SAN FRANCISCO – A giant game of chicken is being played out on the Internet between countries that are trying to figure out who’s going to blink.
That’s the analysis of a senior official at Cisco Systems when he looks at the increasing number of cyber attacks attributed to nation states.
“I think we’re stuck with this race where countries are trying to figure out how far they can push the envelope before they can cause something like a war,” Craig Williams, director of engineering at Cisco’s Talos threat intelligence unit told reporters and an industry analyst Wednesday. “Meanwhile their victims try to figure out how far do I have to go to stop them.
“Hopefully that gap will end soon and we’ll have clear lines of what’s acceptable” in cyberspace.
“Some countries continue to not play well on the Internet. Unfortunately that’s going to continue for the foreseeable future.”
Williams was speaking on the sidelines of the RSA Conference here at a day-long event for reporters, analysts and customers outlining Cisco’s cyber security strategy. The company says it’s the world’s biggest enterprise vendor, with a range of products and services from endpoint security and multi-factor authentication to incident response.
It sells about US$3 billion in security products and services a year. Still, Cisco is primarily known as a networking company. Network-related products and services account for about US$47 billion of its annual revenue.
Wednesday’s event is one of the ways the company wants to get more into the minds of security buyers.
Cisco officials stress that its strategy is to push the threat intelligence it gains into almost every product it sells, a move that started some six years ago. One message to Cisco network customers is that buying security from the company reduces the number of vendors they have to deal with.
Known for favouring acquisitions, its latest move was to buy multi-factor authentication product supplier Duo Security for about US$2.35 billion in cash and assumed equity in October 2018. MFA helps with access control.
Al Huger, vice-president of engineering at Cisco’s security business group, gave reporters a peek at where the company is going.
With encryption increasingly being offered by browsers, network traffic is becoming more opaque, he said. That impairs the ability of products like deep packet inspection to see inside traffic. It’s good for consumers worried about privacy, not so good for CISOs. So Cisco thinks endpoints will increasingly be more important as the place where some visibility will remain.
Cisco is focusing more on metadata collection there and using artificial intelligence to make decisions about the security of traffic based on behaviour, without having to see into the packets: do I trust the user? What does their endpoint look like? What do I know about their behaviour in the past?
It also means pushing security intelligence into the network fabric, turning switches and routers into data providers for security: where the traffic came from and where it went, for example.
Just before the conference Cisco published its annual CISO Benchmark Study, a survey of more than 3,000 security leaders in organizations from 18 countries.
Among the interesting findings:
– Only 24.1 per cent of alerts that were investigated last year turned out to be legitimate, down from 34 per cent in 2017. “This shows that the accuracy of the tools used to determine which alerts should be investigated are not doing their jobs,” the report concluded.
– The number of legitimate alerts that get remediated fell from 50.5 per cent to 42.8 per cent in the latest report. That means a lot of legitimate alerts weren’t being looked into.
That also matters to organizations that use time to remediation as a metric of their security maturity.
– Only 75 per cent of respondents were very knowledgeable about incident response. “This is a problem,” says the report: everyone in an organization should be knowledgeable about incident response.
– Only 61 per cent of organizations performed a drill or exercise every six months to test response plans to cyber security incidents.
In Williams’ briefing he noted that many people think nation states – having a lot of money – often use zero-day vulnerabilities in their attacks. Not so. “The vast majority of those threats (actors) take advantage of people: they use old Microsoft macro attacks or vulnerabilities because they can convince someone at their target to click on it and compromise the whole company. It’s just not worth it for them to spend the capital to buy a zero day,” which could run up to seven figures.
To get an idea of his worst nightmare, Williams pointed to the global spread in 2017 of the NotPetya ransomware, which he estimated infected millions of computers. “It was the most destructive campaign we’ve seen,” he said.
The Talos intelligence unit rarely gives attribution to an attack. In this case the U.S. accused Russia.
While the malware was delivered through an update to popular Ukrainian accounting software, Williams said it is a common misconception that the target was Ukraine. The deployers could have limited the malware to looking only for devices with an IP address in Ukraine, he argued. Instead, the code was made to run on any computer with the software.
In his opinion the message of the malware was global: “Don’t do business in the Ukraine.”