Analysis: HPE’s Tim Grieveson looks back at a difficult year in cyber security, and explains why data puddles, not lakes, are the answer.
HPE released its annual Cyber Risk Report earlier this week, 17th February 2016, assessing the state of cyber security in 2015. The picture wasn’t pretty, and it has branded the Year of Collateral Damage.
The report highlighted various issues. Tim Grieveson, Chief Cyber and Security Strategist at HPE, told CBR that one of the key takeaways is "the industry hasn’t learned anything about patching in 2015."
He said this failure to patch means that "the bad guys are still exploiting vulnerabilities that have been around for some time, a number of which have been there for at least five or six years."
Indeed, the report found that the top ten vulnerabilities that have been exploited in 2015 are over a year old, and 68% of them were at least three years old. In particular, 29% of all successful exploits in 2015 were using a 2010 Stuxnet infection that had been patched twice.
This lack of originality is borne out in the fact that the overall number of newly discovered malware was down by 3.6% year-over-year.
It was Microsoft Windows that had the dubious honour of being the most targeted software platform. 42% of the top 20 exploits that were discovered were directed at Microsoft platforms and applications.
The report also highlights the increasing "monetisation of malware", declaring that "2015 saw the culmination of the monetization of vulnerabilities."
Grieveson said: "The bad guys have moved from disruption to building that market place with a fantastic return on investment for a very minimal effort on their part." He said that consequently there has been a rise in malware aimed at ATMS, banking Trojans, and ransomware.
One of the banking Trojans that were popular, the Zbot Trojan and its variations, continued to try and push back against efforts to protect against it. In total over 100,000 such attacks were detected during 2015.
This challenges the traditional security approach of focussing on the perimeter. With increasing mobility, and an increasingly indefinable boundary to protect, Grieveson said that "I generally believe, and we believe, if you’re going to defend against the bad guy you really need to focus on the interactions between the user, the data, and the application, and that is your new perimeter."
Part of the increasing monetisation is a focus on mobile devices. The report found that around 75% of the mobile applications that it scanned had at least one critical or high severity vulnerability, while the number was just 35% for non-mobile applications.
In addition, vulnerabilities as a result of API abuse are significantly more common in applications than web applications, although error handling is more likely to be found in web applications.
There was also an 153% year-on-year- increase in Android threats being discovered daily, with the number reaching over 10,000. On Apple’s iOS the situation was even worse, with HPE finding a 230% increase, and the iOS platform becomes an increasingly popular target for hackers.
To better tackle this new style of threat Grieveson "recommends this spending of money on point solutions it’s really about looking at your security in a holistic manner." He said that "and in doing so you might actually find that where you think you’re spending your money might not be the best place to spend it."
As more and more solutions come on to the market, and organisations become more security conscious, there is the risk of data overload.
"Yes organisations are spending money on intelligence gathering, there’s lot of them on the market," said Grieveson. "The challenge is you don’t really link it back to business outcomes."
He said that "what tends to happen is organisations drown in data. So I actually advise to not try and build yourself a data lake, but actually build yourself a data puddle, and that data puddle is the thing that’s really important to focus on, is the bad guy."
Grieveson said that what brings this data to being useful is having a business understanding of what it is, and what it is for.
"What we see lots of organisations have technologies, but when it comes to actually running them, because they haven’t got that business understanding, that business context, and linking back to business outcomes, all they’re doing is collecting lots of logs. Reality tells you could probably only look at a small amount," he said.
"Indeed HPE has been trying to do this itself. A number of years ago our CSO said it would make sense if we could get to the crux of what the bad guys are doing," he reveals.
"You’ve got all this noise happening," said Grieveson, "there’s no point in focussing on the known knowns. What we really want to know is the unknown unknowns, which is the new stuff that the bad guys are using to exploit. So a great example is malware. Typically organisations deploy technology which is rules based in the malware inspection space. The problem with rules based approach is you have to know something, and as we know the threat landscape is changing."
His organisation is creating software that tries to focus on discovering what Grieveson describes as "unknown knowns".
"It looks at character recognition using an algorithm based approach, so you can actually understand classes of vulnerabilities rather than individuals. What this means is "instead of looking at these millions of logs, you’re only looking at 2%,3%,4%,5%".
One issue in cyber security may not be solvable just by numbers though. The report highlights growing political instability as an issue. "A difficult and violent year on the global scene, combined with lingering distrust of American tech initiatives in the wake of revelations by Edward Snowden and other whistleblowers, led to a fraught year for data privacy, encryption, and surveillance worldwide," it said.
This has certainly been demonstrated in the standoff between Apple and the FBI about decrypting the phone involved in the San Bernadino terrorist shooting.
"Those evaluating the security of their enterprises would do well to monitor government efforts such as adding "backdoors" to encryption and other security tools," recommends the report.
For Grieveson, "one of the challenges is security has always been an afterthought. So lots of organisations are focussing on getting things to market faster, cheaper, quicker. They’re thinking about their performance, and they tend to come back to security as an afterthought. So actually if they’d back it in and built security by design they wouldn’t be in that situation."
HPE’s report reveals that this approach is necessary, in the face of a highly accomplished adversary who is now acting as much as a business as the firms they attack.