Black Hat is upon us and, with it, a lot of chatter about the dangers posed by so-called “APT,” or advanced persistent threats. Rather than get trapped in the hype bubble, Threatpost editor Paul Roberts took the opportunity to check back in with a recognized expert on detecting and combating APT-style attacks: Amit Yoran, the former CEO of NetWitness Corp. and now a Senior Vice President at RSA, The Security Division of EMC. Yoran says that the darkest days may yet be ahead in the fight against APT style attacks, with mounting attacks and a critical shortage of security talent. To cope, both private sector firms and the government need to stop fighting the last war and pivot to the kinds of practices and monitoring that can spot sophisticated attackers.
It has been 15 months since EMC gobbled up NetWitness, the network monitoring firm Yoran headed. Back then, the company had just helped EMC detect a devastating security breach in its RSA business unit that leaked critical information on RSA’s SecureID. The stolen information was then used to aid in attacks on other high profile firms that used SecureID to secure access to their networks. The attack was a black eye for EMC and RSA, but also put the firm and Mr. Yoran in a unique position to speak – with experience – about the danger posed by so-called “APT” or advanced persistent threats. A successful entrepreneur who, before launching NetWitness, co-founded the security firm RipTech (acquired by Symantec), Yoran also served within government as the National Cyber Security Division at the Department of Homeland Security. Threatpost editor Paul Roberts began by asking Yoran what changes he has seen in the security industry in recent years.
Threatpost: You’ve been in the security industry for a long time and in a number of different capacities. As you look across the industry now, where are we? What do you see as the biggest changes that have taken place in the last few years?
Amit Yoran: On the threat side, is really where the market is evolving and where I see a lot of energy and focus. There’s a broad enough understanding that the threat landscape has changed. We hear a lot of buzz around APT (advanced persistent threats). And we know that traditional approaches to security like firewall and antivirus are – unless you have context –making guesses about what’s going on. That’s especially true with rapidly evolving threats. We’re also helping to address security expertise within organizations. We’re listening to government folks and people in industry speak about needing 100,000 cyber warriors. That’s very much a dream, because that kind of expertise is not broadly available.
So the question is: how can you take the few hardcore experts that exist in an organization and scale them? What technologies and capabilities can we deliver to help a handful of experts that exist get an understanding of what’s happening in a security environment? We want to augment that with automated threat intelligence – positive control over information that they share, live threat intelligence infrastructure and so on.
Threatpost: So are you saying that the tools organizations have invested in aren’t working?
Amit Yoran: I think they’re necessary, but not sufficient. Things like antivirus, intrusion detection – I’m not comfortable saying they’re unnecessary, but I’m definitely comfortable saying they’re not sufficient.
Threatpost: That may be, but in many cases organizations are compelled to use these technologies by regulations, such as PCI.
Amit Yoran: Well, with PCI, yes, but I think there’s room for interpretation. What’s certainly true is that, for the purposes of compliance, most risk officers or compliance officers aren’t willing to take an aggressive stand. I think the bigger question, when it comes to compliance, might be ‘What constitutes a firewall or IDS?’ I’m not saying ‘abandon this and do that.’ But, when it comes to the question of how to balance resources and time, I’m increasingly of the conviction that compliance is not what should be driving your security posture. It’s an interesting and important byproduct, but if compliance is in the driver’s seat, you will fail in security practice. I’ve never seen an organization that allowed compliance to drive security succeed on the security front.
It’s certainly the case that a lot of regulations have some logical underpinning. But when that’s taken too literally or read too restrictively, like with anything, the organization starts performing to the test rather than to the task. As an organization, you should be practicing and working towards your regulation and compliance requirements, not driving towards a specific security requirement, because its common knowledge that there’s a substantive gap.
Threatpost: OK. So if regulatory compliance isn’t the end, where should companies invest?
Amit Yoran: I think there are a couple areas where improvement is happening. One is agility. We don’t have blocking, filtering and preventative mechanisms that can respond to “zero days” or modifications of existing exploits. The question is: ‘How will we deal with those threats and identify new capabilities?’
There’s also the marriage of key assets and key targets. More often than not, APTs are using modifications of generic exploits, but using them in very focused attacks. The exploits are advanced enough but its really the persistence of the threats that’s most important. So this is an area where we need to think like the adversary. They’re going to be targeting certain systems and individuals. They’re going to use social engineering to get access to the data they’re interested in. We need to ask: ‘What are those key assets?’ ‘How can we identify them and prioritize the visibility and protection and response around those key pieces of infrastructure?’
We can’t protect everything at all times, but there’s a whole lot of analytics that can be applied to these problems, and we have the ability now to look at large data sets and do interesting modelling around them. This isn’t anomaly detection applied to a TCP connection. We’re talking about looking at the confluence of user behavior and application behavior, and applying profiles to those that makes sense of what should be permissible and what is actually happening in the environment.
