Skip to main content

tv   Cybersecurity Intelligence Forum  CSPAN  May 31, 2018 10:01am-1:36pm EDT

10:01 am
[inaudible conversations] >> now we take you across to him after a cyberforum hosted by fedscoop in fireeye, look at how corporations use cyberintelligence to defund hacks. >> -- and the rapid useful way. >> one of the things we like doing is leveraging indicators of compromise that help describe the behavior. the thing about that is you have to have a context. an ip address used at one point in time doesn't necessarily mean if you see that, that is
10:02 am
actually evil. it's actually relevant today. having some context behind it is incredibly helpful. finished intel products, so i understand the storyline between what they are doing for not only do i want to see technical indicators and observed that within environment, i want to know the story. what are hackers doing with the information? what are their goals and object is and how are they leveraging the tools of their operations. i also like to be able to hunt through a collection of raw intelligence myself because some of the data that might be prepared for organizations come in general with high fidelity indicator. being able to hunt through the database and large collection of raw information can also help you find other indicators in an environment. >> one of the things we've been engaged in for a long time and
10:03 am
we first started, we would send a threat reports come intel reports indicators to clients. the first question we would get his okay, this is great. now what do i do with it? should i resign? in the industry has come a long way since then. one of the things we are seeing now is we are getting much more from an intelligence perspective were being able to carry indicators and provide better context. the key thing is when to get the data, what you actually do with it? a lot of what we look at, our clients have who's clients have who's who set of tools. the problem is the tools aren't tuned to the threats of today. in my mind, the key question to ask is if its intelligence commander operationalized that within your enterprise and that includes your operations team to make sure it is attuned to the address, but also to be able to tune your sensors, what
10:04 am
mr. endpoint security tools, ips or ids to be able to operationalized then pop up like around these events. >> one additional note to that, which i found useful is loading capabilities for actual operators that are running in the environment. the ability to drop in a question and maybe this is a good use of a.i. you'll hear a lot about chief learning capabilities. being able to have a work bench area for a bunch of operators are used for working in being able to drop in information and kicked back whatever it knows about the data back quickly in real-time has been a huge asset to our team and it's a key componenof thinking about problems that is a usability fact there and not forcing users to connect to multiple tools having the front end work bench solution that allows them to easily access the information in a way they are come able doing.
10:05 am
>> i think it's important for a few reasons. one is you need to be able to respond and anything you can automate to remove will accelerate your ability to respond. the second piece that we see as there is a high turnover in cpi data appeared just on our team, the turnover rate is so high in the skills to do so in demand. we are never going to go to keep up with the gap in talent. we cannot automation to be able to accelerate the response. >> i agree. great. last question, maybe start with rat on this one. we talked about the legacy capabilities we can leverage in current response capabilities. had we see landscape shifting with the new cbn landscape another federal initiatives for response capabilities.
10:06 am
where do we see the area is evolving too over the next couple years? >> i had done this before, but the key thing is compliance gives you a good snapchat and there's mandatory reporting requirement. the only way we look it out in front of this right is to go on the offensive come and be more proactive in the enterprise. that's two things. one is applying more hunting, you know, using more data to be a lot to detect most advanced adversaries. how do you actually determining how a fact that you currently are. that is one of the things that most of our clients can answer. you're going to an operations center saying what is the last that you detected? everything is good. we all know that is not true. the other piece moving forward is continually being able to
10:07 am
refine your program by connecting teams to measure your effect goodness. >> great idea, charles. >> i will just reiterate the effective ways to test the efficacy of the program is to conduct an exercise against the organization. i often find that companies will engage testers, but they will say you can't test during certain hours. and if you find a vulnerability come you can't actually exploited. it is a false sense of security when they see the result because they found that someone was unable to break into the network. it's a good way to test advocacy. >> great. i think that is our time. i want to thank the panelists were a great discussion and looking forward to continuing conversations. thanks. [applause] [inaudible conversations] >> let's give them another round of applause.
10:08 am
[applause] okay. i'm really excited to introduce our next panel. first of all, the moderator is awesome sauce. he's my friend, ron ross, who is the fellow who had set the joint task force. they are going to be talking about leveraging cyberthreat intelligence and improved risk management outcome. we have a really diverse group of speakers with different dates. i think it's going to be a really interesting discussion. though howser, chief information security officer, sba, mike rolling, the state of missouri. randy vickers u.s. house of representatives. please join me in giving a warm welcome. [applause] ♪
10:09 am
>> good morning, everybody. this is a great crowd. thanks again to gold in your great organization and to fedscoop for hosting the conference. we have a great public-private partnership going on. you know, threat intelligence obviously you will learn today is getting very, very good. our capabilities in developing that intelligence has grown enormously. the people i work with, what the defense department and the intelligence community, we judge the adversaries, the threats by capability, intent and targeting. those are the three characteristics they look at. the important thing is we talk about the diverse organization. you'll hear from three who are in different environments but he represent something i said for a long time. the cyberthreats do not
10:10 am
distinguish between federal government, state and local private sector. we are all using the same technology today. the technology is awesome. it gives us great capability, but we are incredibly vulnerable because we depend totally on this technology to be dependable and give his mission business functionality. as you look at threat intelligence, the important thing from my perspective is not to look at it as one factor in the larger problem. you have to look at this holistic way. you look at risk management, i can hear everybody now. great. all my friends. when you look at risk management, there's a piece called risk assessment. risk assessment has always been about threat to mobile nobility, impact and the likelihood that can happen. today, if you are working on your critical assets in every company, every government agency is critical assets. you can direct the component because it is 100% or 20.
10:11 am
either you've been attacked or you're going to be attacked and that is something you can take to the bank. the important thing is how do we use threat intelligence? what do we use the threat intelligence for with respect for risk assessment process, known vulnerabilities and more importantly as someone said earlier in the zero day vulnerabilities are growing at eventually. those are the ones we don't know about until we know about them because the complexity of the i.t. infrastructure is growing enormously and that is a tax service. the real question i think our panelists going to try to answer in the next 15 minutes or so, 20 minute, is what is threat intelligence within your organization. in particular, how are you using the threat intelligence and how well is it working? once we go through the first round, we will circle back and talk about recommendations. let me start with my good longtime friend, randy, from the u.s. house of representatives.
10:12 am
can you talk about your view of threat intelligence, how you're using it in how well it's working. >> thanks, ron. the data, the understanding, and the understanding of the ttp and not information that can be used to reduce risk and two, to reduce that dwell time metric that everybody says that you hear in various speaking engagements with 200 day days that mauer sits on the machine or the threat that on the machine it. i think that is where threat intelligence can help reduce or prevent to some degree. how do we use that? one of the things that i kind of put it in turn all inside the wire as i like to colleges where you do your day-to-day business, your stock works, event management, hopefully the
10:13 am
response in the threat intel team sits right at the edge of the wire. the first thing they look at in our case is any information that we are getting from our partners within the legislative branch. the next circle would be information that we are getting from our partners like dhs and others within the government space. the last circle before we get to true open source intelligence is like organizations. we have a strong partnership with the five parliaments. the u.k., australia, canada, new zealand. we are starting a threat intelligence sharing program where we share information more and more. so i see that as i want my threat intel looking over the horizon. looking at those things to help us was just mentioned, how can we help reduce that attack vector and that surveys. they contribute not only to the
10:14 am
risk mitigation because anything that we know about a ttp, we can start looking for those kinds of activities for the indicators of compromise and other indicators. i agree we need to have contacts and that's where the reports come in and contributes to the hunt team. they kind of sit on the edge of the wire as well as internal because they are looking for the low-end selectivity that you will not get through day-to-day alerts. you want to look at the alerts and connect the dots and see where those things come together so you can take that incident response and start handling. for us, we are still growing. i have a team of two on my threat intel. we were putting in a threat intel platform to better automate certain types about committees. we are looking at orchestration. how can we interject some automation. i'm a firm believer you can't take the human out of the equation, but where you can you need to do so as much as
10:15 am
possible to prevent the risk. we want to do the minimal amount of incident response as i stated earlier. looking at various threat than platforms and threat intel sources. one of my previous jobs, one of my goals was to reduce our dependency on government intel. not remove the use of it because it has valuable insight. but because of classification and other types about committees, your distribution of the information isn't as robust and dynamic. looking at other threat intel sources, you know, like the eyesight of the world in being able to pull the information, put it in the system come and get indicators actively moving forward with the stock in those kinds of activities. >> thank you very much, randy. let's go to my brand-new friend from the great state of missouri.
