Blog :: Security Operations

Security Reflections from RSA 2017 and CiscoLive! Berlin


The last fourteen days have been a whirlwind, having spent the week of February 13th in San Francisco at RSA 2017, and then the week of February 20th in Berlin, Germany at CiscoLive! I had the opportunity to speak with hundreds of people and thought I would share my observations, experiences, and security reflections from RSA 2017 and CiscoLive! There were four important and recurring topics that I thought were prevalent and worthy of review.

1. Prevention is impossible, but is still getting all of the attention

The most important topic that Plixer talked about during these events was that the complete prevention of security breaches is currently impossible. For generations, organizations have been investing budget in the name of prevention, but today, the bad guys are winning. The combination of rapidly increasing threat surfaces and the sophistication of attacks has brought us to a place where breaches are inevitable. It’s no longer a matter of whether a breach will occur, but rather a matter of when and how long it takes for organizations to react appropriately. From the boardroom to the security operations teams, companies must evolve their process to include systems that deliver forensic data in support of rapid and effective incident response.

Interestingly, at RSA there were two massive halls of vendors who, for the most part, were positioning their products as tools of prevention; at CiscoLive!, there was a large security-focused portion of the show floor. The overwhelming emphasis of messages being delivered sounded something like, “Buy my product and protect yourself from the bad stuff…” In my opinion, the industry’s overwhelming focus on prevention is leaving companies with a critical gap. When breaches occur—and we have already established that they will—what is really needed is the ability to identify that a breach has occurred and a wealth of forensic data to quickly resolve the problem. Network Traffic Analysis is needed to fill this gap.

RSA 2017: Plixer booth RSA 2017

2. IoT security has moved from a conceptual issue to a real world problem

Leading up to RSA 2017, I read many projections that the Internet of Things (IoT) would be a hot topic, and these shows did not disappoint. IoT has long been portrayed as a ticking security time bomb, but 2016 brought that fear to life. Thanks to the release of the Mirai botnet, which used thousands of IoT devices to launch the biggest Distributed Denial of Services (DDoS) attacks the world has ever seen, IoT security has become a hot topic with real teeth. The solution for securing IoT devices should really be a collaborative effort between the manufacturers and users of these devices. Manufacturers must move to embed greater default security into the devices. Default passwords should be random and lengthy. The devices themselves should be hard-coded to communicate only with the manufacturer’s web resources and the appropriate on-premise servers. End users should monitor the traffic generated by the IoT devices and alerts should be immediately generated if any communication beyond the least privilege occurs.

CiscoLive! Berlin: Plixer booth at CiscoLive! Berlin

3. Ransomware has become a very lucrative business for bad actors

Ransomware attacks quadrupled in 2016 and are expected to double again in 2017. Often these attacks are executed via phishing, and then code is placed on the device that eventually encrypts the data on the hard drive. A message pops up on the screen notifying the user of the encryption and delivers instructions on how to pay a ransom to get the data back. If an organization has backed up all their critical data across all devices, the hard drive can be wiped and restored; however, most companies are not consistently backing everything up, and in many cases restoring the data may be time-consuming and more costly than simply paying a modest ransom. Since most ransomware comes in as zero day attacks, security systems that monitor for anomalous behavior are needed to flag infections. Once a system is infected, it is very important that security teams have the forensic information to identify what domains the system has reached out to for the command and control server. Once this is known, all other devices should be monitored for similar activity. Financial institutions and healthcare are rapidly becoming the targets of choice for ransomware attackers. There is too much to lose from downtime, and ransoms are often paid very quickly.

4. DDoS attacks are on the rise and there is no good solution for mitigating your risk

DDoS attacks are on the rise and there is little that you can do to protect yourself. Many predict that DDoS will overshadow ransomware attacks in 2017. DDoS has become a significant source of revenue for bad actors. Many websites have arisen in the name of DDoS-for-hire. Disgruntled employees and students unprepared for a test can pay a nominal fee to attack anyone. In the past, a company might consider themselves as unlikely targets, living under the radar, but now it can be anyone. In addition, revenue from DDoS extortion is on the rise. Companies are contacted and threatened with an attack unless a fee is paid.

As I learned and saw firsthand at RSA 2017 and CiscoLive! Berlin, security risks are greater than ever. IoT, ransomware, and DDoS attacks will breach almost every organization over the course of 2017. While the industry at large is still shouting from the rooftops that you should be spending your budget and time on prevention, I believe organizations must be preparing for the inevitability of breaches. A high priority should be given to evaluating Network Traffic Analysis systems that provide forensic data in support of effective incident response.

Download a free version of Scrutinizer from Plixer to see how Network Traffic Analysis can help prepare you for inevitable security breaches associated with IoT, ransomware, and DDoS.