Author: Sam Erdheim

Sam Erdheim has more than 15 years of experience across all facets of marketing and product management for enterprise software companies. Mr. Erdheim has spent the past 10 years in the information security space, most recently serving as Director of Marketing for AlgoSec, a security policy management vendor, where he was responsible for leading the strategy and development of the company's corporate and product positioning, content and communications. Prior to AlgoSec, Mr. Erdheim served as Director of Marketing at Lumension, an endpoint security provider, where he drove a comprehensive demand generation program that supported more than a third of the sales pipeline and created an automated email nurture campaign that received a Gold Medal from MarketingSherpa. Previously, Mr. Erdheim served in product management and marketing roles for other technology companies such as Softek (acquired by IBM Global Services), iLumin (acquired by CA) and Thomson Financial. Mr. Erdheim is a graduate of Tufts University.

Greater Interconnectivity Means a Greater Level of Presence and in Turn More Risk

Technology advances continue to push boundaries — remember when a phone was just a phone?! More “smart” devices, more interconnectivity between businesses and customers, businesses and suppliers, businesses and partners … all of this speeds transactions and the way business is conducted. Information is shared, items are purchased — all with the click of a button these days.

Inherent in all this productivity goodness is that your digital presence is expanding across many channels that are outside the traditional company boundaries. With this expanding presence comes greater risk. It’s become much harder to have visibility of the level of risk your organization faces across the many digital channels. You of course have physical risks that have been around in the past, but now can be tied into cyber activity. You have cybercriminals (and potentially other types of adversaries) looking to exploit weaknesses for financial or competitive gains. Social media. Your supply chain. Insider risks (whether malicious or negligent). On and on …

The more connections you have, the more presence you have, the more opportunity that exists for malicious actors. This isn’t to say close your business off from the world. That’s obviously not realistic and not a good way to do business. But there two essential things you can do to minimize this issue:

Get an understanding of your level of presence and the level of risk associated to different areas. Having this intel sets the stage for how to stay on top of your risk and proactively address it.
Identify people, processes and technology to help continuously monitor and manage these risks — so they don’t become larger issues for your business.

Some questions to pose to your organization as a starting point:

Who in the organization has accountability for digital risk? Corporate security? Info security? Risk management? Legal? Compliance? Executive suite and/or board level? Brand officer?
What about “smart” building devices? Who owns these?
What about “smart” devices brought in by your employees? How are these managed? And by whom?
How does digital risk play into the organization’s overall risk management process?
What processes are in place to limit the risk?
What processes are in place to address a threat?

This list isn’t exhaustive, but you get the idea of how you need to think about this issue.

We recently announced a strategic partnership with PlanetRisk to deliver comprehensive cybersecurity and enterprise risk analytics and visualization for Fortune 1000 and government customers. Together we’re hosting a live webinar discussion on How to Mitigate Risk from Your Expanding Digital Presence.

I look forward to seeing you on the webinar. For more information and to sign up for the webinar, visit: http://info.surfwatchlabs.com/Webcast/How-to-Mitigate-Risk-from-Your-Expanding-Digital-Presence/05102017

Do You Know Your Adversary?

Threat intelligence means a lot of different things to different people. Oftentimes organizations think of tactical information that helps defenders in their on-the-network battles with the bad guys. But, as Forrester Research recently noted in their report Achieve Early Success In Threat Intelligence With The Right Collection Strategy:

“Don’t fall into the trap of subscribing to tactical indicator feeds that you can just pump into your security information management and forget about.”

Tactical intel has it’s role and importance, but starting there can lead you down a rathole. To start off, you need to understand the big picture and then from there you need to understand your adversary, specifically:

Who is the actor, what is their motivation and intent, capability, and opportunity?
What is the threat campaign they are deploying? What is it targeting? How is it being carried out?
What are the associated events and supporting evidence that can be used to provide a level of confidence around the seriousness and impact of this threat to your business?
How can you reduce the adversary’s opportunity? What are the processes and/or tools to minimize this exposure?