10:16 am
mike, how are you using it and how well is that working in the state of missouri? >> you really nailed it does there is a big different our state government and we have jurisdiction over at 30 plus state agencies. we have 50,000 state employees, 6 million residents, 600 plus municipalities that we try to keep an eye on. when i hear threat intel, i think it's important to define the difference between threat intel and threat data because they think sometimes they get intertwined in their definitions to me, threat intel is actionable, timely, consumable and we can move on it right away and reduce our risk and/or hopefully prevent attacks. one such attack occurred back in
10:17 am
2016. there was an fbi notice that went out to certain local elected officials. not state officials, but local officials about a particular win somewhere attack. we witnessed first-hand the difference threat intel can make. that is actionable and targeted. going back a few years before, as you all may remember, the city of ferguson was under siege. we had civil unrest that occurred for a period of months and the state of missouri was right in the mix. the threat intel that we were able to gain two or critical part tears from the fbi, dhs and others, it is what kept us going. it is what kept us breathing an operational. the threat intel has been vital to the key of our success.
10:18 am
it is the lifeblood of how we view a key component of our security operations center and without it, i'm not sure where we would be today. >> thanks very much. now, most of us focus on the larger federal agencies of the small business administration and smaller agencies. this is a good use case because we have a lot of small mom-and-pop companies out there dealing with similar types of resource constraints and things like that. let me turn to you, bo, talk about the sba, you'd be a threat intelligence and how well it's working. >> i'll take a step back and provide a little bit of context to help me answer the question. there's really two approaches and cybersecurity. there is the well-known and loved defense in depth model.
10:19 am
i like to call it the capital approach. you have the outer keep come in or keep in the crown jewels always behind several layers of defense. very important, but inadequate by itself. and so, you know, there is that. it only takes one malicious insider to really circumvent all the defense and we've seen examples of where that's broken down. the other model considered when building these programs is a threat-based model. the key differentiator between a threat-based model is intelligence. you have to know who your adversaries are. you have to understand what the motivators are, how they operate, who they target and then you need to use that -- use the information to write a program to really strengthen the
10:20 am
overall posture. for example, under a defense in depth model, a vulnerability we see it under a threat-based model, it is a different approach. that vulnerabilities being exploited and you have a system that is vulnerable to die. better get out to the top of the stack. the way to infuse the analysis is through the use of intelligence in really knowing your threat i tears. at the fda, we have a program that centers around the 21st seven security operations of small cyberthreat intel team made up of intel analysts. not i.t. people, intel people. until folks think differently, so that is an important aspect to consider with the intel
10:21 am
capability. i have a small team of testers, cyberthreat hunters and forensics and now i'm able to say that imitate cybercriminal acts against this high value system. you know, that only proves the resilience of that specific system. also working with the 21st seven monitoring can show you if the stock has every visibility in the rate triggers in place. you can provide the same information to your threat hunters with the environment that identify if the threat actor has been inside your environment before. defensive depth very important. threat-based models really changes the aspect of the entire program. and then, if you do have good intel unspecific ttp do you need your staff to an outcome you can get them into your training and
10:22 am
awareness program to really emphasize if you're doing dishing exercises, you can and does the right way and raise the awareness the right way so changes dynamics of the entire program. at sba has been there for about eight months, so we are just getting this model off the ground. prior to this i was at the center for medicare and medicaid under the leadership and we built this model and it's very effective in the intel serves as a force multiplier across the cybersecurity program. >> thank you very much. before we go to our final round of recommendations, and will start to make my first recommendation. threat intelligence as i said before has to be looked at in the context of the totality of risk management. we can't just rely on continuing to build our threat intelligence because that's used in today, how we use the threat intelligence is the most important thing.
10:23 am
cdm, all of our great tools and everything we deployed our vulnerability hunting model, the number of vulnerabilities is growing exponentially because the attack services growing because of our appetite for the technology. one of the recommendations that would make in order to take maximum advantage two or greater threat intelligence tools and take makes in all the things we can bring to the fight, you have to do your part as well to reduce and manage the attack surface. it goes back to this is a physics problem. these functionality, least privilege. we tend to growing networks and systems because there is an intense desire for more functionality, more capability. we have to balance that. we know the threats are out there. we have great threat intelligence. the real question is how can you reduce and manage that because we have a tendency to go either way.
10:24 am
with that, i'll take the last couple minutes to go one more round and give us one recommendation on threat intelligence is applied to risk management. >> so i have a couple really quick. first, conservatives are out there. there's others besides that we can tap into in the prices right on those who take advantage of those. the other thing i'll say is that breaks down the attack process in two stages in each stage list all a bit known techniques that attackers use during that phase. you click on a specific technique and it brings up a page and tells you the threat actors that are known to use that. you can have your purple teaming model to account for all of
10:25 am
those that get you into the intel focus of approach. if you have resources like other key industries, they just provide a report to us about our network and should be concerned about. the last one a share. we've got to work through this and get to a point where we are comfortable sharing and really get to wear an attack on anyone of us equals protection for all the bus. so sharing is really critical. >> thank you. my recommendations. >> my big recommendation b2 partner well and identify those who care about health. the ones who are doing the research on the heavy lifting and identifying what is going on
10:26 am
out there. secondly, you've got to listen to the threat intel. we've mentioned how it shapes the fundamentals of how we conduct ourselves within security operations. where do we in boston where do we divest? how does it impact our processes? how does it impact the ability to gain visibility within our networks and endpoints and her people. i thought it was great that go mentioned about using threat intel to shape awareness programs. that is absolutely vital because that's what they go after first. we are the soft targets. >> randy. >> randy coming you get to bat cleanup and take us home. >> cybersecurity isn't just about say it that is really the capital kind of stuff. what are our high-value assets and then apply the appropriate
10:27 am
amount against all of that. it helps define the techniques you can use to use the risk. if you are blindly putting firewall blocks in with these kind of blocks in, you're going to hurt your business. so you use the know which are high value is, know what the threats are and then you can act accordingly because you can't block anything against all items. that threat intel ties quickly into how you do your risk management and i think that is a key point. we can't do it all. threat intel helps contribute to the risk. >> thank you guys very much. appreciate all your remarks today. we would get you back on schedule. thank you all very much. [applause]
10:28 am
>> let's give them another round of applause. [applause] i'm really excited to introduce our next speaker. talking about the commercial threat intelligence, about commercial threat intelligence. she's the vp of global intelligence at fireeye. put your hands together and give a warm welcome for sandra joy. [applause] >> thank you so much for letting me come and speak to you today. it is thrilling for me as vice president of fire i in charge of threat intelligence to have an entire conference to this important topic. what i would like to talk to you today about is how commercial intelligence can serve.
10:29 am
if we think about it, commercial intelligence really has the capability to widen the aperture for government and for other customers and how can we best do that. at fireeye, what we do to collect intelligence as we look at our machine intelligence that brings in current active threats against us. we pair that with what are many consultants are seen when they doing incident response. and then we can actually look at the campaigns during defense offerings. our eyesight intelligence analysts are in the underground, managing personas of collecting up is very intelligence. this is very rich information that we can correlate together, process, analyze and disseminate and give situational awareness and mouse will be able to give forecasting so you can proactively hunting your environment for the threat. before i get into it, we have lots of lawyers at fireeye.
10:30 am
they are very good and they want me to remind everybody that i may talk about case you care, but what we really value above everything else is the confidentiality of our clients act. i might talk about things i won't go into specifics about. specific customers. with that, let's get started. almost 20 years ago i joined the air force announced a good fellow. i'm sure people in the audience audience -- why are we clasping? it was awful. i do remember when we learned about intelligence, it is all classified. very serious. still is. but i also remember thinking about the sort of redheaded stepchild. there is the area come and ecology out now by the way. i saw him analysts in hawaii. and i thought, that is the best
10:31 am
job. they will sit in honolulu and read foreign newspapers all day. what a wonderful job that would be. it is so compartmented that even in the icu couldn't share with your fellow colleagues. things have changed a little bit. it is not perfect, but things have changed in that now with the onset of globalization, the information is so commoditized now. information that is no longer deep and buried in classified areas, it's still a great insight and is great value to the geopolitical situation going on. one very important inflection point in commercial intelligence was the release of the report were the second chinese people bureau units, the unit that was infiltrating and stealing i.t. from the united states over a series of years was finally exposed. not by the government, though.
