It’s been a while since I’ve managed to update with a post due to a combination of holidays and being busy both at home and work, but things have been happening all the same.
One of those things was the annual Infosecurity conference in London. It ran from the 5th-7th June at Olympia and I was lucky enough to go for two days (5th-6th). I haven’t been to an InfoSec conference before but I would go again. The presentations tend to be quite light on technical detail, but the whole event is pretty decent for seeing current trends and opening your eyes to opportunities to do better.
I tend to walk around these events with a notebook furiously jotting down notes (I prefer to stay analogue for my note taking), and here are those notes…
There always seem to be some main themes that permeate an event like this and, for me, it felt like these were the main contenders:
- A.I.-based threat detection and prevention
- Security teams as a managed service
- The need for in house security skills (red/blue team mentality)
The bottom two go hand in hand with the concept being that you outsource the day-to-day security team operations of tracking alerts and events from IPS/IDS or SIEM solutions but make sure you also have security trained staff internally to build and architect your code/infrastructure. The outsourced team will monitor what you have but it is your responsibility to make sure that what you have is decent in the first place.
It was a packed two days where, in between meeting my suppliers, I also tried my best to go to as many sessions as I could. Here’s a summary of my notes from those sessions.
Barbarians in the Throne Room
- Presenter: Dave Lewis (Akamai)
This talk was about data breaches based upon analysis Dave had carried out over two data sets:
- Data breach disclosure notices in the public domain
- Akamai’s own data of patterns they’ve seen across their infrastructure
On the first item, Dave suggested that there wasn’t really a standard generic pattern to the breaches but the most common reasons were nothing more complex than:
- Missing patches leading to compromise
- People simply walking out of the door with data on a USB stick
If you’re cynical you could look at those and think it suggests that all the expensive products on display at the event aren’t really needed, you just need good practice on the fundamentals. Of course that’s a fallacy based on such a narrow analysis but interesting nonetheless.
On the second item, it was interesting to hear that Akamai’s own data seemed to suggest that 51% of web based attacks against them were good old SQL injection. That lines up nicely with the OWASP Top 10 but does give an unexpectedly high weighting to that particular attack.
Dave gave some tips regarding protections throughout the talk and whilst I hope they would be generally obvious to most people, I know they often aren’t implemented in reality despite that understanding:
- Use WAFs
- Always encrypt data
- Ensure that egress filtering is used to see what is going out of your network. A common method he mentioned was the use of GRE tunnels to encapsulate IP traffic using common ports that many people allow outbound
- It is important to have a strategy in place to protect DNS as it is key for a lot of malware to function (Cisco were pushing a product/service called Umbrella for this)
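To make the egress filtering and DNS points concrete, here is an added example (my own, not from Dave’s talk) that reviews constructed flow records and flags two things a filter should catch: GRE-encapsulated traffic leaving the network (IP protocol 47) and DNS queries going to resolvers other than the approved internal ones. The CSV format, the internal ranges and the resolver address are assumptions for the example.

```python
"""Egress-filter review over constructed flow records (added example).

Assumptions (not from the talk): flows arrive as CSV lines with the fields
ts,src_ip,dst_ip,proto,dst_port; INTERNAL_NETS and APPROVED_RESOLVERS are
placeholder values chosen for this example.
"""
import csv
import ipaddress
from io import StringIO

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
GRE = 47   # IANA protocol number for GRE encapsulation
UDP = 17

# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,proto,dst_port
2017-06-05T09:00:01,10.0.1.10,10.0.0.53,17,53
2017-06-05T09:00:02,10.0.1.10,198.51.100.20,47,0
2017-06-05T09:00:03,10.0.1.11,203.0.113.9,17,53
2017-06-05T09:00:04,10.0.1.12,203.0.113.80,6,443
2017-06-05T09:00:05,198.51.100.5,10.0.1.12,6,443
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def review_egress(flow_text):
    """Return (reason, src, dst) for each internal->external flow that an
    egress filter should block or at least alert on: GRE tunnels leaving the
    network, and DNS that bypasses the approved resolvers."""
    findings = []
    for row in csv.DictReader(StringIO(flow_text)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        proto = int(row["proto"])
        port = int(row["dst_port"])
        if not is_internal(src) or is_internal(dst):
            continue  # only outbound (internal -> external) flows matter here
        if proto == GRE:
            findings.append(("gre-tunnel-egress", str(src), str(dst)))
        elif proto == UDP and port == 53 and dst not in APPROVED_RESOLVERS:
            findings.append(("dns-bypass", str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for finding in review_egress(SAMPLE_FLOWS):
        print(*finding)
```

The same two checks map directly onto deny rules on an egress firewall: drop protocol 47 outbound, and allow UDP/53 outbound only from the approved resolvers.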
All in all, Dave was an interesting and charismatic speaker to listen to.
Securing the User
- Jessica Baker (Independent Security Consultant)
- Jonathan Kidd (Hargreaves Lansdown CISO)
- Angela Sasse (RISCS)
- Stephen Bonner (Deloitte)
This was a panel discussion about security culture within an organisation, some key messages from NCSC were:
- A fundamental change on approach to passwords (see here).
- The industry must move away from demonising users as the weakest link and think of them as the strongest link.
- If security doesn’t work for people, it doesn’t work. (there’s an NCSC video here on this topic)
It was an interesting discussion with Angela Sasse by far being the speaker with the most to say. I liked the focus on user psychology with everyone referencing a book called Nudge, which is now on my wishlist, as well as some mention of the SANS Security Awareness Report. I did also have a good chuckle when this xkcd comic was rolled out to illustrate the dangers of systems that alert users too much:
Risks, Threats & Adversaries: What (or Who) Should You Be Worried About?
- Peter Wood (ISACA)
- James Lyne (Sophos)
- Rik Ferguson (Trend Micro)
- Ian Levy from NCSC couldn’t attend due to election purdah rules
This was another panel discussion and I went along mainly for the draw of James Lyne & Rik Ferguson who I’ve seen speak before and found to be both informative and entertaining.
The discussion was very audience driven and focused to the current threat landscape. Of course, WannaCry was given a healthy amount of time for discussion.
There was an interesting note that the World Economic Forum’s global risk report now lists cyber-attacks and data theft as both likely and high-impact. The report can be seen here and is interesting to see how these issues now line up alongside risks such as terror attacks and natural disasters.
On the topic of ransomware the key points were:
WannaCry has essentially broken the trust model that is needed for ransomware attacks so the expectation is that this type of attack will decrease.
Recommended protections were the old standards of:
- Have good backups: 3 copies, 2 formats, and 1 backup copy should be air-gapped (i.e. on a tape in a safe)
- Limit access: through user admin privilege management and network segmentation
The emphasis shouldn’t be on zero day vulnerabilities as it simply isn’t possible to patch instantly. The focus should instead be on understanding vulnerability management: knowing your estate and what vulnerabilities are out there so you can manage your risk during your patch window.
James then went on to speak a bit about IoT with the key message being that IoT is not the future, it is now. The gist of the point was that IoT is getting to the point where it is “on by default” which, in effect, is taking the security choice away from users and companies. You can’t choose to avoid using IoT devices as rapidly everything will become IoT whether you are aware of it or not.
MFA and Beyond
- Wendy Nather (Duo)
- Sam Rigelsford (Dyson)
Sam went through his experiences implementing MFA at Dyson which, whilst interesting, wasn’t really that useful for me as I’m well aware of the process & pitfalls having implemented it for my company. I’ll do a lab series at some point to show how to set that up in Azure.
What Wendy Nather had to say though, I found very interesting. Wendy spoke about how increasing de-perimeterisation means that companies need to move towards a “zero-trust” model.
By this she suggested that companies need to move away from the concept of whitelisting internal users and run MFA as an always on protection, regardless of your location. Coupled with this, she also suggested that companies focus on applying device hygiene restrictions before letting devices join the network.
On this concept of de-perimeterisation it was recommended to read about Google’s BeyondCorp strategy.
ZScaler & Nuage
This wasn’t a talk/presentation but just a sales pitch that caught my eye as interesting/useful, but as it was a sales pitch I’ll keep my notes brief.
Simply put, Nuage offer an SD-WAN (Software Defined WAN) product service which you can then combine with ZScaler to provide a cloud based security overlay. All pretty cool stuff that, I suppose, can help businesses move away from the old hub & spoke model to:
- Commodity Internet breakout at each branch location.
- Getting rid of the need for firewalls and proxy servers at branch sites as that will all be covered by the cloud based security overlay.
One for me to read up a bit more about.
Malware Red Alert: The First 24 Hours
- Presenter: Steve Shepherd (7Safe)
This was another sales pitch kind of talk from Steve so I’ll keep these notes brief too. The session essentially stepped through the CREST incident response process (which is very good): Prepare, Respond, and Follow-up.
Steve’s headline tips/advice seemed to be:
- You need to have a response partner lined up and ready to help you through an attack
- Irrespective of IPS/IDS or other tools you still need to go through a server inspection process following an incident, so it is important that you have a clear grasp of what you have out there
- You need to consider your company’s risk profile: Are you a worthy target?
Hand-to-Hand Combat With An Advanced Attacker
- Zek Turedi (Crowdstrike)
- Dan Larson (Crowdstrike)
Whilst obviously this pushed Crowdstrike’s service, it was the most technically in-depth of all the presentations I saw at the event. It was also popular: the room was jam packed to the level that I’m sure breached fire regulations – extra chairs were brought in to fill all the aisles 🙂
The session was essentially a summary of the attack trends Crowdstrike are seeing across the environments they manage based upon their data pool of around 30 billion events per day.
- Their data shows 8/10 breaches were from a fileless attack (a Verizon report puts the figure more at 50/50).
- In 2017 they have seen a large rise in malware to mine crypto currencies such as Monero.
  - Often not picked up by AV as it’s not really a virus
  - More profitable and reliable than ransomware – a slow steady income of $132/yr per machine
  - SMBv1 worm versions have been found recently which grind networks to a halt as CPU is drained.
The Monero piece particularly caught my interest as I wonder how many AV clients do pick it up?
They then went through the traditional cyber kill-chain that an attack follows whilst offering some counter measure advice for each step – all a bit too much detail for me to do it justice so I’ll leave it at that.
I went along to a Splunk 101 session based on curiosity having read about the product and also because it was name dropped so often in other presentations when people gave examples of network event visibility.
I don’t have any experience with Splunk but I kind of wish I could get some. I do think the product looks really good but my only reservation is that if you don’t have a dedicated security team then I question how much it will actually be used.
Top tip from this presentation was that for anyone interested you can sign-up for a free trial and they also offer a free basic training course online. I’m planning to partake so, if I do, I’ll write up what I learn on this blog.
How to be Employed at the SOC of Tomorrow… Today
- Presenter: Ryan Kovar (Splunk)
Sticking with the Splunk theme the final session I went along to was very much an informal discussion where Ryan spoke of his experience in the industry to date before going on to give his opinion of the key skills teams will need in the future.
- Ryan’s premise was that very soon A.I. will eliminate the traditional tier 1 jobs such as log checkers or those who write forwarders.
- His thought was that most people working in IT security who are in their 30s or above won’t have started in that sort of role, whereas those who are younger will have. In some ways this is a disadvantage but in other ways breadth of experience can be an advantage if used properly.
- Ryan’s assertion was that the explosion in the amount of available data means that the key skill is being able to use that data to influence at the exec level. Therefore the skills needed to complement security awareness are:
- BI/Data visualisation
- Statistical analysis
- Additionally he emphasised the need to know how to code, how to script in particular, with languages such as bash, Perl, and Python. (He recommended Scipy lectures as a good online resource)
All just a matter of opinion, but very interesting nonetheless.