On Wednesday, April 26 at 1pm ET, please join us for a threat intelligence discussion and see a live demonstration of SurfWatch Threat Analyst, which recently received 5 out of 5 stars from SC Magazine. Adam Meyer, our Chief Security Strategist and head of the SurfWatch analyst team (and formerly a CISO with the 2nd largest transportation system in the US) will lead this discussion and demonstration.

Cybersecurity Rant Part Deux – The Threats Aren’t As Complex As We Make Them Out to Be

Last summer, after being inundated with false claims from fellow security vendors, I let loose in a “cybersecurity rant” blog. As we approach RSA, the FUD dial is being turned up again and instead of just throwing up my hands and yelling “GREAT SCOTT!” I thought it would be healthier to air my frustrations with the goal of us focusing on what’s really important.

If you read a lot of what comes out in the news or from the cybersecurity vendor community, there is an overwhelming focus on the sophistication of threats. Having been in this space for 10+ years I’ve been guilty of playing into this FUD as well. Certainly some of this does exist, but as my colleague Adam Meyer recently wrote in a SecurityWeek article if we look at what the intel is telling us, many of the cyber threats we face are, in fact, not sophisticated at all.

Ransomware, extortion, exploit kits, data breaches, DDoS attacks and more. These are some of the hot threat trends from the past year and moving into 2017. But when looking at these threats and how many of them are actually carried out, the intel points to security basics running amok. Patching software, enforcing better credentials management, backing up important data on a regular basis, segmenting your networks so that attackers don’t have freedom of movement once they break in, etc. This is all stuff that has been talked about for years. It’s not new. And yet, the same things keep happening over and over again.

Let’s use passwords as an example. It’s always a balance of security vs. usability when it comes to passwords, but more often than not usability wins out at the risk of poor security. Many big breaches from the last year were driven by used previously stolen credentials. So if my password is Sam123 and I’ve used it across my business email, personal banking, etc. and my credentials are compromised in one place, they’re compromised in the other place as well (unless I change ’em up). Pretty basic right?

It’s human nature to look for that shiny new whiz-bang toy that does something cool as opposed to the basic toy that isn’t fancy, but just works. I’m not saying we shouldn’t worry about the more sophisticated and targeted threats, but before tackling these challenges, why do we as an industry keep overlooking fundamental basics.

Working for a company that delivers cyber threat intelligence, I’m quite fortunate because I have access to a wealth of intel and an experienced analyst team. I’m constantly learning not only about threats, but the path those threats take in order to wreak havoc. It’s what we refer to here as the adversary’s “avenue of approach.”

There are always variances in how a threat works its way into/through an organization, but the common denominator is that it always exploits the organization’s level of presence — whether through an employee who’s active on social media, poor credentials, poor patch management, a supplier with weak security practices who has access into your network, etc. etc. etc.

At the end of the day I’m just a marketer with some industry awareness and expertise, not a cyber expert. I can’t code. So while some of this to me is still complex, overall we’re not talking about sophisticated security practices … we’re talking about the fundamentals.

As a sports junkie, I’ll wrap this up with a baseball analogy …

In baseball, to win the game you must score more runs than the other team. Trying to hit home runs is one way, but the more guys you get on base, the more runs you can score. Keeping it simple and making good contact results in a greater likelihood that you will get a base hit. Do that consistently, and you’ll score plenty of runs. My point here is instead of swinging for the fences, if we focus on what’s in front of us, we’ll be in pretty good shape and change outcomes for the better.

Cybersecurity Rant – Security Marketers Misusing Terms

Let me start off by saying that I am a marketer. I’ve been in the cybersecurity space for roughly 10 years with multiple companies focusing on different aspects that can be bucketed under the following segments of the market: endpoint security, network security and threat intelligence. In every segment there are buzzwords that seem to take on a life of their own.