10:32 am
as exposed by commercial intelligence and played a very important part in geopolitical policy. this inflection is really important because we also have to think about this as the commercial sensor. what are the roles and responsibilities of a commercial intelligence organization when they are part of that common operating picture? the front lines are no longer in the traditional battlefield front lines. the frontline of nationstate activity could very well be embedded in a company that has a breach on the other side of the world where normal government authorities would not allow the explication of that information. so how do we proceed in this new world? how can commercial intelligence serve? there are three main ways that it can serve. one that is shareable. one that is international and that its rapid.
10:33 am
the great thing about shareable intelligence is these days we know that a lot of times you're working with partners. there's not a lot of unilateral operations anymore typically with either a partner government we are working with an ngo in having unclassified shareable information can allow organizations to have a conversation, a narrative about a common place towards the strategic mission. international meetings the commercial intelligence can be deployed in governments and institutions around the world can be received, processed and looked at and outside of the resources or the priority said of the government. it could be in a commercial organization, financial organizations somewhere else. and it's very quick comparatively speaking. not a lot of special handling, not a lot of bureaucracy or levels of approval.
10:34 am
in these three ways, commercial intelligence can be a very part of the common operating for governments around the world. so how does fireeye do it? how do we contribute to this important mission? i would like to show you a few different examples of how they do commercial intelligence and how we have contributed to this in recent days. the first one is about shareable insights. the shareable piece of commercial intelligence. one very, very important part of having geopolitical conversations that sad it has to be multilateral and people have to be able to talk about them being that may have disparate organizations all over the world, looking not at and we were looking at the word documents that were sent by chinese actors against a southeast asian government employees. what they were doing is trying
10:35 am
to find information about the road initiative. and something that we have seen putting throughout europe and asia in the important part of this intelligence is that we were able to glean from these documents was the plans and intentions of the chinese state and we were able to raise this to a multilateral and multi-conversation that would not be able to happen if this intelligence was. in the bureaucracy of a foreign government and never brought to service. in this way, shareable insights are very important part of how commercial intelligence can serve. this is one way that fireeye did it. international. a lot of the adversaries that we track at fireeye have a very global to and they don't make it easy for us because they are targeting organizations all around the world they are
10:36 am
texting, poking, prodding in their playground sometimes in their text ads are in were government authorities are not applicable. an important part of this, an example of this was the now where we discovered while doing her sponsor receives in the industrial plant. a very dangerous piece of nowhere because it targets the safety systems of industrial control systems. if it's outside of the environment and it's intended to incrementally if you see it in an anomaly. normal safety systems spin down in a very safe way to prevent loss of life or property. do not wear attack with a very dangerous piece of nowhere and we get these insights overseas before they reach as is an
10:37 am
important part of how commercial intelligence can serve by being international. if you think about it, commercial intelligence can be the honest broker in between governments and collection and the privacy and confidentiality of customer. we can protect customers, but we can take and clean and provide that to the community. that is a very important role in the middle of governments and security community and passing information along. the alternative is increased authorities on the government in being a western democracy is not always the best course of action. the other thing that's important that commercial intelligence can provide is rapid and night. we can put information out very quickly, especially if the stakes are very high. last summer the spear phishing
10:38 am
e-mails were targeting the energy sector in the united states. the fireeye intelligence were able to link these to north korea and what was very disconcerting about past is that we were able to see that north korea was spearfishing energy target for the purpose of disruption. it was simply a very early stage that there was no clear present danger of anything being to start the period we can put this out immediately to the energy facts into our customer within hours. the important thing here is there's no need to think about special handling. there wasn't a big government process of approval. we rub to push it out there and communicate this immediately. that's a very important way that commercial intelligence could be speedy and rapid.
10:39 am
in the normal course of our day-to-day work at fireeye, we also uncovered more zero days than everyone else combined. you think about way that commercial intelligence conserves, this is an important way that we can serve. we can provide awareness to not only governments but the entire security community. it was mostly china, russia, but now we are seeing it exported for multiple countries and that will continue to happen. so what are the roles and responsibilities of commercial intelligence organizations? we cannot and should not replace the government functioning. however, we do have a responsibility and not give you a really good example. the north korean spearfishing example that i just mentioned, we could've taken that to the media immediately.
10:40 am
it would've been no problem. we could have benefited from a marketing. but we decided not to because of to because it couldn't of been the right thing to do. it would have been a very tense geopolitical situation and we knew that we had to be very mindful of the secondary and tertiary effect of doing such things. and so, we decided to exercise strategic restraints and put it out to customers. and we knew that was the right thing to do and now it's our commercial intelligence organization with the type of insect that we have needs to be able to do and to communicate very well about it. because at the end of the day, we really do share this mission. we need to know unhurt together as much about the adversary so that we can protect the good guys. thank you so much for taking time to come today i look forward to the rest of the
10:41 am
speakers. thank you. [applause] >> was give her another round of applause. thank you so much. [applause] so with that, we are going to first of all, how has the content been so far? what do you guys think? all right. we are trending on twitter. we are going to go for a quick 15 minute break and we are coming back. as you can see it is standing room only in the back. if you want your seat, come back in 10 minutes. thank you, everyone. thank you. [inaudible conversations]
10:42 am
[inaudible conversations] >> this is live coverage of a cyberthreat intelligence foreign posted by fedscoop and at fireeye taking place in washington d.c. the firm is taking a short break for the next panel begins. in the meantime, we will show you some speakers from earlier today. >> good morning, everyone. how's it going? is everybody ready for a great event? let me hear some noise. welcome to the cyberthreat intelligence summit presented by fireeye. and founder and ceo of scoop newsgroup and is ready could join us today. as many of you know over the
10:43 am
past decade, my team and i work closely with the last three administrations bringing the brightest leaders from government together around the white house priorities to exchange practices, collaborate and find ways to work together. i team and i said that the council every single week. we have lunch with them and sit down with them and talk about the things that are keeping leaders in our community up at night. whether we're talking about big data or mobility for any of the given hot topics of the day, the number one issue that keeps bubbling up in the top thing keeping everything up to cybersecurity. today we are speaking about a specific area of cybersecurity and fire i is the world leader in this area. we are thrilled to partner with them. we have an amazing agenda, lots of great speakers from government and the tech community. a lot of subject matter experts
10:44 am
from fireeye and some pretty big names. are you guys excited about this agenda? yes? because we have a really jampacked day, i'm going to have our first speaker kind of welcome us and kick off the events. he's the man of the hour come your host. please put your hands together and give a warm welcome to pat sheridan, vp factor of fireeye. >> welcome to our fifth annual government forum. i appreciate everyone making it out today. last minute. everyone should be in a good mood. seriously, thank you. each of you has a lot of other things you could be doing today. i think there's a few more seats as those in the back want to sit
10:45 am
down up front here. again, thanks for getting up early, making it downtown and those traveling far away, just saw jeff brown or new york city. i know we have some folks from asia, europe, middle east. right now we have some in like 103 different government agencies represented worldwide. i have seen this event come a long way in the last five years are the first one we had 350 attendees. i am most excited about this one because a lot of thought went into this we get a lot of feedback from each one of you out there. i'm most excited about this. the theme today is cyberthreat intelligence. why is that import? right now it is the threats that matter. that is what is most important right now. a lot of organizations and government that think they will solve this problem with
10:46 am
technology. some of you may have read it, which talked about not really having awareness of threat actions out there. this is what we do every single day. our experts on the front lines. our threat analysts come in the organization started appeared 10 years ago. this is the stuff that makes us different from everybody else out there. i left the army about 23 years ago and i have to say out of all the companies i worked for in that time, this is definitely the one i enjoy getting up every single day in working for. we are really making a difference out or not just for the u.s. government, the governments worldwide. anyhow, i do want to take up too much of your time. let's get this kicked off. i went to introduce our first speaker. he started his career over 25
10:47 am
years ago as an air force officer. actually, communications service officer in the pentagon. no stranger to washington d.c. here. definitely no stranger working with governments worldwide. i like to welcome to the stage, fireeye ceo kevin mattia. ♪ [applause] >> is good to be in a city where few show up at 830 clockers other people in the building. i spent 21 years here. i would like to say temporarily moved here in may of 1993 when i got stationed here. 21 years later when my company got bought out i got for us to move to california and i'll never forget the first time i showed up in the opposite was typical d.c. time. with 7:15 and i walked in.
