Ben Sapiro at The Dominion of Canada General Insurance Co. believes that taking an epidemiological approach to security can help drive risk to zero. Dan Kaplan reports.

When news broke over the Memorial Day weekend that one of the most complex-ever pieces of malware had surfaced, an espionage toolkit known as Flame, arguably the most surprising element was just how long the virus stayed in the wild before it was detected. Estimates ranged from two to seven years. And, while Flame’s target base was relatively small – roughly 1,000 computers, mainly in Iran, were believed compromised – the sheer time it took to flag the nefarious malicious code caused many security researchers to wonder aloud just how many other Flames still are out there.

For Ben Sapiro, manager of security and contingency at The Dominion of Canada General Insurance Co., headquartered in Toronto, the belated discovery served as a reminder of a much bigger problem facing many organizations today: They are going about evaluating and understanding risk in much the wrong way, while spending too much of their energy and resources on meeting compliance demands, which leads to a vast underinvestment in security. And often, instead of fixing the problem that caused a particular incident, they remediate only a subset of it – patching a single SQL injection vulnerability, for instance, instead of delving into a study of the entire code base.

“The worrying part to me is that what this signals to the world is it can be done,” Sapiro says. “All of the techniques used by Flame can be eventually learned [and] replicated by others, and eventually that knowledge will make it down to college kids. We clearly need a different approach to security to defend ourselves against this type of problem.” 

Sapiro isn’t just talking about viruses and trojans, though with most security companies receiving, on average, 1.5 million new variant submissions each month, and with oldies-but-goodies like Zeus still finding ways to spread undetected while costing businesses hundreds of millions of dollars, it’s no wonder he sees data-stealing malware as a prime concern.

“You are starting to hear stories of people taking existing malware and repackaging it slightly, and it bypasses all the anti-virus scanners,” Sapiro says. “It’s a continuous accumulation of things happening every day. We really need to do something different.”

But, the struggle to combat the latest threats runs much deeper than a skillfully built piece of malware. “They will never have a perfect virus detector,” he says. “It is computationally impossible.” Instead, what’s necessary is an effective way to understand and assess risk. Yet, Sapiro, who spent many years as a consultant, advising clients such as Motorola, says most organizations accept risks because they don’t understand them. That’s because businesses, even ones running proficient networks, generally operate under a false sense of security. They assume their defenses are adequate and that the traditional castle-and-moat approach will protect them – both myopic suppositions. “The tools we use don’t have all the visibility we need them to, and the perimeter doesn’t exist,” he says.

According to Accenture’s “2011 Global Risk Management Study,” which polled executives at some 400 companies covering 10 industries across the globe, more senior leaders are recognizing the need to align risk with business strategy, especially in light of reputational concerns, compliance worries and increased reliance on the supply chain for the purchase of IT equipment, software and services. (The U.S. Government Accountability Office, in fact, warned earlier this year that federal agencies face five threats when it comes to the supply chain: malware, bogus hardware or software, buggy hardware or software, service disruptions, and malicious or untrained personnel.)

The epidemiological approach

Yet, the Accenture report also found that, despite organizations making increased investments to develop their risk capabilities, a quarter of respondents are “not measuring major risk items.” Another issue, the study found, is that responsibility for risk management is too contained within individual business units, whereas it should be a discipline that permeates the entire organization.

Dan Geer, considered one of the security industry’s deepest thinkers when it comes to risk management, says he is “fanatical” about measurement because he is captivated with learning how to make the best decisions based on what one has to work with. Yet, he says most organizations likely are focusing on the wrong things. For example, last year he co-created the Index of Cyber Security (see page 10), a “sentiment-based” model that gauges the opinions of roughly 300 cyber security professionals on their perception of risk. The value of the index fluctuates each month, much like, for instance, the Dow Jones Industrial Average. Since the Index of Cyber Security launched in March 2011, its score has risen from 1,000 to 1,321. 

This should come as no surprise, considering the astonishing rate at which breaches have made headlines. But, Geer noticed something interesting: Respondents seem to be overvaluing the threat posed by hacktivists, and the stats back it up. Verizon’s annual “Data Breach Investigations Report,” released in March, found that politically motivated intruders, whose goal is to name-and-shame organizations with which they morally disagree, caused just two percent of the incidents studied, but were responsible for 58 percent of the stolen data. In other words, groups like Anonymous are going to cause “mayhem” if they successfully breach a target, but it’s more probable the average organization will draw the ire of a financially motivated criminal, not one who wants to publish an email spool. (It should also be noted that security vendors, trying to cash in on today’s threats, have done little to assuage the irrationality of their customers.)

“They’re moving from greatest fear to greatest fear, and moving that way probably only implies running around in circles a bit,” Geer says of security practitioners. He likens this mindset to his own life living on a farm. “If every time I went to the well [outside], and there was a wolf, I’d be pretty focused on wolves even if the water was poisoned.”

To make his case that security pros must overhaul their line of thinking, Sapiro references John Snow, an English doctor who is considered to be a pioneer in the field of modern epidemiology, the study of patterns of disease. Specifically, Snow is credited with uncovering the cause of the devastating 1854 cholera outbreak in London. 

The epidemic, which killed more than 600 people over the course of just a few weeks, was widely believed to be introduced by a pollutant in the atmosphere. At the time, amazingly, most people didn’t believe in the spread of germs. But Snow wasn’t buying the “bad air” theory. So he investigated and eventually traced the source of the infection to a contaminated public water pump on Broad Street in London’s Soho district. To determine the source, Snow interviewed victims’ families and charted where the fatalities were taking place. Sure enough, there was a pattern. “I found,” he wrote afterward, “that nearly all the deaths had taken place within a short distance of the pump.”

Some experts agree that similar to infectious diseases propagating in tainted water, computer viruses can be stymied through epidemiological analysis. “Certainly that’s a good idea, the idea of reacting quickly to things as they’re happening,” Bruce Schneier, the chief security officer of BT, says. He analogizes the idea to airport security in the United States, a technique he has unabashedly criticized as nothing more than theater and not something that truly reduces risk. “Instead of just taking away people’s scissors, we [should] figure out what the terrorist is doing and react.”

Of course, within the security industry, putting such a process of identifying the threat and then cleaning it up into practice hasn’t gotten very far, because most organizations rely on technology that often misses incidents, Sapiro says. IT security infrastructure mainstays, such as intrusion prevention systems and security information and event management (SIEM) solutions, are inherently limited in their reach. Part of the reason is that they don’t tap into all of the data within an organization that could signal a threat, and another part is that IT administrators focus on tweaking the tools so they will tune out false positives, often referred to as “noise.” As a result, the real risks often are missed.

But now products exist that can conduct deep analysis into voluminous amounts of information – known as Big Data – that previously was impossible to study. This not only will provide businesses both large and small with the opportunity to make better decisions and gain a competitive advantage, but it also can be used to extract unprecedented security insight.

“A lot of data that you can use in the context of making security decisions isn’t specifically security data,” says Ed Bellis, chief executive officer of HoneyApps, a Chicago-based vulnerability management company. Bellis also is the former CISO at online travel company Orbitz. While there, he recognized the value of using operations data to make security choices. He got in touch with the product and customer service teams, which were using a program that analyzed customer habits when interacting with the Orbitz website. Bellis applied the software to a number of questions his security group wanted answered.

“We could start to see if someone was trying to manipulate the system and get by a specific logic control,” Bellis recalls. It made sense going this route. “Why buy another security tool to replicate what you’re already doing in house, and why not take advantage of the context you’re getting that a security tool may throw out?”

Strengthening the immune system 

With 13 years in the industry, Sapiro knows attacks and incidents often fall through the cracks when they fail to trip a security system. That’s why he supports applying disease models within information security. He’s not the first one to advocate for this non-technical approach. But he believes it may be the only way to turn a losing struggle into a winning one. 

Using the concept of epidemiology as the basis, Sapiro says IT managers must study the social composition of their network. First, they must analyze their “population” to determine shared traits and behaviors. Next, they must determine which of those characteristics result in harm. Finally, they must identify commonalities between network components that have been harmed and those that haven’t, which allows a pattern to emerge that may not otherwise have been spotted using generic tools.

“Create within your environment [the ability] to detect the currently undetectable,” Sapiro says. “Once you have enough data, the ability to detect will be in the form of patterns you can observe.” 

The second piece to his call to action – the one that focuses on hygiene – is easily the most important one because it can help others negate the threat. In other words, one can solve the problem for everyone, by default, Sapiro says. “Take this pattern and share it with the world. You [can] start building up this ability to detect all wonderful things. The thing about epidemiology is once you understand it, you can target it and drive [risk] toward zero. The question should be how do we eliminate this thing completely? The things we leave lying around come back to bite us in some way.”
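The three steps Sapiro lays out (tabulate the population’s traits, find which traits go with harm, compare the harmed with the unharmed) and the sharing step that follows are, in effect, a cohort study like Snow’s pump map. The script below is an added example, not code from Sapiro, The Dominion or this article: it runs a relative-risk ranking over a constructed host inventory (the hosts, departments and compromise flags are invented) and then emits a shareable pattern that carries counts only, no host identifiers, so it can leave the organization without disclosing which machines were hit.

```python
"""Cohort analysis over a host inventory, in the style of John Snow's
pump map: which traits do the harmed hosts share that the unharmed do
not? Added example; the inventory below is constructed, not real data."""
import json
import math

# Constructed inventory. "compromised" comes from incident records;
# every other key is a trait observed by asset management.
HOSTS = [
    {"host": "ws01", "dept": "finance", "os": "winxp", "remote_access": True,  "compromised": True},
    {"host": "ws02", "dept": "finance", "os": "win7",  "remote_access": True,  "compromised": True},
    {"host": "ws03", "dept": "finance", "os": "win7",  "remote_access": False, "compromised": False},
    {"host": "ws04", "dept": "hr",      "os": "win7",  "remote_access": True,  "compromised": True},
    {"host": "ws05", "dept": "hr",      "os": "win7",  "remote_access": False, "compromised": False},
    {"host": "ws06", "dept": "eng",     "os": "linux", "remote_access": False, "compromised": False},
    {"host": "ws07", "dept": "eng",     "os": "win7",  "remote_access": False, "compromised": False},
    {"host": "ws08", "dept": "eng",     "os": "linux", "remote_access": True,  "compromised": False},
    {"host": "ws09", "dept": "sales",   "os": "winxp", "remote_access": True,  "compromised": True},
    {"host": "ws10", "dept": "sales",   "os": "winxp", "remote_access": False, "compromised": True},
]
IGNORE = {"host", "compromised"}  # the identifier and the outcome are not exposures


def traits(host):
    """Every (key, value) pair of a host is a candidate exposure."""
    return [(k, v) for k, v in host.items() if k not in IGNORE]


def contingency(hosts, trait):
    """2x2 table for one exposure: (a, b, c, d) =
    exposed+harmed, exposed+unharmed, unexposed+harmed, unexposed+unharmed."""
    key, value = trait
    a = b = c = d = 0
    for h in hosts:
        exposed = h.get(key) == value
        if exposed and h["compromised"]:
            a += 1
        elif exposed:
            b += 1
        elif h["compromised"]:
            c += 1
        else:
            d += 1
    return a, b, c, d


def relative_risk(a, b, c, d):
    """Attack rate among the exposed divided by the rate among the unexposed.
    nan when a cohort is empty; inf when only the exposed were harmed."""
    if a + b == 0 or c + d == 0:
        return math.nan
    rate_exposed = a / (a + b)
    rate_unexposed = c / (c + d)
    if rate_unexposed == 0:
        return math.inf if rate_exposed > 0 else 1.0
    return rate_exposed / rate_unexposed


def rank_traits(hosts, min_exposed=2):
    """Rank every observed trait by relative risk, highest first. Traits seen
    on fewer than min_exposed hosts are skipped as too thin to trust."""
    candidates = {t for h in hosts for t in traits(h)}
    rows = []
    for t in sorted(candidates, key=str):
        a, b, c, d = contingency(hosts, t)
        if a + b < min_exposed:
            continue
        rr = relative_risk(a, b, c, d)
        if math.isnan(rr):
            continue
        rows.append({"trait": t, "table": (a, b, c, d), "relative_risk": rr})
    rows.sort(key=lambda r: (-r["relative_risk"], str(r["trait"])))
    return rows


def shareable_pattern(ranked, top=1):
    """The part worth publishing: which traits predicted harm and how strongly,
    as counts only, so no host names or other identifiers leave the org."""
    out = []
    for r in ranked[:top]:
        a, b, c, d = r["table"]
        out.append({
            "trait": {"key": r["trait"][0], "value": r["trait"][1]},
            "exposed_compromised": a, "exposed_clean": b,
            "unexposed_compromised": c, "unexposed_clean": d,
            "relative_risk": round(r["relative_risk"], 2),
        })
    return {"patterns": out}


if __name__ == "__main__":
    ranked = rank_traits(HOSTS)
    for r in ranked:
        print(f"{str(r['trait']):28} table={r['table']} RR={r['relative_risk']:.2f}")
    print(json.dumps(shareable_pattern(ranked, top=2), indent=2))
```

On the constructed data the trait with the highest relative risk is `remote_access=True` (four of five such hosts compromised against one of five without it), ahead of the older operating system; the point of the ranking is that it surfaces whichever trait the harmed share, not the one the analyst expected. The `min_exposed` cutoff matters on real inventories, where a trait seen on a single host will always produce an extreme ratio.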

Bellis likes the idea of detecting patterns and then sharing them because if one organization is dealing with something, chances are, lots of others are, too. But, he envisions plenty of reticence toward this type of model because businesses are inherently reluctant to admit they have been breached.

“I think we’re a long way from that because of the mindset that’s out there,” Bellis says. “We, as an industry, don’t talk about what’s going on. Heck, we don’t even talk about [which] controls [we have in place] because of fear that that creates weakness.”

Applying a hygiene-centric approach to network security is a fine idea, Geer says. “You can certainly drive it down to where the opportunistic attacker will go someplace else,” he says. However, he adds, all bets are off for targeted attacks being created by world-class code writers whose deep-pocketed sponsors will stop at nothing to achieve success. 

Like Flame. “I can surely make my next-door neighbors’ car more attractive to steal than mine,” but Geer says he is out of luck if a thief, dead set on stealing the car, has a “heavy lift helicopter and a Marine brigade” at their disposal.

New focus: Why we’re losing

  • We lack visibility and awareness into what actually is happening in our environment.
  • We try to solve security problems by using practices that are unable to confirm if we are secure.
  • We accumulate a backlog of insufficient protective tools not designed to meet current threats.
  • We apply flawed risk management practices that encourage a perpetual state of insecurity.

– Ben Sapiro


Reducing risk: Mitigation efforts

Smaller organizations

  • Implement a firewall or ACL on remote access services.
  • Change default credentials of POS systems and other internet-facing devices.
  • If a third-party vendor is handling the two items above, make sure they’ve actually done them.

Larger organizations

  • Eliminate unnecessary data; keep tabs on what’s left.
  • Ensure essential controls are met; regularly check that they remain so.
  • Monitor and mine event logs.
  • Evaluate your threat landscape to prioritize your treatment strategy.

– 2012 Verizon Data Breach Investigations Report
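The “monitor and mine event logs” item above, read together with Sapiro’s earlier point that SIEMs get tuned until single failed-login events are dropped as noise, is illustrated by the following added example (not code from Verizon, Sapiro or this article). It parses constructed sshd-style log lines (the hostnames, users and addresses are invented), counts failures per source, and then looks for the sequence a noise filter hides: a successful login from a source that had just produced a run of failures.

```python
"""Mining an authentication log for a pattern that noise-tuning hides.
Added example; the log lines below are constructed, not from a real host."""
import re
from collections import defaultdict

# Constructed syslog-style sshd lines, already in time order.
LOG = """\
Jun 03 02:11:04 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun 03 02:11:06 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jun 03 02:11:09 bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Jun 03 02:11:12 bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Jun 03 02:11:15 bastion sshd[4121]: Failed password for jsmith from 203.0.113.7 port 50126 ssh2
Jun 03 02:11:20 bastion sshd[4130]: Accepted password for jsmith from 203.0.113.7 port 50127 ssh2
Jun 03 08:02:41 bastion sshd[5002]: Failed password for jsmith from 198.51.100.23 port 41000 ssh2
Jun 03 08:02:50 bastion sshd[5003]: Accepted publickey for jsmith from 198.51.100.23 port 41001 ssh2
Jun 03 09:15:00 bastion sshd[5100]: Accepted publickey for ops from 192.0.2.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """Per-source failure count and the set of user names tried. This is the
    view a threshold alert gives; on its own it is the 'noise' that gets tuned out."""
    counts = defaultdict(lambda: {"failures": 0, "users": set()})
    for e in events:
        if e["result"] == "Failed":
            counts[e["src"]]["failures"] += 1
            counts[e["src"]]["users"].add(e["user"])
    return dict(counts)


def success_after_failures(events, min_failures=3):
    """Sources whose successful login followed at least min_failures failures.
    Each failure alone is uninteresting; the sequence is the signal, and it
    only appears when the raw events are kept rather than suppressed."""
    prior = defaultdict(int)
    hits = []
    for e in events:
        if e["result"] == "Failed":
            prior[e["src"]] += 1
        elif prior[e["src"]] >= min_failures:
            hits.append({"ts": e["ts"], "src": e["src"], "user": e["user"],
                         "method": e["method"], "prior_failures": prior[e["src"]]})
    return hits


if __name__ == "__main__":
    evs = parse(LOG)
    for src, info in failures_by_source(evs).items():
        print(f"{src}: {info['failures']} failures, users tried {sorted(info['users'])}")
    for hit in success_after_failures(evs):
        print("review:", hit)
```

The single failure from 198.51.100.23 followed by a key-based login is the ordinary case and produces no hit; the password login from 203.0.113.7 after five failures across three user names is the one the script flags for review. The same two functions apply to any log format once the regular expression is swapped for one that matches it.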