A New Era of Cyber Threats: The Shift to Self-Learning, Self-Defending Networks

Jeff Cornelius, Ph.D., EVP

A New Era of Cyber Threats: The Shift to Self-Learning ...reeforum.org/downloads/Darktrace - A New Era of Cyber Threats REE… · The Shift to Self-Learning, Self-Defending Networks


Trust Attacks

‘Trust attacks’ seek to undermine data integrity

Characterized by stealth and sophistication

Seek to manipulate rather than exfiltrate

Threat to reputation and stability of target organization


Artificial Intelligence Attacks

Observe a network in order to blend into the background

Emergence of polymorphic malware

Algorithms fighting algorithms

Battle is now taking place inside the network


Machine Learning is Hard to Get Right

No two networks are alike – needs to work in every network

On-premise, virtualized, Cloud, SaaS, segmented

Needs to work without customer configuration or tuning of models

Needs to support teams with varying security & math skills

Must deliver value immediately, but keep learning and adapting as it goes

Must have linear scalability

Cannot rely on training sets of data


Questions for Evaluating Machine Learning Technologies

What does the machine learning do?

Is the technology proven? Who uses it?

Do you need mathematicians to support it?

Is machine learning at the technology’s core or used as a feature?

Does it require model tuning?

Can it be used on premise and in the cloud?


Next Step in Automation: Self-Defending Network

Automatically produces real-time active responses to potential threats

Does not rely on predefined signatures or prior knowledge

Slows down or stops the progress of novel threats within the network

Gives security team critical time to catch up


Automating the Analyst

Continued research and development into automation and assisting the human analyst

Classify unusual activity into benign or potential threat

Perform greater analysis of multiple weak indicators to raise awareness of increasing subtle attack above the threshold

Introducing supervised machine learning into detection


100% Visibility

Cloud and Virtual Deployments

Monitor critical data being accessed entirely over untrusted networks or in the cloud

vSensors – lightweight virtual appliances that capture traffic between VMs

OS-Sensors – host-based server agents for third-party clouds

SaaS Connectors

Connectors available for SaaS applications

Cover rich datasets to monitor: user logins, file changes, data transfers, data downloads


Interfacing to Other Systems

Add Enterprise Immune System visibility to existing systems

SIEMs and legacy reporting tools

SOCs

Email/pager/alert systems

Out of the box integration

Fully customizable API


Video Conferencing Camera Hack

Video conferencing camera was transmitting data outside the network

Camera had been compromised by a remote attacker

Attacker was aiming to either steal corporate information or take remote control of the device to launch a DDoS attack on another network

Would not have been detected through signature-based defenses – the activity was not inherently malicious

Industry: Retail

Point of Entry: Video conference camera

Apparent Objective: New attack vector, information theft

GLOBAL THREAT CASE STUDY


Bitcoin Mining

Industry: Finance

Point of Entry: Machine

Apparent Objective: Personal gain in electronic currency

Machine sharing computing power with third party

Machine had been integrated into a network of compromised devices

Observed regularly mining for Bitcoins

Contacted locations that no other internal computers were talking to



Data Exfiltration from the Cloud

Company reliant on Amazon Drive for storage

Employee with system admin privileges altered access rules

Downloaded large volumes of data

Would not have been detected by traditional defenses – cloud environments are a blind spot

Industry: Finance

Point of Entry: Amazon Drive

Apparent Objective: Transmit mass amounts of data by altering admin credentials



Insider Threat

Malicious and non-malicious

Employee knowledge is advanced

Privileged users are aware of technical mistakes and blind spots

Best practices only go so far


IoT

Fridges, coffee machines, traffic lights – it’s all the same internet

Challenge is securing new class of internet-connected devices

Embedded system, difficult to upgrade or replace

20% of devices on typical corporate network are IoT

So many devices and protocols mean an ability to learn is vital – legacy and endpoint solutions don’t even try


ICS/SCADA Systems

Sharp increase in attacks in ICS environments

Convergence of IT and OT networks

Perimeter defenses and airgapping not enough

Traditional solutions don’t work in ICS/SCADA environments

Digital Supply Chains introduce new risks

Many ICS environments don’t have a dedicated security team


Cyber Risk Insurance

Many firms would not meet a general ‘reasonableness’ standard for preparedness

Companies often start security at the bottom

As a result, boards and officers could be made to look negligent in a court of law

If a company doesn’t have enough cyber insurance, the C-suite and board could lose their personal assets

Start at the top instead of the bottom


Supply Chain & Third Party Systems

Hundreds of vendors and contractors have access to an organization’s network

More stringent review of security in business relationships, including long security questionnaires

Vendor management, procurement and chief risk officers are trying to manually assess supply chain cyber risk

Cyber risk score would highlight those vendors who pose a high risk


Mergers & Acquisitions

M&A toolkit is useful before, during, and after M&A transactions

Used to identify whether there is evidence that another entity has likely copied intellectual property

Best practices suggest that networks be immediately connected upon deal closure

But what if the parent or child network has been infiltrated? Then both networks would be at risk


Conclusion

Stealth and sophistication of threats are increasing

Machine learning technologies will be fundamental

Ask the right questions when evaluating

Try technology before buying


Over 2,000 Deployments – From SMEs to Global Banks


Q & A Questions


Proof of Value

No-Cost, 4 week trial, no obligation

Appliance deployed in your environment

Installed in 1 hour

Analysis of what we find and how we find it

Weekly, custom-made Threat Intelligence Reports from world-leading analysts

Joint commitment