Ran$umBin: Disruptive Innovation for the Black Market

By Susan Richardson, Manager/Content Strategy, Code42

Sometimes the ingenuity of the free market is truly remarkable. And in the case of the new black market for ransomed data, remarkably scary. One of the latest triumphs of the entrepreneurial spirit is Ran$umBin, a sort of eBay for ransomers—or as Dark Reading described it, “a one-stop shop for monetizing ransomware.”

The ransomware middleman
Much as eBay acts as the middleman for sellers of all sizes, Ran$umBin popped up in early 2016 to act as a proxy for data ransomers. The site gives cyber thieves three options: Lock up the victim’s data and use the site as a payment proxy for the ransom; “dox” the victim, posting the stolen, sensitive information on the site to add extra urgency to the payment demands; or sell the stolen data to a third party and let them handle the extortion (or use the data in some other way). The site provides an easy bitcoin-based payment interface, and Ran$umBin takes a cut of every payment.

Making the ransomware business easier, lowering risk for veterans and newcomers 
Stealing or locking up data isn’t the tough part of the ransomware business (flawed systems and unreliable users make that way too easy). It’s the payment side—making direct contact with a victim and exchanging currency—that poses the highest risk. In eliminating this risk and handling the logistics of payment, Ran$umBin serves to streamline the business of ransomware.

Comparisons to eBay, Uber or Airbnb are apt—and alarming—in this context. These disruptive innovations made it easy for the little guy to go into business for himself, particularly by streamlining and reducing risk around payment. Sites like Ran$umBin effectively lower the barrier to entering the cybercrime business, making it easier than ever for anyone to make money in the ransomware game.

Ran$umBin: We’re just an honest business—with great customer service!
The creators of Ran$umBin tell a familiar story, claiming that they’re a neutral business that just provides an honest service for activity that’s going on anyway. Interestingly, they say they view their responsibility as serving and protecting the “safety” of their customers, meaning both the data thieves and their victims. This business mission takes shape in the strange regulations that supposedly govern the site. Ran$umBin claims they validate stolen data to make sure it’s not inaccurate, old or irrelevant, though they don’t explain how this vetting is accomplished. An even more bizarre claim of business ethics: Ran$umBin says they won’t let an individual victim be extorted more than 10 times. But nine times is perfectly reasonable. How noble.

A sign of things to come
Ran$umBin hasn’t seen much activity so far, but that’s no reason for comfort. This is just the free market’s first shot at a solution for enterprising data thieves. Think of how Facebook took the MySpace idea to a higher level. With ransomware increasingly becoming big business, new and better versions of sites like Ran$umBin are sure to pop up soon, fueling the overall ransomware market with bigger incentives, more organization and greater sophistication.

The simple antidote: Back up your data—don’t pay the ransom
The free market drives some pretty crazy innovation, but it also follows some pretty simple rules. Namely, if the money dries up, the market looks elsewhere. Fortunately, snuffing out the cash flow to data thieves couldn’t be easier: Back up your data. When ransomware hits, you’ll be certain your data is preserved. You’ll be certain the restore will be fast and comprehensive. You’ll be certain that you never have to pay the ransom.

EFSS Spreads Ransomware; Endpoint Backup Guarantees Recovery

By Kyle Hatlestad, Principal Architect, Code42

One of the objections I’m hearing more and more is, “Why do I need backup when I have Microsoft OneDrive for Business (or Google Drive, Box or Dropbox for Business)?” On the surface, it may seem like endpoint backup isn’t needed because with an enterprise file sync and share (EFSS) tool, a copy of the data is in the cloud. But if you dig a bit below the surface, you’ll find there are several distinct differences. We cover those in our Top 3 Iron-Clad Reasons Why File Sync/Share is Not Endpoint Backup, so I won’t go into them here.

Instead, I thought I would illustrate a situation in which it’s painfully obvious why it’s important to have modern endpoint backup. Every organization today is facing ransomware. No matter how sophisticated your defenses, ransomware invariably finds a way through.

For example, Jeff, a recruiter from the Human Resources team, is reviewing resumes to fill a new position. He receives an email with a link to download a resume in Microsoft Word. As part of his process, he downloads the resume to his OneDrive “Job Postings” folder which is shared with his HR co-workers. The document is automatically uploaded to OneDrive and synchronized to his co-workers’ devices.

Unfortunately, this is no ordinary resume. It contains crypto-ransomware. When Jeff opens the resume, the ransomware takes hold and begins encrypting the files on his local device as well as network shares. Because Jeff saves a lot of files in his OneDrive folder, as the ransomware encrypts those files, OneDrive then syncs them to the cloud. And for any shared/team folders he has, the encrypted files are synced to his co-workers as well as to any publicly shared files/links. And even though Jeff is supposed to save all of his files to OneDrive, he keeps a bunch on his desktop where he likes to work. He’s also got a big .PST email archive sitting on his device as well. All of those files are being encrypted by the ransomware to lock out access.

Because Jeff saved the file to a shared HR folder, the ransomware file now appears on his co-worker Julia’s laptop. Julia takes a peek at the resume and now the ransomware starts attacking her device.

At this point, Jeff tries to open one of his files and gets the dreaded ransom note. For just one bitcoin, he can get his data back. He contacts the help desk to let them know what happened and get help. OneDrive keeps previous versions, so no problem, right? Help desk then informs Jeff that he can get his earlier file versions, but he has to do it file-by-file! And for those files that were saved outside of OneDrive, he’s out of luck. Next up is Julia who calls up help desk and is in the same boat as Jeff. Not only did EFSS not help with recovery, it actually spread ransomware!

Well, that’s when it becomes clear that EFSS is not a true backup solution. EFSS leaves it up to the user to pick the right spot to save his data. And when it comes time to remediate from an event like ransomware, EFSS is not equipped to handle large restores. Even EFSS vendors themselves recommend having a true backup of the data to recover from an event like ransomware.

Hopefully this real-world scenario makes it easier to distinguish between file sync & share and modern endpoint backup—and to see the advantages of true endpoint backup when recovering from ransomware.

Eight Questions to Ask When Evaluating a CASB

By Rich Campagna, Vice President/Products & Marketing, Bitglass

Cloud Access Security Brokers are the hottest technology in enterprise security right now, topping Gartner’s Top 10 list two years running. Widespread adoption of major cloud apps like Office 365 (and corresponding cloud security concerns) are accelerating CASB adoption in every major industry, from financial services to healthcare.

If you’re like most enterprises, you’ve already decided that a CASB can help you meet your security & compliance goals when moving to the cloud. The next step is to figure out how to evaluate a CASB. There are 8 key questions you should be asking when evaluating a CASB. Drumroll please…

1. How does the CASB differ from security built into my cloud apps?
Each cloud app vendor makes their own decisions on what types of security functions to build into their application. One app may include encryption for data-at-rest, but not transaction logging. Another app might offer the opposite. Ensure that the CASB vendor is offering value above and beyond what is built into your applications. And don’t shortchange the value of a single policy enforced across cloud applications or inter-cloud user behavior analytics.

2. Does the CASB protect cloud data end-to-end?
Cloud data doesn’t only exist in the cloud – as soon as you deploy, your end users will arrive with an arsenal of devices and start syncing or downloading data. Very quickly, your cloud security problem becomes a mobile data protection problem. Ensure that your CASB is able to protect not only data-at-rest in the cloud, but data downloaded to devices (both managed and unmanaged – see #3 below).

3. Can the CASB control access from managed and unmanaged devices?
A user logging in from an unmanaged device represents more risk than the same user logging in from a fully patched and protected laptop running an approved corporate image. Whether we like it or not, most organizations need to extend at least some access to the unmanaged device. Make sure your CASB can control access from managed as well as unmanaged devices – and note that for unmanaged devices you’re not likely to be able to install agents or reconfigure them.

4. Does the CASB provide real-time visibility and control?
If data leaks for 30 minutes, is it still data leakage? Absolutely. While there are some CASBs that operate entirely via API integration into major cloud apps, API-only approaches are subject to notification delays in the APIs, which may mean minutes, even hours, of data leakage before something like an external share can be revoked. Only a hybrid approach, which leverages both APIs and proxies, ensures total data protection.

5. Can the CASB encrypt uploaded data?
Many organizations will decide that encryption is the best way for them to safely adopt cloud apps. If this is even a consideration for your company, make sure that you’re covered, as many CASBs do not offer encryption functions. Also beware that it is common for CASB vendors to weaken encryption in order to preserve application operations like search and sort.

6. Does the CASB protect against unauthorized access?
Visibility into suspicious activities is helpful, but is usually too little too late. You want proactive protection against unauthorized access, something only a CASB with integrated identity management can offer. So for that often cited example of “detecting” a user logging in from two locations simultaneously, wouldn’t it be better if the CASB could force a step-up to multifactor authentication on both devices as soon as the rogue session is attempted?

7. Can the CASB help me detect risky network traffic, such as shadow IT or malware?
Understanding the unsanctioned apps in use by your employees is helpful, but what if that isn’t the riskiest traffic leaving your corporate network? Leading CASBs have moved beyond simple shadow IT discovery to rank and prioritize the riskiest traffic on your corporate network – whether that is shadow IT, malware, anonymizers, etc.

8. Will the solution introduce scale or performance issues?
Look to CASBs that have deployed on a global, high performance infrastructure. Appropriately architected and deployed, a CASB can actually have a CDN-like effect on your cloud applications, increasing performance versus going direct to the app!

CASBs are the most effective way to ensure a secure, compliant cloud deployment. By asking these 8 questions, you can ensure that you select the right vendor for your organization. Learn more about CASBs here.

Cybersecurity: “Change or Die”

By Paul B. Kurtz, CEO TruSTAR Technology and Member of Board of Directors, Cloud Security Alliance

“Change or die” is an old phrase computer programmers use to highlight the speed of change in a world of innovation. Its implications go beyond programming and underscore the precarious situation we find ourselves in today. The Washington Post’s Sept. 5 article on U.S. intelligence agencies’ investigation of a “broad covert Russian operation in the United States to sow public distrust in the upcoming presidential election and in U.S. political institutions” through cyber attacks is disturbing but should not be surprising. Russia, China, Iran, North Korea and non-state adversaries understand our dependence on cyber systems as an Achilles’ heel of our economic and national security. What is more disturbing is the Federal government’s inability to help. The private sector must now rapidly expand its capabilities to work together to secure cyberspace. The Cloud Security Alliance is taking the lead.

Joshua Cooper Ramo in his book “The Seventh Sense” helps us better understand our traditional national security structure and how our levers of power and current strategy are of limited value in the networked world. Ramo states, “And while we know that effective foreign policy or politics or economics can’t be improvised, the speed of networks now outstrips the velocity of our decisions…” In cyberspace this means sanctions and indictments are necessary, but they take too long to apply to prevent the propagation of attacks. A military response to attacks leaves us waiting and wondering what, if anything will happen. Even if force is used, we can expect a very high threshold before action is initiated.

Russia’s alleged activities are particularly worrisome as they involve corruption or manipulation of systems and information. Typically we think of breaches, disruption, theft, but we do not think about how information can be surreptitiously corrupted or manipulated. Yes, the Cold War brought us disinformation, but not at Internet speed. Ramo states,

“Even though the connected age lets people around the world see crises and measure problems with unprecedented precision, our leaders can do almost nothing about them.”

The connected age brings good but also allows for mischief that traditional democratic institutions are ill suited to handle. Recall the New York Times Magazine’s June 2015 report on “The Agency,” which operates inside a nondescript building in St. Petersburg, Russia, with “an army of well-paid trolls” focused on causing havoc, including in the United States. Ramo continues,

“Many new challenges exhibit a worrying nonlinearity. Small forces produce massive effects. One radical teenager, a single misplaced commodity order, or a few bad lines of computer code can paralyze an entire system. The scale of whiplashing grows every day, because as the network itself grows it turns pin-drop noises into global avalanches.”

As government flails, companies continue to independently defend themselves, spending more money on software, hardware and personnel. Adversaries remain steps ahead, developing and sharing tools to defeat firewalls, anti-virus systems, authentication, and behavior-based detection systems. The costs of defending against attacks are going up, while at the same time the costs of conducting attacks are going down, according to recent reporting (See Graphic A).


Graphic A

With the ongoing investigation of Russia, we must assume that their intent extends beyond seeking to influence or unsettle our democratic institutions. We must also assume they are not the only adversary recognizing our acute vulnerabilities. There are other ways corruption or manipulation of data could cause uncertainty and panic. For example, witness the recent press in Bloomberg Businessweek over MedSec’s partnership with Muddy Waters to short sell St Jude Medical’s stock over a possible pacemaker vulnerability. It is unclear whether there really is an exploitable vulnerability, and yet the stock has traded down.

All of these signs seem to be screaming, “we must change.” Change must be driven by the private sector as the traditional levers for government to protect us are limited and do not work in the networked age. The first step is beginning to work together — rather than independently — to defend ourselves. This is not a call for the private sector to take up cyber arms and attack others. Such a strategy is fraught with legal and technical challenges. Rather, this is a call for connective defense. A recent study showed that 39 percent of attacks could be thwarted through collaboration between companies. (See Graphic B.) The challenge for companies to date has been balancing market and reputation risks with a return on investment in exchanging incident data. The Cybersecurity Act of 2015 addressed legal challenges, but security and ROI on collaboration have remained elusive.


Graphic B

We can use the power of networking and technology to turn the tables and begin to stabilize cyberspace. The technology exists to exchange incident data securely between vetted parties. Anonymity and redaction allow vetted companies to exchange incident data without market risk or exposing personally identifiable information. This data is correlated providing immediate insight to users. Attack trends and exploits are tracked, and users can securely collaborate with each other. Indicators of compromise and supportive context can be downloaded from the platform by vetted members to help defend systems before an attack. In the wake of an attack, a company can enrich what they know about an incident and quickly understand whether others have experienced similar events and if mitigative measures are available. Incident exchange and collaboration are affordable and scalable.

Several companies have quietly started exchanging data already, including members of the Cloud Security Alliance that are using TruSTAR as the technology backbone of their exchange. As the private sector begins to collaborate, new avenues of protecting ourselves from adversaries will become clear, and the costs to adversaries will increase as risks of contagion are reduced. We can turn the tables, but we have to accept real change.


WSJ Warns of Ransomware—Misses the Obvious Solution

By Susan Richardson, Manager/Content Strategy, Code42

Read through the recent Wall Street Journal ransomware article and you’ll find some great stats on the growing threat and cost. One thing you won’t find: the word “backup.” We’re happy to see ransomware finally getting the attention it deserves, but why discuss the problem and leave out the obvious, simple antidote? It’s like an article on a bike theft epidemic that fails to mention that none of the bikes were locked up.

Focusing on payment: a dangerous way to frame the issue
The WSJ article backs up stats on the increasing threat with stories of both people and businesses victimized by ransomware. But these case studies use quotes like “he had no choice” and “this is a worthwhile bet” to frame paying the ransom as the unfortunate, inevitable, and ultimately, most responsible option, which couldn’t be further from the truth. When payment results in the return of stolen data, the WSJ concludes the “investment paid off”—confirming that extortion promises dividends.

Paying the ransom is the fool’s bet
The problem with paying the anonymous extortionist? Look at the major ransomware attack on Hollywood Presbyterian Medical Center in Los Angeles earlier this year. The hospital paid the ransomers’ initial demand of $9,000, but they didn’t get their data back. Instead, the perp demanded an additional $8,000 the very next day.

Why would you bet on criminals staying true to their word? It’s foolish to expect honor and decency among thieves.

Stockpiling bitcoin = playing into the ransomer hand
The closest the article comes to the idea of “being prepared” is highlighting the alarming trend of businesses stockpiling bitcoin so they can quickly pay when ransomware inevitably strikes. A recent U.K. survey found that one in three companies have bitcoin reserves in case of ransomware. But more telling, half of these companies don’t even have daily data backup.

Again, it’s like hanging a sign on your bike that says, “REWARD for bike’s return,” instead of just getting a bike lock.

Endpoint backup is the only bet worth taking
Ransomware can make for a sensational narrative, but the real story is actually much simpler. Unlike most other infosecurity threats, ransomware has an easy antidote: endpoint backup. With the automatic, continuous and near-real-time backup of all endpoint data, your headline is “We Laugh at Ransomware.” You start clean, stream all your data back, minimize the downtime, and get back to work with no bitcoin drama.

So, in case the WSJ is listening, here’s how the story should have gone: Ransomware is increasing. The costs can be huge. The only investment that pays off—the only bet worth taking—is modern endpoint backup. Back up your data. Never pay the ransom. The end.

Dealing with Dropbox: Unmasking Hackers with User Behavior Analytics

By Ganesh Kirti, Founder and CTO, Palerra

Dropbox was in the news a few months ago due to false reports of a data breach. Unfortunately, they’ve made headlines again. Vice reported that hackers stole over 60 million account details for the cloud storage service. This time, the breach is real, and a senior Dropbox employee confirmed the legitimacy of a sub-set of stolen passwords.

Many people keep sensitive documents in cloud storage services like Dropbox, Box, GoogleDrive, and OneDrive, and the latest breach shows that hackers are focusing on online storage cloud services more frequently. This opens the door to huge vulnerabilities if employees are storing sensitive enterprise information in the cloud. From a preventative perspective, security personnel should review their security measures for the following:

  1. Require multi-factor authentication to access the application
  2. Enforce password strength and complexity requirements
  3. Require and enforce frequent password resets for employees

But manual processes and policies are not enough. At minimum, enterprises should look at automating the enforcement of these policies. For example, you may require multi-factor authentication, but how do you ensure that it’s required at all times? A cloud access security broker (CASB) continuously monitors configurations to alert security personnel when changes are made, and automatically creates incident tickets to revert security configurations back to the default setting.

How can enterprises prevent further damage if their employees’ credentials were compromised in this hack? We recommend utilizing user behavior analytics (UBA) to look for anomalous activity in an account. UBA uses advanced machine learning techniques to create a baseline for normal behavior for each user. If a hacker is accessing an employee’s account using stolen credentials, UBA will flag a number of indicators that this access deviates from the normal behavior of a legitimate user.

Palerra LORIC is a cloud access security broker (CASB) that supports cloud storage services that are similar to Dropbox, including Box, GoogleDrive, and OneDrive. Here are a few indicators LORIC can use to unmask a potential hacker with stolen credentials in Box:

  1. Flag a login from an unusual IP address or geographic location
  2. Detect a spike in number of file downloads compared to normal user activity
  3. Detect logins outside of normal access hours for the user
  4. Detect anomalous file sharing or file previewing activities
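The four indicators above amount to a per-user baseline plus deviation checks. The following is an added example, not Palerra or LORIC code, that builds such a baseline from constructed cloud-storage audit events and scores later events against it; the event tuple shape, the sample IPs and users, and the use of the source /24 network as a crude stand-in for the geo/IP lookup a CASB would perform are all assumptions made for the illustration.

```python
"""Toy user-behavior baseline and anomaly scoring over cloud-storage audit events."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed events in the shape (user, ISO timestamp, event type, source IP, detail).
# These are made-up sample values, not real Box or Dropbox log data.
BASELINE_EVENTS = [
    ("jeff", "2016-09-01T09:05:00", "login", "203.0.113.10", ""),
    ("jeff", "2016-09-01T09:10:00", "download", "203.0.113.10", "q3_report.docx"),
    ("jeff", "2016-09-01T14:30:00", "download", "203.0.113.10", "resume_a.docx"),
    ("jeff", "2016-09-01T15:00:00", "share", "203.0.113.10", "julia@example.com"),
    ("jeff", "2016-09-02T08:55:00", "login", "203.0.113.12", ""),
    ("jeff", "2016-09-02T10:00:00", "download", "203.0.113.12", "resume_b.docx"),
    ("jeff", "2016-09-02T11:00:00", "download", "203.0.113.12", "resume_c.docx"),
    ("jeff", "2016-09-03T09:20:00", "login", "203.0.113.10", ""),
    ("jeff", "2016-09-03T16:45:00", "download", "203.0.113.10", "offer_letter.docx"),
]

# Constructed events after a credential theft: a login from a new network, at night,
# followed by a download burst and a share to a domain the user never shared with before.
SUSPECT_EVENTS = [
    ("jeff", "2016-09-04T02:10:00", "login", "198.51.100.77", ""),
    ("jeff", "2016-09-04T02:12:00", "download", "198.51.100.77", "payroll.xlsx"),
    ("jeff", "2016-09-04T02:13:00", "download", "198.51.100.77", "ssn_list.csv"),
    ("jeff", "2016-09-04T02:14:00", "download", "198.51.100.77", "resume_a.docx"),
    ("jeff", "2016-09-04T02:15:00", "download", "198.51.100.77", "resume_b.docx"),
    ("jeff", "2016-09-04T02:16:00", "download", "198.51.100.77", "resume_c.docx"),
    ("jeff", "2016-09-04T02:20:00", "share", "198.51.100.77", "dropzone@example.net"),
]


def source_network(ip):
    """Collapse a source IP to its /24; assumed stand-in for a geo/ASN lookup."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per user: networks and login hours seen, downloads per day, share recipient domains."""
    baseline = defaultdict(lambda: {
        "networks": set(), "hours": set(),
        "daily_downloads": defaultdict(int), "recipient_domains": set(),
    })
    for user, ts, kind, ip, detail in events:
        b, when = baseline[user], datetime.fromisoformat(ts)
        if kind == "login":
            b["networks"].add(source_network(ip))
            b["hours"].add(when.hour)
        elif kind == "download":
            b["daily_downloads"][when.date()] += 1
        elif kind == "share":
            b["recipient_domains"].add(detail.split("@")[-1].lower())
    return baseline


def score_events(events, baseline):
    """Return (user, indicator, evidence) for each event that deviates from the baseline."""
    findings, downloads_today, spike_flagged = [], defaultdict(int), set()
    for user, ts, kind, ip, detail in events:
        b = baseline.get(user)
        if b is None:  # no history at all: cannot baseline, surface it
            findings.append((user, "unknown_user", ts))
            continue
        when = datetime.fromisoformat(ts)
        if kind == "login":
            net = source_network(ip)
            if net not in b["networks"]:
                findings.append((user, "unusual_network", net))
            if when.hour not in b["hours"]:
                findings.append((user, "off_hours_login", f"{when.hour:02d}:00"))
        elif kind == "download":
            key = (user, when.date())
            downloads_today[key] += 1
            peak = max(b["daily_downloads"].values(), default=0)
            # Fire once per day, when the count exceeds twice the user's historical daily peak.
            if downloads_today[key] > 2 * peak and key not in spike_flagged:
                spike_flagged.add(key)
                findings.append((user, "download_spike",
                                 f"{downloads_today[key]} downloads on {when.date()} (baseline peak {peak})"))
        elif kind == "share":
            domain = detail.split("@")[-1].lower()
            if domain not in b["recipient_domains"]:
                findings.append((user, "unusual_share_recipient", domain))
    return findings


def run_demo():
    """Score the post-theft events against the baseline built from normal activity."""
    return score_events(SUSPECT_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for user, indicator, evidence in run_demo():
        print(f"{user}: {indicator} ({evidence})")
```

Scoring the baseline events against themselves yields no findings, which is the sanity check to run before trusting any threshold on real data.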

The ability to gauge legitimate access and activities becomes even more important when you consider that many people use the same password for multiple applications. This is highly useful for the recent Dropbox breach. Instead of just protecting Dropbox, UBA helps the enterprise protect any cloud environment that could be accessed using the stolen Dropbox passwords.

If you’re concerned that hackers may access your cloud storage environment using stolen employee credentials, you must take preventative and remedial action. Adding a cloud security automation tool prevents a breach by enforcing password best practices, and prevents additional damage after a breach by unmasking hackers posing as legitimate users by flagging anomalous activity.


Five IT Security Projects That Will Accelerate Your Career

By Cameron Coles, Director of Product Marketing, Skyhigh Networks


The skills required to be successful in IT security are changing. In a recent survey (download a free copy here), 30.7% of IT leaders reported that a lack of skilled IT professionals is the greatest barrier to preventing data loss. Respondents also listed incident response management, expertise analyzing large datasets, communication with non-IT executives and departments, and security certifications as skills they expect to be more important in the next five years. But it’s not enough to invest in your skills; you also need visible projects to demonstrate your value within the organization. This article covers five such projects.

But before we dive into the list of projects, let’s first frame what’s important – for executives that means what delivers the most value to the business. Today, there is greater visibility for IT security with non-IT executives and the board of directors. The reason is simple: security breaches cost the company money and can result in the CEO losing his job. Executives and the board are understandably concerned about what appears to be an increasing number of high-profile breaches, which can ignite a wave of class action lawsuits from consumers and shareholders. These breaches also attract unwanted attention from government regulators.

According to IT leaders, IT security is now an executive-level and board-level concern at 61% of companies. As boards take a more hands-on approach in overseeing security, they are primarily interested in understanding the company’s security strategy, policy, and budget; security leadership; incident response plan; ongoing performance metrics; and employee education program. By leading projects that executives and the board are interested in, you’ll gain greater exposure for yourself. When you can execute well, it reflects positively on the entire IT security department from you all the way up to the CISO.

Once you execute a project well and deliver measurable results, you’ll be able to socialize the project internally. You can also identify opportunities to educate other IT professionals about how you approached the project at conferences and perhaps even in the news media.

Here are five IT projects to accelerate your career:

1. Use Real-Time Coaching to Improve Security Awareness
When CIA Director Michael Brennan’s email account was hacked, it wasn’t the result of a sophisticated cyber attack using multiple zero days. It was closer to “advanced, persistent asking nicely what his password is.” According to Verizon’s 2015 Data Breach Investigations Report, phishing accounts for 95% of attacks attributed to state-sponsored actors. The report also found that 23% of recipients open phishing emails and 11% click on attachments. Clearly, traditional security awareness training programs have not reached all employees.

While companies can do more to prevent phishing by using email payload inspection, a DNS sinkhole for new domains for 48 hours, and enforcing inbound filtering, making users more aware of cyber threats is still one of the most effective ways to prevent these incidents. In addition to traditional security awareness training, conducting simulated phishing attacks and coaching users who clicked on links in mock phishing emails has been shown to double retention of security-related concepts with end users and reduce vulnerability to phishing.


2. Proactively Enable (Not Block) Cloud Usage
IT security has a reputation within many organizations as the department of “no”. As users discover that there are thousands of free or low-cost apps that can help them do their jobs better, IT security has recognized that not all of these applications are fit for enterprise data. In response, they have attempted to block as many cloud services as possible. But with over 20,000 cloud services, they often end up blocking well known apps, which forces users to find lesser known and much riskier apps in the same category.

Mike Bartholomy, senior manager for information security at Western Union, has taken a different approach. Under his leadership, Western Union’s IT security team monitors cloud usage and uses a rating process similar to a credit score to assess the security controls of each cloud service. Simultaneously, the company is proactively enabling cloud services within cloud service categories that are growing in popularity – such as Box for file sharing and collaboration. By proactively enabling cloud services and securing their use, IT security has become an enabler of the tools that drive innovation and growth in the business.


3. Complete Your Incident Response Plan
By the time a data breach occurs, it’s too late to formulate an effective incident response. While 82.2% of companies have an incident response plan, fewer than half of these companies have a complete plan that covers security remediation, legal, public relations, and customer support. Companies are even less likely to have cyber insurance, which can recover a significant portion of the costs of a breach. For example, following a credit card breach in 2013, Target’s insurance covered $90 million of the $264 million cost of the breach.

In addition to implementing a plan to respond to a breach, IT security can also deploy a process to proactively detect breaches. In the case of Target, if the company had been able to effectively detect and stop the breach on the day it began, the impact of the breach would have been much smaller. In the end, it took Target almost two weeks to identify and stop the breach, allowing attackers time to pilfer 40 million customer card numbers. Incident detection software such as SIEM, IDS/IPS, and user and entity behavior analytics (UEBA) can help identify incidents in their earlier stages so IT security teams can respond.


4. Create a Cross-Functional Governance Committee
Today, 21% of companies have a cross-functional committee responsible for setting and enforcing governance policies. These committees generally include representatives from IT and IT security, but they also tend to include legal, compliance/risk, audit, and the line of business. It’s especially important to include the line of business since end users are the primary consumers of technology within the organization. When end users don’t feel their needs are being met, they often go around IT and find their own solutions, resulting in shadow IT.

As part of running a governance committee, you’ll likely find yourself doing something you may not have done very often before: presenting to your organization’s executives and board of directors. They are interested in the policies in place, as well as metrics that track adherence to these policies. It is important to track key metrics before, during, and after taking action to enforce new corporate policies in order to demonstrate the impact of your work organizing a governance committee and enforcing policies.


5. Drive a Data-Centric Security Initiative
In an earlier era, IT security was focused on securing the network perimeter. Now that an increasing volume of corporate data is stored in the cloud, security needs to adjust to a world that no longer has a defined perimeter. There are a number of technologies designed to protect data in this new world including cloud access security brokers (CASB) and information rights management (IRM). What they have in common is that they secure applications and data in the cloud and on unmanaged mobile devices, rather than focusing on the network edge.

In Gartner’s 2016 list of the Top 10 Technologies for Information Security, the analyst firm ranked CASB as the number one technology of the year. CASB takes many existing security capabilities – including encryption, data loss prevention, access control, threat detection – and applies them to corporate data in cloud services. Like endpoint security and network security before it, cloud security is poised to grow into a strategically important function for every organization as they experience greater cloud adoption.


Improving your skills and getting additional certifications are important steps in improving your value to your organization (and your career prospects). Once you have these in place, pursuing high-visibility projects – ones that get the attention not only of IT security peers but also non-IT executives – and executing on them well can help you accelerate your career within your company. They also provide ways to build your brand because you now have something meaningful to speak on to a group of attendees at a conference or even to a reporter.


CASBs in Healthcare

By Rich Campagna, Vice President/Products & Marketing, Bitglass

Initially a laggard in cloud adoption, the healthcare industry is now adopting public cloud applications en masse, with adoption of cloud-based productivity apps like Office 365 and Google Apps. Adoption is up from 8% in 2014 to over 36% in 2015, with no signs of slowing down! This rapid change hasn’t come without plenty of healthcare CISOs losing sleep – not only does Protected Health Information (PHI), an ever more attractive target for hackers, need to be protected, but the accessibility of the public cloud makes even inadvertent data leakage as easy as clicking the “share” button. Pair all of this with the fact that over 90% of healthcare professionals use BYOD and you have a serious disease without a cure.

Or is there? Increasingly, healthcare organizations are turning to Cloud Access Security Brokers (CASBs) to get a handle on public cloud security & compliance challenges. The four CASB functions employed most often are (1) unmanaged device access control, (2) external sharing controls, (3) visibility and (4) identity controls.

  1. Unmanaged device access control – with on-premises applications, it’s relatively easy to restrict access to managed devices only. Since the public cloud is available from anywhere, restricting access to only certain devices becomes much more difficult. That aside, most organizations realize that they no longer have a choice but to support BYOD; the question is on what terms. It’s difficult to manage employee devices with tools like MDM, and on the healthcare provider side, where 30-40% of users are not employees but independent clinicians, it may not be possible at all.
    A CASB can help solve this problem by providing controlled access from unmanaged devices. One Fortune 50 healthcare organization uses Bitglass to provide full access from managed devices and restricted access from unmanaged devices. When a user attempts to access a protected application, Bitglass Device Profiler determines whether the device is managed or unmanaged. For unmanaged devices, the configured policy allows restricted web and ActiveSync access, but this organization has chosen to block access from file sharing clients like OneDrive.
    The rationale is that they don’t want large quantities of PHI and other sensitive data synchronized to unmanaged devices, but they are okay with web and ActiveSync access with DLP applied to control the flow of PHI to the device. For example, they scan files being downloaded with Citadel DLP, and any file with a large number of instances of PHI is either blocked or encrypted on download.
  2. External sharing controls – File share and sync apps can be a great productivity boon, and if you’re a Google Apps or Microsoft Office 365 customer, chances are you have tons of “free” storage “included” in your enterprise license. That said, fear of the share button holds many back from using these applications. A CASB can allow you to scan data-at-rest in these applications, looking for sensitive data like PHI. From there, a number of response actions are possible including quarantine for investigation, share removal and encryption. This gives you the ability to allow your employees to share data, but without the risk of data leakage.
  3. Identity – Leading CASBs have integrated identity and access management functionality directly into the platform. In addition to saving you the hassle and expense of dealing with yet another vendor, integrated identity can provide value-added functionality such as step-up authentication when suspicious activity is detected. Since phishing and credential compromise were the main attack vector in high-profile breaches like Premera and Anthem, the ability to thwart this activity can be worth millions.
    For example, let’s say that a user logs into Office 365 from the East Coast of the United States. Five minutes later, someone logs into Salesforce with that user’s credentials from somewhere in Eastern Europe, or from an IP that is known as a Tor exit node. A CASB can not only detect this suspicious activity across these disparate cloud apps, but it can take action – forcing, for example, multifactor authentication on both devices mid-session.
  4. Visibility – With HIPAA compliance requirements, detailed, audit-level logging is a must-have for healthcare organizations. CASBs provide this, along with a much larger set of visibility functions that can deliver great value to the organization. From activity dashboards to alerts and user behavior analytics, a CASB is your one-stop shop for suspicious activity detection, compliance verification, and more.
    For example, if a user’s personal mobile device is lost or stolen, it’s a couple of clicks in the CASB dashboard to identify exactly which files (and whether or not those files contain PHI) are resident on the device in question. As a bonus, if you’ve been smart enough to choose Bitglass as your CASB, you can selectively wipe that data off of the stolen device, even if you’ve never installed any agents or software to manage the device.
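As an added illustration of the unmanaged-device policy and download DLP described in items 1 and 2 (example code written for this page, not Bitglass or Citadel code; the PHI patterns, the threshold of five matches, and the client names are constructed assumptions), this Python evaluates one access request and one file download:

```python
import re

# Constructed PHI detectors for the example: a US SSN shape and a
# hypothetical "MRN" + 8 digits medical record number. Real DLP uses
# richer identifiers (names, dates of birth, ICD codes) and validation.
PHI_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"\bMRN\d{8}\b")]
PHI_THRESHOLD = 5                              # assumed: "a large number of instances"
SYNC_CLIENTS = {"onedrive", "google_drive"}    # desktop sync clients, blocked on BYOD
DLP_CLIENTS = {"web", "activesync"}            # allowed on BYOD, with download scanning

def count_phi(text):
    """Number of PHI matches in a file body (all patterns summed)."""
    return sum(len(p.findall(text)) for p in PHI_PATTERNS)

def access_decision(managed, client):
    """Per-request policy: full access for managed devices, restricted for BYOD."""
    if managed:
        return "allow"
    if client in SYNC_CLIENTS:
        return "block"            # no bulk sync of PHI to unmanaged devices
    if client in DLP_CLIENTS:
        return "allow_with_dlp"   # proceed, but scan each download
    return "block"                # default deny for unrecognised clients

def download_decision(managed, client, content, encrypt_on_hit=True):
    """Policy applied to a single file download under access_decision()."""
    verdict = access_decision(managed, client)
    if verdict != "allow_with_dlp":
        return verdict
    if count_phi(content) >= PHI_THRESHOLD:
        return "encrypt" if encrypt_on_hit else "block"
    return "allow"

# Constructed sample file: a four-row roster, each row with an MRN and an SSN.
SAMPLE_ROSTER = "\n".join(f"MRN0000{i:04d},123-45-{6700 + i:04d}" for i in range(4))
```

An unmanaged web download of SAMPLE_ROSTER contains eight PHI matches and is therefore encrypted (or blocked, depending on the configured response), while the same roster fetched from a managed device passes through untouched.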
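The cross-app correlation in item 3, as an added example rather than Bitglass code: login events from Office 365 and Salesforce are correlated per user, flagging impossible travel and known Tor exit IPs and proposing step-up MFA on both sessions. The events, coordinates, Tor list and 1,000 km/h threshold are constructed; a real deployment would resolve IP to location with a geo-IP database and pull a live exit-node feed.

```python
import math
from datetime import datetime

# Constructed login events from two separate SaaS apps (not real logs).
EVENTS = [
    {"user": "alice", "app": "Office 365", "ts": "2016-05-10T14:00:00Z",
     "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},   # New York
    {"user": "alice", "app": "Salesforce", "ts": "2016-05-10T14:05:00Z",
     "ip": "198.51.100.7", "lat": 50.45, "lon": 30.52},    # Kyiv
    {"user": "bob", "app": "Office 365", "ts": "2016-05-10T14:00:00Z",
     "ip": "203.0.113.11", "lat": 40.71, "lon": -74.01},   # New York
    {"user": "bob", "app": "Salesforce", "ts": "2016-05-10T16:00:00Z",
     "ip": "203.0.113.12", "lat": 38.90, "lon": -77.04},   # Washington DC
]
TOR_EXITS = {"198.51.100.7"}   # placeholder for a Tor exit-node feed
MAX_SPEED_KMH = 1000.0         # faster than airline travel => impossible
MIN_DISTANCE_KM = 50.0         # ignore geo-IP jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious(events, tor_exits=TOR_EXITS, max_speed_kmh=MAX_SPEED_KMH):
    """Correlate logins per user across apps; return alerts with a response action."""
    alerts, last = [], {}
    for e in sorted(events, key=_ts):
        if e["ip"] in tor_exits:
            alerts.append({"user": e["user"], "reason": "tor_exit",
                           "apps": [e["app"]], "action": "step_up_mfa"})
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (_ts(e) - _ts(prev)).total_seconds() / 3600
            # zero elapsed time over a real distance is impossible too
            if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append({"user": e["user"], "reason": "impossible_travel",
                               "apps": [prev["app"], e["app"]],   # both sessions
                               "action": "step_up_mfa"})
        last[e["user"]] = e
    return alerts
```

Bob's New York to Washington hop two hours later stays under the threshold and raises nothing; Alice's Kyiv login five minutes after New York raises both a Tor and an impossible-travel alert spanning the two apps.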

These functions and more are enabling leading healthcare providers to rapidly adopt the public cloud. Learn more about Bitglass’ solutions for healthcare organizations here. Or better yet, reach out to us for a free demo of the Bitglass solution.

Déjà Vu: Moving to the Cloud Means Losing Visibility and Control All Over Again

By Todd Beebe, Guest Writer, Intel Security 

If you have been in IT security as long as I have, when it comes to moving to cloud, you are feeling a certain sense of déjà vu. We have been here before, this place of uncertainty, where we lack visibility into and control over our sensitive data.

Think back to the first wave of the digital revolution in the early to mid-‘90s, when our organizations were just connecting to the Internet and every user in the company now had Internet access. At first, we had little or no visibility into what was coming into or out of our network. We put in basic firewalls to give us granular access control and activity logging, and we now had a secure perimeter that allowed us to see and control that new traffic. Of course, every few years a new set of holes was created in that perimeter – our first websites, business-to-business email, dial-up, wireless access, etc. In each case we had to deploy new security solutions to re-secure our network perimeter.

Today’s move to the cloud feels so similar to how I felt back then. This time the organization wants cloud-based applications, delivered as a service, and the lines of business are connecting their systems to the cloud without us knowing. All that visibility and control we had established just flew out the window. We know with this newest wave in IT innovation that our teams need to approach it with the same goal as before – visibility and control. This time, however, the perimeter isn’t around our network, it’s around our sensitive data – no matter where it resides.

I’ve found it helps to remember that the main tenets of cybersecurity haven’t changed. It’s all about critical data, the credentials that have privilege to access that data, and the applications and processes that run on the systems – wherever those credentials are used or wherever that sensitive data resides. Treat your sensitive data in the cloud just like you would when storing your valuables at a bank. When in the bank, your valuables are secured in their own safety deposit box, just like encryption at rest. While transported to and from the bank, your valuables ride in an armored vehicle, just like encryption in motion. And when they are being accessed, you need your photo ID and your key, just like multifactor authentication. At each step, access is being recorded by cameras and sign-in sheets, just like activity logs.

So the main tenets that haven’t changed are:

  1. Critical data – What sensitive data is monetizable? What is valuable intelligence that can be used by a competitor or nation state, and what would an attacker target for sabotage? Think like an attacker. Now, where is the data and what controls does the business require for it – encryption at rest, encryption in motion, or multifactor authentication?
  2. Credentials – Who should have access to your critical data and when are those credentials being used to access, modify, delete, or copy that sensitive data? Have those credentials been compromised?
  3. Processes – Know which applications and processes are authorized to run on the systems containing your sensitive data.

What has changed, however, is now you need to partner with your cloud service provider (CSP) and your security vendors to ensure visibility into and control over your sensitive data in the cloud. Be sure to ask these questions:

  1. Ask your CSP about its data practices to ensure your data isn’t being sent or stored outside of your control. Ensure your cloud provider offers encryption for data at rest (including backups) and for data in motion. Remember, disk-based encryption is not the same as file-based encryption. Inquire about how the CSP will support your corporate data retention policies. Most important, validate that adequate logging of all access to sensitive data occurs. And with any cloud service, make sure your data isn’t shared with other entities.
  2. Ensure that your CSP offers two-factor authentication to access its services and your sensitive data. Hackers are going to go after your servers first and then your credentials. Any compromise to your cloud service credentials can be devastating to your data security program. Inquire about what level of detailed logging for credential use is available. This is extremely important.
  3. Secure your cloud services with solutions that provide both visibility and protection over cloud applications such as Intel Security Public Cloud Security Suite. You should know and be able to control which applications and processes are running on the systems that store, process, or access your sensitive data. Security for the cloud should come from the cloud and work natively in Azure and AWS.
  4. Ideally the CSP you select fully supports giving your security team both visibility (access to the logs of sensitive-data access, privileged account use, and application/process activity) and control (the ability to terminate the access of compromised accounts or rogue processes).

While it may feel frustrating, it’s a challenging time to be in IT security. The cloud provides us with a fresh platform to once again architect our security systems for visibility and control of our sensitive data. Déjà vu gives us the opportunity to do it better the second time around. Bring it on!

Todd Beebe is the Information Security Officer for Freeport LNG and co-chair of CSA’s Houston Chapter.