In threat intelligence there are a few that really do us a disservice. The two that I want to pick on are “real-time” and “actionable.” Let’s dissect these:

“Real-time” Threat Intelligence

When I see this, to me it’s like nails on a chalkboard because “real-time” and “threat intelligence” cannot possibly go hand in hand. Threat intelligence requires analysis … by humans who have the expertise to do so. This does not and cannot happen in “real-time.” You can certainly get real-time information, but information and intelligence are not one in the same.

As my colleague Adam Meyer wrote in an article titled “Setting the Record Straight on Cyber Threat Intelligence,” information is unfiltered and unevaluated, available from many sources, and can be accurate/false, misleading and/or incomplete. Additionally, it may or may not be relevant to your business. The beauty of cyber threat intelligence is transforming all of that information into meaningful insights that drive better decision-making. That transformation process can be discussed in its own blog or collection of blogs, but the point I’m trying to make is that none of this is in “real-time.” I’m comfortable with near real-time because timeliness is an important attribute of intel … along with accuracy and relevancy.

“Actionable” Threat Intelligence

The word actionable isn’t bad, it’s just that we’ve overused it to the point it no longer means anything. Too many vendors equate information with actionable threat intelligence, but again, these are very different. A lot of information for you to research certainly creates lots of action, but is it actionable? To me, “actionable” means a decision can be made without requiring much, if any, additional research and analysis. If it is refined, final, actionable threat intelligence, all that prep work has been done and now you can make a sound risk management decision.

When I first joined SurfWatch Labs I had a friend who worked for an e-commerce business take me through a “day in the life” of how his company used threat intelligence. They took in a feed of low-level, tactical data and fed that into their SIEM, which spit out hundreds of alerts per day. The company had a team of analysts that would research each alert (which I was told could take as little as 20 minutes and sometimes up to a full day) and try to understand if they needed to worry about it and if so, how to deal with it. Every day this team of analysts had a lot of actions to take regarding their threat-related data. Just a few types of questions they needed to be able to answer:

What was the actual threat?
Was it relevant to their business and infrastructure?
What was the potential impact? Did it impact sensitive information/systems?
If it was relevant and important, then what steps and tools were necessary to mitigate this risk before it was too late?

Again, the information they received required lots of actions, but I would argue it wasn’t actionable intelligence at that point. Actionable intelligence takes that information and then runs analysis and correlation against the business profile where at the end there is a decision point and a method for addressing the risk. If you look at all the companies throwing around the term “actionable” I bet the majority provide an aspect of intelligence or a step in the direction of intelligence, but do not actually provide “actionable” intelligence.

Ok so why am I ranting about this? The above are just two of the more obvious examples where vendors are actively confusing the market and doing a disservice to customers trying to understand what threat intelligence is, what type of intelligence is right for them, and how to use it. Threat intelligence is not tangible like a firewall or some whiz-bang appliance, but if properly understood it can be extremely valuable to directing a cybersecurity program and reducing an organization’s overall risk footprint.

How Threat Intelligence is Used in the Real World – Customer Interview

I recently had the pleasure of sitting down with Larry Larsen, Director of Cyber Security at Apple Federal Credit Union, to learn about the cybersecurity challenges they face and how threat intelligence fits into their overall approach to risk mitigation.

Larry explained that his primary objective is two-fold: to protect member information and assets, and to protect Apple FCU’s organizational information. With increasing complexity around cyber, he discussed with me the need for threat intelligence to become more apparent. Beyond just blocking threats, he wants to understand what attackers are trying to do so he can prepare as best as possible. And while there are many sources of open source threat information, intelligence takes it a step further by correlating patterns of behavior that the cybersecurity team at Apple Federal Credit Union uses to guide their efforts and anticipate threats before they occur.

When it came to discussing how they use the intel from SurfWatch Labs, Larry said that it has “led to direct changes in Apple FCU’s infrastructure due to emerging threats we would not have known about as quickly if we did not have that pattern analysis and comprehensive picture.”