10:48 am
like i am in the wrong building? and i was the the the california rabble. i wore a suit and tie to work every day for the first two years i was in california and basically there was a negative connotation to it. when i'm out there, every once in a while he don't wear a tie. it's good to be back in d.c. going through as much as i can. i want to start off by welcoming you here and hanging thank you for making the time to be here. we have a lot of experts in the room walking around. ask any of the questions you want. we are out there trying to solve the most complex problems in cybersecurity. we are in it together and we hope we can share from our experiences and learn from yours. the other thing you want to stay thank you as i could to stand your representing the women at fire island and it's a privilege to do so. i'm always within 24 hours of our folks doing really neat things. last night as i was about to go
10:49 am
to bed attacks from charles carmichael saying you're going to get a call from this one cio unix started. we get a move from the hands of the government agency dealing with the challenges well. we get a call when security matters most in people under duress. it's a privilege to be here and if i spent three hours dealing with an h.r. come i cannot get back to my roots. i'm about 20 minutes removed from the encoded notch for newer. as a fan of you at the fancy title of ceo, in reality it is cybersecurity person. it's what i'm doing for the rest of my career and it's been a privilege to be in his career the whole time. i started a company in 2004 and i'll never forget several things about it. you show up come you start doing your work and then you make your website.
10:50 am
our website will have the phrase security teachers are inevitable. don't be a headline. wildly unpopular in 2004. i remember meeting with analysts who said you're flat out wrong. your concept is ridiculous. but the whole concept was let's get on the frontline and respond to every single breach that matters because that is the front row seat to what needs to be made. every time he triggered, most people have the reaction they got a trigger, but the reality is you should have the reaction what did it miss for the last year and we better investigated. i felt we needed to get behind everyone else and do the arends occasion required, made-up word, do the forensics required behind everyone else's endpoint. at the time i started mandia, somebody named john keegan wrote a book called intelligence and were published in 2003. i am most named the company orange leonard.
10:51 am
bertie cool. just couldn't get there. but when you start a company come in the first thing you do is name the thing. you spend more time than writing any business plan. you need to get the domain. you've got a come up with a name with the domain is still available. i was reading keegan's book on on intelligence in war, recognizing in 2004 the whole cyberthreat intelligence that didn't exist. we knew what we were doing with intelligence. catalog what you learn from every single breach that matters because it's portable to the next one. it's a fascinating thing. there were always be a security gap. the website was so unpopular. this is why i'm never going to be the head of marketing. i'd come up with another way to say security breaches are inevitable. you cannot solely rely on preventive measures. that is boring.
10:52 am
so that was our website. believe it or not people still called it. there will always be security. i could, but 10, but i'm going to share a couple. you can hack the united states. it's a freebie. in fact, if you're sitting in russia right now and you can't get a good job, why not extort patent in the anonymity is your friend. without repercussions there is no deterrent of these things will continue to happen. one of the things i've also seen in this hasn't changed since 1998 would retract how do people break in? realizing with a skewed vantage point, nobody hires us to investigate intrusion when they are five minutes behind the problem. when they get to the scale and scope that folks need help, we go in and figure out what happened and what to do about it. for the breaches we respond to,
10:53 am
it is just trying to get a human to click on something in hack themselves. we are all a last line of defense and i could do a 102nd class on how to yesterday. that is a problem and we are used to communicating, not face-to-face, good used to getting to whatever they linked their news to to see where the drinks are tonight. so they are exploiting human trusts. there is a third reason. hiding behind the anonymity of the internet and this is just the problem. if you're anonymous, i've always said that anonymity does more to accentuate the committees about folks than it does help in good people. you see that on the internet. more on that later. cyberattacks are definitely reflect and geopolitical events. until we have world peace and no
10:54 am
espionage, there will always be cyberactivity and it's not going to go away. as we respond to every single breach that matters, as a company we have other trace evidence behind the same spirit infrastructure being used to have domain names. to register with the different structure in the past phrases used in the commands they type when they are online when they hacked in. we try to attack the hackers of every piece of trace evidence. we are so boring we came up with a schema to track trace evidence back in 2005 are wildly unpopular, but it has 635 different criteria so as we were doing forensics we could catalog all the forensics peered over the years we have noticed patterns. when you look at rings coming out of china with several dozen groups coming out of china in just different buckets. look at the evidence because that goes into bucket abt 19,
10:55 am
but get a bt 30. two out of russia. there is no less be snuggled up appeared. no fuzzy bear. i've always wondered, how do you get any board or miss a server, you are in the headlines for newer hack by fluffy snuggled up. it just doesn't work. we are just integers. we have groups that we track. look at the nation's been involved in this without we are clearly defined rules of engagement. iran may have two different groups. north korea we say tracking. i called them outside of the big networks. a bunch of folks later today about what i say it does, but it is an awesome component because you have her services folks in the victim network trying to figure out what happened and what to do about it.
10:56 am
they can always think about attributions in reality all of these bucket and it's just a time saved. this is apt 37. here's all the indicators. let's go look for them all. that is what we use it for. then we have over 100 analyst that speaks 32 languages in 19 different countries trying to figure attributions and we think attribution matters. north korea did report in february on this because it had a couple of rites of passage. whether they paid for it or not is irrelevant. they put it to use. that means they've got a government capability. that means no path they can execute it. take out what i would call the second wave of targeting. it can operate out of scale and scope where they can target things besides south korea appeared you go to south korea and they blame everything on north korea.
10:57 am
middle east is a digital cocktail party. the bottom line is it creates the scale and scope of their operations. it's neat to see the rights of passage. vietnam got into this. who would've thought that. dr. shows you have one great exploit developer and one great hacker, it scales pretty well. we keep going. right now i figure seven minutes into any presentation i have a bubble chart. so here it is. it's cool to look at. but as a company we find more zero days than any other -- basically every other security company combined added up. more likely than not we do not. but that is okay. we find them when we are investigating an intrusion and try to figure out how the payload gets on the machine. never seen it before. they are the ones putting some specific industries.
10:58 am
evil. as i prepared this presentation and it's a privilege to speak to so many people from the u.s. government. there is an unique disadvantages we have is the nation compared to other nations, so i will go through some of those. it is just the reality of the situation when you consider the cyberdomain. we have unique weaknesses compared to say russia or north korea. first is asymmetry. every nation has to deal with asymmetry. always rather be taking a penalty shot than playing goalie. i would anyway. it seems more interesting to do that. that is essentially yet. on offense, you can create work for millions of defenders. when you look at the target zone in the united states, the biggest of any other nation. we have the most divided target service. we have the economy that relies on the internet more than any other country. asymmetry is just broader fear
10:59 am
for us than it is for a lot of other nations. that means no balance of power. a few weeks ago i felt guilty saying this because was taken out of context. i have set it for years, if we had just in the cyberdomain war. comic can go to land, can't go to seed, no space. justin cyber, let's have a war. if all their weapons work in all of russia's weapons work, we lose. it's the same argument that if you're in a billion-dollar spouse in both houses blow up, you lose because you got the billion-dollar spouse. that is what we have in cyberspace. you look at other domains that the balance of power sometimes in land, air, still dominant in every domain. in favorite is one that even dominate on offense, the unfortunate reality is the defensive side becomes an equation that is a challenge for us. there is no balance of power in
11:00 am
the cyberdomain. in fact, there's a lot of nations that if conflict is going to stick in cyber, we like that. there's a little bit of gray operation mayor in the united states is a little bit on the weaker side on defense. we also as a nation share critical infrastructure between the public sector and private sector. other nations don't have that problem. you will look at providers and communications. some nations totally controlled by the government. we can't, so we have to have a public or the consortium that works together, especially under times of duress and that's just a little bit different and a little bit broader here. there's no sound set of rules than this fascinates me. i can spend a lot of time talking about this. i can't figure out what is fair game for espionage. i don't know. ..
