APTs Archives - CISO MAG | Cyber Security Magazine (feed built Thu, 18 Feb 2021 13:56:04 +0000)

“Having a universal standard for privacy may not be practically possible”
https://staging-cisomagcom.kinsta.cloud/having-a-universal-standard-for-privacy-may-not-be-practically-possible/
Fri, 19 Feb 2021 04:30:08 +0000

Anshuman Sharma is a seasoned professional with over 15 years of experience in the field of cybersecurity, leading the Hong Kong & India market for the Investigative Response (VTRAC) practice. He brings unique and vast experience in leading digital forensics and incident response, threat hunting, threat & vulnerability, advisory & security assurance, and PCI DSS compliance. Currently, he is the Principal Consultant, APAC, VTRAC (Verizon Threat Research Advisory Center).

In an exclusive interaction with Augustin Kurian, Senior Feature Writer at CISO MAG, Sharma talks about his journey, the impact of COVID-19 on cybersecurity, the adoption of AI and ML, and the global compliance norms.

Edited excerpts of the interview follow:

AK: You have over 15 years of experience across a wide spectrum of areas spanning information security, cybersecurity, cyber forensics, cyber warfare, risk management, expertise in the SOC and CERT, cloud computing, Big Data, Internet of Things (IoT), MEC, ML, and AI. How has your journey been so far? How has the cybersecurity space evolved in the last 20 years, and how did COVID-19 change the cybersecurity dynamics?

Sharma: My journey in the past 15 years has been fascinating. I need to be on my toes, keeping myself abreast with the latest know-how within the security domain. The security landscape has undergone exponential growth in the past 20 years. For example, two decades ago, organizations were taken by storm with the advent of firewalls. Then came the era of Intrusion Detection and Intrusion Prevention Systems (IDS/IPS).

Moving to the more recent past, with the advent of the Internet of Things (IoT), Artificial Intelligence, and Machine Learning (AI & ML), cybersecurity has taken another quantum jump. The threat landscape changed with the advent of the cloud, and the complexity of the threats increased in parallel.

Digital transformation has played a key role in how cybersecurity has changed over the years. We moved from packet-filtering firewalls to next-gen firewalls, which provided other functionalities such as gateway AV controls, web content filtering, and email content filtering.

In the current context, AI and ML are being used for next-generation preventive and detective solutions such as Endpoint Detection and Response (EDR) at the endpoints, Network Detection and Response (NDR) at the network level, and User Entity Behavior Analytics (UEBA), all utilizing the power of AI and ML to identify anomalies by first understanding what is normal. The contribution that threat intelligence brings to the table cannot be ignored. Threat intelligence (from Clearnet and Darknet) is providing the necessary ingredients for a threat hunting program in an organization, and it matures with the help of EDR and NDR technologies. Couple that with other recently matured and evolving technologies such as Security Incident and Event Management (SIEM), Deception Technologies, and Security Orchestration, Automation and Response (SOAR). This provides the necessary tools to a cybersecurity professional to thwart most cyberattacks and/or helps them detect many in a timely fashion. Also, mature organizations have great response plans in place as they know, “it is no more a question of if, but when.”

The COVID-19 pandemic has changed, possibly forever, the way we work. It has caused many organizations to adapt and/or hasten their roadmap towards digital transformation and has resulted in many organizations such as banks, which traditionally have never moved aggressively towards the cloud or even toward providing remote access to the work environment.

When there is change, there exists a potential for confusion, omissions, and mistakes. Cybercriminals are aware of this and will do their best to capitalize on any opportunities afforded by them. I do not mean to imply that the cloud and remote technologies mentioned above are inherently less secure. Rather, the concern arises from the fact that due to the conditions the pandemic has created, most organizations are hurriedly adopting them, and they are often forced to do so while relying on fewer resources in terms of both personnel and revenue. When one adds to that dangerous concoction of digital transformation the additional ingredient of large-scale remote work enablement, it can easily spell disaster. The likely factors contributing to incidents and breaches in the COVID-19 situation include:

  • Increase in error – These error types are typically due to carelessness and/or hurry on the part of a system administrator or regular end-user, which includes misconfiguration, misdelivery, and publishing errors.
  • Stolen credential-related hacking – Our recent research shows that over 80% of breaches within the hacking category are caused by stolen or brute-forced credentials. The majority of the time, these occur via web apps and/or the cloud. Since businesses are forced to lean on Software-as-a-Service (SaaS) platforms more heavily now, we expect this increased reliance to substantially widen the attack surface for bad actors looking for stolen and brute-forced credentials.
  • Asset management and patching – Most of us will agree that making sure that all corporate-owned assets are promptly and consistently patched may be more difficult in the current environment than it has been in the past. However, given the current circumstances in which a large number of employees are being encouraged (or mandated) to work from home, maintaining those newly external workstations for remote access suddenly becomes a much bigger deal.
  • Ransomware likely to rise – Several incidents where the ransomware group was also confirmed to have taken a copy of the data before triggering encryption and posting the data (either partially or entirely) publicly on their website of choice.
  • Impact on the phishing landscape – The surge in remote working due to the pandemic may increase the reliance on mobile phones and tablets. Research from last year’s DBIR report indicates that many users are more likely to click on a malicious link when using a mobile device than a desktop or laptop.
  • The Mind Games – Clearly, COVID-19-related terms are showing up in threat indicators. However, how susceptible people are to them is still an open question. To try to provide an answer, Verizon examined some simulated phishing data provided by a report contributor. Verizon compared emails that contained COVID-19-related terms (such as COVID, Corona, pandemic, Wuhan, SARS, etc.) to those emails that did not contain such references. Based on the data, phishing emails that were related to COVID-19 had a somewhat higher success rate and showed more organizations having far higher click rates, even above 50% in some cases.

AK: CEO frauds are a concern these days. Do you believe the new work from home format has heightened cybersecurity risks on CEOs and those with privileged access?

Sharma: In one of the recent reports, it was mentioned that senior executives are 12x more likely to be the target of social incidents, and 9x more likely to be the target of social breaches than in previous years. One of the factors behind targeting the senior executives is that they have access to the most critical information, and often, they have unrestricted access to such information.

With the new work from home scenario, we expect to see a rise in phishing emails. With the number of executives making use of personal devices for work-related tasks increasing, the risk for compromise becomes greater. So, we may see the number of business email compromise attacks increasing.

AK: When it comes to data security, many times, industries do not know what their critical data is. So, how do you think they can combat it?

Sharma: One of the most important aspects of securing data is being able to answer what sensitive data an organization has (PII, PHI, Payment Data, etc.), where it is stored, processed, and transmitted, who has the access, and what privileges they have, and what it will cost the organization if such data gets leaked. It means that a data classification exercise needs to be carried out.

Organizations are creating massive amounts of data that is both structured and unstructured. The key is to have a sound understanding of business processes and to have business process flows to identify the data life cycle — creation, storage, usage, sharing, archiving, and destruction. Having a data classification policy is another important aspect, as it identifies any legal and regulatory requirements and sets up the various classification levels. Using an Identity and Access Management (IAM) solution and a Privileged Identity Management (PIM) solution with assigned roles and responsibilities can help in better managing users’ access to data.


About the Interviewer

Augustin Kurian is the Senior Feature Writer and part of the editorial team at CISO MAG and writes interviews and features.

This interview first appeared in the December 2020 issue of CISO MAG.

The post “Having a universal standard for privacy may not be practically possible” appeared first on CISO MAG | Cyber Security Magazine.

Security Evolution: From Legacy to Advanced, to ML and AI
https://staging-cisomagcom.kinsta.cloud/ai-ml-in-cybersecurity/
Fri, 04 Dec 2020 04:30:03 +0000

AI and ML present a new dawn in the cybersecurity industry. AI is not a new concept to computing. It was defined in 1956 as the ability of computers to perform tasks that were characteristic of human intelligence. Such tasks included learning, making decisions, solving problems, and understanding and recognizing speech. ML is a broad term referring to the ability of computers to acquire new knowledge without human intervention. ML is a subset of AI and can take many forms, such as deep learning, reinforcement learning, and Bayesian networks. AI is poised to disrupt the cybersecurity space in many ways in what might be the ultimate win for the cybersecurity industry against cybercriminals.

By Dr. Erdal Ozkaya, MD & Regional CISO of a Global Bank

AI/ML in cybersecurity involves deploying self-sufficient tools that can detect, stop, or prevent threats without any human intervention. Threats are detected based on the training that the algorithm in the security tool has undertaken on its own, together with the data already supplied by the developers. Therefore, throughout its life cycle, an AI-powered security tool will become better at detecting threats. The original dataset of threats provided by developers gives it a reference base it can use to distinguish what is normal from what is malicious. The security tool will then be exposed to insecure environments before final deployment. In environments filled with threats, the system will continually learn from the threats that it detects or stops. Attacks will also be directed at it, including attempts to overwhelm its processing capabilities with large volumes of malicious traffic. The tool will learn the most commonly used hacking techniques for breaching systems or networks. For instance, it will detect the use of password-cracking tools such as Aircrack-ng on wireless networks. Similarly, it will detect brute-force attacks on login interfaces. The main role played by humans in cybersecurity will be to update the algorithms of the AI tools with more capabilities.

AI security systems will possibly contain all threats. Conventional security systems are usually unable to detect threats that exploit zero-day vulnerabilities. With AI, even after evolving and adapting new attack patterns, malware will not be able to penetrate the AI system. The system will check the code being run by the malware and predict the outcome. Outcomes that are deemed to be harmful will cause the AI system to prevent the program from executing. Even if the malware obfuscates its code, the AI system will keep tabs on the execution pattern. It will be able to stop the program from executing once it attempts to carry out malicious functions such as making modifications to sensitive data or the operating system.

It is already projected that AI will overtake human intelligence. Therefore, a foreseeable point in the future will see all cybersecurity roles moved from humans to AI systems. This is both advantageous and disadvantageous. Today, when an AI system fails, the results are normally tolerable, because the scope of operations handled by AI systems is still limited. However, when AI finally overtakes human intelligence, the results of a failure in these systems might be intolerable. Since the security systems will be better than humans, it is possible that they will be in a position to refuse input from humans. A malfunctioning system might, therefore, continue operating without any intervention. The perfectionist nature of AI will be both good and bad. Current security systems work toward reducing the number of attacks that can succeed against a system. However, AI systems work toward eliminating all threats. Therefore, false positives might not be recognized as such; they might be treated as true positives and thus cause disruptions in the affected harmless systems that are stopped from executing.

There are also fears that the integration of ML and AI into cybersecurity might lead to more harm than good. As has been observed over the years, attackers are resilient. They will always try to find ways to beat a cybersecurity system. Normal cybersecurity tools are beaten using more sophisticated methods than the tools are aware of. However, the only way to beat AI will be to confuse it. Therefore, threat actors might infiltrate AI training systems and provide bad datasets, thus corrupting the knowledge acquired by the AI-backed security systems. The actors might also create their own adversarial AI system to even the playing field. This would result in an AI versus AI battle.
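The paragraph above describes attackers feeding bad datasets into the training phase of an anomaly-based control. The following example, added here and not part of the original article or any vendor product, shows the defender's side of that concern on a deliberately tiny model: a baseline of failed-login counts per hour, a "normal" threshold derived from that history, and a later burst that should be flagged. All numbers, the history windows and the burst size are constructed for illustration. The point it makes is that a threshold built from the mean and standard deviation is pulled upward by a handful of planted extreme samples until a real attack looks normal, while a threshold built from the median and median absolute deviation (MAD) barely moves; the choice of statistic is one concrete mitigation for training-data poisoning, alongside validating where baseline data comes from.

```python
"""Added example: how poisoned baseline data shifts an anomaly threshold.

Models a very simple anomaly-based control: count failed logins per hour
in a training window, derive a "normal" threshold from that history, then
flag any later count above it. Everything here is constructed for
illustration; no real log data is used.
"""
from statistics import mean, median, pstdev

# Constructed training history: failed logins per hour from one workstation.
CLEAN_HISTORY = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2]

# The same history after an attacker has planted a few inflated samples in
# the training window so that a later burst no longer stands out.
POISONED_HISTORY = CLEAN_HISTORY + [120, 130, 140]

# A later observation: a credential-stuffing burst of 60 failures in an hour.
ATTACK_COUNT = 60


def mean_threshold(history, k=3.0):
    """Classic mean + k*stddev threshold; a few extreme samples move it a lot."""
    return mean(history) + k * pstdev(history)


def robust_threshold(history, k=3.0):
    """Median + k*MAD threshold; a minority of extreme samples barely moves it."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 scales MAD to be comparable to a standard deviation for
    # normally distributed data.
    return med + k * 1.4826 * mad


def is_anomalous(count, history, threshold_fn):
    """True if the observed count exceeds the threshold learned from history."""
    return count > threshold_fn(history)


def poisoning_comparison():
    """Which detector still flags the attack once the baseline is poisoned."""
    return {
        "mean_clean": is_anomalous(ATTACK_COUNT, CLEAN_HISTORY, mean_threshold),
        "mean_poisoned": is_anomalous(ATTACK_COUNT, POISONED_HISTORY, mean_threshold),
        "robust_clean": is_anomalous(ATTACK_COUNT, CLEAN_HISTORY, robust_threshold),
        "robust_poisoned": is_anomalous(ATTACK_COUNT, POISONED_HISTORY, robust_threshold),
    }


if __name__ == "__main__":
    for name, flagged in poisoning_comparison().items():
        print(f"{name:16s} -> {'ALERT' if flagged else 'normal'}")
```

With the clean history both detectors alert on the burst; after the three planted samples the mean-based threshold climbs to roughly 190 failures per hour and the burst passes as normal, whereas the median/MAD threshold stays near 7 and still alerts. Robust statistics are not a complete defence (an attacker who controls a majority of the window beats them too), which is why the provenance of baseline data matters as much as the arithmetic.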

Finally, hackers might still use methods that circumvent AI security systems. Social engineering can still be carried out physically. In such cases, AI systems will not be able to help the target. Shoulder surfing—the simple act of looking over someone’s shoulder as they enter crucial details—is also conducted without the use of hacking tools. This, too, circumvents the security system. Therefore, AI and ML might not be the ultimate answer to cybercrime.

This article has looked at the evolution of cybersecurity from legacy to advanced and then on to futuristic technologies such as AI and ML. It has been explained that the first cybersecurity system was an antivirus system that was created to stop the first worm. Cybersecurity then followed this example, where security tools were created as responses to threats. Legacy security systems started the approach of using signature-based detection. This is where security tools would be loaded with signatures of common malware and use this knowledge base to detect and stop any program that matched the signature. However, the security systems were focused on malware, and thus, hackers focused on breaching organizations through the network. In 1970, an OS company was breached via its network and a copy of an OS was stolen. In 1990, the US military suffered a similar attack where a hacker broke into 97 computers and corrupted them. Therefore, the cybersecurity industry came up with stronger network security tools. However, these tools still used the signature-based approach and thus could not be trusted to keep all attacks at bay.

In the 2000s, the cybersecurity industry came up with a new concept of security where it advised organizations to have layered security. Therefore, they had to have security systems for securing networks, computers, and data. However, layered security was quite expensive, yet some threat vectors were still infiltrating computers and networks. By 2010, cybercriminals started using threats called advanced persistent threats. Attackers were no longer doing hit-and-run attacks; they were infiltrating networks and staying hidden in the networks while carrying out malicious activities. In addition to this, phishing was revolutionized and made more effective. Lastly, there was another development where attackers were using DoS attacks to overwhelm the capabilities of servers and firewalls. Since many companies were being forced out of business by these attacks, the cybersecurity industry developed a new approach to security, known as cyber resilience. Instead of focusing on how to secure the organization during attacks, they ensured that organizations could survive the attacks. In addition to this, users became more involved in cybersecurity where organizations started focusing on training them to avoid common threats. This marked the end of security 1.0.

The cybersecurity industry then moved to the current “security 2.0”, where it finally created an alternative to signature-based security systems. Anomaly-based security systems were introduced and they came with more efficiencies and capabilities than signature-based systems. Anomaly-based systems detect attacks by checking normal patterns or behaviors against anomalies. Apps and traffic that conform to the normal patterns and behaviors are allowed to execute or pass, while those that do not are stopped. While anomaly-based tools are effective, they rely on decisions from humans. Therefore, a lot of work still comes back to IT security admins. The answer to this has been to leverage AI with the hopes that such security systems will become self-sufficient.
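The two approaches contrasted above (signature-based detection in the legacy era, anomaly-based detection in "security 2.0", and the point that anomaly tools still push decisions back to a human analyst) can be seen side by side on a handful of process-creation events. The example below is added here and is not code from the original article or from any vendor's product; the telemetry lines, host name, user name, process names and the "known bad" list are all constructed. It learns which (user, process, parent) combinations are normal from a baseline window and then classifies a later window with both detectors.

```python
"""Added example: signature-based vs anomaly-based detection on process events.

Constructed endpoint telemetry, not real data. Each line is
"<timestamp> <host> <user> <process> <parent>". The signature detector
matches process names already on a known-bad list; the anomaly detector
learns which (user, process, parent) triples are normal from a baseline
window and flags anything it has not seen before.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts host user process parent")

# Constructed baseline window: ordinary workstation activity for one user.
BASELINE_LOG = """\
2021-02-01T09:00:01 ws01 alice outlook.exe explorer.exe
2021-02-01T09:00:05 ws01 alice winword.exe explorer.exe
2021-02-01T09:02:10 ws01 alice chrome.exe explorer.exe
2021-02-01T09:10:44 ws01 alice excel.exe explorer.exe
2021-02-01T10:30:00 ws01 alice chrome.exe explorer.exe
"""

# Constructed observation window: three events to classify.
#  1. a binary whose name is already on the signature list
#  2. an unknown binary launched by a word processor (no signature exists)
#  3. a legitimate admin tool the user has never run before
OBSERVED_LOG = """\
2021-02-02T09:01:00 ws01 alice known_dropper.exe winword.exe
2021-02-02T09:01:30 ws01 alice updater.exe winword.exe
2021-02-02T14:00:00 ws01 alice procmon.exe explorer.exe
"""

# Constructed signature list standing in for a vendor's malware signatures.
KNOWN_BAD_PROCESSES = {"known_dropper.exe"}


def parse_log(text):
    """Turn the whitespace-separated telemetry lines into Event tuples."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def signature_detect(events):
    """Flag only processes whose name matches the known-bad list."""
    return [e for e in events if e.process.lower() in KNOWN_BAD_PROCESSES]


def build_baseline(events):
    """Set of (user, process, parent) triples considered normal."""
    return {(e.user, e.process.lower(), e.parent.lower()) for e in events}


def anomaly_detect(events, baseline):
    """Flag any triple not seen in the baseline window."""
    return [e for e in events
            if (e.user, e.process.lower(), e.parent.lower()) not in baseline]


def compare_detectors():
    """Process names flagged by each detector for the observed window."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    observed = parse_log(OBSERVED_LOG)
    return {
        "signature": [e.process for e in signature_detect(observed)],
        "anomaly": [e.process for e in anomaly_detect(observed, baseline)],
    }


if __name__ == "__main__":
    for name, hits in compare_detectors().items():
        print(f"{name:9s}: {hits}")
```

The signature detector catches only the binary it already knows about and is silent on the unknown child of winword.exe, which is exactly the zero-day gap the article attributes to legacy tools. The anomaly detector catches that event, but it also flags procmon.exe, a harmless tool that simply was not in the baseline; deciding whether that third alert is a false positive is the human decision the paragraph says anomaly-based systems still depend on.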

AI sounds promising, though many doubts have been cast on it. AI and ML security tools will operate by detecting threats based on anomalies and making informed decisions on how to handle those threats. The AI security tools will have a learning module that ensures they only get better with time. Before deployment, these systems will be extensively trained using datasets and real environments that contain real threats. Once the learning module is able to provide sufficient information to protect an organization from common threats, it will be deployed. One of the main advantages of AI security systems is that they will evolve along with the threats. Any new threats will be studied and thwarted. Despite the advantages of AI-powered security systems, there are worries that they may ultimately become harmful. As AI overtakes human intelligence, there might come a point where such tools will not accept any human input. There are also worries that attackers might poison the algorithms to make them harmful. Therefore, the future of AI in cybersecurity is not easy to foretell, but there should be one of two main outcomes: either AI-backed security systems will finally contain cybercrime, or AI systems will go rogue (or be made to go rogue) and become cyber threats.

Artificial Intelligence and Cybersecurity

Enterprise customers around the world are investing in Artificial Intelligence and automation to improve their business processes, reinvent productivity, and improve operational excellence. Banks are looking into new ways of implementing fraud detection in their ATM networks, insurance companies are exploring how to use Artificial Intelligence to predict the profitability of their services to end customers, and brokers have started to apply Artificial Intelligence to predict stock market movements. The following diagram illustrates the reasons why business organizations worldwide are adopting Artificial Intelligence, as of 2019:

Artificial Intelligence-powered cybersecurity

Almost all security vendors currently advertise that their technology has some sort of Artificial Intelligence. However, Artificial Intelligence comes in many variations and there are many underlying technologies. You will want to watch out for buzzwords that have been placed by marketing departments. It is not always clear what these security vendors are specifically doing with Artificial Intelligence, Machine Learning, and so on.

Building a security solution that is powered by Artificial Intelligence is challenging and requires investments. The costs include building the fundamental systems that are required to operate the technology, additional costs that are required for scaling the system in a hyperscale environment, and, lastly, there is a very limited pool of talents available in the market that have sufficient experience in working on Artificial Intelligence code and who are able to handle complex mathematical principles to create an efficient and scalable solution. Even if some companies can invest in the infrastructure and are able to hire these talents, Artificial Intelligence requires data—a lot of data to train the Artificial Intelligence. There are only a few companies in the world who actually have that amount of data. These companies need to have in-depth knowledge and data on the threat landscape, on digital identities, email accounts, web presence, and telemetry coming from endpoints and mobile devices. With that, companies like Apple, Google, Microsoft, Amazon, and Facebook have a clear advantage.

It is clear that Artificial Intelligence-powered security solutions will assist cybersecurity teams in many stages of defense. Narrow AI could be used to perform simple tasks such as searching for a specific Indicator of Compromise (IOC) in a threat intelligence database, all the way up to a super AI being self-aware and not only alerting the Security Operations Center (SOC) when it detects a cybercriminal trying to breach the environment, but also automatically adjusting preventative security controls to stop the breach from happening in the first place. Without any doubt, Artificial Intelligence-based security solutions will offer intelligent recommendations to cybersecurity teams. The following screenshot illustrates the artificial intelligence-based security automation from the Microsoft Defender ATP solution:

Use Cases

There are five use cases that you will want to enable through Artificial Intelligence to improve your cyber hygiene and operational excellence, all of which are shown in the following diagram:

All of these use cases are fairly new, and their full potential hasn’t yet been discovered by any security vendor. It is clear, however, that the benefits of Artificial Intelligence in fighting cybercrime are critical and that security vendors are investing.

In summary, in this article we covered that Artificial Intelligence is not just Artificial Intelligence — there are many different technologies, use cases, and scenarios to take into account too. It is important to deeply understand what Artificial Intelligence is before jumping on the next call with the sales representative of a security vendor that tries to sell the world’s first Artificial Intelligence-based security solution. You are now able to ask smart questions such as “Is the Artificial Intelligence a Narrow AI or True AI capability?” and “When you say Machine Learning, is it supervised, unsupervised, or semi-supervised Machine Learning?” The key is not to get fooled and to understand how technology can help you protect, detect, and respond against the ever-changing threat landscape. You will want to make sure that technology helps you to truly discover and remediate cyber-attacks as quickly as possible. The following diagram illustrates a project from MIT, an Artificial Intelligence-based cybersecurity system that can detect 85% of cyber-attacks. However, this is only the beginning:


About the Author

Dr. Erdal Ozkaya is a tenured cybersecurity professional and has juggled the roles of a security advisor, speaker, lecturer, and author. Having excelled in business development, management, and academics focused on securing cyberspace, he is passionate about imparting knowledge from his hands-on experiences.

As an award-winning technical expert, Dr. Erdal has received many accolades. His recent awards are the Cyber Security Professional of the Year MEA, Hall of Fame by CISO Magazine, Cybersecurity Influencer of the Year (2019), Microsoft Circle of Excellence Platinum Club (2017), NATO Center of Excellence (2016), Security Professional of the Year by MEA Channel Magazine (2015), Professional of the Year Sydney (2014), and many Speaker of the Year awards at conferences. He also holds Global Instructor of the Year awards from EC-Council & Microsoft.

Dr. Erdal has the following qualifications: Doctor of Philosophy in Cybersecurity, Master of Computing Research, Master of Information Systems Security, Bachelor of Information Technology, Microsoft Certified Trainer, Microsoft Certified Learning Consultant, ISO27001 Auditor & Implementer, Certified Ethical Hacker (CEH), Certified Ethical Instructor & Licensed Penetration Tester. He has also been a part-time lecturer at Australian Charles Sturt University and has co-authored many cybersecurity books, as well as security certification course-ware and examinations.

Disclaimer

CISO MAG did not evaluate the advertised/mentioned products, service, or company info, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the articles do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views are personal.

The post Security Evolution: From Legacy to Advanced, to ML and AI appeared first on CISO MAG | Cyber Security Magazine.

Data Concealment: An Innovative Weapon for Every Defender’s Toolkit
https://staging-cisomagcom.kinsta.cloud/data-concealment/
Sat, 15 Aug 2020 04:30:57 +0000

Despite investments in security modernization and layered security controls, cyberattacks are consistently occurring – particularly during the COVID-19 crisis, as businesses operate with highly distributed workforces and security limitations related to remote working. Attackers continue to successfully infiltrate corporate networks, gaining access to valuable data that they can then steal or subject to ransom demands, which businesses are unfortunately paying more than 50% of the time. One primary reason for the success of these tactics is that there are detection gaps in the security controls ostensibly designed to stop them. Attackers simply know them too well, meaning defenders require new tools and tactics to derail their attacks successfully.

By Carolyn Crandall, Chief Deception Officer, Attivo Networks

Layered Defenses Have Helped, but Not Enough

One of the most encouraging things about today’s cybersecurity landscape is that more businesses and organizations have begun to recognize that it is essential to have layered defenses, rather than relying on a single security solution or strategy to fight attackers. The combination of tools like EPP, EDR, and deception technology, each designed to perform a specific function at a particular level of the network, has dramatically increased the defender’s ability to detect potential threats. One recent study has shown that merely combining deception technology with EDR technology can increase detection rates by an average of 42%.

A standard security setup today might look something like this: EPP effectively functions as an antivirus, weeding out known threats before they can enter the network. The next layer of defense, EDR, is there to catch more unusual threats that might slip past EPP, observing things like suspicious endpoint processes. Finally, there are tools like deception, which provide the in-network detection capabilities necessary to identify lateral movement, privilege escalation, and other signs that an intruder is already within the network. Deception — as its name implies — can also help confuse attackers by concealing valuable data, which has become an increasingly useful tool in the fight against attackers using advanced persistent threat (APT) tactics.

APTs and Ransomware 2.0

One of the reasons this type of layered defense has become more important is that the threat landscape has changed dramatically. In the past, ransomware attacks were often “smash and grab” operations, where attackers would begin encrypting whatever information they could get their hands on as quickly as possible and hope for the best. Today’s ransomware threats are more insidious: attackers will attempt to enter the network undetected and spend time conducting reconnaissance to identify the most valuable data. They will try to acquire credentials, often by targeting Active Directory, which they can then use to move throughout the network and escalate their attack.

The longer these attackers can remain undetected, the better the odds they will be able to identify, encrypt, and steal valuable data — and the more damaging the attack will be. Ransomware enters the network by circumventing perimeter defenses, targeting human beings with spear-phishing emails and other social engineering attacks designed to trick users into giving them a foothold on a network endpoint. For this reason, effective in-network defenses are more critical than ever when it comes to stopping ransomware. Attackers will conduct reconnaissance as part of their discovery tactics, and defenders can fight them by improving their ability to detect lateral movement—and by hiding and denying access to their data.

Concealing Your Data Is Easier Than You Think

There is a wide range of things that attackers may target, such as files, folders, removable storage, cloud or network shares, AD information, and more. Data concealment works by preventing attackers from finding these assets. After all, attackers can’t encrypt or steal what they cannot see. While having useful detection tools in place is a critical component of a layered defense, actively concealing the data from attackers takes the strategy one step further by preventing them from advancing or escalating their attack. InfoSec teams can automatically receive an alert to the presence of an attacker and isolate infected endpoints.

Better still, the ability to actively feed attackers fake data can not only derail their efforts but make them believe that their attacks are succeeding. If they are unaware that they have fallen for a trick, they will still attempt to carry out their attack, allowing defenders to gain additional information on their TTPs and IOCs, and enabling them to better prepare for future attacks. And while this sort of trickery is a great way to keep attackers off balance, it is important to note that it does not disrupt employee operations. Despite the fact that attackers will not be able to identify the data they are seeking, employees will be able to access it without complexity or any disruption to how they operate.

Concealing Your Data Makes the Attacker’s Life Harder

After infecting an endpoint system, ransomware will try to encrypt files and local, network, or cloud folders while attempting to steal credentials to further its attack. By hiding and denying unauthorized access to these assets, defenders can prevent lateral ransomware propagation and data encryption, dramatically decreasing the attack’s effectiveness. By improving detection capabilities to identify recon and lateral movement, defenders significantly reduce the time attackers have to gather intelligence on the network as well. Additionally, by steering the attacker into a deception environment, the defender can turn the attack on its head, stop it, and gather adversary intelligence on the intruder for remediating infected systems and fortifying defenses.

Combining this type of data concealment with effective perimeter defenses can put the finishing touches on a truly comprehensive approach to cybersecurity. Ransomware attacks have proven notoriously difficult to stop over the years, but by concealing the very targets that attackers are after, defenders can gain the power to give themselves a major advantage.

About the Author

Carolyn Crandall holds the roles of Chief Deception Officer and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Crandall has received many industry recognitions, including Top 25 Women in Cybersecurity 2019 by Cyber Defense Magazine, Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), and for 9 years a Power Woman by Everything Channel (CRN).

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

CISA Issues Advisory on Mitigating Risks Originating from Tor
Published Fri, 03 Jul 2020 10:56:08 +0000 at https://staging-cisomagcom.kinsta.cloud/tor-network/

The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. issued security guidelines on how to mitigate cyber risks originating from anonymity networks like Tor. In collaboration with the FBI, CISA released an advisory explaining how attackers use Tor’s network infrastructure.

Tor, also known as the Onion Router, is software that provides user anonymity by automatically encrypting and rerouting web requests through multiple layers of Tor nodes. Threat actors often use Tor services to hide their identity and IP locations when performing malicious activities.

“The risk of being the target of malicious activity routed through Tor is unique to each organization. An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls. This assessment should consider legitimate reasons that non-malicious users may prefer to, or need to, use Tor for accessing the network. Organizations should evaluate their mitigation decisions against threats to their organization from advanced persistent threats (APTs), moderately sophisticated attackers, and low-skilled individual hackers, all of whom have leveraged Tor to carry out reconnaissance and attacks in the past,” the advisory said.

Image Source: US-Cert.Gov

Security Guidelines

CISA recommended certain protective measures for organizations to reduce the risk posed by threat actors who use Tor. These include:

  • Block all web traffic to and from public Tor entry and exit nodes. (Blocking on published node lists does not completely eliminate the threat of malicious actors using Tor for anonymity, as additional Tor network access points, or bridges, are not all listed publicly.)
  • Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes: organizations that do not wish to block legitimate traffic to/from Tor entry/exit nodes should consider adopting practices that allow for network monitoring and traffic analysis of traffic from those nodes, and then consider appropriate blocking. This approach can be resource-intensive but will allow greater flexibility and adaptation of defensive.
  • Block all Tor traffic to some resources, and allow and monitor it for others. This may require continuous re-evaluation as an entity considers its own risk tolerance associated with different applications. The level of effort to implement this approach is high.
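
The three options above form a tiered policy: block outright, monitor and then decide, or block per resource. As an added example that is not part of the advisory or of CISO MAG's article, the Python below applies such a per-resource policy to constructed web-server log lines, matching the client address against a constructed set of exit-node addresses (documentation-range placeholders, not real Tor nodes) and returning a block, monitor, or allow decision for each request. A real deployment would refresh the set from the Tor Project's published exit list and, as the first bullet notes, would still miss bridges that are not listed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of exit-node addresses (RFC 5737 documentation ranges,
# not real Tor nodes). In practice this set is refreshed from the Tor
# Project's published exit list; unlisted bridges will never match it.
TOR_EXIT_NODES: Set[str] = {
    "203.0.113.10",
    "203.0.113.11",
    "198.51.100.7",
}

# Per-resource policy for traffic that arrives from a listed exit node.
# Longest matching path prefix wins; "/" is the catch-all.
#   "block"   -> refuse the request (third bullet: sensitive resources)
#   "monitor" -> allow it but flag it for analysis (second bullet)
POLICY: Dict[str, str] = {
    "/admin": "block",
    "/api/internal": "block",
    "/": "monitor",
}

# Constructed log lines in combined-log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jul/2020:10:56:08 +0000] "GET /admin/users HTTP/1.1" 200 512
192.0.2.44 - - [03/Jul/2020:10:56:09 +0000] "GET /admin/users HTTP/1.1" 200 512
198.51.100.7 - - [03/Jul/2020:10:56:10 +0000] "GET /blog/post-1 HTTP/1.1" 200 2048
203.0.113.11 - - [03/Jul/2020:10:56:11 +0000] "POST /api/internal/export HTTP/1.1" 403 0
"""


@dataclass
class Decision:
    client_ip: str
    path: str
    is_tor_exit: bool
    action: str  # "allow", "monitor" or "block"


def parse_log_line(line: str) -> Tuple[str, str]:
    """Return (client_ip, request_path) from a combined-log line."""
    client_ip = line.split()[0]
    request = line.split('"')[1]          # e.g. 'GET /admin/users HTTP/1.1'
    path = request.split()[1]
    return client_ip, path


def policy_for(path: str) -> str:
    """Pick the action for the longest POLICY prefix that covers `path`.

    A prefix matches only on a path-segment boundary, so "/admin" covers
    "/admin" and "/admin/users" but not "/administrator".
    """
    best = "/"
    for prefix in POLICY:
        if prefix == "/":
            continue
        if path == prefix or path.startswith(prefix + "/"):
            if len(prefix) > len(best):
                best = prefix
    return POLICY[best]


def evaluate(line: str) -> Decision:
    """Decide what to do with one request; non-Tor clients are untouched."""
    client_ip, path = parse_log_line(line)
    if client_ip not in TOR_EXIT_NODES:
        return Decision(client_ip, path, False, "allow")
    return Decision(client_ip, path, True, policy_for(path))


def evaluate_log(text: str) -> List[Decision]:
    return [evaluate(line) for line in text.splitlines() if line.strip()]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count decisions per action; useful as a daily review metric."""
    counts = {"allow": 0, "monitor": 0, "block": 0}
    for d in decisions:
        counts[d.action] += 1
    return counts


if __name__ == "__main__":
    results = evaluate_log(SAMPLE_LOG)
    for d in results:
        print(f"{d.action:7} tor_exit={str(d.is_tor_exit):5} {d.client_ip:14} {d.path}")
    print(summarize(results))
```

Moving a prefix between "monitor" and "block" is the re-evaluation step the third bullet describes: the monitored traffic gives the evidence for deciding whether a resource should be blocked for Tor clients, without affecting requests that do not arrive from a listed exit node.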
