CW ASEAN
The monthly magazine from Computer Weekly focusing on business IT in Southeast Asia
July 2016
computerweekly.com

In this issue:
Philippines data breach sends reverberations around Southeast Asia
Theft of customer data is top payments technology worry for ASEAN retailers
Growing role for cyber security insurance
Personal data at risk: voter hack highlights need for stronger security measures
Boost your cyber defences by actively hunting down the threat

cw asean July 2016 1

DATA SECURITY

Philippines voter data breach sends reverberations around Southeast Asia

The recent hack of the data of 50 million voters is fuelling security concerns in ASEAN countries, reports Zafar Anjum

The sizeable data breach at the Philippine Commission on Elections (Comelec) in April, just a month before an election, should serve as a warning to organizations in the ASEAN region to ensure they use the right security technology and policies.
Two hacking groups, Anonymous Philippines and LulzSec Philippines, claimed responsibility for stealing the personal information, including fingerprint data and passport information, of around 50 million people.
While Comelec claimed that no sensitive information was released, cyber security firm Trend Micro said the incident was the biggest government-related data breach in history, and included the fingerprints of 15.8 million individuals, and passport numbers and expiry dates of 1.3 million overseas voters.
As news of the hack emerged, security experts questioned how a hack of this magnitude was allowed to happen. Why was the government in Manila downplaying the scale of the incident? Could such a hack have been prevented? And what could governments in other ASEAN countries learn from the security breach?

Why did the hack happen?

By late April 2016, the Philippines government had arrested two Manila-based individuals connected with the crime: Anonymous Philippines member Paul Biteng, a security researcher who now faces prosecution under the Cybercrime Prevention Act; and Jonel de Asis, a systems integrator at a semiconductor firm in Muntinlupa, who is part of LulzSec Philippines.


According to media reports, Asis hacked the site and stole 340GB of data five days before the site was defaced by Anonymous hacktivists. However, he denies uploading the stolen data to the WeHaveYourData.com site.
Boye Vanell, BAE Systems Applied Intelligence regional director for Asia, claimed the website defacement contained messages that suggested Comelec had not properly secured the automated voting machines scheduled for use in the upcoming elections.
"Both groups are loosely affiliated with their respective wider hacker collectives," he said. "If this attack was indeed perpetrated by these groups, as has been claimed, then this is a case of an attack being carried out by cyber criminals known as activists."

[Photo: The Philippine Commission on Elections at the Palacio del Gobernador. Hackers stole the personal data of 50 million voters. Credit: Elmer B. Domingo/Wikimedia]


"These activists are cyber criminals whose motivations are driven by a strong moral, religious or political belief," said Vanell. "In this case the motivation appears to stem from a distrust of the political system." The Manila Bulletin said Asis wanted to highlight security deficiencies in the Comelec website.
"Whether it be defacing a website, disrupting a network through a denial-of-service attack, or causing financial loss or loss of reputation to those with opposing beliefs, the activist often has the skills and the means to leave significant collateral damage in their wake," said Vanell. "In this case, 50 million citizens' fingerprint data is now reportedly available."

The profession of data theft

The attack was the latest in a string of cyber incidents to hit the Philippine government. The Philippine central bank said it had foiled attempts to hack its website in April, amid a warning from global financial network Swift [Society for Worldwide Interbank Financial Telecommunication] about recent multiple cyber fraud incidents targeting its system.
While the Manila voter data hack was reportedly committed by activists, there are numerous threat actors, each equally dangerous in their own way. Hacking and data theft have become professionalized and industrialized, and perpetrators are often organized, disciplined and well-funded.
"For emerging nations like the Philippines, this presents a considerable challenge where technology is revolutionising traditional industries and enabling enormous growth, but at the same time opening up avenues for cyber attackers to exploit," said Vanell.

However, it does not help if governments rush to deny security breaches that make it to the headlines, according to Cathy Huang, research manager at IDC's Asia-Pacific services and cloud research group.
"The denial of this hacking incident reflects typical behaviour when an organization has been hacked or their data has been breached," she said.

"In some countries or some verticals, say the healthcare industry, the enforcement of reporting a data loss is very strict. However, the Philippines is one of the countries which may have the relevant personal data protection law on paper, but lacks effective enforcement."

Need for cyber security awareness


Vanell claimed organizations need to understand basic security
hygiene as an essential first step, as the vast majority of cyber
attacks will exploit unpatched servers or applications, and take
advantage of relaxed security awareness.


Organizations need to understand what it is they must defend, how exposed these assets are and what their risk appetite is. Is it payment card details, is it personal data, is it intellectual property? Preparation before the attack comes is vital to reducing the impact on critical assets when it happens.
To prevent such attacks, there should be increased cyber security awareness across the organization, said Huang. "There needs to be management support with regular updates, not just after an incident happens. Organizations must update security patches regularly to ensure their IT systems' security is sufficiently robust."

Threat intelligence and data analytics

Vanell said organizations in the public and private sectors should take proactive measures to address cyber threats: "On top of risk identification and asset protection, organizations can get on the front foot by understanding their likely threats," he said.
"Although the global connectivity of the internet may make it seem as if you're exposed to the whole world, attacks will often come from local sources. This is particularly the case with activists, who may not agree with domestic government policies or groups impacting their immediate sphere of influence," added Vanell.
Vanell explained that the recipe to prevent Manila-like security threats is to combine threat intelligence of the known threat actors and vectors with data analytics which look for potentially unknown threats through behavioural anomalies and patterns. "Ultimately, this needs to be supported with an effective incident response plan in case a cyber attack succeeds," he concluded.

CW
TechTarget/CW ASEAN
55 B/C Tanjong Pagar Road
Singapore 088476

Editor: Karl Flinders
Production editor/design: Claire Cormack
Sub-editors: Jason Foster, Jaime Lee Daniels
Vice-president APAC: Jon Panker

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

SECURE PAYMENTS

Theft of customer data is top payments technology worry for ASEAN retailers

Southeast Asian retailers say securing customer payments is a major challenge as new technology is forced on them by market and consumer pressure. Ai Lei Tao reports

Security of customers' details is the top payments concern for 68% of ASEAN retailers, according to the Global Payments Insight study by ACI Worldwide and Ovum.
The study asked more than 1,600 executives at banks, retailers and billing organizations, of which 176 were from the ASEAN region, about their experiences, perceptions and expectations of payments and how this is shaping their behaviour.
The study found that competition and security are the most pressing e-commerce issues that are driving investments in payment systems in ASEAN. But retailers are fearful that the fast adoption of new payments technology is risking data security.
"The need to offer a wide variety of payment [systems] is a growing trend in the past 12 months," said Leslie Choo, vice-president of ASEAN at ACI Worldwide. "With new competitors offering more payment types, retailers have to offer these to compete from a user experience perspective."
"Alternative payment methods are a big deal because card usage or adoption can be very low in some ASEAN countries," Choo added. "Social payments and mobile are also big areas of interest." Some 53% of retailers interviewed expect to increase their investments in payment systems in the next year.
IDC agreed that there is a wide variety of mobile payment options in Southeast Asia.

More developed markets

Sui-Jon Ho, senior market analyst of IDC Financial Insights, Asia-Pacific, said the more developed ASEAN markets of Malaysia and Singapore have consumers who are more inclined to adopt digital transactions, such as mobile and card-based wallets and bank-led account-to-account systems, in addition to credit and debit cards.
By contrast, emerging ASEAN economies tend to have a more fragmented payments market, where the digital methods used are more hybrid to accommodate the popularity of cash, low penetration and usage of cards, and the overall lower degree of financial sophistication.


The study found card payments continue to dominate in the region as a whole, with debit and credit cards accounting for 44% of all transactions, while mobile payments such as QR codes, e-wallet and near-field communication (NFC) account for 9% of transactions.

Mobile more prevalent

"As mobile becomes more prevalent and trusted by consumers, this number will continue to grow," said Choo.
ASEAN retailers also view banks as the primary provider of payment services, according to survey respondents.
While the incumbent financial institutions are the preferred financial service providers, startup financial technology companies (fintechs) are entering the ASEAN retail market, with 20 to 40% of retailers choosing to work with a startup. For example, 40% would work with a startup for mobile QR code payments and location-specific payment and loyalty services.
Paul Thomalla, senior vice-president at ACI Worldwide, said: "For all of these organizations, the key takeaway is that competitive pressures are driving up spending in the marketplace. Spending small, incremental amounts will only lead to an erosion of market share."
Thomalla added: "The payment initiators of the world want to work directly with payment operators. By doing so, they will be able to lower payment costs, reduce complexity and increase investments to stave off the threat of new competitors."

CYBER INSURANCE

Growing role for cyber security insurance

Cyber security insurance has gained more attention and acceptance from enterprises, but how does it fit within an organization's enterprise security program? Sean Martin explores a growing market

In simple terms, there are two sides to every information security program: protection and response. A successful cyber security program requires both. However, on both sides of the coin, organizations must deal with five realities:
• There are things that they have under control and completely operationalized.
• There are things they can handle, but it's a pain to keep on top of them.
• There are things they have to work hard at but can still manage somehow.
• There are things they don't know how to deal with, and investing in process, technology or personnel will not make a material difference.
• Their program is defined and managed by humans, and humans make mistakes.
The question is: how can companies deal with these inevitable realities, especially recognizing that they won't be able to detect every attack before the damage is done or successfully mitigate every incident without a negative impact to the business?

For some enterprises, the answer to these questions lies in the form of cyber security insurance coverage.
"CISOs now understand the value of cyber security insurance as part of their overall risk management strategy," said Ben Beeson, cyber risk practice leader at insurance broker Lockton Companies. "Understanding that prevention is hard and a resilience focus is needed, transferring risk clearly becomes more relevant."

Necessary evil
So is cyber security insurance a necessary evil for every company
to consider? Or is it a viable option for only a few? To answer
these questions, it is important to look at the role cyber security
insurance plays within an enterprise security program but only
after determining what cyber security insurance actually is.
During the RSA Conference 2016 in San Francisco, cyber security insurance was the focus of several presentations and discussions. Experts in technology and financial services described how
it fits within a modern enterprise security program.
According to some people in financial services, the concept of cyber security insurance or cyber insurance has been around for 12-16 years. Blake Huebner, vice-president of security training at Optiv Security, said during a panel discussion at RSA Conference that cyber insurance has been around since the 1990s.
Regardless of when it began, the adoption of cyber insurance, like the adoption of cyber security technology, was initially driven by privacy and data breach regulations, and more recently by actual breaches in security.
"Given the recent breaches at Target and Home Depot, this market is getting a lot of traction," said Huebner. "Healthcare has the highest adoption, followed by education, gaming, utilities, financial services and retail. It's not the wild, wild west, but it's certainly a fast-maturing market."
The market has taken off like a rocket in recent years, and there are now many providers and brokers operating in the cyber insurance space, and serious cash is being made.
"There are close to 100 insurance companies offering cyber insurance in one shape or another," said Jacob Ingerslev, head of technology E&O for Cyber & Media Liability at financial services firm CNA Insurance, during an RSA Conference presentation. "And 80-90% of the business is concentrated in 10 companies."

Lockton's Beeson said during a panel discussion at the 2016 Advisen Cyber Risk Insights Conference in San Francisco: "In 2015, the cyber insurance market generated between $2.5bn and $3bn in revenue. It is a profitable market and, according to PricewaterhouseCoopers, it is set to grow by nearly three times in the next four years and be worth about $7.5bn by 2020."
While it is clear that the insurance companies are making money, it is coming from only a handful of organizations. "Only 2% of companies in the US have cyber insurance," said Julian Waits, president and CEO at PivotPoint Risk Analytics.
"The biggest problem is quantifying the risk. It is not linear, actuarial information is immature, and therefore insurance companies are grappling with 'how do we price this risk?' and companies are grappling with what type of policy and how much they need to buy, and what they're actually getting in return."

Critical component

Cyber security insurance does not replace security best practices, but experts say it is a critical component that fills the gaps of a solid, well-thought-out security program.
"Any security professional will tell you that you can never be 100% protected against an attack," said Jonathan Niednagel, CEO and co-founder of DatumSec, a risk assessment firm based in Altadena, California. "If this were true, then best practices and due diligence should get you 95% of the way there, and cyber insurance should cover the remaining 5% exposure. Too many professionals think they can accept lax security practices because they are covered by insurance; this could not be further from the truth."


As this challenge is met, the industry could begin to see more insurance policies written covering more organizations to fill the cyber security protection gap.
As a general rule, cyber insurance makes a lot of sense, experts say. A policy can cost a significant amount of money, but some organizations feel it is a safer bet to include cyber insurance as part of their cyber security program.
But it's not as simple as phoning an insurer or broker and taking out a policy. A lot of analysis goes into making this decision. To complicate matters further, organizations are beginning to look at risk and cyber insurance differently. "There is a pre-Target breach world and a post-Target breach world," said Beeson.

Pre-Target and post-Target

Before the Target breach, cyber insurance policies were written based on a static approach for evaluating risk. Companies would fill out an assessment, deliver a presentation to the underwriters and possibly have some form of dialog with them.
"Once the assessments were complete and the policy written, the insurers would leave and cross their fingers for 12 months," said Beeson.
In the post-Target breach world, breaches are occurring more frequently, and this "hope and pray" model no longer works for the insurers. "Cyber insurance is a relatively new financial tool, and in my experience, up until the last seven or eight years, cyber insurance was viewed as an afterthought on top of a company's cyber security program," said William Dixon, vice-president at cyber security and risk management company Stroz Friedberg.

"Organizations now realize they will never be able to cover their risk 100% using people, process and technology. So we see a lot of clients putting cyber insurance into their cyber security programs not as a supplement to improve the security maturity of their technology and processes, but as a means to handle recovery in the case of a breach, such as remediation, breach notifications, credit monitoring and added support from outside counsel."
Ken Allan, global information security leader at Ernst & Young, said some enterprises find the obstacles to obtaining a sound cyber security insurance policy too great to overcome.
"One of our large banking clients conducted analysis to figure out what it could do with its cyber security investment, looking at whether or not it could spend more money to protect more critical items," he said.
"In some cases, the technologies were so complex, and the cost to purchase and manage them didn't justify an investment. The bank chose to cover that risk area with cyber insurance."


CYBER CRIME PREVENTION

Hunters: A rare but vital breed of cyber defender

They wait, they watch, they search the outer reaches of networks and all corners of the web, setting traps, crafting tools, collecting evidence and going in pursuit: they are the hunters. Warwick Ashford reports

Proactive security is taking on a whole new meaning with the emergence of a rare breed of information security analysts who sniff out traces of cyber attackers and go in pursuit, relentlessly tracking down their quarry.
Information security leaders agree the days of relying on security system alerts to scramble first responders to cyber attacks are past. Today, defenders need to be less reliant on systems based on known attacks and more proactive, finding malicious activity and vulnerabilities before any harm can be done, thinking like attackers and blocking avenues of attack before they can be used.
In the face of increasing volumes of attacks, defenders need technologies that take care of the bulk of the low-level stuff so they can concentrate on those slipping through the net.

Hidden attackers

It is these below-the-radar attacks that are potentially the most dangerous and the most persistent, giving cyber criminals the possibility of unfettered access to mission-critical data assets for months, even years.
Like dedicated law enforcers, hunters are typically the most enthusiastic, passionate and driven security analysts. They enjoy investigating and are not waiting for the alerts or emergency calls to come in. They run where they know attackers run, they listen where they know attackers communicate, and they watch where they know attackers are likely to be testing the boundaries.
Some hunters, like those who work in the RSA FraudAction division, take it even further by pretending to be hackers themselves
to get inside the heads of the cyber criminals and learn their techniques. They are long-standing members of hacker forums, talking directly to hackers, their intended prey. This is proactive security in the extreme, and typically the preserve of only the most dedicated seekers of the truth.

Tracking behaviour

But at the most basic level, where there is no known or obvious intrusion, hunters are looking for abnormal, unusual or suspicious behaviour, especially in relation to high-value data assets.
"Hunters typically look at all processes, tools, commands and network file shares that are running in an environment to pick up potential indicators of compromise that security systems would miss because they are not malicious in themselves, but a trained eye can recognise if something is inappropriate, unlikely or unusual, which can signal that something is amiss," says Ben Johnson, chief security strategist for Carbon Black.
Where there is a known compromise, hunters have a role to play in finding out if attackers are active elsewhere in an organization or doing anything else that may not be obviously connected to the known compromise "by looking for related or similar behavior and identifiers such as IP addresses, system commands and command formats or styles," he says.
But before hunters can do anything, they have to be able to see what's going on. That means organizations have to do all they can to have the highest level of visibility of their IT environment, including the network and all endpoints, through things like effective logging and continuous activity monitoring. Despite the usefulness of these tools to investigators, most organizations have yet to invest in this capability.
"Once the appropriate information is collected, it needs to be centralized using something like Splunk, Hadoop or a traditional SIEM [security information and event management] system such as QRadar or ArcSight, and then it's a case of correlating that information and doing some simple analytics by running queries to look at all the users that have only logged in once, or who log in mainly at night or very early in the morning," says Johnson.

Weapons for the hunt

Other typical hunter weapons include operating system logs, network packet capture systems, and endpoint detection and response tools to provide data that can be analysed centrally to find what is unusual or rare. It is more efficient than the more manual approaches, such as memory analysis of every machine on the network, that security analysts used in the past.
Despite the potential value of this approach and the fact that just about every organization recognises the need to do it, Johnson says it is still very rare. "It is not a matter of convincing them," he says. "It is a matter of security teams not really knowing what they could be doing and the lack of human resources to do it."
The organizations that are adopting the hunter approach tend to be those that have developers and engineers involved in security, such as technology companies and large financial institutions, where they are able to write code to collect the data, run queries to strip out the noise and present it to hunter analysts.
"That is really how intelligence agencies like the NSA and GCHQ work: get as many sensors as you can out there to collect as much information as you can, centralize it in huge data systems, and then use computational power to put only the enriched, relevant data in front of the human analysts," says Johnson.
This approach, using automation and coding to sift through multiple sources of data and to execute responses, offers a hunting approach at scale and allows security teams to be smaller.

Hunting skills

"It is easy to start building up hunting skills by using something like Splunk to collect where user logins are happening, then looking at who is logging in but only rarely, at who is logging into multiple systems at the same time, and other simple queries that can help catch malicious activity that would otherwise have been missed," says Johnson.
For example, where attackers steal valid user credentials, it is difficult to detect them because there is no malware or other hacker code. However, Johnson says that when this happened in a Fortune 50 company, by collecting everything running on every endpoint and centralising it, it was possible to identify the compromised computers by tracking commands that would be unknown to normal users.
"Once you find hunting algorithms that work in your environment, automate these and then go on to the next thing, continually raising the bar for attackers, making it increasingly difficult for them to operate in your environment without exposing themselves, by continually adding Mission Impossible-style laser beams or tripwires," says Johnson.
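The "simple analytics" Johnson describes in the two passages above, written out as an added example (not code from the article, from Carbon Black or from any product the article names): the users-who-logged-in-once, mostly-at-night and several-systems-at-once queries, plus the rare-command check from the stolen-credential case, run over constructed login and process-start records. The record format, the 07:00-19:00 business-hours window and the thresholds are assumptions made for the demonstration.

```python
"""Hunting queries over centralized login and process-start records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample login events, "<ISO timestamp> <user> <host>" (not real data),
# standing in for records pulled from a SIEM or a Splunk/Hadoop store.
SAMPLE_LOGINS = """\
2016-07-04T09:02:11 alice ws-101
2016-07-04T09:05:40 bob ws-102
2016-07-04T13:30:00 alice fileserver-1
2016-07-04T03:10:05 svc_backup db-1
2016-07-05T02:58:44 svc_backup db-1
2016-07-05T09:01:00 bob ws-102
2016-07-05T11:20:00 dave ws-305
2016-07-05T21:47:09 carol ws-210
2016-07-05T21:47:30 carol fileserver-1
2016-07-05T21:48:02 carol db-1
2016-07-06T04:12:00 svc_backup db-1
2016-07-06T10:00:00 bob ws-102
2016-07-06T23:15:33 alice hr-1
"""

# Constructed sample process-start events, "<user> <command>" (not real data).
SAMPLE_COMMANDS = """\
alice outlook.exe
alice winword.exe
bob outlook.exe
bob excel.exe
carol outlook.exe
carol whoami.exe
carol net.exe
dave outlook.exe
dave winword.exe
"""


def parse_logins(text):
    """Turn raw login lines into (timestamp, user, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def single_login_users(events):
    """Users seen exactly once: new, dormant or throwaway accounts worth a look."""
    counts = Counter(user for _, user, _ in events)
    return sorted(u for u, n in counts.items() if n == 1)


def off_hours_users(events, start_hour=7, end_hour=19, threshold=0.5):
    """Return {user: share} for users whose share of logins outside
    start_hour..end_hour reaches the threshold. A triage signal, not a
    verdict: a backup service account at 03:00 is expected, a clerk is not."""
    total, off = Counter(), Counter()
    for ts, user, _ in events:
        total[user] += 1
        if not start_hour <= ts.hour < end_hour:
            off[user] += 1
    return {u: round(off[u] / total[u], 2) for u in total
            if off[u] / total[u] >= threshold}


def concurrent_multi_host_users(events, window=timedelta(minutes=5)):
    """Return {user: sorted hosts} for users who opened sessions on two or
    more distinct hosts inside one window. A person rarely logs into three
    machines in a minute; replayed stolen credentials often do."""
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))
    flagged = {}
    for user, seq in by_user.items():
        seq.sort()
        hits = set()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= 2:
                hits |= hosts
        if hits:
            flagged[user] = sorted(hits)
    return flagged


def rare_commands(text, max_users=1):
    """Return {command: sorted users} for commands run by at most max_users
    distinct users fleet-wide. Mirrors the stolen-credential case: there is
    no malware to find, but the intruder's commands are ones ordinary users
    never run. Expect false positives (the lone spreadsheet user shows up too)."""
    users_by_cmd = defaultdict(set)
    for line in text.strip().splitlines():
        user, cmd = line.split()
        users_by_cmd[cmd].add(user)
    return {c: sorted(u) for c, u in users_by_cmd.items() if len(u) <= max_users}


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOGINS)
    print("logged in once:   ", single_login_users(logins))
    print("mostly off hours: ", off_hours_users(logins))
    print("multi-host bursts:", concurrent_multi_host_users(logins))
    print("rare commands:    ", rare_commands(SAMPLE_COMMANDS))
```

The backup account in the off-hours list and the single spreadsheet user in the rare-command list are the deliberate false positives: each query ranks candidates for a trained eye to investigate, it does not decide on its own.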
Dedicated hunters, however, go beyond the capabilities of existing tools and technologies, using more art than science to push
the boundaries of what is possible by coding new tools on the fly
to discover what was formerly undiscoverable.
And this is where cyber hunting reveals itself as a truly dark art,
with most hunters unwilling to shed much light on how they practise their craft. This is partly to avoid tipping off attackers about
how they can see the bad in what appears to be normal and good,
partly down to professional jealousy, and partly a result of the
non-disclosure agreements (NDAs) that keep the best tales of
cyber sleuthing out of the public domain and which have stopped
several hunters from sharing their finest moments.

Secret methods

"Details of our methods must remain secret to be effective," says Andrew Nanson, chief technology officer of Corvid, the high-end internal and external security services division of the Ultra Electronics Group, and former cyber security adviser to Nato and the UK's intelligence and defence agencies.
"Hunting is so much more than behavior analytics and anomaly detection," he says. "Attackers know companies are going to be doing that, so they are either patient or just ensure that all their actions look like normal user actions and use applications that are valid user applications. Attackers are not stupid."

According to Nanson, searching for anomalies is the easy bit. "Hunters will also look at what appears to be normal because that is where you will find the attackers: they operate in the grey space. If you are not getting at least 50% false positives on your investigations, you are not investigating the grey space where attackers often operate."
If organizations investigate only anomalies and incidents, then skilled attackers will almost certainly be able to operate in their networks undetected, Nanson warns.

The good, the bad and the malicious

Hunters, he says, start with the assumption that all systems are compromised. But because there are various levels of sophistication in compromise, the first thing is to ensure the system is not compromised by obvious malware that is well known and easy to detect.
"If an organization has Conficker on its systems, then that's a bad situation," he says. "It means the systems are unpatched and the antivirus software is not up to date, and that is just not acceptable, even though Conficker was brilliant."
Nanson says Conficker was the first to use a domain generation algorithm (DGA) to call home and get control instructions.
The next step is to analyse all the systems to ascertain what is on all of them. "What we don't know, we assume is bad until we know that it isn't," says Nanson. "Instead of looking for a signature of bad, we assume that the best you can have is a signature of good, and even then you shouldn't trust that because attackers can still inject malcode into legitimate processes using a technique known as process hollowing and get these processes to hide and run the malicious code, making it very difficult to identify that something that is running is bad."
For this reason, the essential next step is to do memory analytics to identify if any of the benign-looking processes running on a machine are actually malicious.
"Generically speaking, we analyse at the network level, at the host level and at a metadata level, applying our intelligence to as many different places as we can in the IT environment, but without giving the IT department extra jobs to do, such as blocking IP addresses that happen to have scanned the organization's firewall, which is not very helpful," says Nanson.
A purely product-based approach to security, he says, is doomed to failure. "If I were to come up with a product today, then by the time I have got finance for it, developed it, tested it and released it to the market, the attacks would have moved on.
"Instead, you need a continually evolving platform of capability and to be as agile as the attackers, because if you are not, you will always be waiting for someone else to develop a product to defend against the current attack vector.
"This is why you need good people, not just people who can drive a graphical user interface (GUI), because all they can do is what a software developer came up with for them to do. You need people who can work at a raw data and content level and know how to create new methods of detection, or at least hypothesise a new compromise vector that you have not considered previously."
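Nanson's Conficker example is the kind of "well known and easy to detect" compromise he says a hunter clears first, and the domain generation algorithm he mentions is the hook to hunt on. The following is an added example, not code from the article or from Corvid: a small hunt over a constructed DNS resolver log that scores the registrable label of each queried name (character entropy, vowel ratio, consonant runs) and groups generated-looking NXDOMAIN lookups by client. The log lines, the thresholds and the single-label public-suffix handling are all assumptions made for this illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS resolver log: "<timestamp> <client> <qname> <rcode>".
DNS_LOG = """\
2016-07-01T09:00:01 10.0.0.12 www.example.com NOERROR
2016-07-01T09:00:02 10.0.0.12 cdn.example.net NOERROR
2016-07-01T09:00:03 10.0.0.34 qwzkxrvbtn.org NXDOMAIN
2016-07-01T09:00:03 10.0.0.34 plfgwsdhmcj.net NXDOMAIN
2016-07-01T09:00:04 10.0.0.34 tkrvbxqzn.info NXDOMAIN
2016-07-01T09:00:04 10.0.0.34 hjkwqprtz.com NXDOMAIN
2016-07-01T09:00:05 10.0.0.34 mail.example.com NOERROR
2016-07-01T09:00:06 10.0.0.56 accounts.example.org NOERROR
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
VOWELS = set("aeiou")


def registrable_label(qname: str) -> str:
    """Label directly left of the public suffix.

    Assumption: single-label public suffixes (com, net, org, ...). A real hunt
    would consult the Public Suffix List so that suffixes such as co.uk work too.
    """
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; generated labels sit close to log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s: str) -> int:
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_generated(label: str) -> bool:
    """Lexical DGA heuristic. Thresholds are assumptions picked for this sample,
    not tuned values; a production hunt would baseline them per environment."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    high_entropy = shannon_entropy(label) >= 3.0 and vowel_ratio < 0.3
    return high_entropy or longest_consonant_run(label) >= 5


def hunt_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Return {client: [qname, ...]} for clients with at least min_hits NXDOMAIN
    lookups of generated-looking names. Most DGA candidates are unregistered, so
    the NXDOMAIN burst is the signal; the few that resolve are the callbacks."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(registrable_label(qname)):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in hunt_dga_clients(DNS_LOG).items():
        print(f"{client}: {len(names)} generated-looking NXDOMAIN lookups")
        for name in names:
            print(f"  {name}")
```

The per-client grouping is what separates a hunt from an alert: a single odd name is noise, but one host burning through several unregistered high-entropy names in seconds is worth an analyst's time, and the one name in that burst that did resolve is the lead to pull on.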
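Nanson's "signature of good" that still cannot be trusted, and the memory analytics he says must follow it, come down to a couple of checks a host triage can make on each running process. The following is an added example, not Corvid's code: it takes a constructed snapshot of the fields a memory-forensics framework reports per process (PEB image path, on-disk hash, the memory region at the image base), treats any hash outside an assumed known-good set as bad until proven otherwise, and for the allowlisted ones applies the usual process-hollowing indicators: an image base that is private memory rather than a section backed by the image file, a backing file that disagrees with the PEB, or a writable-and-executable image region. Hashes, paths and addresses are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Region:
    """One memory region, as a memory-forensics tool would list it."""
    start: int
    end: int
    protect: str                  # e.g. "PAGE_EXECUTE_WRITECOPY"
    mapped_file: Optional[str]    # backing file, or None for private memory


@dataclass
class Process:
    pid: int
    image_path: str               # ImagePathName as recorded in the PEB
    disk_sha256: str              # hash of the file found at image_path
    image_base: int               # PEB ImageBaseAddress
    regions: List[Region]


# Constructed allowlist: placeholder hashes, not real file hashes.
KNOWN_GOOD = {
    "a" * 64: r"C:\Windows\System32\svchost.exe",
    "b" * 64: r"C:\Windows\explorer.exe",
}

# Constructed snapshot of three processes from one host.
SNAPSHOT = [
    # Ordinary service host: image base backed by its own file, copy-on-write.
    Process(1204, r"C:\Windows\System32\svchost.exe", "a" * 64, 0x7FF610000000,
            [Region(0x7FF610000000, 0x7FF610050000, "PAGE_EXECUTE_WRITECOPY",
                    r"C:\Windows\System32\svchost.exe")]),
    # Allowlisted on disk, but the image base is private RWX memory with no
    # file behind it: the shape process hollowing leaves behind.
    Process(3320, r"C:\Windows\explorer.exe", "b" * 64, 0x7FF720000000,
            [Region(0x7FF720000000, 0x7FF720400000, "PAGE_EXECUTE_READWRITE", None)]),
    # Unknown binary: not trusted until someone proves it is benign.
    Process(4410, r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "c" * 64, 0x400000,
            [Region(0x400000, 0x450000, "PAGE_EXECUTE_WRITECOPY",
                    r"C:\Users\jdoe\AppData\Local\Temp\updater.exe")]),
]


def region_at(proc: Process, addr: int) -> Optional[Region]:
    return next((r for r in proc.regions if r.start <= addr < r.end), None)


def hollowing_indicators(proc: Process) -> List[str]:
    """Memory-level checks on the region at the PEB image base. A normally loaded
    image is a file-backed, copy-on-write section pointing at the PEB path."""
    region = region_at(proc, proc.image_base)
    if region is None:
        return ["no memory region at the PEB image base"]
    found = []
    if region.mapped_file is None:
        found.append("image base is private memory, not backed by the image file")
    elif region.mapped_file.lower() != proc.image_path.lower():
        found.append(f"image base backed by {region.mapped_file}, PEB says {proc.image_path}")
    if region.protect == "PAGE_EXECUTE_READWRITE":
        found.append("image region is writable and executable")
    return found


def triage(processes: List[Process], known_good: dict) -> List[dict]:
    """Unknown hash: assumed bad until proven otherwise. Known hash: still check
    memory, because the file on disk says nothing about what is running."""
    verdicts = []
    for p in processes:
        if p.disk_sha256 not in known_good:
            verdicts.append({"pid": p.pid, "verdict": "unknown",
                             "reasons": ["binary hash not in the known-good set"]})
            continue
        reasons = hollowing_indicators(p)
        verdicts.append({"pid": p.pid, "verdict": "suspect" if reasons else "clean",
                         "reasons": reasons})
    return verdicts


if __name__ == "__main__":
    for v in triage(SNAPSHOT, KNOWN_GOOD):
        print(v["pid"], v["verdict"], "; ".join(v["reasons"]))
```

On a real host these fields come from a memory image rather than a hand-built list (the process, VAD and PEB information a framework such as Volatility exposes); the point of the ordering is Nanson's: the allowlist removes the bulk of the work, and the memory checks are what catch the allowlisted image whose code is no longer the code on disk.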

Close the window

Hunting, says Nanson, is the most effective way of detecting compromise because if organizations hunt instead of sitting back and waiting for something to advertise that an attack is under way, then they are being proactive rather than reactive, potentially reducing the window of opportunity for attackers.
This is so important, he says, especially in the light of reports
that the average time attackers spend inside corporate networks
before they are discovered is around seven-and-a-half months.
Ideally, organizations should be working to reduce this window of
opportunity to days, even hours.
"In the absence of a security product that guarantees finding attackers 100% of the time, that stops them in their tracks, and can tell you where they are and how they got in, you need a constantly evolving, proactive hunting approach whereby you are constantly looking at what is going on and constantly devising new techniques of detecting compromise," says Nanson.
Refusing to be drawn on just how this is done and how hunters
tell the good stuff from the bad, all he will say is that attackers do
make mistakes. But he adds that hunters cannot rely on that, and
admits that sometimes it is simply a question of luck.
"Attackers also all follow the same high-level script," says Jared Myers, advisory practice consultant at RSA and one of RSA's hunters for hire. "Attackers have to get in some way, then they need to obtain credentials and start moving around to target the data, and then they have to get that data out, so that is where we focus our attention rather than becoming caught up in chasing IOCs [indicators of compromise]." He says this approach has proved useful in establishing the scope of an intrusion and finding things that targeted organizations were not yet aware of.
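Myers' script (get in, obtain credentials, move around, get the data out) translates into detections that do not depend on any indicator of compromise. The following is an added example, not RSA's code: it runs over a constructed logon audit and a constructed outbound-transfer summary, flags the "moving around" stage (one account reaching several hosts from one source inside a short window) and the "getting out" stage (a large transfer to a destination outside an assumed baseline), then links the two to scope the intrusion. The window, thresholds, host names and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon audit: "<timestamp> <account> <source_host> <target_host> <result>".
AUTH_LOG = """\
2016-07-01T02:10:00 svc_backup WS-017 FS-01 success
2016-07-01T02:11:30 svc_backup WS-017 FS-02 success
2016-07-01T02:13:05 svc_backup WS-017 DC-01 success
2016-07-01T02:14:40 svc_backup WS-017 HR-DB success
2016-07-01T09:02:00 alice WS-003 FS-01 success
2016-07-01T09:30:00 alice WS-003 MAIL-01 success
2016-07-01T09:31:00 bob WS-009 FS-01 failure
"""

# Constructed outbound transfer summary: "<timestamp> <host> <external_ip> <bytes>".
NET_LOG = """\
2016-07-01T02:40:00 HR-DB 203.0.113.77 1843200000
2016-07-01T09:05:00 WS-003 198.51.100.10 120000
"""

# Assumed baseline of external destinations the business is known to use.
BASELINE_DESTS = {"198.51.100.10"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_auth(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, user, src, dst, result = line.split()
        events.append({"ts": parse_ts(ts), "user": user, "src": src,
                       "dst": dst, "ok": result == "success"})
    return events


def find_lateral_movement(events, window=timedelta(minutes=15), min_hosts=3):
    """One account, from one source, successfully reaching min_hosts distinct
    targets inside `window`: the "moving around" stage, whatever tool did it."""
    by_actor = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_actor[(e["user"], e["src"])].append(e)
    findings = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "src": src,
                                 "start": first["ts"], "hosts": sorted(hosts)})
                break  # one finding per actor is enough for the hunt queue
    return findings


def find_exfil(text: str, baseline_dests, min_bytes=500_000_000):
    """Large outbound transfers to destinations outside the baseline:
    the "getting the data out" stage."""
    findings = []
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split()
        if dst not in baseline_dests and int(nbytes) >= min_bytes:
            findings.append({"ts": parse_ts(ts), "host": host,
                             "dst": dst, "bytes": int(nbytes)})
    return findings


def link_stages(lateral, exfil):
    """Tie each exfil event to the lateral-movement finding that touched the
    sending host before the transfer; this is what scopes the intrusion."""
    linked = []
    for x in exfil:
        for mv in lateral:
            if x["host"] in mv["hosts"] and x["ts"] >= mv["start"]:
                linked.append({"user": mv["user"], "entry": mv["src"],
                               "touched": mv["hosts"], "exfil_host": x["host"],
                               "exfil_dst": x["dst"], "bytes": x["bytes"]})
    return linked


if __name__ == "__main__":
    lateral = find_lateral_movement(parse_auth(AUTH_LOG))
    exfil = find_exfil(NET_LOG, BASELINE_DESTS)
    for hit in link_stages(lateral, exfil):
        print(hit)
```

Credential theft itself rarely leaves a clean log line, which is why the example starts at the stage after it. The join in link_stages is what turns two alerts into a scoped incident (an entry point, the set of touched hosts and the exfil path) rather than a list of indicators to chase.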

Connect the dots

Although malware changes rapidly, some components, such as communication protocols, do not change that much or that often, so focusing on such elements can be useful, says Myers, although it typically requires some reverse engineering and decryption.
Also, being able to connect the dots to find where and how attackers get into systems and networks is important in preventing attackers from coming back in the same way, he says.
In connecting the dots, it is sometimes the strangest things, such as a shutdown taking fractionally longer than usual, that can provide the vital tip-off, says Nanson. But he reiterates the importance of good processes, constant innovation around detection techniques, and constant monitoring of systems and analysis of security data, communications and connections.
"Hunters need to ask continually what is the thing they can't detect, and then work out how to detect that," he says. "Consequently we spend a lot of time testing and validating new methods of detecting compromise. How would I possibly identify file-less malware taking advantage of a zero-day vulnerability in Silverlight? That is an example of a typical question a hunter might ask. Being able to come up with and test a theory quickly and then refine and validate is really important for any cyber defence team because it gives you the chance to come up with a technique to detect."
While a growing number of organizations recognise the need to be more proactive in their approach to security, most lack the necessary human resources even to pursue hunting at the most rudimentary level, which in many cases may be all that is necessary, while in other cases, outsourcing the hunting function to suppliers with state-of-the-art capabilities would make more sense.
"Many firms would not need someone full-time to reverse-engineer malware, so it would be cheaper to outsource that," says Myers. "However, if most of the organizations we've been called into in the past year had been more proactively hunting, they would have easily halved their exposure time."

Grow your own hunters

For this reason, more companies are now seeking to have an in-house hunting capability, in some cases to have a specialist on board who can derive and apply insights from company investments in state-of-the-art technology, and in other cases to avoid future cyber attacks. In that capacity, organizations must be proactive to succeed, says Amit Yoran, president of RSA.
In the face of the global shortage of cyber security skills, Yoran is urging organizations to grow their own hunters by providing the right environment for the most creative IT security professionals to flourish, develop and hone their skills.
Hunters may not be the norm currently, but that is changing, and Yoran is one of the security industry figures encouraging the trend. "If you don't have hunters, grow them, or at least don't stand in their way. Let them evolve into the hunters you need," he said at the RSA Conference 2016 in San Francisco.
Yoran called on firms to focus their technology investments on supplementing and enhancing their security teams' native capabilities to make them smarter, more efficient and more scalable. He said they should invest in technologies that give comprehensive network visibility to enhance human creativity and problem-solving, and to create a culture that embraces the smart creative, the free thinker and the curious.
"Free your people to chase the why," he said. "Allow, train and equip your people to be hunters. Focus on empowering them with the tools that fuel their curiosity to find the answers they seek."
Doing things differently is at the core of hunters-for-hire business Raytheon Foreground Security, which also provides the opportunity for customers to grow their own in-house capability.
The demand for hunter-supported security operations centers is mainly from big government agencies and suppliers of critical infrastructure, says David Amsler, president and CIO at Raytheon Foreground Security. "The hunting concept was born out of frustration at the reactive, inefficient nature of standard security operations centers," he adds.
Before switching to a primarily hunting approach, 90% of Foreground analysts' time was spent chasing security systems' alerts, with only 18% of that time yielding positive results. This meant analysts could spend only 10% of their time independently looking for anomalies, says Amsler.

Analysts beat technology

The most telling finding of an independent study, he says, is that 100% of the critical threats and 88% of the high-risk threats were found by an analyst and not directly by security technology.
"That tells me the security industry is good at automating the detection of run-of-the-mill stuff, but there is no technology that finds the advanced threat actor," says Amsler.
As a result, he rejected the reactionary methodology driven
by signatures, rules and sandboxing that every managed security
service and security operations center was using.
Instead, he developed a hunting-led approach that is behavior and anomaly-driven and supported by machine learning and
technologies that provide full visibility of the IT environment.
Foreground set up a training school which offers 94 courses
to turn anyone into a qualified hunter within a year. It has also
developed its patented machine learning Automated Threat
Intelligence Platform to support hunters by talking to a range of
systems in an IT environment to provide complete visibility.

This switch in focus has boosted Foreground's efficiency, says Amsler. "Now 61% of the analysts' time results in finding the bad, up from 18%, and we've reduced our false positives from 73% down to the low 20s."
Although Amsler developed the hunter training school to keep Foreground well supplied with the skills it needs, its courses are now open to customers that want to train their own hunters. "But most companies struggle to find, attract and retain people with hunting capabilities, so we are finding success with a hybrid concept where companies have a core security team that understands the business and its processes, and have some basic hunting capabilities, but who work with our hunters as part of their team when required. No one will win the war on their own," he says.
RSA has a similar philosophy. Yoran cites a case where a hunter in RSA's incident response team trained an internal analyst from a customer, allowing him to shadow the RSA team's activities to ensure he understood the methodology and process of hunting.
"Over a few months, he became a master analyst, capable of hunting on his own, actively combating sophisticated threat actors interactively, denying them access to systems which would otherwise have remained owned for months or years," he told attendees of the RSA Conference 2016.
Amsler believes this is a model that can work for a large part of the market. He and Yoran may be right, as it offers a good compromise between having in-house hunters with state-of-the-art capabilities and relying on a completely outsourced managed security service or security operations center, while enabling companies to grow their own hunting capability.
