Reassessing the Advanced ThreatWill Irace of Fidelis on How to Marshal the Resources
Today's advanced threats are no secret. Focusing the correct resources on them is the true challenge, says Will Irace of Fidelis. He offers tips for harnessing the right skills and technology.
See Also: A Guide to Passwordless Anywhere
To start with, Irace says, organizations have to stop and realize that advanced threats don't refer solely to technology.
"Advanced threats are not things; they're smart people wielding sophisticated tools," says Irace, VP of threat research for Fidelis. "What this means to me on the defensive side is that you can't just plan to invest in a technology that's going to fix everything for you. We need advanced persistent defenders."
What, then, are the hallmarks of an advanced defense?
"Advanced to me means adaptive, tenacious, determined, skilled," Irace says.
In an interview about tackling advanced threats, Irace discusses:
- Why organizations struggle to detect and prevent known threats;
- The right skills, technologies and capabilities needed for the job;
- How organizations are deploying the new Fidelis XPS Vector.
As Vice President of Threat Research for Fidelis, Irace leads a team of professionals tasked with bringing customers closer to a state of justified confidence regarding their defensive posture against sophisticated adversaries. Since starting his career in information technology over two decades ago, Irace has brought his unique blend of skills and experiences to a diverse range of enterprises. Prior to joining Fidelis, he worked at Internet Security Systems and IBM, delivering penetration tests, security architecture design, security strategy workshops and policy development services. In the web's early days, Irace produced live streaming-media webcasts for a variety of clients in the entertainment industry.
TOM FIELD: At the outset here, why don't you tell us a bit about yourself and your background please?
WILL IRACE: My team provides the knowledge that fuels Fidelis products. The team is composed of incident responders, malware experts and gurus on the subject of the information landscape and Fidelis in particular. As for me, I joined Fidelis back in 2008. Before that I was at Internet Security Systems during its glory days. I also like to fly kites.
Advanced Defenders Needed
FIELD: We've been talking about advanced threats for years now. How do you find these threats are specifically challenging organizations in terms of detection and prevention?
IRACE: It's the use of the word advanced. By definition, that sort of makes it a challenge; it makes it a moving target. What I especially want my customers to remember is that advanced threats are not things; they're smart people wielding sophisticated tools. What this means to me is that on the defensive side, you can't just plan to invest in a technology that's going to fix everything for you. We need advanced persistent defenders. I wish I knew who coined that term because I like it better than APT. The answer is that advanced to me means adaptive, tenacious, determined and skilled, and so defending against that is really quite different from what we were doing when we were fighting the likes of Slammer, Blaster, Nimda, CodeRed and all those guys in the good old days.
Prevention: What's Lacking
FIELD: You have the opportunity to see lots of different organizations. What skills, technology and capabilities do you find that these organizations are lacking today when it comes to confronting the advanced threat?
IRACE: Like I said at the beginning, I fly kites. Let's take a fictional kite manufacturer as an example. They've got lots invested into their intellectual property, things like wing design or advanced materials, their construction methods, marketing techniques, supplier relationships, whatever. They've got thin margins. They've got hard business decisions to make. If I run a kite manufacturing company, do I hire kite experts and do I sponsor kite events and invest in my technology, or do I build a cutting-edge security operations center? I think the choice is clear, and risk people who think deeply about that are always thinking about things like the composite risk index. This is a formula that's the product of the impact of a risk event multiplied by the probability of its occurrence. Risk people like to apply some numbers to that, and, if you're a really mature organization, you know how much to spend on security. But when it comes to advanced threats, it's much harder to quantify risks in that way, and it was already hard to begin with. Having said all of that, it's a very rare organization that justifiably allocates enough resources to keep those most advanced adversaries at bay. If I'm a kite person defending against hackers, it isn't my core competency. It never will be. So what they lack is that little extra bit to go from due diligence and basic compliance to solid and effective protection.
FIELD: Fidelis is a player in the marketplace here. Talk a little bit about the solution that you bring to the battle.
IRACE: Given all that arm-waving, Fidelis is about helping customers increase the confidence with which they approach advanced threats, and not just increase, but justifiably increase their confidence. We do this with a combination of technology and service offerings. Our goal for customers to begin with is you need to realize that you're a target, and you either are or you will be soon breached. Then, once you make that realization, we have three goals for our customers. We want to help them establish a state of readiness to respond to those attacks. We want to help them maintain that state of readiness once they've acquired it. And importantly, we want to help them be ready to respond effectively to some sort of a breach event.
Fidelis is all about this blend of products and services that are aimed at fulfilling those three specific missions. On the product side, we've got really advanced customers who have been using what we describe as our broad spectrum, detection and prevention technology. They've been using it for years to great effect to combat advanced threats. We also have customers who have been telling us that they don't have the resources to use that powerful, broad spectrum tool to its fullest, and it's that second group of customers - back to my kite manufacturer - that are the ones we had in mind when we designed our latest product, which we call Fidelis XPS Vector.
Fidelis XPS Vector
FIELD: I wonder if you might be able to walk us through what you would call a typical customer case study. How are your customers deploying your solutions, your services and, particularly, your new product, Fidelis XPS Vector?
