Detecting and preventing advanced attacks isn't just a technology issue - it's a business risk that needs to be elevated to the highest levels of an organization. Trend Micro's Tom Kellermann shares strategies.
Attackers vary - they could be organized criminals, hacktivists or nation states. But one point they have in common: They understand the virtual supply chain, and they will target an organization's weakest link.
"They are conducting what's called 'island-hopping attacks' to leverage weaker elements of your supply chain, whether it's your outside general counsel or the PR/marketing firm that you depend upon," says Kellermann, Trend Micro's chief cybersecurity officer. "They understand your environment, they understand who your partners are," and they are exploiting any entry point to obtain the access and data they desire.
And one only needs to look at the recent news headlines to realize the potential business impact of such exploits.
"The Target breach really illustrated the unexpected and unintended consequences," Kellermann says, "which can include strategic impacts from costs to risks to professional impacts on the careers of the executives."
In an interview about evolving attacks and strategies, Kellermann discusses:
- Why targeted attacks are a strategic business problem;
- Biggest misperceptions about handling targeted attacks;
- Trend Micro's breach prevention capabilities.
Kellermann is a trusted advisor on cybersecurity. He is responsible for analysis of emerging cybersecurity threats and relevant defensive technologies. He served on The Commission on Cyber Security for the 44th Presidency and serves as an advisor to the International Cyber Security Protection Alliance (ICSPA) and the National Board of Information Security Examiners Panel for Penetration Testing. He is a professor at American University's School of International Service.
TOM FIELD: What are you seeing from attackers in terms of their strategic and tactical shifts?
TOM KELLERMANN: The adversary in today's environment, whether it be a criminal, hacktivist or nation-state, has greater reconnaissance and understanding of your virtual supply chain. They are conducting what's called "island-hopping" attacks, to leverage attacks against weaker elements of your supply chain, whether it's your outside general counsel, PR marketing firm or a managed service provider. They are understanding your environment, who your partners are and targeting that through the use of island hopping. In addition, mobile malware has exploded, and there are more capabilities that are being endowed upon the adversaries so they can automate attacks against both Apple and Android devices. Lastly, watering-hole attacks and click-jacking that is hostile to users have become a very troubling phenomenon, especially in North America.
Attacks as a Business Problem
FIELD: Why are targeted attacks a business problem, not just a technology problem?
KELLERMANN: If you think about the concept of island hopping and you look at the recent Target breach, you can understand that with a mismanagement of the vendor, attack paths were viable from that vendor into that network. The Target breach really illustrated unexpected and unintended consequences, which can include strategic impacts from costs to risks to professional impacts on the careers of the executives. Strategic impacts: There's a tremendous issue related to headline risk; that the reputation of your organization and the reputational risk of your organization is inherently dependent upon proper cybersecurity and proper cybersecurity risk management. There is the theft of intellectual property, the deterioration or loss of intangible assets from the market to the customer. And then there is the erosion of market value, as you can see not just from the shareholder value, but the market value of the brand itself.
Addressing Targeted Attacks
FIELD: What is the biggest misperception about how to address targeted attacks?
KELLERMANN: The greatest misperception is that there is an overreliance on technology and perimeter defenses. There is not an over-arching increase in situational awareness: where you need to expect to be hit, prepare, survive, improve incident response plans, and understand that time will be of the essence. When it comes to targeted attacks, you need to know where, when, and how you're being attacked and understand what the objectives might be. You have to understand that it goes beyond your web and email vectors alone. You need to truly worry about that virtual supply chain, whether it's your cloud, outside general counsel or public relations and marketing firm. In addition, you need to fundamentally recognize and appreciate that the adversary could already very well be within your systems. The paradigm itself has to shift. One must gear less towards that of building a fortification around your infrastructure and one more towards an increase in level of discomfort of someone who might already be in your house. So from an architectural perspective, shifting it toward the risk management approach which is more like that of a development of a super max prison, than that of creating a fortress around your data.
FIELD: How are you positioned to help organizations better detect and respond to these targeted attacks?
KELLERMANN: Trend Micro has made a tremendous investment of close to a billion dollars over the last six years alone in advanced threat protection and breach detection system capabilities, which are based upon our significant investment in personnel. We have over 1,200 dedicated threat researchers well positioned around the world, speaking 46 languages that give you 360 degrees of visibility into the latest attacks and attacker activity, specific to industry and specific to your own organization and enterprise network. We provide this capability through single low-cost appliances, but most importantly we provide you with the capacity to anticipate and predict attacks as they occur. We've created something called The Smart Protection Network. It's a cloud-based big data analytic network that feeds intelligence from our threat researchers to the products and platforms that secure your enterprise today.
Harvard Business Review Research
FIELD: What can you tell us about the research you commissioned with the Harvard Business Review and the results?