11:01 am
we're excited to have. they will be talking, the name of the talk is managing the critical infrastructure risk, understanding threat actors, their motivations and their capabilities. our panelists are john felker, director of national cybersecurity and communications integration center at dhs. paul morris, chief information security officer at tsa. rod turk, acting cio and longtime at department of commerce and/or moderator is rob caldwell, i see as manager at fireeye. please join me in giving them a very warm welcome. [applause]
11:02 am
♪ ♪ ♪ >> welcome back from break. appreciate you joining us again. what we want to focus on today is all of us are aware of the importance of critical infrastructure. we are aware of the intel that is out there and it seemed even kevins comments this morning, if you don't understand the critical threat space we're in right now, hopefully you will get some understanding through this panel. what we would like to drill into debate is really helping bridge that gap knowing there is a problem and then understanding what was going to do about it. as we spoke earlier what we want to focus on today is bridging
11:03 am
into, we know there is intel out there, we know there are attackers out there but how does that translate into protecting critical infrastructure. the first question for the panel is really we know there's intel out there. how does that translate into concrete action for defensive teams to protect critical info structure? >> a lot of the speakers before today were talked about a couple of critical elements. i think no one is that a lot of intelligence at the federal departments and agency level that can be used, but just as importantly maybe in some cases more important there's a lot of open-source intelligence. you can't discount. you have to have it to be part of your picture. so i think what we've got to do is we got to get critical
11:04 am
infrastructure, asset owners, particularly those who discussed earlier, the electric sector and healthcare sector and of those who understand that there is this information out there that they can use for their cyber defense teams to better prepare them to not just respond when you have a bad day but also to prepare your defenses for what could happen, the earlier speakers talk about getting left of boom and understanding what is possible out there. and if you know what is out there and what the bad folks are doing, you can better prepare for it by looking at what they do, what their motivations are an sort of how it is aligned with your risk. when you do that your team is better prepared. if you're doing the right things, the hunt has been mentioned, a lot this morning. the hunt teams can be looking for those things that could cause you to have a bad day in your entity. >> very good.
11:05 am
mr. morris, how about your opinion? >> i will just jump in a different the first thing i would say she got to build a team that you're going to share with. we had several different examples of how you do that. several peers i am constantly talking to but you have to have that prepared ahead of time. when did things go bad it's not the time to start the gratitude to call and what the phone number is. from the critical infrastructure site of the house each of our sectors has an isac and they can belong to. that information and intelligence of those are critical components of people that are like you or you can share with. at the end of the day think somebody sitting on john's watch for, on the nccic 24/7 has access to the kind of intelligence that are cleared folks that can make sure that the ship. that has to come up. the second thing is i have coffee every morning and read my intel products and that is key that goes back to that open source. but again you need to take those
11:06 am
and this goes back to where i always talk to the team about we have to have a plan on how we're going to integrate intelligence. i was an intelligence officer 15 years. had many people told me you guys do not own intel thing doesn't help operators now that among the operations side i know exactly what that means. it has to integrate and then drive operation capability. intel has to be available and then translated, i like to think about the things you were talking about in thing that helps me better explain up to my senior leadership at tsa and others. like does consequently me without getting into the technology perspective. the last thing is that intelligence is at opportunity for us to go, what's the threat model look like? could we see that if that was on a network? would we be able to respond correctly and respond quickly? you have to go back and look at your plans. will they work in this new environment? that gets into most dangerous,
11:07 am
most likely come of those kinds of conversations but again it's about strategy and planning. it cascade to do everything we heard this morning about making sure the security stack is properly tuned and you are empowering your folks who are out there that are doing the hunting and all of that other testing. >> mr. turk. >> on going to fall back on a very basic trite statement every cybersecurity person knows, and that is you can't protect something you don't know. i know, everybody has heard it. but i have to say i would love to have a silver bullet that would tell me exactly where my next threat is going to come from, and take me all the mountains of data both the unclassified and the classified site, using some artificial intelligence and then coming up with a way to tell me when and where and how that's going to happen. but that's kind of pie-in-the-sky.
11:08 am
it's not their ticket doesn't exist. so then what you have to do then is you have to then be available and able to take a look at information that you are presented with, generally after it really happens and be able to react quickly to it to be able to defend yourself against what's coming or what is already there. we think that's the essence of resilience, being able to identify that and quickly remediate. if you don't have good hand of what your architecture is and what your environment looks like, what software come what hard work, whatever services out there in that threat appears, if you don't know that threat is in your environment, you've got a problem. it's going to come and find you. when it does find you it won't be pleasant. the bottom line is you got to kind of no what's in your environment so when it does happen then you can go after it, remediate it, fix it and have
11:09 am
that amount of time that is in your environment, reduce that as close as you as you possibly can. there's a couple of the things. i guess when you talk about architecture, that may just got to have that done before the vulnerability happens. some pre-work pre-work is alwa, very important. one of the pre-work items i would offer is that get to know your guy over at nccic to get to know the guys at the three letter agency. get to know the folks that have or will have that information. i'm not saying they won't give it to you when the time is right but you want it now. because the longer you wait, the greater chance that you have some lateral movement or some of the kind of movement through your system which makes the clean up far more costly and expensive. so you want to have that early warning as quick as you possibly can. let me talk about open source.
11:10 am
we have in the department of commerce a fairly mature risk management process. we do it all in open source for the most part. you would be amazed -- may be wooden but you would be amazed what you can go to find in the open source. we use the open source to identify where risks are for new systems, devices, services, what have you been if we need to then we were going to the classified realm to support that but open-source for us is critical. it identifies those things in the supply chain that we do not want to have. >> very good, thank you. as my team has done numerous critical infrastructure, investigations and assessments around the world that's one of the key things we found as so many operators of critical infrastructure don't know what they have from asset perspective that's a very important point. let me ask another question.
11:11 am
what are the differences between understanding and the implications protecting the systems of understanding motivations and capabilities versus the actual techniques and tactics that the attackers use. >> i think both are critical when you think about the plan you put in place that you are trying to prioritize the information that you have, and you need to be able to draw on both of those dramatically in how you look for information and they put that information to work. the tactics, techniques and procedures we heard kevin talking about this morning if you have one single hit the says this really is, this particular actor come if i can quickly get the information that has that tactics, techniques and procedures, okay, i did go look your and that quickly gets into where your vulnerability is at in your system and those types of things.
