Back from GISEC 2016 – The day the lights went out

Hello,


I’m just back from GISEC 2016 in Dubai – a great show that brought information security professionals together from across the region. On the Splunk stand we gave out lots of T-shirts – but more importantly – we had great conversations about how Splunk can help small and big organizations solve their big data and security problems. Examples in the region include Dubai Smart Government, Al Rajhi Bank (Saudi Arabia) and Saudi Arabian Airlines, all of which use Splunk to analyze their log data for a range of functions, from security to IT operations and IoT – all areas where Splunk is a great fit.

There were several keynotes with great messages that I wanted to share:

Nigel Gibbons, Global Advisory Board Member at Microsoft:

“Organizations are often missing the basics” – how true. He mentioned that emerging technologies and sandboxed systems are nice – but can provide a false sense of security if the underlying components are not right.

Rt Hon Dr Liam Fox MP, former Secretary of State for Defence, United Kingdom:

“Invest in things you don’t see today”


Dr Liam Fox outlined that with the growth of cybercrime, cyberwar and cyberterrorism, CIOs need to understand that it’s their issue and not just the IT department’s. This approach shouldn’t just start with technology to combat threats; it also requires things like adequate screening of all staff. This starts at the top and goes all the way down to the cleaner. As an example, it’s very easy to compromise an organization by connecting a USB keylogger to multiple machines while an employee is out of the office and no one is working in the room next door. Employees also need to be properly trained not to use foreign laptops to log in or to borrow a phone for a quick call. Such actions might inadvertently release more information than you would want.

He also commented on the growing focus on protecting critical infrastructure, with governments carefully watching what IT skills other countries are using and hiring to protect their infrastructure. This includes countries like Iran, Syria and North Korea all acquiring IT experts over the past year with knowledge in electrical management systems, stock exchange software as well as water treatment systems.

John Bumgarner, CTO, United States Cyber Consequences Unit:

“AntiVirus is dead – the future is behaviour analysis”

If you haven’t seen John presenting – I really recommend you do. He talked about how, with 500 million AV signatures, around 140 million of them unique, this technology is no longer able to scale. He also talked about how hackers have all bought the common AV solutions and test against them regularly, just as you could on VirusTotal.com. Another topic covered was cyber sabotage, as first seen in the Iran nuclear program and then continued elsewhere. He also mentioned the “delete everything” campaign seen in the Middle East region in August 2015. John compared this with the Sony attack and found similarities: in both cases the malware was created with the same software, just a different version, and in both cases the attack took place on a holiday.

“The day the lights went out”


John also talked about his expectation that cyber terrorism will continue to emerge. In particular this is where critical infrastructure will be affected, and in Ukraine we have already seen the first successful blackouts. In cyber terrorism, malware will look completely different – it might virtualize itself or, through machine learning, recompile itself. Malware might also listen to the network for some time and then behave as though it were authorized traffic.

“Another trend that will remain for some time is ransomware”

We already have it today – but it will evolve. Currently it’s attacking organizations in sectors like healthcare – sectors that traditionally haven’t had a lot of security around personnel or equipment – and it will evolve into other sectors as well.

His recommendations:

  • Think about scenarios for how hackers could attack you: what could they get, and how could they get in?
  • Then think about your defenses: how could they be revealed by attackers?
  • Know your network
    • Do you know what is running in your environment?
    • Do you review your VPN activity? Do you know when a new device connects for the first time?
    • You might have two-factor authentication, which is great – but do you monitor who is registering new tokens and why?
  • Behavior analytics
    • Use tools that analyze the behavior of network traffic, users and systems.
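One way to put the last two points into practice, as an added example that is not from the post or from Splunk: a small Python detector that runs over a few constructed VPN and MFA-enrolment log lines (the key=value format, field names and values are all assumptions), flags the first time a user connects from a device not in their known-device baseline, and surfaces every new token registration, escalating those performed by someone other than the account owner.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format (not any real product's format).
SAMPLE_LOGS = """\
2016-03-30T08:01:10Z event=vpn_login user=alice device=LAPTOP-A1 src=10.1.2.3
2016-03-30T08:05:42Z event=vpn_login user=bob device=LAPTOP-B7 src=10.1.2.9
2016-03-30T09:12:00Z event=vpn_login user=alice device=LAPTOP-A1 src=10.1.2.3
2016-03-30T22:47:31Z event=vpn_login user=alice device=UNKNOWN-9F src=203.0.113.5
2016-03-30T22:48:02Z event=mfa_token_enroll user=alice token=tok-5512 actor=alice
2016-03-31T03:15:00Z event=mfa_token_enroll user=carol token=tok-7781 actor=helpdesk2
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def detect(log_text, baseline=None):
    """Return a list of alert tuples. baseline maps user -> set of known device ids
    (e.g. learned over a quiet period); without one, every user's first login is reported."""
    seen = defaultdict(set)
    for user, devices in (baseline or {}).items():
        seen[user].update(devices)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("event") == "vpn_login":
            user, device = ev["user"], ev["device"]
            if device not in seen[user]:
                seen[user].add(device)  # report once, then treat the device as known
                alerts.append(("first_seen_device", ev["ts"], user, device, ev.get("src")))
        elif ev.get("event") == "mfa_token_enroll":
            # Every new token is worth a look; one enrolled by someone other than
            # the account owner (helpdesk, admin, or an intruder) deserves escalation.
            severity = "review" if ev.get("actor") == ev.get("user") else "escalate"
            alerts.append(("mfa_token_enroll", ev["ts"], ev["user"], ev.get("token"), severity))
    return alerts


if __name__ == "__main__":
    known = {"alice": {"LAPTOP-A1"}, "bob": {"LAPTOP-B7"}}
    for alert in detect(SAMPLE_LOGS, known):
        print(*alert)
```

The same logic maps directly onto a scheduled search in a log platform: keep the per-user device list as a lookup, alert on logins whose device is absent from it, and route token enrolments to a review queue.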

See you next year at GISEC!

Br

Matthias