
The Art of Sharing

BSides Delaware, 21:40, published 2015-09
About this talk
BSides 2014
Transcript

[inaudible] Hello. I'm going to talk today about the art of sharing. What we're talking about today in this session is the ability for us to share information about the threats that we're observing with other organizations, without giving up anything that we're not already sharing with the outside world. Who in here is sharing threat information? Can I get a show of hands? Okay, so that's like three. I want to take that quiz again at the end of the session, and I think we're going to see a lot more people sharing than they think they are. What I'm going to talk about today is, I think the security market in general is coming around to a recognition of the fact that it's very important for us to understand what threats are affecting people across our particular industry and across the entire IT marketplace, and in order to do that we have to be sharing information about the threats that we're getting hit with. A lot of people are hesitant to do this because of privacy concerns. They're very worried about sensitive information getting leaked out, particularly about major intrusions, major hackers that get into their network and might steal a lot of data. They don't want to share that information until they're ready to share that information; there's a lot of PR involved in those types of threats.

Well, what we're going to talk about is lowering the bar for sharing to something that's more palatable across the wider base of organizations, so that we can get a high level of usefulness with a very, very low risk of disclosure about that information. So my name is Roy Stefan, I'm from a company called Pierce Global Threat Intelligence. We're a cybersecurity product company that offers ways to share information across different models. I'm not going to give a corporate pitch. We're based out of Virginia, so we're a fairly local organization, and we have a large global threat database that we can integrate with your log files and provide you information about malicious actors that are in your network. But I'm not here today to talk about my product. What I'm here today to talk about is the methodologies and the approach to privacy that we used behind our sharing mechanisms.

So when we first started out, we looked at the fact that systems administrators are very smart people. They're configuring their networks to keep the bad guys out. They're not one hundred percent successful; nobody's a hundred percent successful at keeping the bad guys out. But if they let legitimate traffic be blocked, then they come under extreme pressure from their organizations to remediate those situations. So what we can tell is, everything they let in isn't necessarily good by definition, but the things that they're blocking tend to be, on average, much worse than the goodness of the things they're letting in. Does that make sense? You can trust the things they're blocking better than you can trust the things that they're letting in, and that's because business practices won't let them block legitimate traffic, and if they do, not for very long.

So what we're looking at is the information that gets blocked: the people that organizations know up front are malicious actors, the things that are happening on your network that are already known to be malicious to one organization but may not be known to be malicious to other organizations. This comes down a lot to customizations; it comes down to whitelists. If people are picking up hackers and attackers because their firewall's blanket policies are covering them, or because the signature analysis on an AV is covering them, that's not necessarily new information, from a sharing perspective, to the rest of the network. What is interesting and what is unique from an information sharing perspective are the hackers that are being stopped by your whitelist, your heuristics, the customizations that are done beyond the standard intrusion analysis, and that is where we can identify zero days and where information sharing becomes extremely important, extremely valuable.

As I said before, sharing is fairly tricky. There's a lot of sensitive personal information that's out there. There's a lot of people that are already sharing enormous amounts of sensitive information with the likes of Google and Facebook; they're doing this more in their personal lives than in their business lives, but we've seen the value that people can derive from sharing information, and on a generational basis what we're seeing is people are starting to be more comfortable with sharing information than they were, you know, twenty years ago or ten years ago even. What's interesting is what happened with Edward Snowden. I think we're all familiar, everyone knows about the case [unintelligible]. So what Snowden highlighted, I don't think that many people should have been surprised; if anybody read the Patriot Act, they knew what was going on. But what Snowden highlighted for everybody was the fact that there's a lot of information that's out there in the open. Your ISPs have a lot of information about you. A lot of your communications, particularly your meta information like your headers, to and from IP addresses, are not encrypted. Even if you're doing a VPN, there's still a lot of meta-level information that's available to log files. Governments are making use of this, ISPs are making use of this, global threat technologies or our partners of the ISPs, they're making use of this information whether you want them to or not. It's not to say that they're stealing your credit card data or sensitive healthcare information, but there is valuable information that's available and that's not being encrypted in all of our communications.

So I ask the question again: how many people in here think that they're sharing information? Every one of you is sharing information whether you want to or not. And when we think about sharing information, continuing through a Google or Facebook or some other type of active sharing mechanism [unintelligible] in the IT world, but what's come out and what's commonly known now is that organizations have their information being taken, being looked at and being used globally. And what we talk about is, okay, that information is not encrypted, it's not secure; how can we take that information and get some utilization out of it ourselves? If we would really like to share, and we would like to get the benefits of that sharing, that information is already being used; how can we turn this around and use this information to gain some usefulness ourselves? If we're already sharing information, and I think after this slide we recognize that we are already sharing this information no matter what the legal department says about it, no matter what executives think about it, at an IT level we can recognize our information is being shared widely already, then we can take that information and we can use it for good, we can use it for our own purposes, we can use it to better protect ourselves through actively participating and actively sharing that information with each other. It's already out there anyway. Did you have a question, sir? [inaudible]

So when we look at sharing, we try to reduce this down to a previously solved equation. Good mathematics says somebody out there has already solved this, at least in pieces or in parts. We looked across a number of different organizations, a number of different systems where sharing is happening, where open data is being exchanged, and looked at the reasons why those systems have been successful when so many people have a belief that they're not sharing, so many people have a belief that they're against sharing in their organizations. And what we saw is a number of different areas. Spam reputations: a lot of people are sharing who's spamming them. They don't necessarily consider that sharing, but they are; they're sharing those IP addresses back into Cisco, back into FireEye, back into McAfee and other organizations. Your signature analysis: not everybody contributes the signatures, but there's a widely recognized methodology for creating generic signatures and being able to share that information back into the community without giving up a lot of sensitive information about attacks that may have worked or not worked against your organization. And when you look at something as simple as DNS requests, even being able to resolve an IP address into a hostname or the reverse, which I hope is universally part of our normal operations, is still sharing information with the DNS system.

You're still taking a bit of information about your communications; you're taking an IP address that somebody in your organization's going to, this web server, and you're resolving a domain name into that IP address. All of that information is crossing the boundaries of your organization. So again, this is just several examples of the fact that we talk to companies every day that say, "I don't share anything, legal will never let me share anything, there's no sharing in my organization, as much as I might like to benefit from a sharing network they'll never allow me to share anything," and we have a number of situations here where organizations are sharing. I've sat down with legal organizations in many different companies and said, "Show me the legal agreement that you have with the DNS system." "What are you talking about?" "Well, there's IP addresses that are passing back and forth over DNS every day." "No, there isn't, we don't share IP addresses, we'd never share IP addresses." Well, I'm, you know, I'm sorry, but if you have a network in your environment, you are sharing that, and let's start with that sharing as a basis for how we can maximize the utilization.

So when I talk about what these successes have in common: they're self-limiting. There are other technologies out there that like to grab every bit of information. When you look at the SIEM world, when you look at some of the online log management systems, they're interested in grabbing all of your log information and being able to search through it. They want pcap, packet capture; they want every aspect of your log files, because from their perspective the more data that they have, the more that they can see, the more value that they can add back to their customers. When we look at it, we say there's so many people that are against sharing that low-level information, against sharing all of that data, that those systems and those organizations are actually shortchanging themselves, because they're asking for too much data. Because they're asking for too much data, too much sensitive information, they don't have enough people contributing to that system to really get a big data effect on the information and to really be able to derive the maximum value that they could if they'd self-limited.

So the methodology that we're talking about today is, instead of pushing forward and trying to get from each one of the people in the system all of their information, restrict yourself to the information that they're already sharing, or information that has very low value to the organizations, and that way you're able to maximize the number of organizations that are contributing to the network. And from a breadth perspective you end up with a lot more information and a lot more usefulness from that information when you're trying to track things like the global spread of botnets, and not just command and control but the zombies and the actual active users. We looked for previous models where people were taking large amounts of information, self-limiting, and being able to share across wide swathes of the populace. What we came up with was an approach called the R-U confidentiality map. Has anybody ever heard of this? I doubt anybody in IT has ever heard of this. It's a statistical confidentiality chart used by the US Census. This was developed for the 2000 census, I believe, and what they determined was: what information out of the US census are we allowed to publish publicly? Because as we collect information on all these households, there's a lot of sensitive data they're collecting, and if we just publish every bit of information that we have, nobody's going to share, or people are going to lie, or we run into these other issues. So it's important as a government that we perform a census for tax and voting reasons and all different types of reasons, and the challenge in front of Census is how much of that data do we share back to the community, and which pieces of it have, as it says here, the maximum amount of utility, the most usefulness that we can get, while at the same time having the lowest risk of disclosure.

So when you look at Census, what they identified was a particular trip point, right here, which was sort of the ideal position where they're getting the maximum amount of utility out of the data possible with a minimal amount of risk of disclosure. So we've applied that across the board to a number of different technologies that are out there in the marketplace, and, yeah, okay, but don't hold me to exactly the placement here. This is our interpretation of what we've seen from the market, the reaction of the market. I don't want Google to come after me and sue me. But from our perspective, what we've seen: Census, of course, built the model, so by definition they're at the trip point, and this is their model, so that's where we placed them. As we go up the stack we see people that have higher levels of disclosure risk, more information that they're sharing, but they've drawn that line differently. So we've created more of a tolerance range, where people are pretty okay with the way Microsoft does things. Facebook and Google sort of are right at the top of the tolerance range, and you can see when they go beyond the tolerance range, there's now pushback from the public; they set up a new option, they set up a new default, and they draw themselves back into the tolerance range. So over the last two years we've been seeing a lot of Facebook and Google here popping out of that tolerance range and back in, and they try to operate right at the top of that range, as opposed to Census, who's trying to operate more at the bottom of this range. And then spying programs: right off the chart, they don't care.

So when we looked at those technologies that I talked about on the last slide, we really found the objective zone is here, sort of sensitive, below. If you really want to maximize people's comfort level with sharing their information, you need to self-limit yourself to the information that is below this tolerance range, and these are the technologies that have been successful. This is the DNS system we talked about, even IP headers, right? People know that IP headers are unencrypted and they still use the internet anyways. So that objective range is really right there. But something interesting about email: right now email is just sort of floating out of that range, which probably should have happened decades ago, but that's my personal feelings.

So as an organization we came up with a statement called privacy-protected crowdsourcing. It's a bit of an oxymoron, I think, if you guys read the description I sent, but what we mean by this privacy-protected crowdsourcing is we're identifying the pieces of your information that are already known, are already public, and we're looking at ways that we can share that information across the widest number of organizations so that they can be protected, without the risk of disclosing any sensitive or legitimate business data out of your network. So we're moving from that communication, that coordination, that sharing: removing any IP address, excuse me, removing things like social security numbers, HIPAA information, personally identifiable information coming from packet-level captures, taking all that information out of the equation and saying, look, this is too sensitive, there's too low of a value for sharing that information; let's look at the communication level.

So let me give you a specific example of this. When you block somebody at your firewall, it could be any number of reasons why you're blocking at your firewall. Who in here collects that data on the people they block at their firewall? Right, we talk to a lot of organizations, and a lot of people didn't raise their hand. We talk to a lot of organizations that don't even look at that data: if it was a block, they just drop it on the ground and forget about it. They're much more concerned with the people that are getting into their network. The information sharing that we're talking about here looks at the things that are blocked in one organization's firewall. And if you block somebody, you block somebody. But if 100 other people block somebody and you let them in, it becomes very interesting to you that 100 other people blocked that guy that you're letting into your sensitive credit card database. And that's a way that we can prioritize your alerts, your warnings. You may be getting a hundred thousand red alerts an hour and trying to investigate and prioritize what's the worst of the worst, and by identifying and understanding that several other people have blocked a particular communication that you're letting in, you may even have alerts or warnings about it. But as we saw with Target, there were several different systems that alerted and warned about this stuff, and it just never really got eyes, right? It never got respected by the management.

To the last guy's talk, for those of you that were in here before, talking about systems in the boardroom: 11 out of the 13 board members at Target got let go because they ignored the warnings that were coming out, and that's why CISOs are getting at the board, because people are getting fired over this now. And we haven't seen that in the past with technology breaches; it's sort of been limited to a technology forum, and now it's expanded out to be a true executive problem, up into the board. And that's why we're seeing a lot more attention, and why Target was such a game changer. As an aside from the topic, we've all seen hundreds of thousands, maybe millions of attacks just like Target over the years, and there's always kind of a little bit of a reaction, a little bit of a jump in people paying attention and budgets, etc., maybe hire an extra guy. But the Target one is completely different, not because of the technology that was employed or the way the hackers worked; it was completely different because of the effect that it had in the boardroom, and that's why I, personally, see Target as a game changer for the security industry, because the pain is actually starting to be felt at those upper echelons. And I think the last guy's talk actually highlighted a lot of very good points around that particular aspect.

So anyways, that's what we mean by privacy-protected crowdsourcing, and I think I'm going to jump into the summary here because I'd like to have a few minutes. I know I'm the last person standing between you and lunch, so I feel that, and I know I'm not going to keep your attention too long here. But really, when we look at the last 10 years of business intelligence and big data analysis as it's come along, it's spent a lot of time trying to turn data into information. You've probably all heard that spiel, all of the buzzwords. What we're looking at here is providing perspective: being able to take large amounts of data that, you know, may be overwhelming us in terms of alerts and warnings already, and adding perspective to that, ironically, by adding more data. The answer to our data problem is more data, right? It's an interesting statement, but when you look at it from a perspective aspect, the fact is that we have tons of alerts and warnings, and all of the filters that are on our network are looking at a finite data set, which is the information that's just in our network. So if we have three filters or nine filters or 15 different filters between AV, firewall, IPS, content filters, etc., the return on investment for adding yet another filter looking at that existing set of data is quite marginal. When you're able to bring in a new set of information, when you're able to add perspective to that data that you weren't able to see before, it actually takes all of those sensors and filters that you have on your network and makes them more effective, because they're not just spitting out flat red alerts across the board. You can take all the red alerts that are coming from your systems and you can prioritize them by what the rest of the world knows about what's going on in your network, and that's highly critical for being able to respond quickly and being able to identify known malicious actors. I'll say that again: known malicious actors. We're not finding people that were never known or never detected anywhere; what we're doing is cross-educating what we've each learned and detected somewhere, so that we can take that low-hanging fruit off the table. We can deal with those known malicious actors first so we don't have to keep reinventing the wheel. Does that mean all the attacks are gone? No, there'll still be people that are compromising brand new machines, coming up with new attacks and coming after us in new ways, but we'll have more time and more resources to devote to finding those new attacks in those new directions if we can automate and we can share and avoid the duplicated work of dealing with that lower-level drama of hackers. And that's really the best I think that sharing can come to: it's to force the hackers to compromise new machines every time. This process of using the same set of botnets again and again against different customers hundreds of times a week is something that, as a society, as a community, we can defend ourselves against if we can find innovative ways like this to get over our privacy concerns and to be able to share information that's already out there and has already been exposed to the outside world. So that's basically what I wanted to cover today. Are there any questions?
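The firewall-block sharing and alert prioritisation the talk describes, as an added example that is not the speaker's or Pierce Global Threat Intelligence's code. The log line format, the organization names and the addresses (RFC 5737 documentation ranges standing in for public sources) are all constructed for this example; only the external source IP of DENY lines is shared, and a consumer ranks its own allowed connections by how many other contributors blocked the same source.

```python
"""Toy "privacy-protected crowdsourcing" pipeline (added example, not from the
talk): each org exports only the public source IPs its firewall already blocked
(already visible to the outside world); internal hosts, ports, payloads and
allowed traffic never leave. A consumer then ranks its own ALLOW lines by how
many *other* organizations blocked the same source."""
from collections import Counter
import ipaddress

# Constructed sample firewall logs for four hypothetical organizations.
# Line format is assumed for this example: ACTION SRC_IP DST_IP DST_PORT
SAMPLE_LOGS = {
    "org-a": ["DENY 203.0.113.7 10.0.0.5 22",
              "DENY 198.51.100.23 10.0.0.9 443",
              "ALLOW 192.0.2.44 10.0.0.9 443"],
    "org-b": ["DENY 203.0.113.7 10.8.0.2 3389",
              "DENY 10.1.2.3 10.8.0.1 445",   # internal source: must not be shared
              "ALLOW 198.51.100.23 10.8.0.2 443"],
    "org-c": ["DENY 203.0.113.7 172.16.0.4 22",
              "ALLOW 192.0.2.44 172.16.0.4 80"],
    "org-d": ["ALLOW 203.0.113.7 10.20.0.3 1433",
              "ALLOW 198.51.100.23 10.20.0.3 443",
              "ALLOW 192.0.2.44 10.20.0.3 443"],
}

# Explicit RFC 1918 / loopback ranges; ipaddress.is_private would also flag the
# documentation ranges used above as stand-ins for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def shareable_blocks(lines):
    """Self-limit what leaves the org: only the public source IP of DENY lines.
    Destination, port, allowed traffic and internal sources are dropped."""
    shared = set()
    for line in lines:
        action, src, _dst, _port = line.split()
        if action != "DENY":
            continue
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in INTERNAL_NETS):
            continue
        shared.add(src)
    return shared

def build_reputation(contributions):
    """{org: set of blocked IPs} -> Counter of how many distinct orgs blocked
    each IP (each org contributes a set, so it counts at most once per IP)."""
    reputation = Counter()
    for blocked in contributions.values():
        reputation.update(blocked)
    return reputation

def prioritise_allowed(own_org, lines, contributions):
    """Rank own_org's ALLOW lines by how many *other* orgs blocked the source,
    highest first: traffic worth the first look even if no local sensor fired."""
    others = {org: b for org, b in contributions.items() if org != own_org}
    reputation = build_reputation(others)
    ranked = []
    for line in lines:
        action, src, dst, port = line.split()
        if action != "ALLOW":
            continue
        ranked.append((reputation[src], src, dst, port))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked

def run_example(own_org="org-d"):
    contributions = {org: shareable_blocks(lines)
                     for org, lines in SAMPLE_LOGS.items()}
    return prioritise_allowed(own_org, SAMPLE_LOGS[own_org], contributions)

if __name__ == "__main__":
    for count, src, dst, port in run_example():
        print(f"{count} other org(s) blocked {src} -> {dst}:{port}")
```

With the constructed logs, org-d's connection from 203.0.113.7 to its database port ranks first because three other contributors blocked that source, while its own firewall never flagged it.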