11:12 am
there's a need for both. they are taken by different folks within our organization for either doing the defenders, the hunters, or looking at our planes. how are we putting it together. i would think there are equally important, just given folks because it goes off without to asset management and what we have and what we need to get rid of. but just as important, i want to bring up is i spent a lot of time looking at new acquisition, new systems, innovation. just as rod said we need to go and look at all of that from what the threat actors are out there, do they have capability, do they have intent, and then would they penetrate these new and growing systems? you apply even at that level. it's a comprehensive across the board requires all of that which we need folks who were are doit that kind of thing. >> you make a good point. i think about it included two steps. the first step in the most immediate are the closest is
11:13 am
remediate come stop the bleeding. kevin was talking to this morning as making sure you minimize them as much as you can and by the way contingent operate while you were doing that medication. the other way to look at it is before that occurs what's the motivation of the actors? we understand key ppp or if with some in networks were constructed think about okay, so i've got xyz actor in myspace. what does that mean? remember there's a human on the keyboard. what are they doing? why are they there? wired after me? why they after you? wide after a bank? if you can think to those of things you can better prepare yourself from a risk perspective and if you start to see those indicators, somewhere in between those two things you can back it up and say i need to make sure that i do these things based upon this actor and these motivations compared to the risk that i have against that sort of
11:14 am
a threat. >> i think it's one of the elements of being proactive. if you're going to think about where, what the threats are and why, then it gives you a clue as to how best to protect yourself. different job, different time, different government agency i could tell when that particular country was coming in to visit my organization. i could expect a phishing expedition, and it was like clockwork. 30 days before the meeting it started and it came from this specter and it looked like this, and what i would do is our get together with all of the folks that were potential targets and say listen, we're going to meet with him 35 days or no. five days of this is going to happen. be ready, be prepared, don't click on it. 2% always do. [laughing]
11:15 am
but don't -- if you know that then you can protect yourself. so the idea is, if you have a sense of what's happened in the past, how would present itself, then you can take action to better protect yourself in the future. it's part of that proactive nature looking forward to try to get ahead of the game if you can't. >> that's a a great example. any other examples the panel can share that you can actually talk about, perhaps even targeting your organization or critical infrastructure that intel is help you get ahead of and mitigate? >> i think from a tactical perspective certainly i think wannacry is a good example. the information that we received from international partners and wannacry for things that were sort of following the sun as you
11:16 am
saw the impact start to happen. and so our first indicators came from scandinavia and the uk, and just a simple knowledge of sort of what they saw and how they assessed it about us to create some production that went very rapidly to not just space but lots of others and critical infrastructure so that people could begin to think about and take action based on what we were seeing. in a tactical sense that's always really, really useful. it's a little more difficult you start getting more strategic but if you really know some of the actors behaviors and if you can chart that like you said over time you can prepare, you can prepare for those threats because you expect that they are going to. >> i would add a couple do that. i want to go back to a year ago, the thursday before mother's
11:17 am
day. i was playing on a barbecue that weekend but it would ruin my entire thursday when we first got the hint. i would ask those who do what we do, where were you and what did you do we heard about wannacry. our team, we knew there was something up because i saw the chatter online. we saw the different open-source reports say hey, things are going bad quickly, and we started looking up, , out, whato you know. that led into friday evening at the reworked through the weekend as we scrambled. i think that was in response to we built a network of how do we gather data extra and then how do we share, and then when you in this partnership to get that product coming out from john scheme which is okay, , here's what it is, but here's how you go fix it -- john's team. if you're undecided house side of house of try to collect from all the different vendors who had different ideas am editing
11:18 am
to a saturday morning we were finding out that the antivirus folks were breaking the patches and breaking the machines to have that committee of interest to help us kind of work through that. that was being prepared seen it moving on. i would say on a more generalized basis when we respond to intelligence we think it through if it's important and you take the temperature of the organization by doing a quick check, it there? but you take this prepared the blocks and measures him of the we see come later. and if it hits a box and start and it is blocked, why? because we were there about a week or two before. that's our responding to what we're doing and again that total collaboration effort. there is a successes. sometimes you can't point to them, but there are speedy any further examples? >> i'm wondering if we should have a vote about who has the
11:19 am
best socks appear. [laughing] >> so you don't have to look us in the eye. i think that's all i want to say. [laughing] >> this is nccic uniform by the way, so you know. >> very nice. any final takeaways you like to give it to the audience this morning? >> we haven't talked about high-value assets too much. i find the previous panel talked about the moat and the castle and all that stuff but you can't remember that in those castles there was a place called a a k, right? they keep was where you kept the jewels from where you kept on weapons, where you kept everything that you held dear. and, in fact, when you were being, when the castle was being deceased, all of the night back in the day with fallback to the keep to protect the most
11:20 am
important things in the castle. the analogy isn't then we should be doing the same thing for high-value assets, right? with the box and all that we have been doing this now with dhs for a while but i think there's a renewed emphasis on identifying what those key databases, he systems are, and then building that keep so that we actually put in place the things that we need to put in place to keep that stuff. >> i i would also add to that ts idea that dhs is going to come and put you on report if we're going to does high-value asset assessment. that's not our objective. >> would you put that in writing for me? [laughing] >> absolutely. >> everything that we do is to make you better come help you get better. there's a lot of people especially in the high-value asset program that don't understand that. the idea is not to make you look bad. the ideas to help you understand why the holes are.
11:21 am
if you really care about the high-value asset, if you care about the crown jewels then you need to take not just from nccic but you need to take help from other people that will help you understand where the holes are in your, because anybody has a pin. if you think you don't you are dreaming. >> i would just follow up and the thing always bring up when talking to other executives about the critical infrastructure is i can play over my head what happened in ukraine to the energy sector that was brought down. the of us it was in the networks for months trying to find a way to get into what essentially what it been gap on the other sandwiches were all the control systems were at. they found a privileged user who made his way through and they compromise him and they made their way to the protected area. the weakest link wasn't the one user they were looking for. they were there for months and when they got over they took the
11:22 am
time, set up essentially what they're going to do and wreak havoc. they turn all the breakers on account the power of the if they do that in the united states widow have those breakers. it's all, you know, digital in that way. if you are in your sector in a critical infrastructure private you need to know those kinds of stories and think through could that happen to me. then what you need to know. that sets your requirements that dried sage your business and that's a we're talking about, or amortization of intelligence putting it to use and driving i do you plan for strategy. that's important. it's all on the front end. >> thank you very much. appreciate your time at thanks everyone for your attention. [applause] [inaudible conversations] >> all right. let's give them another round of
11:23 am
applause. [applause] for the people who are stand in the back of the room, are arson seats here if you guys want a seat. there are some in the front row and we can wait a second for you guys to take a seat. no one wants to come to the front. i know how that is. all right, so let's see. our next session is going to be a fireside chat. i'm really excited to welcome these guests. it will be a fireside chat between david hogue who is a senior technical director at nsa cyber threat operations center, and travis reese was president of fireeye. please join me in giving them a warm welcome. [applause] ♪ ♪ ♪ ♪
11:24 am
>> that's about all the dancing i'm going to do. so my pleasure, it's not very often as as a trained interrogr former special agent i get to interrogate someone from nsa 415 minutes. let's see what we can extract. >> no comment. >> exactly. a really boring interview. all good. this is the fireside chat between two ferns, no fireplace. not sure why they called that but to give context, so the audience understands the lens of which you look through, the context that you have and you share what you will share today, give us a bit of your background and your agency. >> again, thanks for the warm introduction at again this is a great venue to see government and industry together to talk with some of the key cybersecurity i'm david hogue, i oversee an essay cyber scooted threat operations center, that
11:25 am
is 24/7 response cypresses operations that cover the entire agency. our primary mission is and classified networks that those over 3 million posts all over the world. everywhere from dia building in washington, d.c. to a network that is protecting three troops and the dog in afghanistan. you can imagine a wide variety of threats we see on a daily basis. in addition to the dod focus we also work with our partners to include john's team over at dhs and fbi. while we can see into the dod networks, the rest of the critical infrastructure, , u.s. government, those are other concerns. we have to be in constant contact with her teammates to say what are you seeing? is what i'm seeing in my space. it's a really great environment to be in. it's fairly dynamic and exciting but you can imagine every single day where working somewhere around the world. >> i can imagine the visibility
11:26 am
is just unbelievable. we have run into you in a few commercial places like sony and a few others. it's interesting when you see the relationships rather working on the ground to help protect folks. want to say thank you for everything you doing for the agency. great relationship that we have. we really do appreciate the trust of partnership. what's would you think about liens and visibility, you can imagine nsa is essays visibiliy from the big pipes and all of the open source and all the other intelligence assets to have and that's what's interesting about a company like ours. we are in 67 countries boots on the ground from the victim's perspective. so to see inside all these victims to 215,000 sensors in l these countries reporting back. it's interesting to then take a look at that lens and start getting contacts of which was going on from a threat landscape perspective. >> certainly. we can identify from a threat intelligence perspective who they're going after and how they may be doing it but having that victim inside information to say
11:27 am
once they are on target here's what you're looking for, or some the actions we can fingerprint. together we can bring in much more holistic understanding. >> given your lens give it your perspective on what you consider like the relevant trends in the threat basket? >> i spoke at a bit less but i'm one of the key points i made was from in essays perspective when not responded to a to respond that as used zero gullibility 24 months. monthly ongoing to double down on the statement. i think a example was a router attacks last week where you 500,000 routers across the world that have been compromised by converted nationstate actor. that was not involved in a seat with a probably. are fully security devices, have a default passwords are now your 500,000 infected routers all over the world and the responses basically you can reboot that you indeed a firmware update. how long will that take?
