
He's with masterji communications. He's been working over 15 years in cybersecurity. Not only is he a security ninja, he's a real-life ninja, and you may recognize him from the televisions if you've seen American Ninja Warrior. Yeah, he's done it. He has done actual Ninja Warrior. You can find him on the YouTubes.

Thanks for that warm welcome, and it is true: one of my hobbies is American Ninja Warrior. It brings a little balance to my life. I've been on the show over the last couple of seasons. So do we have any Ninja Warrior fans here? Yeah, yeah. So if you want to talk ninja, I'll be around for the after-party and you can all hang from scaffolding
somewhere, and then I'll answer all your Ninja Warrior questions. But today I'm not here to talk about ninja. I'm here to talk about this trendy thing we call data breaches. It's making the news lately. And, more importantly, how we can learn from coyotes in our fight against this next generation of cybercrime. Does anyone have any coyotes living in their neighborhood? A couple. I see it popping up on social media all the time. About a hundred years ago, coyotes and other predators were deemed a threat to the livelihood of ranchers in the US, and in response the government created an extermination campaign that provided monetary rewards for the pelts of these predators. These bounty programs were put in place in hopes of culling the
herd, but interestingly enough, while these programs worked fairly well on most predators, they had little to no impact on the coyote. In fact, the coyote population often increased as a result. The more aggressive man became at trying to control the coyote, the more their numbers grew and thrived over time. Coyotes are a small dog in a big dog world, and as I did my homework on this project, it became clear to me these creatures are capable of adapting to any environment in many amazing ways. As we encroached on their natural habitat, instead of being forced out, the coyotes adapted. We found they were capable of living and surviving in any environment that happens to grow up around them,
including New York City. This is a coyote on top of a bar in New York City. Coyotes have evolved their ability to survive: when they feel threatened or persecuted as a species, they transform into a type of colonization mode and their populations multiply exponentially. We can't control the coyote. Resistance is futile. We must figure out how to live and coexist with a coyote. And like coyotes, hackers are small dogs in a big dog world, continuously adapting to the ever-changing cyber landscape. Hackers have been around since the beginning, since the analog and digital technology revolution. They've been around since phreakers were mimicking phone tones to steal long distance. Does anyone remember those days? Some of us are old enough, I
think, to the creation of modern-day malware and even more recently a BT hacking kids. Hackers have adapted and overcome every new technology that has emerged to protect us over the past several decades, and there's no reason to believe that any of that is changing anytime soon. And as proof, let's go back a few years. 2013 was the first year of the mega breach. That's when there was a 62% increase in reported data breaches from the previous year. Happening in the next year, and this was the year that we had our first 1 billion reported compromised records in a single year. And this slide always makes me laugh a little bit: this is the year data breaches get personal.
This was also the year that breaches became sort of in the mainstream news. You started hearing more about them. And then 2016 happened. IBM Security reported there was a 556 percent increase in reported data breaches from the previous year, to exceed four billion. Think about that number for one second: four billion records. The total number of reported data breaches for 2016 exceeds nearly the entire online population. In other words, everybody in this room, your personal data was probably stolen in 2016. And oh, by the way, these metrics only reflect reported data breaches and don't account for any of the unreported breaches, and there's many more. If you've subscribed to any threat intelligence or are following a threat intelligence service,
those guys pay people to troll the dark web looking for stolen data, and there's plenty more out there that's never been reported. And here we are, 2017. I think I might call this one the year of breach fatigue. It seems like every week there's a new one. These are just a few of the organizations that have reported data breaches this year alone, and as you'll see, many of these are very well resourced organizations and they're still routinely getting breached. And even before the big Equifax breach, your personal data was likely already for sale on the dark web, but thanks to Equifax it's virtually guaranteed now. Like the coyote population, the breach totals keep increasing every year
despite constant improvements in modern cybersecurity technologies. But why is that? Before we answer why, I want to talk about what it really means to be breached. A breach isn't just the disclosure of information to an unauthorized party. The media loves talking about stolen data or ransomware when reporting on breaches, but there's far more to a breach than just stolen data. And so this is where I have to pause. Do we have any attorneys in the room? Good. This is because I've got to put in a legal disclaimer: I am NOT an attorney. However, it's been brought to my attention that there's actually a legal definition for the term breach. In some states it's more important than others.