In this 5 minute clip, you can learn about how strategic and operational threat intelligence are used throughout the organization – beyond just the cyber team – to prepare for impending threats and reduce risk.

Sharing is Caring – Threat Intel for You and Your Business Partners

As kids we’re taught to share our toys. It’s a hard lesson to “get.”

When it comes to cybersecurity and information sharing, many still don’t “get” it. Liability concerns, competitive disadvantages, and so on. But even if some of these concerns are legitimate, this lesson really shouldn’t be so hard.

According to the latest Verizon DBIR, while compromises are happening faster, the time to discover the compromise is taking longer than in previous years. We can combat this challenge through the use of sound threat intelligence and sharing among “friends.” Through intel you can be more prepared in advance of an attack, reducing the amount of incidents you need to respond to.

Many are trying to address this sharing problem — hence the creation of Information Sharing and Analysis Centers, aka ISACs. There are a boatload of ’em — 18 listed on Wikipedia’s page on ISACs. Each of these ISACs is specific to an industry, so in theory there is relevancy built in to the information that is shared. The intent of these ISACs is sound, and there are many good people working to make these ISACs really useful. But they have their limits as well. We all have businesses to run and support after all.

So how do we take the ISAC concept up a notch, where the intel being shared is more than relevant, but SPECIFIC to your business? Privatize the ISAC to fit your own business ecosystem. This means pulling in your partners and suppliers. You should already be sharing information with them anyway, just include cyber as part of it.

Whether you are a big, medium or small business, most likely you have partners and suppliers that are an extension of your cyber footprint. They typically have some level of access to to your network, applications and data. Having these intersecting points allows business to run more efficiently. But with these intersections comes risk. A company’s suppliers are often integral to their business — I need X and Y to fulfill Z, and X comes from a supplier. Suppliers that don’t pay enough attention to security ultimately can cause a very direct and painful impact on your business (Target is the obvious supply chain cyber example used often, but there are plenty more where that came from).

As opposed to sharing information with folks you don’t know (and let’s be honest, how much do you want to really expose to a wider audience not within your control?), your own supply chain is, for all intents and purposes, just an extension of your own enterprise. It only makes sense that your security “umbrella” should extend out a bit over them as well.

As such, sharing info, analysis and expertise within your “extended family” can be very valuable to establishing the kind of early warning system that is the promise of cyber information sharing to begin with — and without most of the risks.

Sharing threat intelligence, risk identification and other analysis with your partners helps you help yourself. Cybercriminals work together and share information all the time in Dark Web forums and even sometimes out in the open.

Sharing is caring. And the group of folks that you will get the most value out of sharing cyber threat intelligence with are the companies in your supply chain.

When it Comes to Cybersecurity, Take a Good Look in the Mirror

Recently, we participated on a webinar panel – What You Need to Know about the FFIEC Cybersecurity Assessment Tool – where audience members were asked the following question:

How would you rate your organizations’ cybersecurity maturity level today?

Possible options (taken directly from the FFIEC CAT) for the attendees were:

Baseline – meets the legal minimum; compliance-driven objectives
Evolving – risk-driven objectives in place; cybersecurity formally assigned and broadened beyond protection of customer info
Intermediate – detailed, formal processes with consistent controls; risk management integrated into business strategies
Advanced – formally assigned throughout the business; automation and continuous improvement
Innovative – cutting edge practice potentially extending beyond firm

Interestingly, a majority of attendees put their organizations’ cybersecurity maturity level at “Evolving”.

There are two ways to look at this:

The pessimist would say that organizations have a long way to go still with protecting information (the regular stream of data breach headlines back this up).
A more positive outlook is that through real self-assessment, understanding where we are and where we need to reach is a good thing.

Many folks who aren’t in cybersecurity and/or don’t follow cyber-related news have an enormous false sense of security. People are too trusting and too curious. Cybercriminals know this and use it to their advantage. So it’s good to see that as security professionals many are taking a good hard look in the mirror and recognizing where we are at. Now the question becomes what do you do/where do you go from here?

