandating Backdoors

Last week, at his keynote at the Enfuse 2018 conference, former FBI Director James Comey shared his view that the government should not permit malicious actors to encrypt their data. His perspective was shared by others at the conference, which featured many law enforcement professionals.

According to the Washington Post, the FBI has repeatedly provided exaggerated statistics to Congress and the public about the extent of problems posed by encrypted cellphones, claiming investigators were locked out of nearly 7,800 devices connected to crimes last year when the correct number was much smaller, probably between 1,000 and 2,000.

The cyber security community also has a point of view on the device encryption question. Some, like Jeff Hudson, CEO of cybersecurity solution provider Venafi, are concerned about the dangers of government-mandated backdoors. “In light of the FBI’s ongoing demands for government-mandated encryption backdoors, this data really clarifies the scope of the problem. The reality is that government-mandated backdoors will allow cyber criminals to undermine all types of private, secure communications. With all of the rhetoric around this topic it’s easy to lose sight of the facts — any government that mandates backdoors is no different from the world’s most authoritarian governments. At this moment, citizens in the United States have basic rights to privacy. But, if our government mandates backdoors, that protection goes away.”

As Hudson’s insights suggest, the matter is far from simple. Congress is seeking more information. Stay tuned.


Building Security into Enterprise Information Management

Today’s PDF is tomorrow’s point of vulnerability. Personal data and intellectual property rest in your files, potentially exposed to theft or improper use. Recent events certainly show the danger of these sorts of threats.

OpenText saw this problem and responded by acquiring Guidance Software, among other strategic moves. They understand that security must be part of Enterprise Information Management (EIM). The two fields are no longer separate. At least, they shouldn’t be. That’s one of the main takeaways from Enfuse 2018.

Anthony Di Bello, Senior Director of Market Development at OpenText

According to Anthony Di Bello, Senior Director of Market Development at OpenText, “We used to protect data by building walls. That no longer works. The walls are gone. We are working with our clients to help them take a data-centric approach to security.”

Di Bello highlighted how security is now part of the content life cycle, which OpenText solutions have traditionally managed. “When you create, manage and dispose of data, you have to be confident you can secure it,” he said. “You will also do well to make sure you have discovery and threat remediation seamlessly integrated into the content life cycle.”

OpenText is now operationalizing this strategy. In the eight months since Guidance became part of OpenText, multiple engineering teams have been working to integrate the EnCase product with several OpenText solutions. The goal is to combine the EnCase endpoint security and forensics capabilities with the intelligence and discovery functions available in the OpenText portfolio.

Building a Threat-Hunting Tool

First up is a project that brings together EnCase and OpenText’s Magellan AI platform. “This is about leveraging Magellan’s intelligence against the endpoint security data you get from EnCase,” said Di Bello. “With insight into endpoint data, we can search for anomalies that might signal the presence of a threat.”

Simultaneously, OpenText data scientists are working closely with customers to identify use cases and threat scenarios where endpoint data and threat intelligence can come together to improve an organization’s security posture. “We’re training the model,” Di Bello explained. With this approach, OpenText is trying to reduce customer reliance on their own, hard-to-find in-house data science resources.

Combining EnCase and OpenText Axcelerate for eDiscovery

Labor-intensive processes often form a drag on productivity in eDiscovery and investigations. OpenText addresses this problem with its new combination of EnCase and Axcelerate, its platform for eDiscovery and investigations. The fit is intuitive, given the respective qualities of each solution. EnCase enables efficient search, collection and preservation of data used in eDiscovery. Axcelerate provides the case assessment and processing of that data. Without a combined solution, investigators and eDiscovery managers had to toggle manually between data collection and eDiscovery management tools. The joint solution also benefits from embedded machine learning and analytics capabilities.


Enfuse 2018: James Comey on Navigating a Tough Few Years for Policy

Before former FBI Director James Comey took the stage to deliver the keynote on day two of Enfuse 2018, the audience got to experience BTO’s classic song, “Let It Ride,” at approximately 100 decibels. Meant to get us psyched up for Comey, the song’s lyrics delivered an apt but perhaps unintended message. “Good bye, hard life,” the song blared, before asking, “Don’t cry. Would you let it ride?”

Indeed, saying goodbye to a hard life and not crying seems to be Comey’s guiding ethos these days. He’s moving on from a rough period in his career, but he is very much not letting things ride. Instead, he was reflective. He asked some difficult questions about the nature of privacy and offered insights into leadership at a time that OpenText CEO Mark Barrenechea described as “A tough few years for policy.”

Admitting a Mistake

Comey led off by admitting a mistake. “I screwed up the conversation on encryption,” he confessed. He was explaining his initial reaction to Google and Apple’s announcements of mobile encryption capabilities. At the time, he expressed a sentiment along the lines of, “With this move, the worst people in the world could go right off of our radar screens. Why would we allow this to happen? We’re making terrorists immune to law enforcement and the Fourth Amendment. How on earth could this be something to brag about?”

As he reflected on his reaction, though, he felt he had not processed the facts adequately. Rather than being just a green light for terrorists and pedophiles, the encryption moves by Apple and Google had actually highlighted a truly difficult tension in American life. “Like most people, I had approached this as a struggle between privacy and security. How do we balance our right to privacy with our need for (and government’s obligation to provide) safety?” His view evolved. “This is really about security versus security. How do we protect our privacy, our money and ourselves while we keep our nation safe?”

Reflecting on the Nature of Leadership

Why does Comey think he made an error in judgment in his initial, hasty response to the encryption news? In his keynote, he reflected extensively on the nature of leadership. To him, his shoot-from-the-hip impulses about the risks of encryption flowed from a lapse in his usual tendency to surround himself with people who act as “guardrails” on him during important decisions.

According to Comey, the best leaders view decisions and the management of others along multiple dimensions. In contrast to organized crime figures he has prosecuted, and some unnamed politicians who frame all issues in terms of themselves, a good leader is able to go higher. A good leader can view a decision or a management relationship in terms of what he calls “external references” like values and institutional integrity. It was this thought process that led him to re-assess his earlier views on encryption.

Former FBI Director James Comey speaking at Enfuse 2018

Comey framed leadership as balancing confidence with humility. A leader needs to have both and should avoid tipping too far in one direction or another. He warned against the “seduction of certainty,” where our confirmation bias keeps us pegged to a comfortable but incorrect position. In this mode, an overly confident person will make an overly quick and inevitably wrong decision.

In management situations, Comey raised the humorous but very real issue of two people simultaneously dealing with their individual “imposter complexes.” As he put it, both the manager and the subordinate are afraid they’ll be unmasked as imposters. The subordinate may be nervous at being exposed for incompetency. The manager may be afraid to listen for fear of appearing not to know something the subordinate knows.

His answer is to be a better listener – not, as he put it, a “Washington listener” who simply waits for his turn to bulldoze the other person with talking points. No, a good leader listens and tries to demonstrate that he or she needs what the subordinate has to offer.

Needing Leadership in a Difficult Era

Mark Barrenechea posed an alarming question to Comey. What can we do, he asked, about the fact that we are now in an era when law enforcement can look at our DNA records, harvest our personal information from social media and so forth, without any specific legal justification? Comey replied, ironically, that we are in a “golden age of surveillance.” Americans have turned their information over to third parties, putting themselves at the risk for warrantless searches.

What will it take to make this situation right? The answer, according to Comey, refers back to his views on leadership. These are complicated issues. Quick answers will almost certainly be wrong. Effective leaders in business and government would be well served by focusing on external reference points. What are American values? What is the foundation of American democracy? Those are the parameters for making these policy decisions.

Factoring Leadership into Policy Decisions

One of the helpful takeaways from Comey’s keynote was the insight that every difficult policy decision requires leadership. This can be for good or bad. The worst policy ever devised was the product of someone’s leadership, leadership that turned out to have been extremely poor. The challenge is to approach policymaking with solid leadership that includes listening and a healthy balance between confidence and humility.

Mark Barrenechea concluded the session by discussing a recent moment when OpenText confronted a tricky leadership decision. After the revelations that Facebook had shared user data with a third party, Barrenechea concluded that it would be better to terminate the company’s Facebook presence. “We based our client and partner relationships on trust. If Facebook disclosed their information to a third party without their permission, we would consider that a breach of trust.” He made the decision despite the fact that it will affect the short-term sales pipeline.


Protecting Machine Identity

“Digital Transformation” is an appealing, if slightly overhyped buzzword in IT circles. Broadly, the term refers to improving the ability of a business to work with its customers, partners and suppliers through digital means. Usually, this implies automation and artificial intelligence as well as fluid integrations that leverage open APIs. The process is a boon to business if done right, but it also amplifies certain kinds of risk exposure. For instance, as a consequence of digital transformation, there has been a veritable explosion in the number of devices and virtual machines operating in the extended enterprise.

Jeff Hudson, CEO of Venafi

“Machine proliferation presents one of the most serious, and under-examined sources of risk exposure in today’s organizations,” said Jeff Hudson, CEO of Venafi. His company provides a trust platform for the dynamic protection of machine identities across extended infrastructure. “A large company today will inevitably create and power down tens of thousands of virtual machines and other, comparable devices. Each machine is vulnerable to attack. If you can’t track your machines’ identities, you may not even understand how many threats you’re facing.”

Hudson pointed out that most organizations are disciplined about managing the identities and credentials of human users, but less organized about machine identities. The risk in this practice comes from ignoring the reality that machines can now easily become “users” of applications. “With open APIs, you can easily have machines accessing data, making procedure calls and interacting with people. You need to know if the machines in these integrations and orchestrations are legitimate.”

Venafi accomplishes this by enabling global visibility into certificate issuance and related factors. “We give you a line of sight into SSH, SSL, TLS, API Keys and so forth, wherever they are in your organization. Remember, there’s no perimeter anymore.” The platform offers deep intelligence and automation of all aspects of machine identities, allowing users to rapidly identify and automatically correct vulnerabilities and weaknesses in keys and certificates at machine speed and scale.

Scale and automation are key, Hudson explained. “It’s all well and good to have policies for tracking machine identities. However, today’s IT operations can make such policies essentially worthless if they’re not automated and based on machine intelligence. We’re way past the days of a human admin setting up a machine and assuming that they will be on top of the machine’s activities throughout its life cycle. There are just way too many machines and automated processes in the mix.”

The Venafi solution looks at the machine’s intended use and human owner and assesses the context of its use. If the machine is not acting within expected parameters, it is flagged for investigation. By automating machine identity management, Venafi enables enforcement of effective machine identity policies.

Venafi also addresses an inherent difficulty in applying security policy to machines: Machines can’t get fired, sued or sent to prison. “If an employee steals proprietary data, he or she will face disciplinary action or even criminal prosecution,” said Hudson. “A machine will not. At least, not today. Call me in ten years and ask me the same question. The answer might surprise us all.”


RSA 2018 Conversation: Citrix’s Mike Orosz

Watch how he spends money. That’s popular advice on dating sites for finding “Mr. Right.” If he spends money on you, he loves you, or so the thinking goes. While it’s debatable if this is healthy dating wisdom, the guidance is worthwhile in cybersecurity.

Mike Orosz, Senior Director of Threat Services and Technology Transformation at Citrix

Mike Orosz, Senior Director of Threat Services and Technology Transformation at Citrix, advocates examining spending to assess an organization’s level of commitment to robust security. He comes to this insight after a career that includes 20 years in security roles in the US Army and Department of Defense.

“You can learn a lot about an enterprise by looking for gaps between identified risks and budget to mitigate them,” Orosz said. “If you’ve got good correlation between risk and spend, you know the organization is taking the threats seriously. The opposite is also true, though in some cases they may not understand the seriousness of the risk.”

A big part of his job is to address these gaps and help clients understand their vulnerabilities and the best remediation practices. “I like to ask, ‘are we ready for vulnerabilities?’,” he added. “Coming from the military, we can treat vulnerabilities as intel, so to speak, and base our strategies on what we learn.” Orosz then prefers to assemble an integrated team to address vulnerabilities and any associated spending gaps.

“We may not recommend increasing spend,” he said. “A lot of the time, it’s a matter of allocation.” For example, some security teams are overly focused on firewalls and traditional notions of the “perimeter.” “The perimeter is all over the place today,” Orosz observed. “You could have exposure to attack based on deficient identity management and access control in the public cloud. No amount of firewall investment is going to make a difference in that case.”

Asked about the difference between working in government versus the corporate world, Orosz explained, “In the government, people generally understand their job and your job. Roles have been long-established, so little explanation is needed. In corporate life, you have to sell yourself. Why should I work with you? Why should I support your budget? We have to make the case that we’re making peoples’ lives easier. If we can’t win that argument, we aren’t going to get anywhere.”

RSA 2018 Profile: SecBI

Hal Holbrook as “Deep Throat” in Alan Pakula’s 1976 film, “All the President’s Men.” (Copyright Warner Bros 1976)

“All The President’s Men” is one of my all-time favorite movies. It’s got everything you want in a film: great acting, suspense, an important subject, and an eerie premonition about the difficulty of using machine learning in threat detection. One of the best lines in William Goldman’s script has been forgotten in favor of the classic “Follow the money.” Hal Holbrook, playing “Deep Throat,” implores Robert Redford’s Bob Woodward to “Get the overview.”

As Deep Throat, an FBI agent, understood, a collection of suspicious incidents might mean nothing, or everything, in an investigation. What mattered was an overview, a holistic understanding of what was going on, of who was doing what. Without that, it was all just, as Robert Redford whined later in the story, “ChickS%% Games.”

Getting the overview is the mission of SecBI, a solution that provides what the company calls “Full Scope Detection” of activities on a network. It answers the kind of question that Redford fired at Dustin Hoffman while they drove around Washington doing learning-based threat detection with a 1971 Volvo 122S rather than a computer. He asked, “A man asks you for directions. Is he interrogating you or is he lost?”

At RSA 2018, SecBI Co-Founder Doron Davidson and VP of Product Management Arie Fred explained how their solution uses unsupervised and supervised machine learning to detect a full scope incident narrative—an overview, if you will, of events and users. “You have to understand what’s hidden on the network,” Davidson explained. “You have to enrich the event information and make connections between things that no human being would ever notice.”

Doron Davidson, Co-Founder of SecBI

An example of enrichment with SecBI might involve correlating user identities with network events to discover a pattern. SecBI uses a process of “autonomous investigation” to carry out this kind of enrichment, leading to insights. “Let’s say you detect file uploads to a public cloud server. Is it data theft or routine business? That might depend on who is doing it. If the user is a contractor in another country, then maybe it warrants a look. What we do is establish a narrative so we can offer meaningful alerts. If you have to investigate every cloud upload, you’ll drown.” SecBI helps security analysts avoid chasing sporadic alerts through tedious investigation workflows. The result is faster incident response and investigation.

The tool is also useful for post-mortem analysis of security incidents. Sometimes, things are not clear until they’re over. SecBI’s machine learning analyzes and clusters all forensic evidence related to a security incident. This might include infected devices and their users, malicious command and control servers, and compromised infection points. It might identify the drop-point with which they communicated, for example. SecBI is able to summarize and present all the relevant evidence in the event data.
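To make the enrichment-and-narrative idea from the two paragraphs above concrete, here is an added example (not SecBI’s code, and not the article’s): raw cloud-upload events are enriched with identity context from a constructed directory, clustered into one narrative per user, and scored as a whole, so the foreign contractor’s repeated uploads to a single drop-point raise one alert while the employee’s routine upload raises none. The directory, events, weights and threshold are all assumptions made up for the example.

```python
"""Added example: enrich upload events with identity, build per-user narratives."""
from collections import defaultdict

# Constructed identity directory; stands in for an HR or IdP lookup.
IDENTITY = {
    "jsmith": {"role": "employee", "country": "US"},
    "ctr_lee": {"role": "contractor", "country": "BR"},
}

# Constructed upload events: (timestamp, user, destination host, bytes sent).
EVENTS = [
    ("2018-04-17T09:01Z", "jsmith", "docs.example-cloud.test", 2_000_000),
    ("2018-04-17T09:05Z", "ctr_lee", "share.example-cloud.test", 50_000_000),
    ("2018-04-17T09:07Z", "ctr_lee", "share.example-cloud.test", 80_000_000),
    ("2018-04-17T21:30Z", "ctr_lee", "share.example-cloud.test", 120_000_000),
]


def enrich(event):
    """Attach who-is-this context to a bare network event."""
    ts, user, dest, size = event
    ctx = IDENTITY.get(user, {"role": "unknown", "country": "??"})
    return {"ts": ts, "user": user, "dest": dest, "bytes": size, **ctx}


def build_narratives(events):
    """Cluster enriched events by user so one narrative covers many uploads."""
    narratives = defaultdict(list)
    for e in map(enrich, events):
        narratives[e["user"]].append(e)
    return dict(narratives)


def score_narrative(events, home_country="US", byte_budget=100_000_000):
    """Score the whole story (who, from where, how much, to where), not one event."""
    who = events[0]                       # identity context is the same per user
    total = sum(e["bytes"] for e in events)
    score = 0
    score += 2 if who["role"] in ("contractor", "unknown") else 0
    score += 2 if who["country"] != home_country else 0
    score += 3 if total > byte_budget else 0
    # Several uploads to a single destination suggests a drop-point.
    score += 1 if len(events) > 2 and len({e["dest"] for e in events}) == 1 else 0
    return score


def alerts(events, threshold=5):
    """Return only the narratives worth an analyst's time: {user: score}."""
    scored = {u: score_narrative(es) for u, es in build_narratives(events).items()}
    return {u: s for u, s in scored.items() if s >= threshold}
```

Run as-is, `alerts(EVENTS)` yields a single alert for `ctr_lee`; raising `threshold` or `byte_budget` is how an analyst would tune the narrative-level noise floor.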

RSA 2018 Profile: Upstream

RSA 2018 presented several moments of, “Oh no… I need to worry about THAT now?” Upstream, an early stage venture from Israel, offered up a juicy “Oh no, but it will be okay” perspective on the topic of cyber security for connected vehicles. Cars are full of digital processors, none of which are particularly well secured, it turns out.

The good news, or perhaps the bad news, is that there are projected to be 250,000,000 connected cars on the road by 2020, according to Gartner. Gartner feels that connected cars will emerge as one of the most significant elements of the Internet of Things [that can kill you or others if you don’t provide adequate security.] We’ll call that the IoTtCKYoOIFDPAS.

Oded Yarkoni of Upstream

“A car is basically a hundred little computers sitting on top of four wheels,” said Oded Yarkoni, Upstream’s Head of Marketing. “They come from many different vendors and have millions of lines of code between them. They are installed by the car maker, but the vast majority of connected cars have literally no systemic security built in.”

This is the problem Upstream is solving. The challenge, according to Yarkoni, is to secure the connected car without requiring anyone to crack open the car and physically start installing security on the dozens of processors in the vehicle. “That’s a non-starter,” said Yarkoni. “However, the risks are out there and the potential impacts are serious.” Indeed, cyber risks for connected cars range from nuisances like being locked out of a vehicle to multiple fatalities and mass terror.

Upstream, which was founded by Yoav Levy and Yonatan Appel (CTO), uses a non-invasive approach to security for connected cars. Upstream collects telematics data from vehicles to a central server. TechRadar defines telematics as “A method of monitoring a vehicle. By combining a GPS system with on-board diagnostics it’s possible to record – and map – exactly where a car is and how fast it’s traveling, and cross reference that with how a car is behaving internally.”

Upstream uses low-footprint data collectors, installed on servers or networks deployed in the fleet data center. For Upstream, a “fleet” can be either an actual fleet, like a group of taxis owned by one company, or a class of cars like a 2017 Toyota Camry. In the latter case, the car company might serve as the data collector for its vehicles.

The data then goes to the Upstream Automotive Cybersecurity Platform for analysis. Upstream anonymizes the data to protect driver privacy and then does in-depth analysis to detect threats, anomalies and malicious activities. The solution can mitigate risks of DDoS attacks, forbidden server commands, malformed vehicle messages, malicious exploits and so forth. Rules-based workflows and customized alerts enable fleet managers to respond to security incidents on the road.


Policy Quick Take

Cybersecurity policies will soon be applied to cars, if they are not already. A fleet owner can set policies regarding access to the vehicle and its accepted uses. They can define and enforce myriad policies for vehicle data and system access. Connected vehicle policy is set to become a key part of an organization’s security policy for IoT and edge devices.