About Greg Day

As VP & CTO, Greg Day is responsible for FireEye's technology strategy and security thought leadership across EMEA. With over twenty years' experience in the security industry, Day is acknowledged as a thought leader and experienced practitioner. As a senior consultant he works closely with CISOs and other senior executives in government organisations and global enterprises to develop and share security best practice, contribute to policy development and audit cyber strategies where security is mission critical. In addition to his role with FireEye, Day is a member of a number of industry security groups, including the vice chair of Intellect's cyber security group (a position he was selected for by fellow security professionals) and the steering committee for CISP.

Apple Pay: A Security Analysis

Has Apple taken a bite out of hackers' arsenals? The company is betting on it. Its recent announcement about a new secure payment option has the retail and tech worlds buzzing. If Apple can implement its near-field communication (NFC) payment system correctly, it can absolutely increase security, guarding against the disastrous types of credit breaches that have dominated headlines. Being able to rely on NFC for securely making mobile payments could be a game changer in the current environment of data breaches. But that's not the only possible outcome. As NFC payments become more popular, they may force new innovation and inspire more creative techniques for credit card payments. Apple is at least the third major player to enter the NFC payment market, and it now seems increasingly likely that the demise of the antiquated magnetic strip credit card is underway, which ultimately also means more of a challenge for hackers.

History Lessons

NFC has been around in the mobile payment arena for a while. In September 2011, Google entered the market with its product Google Wallet. However, its rollout to Android phones and its adoption were stifled by the cell phone carriers, resulting in only a small number of phones that could use Google Wallet. The issue stemmed from the fact that the Android phones used something referred to as a Secure Element (SE), which is where the NFC payment system stored the financial data in protected memory. Because of the use of the SE, wireless carriers requested that the Google Wallet application be blocked. This appeared to be a thinly veiled attempt to give the carriers time to develop their own payment system. In late 2010, Verizon, T-Mobile and AT&T created a joint venture called ISIS Wallet, also designed to provide NFC payments (the platform has recently rebranded under the name Softcard). However, their rollout was slower than Google's, only offering a pilot rollout by mid-2012. While this activity between Google, the carriers, and ISIS continued, Apple chose to initially move towards iBeacon. iBeacon is a first step towards proximity-based transmitters based on Bluetooth 4.0, and was believed to be Apple's initial offering in the wireless point-of-sale space. However, the technology never caught on as a payment platform. Both Apple's and Google's initial offerings met resistance, though both companies remained undaunted and worked to improve their respective platforms. Google's engineers have worked around the SE issue by using Host-Based Card Emulation, available in Android 4.4. Apple moved off iBeacon and towards NFC-based payments, now called Apple Pay.

How Does Apple Pay Try to Stay Secure?

Technology-wise, the back-end architecture is ready to support this change. Over the past few years, several businesses, including McDonald's, have upgraded their electronic Point of Sale (POS) systems to allow faster payments through touchless NFC readers. The Apple Pay process works like this: after you launch the payment application on your phone, you tap it on the credit card terminal to make an NFC connection. The device securely connects to the payment system and selects a credit card already stored in the phone. The actual credit card number is not stored in the phone; rather, it is stored as a Device Account Number. During the transaction, that number is combined with a secure transaction code, and the transaction must be authorized via the fingerprint scanner on the iPhone 6. (On the iPhone 5, a PIN is used for approval.) The SE chip validates the transaction, relaying your authorization to the NFC modem. The transaction information goes to the merchant, who sends it to the acquiring bank, which vouches for the information on behalf of the merchant. That information is then sent from the acquiring bank to the payment processing network. The payment processor (Visa, MasterCard, etc.) then has the means to determine the account information and the credit card being used, and to ensure that the transaction security code is valid. Because the payment processor is the party accessing the device data, Apple has no record of what credit cards are being used, or how.

Credit Cards are a Target

As the media has covered in depth, hackers have placed a bulls-eye on American retailers. There's a good reason for that: that's where the credit cards are. At the end of 2013, there were 1.2 billion debit, credit, and pre-paid cards circulating in America, more than in any other region. Other developed countries have migrated to chip-and-PIN technology, whereas the United States relies nearly exclusively on magnetic strip cards, which are much more valuable to hackers because they are easy for criminals to use. Global payment-card losses from fraud reached $11.3 billion in 2012 (including losses at retailers and card issuers), and the U.S. accounted for 47% of that.

(Figure: Credit Cards - US)

So How Secure is Apple Pay?

By nature, NFC payments should be more secure. Unlike a traditional credit card, a new string of numbers is created for each purchase, in lieu of transmitting the user's card information. This security element makes it extremely difficult for hackers to use a stolen number for any other purpose. In a traditional model, the merchant must accept the credit card information, even if it is encrypted. In doing so, the merchant must accept the liability of holding and processing the credit card number. NFC payments also make skimming credit card data more difficult using current hacker techniques. Because a card is not swiped during the transaction, there is no way to introduce a skimmer to capture the magnetic credit card data. Additionally, this would mitigate the threat from memory-scraping malware such as BlackPOS or Dexter. It may be possible at some point in the future that a small antenna placed near the NFC reader could capture the communication between the NFC reader and the device. However, because the hacker would only capture the Device Account Number combined with the transaction code, it is highly unlikely that an eavesdropped communication could be reused for malicious purposes. The process should deter hackers looking for credit card data from merchants who only use NFC-based payments, because those merchants will only handle the Device Account Number and the secure transaction information, not the credit card number. Even if threat actors are able to access the retailer's network, the one-time-use-only nature of the information makes it essentially useless for their purposes. And at this point, it is unclear if a retailer will even store such information at all. Of course, we can expect an adoption period during which retailers will use NFC-based payments as well as the traditional magnetic-based credit card data.
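To make the two points above concrete (the phone holds a Device Account Number rather than the card number, and each tap yields a one-time code that is useless if captured or replayed), here is an added, simplified model written for this page. It is not Apple's protocol or code: the "DAN-" token format, the HMAC-SHA256-over-a-counter construction standing in for the secure transaction code, and the test card number are all constructed assumptions. It walks through the flow described in the post (device, merchant, payment network), then shows a replayed capture, a tampered capture, and a check of what a breach of the merchant's stored data would actually expose.

```python
"""
Simplified model of a tokenized NFC payment: the phone stores a Device Account
Number (DAN) and a device key instead of the card number, each tap produces a
one-time transaction code, and only the payment network can map the DAN back to
the real card. Constructed example; the HMAC-over-counter construction is an
assumption standing in for the "secure transaction code" and is not Apple's
actual cryptogram.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: a well-known test card number, not a live account.
SAMPLE_PAN = "4111111111111111"


def transaction_code(key, dan, merchant, amount_cents, counter):
    """One-time code binding the token to this merchant, amount and counter
    (assumed construction: HMAC-SHA256 under the per-device key)."""
    data = f"{dan}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class PaymentNetwork:
    """Stands in for the issuer/payment processor: the only party that holds
    the PAN, the device key and the last counter seen for each DAN."""

    def __init__(self):
        self._vault = {}  # dan -> [pan, device_key, last_counter]

    def provision(self, pan):
        """Issue a DAN and device key for a card; the PAN never leaves here."""
        dan = "DAN-" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[dan] = [pan, key, 0]
        return dan, key

    def authorize(self, msg):
        rec = self._vault.get(msg["dan"])
        if rec is None:
            return False, "unknown device account number"
        pan, key, last_counter = rec
        expected = transaction_code(key, msg["dan"], msg["merchant"],
                                    msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False, "invalid transaction code"   # amount/merchant altered
        if msg["counter"] <= last_counter:
            return False, "replayed transaction code"  # captured and resent
        rec[2] = msg["counter"]
        return True, f"approved for card ending {pan[-4:]}"


class Device:
    """The phone's view: token plus key, never the card number."""

    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0

    def pay(self, merchant, amount_cents):
        self._counter += 1  # fresh counter per tap, so each code is single-use
        code = transaction_code(self._key, self.dan, merchant,
                                amount_cents, self._counter)
        return {"dan": self.dan, "merchant": merchant,
                "amount_cents": amount_cents, "counter": self._counter,
                "code": code}


class Merchant:
    """Records everything the POS sees, i.e. everything a breach of the
    merchant could expose, and forwards it to the network."""

    def __init__(self, name, network):
        self.name, self.network, self.log = name, network, []

    def checkout(self, msg, amount_cents):
        if msg["merchant"] != self.name or msg["amount_cents"] != amount_cents:
            return False, "message does not match this sale"
        self.log.append(dict(msg))
        return self.network.authorize(msg)


def run_demo():
    """Legitimate tap, replayed capture, tampered capture, and a check that the
    merchant's stored data contains no card number."""
    network = PaymentNetwork()
    dan, key = network.provision(SAMPLE_PAN)
    phone = Device(dan, key)
    shop = Merchant("coffee-shop", network)

    first = shop.checkout(phone.pay("coffee-shop", 450), 450)
    captured = dict(shop.log[0])                  # what an eavesdropper would see
    replay = shop.checkout(captured, 450)         # resend the capture unchanged
    tampered = dict(captured, amount_cents=45000)  # alter the amount in the capture
    tamper = shop.checkout(tampered, 45000)
    second = shop.checkout(phone.pay("coffee-shop", 450), 450)  # a fresh tap works
    pan_leaked = any(SAMPLE_PAN in str(m) for m in shop.log)
    return {"first": first, "replay": replay, "tamper": tamper,
            "second": second, "pan_leaked": pan_leaked}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The merchant's log is the interesting part for a defender: after a breach of that log an attacker holds tokens and already-spent codes, and the network rejects both the unchanged replay (counter already seen) and the edited copy (code no longer verifies), while the real card number never appeared on the merchant side at all. Real schemes also bind the code to time or to terminal data, so this model is a lower bound on the checks, not a description of any specific product.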

What About the Future?

Moving forward, mobile payment security will rely on three components: user authentication, validation of mobile applications, and third-party payment processors. First is authentication. Apple Pay uses biometrics for authentication. However, this is still an emerging technology, as demonstrated when the iPhone 5S Touch ID was bypassed just two days after launch. While convergence is the key value, it also proves to be one of the key risks that come with these new forms of finance. While we look at the individual components and the vulnerabilities and risks they bring, we must also look at the process as a whole. Second, we must consider third-party apps and malware that may negatively impact Apple Pay. While Apple may not be opening Apple Pay up to third parties, we have previously observed malware in nearly every mobile environment. In this case, the credit card number may be vulnerable when being entered into the mobile device. The credit card information is entered into Passbook by taking a picture of the credit card, or by manually typing it in. This is the time the data is most vulnerable, as malware may attempt to capture the image used, or capture the credit card information that has been manually entered. Finally, there are the payment infrastructure services, which typically have strong security considering the volumes of money processed through them. As POS systems move towards NFC payments, there will be fewer magnetic-based card credentials available on merchant networks. It is likely that hackers will not give up their craft, but rather redirect their efforts toward the next weakest link in the chain.

Final Thoughts

Consumer fraud is a massive market. We must expect those who participate in online consumer fraud to look to this new technology space to maintain their crime revenue streams. Add the popularity of shopping and banking on smart devices, and you clearly see a convergence point for future criminal focus, whether recreating traditional fraud in an evolving environment or identifying new vulnerabilities and opportunities. At the moment, though, it appears that Apple Pay, and NFC mobile payment systems in general, offer enhanced security against traditional retail credit card breaches. As mobile payments continue to provide convenience and speed, the credit card as we know it will most likely evolve, while we as consumers will increasingly rely on virtual wallets, payments, and accounts. As this shift in behavior occurs, we expect criminals to move with the trends and to continue to innovate or be shut out of the market.

Economics of Security Part II: Qualifying the Economic Return From Cybersecurity Solutions

In part one of this series, my colleague Bryce Boland, CTO, APAC, touched on aligning a security program with the value areas of a business. To be successful in this endeavor, you must calculate the return on investment (ROI) that a robust security program will offer. In part two, I will offer recommendations for achieving this.

The economics of security is an interesting challenge. I polled some contacts and discovered that, as much as we focus on reducing the capex on software and hardware, the majority of costs are actually opex. Therefore, if we want to drive efficiencies in security, we should look at the usability of the tools (i.e. the time and costs required to achieve the desired outcome) as much as at what they actually do.

Cybersecurity is a multi-dimensional problem, so whilst we consider efficiencies we must look at them in the context of outcomes and value. Our value question in cybersecurity has two factors: (1) are we able to leverage the most efficient path to obtain the solution, and (2) are we able to prioritize the events/incidents that have the greatest business impact?

Simple event/incident response process

The rudimentary processes behind cyber security have been around for years and are well documented in various standards. There's a catalyst event that drives us to understand the problem, so we can qualify and prioritize if and when we need to respond, i.e. solve the problem.

Are we increasing or decreasing efficiencies?

In recent years many have suggested that "big data" can help us make smart decisions. Yet there is a danger that this can create a spiral effect with the potential to cripple us. By adding more content, we increase the cycles required to understand, qualify and respond. There is also a key question around the quality of that data. Take, for example, all the events we aggregate into a SIEM tool today: how many of those are truly worth taking action on?

How do we measure success and value?

If we are to evaluate the economic value cyber security solutions bring, we need to look less at what they do and more at how they do it. We need to understand the quality of the information they provide, both in terms of business impact and conversion to action, as well as the operational cycles required to achieve this, which are the cost and time multipliers.

As the complexity of our technology world continues to grow, the operational aspect as a multiplier can only increase. Today I hear more companies asking for partnerships to solve problems rather than products; they see the time and skills challenge in solving the problem as prohibitive. If we are to succeed today, we need outcome-focused solutions; that is, solutions that are efficient in providing actionable responses that are business oriented in their focus, and/or services that reduce the operational costs associated with time to action. So how do we evaluate this in our buying criteria?

There have been many ROI tools that try to qualify the potential value that comes from security investments. However, if we are to align to business goals, we must drill into the process behind event correlation/validation, the heart of security, for business impact assessment and response actions.

Qualifying economic value from event/incident management

The framework below aims to give you a reference point to start to map out the economics of your security program.

Given that solving this problem is entirely dependent on each individual organization, we must be able to qualify what makes our businesses profitable and how technology enables this. The model does not include metrics for each part of the incident lifecycle, but it does highlight some of the common key success metrics.

To make economic judgments, you need to assess the following:

  1. What is the ratio between events received and action taken?
  2. What is the efficacy level of the events & incidents you identify (i.e. the ratio of real cyber attack events to false positives)?
  3. How many cycles do you iterate through to get from an event (or events) to an action; is it timely and cost efficient? (Can you rank the processes/tools you leverage today in terms of man-hours and skills required to get to action?)
  4. Do you align, prioritize and qualify events against business goals and impact (and how many cycles does this take)?
  5. Make the assessment using the framework & success criteria below to evaluate the key time and cost multipliers in your event/incident security process, so you can validate the economic value that comes from the processes and tools you leverage today and see which are effective and which are not.

(Figure: Measures of effectiveness of event/incident management)

In conducting the evaluation process above (visually outlined in the framework figure), there is a defined process for tying operational expenditures to investments in securing the processes that generate business value. By analyzing the actions taken to conduct security operations and, ideally, the efficiencies gained in doing so, security leaders will be able to provide a full picture of their impact on the business. Ultimately, this changes the security conversation from just security to business practices overall.

The Road to Resilience: How Cybersecurity is Moving from the Back Office to the Boardroom

For too long, our industry has framed cybersecurity as a technical issue.

We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.

Yes, cybersecurity has a technical component. But more than anything, it is a business issue.

Fortunately, the old mindset is changing. Under the banner of “cyber resilience,” security leaders are beginning to acknowledge that cybersecurity must evolve. Striving to ward off attacks is no longer enough — organizations must also respond to incidents with a focus on managing their business impact.

To gauge how far along organizations in Europe, the Middle East, and Africa (EMEA) are in this evolution, FireEye recently asked 25 security leaders across the region about their experience and perceptions. Their answers reveal a sizable divide in both awareness and maturity when it comes to cyber resilience.

Breaches Increasingly Routine

Not surprisingly, EMEA security leaders say that cyber breaches are increasingly routine. In our survey, 44 percent of organizations said they had been breached at least once per year. And that total probably understates the problem: a full 28 percent were not sure whether they had been breached.

All threats viewed equally — regardless of risk or impact
A solid majority of respondents (68 percent) said they “always” care about breaches. Only 16 percent said their level of concern depends on the severity of the incident. This lopsided statistic suggests that IT professionals are not yet looking at breaches from the perspective of risk or impact.

Priorities misaligned in incident response
We see the same lack of business alignment in organizations’ responses to breaches. When a breach occurs, 84 percent of those in our EMEA survey notify relevant business leaders, and 76 percent notify company executives. We often hear that companies are looking for security leaders to engage at a business level. But if business leaders and executives are still being notified about most breaches, we’re still treating security as a technical problem.

Our survey found a split in where security teams focus their response. About 60 percent base their response plan around all IT systems, and 40 percent focus on critical systems and resources. This response, too, suggests that organizations see many breaches as a technical problem rather than a business problem.

Along the same lines, communications, public relations, and business teams are typically far less engaged in incident responses than IT security and technical teams, executives, and HR departments. If cyber resilience is about enabling business resilience, then business teams should play an equally critical role in incident response.

When engaging with executives, we in the security community do not seem to be taking a risk-based approach. And clearly, we are not speaking executives’ language: the impact of a breach on the company’s financial results.

Who is included in incident response plans?

Moving toward a risk-based security framework
Most security leaders leverage at least one security framework or standard — and in most cases, they leverage two or more. These frameworks include best practices defining what to protect, how to protect it, and how to monitor deployed controls. These features make the frameworks valuable tools to help define strategies and gauge their effectiveness. But adoption of ISO27005 — which focuses on business-risk assessment — is far behind that of ISO27001.

(Figure: Adopted security frameworks)

Leveraging automation
Just about every security leader would like more resources. But most of us must make the most of what we have.

What is clear from our survey is that incident response is consuming the biggest share of time and resources.

(Figure: Security tasks that consume the most time and resources, weighted average)

The volume of attacks is rising. And IT systems are playing an increasingly critical role in business. So having well-defined and tested response capabilities that leverage automation would seem a key component to cyber resilience.

Bolstering cyber resilience
Cyber security is, and will remain, an evolution. Everyone is on their own journey along the maturity curve. Security leaders must evaluate their place along that curve based on their perceptions of risks and the controls they need to put in place.

Cyber resilience recognizes that prevention is only part of the solution. Organizations must realize the following:

  • Businesses will increasingly measure security leaders not just on what they stop or let through, but on how they respond to what does get through.
  • A breach can happen in seconds, yet the exfiltration takes hours or days and can last for months.[1]
  • When it comes to measuring business impact, not all breaches are equal.

At the same time, organizations must retool their strategies to better discover and respond to security incidents. This shift requires:

  • Having a documented, regularly reviewed, and well-tested cyber response strategy that includes both the business and technical response plans.
  • Reducing the time and costs involved in response.
  • Being able to qualify the business risk of the incident. By better aligning cyber strategies to business drivers and business risk, security leaders can have a bigger business impact and increase their relevance to executives.

The Economics of Security

During many of my customer meetings, I often hear security leaders ask the question: “What technology could I remove to free up budget to enable the implementation of FireEye?”

My natural response is to inquire how and when they assess the real value, not the ROI, they get from their existing solutions. Whilst every security solution provides an “ROI” – often a metric based around industry data on how many security “events” they return – this assessment should not focus on noisy “ROI,” but which solution gives your company the most valuable information. Considering the nature and pace of change when it comes to malware and advanced attacks, this is something to validate regularly and involves looking at more factors than a generic ROI tool can factor in.

In a small survey of about 30 European CxOs we ran in December 2013, I asked the question of how they validated the value of security controls, and, surprisingly, at least 36 percent still didn’t conduct any annual assessment.

Having spent quite a bit of time looking at analyst models and what exists publicly today, the fact that some still don't conduct these assessments emphasizes that there still isn't a well-defined model to correlate business value against investment for security solutions.

Take, for example, the outsourced model where Key Performance Indicators (KPIs) are typically established. Too often I hear anecdotal examples where KPIs were based on incidents found; this simply encourages dialing-up the technologies being monitored so that every incident – malicious or not – is tracked and reported, drowning out the ability to identify real threats.

For example, consider companies investing in big data solutions that gather millions to billions of events each week and equate that volume with value. However, because they are too resource-constrained to convert these events into actionable data, the true value is not extracted and, because doing so in a resource-constrained environment takes so long, the return would seem extremely poor under a sheer numbers-based evaluation.

However, if the value of said product is measured by the actions taken to mitigate a major security event, the extra time spent executing on a few major items, rather than not executing on a large number of items, becomes invaluable to the business. As such, we must blend together the quantitative metrics, such as the costs of a solution (capex & opex) and incident levels, and overlay those values with qualitative insight. The evaluation criteria would look something like the following:

  • Noise to incident ratio - What is an acceptable incident to noise (i.e., false positives or irrelevant alerts) ratio?
  • Volume versus impact - We can alert and respond to a million incidents, but it's the one outage of a critical system or breach of business IP or customer records that will have a far more significant impact on the business.
  • How actionable is the solution - Critical to an alert is timeliness, how long does it take to identify an incident and what level of human skills are required to interpret the results. Spotting a breach is hard, doing the forensics is harder, and understanding the motives of the attacker is harder still.
  • Business outcome - Did a technology mitigate, reduce or simply delay the business impact. Did it tick a compliance control to avoid penalty fees or did it protect IP & customer data?

In the coming months we are going to delve into the economics of security in greater detail. Whilst there are many tools out there discussing security process, and ROI tools showing generic return, we all have limited budget and resources. As the scale and scope of security tools continue to grow, we must innovate our thinking in how we each quantify the value of our investments.

Government in the Cross Hairs

For two decades, security has evolved around the defensive framework of protecting assets, infrastructure, and information — all of them based around the principles of confidentiality, integrity, and availability. But as IT diversifies and grows increasingly complex, we can no longer afford to base our security on such outdated concepts. More and more, discovery and response are becoming focal points for strategic areas.

We call this evolution cyber resilience.

Much discussion has centered around cyber warfare (see our World War C report) and advanced targeted attacks. The challenge is twofold: how do I know if I have been targeted, and how do I marginalize the impact? While key national capabilities may help deal with such challenges, they can seem like virtual reality for many national and local agencies.

Among our customer base, we are seeing the harsh reality:

  • Between 12 and 18 attacks occur per month per government customer
  • These attacks have been targeted and advanced enough to bypass the traditional security controls in place
  • The majority of such attacks are aimed at a single organization

Security Is Like Eating An Elephant

Today’s security environment is daunting. If it’s not advanced persistent threat (APT) actors compromising data systems, it’s good old human fallibility. Protecting IT assets can make a security professional feel like a modern-day Sisyphus, staring helplessly as the boulder breaks free and rolls back to the bottom of the hill.

In a recent article, the UK Information Commissioner's Office (ICO) proclaimed that the majority of data breach incidents can be attributed to staff carelessness.

Security Consolidation: Leveraging Business Intelligence

With business intelligence moving to the top of the priority stack followed by updating legacy systems, we must wonder when the same forward looking view will be applied to security strategies. All too commonly, we see overly complex security controls that have evolved into an ugly kludge, where the same focus is applied generically across the business.

If we can see the value that business intelligence has to focus the business, then surely the same should apply to our business processes and the security controls that enable them. We must be able to define core processes and information and the technology that wraps around them. Then, we must allocate relevant security controls based on the business value of those processes. Typically, security is far from being operationally efficient. If anyone is in the process of reviewing the modernization of legacy systems, then security would be one key aspect that is due for a face lift.

Cyber Insurance – the Chicken and the Egg

Today, one of the most common discussions I have is "How do I qualify the cyber security risk to my board?" The security industry is very good at defining the type and scale of threats active today, and indeed, with projects such as CISP, companies are starting to share intelligence with each other about the attributes of the real-time attacks they are seeing. Yet we still have a major hurdle to tackle, which is the business impact that comes from incidents. While we continue to see any breach as a failure, we will continue to keep the business impact of an attack a closely guarded secret. Legislation such as the disclosure laws in the U.S. (which the EU is looking to repeat at some level in the proposed Network and Information Security directive) mandates the disclosure of what personally identifiable data was taken, yet this is not the impact, simply one of the potential catalysts of impact.