IRACE: In the case of Vector, it's a network appliance. It deploys at network egress points on a tap, or a SPAN port, or even inline, the same way our customers are used to deploying their intrusion prevention systems. For Vector, that's the hardest point, getting it racked and stacked. There's almost nothing for them to configure. You give it an IP address. It pulls down the latest threat intelligence. It presents really thorough alert details, execution forensic details, and in many cases, depending on the way it's deployed, it will kill bad stuff for those of our customers who want it to be able to do that. There's no management console to set up; that's all built in.
Once it's installed and running, we're looking in real time for evidence of the four main phases of what we describe as the infection life cycle. Those are the infiltration phase; usually that's malware, but not always. The second phase is command-and-control, where there's some sort of "phone home" event where the infiltration malware gets some sort of instructions or additional software. There's a lateral propagation phase because, let's say, the benefits administrator's computer that's the first hacked probably doesn't have what the adversaries are looking for, they need to expand their foothold throughout the organization; that's propagation. Finally, usually but not always, there's some sort of ex-filtration event.
Between those four steps - infiltration, command-and-control, lateral propagation and ex-filtration - that's what our system's looking for and there's probably a longer conversation some other time to be had about what that life cycle looks like in more detail, but I will say that it's usually measured in months or years, as opposed to just hours. My favorite aspect of our Vector product is that those of our customers who want to start with that and then migrate from a plug-and-play TCO solution to the full spectrum product I was talking about earlier, they can do that with a simple software upgrade. When they do that, they get cool stuff like non-selective metadata analysis, our multi-tier management infrastructure, and all sorts of other cool stuff we can talk about another time. I'm a technology guy, so I will try not to say TCO again during this phone call.
FIELD: Lots of players have got products and solutions in the marketplace. What would you say most distinguishes Fidelis XPS Vector?
IRACE: This is the good part. I've worked for a lot of product companies, and I've got to tell you it's really nice to work for one that makes crazy claims that we can actually back up. Here are some of our crazy claims, and I'll tell you how we back them up in a second. Incredible speed is one of our cornerstones. A 1U box can process in real-time multiple gigabytes per second of traffic without any sampling, dropping or selection of packets. This means that it's analyzing multiple artifacts per second, payloads that might or might not be malware, and this multiple artifacts analyzed per second contrasts strongly with some of our competitors, where we're talking about multiple minutes per sample. That's a huge difference.
Another crazy claim that we make is the breadth of our protocol awareness. We support and inspect in real-time dozens of protocols beyond just mail and web, because there's a lot more going on egress points nowadays then just mail and web.
There's depth of support for document decoding and obfuscation handling, and that's really important because the stuff that's dangerous generally isn't being transmitted in the open. There are all sorts of encoding and obfuscation that are really difficult to see in real time as you're decoding and examining sessions.
Finally, [there's] the quality of the content supplied by the Fidelis researchers that stand behind this product. Those are our cornerstones: the speed, breadth of protocol, depth of support for document decoding, and then the quality of our research. The best thing about all of this is that NSS Labs put all this arm-waving to the test just last month. They tested us. They tested some other prominent players in the advanced threat space. Our test result in terms of accuracy and breach detection was 98.4 percent based on their analysis, and that's notable because if I have a competitor that had a better result than that, they've been very quiet about it and that I find interesting.
Advanced Threat Trends
FIELD: Based on your research, what are the advanced threat trends that we really need to be watching out for now?
IRACE: This question gets asked a lot and I won't say much different from what you've heard from others. Adversaries are not going to get any dumber. They didn't roll over and give up when we got better at defending web servers from buffer overflow attacks. They're not going to roll over when we get better at closing SQL injection holes - finally, I can't believe that's still happening - or cross-site scripting vulnerabilities, cross-site request forgeries, whatever the latest tricks are. They're not going to roll over when we catch up to their techniques for concealing command-and-control or ex-filtration. They're not going to roll over and give up when we reach 100 percent malware detection rate, if that's even possible. If there's a pattern, I think it's that attacks are moving higher in the OSI model for those of your listeners that are familiar with that. What I mean is that low-level attacks against public-facing servers have given way to what you describe as social engineering attacks, targeted phishing, high-level content based and payload based attacks against vulnerable human beings as opposed to assets. I think that's pretty big and will continue.
There's continuing excitement about BYOD and COIT. That's bring-your-own-device and consumerization of IT. That's the whole idea that you've got employees bringing their own gear into your network, and what that means in terms of risk is significant and important. You'll see a lot of study and discussion continuing on that.
On the defensive side, there are two topics that are getting a lot of discussion. One is this area of active defense. That's a tricky topic, but what does that mean? What can I do in terms of reducing risk with active defense? Where are the legal and ethical boundaries there? That's tricky and interesting. Then, a biggie, especially in terms of where I play, is this idea of threat intelligence sharing. [There's] the old saying, "A rising tide lifts all boats." You've got potentially competitors that have an interest in sharing threat intelligence information, even information about live and active breaches, conceivably because doing that improves the security landscape for all of us, so figuring out ways for all of us to work together between the government, the commercial space and between individual enterprises is an area of hot concern for me as well.