11:28 am
those routers will be out there for months if not years. it's easy for the adversary these days to take advantage of known vulnerabilities and cause great damage. the second trend is the move to using legitimate services to obscure activity, attribution is very difficult. adversary has the get out let's not the captain obvious and use domain i use yesterday. let's go through a ws are something a can't block to conduct my command and control activity. you are looking for much, more unusual user behavior and large data files and things of that nature. really makes it difficult from that perspective. last, i will say every single geopolitical action has a cyber component to it. you see that whether it's the nuclear framework talk, whether it's economic sanctions, our adversaries are constantly using cyber as a means to find out the
11:29 am
advanced talking points, try to find out what the current negotiating status and i will conclude with a from a domain perspective, cyber is probably the last area in which they will pull back. your reduction, flyovers, may be troop movement that cyber operations seem to be continued unimpeded. they don't really apply to other norms we see in the other thinks. >> i'll be honest i am just saying that statement about not seeing zero days when you talked back a cyber cyber defense summit last year and it shocked me because we have detected about 50 of them over the last i don't know, two or three years. we are still catching them pretty regularly and so much so that in 2015 for the first time we started seeing russian actors really started to go through zero days. that was not normal for them,, like 14 we start locking onto the. we started forget who they were. 15 we started seeing speedy we're leaving this forum
11:30 am
momentarily to take you live to the use senate for a pro forma session. the presiding officer: the senate will come to order. the clerk will read a communication to the senate. the clerk: washington, d.c., may 31, 2018. to the senate, under the provisions of rule 1, paragraph 3, of the standing rules of the senate, i hereby appoint the honorable mike lee, a senator from the state of utah, to perform the duties of the chair. signed orrin g. hatch, president pro tempore. the presiding officer: under the previous order, the senate stands adjourned until 3:00 p.m. stands adjourned until 3:00 p.m. >> senators are in their home states this week for in-state work time over the memorial day weekend. they will return next week on
11:31 am
monday, june 4 at 3 p.m. eastern. it will work on judicial nominations. now we return to our live coverage from the cyber threat intelligence forum in washington, d.c. >> attributions getting a little bit harder. we are seeing that. we've got some of the best commercial intelligence i've ever seen and a come from the government side and it's getting harder for us, especially when we see actors like in north korea and russia, by day they are government hitting the government job, and at night they are stealing money. it's really boring between some of the groups. >> what is your perspective on attribution and importance of that going forward especially given the comment you made all of the other domains in warfare are going to pull back because there are obvious. you can't send troops and and o the art unless you are the russians going in.
11:32 am
so what is your opinion on attribution and what can we do to make sure that we can lock onto that in the future? >> i think you with the nail on had. we have to understand if an actor is conducting an activity where the with a directed by a government entity to do so or are they doing it for the own personal economic incentive or other means? that's really difficult that informs the greater government response. if this is a government directed action then you're talking non-cyber means could be in turn. sanctions for things of that nature. i think we have to work together in sushi and government to have a true understanding of activity from attribution standpoint and we can't be rushing to judgment. we have to be methodical in how we assign blame because of the consequences that will result afterwards. >> do you think we have made any progress as far as drawing a red line from modern nations on what
11:33 am
is acceptable and not acceptable in cyberspace? to think about attribution getting harder and we done a lot of things to try to put the red line. what is your perspective? >> i don't think there's a one-size-fits-all approach as far as red line. we approach things, try different means, the presidential agreement, intellectual property for economic gain, sanctions. it's really difficult to find a singular bullet that's going to work in this case. i think we have to keep being creative and keep reinforcing. there's shortly that behavior we will not tolerate, i.e., the sony attack, the ukrainian attack. the coven has been vocal calling out different types of activity with its videos government or the uk government and he think we have to keep that up. >> given your experience, the
11:34 am
visibly and time you had in government agencies, commercial, using just about everything. what is your advice -- a two-part question. what is your advice to the practitioners out there and what is your advice to leadership in management to help prepare themselves for the threat you talk about? >> from a practitioner standpoint you have to practice like to fight. you look at a lot of your -- the best analysts come from the military because they used to training, use to understand what's would happen before it happens. you can wait until you're in the fog of war to forget how fast can we do malware analysis, who do i need to talk to to load up the countermeasure? you have to kind of work in different scenarios so how fast can you detect an endpoint and i sleep that host? that is especially critical in activity like ransomware for example, where time is of the essence. you've got to fight and isolate that host before the entire network is compromised. from an executive standpoint
11:35 am
it's essential you understand and are accountable for your security environment. the poster child being the ceo find out, testify in front of congress does one person responsible for patching. you have to have a holistic understanding, understand where critical assets are and have a program in place to address any coverage or vulnerability assets exist. you need to be able to communicate to the board and say there's a pci advisor, i will protect it with two factor identification could provide them a risk in these types of different environments. >> from the dod side, we try to use those approaches such as training. basic administrative training in which were flying troops in and out of combat situations. that's a mission-critical cannot fail network for us versus more of an administered network. we're going to have different
11:36 am
policies in place. >> so what keeps you of that night? would you think about though worst-case in a what keeps you up and what are your perspective of top challenges, top opportunities? >> one of my top concerns is best that we spent 76 billion on cybersecurity last year and can anyone say we're getting better? again from 500,000 routers being compromise last week, the wannacry. i think there's been a real rush to market. that's an incentive right now. it's hard to incentivize security along with the rush to market their way look at things like the iot environment, i am worried we are going to continue to see more devices attached to networks that raise the risk profile and have unintended consequences. so that's definitely a huge
11:37 am
concern is getting better instrumentation of confinement from these devices that are getting constant plug-in and their only designed to live a few months. they don't have any security controls baked into place. >> you sleep pretty well then. when you live in what will we live in everyday when you wake up and use organizations getting preached every single day, he start becoming a little numb to it. it's an everyday occurrence. what most people see in the press in the media, it's like 2% of of what we see every day. so it's an interesting sort of perspective when you see day in and day out organizations that have spent a lot of money at a lot of time and energy to secure themselves still get bypassed. i just was at the conference and hate to say this, i shouldn't say a public about i go to that conference and want to leave the security industry every year. it is the most broken industry would you think about it from a vendor perspective. there is no one incentivize to fix this problem. people build a new widgets,
11:38 am
deployed new widgets and we do it in cycles because someone in silicon valley has an investor. if you look at the economics of cybersecurity it's all broken. we can't sit here today as a big of an agency, big commercial enterprises and vendors and partners and not realize over the next decade we better figure out how to solve this problem so security gets cheaper. that means this got to partner better, break the silence done. i can't believe and they come from the u.s. government, i can't believe how many silos we still have in the united states government. it's amazing to me if we put the economic might of this country together we would like this problem so fast. other countries heads would spin. we can't get out of her own way is a problem. we've got to challenge ourselves. we really do. fortunately, we've got great technicians and great folks inside of all of these agencies who in my opinion have the right mission in my to protect the citizens, protect the departments. we need to look at that path
11:39 am
forward. >> give me your break what is the path forward look like to you from cyber three perspective? >> from it in a safe standpoint we are excited because in too much would move into the integrated cyber center overrun fort meade. that's a brand of $509 billion dollars building which will be co-located with the new cyber command conducting joint services operation. it will become the focal point for the intelligence community. it's a beautiful building, 53rd tv screens that will make jerry jones a a jealous. natural light coming in. have you ever been in a a washr that has naturalized? it would be amazing if early capacity and scalability standpoint, i think we are going to be the mark on the wall for others or hopefully going to be from a 20 for some perspective in three to five years. with a great opportunity to inform and influence as of this buildup their presence. we have an opportunity. if we can build a global 24/7 real-time awareness that we can
11:40 am
instant awareness of the next wannacry, and we can provide that instant guidance, aware do so if we can propel these, and personal attacks and we continue to seek. >> outstanding. i think that was the five and nine dollars building was the recruitment pitch. if anyone wants to go to nsa, sounds like the building will be far better than fireeye operations center. all good. i get so much for your service. what you think your agency for the trust of partnership and every thing you can our citizens. thank you. [applause] >> thank you. thank you so much. let's give them another round of applause. thank you, gentlemen. [applause] >> so i'm really excited to have our next speaker. he is here from indiana pick is going to be talking about building an integrated cyber operations platform picky the cio of the state again. please put your hands to give
11:41 am
and give a warm welcome to dewand neely. [applause] ♪ >> thank you. thank you very much. thanks for allowing indiana to have a place here today and talk about kind of what we're doing here. as i was thinking about the question here from my presentation here, what is an integrated cyber platform, i thought i would start with an answer that if i had, it is up to me and the staff team that her work with what had the perfect world this is the answer we would come up with. i think it was rod turk two sets of the same thing when he was type of here's what we want to get it read the silver bullet. this is the definition and
11:42 am
subsequent the system we're all looking for. we been told it's out there. indiana is still looking for it. i have a hunch there is probably a dozen or so folks in her that will catch me in the networking break and say i've got your tools right here. [laughing] so i'll be looking for that. so i want to talk about what we doing ned and i thought i would set that the landscape for dealing with in indiana. i know in all states are the same in terms of how they do their support for the day-to-day operations around i.t. in indiana we did go under a massive consolidation run the executive branch in 2005. that was the entire executive branch and 100 100 plus agencis under one roof, collapsed six or so data centers, , ten plus infosystems, 13 domains, all that jazz down to one data center and one recovery peace. we did realize lots of efficiency for the governor at that time, saving dollars around
11:43 am
i.t. with economies of scale and maintenance, but we increase the complexity and the number of different profiles that we had to protect from a security standpoint. now i have come i don't have all the fireworks and network devices in between the agencies. they are all under one roof and i have one agency that can't work in the light of business at the less -- two years behind. that's closing the wrist for all the other folks. so the complexity now, the things we have to protect is much greater than it would have been. and some tried to think about how i can talk to the summit indiana perspective and i am by no means a cybersecurity expert. so you may disagree with some of the things i say i am a cio, not a ciso but i do understand the importance of this and how it relates to state government and protecting the reputation and the data from the citizens.
