TOM FIELD: When it comes to malware, what is the gap between infection and detection? Hi, this is Tom Field, Vice-President of Editorial with Information Security Media Group. I'm discussing this topic today with Paul Martini. He's CEO of iboss Cybersecurity. Paul, thank you so much for joining me.
PAUL MARTINI: Absolutely, nice to be here.
FIELD: So Paul, security leaders often have what we might call an inflated sense of their own organization's ability to detect malware infection and data exfiltration. In your experience, what are they really overlooking?
MARTINI: You know, most organizations are focused on building thicker walls, new mousetraps. Every time new technology comes out that allows them to detect malware in a different way, they jump to that right away. But at the end of the day, even the Great Wall of China has been compromised. You can build a really thick wall, but you can't neglect that at the end of the day you will be compromised at some point. It's really about looking at that situation and asking yourself the right questions. Things like, what do I have in place not only to detect the malware but the data that it's trying to hijack, which is a more important question. You know, there's a lot of technology out there and a lot of solutions and algorithms that focus on malware. You know, you're looking at command and control center callbacks, intrusion prevention systems, but if you take a step back and ask yourself the obvious question, what about the data? Data that doesn't have a command and control center type callback, a destination that's obvious. You know, something like cloud storage, solutions like Dropbox, where they can host people's data and actually it can host your data as a company.
FIELD: So with all the attention that is given to cyberattacks now, why do you find that there remains such a wide gap between the time of malware infection and ultimate detection?
MARTINI: You know, I think the real answer to that is no different than the fact that you'll always have the possibility of getting infected. There is no such thing as 100% certainty in anything in life. I am including the fact that there is going to be a time where you do get compromised. The time from infection to detection will never go to zero. So there's always going to be that time. And I think asking the right questions, which is, what about the data? What about proactively monitoring the data directionally, in the outbound direction, for example, data moving to high risk countries or regions. That's really the question you want to answer, and if there really is no answer around that, it allows for such a big opportunity for hackers that are sitting in any part of the world and really targeting that data. That's really where their focus is and what they're looking to do. So really, in a very legacy type of approach, you have some organizations that just continually build thicker armor, and then in more progressive types of security postures you see organizations that focus on, you know, command and control center callbacks. They focus on finding the malware. You know, where is the malware on my network right now? Who downloaded the malware and things of that nature? But still the most progressive organizations are looking at the data itself, you know, data that doesn't have a fingerprint. It doesn't have any sort of key that you can key off of to detect malware, and that's really what allows the dwell time to go on much longer than it should in reality. You know, if you could shorten that dwell time by looking at the anomalous behavior of data as it moves outside of the network, that actually will get you to a better place in a more effective manner.
FIELD: So Paul, let's make this real to an organization. Within that wide gap between infection and detection, what do you find to be the value of lost hours, lost days, and then the potential business impacts of that downtime?
MARTINI: You know, we're talking about permanent data here, and I think the fact that it's permanent means there really is no value you could put on the data. People look at the direct victims, which are the consumers, the users of the product, the people that the company sells to and services, but there are actually a lot of other victims as well. You know, there's jobs, there is the CIO's job, the CISO's job, the board, the organization, and then you also look at just the embarrassment that comes with it. So what are the costs involved in a breach that not only affected consumers and maybe their confidence to purchase or use the services, and in the case where you're a business-to-business type of organization, where other businesses do not trust you. But even further than that, look at a case like Sony, where you have an organization that was so impacted by the breach that they had to absolutely sell assets and departments that were completely unrelated to the breach or to making movies in order to cover those losses. So there really isn't a value you can put on the data because it's permanent, and I think that's what is important.
FIELD: Paul, organizations have made significant investments in security tools and personnel, but something is not working. Where do you see the biggest shortfalls in the traditional security tools and skills that organizations have deployed?
MARTINI: It's absolutely in their ability to proactively monitor data. You know, the focus has always been on the malware, which is absolutely important as well, but to completely neglect the data, the data that is being hijacked, is actually not only negligent but it allows for such a gap in security, which the attackers are taking advantage of. So they realize that, if I can get a very sophisticated targeted evasive attack onto your network, the very first thing I'm going to do with that malware is have it hijack data. I'm not going to phone home. I'm not going to do anything that is out of the ordinary in terms of presenting myself as malware. I'm just going to start transferring data right away, and those are things you saw with companies like Anthem, where a database query led to millions of records being uploaded to cloud storage. And so, really, that's where the critical gap lies: there is a lot of focus in one area, which causes a diversion from creating a very balanced security posture, and I think that we need to take one step back to look at the overall security posture and say, where am I the most deficient, and invest into those areas.
FIELD: What do you find to be today's must-have tools and skills to help reduce this gap between infection and detection?
MARTINI: Tools, and algorithmic techniques, like network anomaly detection and data exfiltration containment. Those types of techniques that focus on data proactively are absolute essentials for any organization. I'll give you an example. If you do a credit card charge that's two or three hundred miles away and it's not normally a city that you visit, you're going to get an alert from your credit card company. They'll call you, they'll ask you if that is your charge, and then you have the opportunity to proactively reject that, stop the charge and prevent it from going through. Now if the credit card company called you and said, last year we noticed that a few thousand dollars, you know, left your account, but by the way it was a year ago and it's too late. That's really the situation that we're in when it comes to data. You know, we look at situations where there are large losses of data and records and there is a lot of enthusiasm around finding the malware, which is the same as finding the criminal. But the reality is that the data itself is gone. That really doesn't do me any good if I have millions of records gone. No different than if I have thousands of dollars gone from my bank account a year ago. So the reality is, the tools that proactively monitor data, such as network anomaly detection, look at things like packets, bytes, connections. They look for anomalies in that behavior, so they baseline the behavior and say on a normal day this is what the traffic should look like, and then today it looks 25% different. That has nothing to do with malware, it has to do with the actual data itself and protecting that data.
FIELD: Paul, let's talk about some of your customers. How would they tackle this challenge and what do you find to be some of the key lessons learned from their experiences?
MARTINI: You know, I'll give a good example. You know, we deal a lot with health and finance. Another particular CISO that manages a county on the east coast, and he, you know, we were discussing a lot of the solutions in technology and in the architecture. This is a sophisticated network, so John had about fourteen different systems covering data, anything from the typical endpoint protection to intrusion, the obvious firewalls, all the application type monitoring and that sort of thing. And what happened was, you know, as we talked about monitoring, like what do we have in place in terms of monitoring the data and the direction of the data? What we found was, the closest thing that we could find out of the whole buffet of solutions was performance monitoring software that would monitor performance on his server, and monitor data on a particular server, but it didn't have context. It didn't have direction. It didn't have a notion of data moving from a trusted network to an untrusted network, and so what we did was we set up in a discovery mode network anomaly detection and data exfiltration containment, literally just to look at, you know, is there anything anomalous going on in this network with respect to the data itself. And surprisingly, within twenty-four hours what we found was there were over eighteen different transfers, very large transfers. One of them actually, as it was tracked back, turned out to be a user that was using AOL Chat to upload files to China. And you know, I never got into the details of what those files were, but they definitely weren't a good thing. And I think the great part of this story and this example was that in this particular case it actually wasn't malware that was doing this. So there would never have been a flag or an alert or anything like that, no command and control center callback.
However, because it was still focused on the data itself, the flags went off immediately within those twenty-four hours to alert John that, hey, there is something that is just not right, and then track that down to the actual user. Now there were a bunch of other transfers as well. Some were good, others weren't, but what he liked about it is, even the good transfers actually gave him the peace of mind that if someone were to ask me, where are all my transfers going to, the bulk transfers, the risky transfers, I felt very confident that I could answer that question. And the last thing you want to do is be in a situation where you're in the dark. You know, you don't want to get caught with your pants down because you don't know where all your data is going, and when you get asked, whether through an audit or after a breach, you could even tell someone where the majority of the data is going in a massive amount, you know, things like data going to high risk countries, you know, what does that look like. What does it look like on a typical day, on a typical month. I think being able to answer that question is ultimately what's the most important.
FIELD: So Paul, we've thrown an awful lot at people today. We've talked about the gap between infection and detection and talked about shortfalls in technology and skills. Bottom line for an organization that wants to turn this around, where is the place to start to address this gap?
MARTINI: So address and fill where you're the most deficient. And today, most organizations are deficient in technology that monitors the data itself, not just the malware. You know, if you're very progressive, there might be technology around finding infections on a network, identifying where they are located, finding out whether, when and why that happened. But you need to take it a step further and become even more progressive and focus on the data itself, proactively monitoring the data, monitoring it in a directional way, by region, by amounts. And once you do that, you'll come to the realization that, you know, even though there is not one silver bullet that's going to solve this problem, at least it will put you in a better position and a better security posture so that you're not caught in the same situation as the large recent breaches such as Anthem and Sony.
FIELD: Well, Paul, that's great insight. I appreciate your time and your thoughts today.
MARTINI: Yeah, thank you very much. It was great being here.
FIELD: The topic has been malware, the gap between infection and detection and I've been speaking with Paul Martini, CEO of iboss Cybersecurity. For Information Security Media Group, I'm Tom Field. Thank you very much.
[END OF INTERVIEW]
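The baseline-and-deviation check Martini describes (outbound volume per host and destination region, compared with a normal-day baseline and a 25% tolerance, plus flags for high-risk regions) is sketched below as an added example; it is not iboss code and not from the interview. The flow records, the host names, the region code "ZZ" and the HIGH_RISK_REGIONS set are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): (day, host, dst_region, direction, bytes).
# Three baseline days, then one day under test.
BASELINE_FLOWS = [
    ("d1", "ws-17", "US", "out", 1_000), ("d2", "ws-17", "US", "out", 1_000), ("d3", "ws-17", "US", "out", 1_000),
    ("d1", "srv-db", "US", "out", 5_000), ("d2", "srv-db", "US", "out", 5_200), ("d3", "srv-db", "US", "out", 4_800),
    ("d1", "srv-db", "ZZ", "in", 900_000),  # inbound: ignored by the directional (outbound) check
]
TODAY_FLOWS = [
    ("d4", "ws-17", "US", "out", 1_100),    # +10% over baseline: within tolerance, no alert
    ("d4", "ws-17", "ZZ", "out", 80_000),   # never seen before, and to a high-risk region
    ("d4", "srv-db", "US", "out", 7_000),   # +40% over the ~5,000 bytes/day baseline
    ("d4", "srv-db", "ZZ", "in", 950_000),  # inbound: ignored
]
HIGH_RISK_REGIONS = {"ZZ"}  # placeholder code for regions that policy treats as high risk (assumption)

def outbound_per_day(flows):
    """Sum outbound bytes per (host, dst_region) for each day; inbound flows are dropped."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, host, region, direction, nbytes in flows:
        if direction == "out":
            per_day[(host, region)][day] += nbytes
    return per_day

def build_baseline(flows):
    """Average outbound bytes/day per (host, region) over all days present in the baseline window."""
    ndays = len({f[0] for f in flows})
    return {key: sum(days.values()) / ndays for key, days in outbound_per_day(flows).items()}

def detect(baseline, today_flows, tolerance=0.25, high_risk=HIGH_RISK_REGIONS):
    """Alert on outbound totals that go to a high-risk region, a never-seen destination,
    or exceed the baseline by more than `tolerance` (0.25 = the 25% figure from the interview)."""
    alerts = []
    for (host, region), days in outbound_per_day(today_flows).items():
        nbytes = sum(days.values())
        expected = baseline.get((host, region))
        if region in high_risk:
            reason = "high-risk-region"
        elif expected is None:
            reason = "new-destination"
        elif nbytes > expected * (1 + tolerance):
            reason = "volume"
        else:
            continue
        alerts.append({"host": host, "region": region, "bytes": nbytes, "expected": expected, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), TODAY_FLOWS):
        print(alert)
```

With the constructed data this raises two alerts (ws-17 to the high-risk region, srv-db 40% above its baseline) and stays silent on the 10% rise and on all inbound traffic; a real deployment would feed it flow exports and a maintained region risk list.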