AISA National Conference Review & Perth Conference Promotion


SPECIAL EDITION EMAGAZINE



CYBer SecurITY

Do we have IT right?

25th November Crown Perth

Perth Conference 2016


From the War Room to the Board Room, Huntsman® Defence Grade Cyber Security Platform delivers: Advanced Threat Detection and Incident Response, Continuous Compliance, Serious Cyber Security ROI.

Proven in the most secure and sensitive environments within the intelligence, defence and criminal justice networks across the 5 Eyes community.

LEARN MORE TODAY 1300 135 897 huntsmansecurity.com


Quick Q&A

AISA NATIONAL CONFERENCE 2016

....with Bruce Schneier, Cybersecurity Guru

Cybersecurity Guru Bruce Schneier, author of ‘Data & Goliath’, a New York Times bestseller, discussed the Internet’s resiliency and China’s suspected cyberattacks against major US companies.

NOTE: The day following this interview an attack occurred against Dyn, a domain name service provider, that disrupted access to high profile sites such as Twitter, Spotify and the New York Times. Attackers took over tens of millions of devices using malicious software called Mirai.

Bruce Schneier, aged 53 years, is an American cryptographer, computer security and privacy specialist, and author. Having written several books on general security topics, computer security and cryptography, his latest book, ‘Data & Goliath’, is not only a best seller but a MUST read! Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School and a program fellow at the New America Foundation's Open Technology Institute. He has been working for IBM since they acquired Resilient Systems, where Schneier was CTO. He is also a contributing writer for The Guardian news organization.

4 | Chief IT

Editor - I read some of your comments recently about the DDOS attacks and there were questions around the testing and resilience of the Internet. So I’m seeking your thoughts on who may have been testing the Internet and its vulnerability?

Bruce - It was the first story that I have written that has a lot of unsubstantiated rumours, and I was told these things by some companies and I wrote about them because nobody else had. These were about a particular style of DDOS attack against large infrastructure companies, that looks like someone very much testing the defensive capabilities of these companies. Now I can’t name the companies, but there was this Verisign report on DDOS which confirmed that what they were experiencing mirrored exactly what I was told (Verisign Distributed Denial of Service Trends Report). So that’s the public information. Since I wrote that article, I was approached by two other companies that said yes, we are seeing this too.



So this is pervasive. The companies, including Verisign, think it comes from China. China is, for some reason, testing these DDOS capabilities. They are not taking down any of these sites. It’s hard to know why they are doing it, it’s hard to know how effective it could be and would be. Is it a diversion or is it simply some kind of cyber war unit just running tests? It reminded me very much of the US actions during the Cold War, of flying planes high over the Soviet Union, and watching their air defences turn on to learn about capabilities. It felt like that.

Editor - Do you think it correlates to other military manoeuvres?

Bruce - I don’t know any of that; I don’t know enough to make that connection. All I know is that for the past year and a half, this has been happening to these large Internet infrastructure companies.

Editor - When you say it’s being sourced from China, there are other activities being sourced from Russia, according to the US. What do you think of that?

Bruce - This is bigger than that. It’s longer term. This isn’t something happening this week or this month, this has been going on for a year and a half, off and on.

Editor - Is the attack methodology the same? Is the Internet something they can actually break?

Bruce - I don’t know. So far, the companies that have been victims, Verisign included, have adequate defences to defend against these attacks. Could it work? I don’t know. Would you want to do it? I can’t tell! It wouldn’t be permanent.


Editor - Is this the kind of thing nation states or terrorists might be preparing to use, such as during a 9/11 style attack?

Bruce - When you think about nation states using DDOS, it has to be in conjunction with something else. So, you can easily imagine China using it on themselves when there is a Tiananmen Square level of political unrest. Like Turkey, lots of countries censor themselves during times of political unrest. You can imagine a country like China doing this against Taiwan for some reason. My guess is it is just done as some testing capability. The companies involved were US companies, so I spend a lot of time with the Harvard Kennedy School and a lot of people there are working on cyber war; the Americans and occasionally the UK and other ‘five eyes’ countries come in and test our cyber warfare readiness. That’s what military officers do, they plan for war, and it’s my guess that it’s Chinese military officers that are doing this; like ours, like yours, like everybody’s, they are planning for war. And this is one of the things that is being done in the eventuality. I think it is a risk!

Editor - So you wouldn’t be surprised if you saw these attacks – or stress tests – as a component of major military exercises?

Bruce - No, it probably wouldn’t be that correlated. No, it’s a separate unit. This is going to be the cyber unit, who is all the way off over there. They’re not the same unit that runs submarines or does tank manoeuvres, they are the cyber people.

Editor - You don’t think they would be thinking at that scale?

Bruce - They might be thinking like that but the tests wouldn’t be correlated, because why bother?

Editor - Or it would be setting off too many red flags?

Bruce - A lot of what I am saying here is pure speculation. I saw this pattern and I thought we should make this public. I have been trying to get these companies to talk on the record, there is no shame here, but with the exception of Verisign, they never talked to me, but they published that report and I link to that in my article.

Editor - This leads me to the Internet of Things. What’s your view there?

Bruce - That’s the Brian Krebs story. Brian Krebs was attacked by digital video recorders, CCTV cameras, vulnerabilities in random devices, not computers.

Editor - That is something I was interested in. Princeton did some research on this, to find out how many devices are out there with just default, root passwords and there were about 13% of all devices on the Internet that were vulnerable.

Bruce - It’s really bad. The article I wrote after the Krebs attack is worth reading. I talk about the difference in the economics that means it’s not going to be like this [holding up his smartphone]. There is an entire team of security researchers that make sure this [smartphone] is secure. There is no such team for DVRs, and this thing gets patches every month, or every week! The DVR never gets patched and I throw this away every 18 months and buy a new one.

Editor – Thanks Bruce. Can you please sign my copy of Data & Goliath?

Get your copy at www.schneier.com/books/data_and_goliath/




....with Alistair MacGibbon

Cyber Security Advisor to the Prime Minister of Australia

Alistair MacGibbon, Cyber Security Advisor to the Prime Minister of Australia, speaks with Executive Editor Chris Cubbage at the Australian Information Security Association (AISA) National Conference 2016, Sydney.

EDITOR (E): Are you getting good engagement with Prime Minister Turnbull and his office?

Alistair MacGibbon (AM): Yes, it’s great. The level of political interest in cyber security in my experience, and I’ve been in this game since the 2000s, has had a significant up-tick. So I have regular involvement with senior politicians and senior bureaucrats and the level of interest is fantastic.

E: Do you find the role frustrating at all? Are they taking cyber security as seriously as they should?

AM: Yes, the launch of the Cyber Security Strategy in its own right by the Prime Minister and bringing the strategy into the Prime Minister’s own department are signs of how important it is being taken in Canberra.

E: You’ve been in your role for only four months, what have been some of the key challenges for you?

AM: Well, I prefer to see it as what key opportunities there have been. I think what happened to the Census was actually an opportunity for the Government. It was a disappointment and frustration, absolutely, but also an opportunity to take something that was clearly very frustrating but not catastrophic in terms of what actually happened and parlay that into the thinking of government in the delivery of other government digital services. So I look for opportunities out of what are otherwise unpleasant circumstances, and the Census was one of those unpleasant circumstances. So the opportunity is for a better dialogue around better digital service delivery from a Government perspective and indeed to engage the public as to what their expectations are of Government.

E: Were you engaged at all for the Energy Security meeting held by Josh Frydenberg, and do you see opportunity there, because if they were to consider major power outages, these could also be instigated by cyber-attacks?

AM: No, but I would answer that by saying critical infrastructure, of which the energy sector is a key part amongst the critical infrastructure sectors, is vital. If we don’t get critical infrastructure protection right, it is where the most catastrophic things can go wrong. There is a relationship between various critical infrastructure sectors because water is vital to power, power is vital to water, they all interlink. You take an all hazards approach: be it against fire, high wind or a cyber-attack that takes you offline, you are offline. Cyber is only a vector, but I would say it’s a vector that has increased in importance across those various sectors and we need to increasingly turn our mind to how cyber based threat vectors will play across critical infrastructure. We shouldn’t lose sight that we should still take an all hazards approach for business continuity and cyber-ability. I still see our greatest risk as our greatest opportunity.

E: Do you have much to do with the State Governments, rather than just the big beast of the Commonwealth Government?

AM: My role is supposed to have a national capacity as opposed to just a federal government perspective. I’ve been in active discussions with a number of states bilaterally and all of the states at times in larger forums. There is huge opportunity there because the states are the main service delivery vehicles for the country.

E: Mandatory reporting was introduced to Federal Parliament on 19 October 2016. Was there any particular hold up to this legislation, and your views on the legislation?

AM: It’s clearly a matter for the politicians, but I’ve always been a supporter of mandatory data breach reporting and see advantages in it. It’s now up to parliament to look at what form that takes, if at all, but certainly in my experience what industry is after is just knowing what the new level playing field is going to be.

E: Did you have much to do with the ACSC Threat Report 2016?

AM: I’m certainly aware of it and did quite a bit of media associated with it. The report’s objective is to provide more information about the type of threats the Commonwealth is seeing by giving case studies and advice on remediation. I think it was a positive step in the increasingly transparent way the Commonwealth is doing its business. If we want industry to disclose then the Commonwealth needs to disclose. If we want industry to change the way it’s doing business then we need to show the Commonwealth is prepared too.

E: Why then is the legislative process so slow? One of the areas we have been covering is national security; we mentioned a snap Minister’s meeting on Energy Security and we are still dealing with state based legislative models for physical security. Cyber security consultants are breaching state based legislation in the physical security realm when they look at access control or physical security, say under ISO 27000 Information Security Management Standards, and I’m wondering why we have two models of legislation still remaining?

AM: That is an interesting question. So you’re really talking about the regulation and standardisation of advice. It is not an issue I’ve really thought of. I would say if it improves outcomes then you look at those things, and if it doesn’t, maybe it’s changing the old industries.

E: This issue was raised with the Victorian Police Minister and she declined to change their legislation and openly admitted that regulating the information security industry in the same way they attempt to regulate the physical security industry would be overly burdensome. So my question is, what about new technologies emerging, will security robots be subject to any form of regulation and legislation?

AM: No, but these are very interesting questions. I’ve been a strong advocate for industry led improvements in the cyber security industry, so whether it’s an association like AISA or whether it’s CREST for penetration testing, working out what the best practice is and buying services from people who are recognised as having certain skill sets. In what is otherwise a pretty unregulated space, membership of professional bodies and the requirements by those bodies might be the better way of looking at this.

E: Do you think the cyber security sector needs to be regulated?

AM: Well, I’m neutral on it. I think that businesses will buy services from people who provide the right services and the market will sort itself out. Having said that, I used to run CREST in Australia as the Chief Executive Officer and it was a voluntary industry association that would test people’s skills and certify those skills. It would also look into the companies that employed those people. There were national police clearances as part of the process and it went some way to providing a level of assurance to customers.

E: I don’t understand why as a physical security consultant I’m restricted from operating nationally whilst an information security consultant is not. Don’t you see the convergence of physical and cyber coming together?

AM: They are inextricably linked. If your front door isn’t locked then someone can enter and plug into the backend of your network. I have nothing to do with the regulation or otherwise of physical security, but I can only say in a cyber security sense I am all for the increase in professionalisation. The question I would ask the physical security world is: does the current regulatory system actually improve the service delivery for customers who are buying those services? That is the question that should always be asked of any regulatory system.

E: Thanks Mr. MacGibbon!

....with Rik Ferguson, Trend Micro

Trend Micro’s Rik Ferguson discusses liaison with International Law Enforcement Agencies and the two leading online scams, CEO Fraud and Ransomware.

E: Can you give us some insight into Trend Micro’s relationship with Europol and Interpol, and law enforcement in general?

Rik - My work with Europol is part of an International cyber security advisory group. Europol and Interpol have reached out to the private sector and industry so they can expand their domain expertise and their reach. Obviously they’re very tightly involved with the European national law enforcement agencies (LEAs) and act as a coordinating body for the LEAs. They understand there is a wealth of intelligence and information that can be gleaned from private industry to help out, and they coordinate those relationships. Though organisations like Trend Micro do also have one to one relationships with pretty much every local law enforcement body anyway, such as the National Crime Authority (UK) and Dutch High-Tech Crime Unit. Trend Micro also has one full time staff member at Interpol’s Cyber Innovation Centre in Singapore. While in Sydney for the AISA National Conference I was in a meeting with NSW Police, but it is more our Australian Trend Micro personnel, such as John Oliver, who will be liaising with Australian LEAs. John is part of the FTR (Forward Threat Research) teams and this team as a whole is responsible for managing the operation for LEAs.

E: How does the relationship work, are you assisting with investigations and operations?

Rik - The LEA relationship is a two way thing – so if we discover something in the course of our own research which we think may be useful or of interest to law enforcement we will reach out, and by the same token law enforcement will contact us with enquiries as to what we may have in our holdings, seeking information from us to assist them. This may be about infrastructure or individuals, and we also provide expert witness statements if matters are proceeding to court. The relationship is controlled under a Memorandum of Understanding and nondisclosure agreements and it’s not a paid operation. It is something Trend Micro does as part of being a security provider. The most effective way to keep our customers secure is to help take the criminals out of business.

E: How is Trend Micro structured and assisting police on the ground?

Rik - Our research within Trend Micro is divided into two distinct teams. The numerically superior team is called ‘Trend Labs’, with about 1,500 personnel globally, and they’re responsible for sourcing and maintaining the bulk of the data that makes up the smart detection network, which is data about files, URLs, domains, IP addresses, emails, which is the intelligence that makes up that backend database. Then there is a numerically smaller team called FTR, with about 40-50 people globally, and they are literally around the world and have linguistic skills and capabilities so they can tap into underground forums. This has allowed us to develop a series of white papers about the similarities and differences in the criminal underground community, be it from China, USA, Germany, France, Brazil, Russia and several others. FTR is divided into three main groups: law enforcement cooperation, and then they’re actively involved in research which goes into a couple of different directions. One will be building a better beast, such as better, faster back end tools, sourcing data, mining and correlating data, so a lot of tool building, and then there’s research into the criminal underground, SCADA and ICS, point of sale malware, ransomware – they will continually rotate on various research projects.

E: The Asia Pacific is known to be prevalent in terms of cyberattacks and cybercrime – is this your understanding and what are the key trends you’re seeing?

Rik - The two things I’m presenting on at AISA are definitely rife, and that is ‘Ransomware’ and BECs or business email compromise. BECs, also known as CEO Fraud, on the face of it is a very simple fraud operation which compromises or spoofs an email account used by a senior company executive, and then their account is used to compromise another senior executive’s email account, generally someone with access to the finance in the company. It is a simple form of social engineering attack where they submit invoices and say they have to be paid urgently and immediately, and because it appears as a senior executive direction, the victim then by-passes any normal checks and balances and pays the invoice. According to the FBI, over the course of just the last two years, over US$3 billion has been paid as a result of the BEC fraud alone, affecting over 22,000 organisations globally and across over 100 countries. The top 5 includes Australia and is representative of English speaking countries, namely the US, UK, Canada, Australia and Belgium. Over 80 per cent of the email is from the General Manager and above, up to the CEO or President, and from the CEO 40 per cent will go straight to the Chief Financial Officer (CFO) or to customers of the organisation or internally to the customer – the key aspect to this is the losses of this scale, and businesses don’t get back the money from the banks yet consumers do. There has been only one arrest, which was a Nigerian scammer called Mike who was identified by Interpol. His network included Nigeria, Malaysia and South Africa. BECs are an evolution of the 419 scam with a majority of the sources from Africa, such as Nigeria. Criminals are global and they have extensive networks, with multilinguistic skills also, including live chat windows in the language of your choice as they instruct victims to pay ransoms and the like, as well as distributing ransomware in different languages. It is something business and industry must get their head around and become aware that this is a significant and global issue.
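The BEC pattern Ferguson describes above (an executive's name or mailbox spoofed, a look-alike or relay domain, and urgent payment wording aimed at whoever holds the purse) can be screened for mechanically at the mail gateway before a human reads the message. The following is an added example written for this page; it is not Trend Micro's code and not something Ferguson presented. The corporate domain, the executive roster, the urgency word list and the two sample messages are all constructed; a real deployment would pull the roster from the directory and tune the thresholds against its own false-positive rate.

```python
"""Heuristic BEC / CEO-fraud screen for inbound mail headers.

Added example for this page (not Trend Micro's code). The corporate domain,
executive roster and the sample messages below are constructed.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed corporate domain (constructed)
# Constructed executive roster: display name -> legitimate mailbox
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "john roe": "john.roe@example-corp.com",
}
URGENCY = re.compile(
    r"\b(urgent|immediately|today|wire|transfer|invoice|confidential)\b", re.I
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Collapse common look-alike substitutions (rn->m, 0->o, 1->l, vv->w)."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")):
        d = d.replace(src, dst)
    return d


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates COMPANY_DOMAIN but is not it."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    norm = normalise_domain(domain)
    return norm == COMPANY_DOMAIN or levenshtein(norm, COMPANY_DOMAIN) <= 2


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(addr), _domain(reply)
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    # 1. Display name of a known executive paired with a mailbox not on the roster
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive display name with non-roster address")
    # 2. Sender domain imitates the corporate domain (typo or homoglyph)
    if from_domain and is_lookalike(from_domain):
        reasons.append(f"look-alike sender domain {from_domain}")
    # 3. Replies are diverted to a different domain than the apparent sender
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")
    # 4. Urgent payment language in subject or body
    if len(URGENCY.findall(msg.get("Subject", "") + " " + body)) >= 2:
        reasons.append("urgent payment language")

    return {"from": addr, "score": len(reasons), "reasons": reasons,
            "flag": len(reasons) >= 2}


# Constructed sample messages: one spoof, one legitimate
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: Jane Doe <ceo.office@mail-relay.example.net>
To: cfo@example-corp.com
Subject: Urgent wire transfer today

Please process the attached invoice immediately. Keep this confidential.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board pack

Slides for Thursday attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_LEGIT):
        print(score_message(sample))
```

Two independent indicators are required before a message is flagged, because any one of them (a genuine executive writing from a personal address, a marketing platform setting Reply-To) is common in legitimate mail; the look-alike test deliberately normalises the homoglyph before measuring edit distance so that `exarnple-corp.com` is caught as an exact imitation rather than a two-edit neighbour. A gateway would typically quarantine flagged mail for finance recipients and require out-of-band confirmation of any payment instruction, which is the "checks and balances" step Ferguson notes the victim is talked into skipping.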


The economics of security

KEYNOTE PRESENTATION: Bruce Schneier

You’ve all heard of Moore’s Law, but there’s a lesser known law called Metcalfe’s Law and that is, “The value of a network equals the square of the number of users.” Take one phone – it’s useless; two phones are at least useful; a thousand phones is a network; a million phones are suddenly essential. So, is this true for real networks? A network of cell phone users, email users, SMS, Skype, and Facebook, and is it also true of a virtual network? The network of Windows versus Mac users or iOS versus Android users. The more people use a thing, the more valuable it is for each one of us that uses it. This notion of network effect lends itself to a single dominant player in the marketplace. Think of Facebook. There was a time when you were not on Facebook because it was too small; now it seems to be the time when you have no choice but to be on Facebook because you would never speak to your friends otherwise. That’s the network effect. It’s true for Skype. It’s true for any application: the more people on it, the more likely you are to be on it. So a single player wins, because that’s what makes sense.

Fixed Cost versus Marginal Cost

The second piece of IT economics is fixed cost versus marginal cost. In any product, there are two sets of costs. There is the cost to develop the product, and the cost to create the one of it that you’re buying. So a normal product like a chair: someone designed it and they were paid, then the company made a lot of chairs, and that development cost was amortised into the per unit cost that, say, a hotel purchased when they bought the chairs. In IT, pretty much all the cost is in development. The first copy of Microsoft Windows, for example, cost $20 million (I’m making this up), the second copy is free. So, what this means is stealing the results of development is a very powerful attack. This is true not just for software, it’s true for movies, for music, for pharmaceuticals, and this is why you see so much effort going in to protecting the development costs. In other cases, the high fixed cost becomes a barrier to competition. Once Google maps the world, it’s hard for someone else to come in. A company like Google can further cut the costs to zero to prevent further competition coming in.

Switching Costs

The third piece of IT economics is the notion of switching costs. The switching cost is the cost for you as a consumer to switch to a competing product. Normally switching costs are low. Think about Coke versus Pepsi. You drink a Coke and you don’t like it, you drink a Pepsi tomorrow. That means that Coke better taste good. Compare to that where the switching costs are high: so I have a cell phone, I use AT&T. If I don’t like AT&T’s service I am kind of likely to use it tomorrow, because the cost of switching cell phone providers is pretty high. I don’t like my operating system, it’s really hard for me to switch. In IT, switching from one product to another can be really expensive: it is retraining of staff, rewriting of applications, it is converting data. So, here is the thing of it: the higher the switching costs, the more a company can piss you off before you switch. They can provide you with a lesser quality service because they know that switching is hard, and companies do all they can to keep switching costs high. This is why you see proprietary file formats, non-compatible accessories, programmes that won’t let you take your data with you when you leave. It is all designed to keep switching costs high, because that basically allows them to keep customer service low, and that is cheaper.

The Lemons Market

The fourth and last piece of IT economics is the notion of a lemons market. This actually came from an economist who won a Nobel Prize called George Akerlof; he studied markets with asymmetry of information, which he thought of by himself. Basically, markets where the seller knows a lot more about the products than the buyer. So think of the used car market: the seller knows a lot about the cars he sells, you as the buyer pretty much know nothing. In those markets, I will spare you the economic math, in products where the seller knows more than the buyer, bad products drive good products out of the market. This is true for a used car market, and it’s true for IT security. This is why in the 1990s the best firewalls didn’t survive. This is why in the 2000s the best IDS programmes didn’t survive. Because we live in a lemons market. And in a lemons market buyers tend to rely on what economists call signals. So different signals are warranties – the used car market is full of warranties: take a car home, drive it for a month and if you don’t like it, you bring it back. Certifications, awards… have you ever wondered why our industry chases those dumb awards all the time? They’re signals. Awards, reviews, certifications, anything a buyer can jump on and say, I’m going to do that! I don’t know how to choose but this one won an award and this one is certified to ‘this’ standard.


EDITOR’S AISA NATIONAL CONFERENCE TAKEAWAYS

This year’s AISA National Conference in Sydney presented a who’s who of vendors, and an international line-up of keynotes, including best-selling author and security expert Bruce Schneier. It is no surprise that the event sold out. AISA has firmly planted itself as holding cyber security conferences not to be missed. Well done to Arno Brok and the team on an increasingly impressive event. Later this month we will be in Perth for the AISA WA Conference.

As our 2016 My Security Media lead partner, Huntsman was appropriately a centre piece outside the main theatre with a display of their safe automation and real time analytics platform. Huntsman’s focus over the last 12 months has been on promoting next generation SIEM technology. Michael Warnock, Director of Sales, correctly pointed out that legacy systems just haven’t delivered on the promise of delivering a security eco-system to the necessary level. The challenge remains the emergence of the Internet of Things and the numerous solutions on offer, from the end point to SIEM, but there remains a lack of time and skilled resources on SOC teams, which are already being stretched. Huntsman’s SOC platform gives a greater correlation between events, removing false positive alarm events and giving the customer the ability to automate. Moving from established manual controls to system automation is a big step, but this platform promises to take a detected or suspected threat straight to a safe place for sandboxing. Threats could be a piece of malware or it could be an internal person’s mischievous behaviour. The Huntsman system allows the SOC team to start hunting in proactive investigations against targeted and highest priority attacks, as opposed to just being reactive. The evolution has been towards high speed processing and automation. The platform also incorporates machine learning alongside traditional SIEM and a real time threat intelligence module, in the form of behaviour anomaly detection (BAD), which has been applying an Artificial Intelligence (AI) based patent for the last 8 years. Huntsman has two products, one for the Managed Security Service Provider (MSSP) and a Cloud Edition. As Sales Director, Michael’s focus is expanding enterprise awareness: “we find that a majority of the large enterprise clients, such as the top 50-100 Australian organisations, are quite ‘cyber-security’ mature, but those below this level are definitely behind and we see that as being our commercial sweet spot.” Huntsman is experiencing year on year growth, not just in Australia but throughout Asia. With responsibilities across Asia, Michael Warnock has also managed the growth across APAC, with deals such as with SMART Communications, a leading telco in the Philippines, and reports in Japan of massive sales growth. Huntsman’s UK Operations are soon to be announcing a key partnership with a very large MSSP to take the product to Europe, and this activity is also opening doors into the US market. Singapore is also a key APAC location for the company and they are working closely with the likes of Microsoft and Cisco on further developing the Cloud platform, and have been selected by Microsoft to participate in the Smart Cities Road Show, rolling out later this month. As an Australian based company, established in 1999, Huntsman remains proud to have serviced their first customer, the Department of Defence, since 2003. Huntsman has progressed to have a leading position in the market and is now enabling customers to consume security as a pure service. The Huntsman platform is moving from a subscription based model to a utility model, being a pricing model based on per terabyte of log data. As Michael proudly proclaims, “we’re highly competitive and this technology is our own”. You’ll have a chance to check out the Huntsman platform at the upcoming Microsoft Smart Cities Road Show and AISA’s Perth Conference, 25 November 2016.

AISA Opening Presentation with Adrian Turner, Cyber Security Growth Centre

TANIUM Tanium was making a debut at AISA with its single server, patented technology platform which creates a linear chain of computers across the network. Using a system agnostic tool to extract all network data points


were able to be escalated from the company’s local network administrators and immediately raised for the attention of the Company’s Board of Directors to improve enterprise cyber security and system awareness. Tanium is sold and distributed based on subscription model and priced according to the number of end points.

IXIA

in real time this is an impressive, scalable, self-aware and self-healing system. We had the chance to speak to the Director of Security, Andre McGregor and Director of Technical Account Management Chris Hallenback about the system’s capabilities. To best highlight the system’s usefulness, the mega retail chain Walmart was highlighted as an ideal end user example, with the company’s 13,000 servers reduced down to just one and with such a dramatic reduction, a significant improvement in efficiency of Walmart’s network communications. I was briefed on the Tanium Dashboard and operating platform by David Shephard, Tanium’s Regional Director and the system presents as a valuable

tool for any SOC or even just an IT Operator trying to maintain a trusted and verifiable network environment. One of the advantages is the apparent back to basics capability of full network visibility to allow an appropriate level of cyber hygiene in accordance to ASD’s 35 for application whitelisting and full system and application patching capability. Another User example Tanium was able to present was Wells Fargo, with a massive 350,000 end point network. These end points were scanned and mapped within two minutes to determine there was 40,000 applications installed on the network, despite IT Operations having only approved and were only actively managing 1,700 applications. These issues

IXIA

Ixia and I have kept crossing paths this year, be it in Singapore, Silicon Valley or Sydney. Sitting down with Ixia’s Managing Director of APAC, Naveen Bhat, it was very encouraging to hear the company has reported a positive year. Naveen confirmed, “it has been a good year for us though some have found it tumultuous. Cyber security is a very resilient market and people are spending money. We have had a positive trend for 2016, and Q1 and Q2 results have indicated that. The global market has all been talking about cyber security and we’ve found the enterprise segment and federal government segments are strongest.” Ixia solutions are particularly strong within the US market, as well as across Asia Pacific, and the company is hiring new people for positions in Canberra, Singapore and Japan. Australia is a particular focus. Naveen explained how Ixia sees the threat environment within three main categories and how the company is focusing on operating within each, starting with state-to-state cyber activity, or cyber warfare. Naveen explained, “all nations are adopting cyber security strategies as part of national security and defence systems. Cyber deterrence is the future pillar of 21st Century diplomacy but also has the potential to change geo-dynamic balances.” The second category is cybercriminals against the enterprise, which covers a broad spectrum from cyber espionage and data breaches to brand equity loss and financial compromise. The third category is the cybercriminal against the consumer, as seen with ransomware.

CROWDSTRIKE Founded in Irvine, California five years ago, CrowdStrike has welcomed an industry veteran, Michael Sentonas, as VP Technology Strategy to launch its intelligence solution as a next-generation AV (anti-virus), EDR (Endpoint Detection and Response) and hunting tool. Ideal for IR (Incident Response) projects, Michael speaks very highly of CrowdStrike’s Russian-born founder Dmitri Alperovitch and impressively referred to the DNC hacks and the naming of the FANCY BEAR and COZY BEAR teams. To quote the CrowdStrike reference blog, the CrowdStrike Incident Response group was called by the Democratic National Committee (DNC) to respond to a suspected breach. CrowdStrike immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. “We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.” The ‘Bear’ reference refers to the Russians, just as the ‘Panda’ references refer to the Chinese. These are an easy and smart way to refer to such nation-state actors. CrowdStrike was also tracking an actor under the cryptonym ‘Silent Chollima’ and has deemed them responsible for intrusions dating back to 2006. Silent Chollima was the actor revealed by the FBI in late 2014: “As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions against Sony Pictures Entertainment.” … The vast majority of these attacks have been conducted against South Korea, including intrusions into their government and military systems to steal sensitive information, as well as destructive attacks against their financial and media sectors. The first major destructive attack that we detected from Silent Chollima occurred on July 4, 2009 when large DDoS attacks were launched against over thirty websites in the U.S. and South Korea, including those of the White House, Pentagon, and major e-commerce and financial services companies.

CrowdStrike is now released across 176 countries and is looking to expand further across international markets with a wider client portfolio. It has been six months since the last round of funding through Google Capital in Series C, raising US$100M, and the company recently announced a new APAC presence, including a new Sydney office and new people hired in Canberra. CrowdStrike’s product strategy is to focus on the key aspects of network protection, taking a step back and identifying the underlying issues, appreciating that 40% of the big breaches happen as a result of malware but 60% are from misconfigurations and poor credential management, allowing the malicious or unintended insider threat to be effective. Michael concedes that “traditional technology is not delivering and customers can’t keep rolling out new signature detection or version upgrades.” CrowdStrike seeks to combine security management, system detection and response, and threat hunting as a service. The combined approach goes beyond the traditional to leverage machine learning in the cloud. The standalone machine learning has been put into VirusTotal for the industry to evaluate and for people who are not customers of CrowdStrike to be able to use. The machine learning scanning system works particularly well for commodity-based attacks and applies other features which identify the indicators of attack and allocate rules around what a process is doing, as well as what it is trying to execute. The CrowdStrike Indicators of Attack (IOAs) are leaders in detecting ransomware and set out to stop the process pre-encryption, without the need for updates, alongside sound blacklisting and whitelisting, which is a key strength of the EDR.


NUIX With a job title such as ‘Director of Advanced Threats and Countermeasures and Director of Security North America’, I’d suggest you know your stuff. Not surprisingly, that’s the case with Nuix’s Ryan Linn, with whom we discussed the Nuix threat intelligence platform. Nuix has a range of impressive tools suitable for enterprise, analytics, regulation and enforcement, and the Advanced Threat platforms provide impressive visibility and insight into systems, networks and data. The adaptive security endpoint product draws on hash lists, real-time behaviour analytics and Indicators of Compromise (IoCs). Among the Nuix investigative tools is the Nuix Workbench, which can process cases and format incident response and forensics. Subscription models are based on a licence per server, with licensed dongles that plug into the machine. The SME (Small to Medium Enterprise) take-up is definitely increasing. Nuix Insight Adaptive Security combines six security technologies into one lightweight, intelligent endpoint agent, featuring:
• Digital Behavior Recorder™: Continuously monitors and records endpoint activity straight from the kernel, including users, processes, Windows Registry changes, user sessions, DNS queries, file system information, Netflow communications, removable media, and print jobs
• Real-time detection: A multilayered threat detection stack that automatically identifies malicious activity
• Intelligent protection: Includes whitelisting, blacklisting, application control, and behavioral blocking
• Response and investigation: Automated and manual options including incident triage and investigation capabilities, allowing security analysts to search, filter, and organise single or multiple data sets collected by the Digital Behavior Recorder
• Remediation: Allows analysts to terminate malicious processes based on their process identifier (PID) and to delete files and Windows Registry keys
• Deception: Fake listening services that help analysts identify attackers during the reconnaissance phase of their attacks.

JANE FRANKLAND - WOMEN IN SECURITY Jane Frankland is clearly on a journey – up hill. The number of women in security, and of women entering the security sector, is actually declining. It was therefore refreshing and encouraging to speak to a champion for altering this trend. There is plenty of talk around the cyber security skills crisis, and Jane Frankland disagreed with the notion that needing passion in cyber security was the key – instead, just having an ‘interest’ in security was enough to be the trigger for women to consider a functional role, or better, ‘a career’ in cyber security. More so, cut to a quick reference to Rik Anderson of Trend Micro, who placed the burden on the employer, whose job it is to nurture their employees’ interest. As Jane crafts her book and continues to champion the cause to encourage and invite women into cyber security disciplines, she has a distinct battle ahead of her. Please encourage her with a LinkedIn follow. Reading Jane’s work quickly leads to the September 2015 (ISC)² published results from their global information security workforce study, entitled ‘Women in Security: Wisely Positioned for the Future of InfoSec.’ They surveyed nearly 14,000 professionals worldwide and alarmingly revealed that the workforce was predominantly male. In fact, only 10% of information security professionals were female. To make matters worse, the figure was the same as the year before, and had reduced from the year before that, despite the growing demand for more cyber security professionals. Jane responds with three key mistakes being made:

MISTAKE #1: We’re extremely poor at marketing cyber security, especially in schools, colleges and universities.
MISTAKE #2: Women need to see other women succeeding in order to believe that they can succeed too.
MISTAKE #3: Women lack confidence and we're doing nothing to improve this.

As an advocate for the security discipline, it was refreshing to hear Jane point to the ‘key’ that can and will continue to advocate change – ‘language’. It is the language of computer science that often deters entry. Within STEM or STEAM (there’s a preference!) we can essentially block entrance at an early age and literally make mountains out of molehills. Changing the language of computing, security and science can generate a fundamental shift in perception and adoption. Going back to the basics and fundamentals is what is required. Communication skills involve both the ‘visual’ and the ‘doing’, and Jane highlights that “girls are often more attracted to the ‘doing’ than the boys are to the ‘visual’.” Jane also refers to the concept that “women see risk differently than men and are more risk averse, we compete differently and competition is not conducive to a lot of women”. So when competition is perceived, you may not get women having representation. Gamification or team building is better for women, and working in teams is more conducive to women’s involvement. So the industry and all sciences still have a lot to learn and adapt to if the trends are to change. With champions like Jane Frankland, there is at least a chance. Look out for her book, Women in Cyber Security: Standard not Exception, due for release in 2017.

FORCEPOINT Last but not least, and being the last meeting of the conference, we have to appreciate the patience of Forcepoint. But discussing user behaviour analysis and insider threat is always going to retain my interest. Forcepoint presented itself as the only vendor offering an insider threat and DLP solution with visibility and behavioural analytics to baseline normal employee behaviour and quickly identify and record risky behaviour. Guy Eilon explained, “the combination of SureView® Insider Threat (SVIT) and TRITON® AP-DATA stops insider theft and the exfiltration of critical data caused by malicious or accidental user behaviour.” Guy confirmed, “this is giving something that is very unique to the market, so not only do you get an alert but you also get a snapshot of the intention of the user. We find the market is very interested in this specific issue within Australia and much more than any other segment on the international market. We also have deployed next generation firewalls that we had acquired from Stonesoft and see plenty of advantages for those customers with distributed environments.” Forcepoint is continuing to make investments in this area for the benefit of customers. Forcepoint concludes the year having combined the technology and expertise of Raytheon, Websense and Stonesoft to offer a new brand and focus. The re-branding follows the successful integration of the technologies after a series of acquisitions: first of Websense by Raytheon in May 2015, and then of Stonesoft’s next-generation firewall business and technologies, together with teams from Intel Security, in January 2016. We look forward to seeing Forcepoint and all other vendors, plus more, at AISA’s National Conference in 2017! Hope to see you there!
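The baselining Guy describes (establish each employee’s normal activity, then alert on deviations from it) can be sketched in a few lines. The Python below is an added example and not Forcepoint’s SureView or TRITON code: it builds a per-user profile from constructed data-transfer log lines (typical transfer size, usual working hours, destinations seen) and returns the reasons a new event deviates from that profile. The log format, field names, the three-sigma volume threshold and the fallback tolerance for a flat baseline are all assumptions.

```python
"""Per-user behavioural baseline for insider-threat style detection.

Added example, not Forcepoint's code. Log format, field names and thresholds are
constructed assumptions for illustration.
"""
import statistics
from collections import defaultdict

# Constructed proxy/DLP-style log lines: "<ISO timestamp> <user> <action> <destination> <bytes>"
BASELINE_LOG = [
    "2016-11-14T09:12:00 alice upload sharepoint.corp 4100000",
    "2016-11-14T15:40:00 alice upload sharepoint.corp 5200000",
    "2016-11-15T10:05:00 alice upload sharepoint.corp 3900000",
    "2016-11-15T16:30:00 alice upload mail.corp 1200000",
    "2016-11-16T11:20:00 alice upload sharepoint.corp 4600000",
    "2016-11-17T14:10:00 alice upload sharepoint.corp 5000000",
    "2016-11-18T09:55:00 alice upload mail.corp 800000",
    "2016-11-14T22:00:00 bob upload backup.corp 900000000",
    "2016-11-15T22:00:00 bob upload backup.corp 910000000",
    "2016-11-16T22:00:00 bob upload backup.corp 890000000",
]


def parse_line(line):
    """Split one constructed log line into its fields; hour is taken from the ISO timestamp."""
    ts, user, action, dest, size = line.split()
    return {"ts": ts, "user": user, "action": action, "dest": dest,
            "bytes": int(size), "hour": int(ts[11:13])}


def build_baseline(lines):
    """Per user: mean and population stdev of transfer size, hours normally active,
    and destinations seen during the baseline window."""
    per_user = defaultdict(lambda: {"sizes": [], "hours": set(), "dests": set()})
    for ev in map(parse_line, lines):
        profile = per_user[ev["user"]]
        profile["sizes"].append(ev["bytes"])
        profile["hours"].add(ev["hour"])
        profile["dests"].add(ev["dest"])
    baseline = {}
    for user, p in per_user.items():
        mean = statistics.mean(p["sizes"])
        stdev = statistics.pstdev(p["sizes"]) if len(p["sizes"]) > 1 else 0.0
        baseline[user] = {"mean": mean, "stdev": stdev,
                          "hours": p["hours"], "dests": p["dests"]}
    return baseline


def score_event(baseline, line, sigma=3.0):
    """Return the reasons an event deviates from its user's baseline; empty list means normal."""
    ev = parse_line(line)
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    # Volume: more than `sigma` standard deviations above the user's own mean transfer size.
    # A user whose baseline has no variance gets a tolerance of 10% of the mean instead of 0.
    spread = profile["stdev"] or 0.1 * profile["mean"]
    if ev["bytes"] > profile["mean"] + sigma * spread:
        reasons.append("volume")
    # Timing: an hour of day never seen for this user during the baseline window.
    if ev["hour"] not in profile["hours"]:
        reasons.append("off-hours")
    # Destination: somewhere this user has not sent data before.
    if ev["dest"] not in profile["dests"]:
        reasons.append("new destination")
    return reasons


if __name__ == "__main__":
    bl = build_baseline(BASELINE_LOG)
    for event in [
        "2016-11-21T02:00:00 alice upload personal-cloud.example 900000000",
        "2016-11-21T10:30:00 alice upload sharepoint.corp 4300000",
        "2016-11-21T22:00:00 bob upload backup.corp 905000000",
    ]:
        print(event, "->", score_event(bl, event) or "normal")
```

The point of a per-user baseline is visible in the two constructed users: bob’s nightly 900 MB backup is normal for bob and would be flagged for alice, while alice’s ordinary daytime upload to an approved share raises nothing. A real deployment would add the "snapshot of intent" the article mentions (the surrounding activity captured with the alert), but the scoring logic is the same.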


Cyber Security Professional of the Year Pieter Danhieux

Diversity in Cyber Security Award Jacqui Loustau


CYBER EXECUTIVE ENHANCEMENT ROUND-TABLE A special premier event designed for executives and board members alike. A closed-room, vendor-independent round-table discussion with Q&A, so come along and ask your questions.

Friday 25th November, 2016, 8.00 am - 1.00 pm. Invitation only, places are limited. RSVP no later than 5pm Friday 04th November. Invitation extension: after lunch you are welcome to attend the AISA Perth Conference 2016 running in parallel.

Allan S Cabanlong, ASEAN Eng., Executive Director, Cybercrime Investigation and Coordination Center (CICC) Philippines

Dr. Amirudin Abdul Wahab, Chief Executive Officer, CyberSecurity Malaysia

Phillip Russo, Cyber Investigator and Digital Forensics Expert, CIA Solutions

Gary Hale, Director, Cyber Security & Innovation, Cisco

Venue: Crown Perth. Cost: Nil. AISA Perth Conference 2016 registration & enquiries, please contact: Mourad Khalil +61(0) 403980718 | mouradswork@gmail.com, Daisy Sinclair +61(0) 415780257 | daisyfrancissinclair@gmail.com

CYBER SECURITY - DO WE HAVE IT RIGHT? Why are organisations so scared? What should they be concerned about? Cloud? Data classification? Malware? Other threats? How is the rest of our region dealing with these issues? How should we manage or change?

Hear from four leading experts on these key topics and cut through to what you need to know or do. A round-table discussion and Q&A will be held, so come along and ask questions. More about the event:

This event will help address fears, barriers, roadblocks and perceptions of organisations and individuals around cyber security - “the reality and the myths” - and to ultimately get to the bottom of what are the “real” things to worry about or manage.

AISA invites all individuals with an interest in information and cyber security to become members, see our new member’s link below. If on the other hand you or your organisation are keen on sponsoring the AISA Perth Conference 2016 event you may do so through the link.

BECOME A MEMBER

SPONSOR EVENTS



Cyber Security

Continuous improvement
Network security, optimised networking and business continuity: Fortinet’s continuous improvement

By Gary Gardiner, Director of Technical Support, APAC at Fortinet

Network security is moving beyond firewalls, advanced threat protection and data leak prevention into network optimisation and business continuity. Security is increasingly being seen as a business process enabler as opposed to simply an adjunct to your company’s IT infrastructure. And as more and more enterprises migrate mission critical applications into the cloud, business continuity and return on investment are becoming key considerations for executives as they evolve their infrastructure from cost centres into agile and elastic organisational assets. One company driving this transformation is Fortinet. Since its establishment in 2000, Fortinet has been at the forefront of security innovation and delivery. Its FortiGate firewalls have set the benchmark for comprehensive protection and speed since their introduction as UTM (Unified Threat Management) appliances in 2004; its FortiGuard Labs employs more than 250 expert researchers and analysts around the world and collects data from more than two million sensors to protect more than 270,000 customers every day. And its acquisition of security information and event management (SIEM) solution provider AccelOps earlier this year has expanded Fortinet’s functionality well beyond traditional security.

Three key innovations
Three innovations in particular set Fortinet apart: the FortiOS operating system, the FortiASIC ‘system on a chip’ architecture and internal segmentation. FortiOS operates in concert with your entire network environment to protect every component from the server to the client and into the cloud. The FortiASIC chip ensures low-latency operations up to five times faster than comparable solutions. Internal segmentation compartmentalises data and applications, either on-site or in the cloud, so that you can insulate individual groups of users, set multiple policies and contain and minimise the ramifications of any security breach. When combined with the operational and analysis capabilities provided by SIEM, enterprises now have unprecedented visibility into network traffic patterns and, by extension, all business processes. This granular-level transparency enables organisations to optimise network operations, gain maximum value (indeed, it allows them to quantify IT spend versus performance, the ultimate benchmark for measuring ROI) and ensure that mission critical application services maintain maximum uptime for business continuity.


Internal segmentation: Protection into the cloud
Ensuring business continuity as enterprises move mission critical application services into the cloud can be problematic for risk management. Fortinet’s unique segmentation architecture isolates applications and data regardless of where (in-house or in the cloud) or how (physical, virtual or software-defined) they are stored and accessed. Indeed, Fortinet has been increasing its market share in the MSSP (managed security services provision) arena because internal segmentation is ideally suited to multi-tenant deployments. In addition, Fortinet’s granular-level visibility ensures that MSSPs can provide comprehensive traffic and activity reports for individual customers and groups of users.

Continuous improvement
Fortinet has evolved into a network optimisation and business continuity solution provider based on market-leading security technology, granular visibility and upstream and downstream SIEM analysis. Any security events can be immediately identified, contained (via segmentation) and mitigated, resulting in minimal downtime, regardless of where on the network, in the datacentre or in the cloud they might occur. With real-time traffic monitoring, including internal ‘east-west’ traffic inside the datacentre, you can see exactly which application resources use which data sets. And from there you can quantify how much resource each application service requires and correlate the costs to the benefits received. Cost accounting, risk reduction and maximising uptime are now functions of your network security infrastructure and no longer separate disciplines. This merging of governance imperatives is changing the way Boards look at their security profile. This transformation is being driven by a parallel convergence in network operations. And Fortinet is out in front on both counts.

About the author
Gary Gardiner, Fortinet’s senior security executive in APAC, is a seasoned network security professional with hands-on and management experience in every aspect of security across many different vendors, solutions and verticals. As a technologist, he understands the challenges and solutions. As a ‘C-level’ executive, he is also acutely aware of the drivers and challenges facing Australian organisations.


Integrated Security Fabric delivers business continuity
Fortinet’s end-to-end Security Fabric delivers:
• World-class security
• Tightly-integrated management
• Transparency at the granular level
• Business continuity

Driven by the industry-leading secure operating system FortiOS and powered by the third-generation FortiASIC SOC3 (System-on-a-Chip) architecture, no other security vendor comes close to providing the depth and breadth of security solutions. With the lowest latency on the market and real-time security updates from the global FortiGuard Labs, Fortinet is the security solution of choice for enterprise-level data centres.

Fully integrated
Fortinet’s Security Fabric solutions work together seamlessly to provide trouble-free installation, centralised configuration and ‘single pane of glass’ management. Combined with the FortiGuard Labs’ real-time security updates, Fortinet’s Security Fabric will always be armed with the very latest threat intelligence and detection / mitigation algorithms.

Extending security to business continuity
When you install Fortinet Security Fabric solutions, you are investing in business continuity. With Fortinet’s Security Fabric, nothing that happens on your network goes unnoticed: intrusions, data leaks, DDoS attacks, system slowdowns or simply business as usual. Fortinet gives you unprecedented visibility into your network’s performance and virtually eliminates the ‘window of vulnerability’ that can result in interruptions in service delivery.

Validated performance
NSS Labs has awarded Fortinet’s Security Fabric their highest recommendation. NSS certified that Fortinet’s ATP solutions detected 100% of exploits delivered by social media and drive-by downloads. Fortinet has also received NSS Labs’ recommendations for the FortiGate data centre intrusion prevention system, FortiClient endpoint protection and FortiWeb web application firewalls, amongst others. NSS has validated Fortinet’s security effectiveness above 99%. That, combined with industry-leading performance, delivers what you need to ensure fast, secure operations and business continuity.

AT A GLANCE
• Enterprise Firewall
• Advanced Threat Protection
• Cloud Security
• Application Security
• Secure Access
• Security Operations

FORTINET AUSTRALIA Level 8, 2-10 Loftus Street Sydney NSW 2000 TEL 02 8007 6000 anz_marketing@fortinet.com

www.fortinet.com

FORTINET SECURITY FABRIC CORE SOLUTIONS Fortinet’s Security Fabric is built around a core set of solutions, anchored by the FortiGate firewalls, that provide security from the server to the smartphone, into the cloud and everywhere in between.
• FortiGate next-generation enterprise firewalls / data centre intrusion prevention
• FortiSandbox, FortiMail and FortiClient advanced threat protection (ATP)
• FortiWeb web application firewalls
• FortiAP, FortiSwitch and FortiCloud secure access solutions
• FortiSIEM, FortiManager security operations and network optimisation
• FortiGuard Enterprise Service Bundle real-time subscription-based security updates

FORTINET SECURITY FABRIC PERVASIVE & ADAPTIVE SECURITY FROM IoT TO THE ENTERPRISE TO CLOUD NETWORKS



INVITATION

EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR

5-7 July 2017 | Suntec Singapore Convention and Exhibition Centre

MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision making buyers to security solution providers and manufacturers. For more about the program visit - www.interpol-world.com

MySecurity Media will manage all logistics, such as flight/hotel bookings for the visiting delegation. 2015: 7,807 Visitors & Delegates. 2017: 300 Exhibitors.

Some of the main topics:
• IoT, cybersecurity, big data analytics
• Biometrics
• Genetic & synthetic biology
• Safe cities
• Robotics
• Unmanned/artificial intelligence
• Face recognition
• Forensics

PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE: Email: interpol_world2017@mysecuritymedia.com

Delegate Profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators. Visitor profiles: www.interpol-world.com/visiting

“We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” - Ian Readhead, National Police Chiefs’ Council, UK

Express interest in joining us at this exclusive event: interpol_world2017@mysecuritymedia.com


TechTime - latest news and products

CYBER SECURITY TRAINING & AWARENESS COURSES, WORKSHOPS & E-LEARNING
• FOUNDATION CERTIFICATE IN INFORMATION SECURITY (FCIS)
• CYBER SECURITY INVESTIGATIONS & INTELLIGENCE
• CYBER ATTACK-RESPONSE DRILL (CARD)

FROM ENTERPRISE AWARENESS TO FULL CERTIFICATION

SUITABLE FOR: Law enforcement, regulators, justice ministry heads, information technology / IT managers, information security officers, network engineers / support, heads of procurement / business development, facility and security managers, human resource / training managers.

www.amlechouse.com

Sands Expo & Convention Centre, Singapore, April 20 – 21, 2017. SPONSORSHIP OPPORTUNITIES: promoteme@mysecuritymedia.com

Limited Opportunities Available - Contact our sales agent today!