KELLERMANN: The research was a testimony to the reality that organizations must address targeted attacks as a strategic imperative. This is a risk management issue that needs to be elevated beyond the level of the CIO to the general counsel's office, to the CFO and CEO themselves. The top concerns in targeted attacks from this study were illustrated by potential brand damage, loss of revenue, damage to professional reputation and unfavorable publicity and loss of intellectual property. To this view, 71 percent of decision makers were not fully comprehending that an investment in cybersecurity is for the greater good and sustainability of operations of that organization.
FIELD: What kind of response did you see from them?
KELLERMANN: It's been mixed. Organizations and senior executives need to be of the mindset that plausible deniability is dead. That criminal negligence and lack of due diligence in cyber are here. That you're seeing more litigious behavior on the part of law firms to go after folks that have relied upon plausible deniability for years. And there is no longer the scapegoat effect of relying upon the concept of, "I didn't know it could happen, and if it did happen then I can just blame it on one person in the organization." The entire C-Level needs to be responsible for managing risk in today's environment, and when 98 percent of your operations are running in a virtual environment that is cyberspace, everyone's job is to sustain that and manage that risk.
NSS Labs Test
FIELD: What can you tell me about recent results from NSS Labs' breach detection test?
KELLERMANN: It was the first objective study to be conducted on the future of breach detection systems and next generation theft launch. What is illustrated within this study is that web and email threats are not the only threats that need to be prevented in today's targeted attack phenomenon. The key takeaways from NSS Labs' report were: Deep Discovery, our breach detection system, received the highest security effectiveness rating. That's due to our investment, but also due to the fact that these discoveries are powered by those threat researchers. It gives you 360-degree visibility into the threat landscape. No longer are you understanding that someone is in your house, but you're understanding how that relates to the outside world and to the van that is parked across the street. In addition, Deep Discovery had the second lowest cost of ownership in total and, because it was more advanced, it allowed you visibility in situational awareness across over 83 different protocols, including mobile and supply chain as a whole. With capabilities and product sets like FireEye, you need to understand they are significantly limited in their capacity to defend you for two reasons. One, they don't give you advanced visibility across over 83 different protocols, which limits you to just the purview of web and email. Two, when they terminate command and control of the adversary, they are not fully appreciating that it's not just about one command and control within these enterprises. That is like assuming that if someone broke into your house, and because you've shunned them from your household, there weren't two individuals that actually cased your house. The phenomenon here is, you must have greater understanding of the lateral movement of adversaries when they are within your network or supply chain, in order to truly eradicate the infestation that is being perpetuated by targeted attacks.
FIELD: What do your customers like about Deep Discovery and what do they find challenging?
KELLERMANN: They love the fact that it can be integrated with numerous things and provide them with advanced visibility into what is occurring inside their perimeter, and how that relates to the outside world. They love the fact that they are getting broad detection on a single affordable appliance, and they appreciate the fact that this appliance is correlating activity to allow them to anticipate the shift in six stages of attacks. Many of these capabilities give you no foresight into the visibility of how the attacker as a kill chain will evolve once they are already inside. Remember, a breach detection system is limited to alerting you that you have a problem within your enterprise. Understanding how that problem will metastasize is fundamental to your success.
FIELD: How can organizations leverage their existing security investments with Deep Discovery?
KELLERMANN: If you've appreciated the whole mission of Trend Micro, [you know] we as a company build platforms; we do not just put widgets together. We are focused on creating interdependent platforms that can provide you with the next generation advanced threat detection and response to these types of capabilities. There is no need to rip and replace our capability sets because they interoperate in various partnerships we have, for example, with a certain community, to allow greater visibility into the nature of attacks, and to be able to re-create your level of time which is fundamental for incident response. Time is the enemy here. Time, if not manipulated properly, can create a metastasis of a situation where your reputational risk will grow every day that you cannot respond to a situation.
FIELD: How do you help deliver a manageable total cost of ownership?
KELLERMANN: We provide the best in protection on a single affordable appliance. Unlike others, who charge recurring access fees, we provide you with what we believe to be the best correlated threat intelligence in the business for no additional cost. As demonstrated by the NSS Labs study, we're easy to install and administer, but least of all, we play well with others in terms of sharing insights into our targeted attacks and advanced threats, and that is demonstrative of how we work well with other SIEMs and how we work well with other advanced threat capabilities.
FIELD: What's the single piece of advice you'd offer security leaders on pitching to business leaders?
KELLERMANN: To improve risk management, one needs to obtain greater visibility as to the targeted attacks that are impacting your organization. As your brand increases in value and posterity, you will be targeted by elite hacker crews. Securing both your customer base and your supply chain will be imperative, and deploying breach detection systems and the application of threat intelligence will really be the determinant of how you can sustain your brand and reputation in 2014.