I've had a few spirited discussions with these attorneys over what an actual breach really is, and we end up agreeing to disagree, mostly because these attorneys aren't as technical as they think they are. In my opinion, if you have a compromised system of any kind, anywhere, connected to your network, you've been breached. So with the legal disclaimer out of the way: breaches, just like the coyote bounty program, often have unforeseen consequences, and it doesn't matter how you were breached. Whether Doug clicks on an email phishing campaign, or maybe one of his guys plugs in a USB drive to his local network, or a hacker comes in from the outside, it doesn't matter, because there's always a
potential for collateral damage. I have to call this the breach ripple effect. Equifax is a great example that had many breach ripple effect variations. It started with them essentially handing over your personal financial information to cyber thieves. They essentially gave the keys to the kingdom, your social security numbers, your home address, your bank account information, date of birth, about you and your family, to the cyber thieves free of charge. If that wasn't bad enough, they also managed to botch every attempt at remedying the mess from the beginning, from waiting six weeks to even disclose the information, to high-level executives selling stock with we're making it publicly knowledgeable, and then, this is my favorite, they launched a sketchy named website and
encouraged everyone to go check to see if they were compromised, and then shortly after that, from their official Twitter account, they tweeted a link to a rogue phishing website. Rogue phishing: they didn't even own this site, and encouraged everyone to enter in their personal information. They did pretty much everything wrong and will likely be used as a teaching tool and a case study for future breaches of what not to do. Now, while Equifax is a great example of the traditional breach that involves stolen data, I want to point out that one important breach fact that is often overlooked is not all breaches target your data. And one example that actually happened to me, and I'm from Dallas by
the way, happened to me in Dallas a few months ago. I was awakened in the middle of the night by emergency sirens. I woke up, I looked out the window, we had clear skies and otherwise perfect weather at the time. I was confused. As it turns out, a hacker had compromised the emergency communication system and activated all 156 sirens citywide, and it lasted for several hours. This of course triggered a ripple effect of people calling 9-1-1, and if you happen to be laying on the side of the road down on them or onto the life threatening emergency, your call wasn't getting through because of this ripple effect: people calling 9-1-1 burdened the already over staff call center. So
data exfiltration is not required to make a dramatic and damaging impact in the organization. So whether the attack is against your infrastructure, such as a point-of-sale system being taken offline for a little while, or a simple denial of service against a phone system, for most organizations this translates into lost revenue and increased cost. Quantifying these costs is fuzzy at best. Many organizations want to estimate the cost based on per record stolen in a given vertical. However, the formula for figuring out what it really costs is anything but straightforward. You'll have immediate costs such as incident response, investigation, cleanup, but also long-term costs such as auditing, loss of IP, legal fees, brand impact, and, as I
previously mentioned, potentially public safety. Not to mention many breaches come with a scapegoat. I'm sure everyone noticed that shortly after Equifax announced, their CTO and CIO resigned, and then a couple weeks later the CEO has now also left the company. It's not a coincidence. Earlier this morning you might remember Omar talking about the global cost of cyberattacks. I want to take that one step further and talk about what it actually costs for a cyber attack against your business. Every year the Ponemon Institute tries to figure out what that is. They interviewed over 1,200 companies that suffered cyber attacks in 2016. They estimate the annual cost of these companies was 9.5 million
dollars each. So who has nine million dollars of budget laying around to clean up after a cyber attack? Doug, come on.
