Kevin Mahaffey ( @dropalltables ) is the founder and CTO of Lookout, one of the first mobile-centric security/anti-malware companies.
This talk is intended to explore how many large and forward-thinking companies are removing many traditional elements of security architecture (e.g., anti-virus, VPNs, firewalls) in favor of a data-driven security model. The talk was given on 02 March 2016 at the RSA Conference in San Francisco.
I'm providing a brief reaction/summary, and then my notes. The notes are sort-of free-form, so apologies if they are only semi-comprehensible.
I am a big fan of the concept of internal resilience and immunity as an approach to security, as opposed to building a bigger, better wall at the perimeter. This is a more and more important approach as mobile devices, BYOD, external cloud service providers, and other trends take hold in organizations. I'm not convinced that the data-driven approach is the road forward, though. Data analytics is a powerful tool, but at some point it becomes an exercise in navel-gazing. If you literally log and watch everything, including the system that is storing and analyzing the logs, the data grows virtually without limit. Big data technologies are making this more practical, but detection and remediation still lag. The ideas Kevin is sharing are very interesting, but these methods still seem like an enhancement to me, rather than a replacement for traditional security devices/software.
The best resource mentioned was the Google "BeyondCorp" paper.
The real world does not match the theoretical model of secure system architectures. Mobile and other devices may not be patchable by the organization, vendor-owned/managed systems are present, and users find ways to “work around” policies and safeguards.
The typical approach to security architecture attempts to create a sterile environment inside the network, keeping all the “bad things” out. The evolutionary analogy is that the skin provides a barrier, but it does not, and is not intended to, keep everything bad out. There is an intricate immune system to detect and defeat pathogens that make it past the skin level.
Least (manageable) privilege is a typical "solution" to the permissions problem
- complex to manage
- becomes calcified and doesn’t respond to changing requirements (“privilege accretion”)
“We need to engineer an immune system” for the organizational network.
- operationalized data + automation
Analogous to the way credit card fraud prevention works. You don’t need to get permission ahead of time to do something; instead transactions are analyzed and likely malicious/fraudulent actions are identified and dealt with.
Facebook and Square push user auth and some alert response to users and managers instead of IT or SecOps.
AEDA loop — Acquire, Enrich, Decide, Act
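The AEDA loop can be sketched in a few lines. This is my own minimal illustration, not Kevin's implementation; the log format, role table, and allowed-action policy are all invented for the example.

```python
# A toy AEDA loop: Acquire a raw event, Enrich it with context,
# Decide whether it is suspicious, and Act on the decision.
# All field names and policy rules here are hypothetical.

def acquire(raw_log_line):
    """Acquire: parse a raw log line into a structured event."""
    user, action = raw_log_line.split(",")
    return {"user": user, "action": action}

def enrich(event, user_roles):
    """Enrich: attach context (here, the user's role) to the event."""
    event["role"] = user_roles.get(event["user"], "unknown")
    return event

def decide(event):
    """Decide: flag actions outside the user's role as suspicious."""
    allowed = {"admin": {"deploy", "read"}, "analyst": {"read"}}
    return event["action"] not in allowed.get(event["role"], set())

def act(event, suspicious):
    """Act: alert on suspicious events; otherwise just record them."""
    return ("ALERT" if suspicious else "OK", event)

user_roles = {"alice": "admin", "bob": "analyst"}
event = enrich(acquire("bob,deploy"), user_roles)
status, _ = act(event, decide(event))  # an analyst deploying -> "ALERT"
```

The point of the loop is that the Decide step only works because Enrich added context; the raw event alone ("bob,deploy") says nothing about whether the action is appropriate.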
“I’ve never heard anyone say they have TOO MUCH visibility into their infrastructure.”
If a given component were compromised, what specific data element would clearly indicate that?
“Should we put sensors on the device or the network?”
- both have problems
- on-device sensors have a compromise race condition; malware can potentially disable the sensor
The Privilege Accretion problem:
- privileges get added when needed, but not removed when no longer needed
- see Diogo Monica’s talk at Security@Scale for Square’s system
- model privileges to roles
- Emergency “break glass” access; can be used, but generates an alert when used
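The role-modeling plus break-glass idea can be sketched briefly. This is my own illustration of the pattern described above, not Square's actual design; the role names and the alert sink are assumptions.

```python
# Role-modeled privileges with "break glass" emergency access:
# the emergency path always succeeds, but always generates an alert.
# Roles, privileges, and the alert list are hypothetical.

ROLES = {
    "analyst": {"read_logs"},
    "sre": {"read_logs", "restart_service"},
}

alerts = []  # stand-in for a real alerting/audit pipeline

def authorize(user_role, privilege, break_glass=False):
    """Grant if the role includes the privilege; break-glass access
    is granted unconditionally but leaves an audit alert behind."""
    if privilege in ROLES.get(user_role, set()):
        return True
    if break_glass:
        alerts.append(f"BREAK-GLASS: {user_role} used {privilege}")
        return True
    return False
```

Because privileges hang off roles rather than individuals, pruning a stale role fixes accretion for everyone in it, and the break-glass path keeps emergencies from becoming a reason to over-grant standing access.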
Many security analytic data systems don’t have enough data to be effective
You’re forced to choose between too many false positives or too many false negatives.
The only way to get better is to add more context.
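A tiny example of what "add more context" buys you. The event data is entirely fabricated; the point is only that a single weak signal forces the false-positive/false-negative tradeoff, while a second contextual signal can dissolve it.

```python
# One weak signal ("off-hours login") vs. the same signal plus context
# ("off-hours login AND unknown device"). All events are invented.

events = [
    # (login_hour, from_known_device, is_attack)
    (3, True, False),    # night-owl employee on a registered laptop
    (3, False, True),    # night login from an unknown device
    (14, True, False),
    (14, False, False),  # new device during business hours: benign
]

def flag_hour_only(e):
    return e[0] < 6                # flags the night owl too

def flag_with_context(e):
    return e[0] < 6 and not e[1]   # off-hours AND unknown device

hour_fp = sum(1 for e in events if flag_hour_only(e) and not e[2])
ctx_fp = sum(1 for e in events if flag_with_context(e) and not e[2])
# hour_fp == 1 (the night owl), ctx_fp == 0; both rules still catch the attack
```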
Other times, there is enough (or too much) data, but it’s not operationalized/useable.
- analyzing data
- data -> information -> knowledge -> wisdom
- static/dynamic analysis of executables
- parsing of protocols
- data normalization
- “You can’t extract information that’s unsupported by the underlying data.”
- joining data
- isolated data is of limited value
- provides context
- foreign key problem: datasets can’t be joined unless they share at least one factor to correlate on
- data must be normalized for smooth joining
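A small sketch of why normalization matters for joining. The feeds, field names, and hostnames here are invented: the same asset appears as "WEB01.CORP.local" in one feed and "web01.corp.local" in another, so a naive equality join misses the correlation.

```python
# Joining a DNS log against an asset database, keyed on a normalized
# hostname. The records and schema are hypothetical illustrations.

def normalize(hostname):
    return hostname.strip().lower()

dns_logs = [{"host": "WEB01.CORP.local", "query": "evil.example.com"}]
asset_db = [{"host": "web01.corp.local", "owner": "payments-team"}]

def join(left, right, key="host"):
    """Inner join on the normalized key; merged records carry both sides."""
    index = {normalize(r[key]): r for r in right}
    return [
        {**l, **index[normalize(l[key])]}
        for l in left
        if normalize(l[key]) in index
    ]

joined = join(dns_logs, asset_db)
# The DNS event now carries asset context: which team owns the host.
```

Without `normalize()`, the join would return nothing, which is exactly the "isolated data is of limited value" failure mode: both facts existed, but neither could enrich the other.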
Must ensure that data sources are accounted for in terms of reliability and trust.
Anomaly detection: compare input against a model of expected behavior
- Good, in that it can find novel threats
- Bad, in that new things happen all the time that are valid and benign
- anomalies, on their own, are not sufficient as indicators
Supervised Machine Learning
- train the system with inputs that have known outputs
- train the system to arrive at the expected output from those training inputs
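A toy supervised learner shows the train-on-labeled-examples idea. This is a nearest-centroid classifier of my own construction, far simpler than anything production-grade; the features and labels are fabricated.

```python
# Train on (features, label) pairs with known outputs, then predict
# by nearest centroid. Feature values below are invented.

def train(examples):
    """examples: list of (features, label). Returns per-label centroids."""
    sums, counts = {}, {}
    for feats, label in examples:
        s = sums.setdefault(label, [0.0] * len(feats))
        for i, f in enumerate(feats):
            s[i] += f
        counts[label] = counts.get(label, 0) + 1
    return {lbl: [v / counts[lbl] for v in s] for lbl, s in sums.items()}

def predict(centroids, feats):
    """Label of the nearest centroid (squared Euclidean distance)."""
    def dist(c):
        return sum((a - b) ** 2 for a, b in zip(feats, c))
    return min(centroids, key=lambda lbl: dist(centroids[lbl]))

# features: (failed-login rate, MB transferred out) -- hypothetical
training = [((0.1, 1), "benign"), ((0.2, 2), "benign"),
            ((5.0, 90), "malicious"), ((6.0, 120), "malicious")]
model = train(training)
```

Unlike the anomaly detector above, this only recognizes patterns resembling its labeled training data, which is exactly why the talk argues for combining the two approaches.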
Combined Systems are generally going to be the solution.
- traverse connections to known malware
- expensive and noisy
Machines (currently) cannot make all the decisions.
Over-Automation or automating too quickly can create, essentially, an autoimmune disease.
Start by improving your IR team’s UX (user experience)
- gather all the data in one place (e.g., SIEM)
- ensure it is useable
Build feedback loops
- figure out what works and what doesn’t, and change functionality in response
Pull humans out, a little at a time
- start by having machines recommend actions, with humans approving
- if rejection rates are low (maybe under 1% or even 0.1%), you can remove the approval step and let the machine act on its own
- retain “circuit breakers” that keep a human in the loop if actions are particularly critical or if decision volume is high
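Those three steps can be sketched as a small state machine. This is my own illustration of the pattern; the thresholds and the volume-based breaker condition are assumptions, not figures from the talk.

```python
# Gradual automation: auto-execute only while the human rejection rate
# stays low, and trip a "circuit breaker" back to human review when
# decision volume spikes. Thresholds are illustrative, not prescriptive.

class Automator:
    def __init__(self, max_reject_rate=0.01, volume_breaker=100):
        self.approved = 0
        self.rejected = 0
        self.recent_volume = 0
        self.max_reject_rate = max_reject_rate
        self.volume_breaker = volume_breaker

    def record_review(self, accepted):
        """Feedback loop: track how often humans reject recommendations."""
        if accepted:
            self.approved += 1
        else:
            self.rejected += 1

    def can_auto_execute(self):
        total = self.approved + self.rejected
        if total == 0:
            return False  # no track record yet: keep humans in the loop
        if self.recent_volume > self.volume_breaker:
            return False  # circuit breaker: unusual volume, human review
        return self.rejected / total <= self.max_reject_rate

auto = Automator()
for _ in range(999):
    auto.record_review(accepted=True)
auto.record_review(accepted=False)  # 0.1% rejection rate: safe to automate
```

The "autoimmune disease" failure mode above maps to turning `can_auto_execute` on before the rejection rate is actually low, so the system starts attacking benign activity at machine speed.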
Square’s “Sting” system sends some alerts to humans.
- similar to how credit card companies ask the user if they have taken an action and if it was intentional
- also cuts rate of alert-creating actions