Clearly doing the same thing over and over again isn’t working. Cybersecurity is not a technical problem, it’s a business problem in a technical venue. Cybersecurity should and can be viewed in the same way other parts of the business are run.

Another important self-assessment to make is knowing you cannot defend everything perfectly. There simply are not enough resources or budget to do so. Shifting from a reactionary mindset to proactive, data-driven intelligence approach can help you focus on your biggest cyber risk areas.

Look at data, analyze it, understand trends and make decisions. This approach is relied upon to run other areas of the business – it’s what business intelligence is all about. And it can be applied to cyber risk mitigation. The business and IT security sides of the house need to work together and look at cyber from a risk perspective. What are your high value targets (what would a “bad guy” go after and why?)? Then what vulnerabilities and threats are out there that apply to your targets?

Looking at your cybersecurity program and your risk posture through this lens can help you unearth big problems that are coming or identify active threats to your sensitive information and brand. An organization’s appetite for risk is fluid – when all is quiet on the cyber front, there is typically less urgency. That urgency level increases significantly if an organization is breached. But waiting for all hell to break loose isn’t usually a good strategy from a risk management perspective.

In spring, we’re told to change our batteries in the smoke detectors as a precaution. I’d suggest we take a step back and take an honest look in the mirror to see where we’re at from a security perspective and how we can use threat intelligence to drive more effective risk mitigation decisions.

Gone Phishing in Q1 2016

We’re already a quarter of the way through 2016, and a clear trend is the rise of social engineering. Based on the cyber event data that we’ve collected, roughly 25% of all targets can be tied to a social engineering attack. This is the highest percent we’ve seen since the beginning of 2015, and over the last 6 months the share of social engineering attacks have doubled.

Just a few examples of common social engineering practices include:

Phone calls from a “Microsoft customer support representative” who needs remote access to your computer to fix an issue
Leaving an infected USB stick in a parking lot that when found and inserted into a computer by an unsuspecting person, malware/spyware is dropped onto the machine

However, the largest percentage of social engineering attacks (25%+) revolve around different types of phishing. While email is the most common delivery method, phishing attempts are made through text messages, Facebook, etc.

Over the weekend I received several phishing emails from individuals I know. These emails weren’t spoofed to make it look like they were coming from people I know, but actually sent from their email accounts without their knowledge.

The emails were both related to a “signed document” that needed my attention — except I had no previous knowledge any e-docs to sign should be coming my way. Of course, that’s because they should not have been coming at all.

Having been in the security industry as long as I have, I am cautious (or some would say paranoid) — especially compared to friends and family who say they “get it,” but don’t really. Even still, these emails came from legit addresses from people within my circle, and the content within the emails also looked reasonable. Luckily, I knew better, but many don’t.

Here are some quick security tips to consider when it comes to phishing attacks:

Watch out for spoofed email addresses. Confirm the sender of the email is an address you recognize/know. Don’t just check the name in the “From” field, but actually look at the email address. This tip would not have made a difference in the instance above, but it is still a good way to catch a phishing email.
Do not blindly trust links within an email. Banks and credit cards are usually pretty good about directing you to type in the url to go to their homepage and how to navigate to a specific place if necessary, as opposed to including links in their communications to you. This is a good practice to follow with any emails that include links. In my situation the links sent looked like DocuSign links, with familiar DocuSign branding and all. But it was missing the security code. Links can also be spoofed, so make sure you know what it is you are clicking on before you click.
If you have any questions, pick up the phone. Is a vendor asking you to provide information or is a contact of yours asking you to click on a link? Questioning it is good. Call the vendor or individual and have them confirm.

Social engineering is one of the trickiest types of attacks to prevent because it plays on human nature and less on technology. Looking at the intel so far in 2016, the bad guys are going back to a tried and true method for gaining access to sensitive information. Be aware and think before you click.