Infosec-Related Insights From Flash Foresight

One of the things I did not expect to get out of the recent Check Point Experience conference was: a book to read. That’s exactly what happened when, due to an encounter with Flash Foresight author Daniel Burrus on Twitter, a book showed up on my doorstep.

The Twitter encounter happened because Daniel Burrus spoke at Check Point Experience and I tweeted a few photos from his talk. Though he had only about a half-hour slot, I could have listened to him for hours. Many of his insights apply just as well to information security. In fact, plenty of the trends he discusses have immediate implications for the field.

Depending on how quickly you read, you can knock it out in an evening or two. This book is definitely a recommended read. Unlike many “business” books I’ve read, this one was an easy read, and I found it immediately resonated with my own experiences. I also found it to be very optimistic. Specifically, the problems we have today will be solved. The question is, by whom and how? If you apply some of the principles of Flash Foresight, maybe it could be you.

Walking Through the Seven Flash Foresight Principles

Daniel Burrus breaks down the process of Flash Foresight into seven principles. The application of one or more of these principles can be used to solve a variety of challenges. Surely, they can help us in infosec, no?

The first place to start: certainty. Specifically, what you know. That is largely reflected by trends:

The main difference between hard trends and soft trends is the level of certainty in the trend. They can sometimes be hard to tell apart, and people often make poor decisions because they can’t tell the difference.

Soft trends are “future maybes.” They can be changed. For example, your organization’s information security budget, or the time it takes you to respond to the inevitable breach. You do have a response plan, right?

A hard trend cannot easily be changed. For example, the pace of technological innovation, particularly in three key areas: processing power, storage, and bandwidth. The trends point to ever-increasing quantities of all three at ever-decreasing cost.

Think that doesn’t have implications for information security? You bet it does, and I bet you’re already seeing it: more business information on more devices from more places in the world. The problems will only get worse.

It’s far easier to see the future when you start with what you know. If you look at the hard trends and know where innovation is taking us, it’s pretty easy to anticipate the future (the second principle).

As some of you probably know, I spent 10 years working for Nokia, which was, in those days, the largest mobile phone manufacturer in the world. Nokia was also in the network security business, which is where I worked. Even so, I was exposed to many of the mobile phones Nokia made and thus saw these Pathways to Innovation play themselves out from a vantage point somewhat different from a typical consumer’s:

It was very obvious to me in the 2000s that smartphones would become our personal computing devices, devices that accessed websites and held data of their own. Nokia, being in the handset business, the network infrastructure business, and the security business, was uniquely positioned to provide that security both on the handset and within the network.

It was one of the many opportunities that Nokia did not have the foresight to take advantage of. Nokia, as mighty as it once was in the smartphone industry, lost out and lost big. Had they made a proper transformation from the inside out (the third principle), as they had done several times throughout their 152-year history, they might still be a household name. Instead, since they transformed largely as a result of external forces and trends, they are barely a blip on the radar.

Another thing Nokia failed to do: take their biggest problem and skip it (the fourth principle). At the time, one of their biggest challenges in breaking into the US market was working with the US mobile operators, who wanted nothing to do with Nokia’s products. Meanwhile, Nokia could have marketed and sold the products to the US public directly, bypassing the operators.

To bring this back to information security for a moment, what is our biggest problem in information security? Surely it has to be all that data on all those devices connecting from everywhere, with data hosted everywhere, and only our traditional information security tools to protect it. What if we could skip that problem and bake security into the data and/or the method used to access that data?

Sometimes, the solutions to your problems are in the opposite direction from where everyone else is looking (the fifth principle). For example, I see a lot of newer security vendors focusing on detection of threats rather than prevention of threats. While I’ve said a few times this is not an either/or proposition, I openly wonder: as infrastructures grow more complex and more virtualized, all driven by hard trends, how helpful is detection by itself going to be in the long run? Unless it is followed by automatic remediation, or better, by preventing the incident in the first place, it will be just one more signal that gets ignored.

Information security has no choice but to redefine and reinvent how and what it does (the sixth principle). The underlying infrastructure that supports our business is commoditizing and evolving rapidly, at a rate that will only accelerate. Likewise, security vendors will have to find a way to continue providing unique value in this environment, or their products will be replaced.

Finally, the future is largely what we envision it to be (the seventh principle). Do we envision a future where the threats run rampant over our networks, or do we envision remaining one step ahead and keeping the threats at bay (or at least contained)? You may need other resources to achieve it, but it starts with a clear future vision. Shaping the future will require communication, collaboration, and trust, all things information security is in the critical path to ensure.

This diagram in the book I think illustrates something that I already lived:

I’ll ask those of you who used my FireWall-1 FAQ back in the day: what did that content represent to you? Data? Information? Knowledge? Wisdom? I’ll settle for knowledge since what I had there was largely product specific. Wisdom is probably stretching it.

But is it? I’ve had numerous people come up to me over the years thanking me for that FAQ as it helped them become information security professionals. Back in the 1990s, there wasn’t a whole lot of information out there. Rather than keep it locked up, I shared it with the Internet. I collaborated with people on the Internet to improve it. And, because the information was largely accurate, and I was accountable for mistakes, people ultimately trusted it.

Even though I haven’t operated that FAQ site in more than 10 years, I built a very nice career for myself as a result. Maybe if the information security industry would communicate better, truly collaborate with each other, and operate in a truly trustworthy manner, we could all be one step ahead.

How To Separate Security Solutions from Snake Oil

From Darwinism in IT Security, Pt. 3: Time to Deal with These No-Good Parasites:

[Detection] adoption has become the norm in the IT-security industry; and based on that, a whole ecosystem of parasites now successfully bullshits (successfully – i.e., keeps getting away with it!) the public. No, I am not making this up.

What all parasites agree on is their opposition to ‘traditional methods’ (the very same scanning methods they adopt via VirusTotal) and their love of all things ‘next generation’ (though what exactly is new about detection copy-and-pasting – and also AI – they don’t point out).

Conclusion: if you get approached by folks from an unknown company bandying about words like ‘next-gen’, ‘behavioral analysis’, ‘artificial intelligence’, etc., with no results of independent tests to make those words mean something real, watch out. The marketing materials of such companies show that the only artificial intelligence they use is that for peeking on real IT-security companies via the cloud.

As I’ve said before, you have to wonder about security vendors who do not willingly submit themselves to third-party scrutiny. If their products are as good as their marketing claims, that will prove itself out in third-party testing, or better yet, in your own testing using objective criteria. Reputable security vendors are more than willing to support such an effort.

If you rely purely on marketing to make decisions about what security solutions to buy, you may be buying snake oil. Caveat emptor!

Old Password Breaches are New Again

In the past couple of weeks, a couple of old breaches of social media sites have come into the news again, mostly because the data from the breaches of MySpace, LinkedIn, Tumblr, and some site called Fling that I had never heard of before, are for sale on the dark web. Aside from chatter on Twitter, the first thing that could be deemed a “formal” notification came from Troy Hunt’s site Have I Been Pwned, something I recommend everyone subscribe to, as he seems to do a better job of notifying people than the providers do.

You might wonder why we who care about information security care about years-old breaches from social media sites. It’s pretty simple: most “normal” people use the same login and password everywhere they go on the web. It’s also quite possible they didn’t get the memo the first time these breaches occurred, either.

And let’s be honest, even if you changed your password when the breach was first announced, what are the odds you have changed it since? Most likely you haven’t, and now is as good a time as any to change your password on these sites, if for no other reason than that the new one will be stored under whatever improved password hashing these sites have surely adopted since, while the old one remains exposed in the dump for as long as you keep using it anywhere.

Of course, a couple of other pieces of advice to implement:

  • Different Passwords on Every Site: As noted above, password re-use is what makes these older breaches relevant to a lot of people. You can mitigate this risk in the future by using unique passwords on each site you authenticate to.
  • Use Two-Factor Authentication: Even if someone is able to crack your password, two-factor authentication should slow down any determined hacker. That said, two-factor authentication is still not something the majority of people use because it’s still not easy. Also, most implementations rely on SMS (which itself can be intercepted or redirected to an attacker’s phone) or on a token that lives only on a single smartphone. What happens when you lose your phone? Keep the backup codes a site gives you at enrollment somewhere other than that phone.
  • Use a Password Manager: The primary benefit of a password manager is the ability to use unique, complex passwords on all the sites without having to type or remember them. Yes, your password manager becomes a huge target, but the security benefits outweigh the risks.

LastPass is my password manager of choice. It works across all the platforms I use (Mac, PC, Linux, Android, and iOS). At $12/year, it’s an absolute no-brainer. Yes, I know a lot of people like 1Password, but I find their apps a much more expensive proposition.

Perhaps one of my favorite features of LastPass is their Security Challenge. It evaluates all the passwords in my vault to see which may have been compromised, which are weak, which I’ve reused, and which haven’t been changed in more than a year. This allows me to quickly identify which accounts might need a new password, one I can make significantly more complex thanks to LastPass. Note that even without running the Security Challenge, I’m warned when I reuse a password, a very good thing.
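The four checks the Security Challenge performs (compromised, weak, reused, stale) are easy to reproduce over your own vault export. The script below is an added example written for this post; it is not LastPass code and not from the original. The vault entries and the small “breach corpus” are constructed, the entropy estimate is a deliberately crude character-class model, and the compromised check mirrors the Pwned Passwords k-anonymity design (look up by the first five hex characters of the SHA-1 so the full hash never leaves your machine) with a local table standing in for the remote range query.

```python
"""Offline vault audit: flags compromised, weak, reused and stale passwords.
Added example, not LastPass's Security Challenge. Vault and breach data below
are constructed for illustration."""
import hashlib
import math
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Entry:
    site: str
    username: str
    password: str
    last_changed: date


# Constructed breach corpus. Real range services key on the first 5 hex chars
# of the SHA-1 and return only suffixes, so the full hash is never sent.
BREACHED_PLAINTEXTS = ["password1", "linkedin", "123456", "letmein"]
BREACH_RANGES = {}
for _p in BREACHED_PLAINTEXTS:
    _h = hashlib.sha1(_p.encode()).hexdigest().upper()
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password, ranges=BREACH_RANGES):
    """k-anonymity style lookup: prefix selects the range, suffix is matched locally."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in ranges.get(h[:5], set())


def estimate_bits(password):
    """Crude strength estimate: length * log2(size of character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def audit(entries, today, weak_bits=50.0, stale_after=timedelta(days=365)):
    """Return {site: [issues]} for every entry; an empty list means no finding."""
    by_password = {}
    for e in entries:
        by_password.setdefault(e.password, []).append(e.site)
    findings = {}
    for e in entries:
        issues = []
        if is_breached(e.password):
            issues.append("compromised")
        if estimate_bits(e.password) < weak_bits:
            issues.append("weak")
        if len(by_password[e.password]) > 1:
            issues.append("reused")
        if today - e.last_changed > stale_after:
            issues.append("stale")
        findings[e.site] = issues
    return findings


def demo():
    # Constructed vault; "today" is pinned so the stale check is deterministic.
    today = date(2016, 6, 1)
    vault = [
        Entry("linkedin.com", "alice", "linkedin", date(2012, 6, 1)),
        Entry("myspace.com", "alice", "linkedin", date(2016, 5, 1)),
        Entry("bank.example", "alice", "Tr0ub4dor&3-x9Q!", date(2016, 3, 1)),
        Entry("forum.example", "alice", "summer15", date(2014, 1, 1)),
    ]
    return audit(vault, today)


if __name__ == "__main__":
    for site, issues in demo().items():
        print(f"{site:15} {', '.join(issues) or 'ok'}")
```

Feed it a CSV export of your real vault instead of the constructed list and swap `BREACH_RANGES` for a call to a range service, and you have the same report the Security Challenge gives you, without handing your plaintext passwords to anything.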

Disclaimer: My employer Check Point Software Technologies might have a different point of view on passwords, these are my own.

CPX 2016 Chicago Post-Mortem

It’s been a few years since I’ve been able to attend Check Point Experience (CPX), the annual user conference held by Check Point in Europe and the US. This year, I attended the event held in Chicago, which, according to Check Point Founder and CEO Gil Shwed, had close to 2,000 attendees. It’s definitely smaller than RSA Conference, a more general security industry trade show that I also attended earlier this year. It is a bit more intimate, though, which is a good thing.

Yes, I managed to get the registration folks to print PhoneBoy on my badge

CPX runs for two days and has a combination of general sessions and smaller, more focused sessions covering individual products and services. A handful of customers also schedule one-on-ones with Check Point executives. There is also an expo floor where vendors have booths demonstrating their products and services. Check Point had a few booths for its various product and service offerings, and yes, I had to stand at a couple of them to do my part for the cause.

While I always enjoy hearing what the Check Point executives have to say, the reality is, as a Check Point employee, I had already heard a bit of what they had to say at our Sales Kick Off earlier this year. I was more interested in the other speakers at the general sessions, which at CPX included a congressman, a futurist, and customers.

The speaker from the Missouri State Police Department provided the most distinctive perspective, I thought. Not so much about the threats, though it was interesting to hear a bit about the Anonymous attacks they suffered during the Ferguson incident a couple of years back. What stuck with me was the why, something we often don’t think much about. In this case, the “hacking” and “doxxing” Anonymous was doing in Ferguson had immediate, real-world consequences for the very people entrusted with protecting citizens.

Information security for the Missouri State Police Department is about protecting these fine folks who protect our safety. A bit of a different goal from a lot of other organizations.

One of my favorite sessions was from Daniel Burrus, a best-selling author and futurist who has been predicting the future for more than three decades. Lots of talk about hard and soft trends and using all that big data to look at the future instead of the past.

The Pathways to Innovation in the above slide were originally written in 1985. They haven’t changed. My favorite insight from his presentation? Rather than complaining about government regulations (a hard trend), look for the opportunities they present. They’re there.

And, of course, there’s Moti Sagey. I always enjoy his Sales Kick Off presentations about the competition and his CPX presentation did not disappoint. Even though he is part of Check Point’s marketing organization, his presentations are low on fluff and high on facts, with plenty of humor.

There were a few tracks of breakout sessions, which I have to admit I did not attend, because I already knew a lot of the content in these sessions and I had to work some of the Check Point booths on our expo floor. The feedback I got from customers on the sessions was excellent; they provided a lot of great information on new and recently announced products.

Other Vendors at CPX 2016 Chicago

Over the 23-year history of Check Point, a lot of former employees have gone on to start their own companies or work for companies started by former Check Point employees. One of the newer entrants in this space that had a booth at our expo was a company called Fireglass, which runs the browser’s code somewhere other than the end user’s machine and delivers only the rendered visuals to the user, so web-borne code never executes on the endpoint. It can also use Check Point’s SandBlast technology to handle file downloads, reducing the risk of zero-day malware entering the end user workstation. It’s extremely clever.

Another company involving former Check Point employees is GuardiCore, which has a clever solution for figuring out the traffic flows inside your virtualized environment so you can perform appropriate microsegmentation with vSEC. It can also identify rogue traffic flows, also a useful feature. For a bit more, check out Micro-Segmentation, the right way. Also, Product Manager Lior Neudorfer snapped a photo with me:

Indeni is a tool that monitors security devices like Check Point to, in their words, “power smarter networks through machine learning and predictive analysis technology, enabling companies to focus on growth acceleration rather than network failures.” They gave out happy face shirts–who can be unhappy wearing a happy face shirt?–and let you shoot Nerf guns at their booth. Looks easier than it is.

One other notable company was Avanan. They are a cloud access security broker (CASB), which sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure. CASBs integrate familiar security controls with SaaS applications to extend visibility and enforcement of security policy beyond on-premises infrastructure. Avanan works with a number of security vendors, including Check Point. Specific to Check Point, they support Threat Emulation, Anti-Virus, and Data Loss Prevention with a growing list of SaaS applications such as Office 365, Google Enterprise, Box, and more.

There was a lot more to unpack from those two days in Chicago but that’s enough to give you a taste. If you use (or sell) Check Point products, I highly recommend attending next year to find out how Check Point and partners can keep you one step ahead of the threats.

Edited to add: I got Lior Neudorfer’s title wrong, he’s a Product Manager at Guardicore, not CEO. I also added a link to a Medium post about the product they showed me at CPX.

Disclaimer: If it’s not clear from the above, I work for Check Point. Hopefully it’s clear these are my opinions and Check Point’s official opinions may differ.

VirusTotal: Not a Replacement for Real Threat Prevention

From VirusTotal: Maintaining a healthy community:

VirusTotal was born 12 years ago as a collaborative service to promote the exchange of information and strengthen security on the internet. The initial idea was very basic: anyone could send a suspicious file and in return receive a report with multiple antivirus scanner results. In exchange, antivirus companies received new malware samples to improve protections for their users. The gears worked thanks to the collaboration of antivirus companies and the support of an amazing community. This is an ecosystem where everyone contributes, everyone benefits, and we work together to improve internet security.

VirusTotal is a great resource for users and security folks alike. It provides a quick way to see how a number of antivirus engines view a particular file or URL (i.e., whether or not they believe it is malicious). Think of it as “peer review” for potential malware, or a “second opinion” compared to whatever antimalware solutions you are using. Vendors who participate receive the samples their own engine did not detect, for the purpose of improving their products.

VirusTotal is not meant to be used to compare different antimalware solutions. The engines integrated into VirusTotal are not necessarily the same version you would run on a desktop or at the network perimeter; a full product may take additional information into account (behavior, reputation, sandbox results) when deciding whether something is malicious, or may be configured differently from the “defaults” a vendor provides for a given engine. Also, signatures and engines change regularly, so even if a particular engine doesn’t detect something when you check, it may detect it later.
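Two practical points follow from using VirusTotal as a second opinion: look a file up by its hash before you consider uploading it (anything you upload is shared with every participating vendor, which you may not want for an internal document), and treat “no engine flagged it” as different from “VirusTotal has never seen it.” The script below is an added example for this post, not VirusTotal’s code and not from the original. The engine names and the sample report are constructed; the `/api/v3/files/{hash}` endpoint and `x-apikey` header are those documented for the public v3 API, and the network call is not exercised by the offline demo.

```python
"""Hash-first VirusTotal lookup and second-opinion summary.
Added example; endpoint/header per the public v3 API, report below is constructed."""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Categories that are an actual verdict from an engine. Anything else
# (timeout, failure, type-unsupported, ...) means the engine did not weigh in.
VERDICT_CATEGORIES = {"harmless", "undetected", "suspicious", "malicious"}


def sha256_hex(data):
    """SHA-256 of the file contents; this is what you send, not the file."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256, api_key):
    """Fetch an existing report by hash. Returns None on HTTP 404, meaning
    VirusTotal has never seen this hash, which is NOT the same as clean.
    Network call; not used by the offline demo."""
    req = urllib.request.Request(VT_FILES_ENDPOINT + sha256,
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(report):
    """Reduce a v3-style report to counts plus the detection names."""
    summary = {"status": "unknown", "malicious": 0, "suspicious": 0,
               "scanned": 0, "skipped": 0, "names": []}
    if report is None:
        return summary
    results = report["data"]["attributes"]["last_analysis_results"]
    for engine, r in sorted(results.items()):
        cat = r.get("category")
        if cat not in VERDICT_CATEGORIES:
            summary["skipped"] += 1
            continue
        summary["scanned"] += 1
        if cat in ("malicious", "suspicious"):
            summary[cat] += 1
            summary["names"].append(f"{engine}: {r.get('result') or cat}")
    if summary["malicious"] or summary["suspicious"]:
        summary["status"] = "flagged"
    elif summary["scanned"] > 0:
        summary["status"] = "no detections"   # a second opinion, not a clean bill
    return summary


# Constructed report in the shape of a v3 /files/{hash} response; engine names invented.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": {"category": "malicious", "result": "Trojan.Generic.123"},
    "EngineB": {"category": "undetected", "result": None},
    "EngineC": {"category": "suspicious", "result": "Heur.Packed"},
    "EngineD": {"category": "type-unsupported", "result": None},
    "EngineE": {"category": "timeout", "result": None},
}}}}


def demo():
    return summarize(SAMPLE_REPORT)


if __name__ == "__main__":
    s = demo()
    print(f"{s['status']}: {s['malicious']} malicious, {s['suspicious']} suspicious "
          f"of {s['scanned']} engines ({s['skipped']} gave no verdict)")
    for name in s["names"]:
        print("  ", name)
```

The summary deliberately reports how many engines actually returned a verdict, because a report where most engines timed out or could not handle the file type says very little, and it never labels anything “clean”: as the post says, an engine that misses something today may catch it tomorrow, and the engines here are not the products you run.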

Something VirusTotal is most definitely not is a replacement for a proper antimalware solution. This is noted on the VirusTotal about page:

VirusTotal is not a substitute for any antivirus/security software installed in a PC, since it only scans individual files/URLs on demand. It does not offer permanent protection for users’ systems either. At VirusTotal we think of our service as a second opinion regarding the maliciousness of your files/URLs.

It appears some vendors were using results from VirusTotal to supplement their products’ detection rates without contributing their own AV engine to VirusTotal. The comments on that article point to which vendors were doing this. VirusTotal has now expressly forbidden this behavior:

For this ecosystem to work, everyone who benefits from the community also needs to give back to the community, so we are introducing a few new policies to make sure that our community continues to work for years into the future. First, a revised default policy to prevent possible cases of abuse and increase the health of our ecosystem: all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services. Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO).

It’s yet another case of marketing hype not making you more secure. Companies who have deployed products from these vendors are most assuredly less safe than they were before, since the detections those products were borrowing from VirusTotal have just been cut off, though I suppose the vendors could switch to a number of VirusTotal alternatives easily enough.

Disclaimer: I am not aware of any relationship between VirusTotal and my employer Check Point Software Technologies. I’m also not aware of any relationship between my personal views that I’ve written here and Check Point’s views on this matter, either.