
Machine Learning to the Rescue on Cyber?

Machine learning has been a staple of our consumer-driven economy for some time now.

When you buy something on Amazon or watch something on Netflix or even pick up groceries at your local supermarket, the data generated by that transaction is invariably collected, stored, analyzed and acted upon.

Machines, no surprise, are perfectly suited to digesting mountains of data, observing our patterns of consumption and creating profiles of our behaviors that help companies better market their goods and services to us.

Yet it’s only been in the past few years that machine learning, a.k.a. data mining, a.k.a. artificial intelligence, has been brought to bear on helping companies defend their business networks.

See also: Machine Learning: a New Force

I spoke with Shehzad Merchant, chief technology officer at Gigamon, at the RSA 2017 cybersecurity conference. Gigamon is a Silicon Valley-based supplier of network visibility and traffic-monitoring technology. A few takeaways:

Machines vs. humans. There is so much data flowing into business networks that figuring out what’s legit vs. malicious is a daunting task. This trend is unfolding even as the volume of breach attempts remains on a steadily rising curve. It turns out that cyber criminals, too, are using machine learning to boost their attacks. Think about everything arriving in the inboxes of an organization with 500 or 5,000 employees, add in all data repositories and all the business application repositories, plus all support services; that’s where attackers are probing and stealing.

Understanding legitimate behaviors. To catch up on the defensive side, companies can turn to machine learning, as well. Machines are suited to assembling detailed profiles of how employees, partners and third-party vendors normally access and use data on a daily basis. It’s not much different than how Amazon, Google and Facebook profile consumers’ online behaviors for commercial purposes. “You have to apply machine learning technologies because there is so much data to assimilate,” Merchant says.

Identifying suspicious behaviors. The flip side is that machines can be assigned to do the first-level triaging—seeking out abnormal behaviors. Given the volume of data handling that goes on in a normal workday, no team of humans, much less an individual security analyst, is physically capable of keeping pace. But machines can learn over time how to automatically flag events like a massive file transfer taking place at an unusual time of day and being executed by a party that normally has nothing to do with such transfers. The machine can raise a red flag—and the security analyst can be dispatched to follow up.
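The two takeaways above describe one pipeline: learn how each user normally moves data, then let the machine do first-level triage by flagging events that break the profile on several axes at once. The following is an added illustration, not Gigamon’s code or anything Merchant described in detail: it builds a per-user baseline from a constructed transfer history, scores new events on size, hour of day and the user’s role (the `TRANSFER_ROLE` set is a hypothetical role mapping), and only surfaces events with more than one abnormal signal so an analyst is dispatched for the red flags rather than for every outlier.

```python
"""Baseline-and-flag triage for file-transfer events (added example).

Not Gigamon's code. HISTORY and TRANSFER_ROLE are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, hour_of_day, bytes_transferred)
HISTORY = [
    ("alice", 9, 12_000_000), ("alice", 10, 15_000_000), ("alice", 14, 11_000_000),
    ("alice", 16, 13_000_000), ("alice", 11, 14_000_000),
    ("bob", 8, 2_000_000), ("bob", 9, 1_500_000), ("bob", 13, 2_500_000),
    ("bob", 15, 1_800_000), ("bob", 10, 2_200_000),
]

# Hypothetical role mapping: users whose job actually involves bulk transfers
TRANSFER_ROLE = {"alice"}


def build_baseline(history):
    """Per-user profile: typical transfer size (mean, stdev) and hours seen."""
    sizes = defaultdict(list)
    hours = defaultdict(set)
    for user, hour, nbytes in history:
        sizes[user].append(nbytes)
        hours[user].add(hour)
    return {
        user: {"mean": mean(vals), "stdev": pstdev(vals), "hours": hours[user]}
        for user, vals in sizes.items()
    }


def score_event(event, baseline, threshold=3.0):
    """Return the reasons an event looks abnormal (empty list means normal)."""
    user, hour, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    # Size far above the user's own history; guard against a zero stdev
    spread = profile["stdev"] or profile["mean"] * 0.1 or 1.0
    if nbytes > profile["mean"] + threshold * spread:
        reasons.append("size far above user baseline")
    # Transfer at an hour this user has never been active before
    if hour not in profile["hours"]:
        reasons.append("unusual hour for user")
    # A large transfer by someone whose role has nothing to do with transfers
    if user not in TRANSFER_ROLE and nbytes > 10_000_000:
        reasons.append("user not in transfer role")
    return reasons


def triage(events, baseline, min_reasons=2):
    """First-level triage: surface only events with several abnormal signals."""
    flagged = []
    for ev in events:
        reasons = score_event(ev, baseline)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev, why in triage([("bob", 3, 900_000_000), ("alice", 10, 14_500_000)], base):
        print("RED FLAG", ev, why)
```

The `min_reasons` knob is the design choice worth noting: a single signal (one late-night transfer) is noise at enterprise volume, while the combination of size, hour and role mismatch is exactly the case the article describes and is rare enough for a human to follow up on.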

“We’ve got to level the playing field … today, it’s machine versus humans,” Merchant says. “Organizations have to throw technologies, like machine learning into the mix, to be able to surface these threats and anomalies, so that we take out the bottlenecks.”

Why More Attacks Via IoT Are Inevitable

The massive distributed denial of service (DDoS) attack that cut consumers off from their favorite web haunts recently was the loudest warning yet that cyber criminals can be expected to take full advantage of gaping security flaws attendant to the Internet of Things (IoT).

For much of the day, on Friday, Oct. 21, it was not possible for most internet users to consistently access Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal.

Using malware, dubbed Mirai, an attacker had assembled a sprawling network of thousands of hacked CCTV video cameras and digital video recorders, then directed this IoT botnet to swamp the marquee web properties with waves of nuisance pings, thus blocking out legitimate visitors.

See also: Insurance and the Internet of Things

Mirai is designed to take over IoT devices running the lightweight BusyBox software that is widely used to control them. The source code for Mirai can be found online and is free for anyone to use. ThirdCertainty asked Justin Harvey, security consultant at Gigamon, and John Wu, CEO of security startup Gryphon, to flesh out the wider context and discuss the implications. The text has been edited for clarity and length:

ThirdCertainty: Why do you think these attackers went after BusyBox systems?

Wu: Because BusyBox is lightweight; it’s used on most IoT devices that have limited memory and processing. BusyBox is a utility with lots of useful commands.

Harvey: BusyBox is very standardized. It is highly used in the field, and it also runs Linux, so the internals are very straightforward and easy to duplicate in testing systems.

3C: How did the attacker locate so many vulnerable devices?

Wu: Standard IP scanning would identify the devices, and then the attacker could use the admin interface to install the malware. These devices had weak default passwords that allowed hackers to install Mirai.

Harvey: Cross-mapping manufacturers with types of devices, then using the website Shodan to get a list of open devices. Once they had the list of devices, they could create a massively parallel script to step through each and determine whether they used the version of the OS they wanted.

3C: How many devices did they need to control to carry out three waves of attacks over the course of 12 hours?

Harvey: 300,000 to 500,000.

Wu: Probably a few hundred thousand devices. Because it’s distributed, there is no way to simply block all the IP addresses.

3C: Are there a lot of vulnerable devices still out there, ripe for attack?

Harvey: Yes! Shodan specializes in noting which devices are out there and which are open to the world. The devices used in this attack were but a small fraction of open or insecure IoT devices.

Wu: We don’t know exactly how many devices are still out there as sleeper bots. Mirai also is actively recruiting new bots. From what I understand, these IoT devices had open channels, and the users had practiced poor password protection for root access to install additional components.

3C: What do you expect attackers to focus on next?

Wu: I would expect the attacks to get larger and more sophisticated. Mirai also is working in the background to recruit more devices. The next attack may not be as public because they’ve already shown what the botnet network is capable of.

3C: What should individual consumers be most concerned about at this point?

Harvey: Consumers need better education on changing the default access and security controls of their IoT devices. Manufacturers need to take security seriously. Period. Congress needs to step in, conduct some hearings on IoT issues and perhaps regulate these devices.

Wu: Consumers need to be concerned if their device is one of the devices already compromised or at risk of being compromised. They should contact the manufacturer to ask if a security patch is available. A simple solution would be to take the device offline, if it’s something you can live without.

3C: What is the most important thing company decision-makers need to understand?

Wu: If you are dependent on the internet for your revenue and business, you should be planning alternative communication channels. If DNS is critical to your business, you should look at backups to just one service provider. Let people know that, if email is down, you can still get business done over the phone.

Harvey: Businesses need to understand the implications of running IoT devices within their companies and question the business need for using IoT devices versus the convenience.

See also: How the ‘Internet of Things’ Affects Strategic Planning

This article originally appeared on ThirdCertainty.

As IoT Expands, Risks Grow Even Faster

Get used to it. The Internet of Things is here to stay. In fact, IoT is on a fast track to make all manner of clever conveniences part of everyday commerce and culture by the close of this decade.

Tech research firm Gartner estimates IoT endpoints will grow at a breakneck 32% compounded annual growth rate over the next few years, reaching an installed base of 20.8 billion IoT units by 2020.

See also: Insurance and the Internet of Things

Tiny, single-purpose sensors designed to collect rich profile data on individual behaviors — as well as on company systems — can already be found in all manner of medical devices, automobiles, TVs, gaming consoles, webcams, thermostats, utility meters, household appliances, manufacturing settings and wearable tech. Much more is coming.

It is incumbent upon the businesses that deliver both the IoT devices — and the new internet-connected services that IoT sensors make possible — to address the security exposures that are part and parcel of this rapid scale-up. Fortunately, cybersecurity vendors are stepping up innovation to do just that. Gartner projects that worldwide spending on IoT security will reach $348 million in 2016 — up 24% from 2015 spending — and will climb steadily to $840 million by 2020.

I recently sat down with Johnnie Konstantas, director of security solutions at Gigamon, a supplier of network visibility technology, to discuss what’s on the horizon. The following text has been edited for clarity and length.

3C: What is the core security challenge accompanying our rapid deployment of billions of IoT sensors?

Konstantas: IoT sensors are quite small and pretty cheap, too, and they don’t have a lot of memory on them. Their whole point is to store a little bit of information and then just forward it on to the cloud. If you think about how we traditionally use things like encryption and a firewall to secure a mobile phone or laptop, that’s very hard to do on a small IoT sensor.

So what you have is a conduit into the corporate network deployed for the purpose of receiving intelligence, and you can’t really push perimeter protection out to these IoT devices.

There’s no question IoT sensors can potentially be a way in. The IoT endpoint could get infected with malware, or it could be used as a lily pad to jump in deeper.

3C: What defensive approaches look promising?

Konstantas: A lot of it comes down to continuous monitoring. These devices are going to always be on, transmitting intelligence. The idea is to continuously understand what the IoT device is forwarding or receiving 24/7. Sounds like a tall order, but doing that allows you to essentially perform analytics on IoT-generated traffic. And with the proper kinds of security analytics in place, you will be able to surface anomalies.

See also: How the ‘Internet of Things’ Affects Strategic Planning

3C: Sounds like big data analytics with an IoT twist.

Konstantas: Yeah, exactly. Big data analytics is nothing new. Security analytics is nothing new. But both are actually seeing a resurgence. Call it SIEM (security and information event management) 2.0 for lack of a better word. This time, SIEM is not so much about collecting large volumes of data; it’s more about getting the right kinds of data. It’s about pruning my data feeds to figure out whether I have any risks associated with my IoT deployments.
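Konstantas makes two connected points: continuously watch what each sensor sends and receives (the answer on continuous monitoring above), and prune the feed to the right kinds of data rather than hoarding volume (the SIEM 2.0 answer). The block below is an added illustration, not Gigamon’s code or a description of its products: it takes constructed flow records in a simplified NetFlow-like tuple form, prunes them to an inventoried set of sensor addresses (`IOT_DEVICES` is a hypothetical inventory), learns each device’s normal destinations and flow size, and then surfaces a new destination or a volume spike in a later window.

```python
"""Continuous monitoring of IoT sensor traffic with feed pruning (added example).

Not Gigamon's code. IOT_DEVICES and the flow lists are constructed sample data;
a flow record is (src_ip, dst_ip, dst_port, bytes_out).
"""
from collections import defaultdict

# Hypothetical inventory of IoT sensor addresses: the only sources we keep
IOT_DEVICES = {"10.0.5.11", "10.0.5.12"}

# Constructed learning window; the laptop flow is deliberately out of scope
BASELINE_FLOWS = [
    ("10.0.5.11", "203.0.113.10", 443, 1200),
    ("10.0.5.11", "203.0.113.10", 443, 1300),
    ("10.0.5.12", "203.0.113.10", 443, 900),
    ("10.0.1.20", "198.51.100.5", 443, 500_000),  # a laptop, pruned out
]


def prune(flows, devices=IOT_DEVICES):
    """Keep only flows sourced from inventoried sensors: the 'right' data feed."""
    return [f for f in flows if f[0] in devices]


def learn_profile(flows):
    """Per-device profile: destinations seen and mean bytes per flow."""
    seen = defaultdict(lambda: {"dests": set(), "sizes": []})
    for src, dst, port, nbytes in prune(flows):
        seen[src]["dests"].add((dst, port))
        seen[src]["sizes"].append(nbytes)
    return {
        src: {"dests": p["dests"], "mean_bytes": sum(p["sizes"]) / len(p["sizes"])}
        for src, p in seen.items()
    }


def detect(window, profile, volume_factor=5.0):
    """Surface anomalies in a new window: unknown device, new destination, spike."""
    findings = []
    for src, dst, port, nbytes in prune(window):
        base = profile.get(src)
        if base is None:
            findings.append((src, "device with no learned profile"))
            continue
        # A sensor should only ever talk to its collector; anything else is new
        if (dst, port) not in base["dests"]:
            findings.append((src, f"new destination {dst}:{port}"))
        # A small sensor suddenly pushing many times its usual bytes per flow
        if nbytes > volume_factor * base["mean_bytes"]:
            findings.append((src, f"volume {nbytes}B exceeds {volume_factor}x baseline"))
    return findings


if __name__ == "__main__":
    profile = learn_profile(BASELINE_FLOWS)
    window = [
        ("10.0.5.11", "203.0.113.10", 443, 1250),   # normal
        ("10.0.5.11", "192.0.2.99", 8080, 400),     # new destination
        ("10.0.5.12", "203.0.113.10", 443, 40_000), # volume spike
        ("10.0.1.20", "198.51.100.5", 443, 10),     # not an IoT source, pruned
    ]
    for src, why in detect(window, profile):
        print(src, why)
```

Pruning first is what keeps this tractable at scale: the profile is built only over sensor-sourced flows, so the per-device state stays tiny and the anomaly rules stay simple enough to run continuously on the traffic as it is forwarded.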

3C: What key developments are on the horizon?

Konstantas: I’ve been in security since ’98, so I’ve seen a few patterns play out. The one constant has been that when cool technology emerges — like our ability to do commerce on the web or virtualized storage and computing — adoption tends to be a lot faster than the arrival of the technology to secure it. So it’s fair to say that our desire to take advantage of sensor networks and IoT is going to outpace our ability to roll out security infrastructure to secure them as well.

More stories related to the Internet of Things:
Technological armor evolves to keep IoT devices safe from attack
Ripples from Internet of Things create sea change for security, liability
Consumers should brace for home network intrusions in 2016

This post originally appeared on ThirdCertainty.