Threatpost: What about the cyber expertise problem? After all, using a product like NetWitness requires a special skill set that’s hard to come by.
Amit Yoran: I feel like saying ‘tough.’ If that’s the skill set, you have to go get it. But the fact is, we need to look to technology sharing and tools that allow people to do more. We can help folks identify things in their environment, like ‘why is one of my users logging on from three different geographies simultaneously?’ or ‘why did they log in to a site registered two days ago in Eastern Europe or China?’
So there are a whole bunch of things we can do to help guide interesting things. We can make these approaches more user friendly to novice users. Ultimately, the realization is: we have to come down market to help educate and frame things for less expert users. But they need to come upmarket with their knowledge of fraud and they need to retool themselves.
Threatpost: Do you find the shift in focus, in the past couple of years, to ‘advanced threats’ useful or a distraction?
Amit Yoran: I think its absolutely useful to talk about the danger posed by nation-state actors. But the flip side is that, while you may have an elite group of exploit writers and attack planners, down the road, those exploits and attack techniques make their way into the broader community of malicious actors. So, while Stuxnet and Flame might be viewed as what elite hackers do today, we’re going to see a rapid proliferation of those technologies.
Threatpost: Your unique experience inside the Beltway gives you some perspective on efforts to pass cybersecurity legislation. Any thoughts?
Amit Yoran: Well, I’m a bit sensitive about this topic. What I can say is that I’m a firm believer in the need for greater transparency. It helps organizations better understand threats and make better decisions than they’re making today. We need better visibility into attacks and better accountability by organizations. We need a better understanding of what exploits are occurring and what organizations are doing to protect themselves.
I think there are significant roles that governments can play in security. Government has a lot of good threat intelligence and can provide that type of knowledge into what is happening. So there’s a role for threat intelligence. But I’m always cautious on getting private industry to rely on governments to protect it rather than learning to protect ourselves.
What’s also clear is that automation allows things that were not possible before, so there are civil liberties and privacy implications that need to be thought out.
Threatpost: Many of our readers are looking for guidance on how to handle threats like APTs. What is one thing they can do to provide resistance to being hacked?
Amit Yoran: It’s not about resistance to hacking. You can use performance metrics, but there are unintended consequences. Namely, they can skew your organization toward metrics in good and bad ways. What we’ve been able to provide to customers is a level of comfort: how do you know if you’re vulnerable to APT? How do you know that you’re not having data exfiltrated? We provide visibility and confidence. We can say ‘here’s where the important stuff is; here’s where the critical stuff is and here’s what’s happening in those environments.’ So, when a question pops up, they can answer it. We’re focusing on that kind of agility and finding people answers.
Threatpost: What big trend do you see coming in the security world?
Amit Yoran: Well, a couple years ago, it was “compliance.” You had a situation where every security product became a compliance product. Then last year it was APT – every product became relevant to detecting APTs. We’re realizing that nation states are very active in this arena. And they may go after critical industry or intellectual property. They’re trying to further their nation’s economic advantage as much as anything else.
So I think that is the realization that started happening: these attacks are going to continue to expand. As we said earlier. Even in our conversation: we’ve been focused on nation-state actors, but that’s a blurry topic. In certain parts of the world, organized crime is condoned by the government. Are NPOs and Universities working on behalf of government entities APTs? It’s an increasingly muddy environment. I think we’re in for a very tough year or couple of years as the security community adjusts. The good news is that the realization that we need to do something differently. It’s not that we’ve discovered the answer, but we now realize that something is going on.
Threatpost: For much of the last two decades, we’ve been working in a computing monoculture dominated by Microsoft’s Windows and the company’s other products. That’s no longer the case – what with Mac infiltrating the enterprise, and the explosion of smart mobile devices. Where are we now, in your opinion?
Amit Yoran: I think industry is behind and rapidly coming around. For all the evils of technology monocultures -organizations are largely unable to protect their environments today – going forward the landscape is even more ominous. I think the diversity of the number and types of computing platforms and the organization’s ability to control those platforms – or lack of it – is a major concern. You need to have data protected. But in today’s applications, its delivered to platforms where you have diverse applications running. It’s a major efficiency driver for a businesses. But – wow- the security paradigm needs to change rapidly. I’ve found that there’s always a silver lining. As we look at cloud-based service capabilities and providers and at architectures moving forward, I think there’s an opportunity to inject some new capability into organizations. Right now, that’s quite daunting, because they run the risk of failure. But there’s a great opportunity to leverage technology trends for key improvements in security.
Threatpost: Amit, thanks for taking the time to talk to Threatpost!
Amit Yoran: It’s been a pleasure!