Australian Cyber Security Magazine, ISSUE 1, 2017

Page 36

The truth is like poetry... most people hate poetry. Prevention is possible and defence is doable

By Chris Cubbage

Having been at Cylance since the beginning, Eric has been at the forefront of a stunning journey along with founder Stuart McClure and the inaugural team, setting out to shift the economics of cyberwarfare and force attacks to be highly targeted and thereby expensive. Speaking in Canberra at the Australian Cyber Security Centre Conference this March, Eric made it clear at the outset: “I want to make a rant against the cybersecurity industry. I think we are all brainwashed by all this stuff that is continually thrown at us. Defence is doable – but like putting Man on the Moon, you first have to believe it is possible. If the cybersecurity industry does not believe it is possible then what are ‘we’ all doing for a living? Though one size does not fit all and one person’s security is different from another.”

As a proud product of the US Government, Eric was an exploit developer and coder, and after a 12-year Federal Government career, was appointed as the Department of Homeland Security’s Deputy Director and Chief Technical Analyst for the Control Systems Security Program.

“Most organisations will already have 80 per cent of what they need in terms of security – it is a case of the more you know the less you need. The process of assessment should be based on the business case of ‘annualised loss expectancy’.” With a reference to a concept of operations, Eric recommends, “ask what is the minimal path to the maximum damage.” Similar in process to red teaming, “identify the task of bringing the organisation down and the most likely method that would be taken to achieve that mission. It is not going to be just one exploit. Most vendors are only solving individual pieces of the problem. By taking several exploits and chaining them together, in a kill chain or attack tree, the security practitioner can build a concept of operations to determine what impact these attack chains would have on the business if they were to occur. This is the singular loss expectancy.
The next question is how many times per year would this event be likely to occur, what is the likely cost impact and what is the likelihood of it reoccurring if we don’t defend against it. Security practitioners are often very bad at articulating the value of the return on investment in security, in a business context. The solution is in the math. We should automate as much as humanly possible.”

Eric outlines the key steps in gaining a measured security posture. “The first step is to do a good job with the asset inventory and know all your devices and end points. All the Windows devices will be easily found on a passive network tap and any of the devices that are unknown are likely to be found by an adversary and exploited. Architecture network diagrams should be kept current, in order to protect the data, being the ‘Operation crown jewels’. Data has different values so it is up to the individual business to know what data is important – generally the data that is making the business money is the data that the attackers will be after. Once the data is identified you need to understand where it is and then the paradigms of protection – be it all the machines equally or the machines housing the data to be kept at a higher level of security.”

Most importantly, people are not well trained. “If I had $10 to spend on security, I would put $8 into my people. I’m not talking about just a phishing campaign - people need to be compelled and empowered. People have to believe in the security program and understand their actions have impact.”

“Next are such concepts as ‘indicators of compromise’. This is a fancy phrase for signatures and is not a suitable approach to rely on. By the time a signature is detected it is already too late. By the time the exploit has been detected and analysed, it receives an indicator and goes up the food chain to be shared and into expensive threat intelligence feeds. That process can take up to 500 days. It is at least 100 days stale. This is not good, because in that 100 days, the attacker knows they’ve been found, have pivoted and are not using that exploit anymore. SIEMs and SOC tools are only ever looking for old stuff. What is the point of that? This entire paradigm is broken and the entire way we are looking at security is inherently flawed.”

“Why do we accept from security practitioners that we
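To make the loss-expectancy reasoning in the interview concrete, here is an added worked example (written for this page, not code from Cylance or the article): a constructed two-chain attack tree, the chain an attacker would favour as the “minimal path to maximum damage”, the resulting SLE, ARO and ALE, and the annual return of a control that breaks one step, after which the attacker pivots to the next-best chain. The asset value, step probabilities, attacker effort, attempt rate and control cost are all assumed illustrative figures.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Step:
    name: str
    effort: float   # attacker effort for this step (constructed, arbitrary units)
    success: float  # probability the step works against current controls

# Constructed attack tree: each chain is a list of steps that must ALL succeed
# to reach the crown-jewel data. Probabilities and efforts are illustrative.
ATTACK_TREE = {
    "phish -> reuse creds -> exfil": [Step("phish", 1, 0.6), Step("reuse creds", 1, 0.7), Step("exfil", 2, 0.9)],
    "vpn exploit -> lateral -> exfil": [Step("vpn exploit", 5, 0.3), Step("lateral", 2, 0.8), Step("exfil", 2, 0.9)],
}

def chain_success(chain):
    """Probability the whole chain succeeds (steps treated as independent)."""
    return prod(s.success for s in chain)

def chain_effort(chain):
    return sum(s.effort for s in chain)

def most_likely_chain(tree):
    """The 'minimal path to maximum damage': most success per unit of attacker effort."""
    return max(tree, key=lambda n: chain_success(tree[n]) / chain_effort(tree[n]))

def single_loss_expectancy(asset_value, exposure_factor):
    return asset_value * exposure_factor

def annualised_loss_expectancy(tree, sle, attempts_per_year):
    """ALE = SLE x ARO; ARO = attempts per year x success of the chain the attacker favours."""
    return sle * attempts_per_year * chain_success(tree[most_likely_chain(tree)])

def apply_control(tree, step_name, new_success):
    """Re-rate every step named step_name (e.g. MFA cutting 'reuse creds'); attacker may then pivot."""
    return {n: [Step(s.name, s.effort, new_success) if s.name == step_name else s for s in chain]
            for n, chain in tree.items()}

def control_roi(tree, sle, attempts_per_year, step_name, new_success, control_cost):
    """Annual return of a control: ALE avoided minus what the control costs."""
    before = annualised_loss_expectancy(tree, sle, attempts_per_year)
    after = annualised_loss_expectancy(apply_control(tree, step_name, new_success), sle, attempts_per_year)
    return before - after - control_cost

if __name__ == "__main__":
    sle = single_loss_expectancy(2_000_000, 0.25)  # constructed: $2M asset, 25% lost per incident
    print("favoured chain:", most_likely_chain(ATTACK_TREE))
    print("ALE before MFA:", annualised_loss_expectancy(ATTACK_TREE, sle, 10))
    print("annual ROI of MFA at $50k:", control_roi(ATTACK_TREE, sle, 10, "reuse creds", 0.05, 50_000))
```

Note that after the control is applied the favoured chain changes: the ALE that remains is driven by the VPN route, which is the "it is not going to be just one exploit" point in numbers.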