With that, many analysts are also predicting that the global cost of cybercrime will rise up to as much as six trillion in just three short years. Just this June, global shipping company Maersk announced the loss of three hundred million dollars due to a malware attack that took them over two weeks to recover. So think about this for one second: they didn't have any dolus data stolen, they didn't lose anything, it took them two weeks to recover, and they lost 300 million dollars. I consider that a data breach. A couple of months ago FedEx had to force the halt of their shares being traded on the stock market due to a company they acquired in Europe, because they were
under attack at that time. They were disrupted, their business was impacted, and they had to stop trading up shares in the stock market from an attack. Data wasn't stolen there either. Eventually all businesses will be compromised, so this makes it really critical for decision-makers to think through all these dimensions and risk when assessing the cost of the organization. Despite all this evidence, most companies greatly understate the importance and the risk of a cyber event. The most recent UI InfoSec survey that solicits feedback from executives, they society leaders like many of you in this room, revealed there's a huge disconnect between organizational strategy and the cybersecurity function. 78% of those interviewed had no idea what the cyber
security implications were to their corporate strategy. 78%. They also discovered 9 out of 10 businesses failed to evaluate the financial impact of a cyber attack. It's crazy to me that people aren't even thinking about this stuff. These metrics also reminded me of a Black Hat briefing I went to with colleagues of Michelle and the FBI. They talked about how they captured credit-card thieves. So while that particular story wasn't all that interesting to me, it was pretty standard, it was something you could have seen on Netflix, it was interesting to me: these cyber thieves, they were overseas, they had compromised a bunch of point-of-sale systems all across the US, and they were siphoning off credit card numbers, and
eventually they were caught. They were put in jail. The FBI did a post-mortem on the entire operation, and they went back to some of these businesses to find out, you know, what happened, how things were going, and they found that most of these businesses shut their doors due to the damage that was caused from that cyberattack. If companies aren't identifying, understanding and evaluating the impact of a cyberattack, the nature of the risk will remain unknown and understated. In order for us to understand the implications of a given cyberattack, it's important for us to understand the cyber threat landscape. But first let's do a quick review of how that's evolved over the past few years. The profile was fairly simple. I'm happy
that Michelle's slide mimics this. It was simple: cybercrime, cyber espionage and cyber activism, and each of these categories required some level of sophistication and skills to actually be successful. Heck, when I was a kid, a hacker was just somebody sitting in the basement trying to have fun. And yes, that's what my first computer looked like, and no, that's not me with hair. But now both nation-states and criminal organizations are recruiting and training smart people and paying them large sums of money to join them in their exploits. And since the release of the NSA hacking tools earlier this year, even global script kiddies have access to nation-state quality malware kits that are as easy to use as
watching a how-to video on YouTube. This requires all of us as security experts to start thinking strategically while moving tactically. So what does all this mean? One strategy that I often recommend is to treat security like self-defense. Does anyone in here practice martial arts? A few of us. You know, no matter how good your defenses are, you will get hit. However, it is possible to minimize the damage you take when you do get hit. Something that I teach my karate students, which also applies to cyber security, is: make an effort to identify what is not working for you and understand why, and then you either modify it or abandon it altogether. Finding what isn't working for you is
often more valuable than knowing what is working for you. Learn from what is not working for you. So how does this apply to cyber? I'm glad you asked. First let's take a look at what most companies are doing today. Traditionally organizations spent millions of dollars on preventive technologies, hoping to plug holes or add enough layers and walls and gate attacks, but yet companies are still getting breached. I mean, look at all these great vendors here. These are all cutting-edge technologies, including some of the next greatest next-gen products. So aren't these technologies working? It's not that these technologies don't work. In my experience, these security solutions typically aren't being used properly. Forrester Research recently reported 64% of the security decision makers say
their teams spend too much time on day-to-day tactical activities rather than on actionable incident response. So in other words, we expect our IT department to also be security experts who and here's expect to be a security expert that also requires some security IT work. And in the case that you're a CEO or you have a security guy on staff, that guy is expected to also be an expert in every security technology on the market, like Doug. That might have been a reasonable expectation back when we had firewalls and antivirus and that was considered good enough, but not today. Which is also no surprise that Forrester is also reporting 65% of decision-makers say finding security professionals with
the right skills is a major challenge. Moving tactically doesn't necessarily mean buying that shiny new cyber security toy either. Anyone that's recently it's in the DNA security conference might notice there's a dizzying array of products that promise to automate the collection and correlation and analysis of everything happening on your network. That's a bold claim. What is often overlooked: most of these solutions require some level of security expertise and knowledge to work as advertised. You can't just plug and play and they work. But Trevor, won't our robot overlords save us? I think our previous speaker alluded to the fact that we're not there yet. The new buzzword, of course, is AI, artificial intelligence, but that's quickly becoming
no more than marketing pixie dust. Just sprinkle a little here and there, and boom, your solution has the poor side of a self-driving Tesla with the simplicity of an Amazon Echo. Alexa, prevent cybercrime.
The reality: AI is really good at detecting anomalous behavior. However, it also detects a hundred other things that need to be checked out, only to later find they weren't attacks. The use of the term AI in security is often misconstrued with the fact that machine learning still requires some level of human feedback to learn what is good and bad. But the problem is we're not always sure what good and bad is, because malware programs mask their true nature. You can only automate what you're certain about, and there's a tremendous amount of uncertainty in cybersecurity. Data doesn't equal information, and information does not equal understanding. Cybersecurity hasn't reached the point where the technology has eliminated the need for the human element. Heather
Adkins, she's one of the founding members of Google security, and she said this recently at TechCrunch: no one is safe from internet attacks and AI defenses can't help. So despite what you might have read or heard, we just haven't reached the point where the human element is no longer required. And this is coming from Google, that has DeepMind, and if you watch the news, recently you've heard the new AlphaGo has achieved another level. If she's saying this, we're a long ways away. And when she was asked what you would do if AI is not gonna work, what we do to protect our networks, her response was: more talent, less technology. Automation does
have a place in cybersecurity, but currently its true strengths are its ability to augment existing detection and response solutions by bringing these tools together to help the human element. Cyber security in transition, and I think this Gartner quote sums it up very nicely: prevention is futile unless it's tied to a detection and response capability. A mature security program isn't about keeping the breaches out; it's more about how you respond to one. Focusing on how the breach swell occurs is very important; it's often nearly as important how you respond to a breach to minimize that ripple effect. I think we all can agree there's no silver bullets when it comes to cybersecurity. That's okay, because hopefully werewolves
and coyotes aren't part of your threat model anyway. However, detecting threats as soon as possible and taking appropriate action to attempt to minimize the damage is as close to a silver bullet in the impo seconds you're gonna find today. I often get asked what's the best security approach. I usually respond with this leading question: is your security solution a force multiplier or a force divider? I've come across many solutions, I can't tell you how many I've tested and seen in action, that are actually really good, but ultimately they end up creating more work for the IT staff and actually making their job easier. Who hasn't found a solution like that? You bought this shiny new toy, a toy, man,
this is cool, and then all of a sudden your workload triples. I see a few heads nodding. Most of those solutions require very specific security expertise to actually operate the solution and to monitor and manage everything for that given network. The most effective solutions are the ones that combine people, process and technology together, which optimizes resources as a force multiplier, not a force divider. So now you might be wondering, all right, Trevor, what does the force multiplier solution even look like? I'm glad you asked. First, let's talk about... who's seen this before? A few hands. Okay, good. More hands every time. So this is the NIST cybersecurity framework. This framework was designed by hundreds of the country's
most expert cybersecurity professionals over the past several years. This framework enables organizations, regardless of size or degree of risk, to apply best practices to risk management to help improve your own security posture. And just like the coyotes adapting to the modern urban landscape, this framework is the single best approach to the ever-changing cyber threat landscape. And judging by all the vendors in here, they fit many of the categories on this cyber framework, so you likely have some of these in place already today. I'm not gonna go through every single one of these; however, I do want to draw your attention to the detection and response category. This is one of the most
important categories in the entire framework, in my opinion, that companies are under-investing in. I can't tell you how many companies will buy a bunch of prevention technologies and they don't worry about the detect and respond. You don't invest in this one, it's almost pointless. Do you have anything in place, you're gonna get compromised, as proven by the breach numbers increasing year-over-year. Heck, Equifax is the current poster child for neglecting this entire category, both of them, and arguably they butchered the last one too. Arguably, yeah. So this is what we know today: data breaches will continue. You should proactively plan for the breach ripple effects. Without a silver bullet technology, people are still the critical
piece of the security puzzle. Your implicit actually take a page and the lesson from the coyotes and continuously adapt in the same way hackers are adapting to InfoSec. Now that we all know a little bit more about coyotes and their abilities to adapt, that was a good time to review your own security maturity model and adapt it accordingly, because security isn't something that you buy, it's something that you do. Thank you. [Applause]