11:44 am
i am very close with my ciso. we talked quite a bit. actually he lives right across the street from me. that was not a mandate. that was just happenstance, but we all this he talked quite a bit professionally in the office and then probably we talk more often after hours with sigar's and bourbon. as we talked to our challenges and things we go to, we looked at this questionnaire and said how do we get to where we were there we like to look at and would like to steal can look for best examples and ways to do things and take them back to see how we can incorporate in indiana. we looked at mitre and very quickly we agreed that three areas were to focus on on this platform is people process and technology. it just so happened that number five, six and seven are three of the core strategies on their ten strategy for world-class if we
11:45 am
fail in all three of those. i want to talk about kind of where, when we found that out l on those, what lessons we learned and how we move forward as we built this together. and so favorite staff quality over quantity, we failed in this one pretty miserably. when you look at the problems you're facing and cut all the threats we did approach this with hey, let's go some more hands at it. we said let's bring over folks from operations and with him on the security team. that's got to be a good idea. they know the operations side. always have to do is teach them the security side. and what we found is that we had more hands in there, but we had no way to prioritize or identify what work they should be doing. so a lot of activity but it was a moving the needle. wasn't driving down the risk the way we need it to go. we realize very quickly that not
11:46 am
only were we favoring the quantity over quality, we were also trying to these people to solve a problem with our intelligence and power tools. as i put this code appear for mitre because something resonated in the past couple years when we were working amongst the teams that one of my ops guys, or security ops guys had a statement in one of her belief that i had not heard before in all my years being around i.t. and practitioners it and that statement was, hey, we put in this new tool and i got to tell you, it was like we just added another engineer to the team. when you do something like that from your practitioners, you get a little bit excited because you are thinking hey, we might be doing something. we might be doing something right. those are the kinds of things you want to talk about. you don't want to also will take more of your animals time for the attention away from what
11:47 am
needs to be. the wintry things like that he kind of know you're going the right way. we have refined our focus on looking at how can we add virtual hands, virtual bodies to those teams and making our teams more effective that way. second core strategy we failed on was maximizing the amount of technology purposes. i salute put what does this mean? as we did know honestly. we thought it meant taking vendor a product and let's take that an entire suite and just threw it in and scored work the way we want it to work. and what we found is that in the end we would've been better off just buying one piece of the, maybe even just fine av and putting all of focus and efforts on tweaking that, to me that and didn't getting it to where it needs to be, and we would at least have been able to check off some
11:48 am
boxes to know where going down the right direction. without is we got caught up in try tried to make all these things work together, these lifecycle integrations and they are honestly more complex than we were as a team. so that took some humbling, some addressing our shortfalls of being more humble in approaching this more strategic and said hey, this isn't the way we needed to go. so instead our new definition indiana for maximizing the value is being strategic for what we do and make sure we're doing something for a reason, not just because it's a full lifecycle. we've adopted like many of you, adopted the nist cybersecurity framework. we have certain areas and that we want to go after pics of maximizing value for us noticing which piece of the framework are we going after now? what are we ready for? and let's find the right tool for the right piece of that tool
11:49 am
that is going to meet that need for us so we can check that box, and let's focus everything on that and move on from there and not try to boil the ocean, per se. and then number seven issue, exercise discrimination in the data together. and usually talk about the ever infamous sin that i have certain feelings about because it always promised to meet the savior and i feel we spent so much time and effort trying to make this technology work pick some of things we discovered along the way that has gotten us further down the path is starting with the number one, not trying to throw every piece a bit of data and center data we have in the data center and around there into that system that we thought that was the magically, just get all into and is going to show us what we need to know. what we found is we kind of
11:50 am
choked the system. we can't keep up with all that. and there's so many things going on as you're trying to tune that, it's almost overwhelming in getting the amount of things down to make it palatable so people are becoming, the different things and it's just not being effective. we backed up on that john should go after specific data types based off what we want to do, what are we trying to solve? let's bring one datatype. let's tooted, if the correlations we need, get the alerts we need to first and then will we'll go on and add that next piece. second issue is ongoing maintenance and tuning. the operations guys never leave anything alone in the data center. there's always some new system getting turned on. there's some updates going on, os updates are things moving back and forth between firewalls and stuff. when you talk about keeping track of your assets, we went
11:51 am
with it such a way to automate this company to enrich that data so that we know exactly when things move and when things change. and again we found that some of the limitations when you start pumping that enriched data to track that automatically used to losing some functionality and efficiencies from that tool. and so take a step back we modified processes better to account for kind of that shortfall and we do more if automation on the asset cbt peace but we do manual processes in between to kind of keep that david keating and making sure that device is going to do what we need it to do and react in a result amount of time. another key area we modified your when it comes to the siem is we're trying to use one siem for everything. and i think out of the gate anyone brings into siem for a
11:52 am
compliance piece. by the very nature of compliance that's when you start getting into these very large data sets and a lot of data that then kind of makes the siem somewhat unusable. and so after banging her head on that for way too long, we decided to split these things, you know. we need to have complied so let's just let a device due complaints over. i know it will take a lot of data and it will be slow. we know it will take forever to get the alerting and collation when it but that's okay, it's for compliance. they will get it when they get it. and then let's focus now on having a more flexible, efficient, faster to event for this technical defense or hunting piece because we know exactly what we're looking for all those things. you only want the data sets that are going to kill you about your key risk, the ransomware. you can throw your coined light in there, suspicious activities at that digit a lot more
11:53 am
flexible now working with only those limited data sets to where you can get the time information you need. you can get the proper correlations and you could make sure you're not getting distracted by all these other things. lastly on the storage side, with security, intelligence and you shall talk about trying to get to her predictive state, there's a big correlation between security analytics and data analytics or data science pics i put this in a specifically because in indiana we've been able to explore and do some things around data analytics and data science on the human population, health and human services area. and the architecture that in place for those types of systems are tuned and they are use case specific for very large data
11:54 am
sets that have to have algorithms run across them to produce these addictive analytics. that technology basically is what we're trying to do when you talk about security data and trying to get at least somewhat ahead of the things you want to get ahead of. i say here challenge your operations teams to not box your security teams in to just what we have available for the agencies user or for the other entities of the organization. instead make a look towards building architectures that mimic more of your data science, data analytics practices and let that be your storage mechanism and your captures so that you can get the increased flexibilities and the efficiencies and just the more advanced capabilities that you get from data science operations. and so to bring it back around to the question, a more realistic response here is, you know, what is an integrated cyber operations platform, and
11:55 am
for indiana i think we ended up saying it is a bit of a shell game. i think you really have to be focused on what's the problem you're trying to solve, what outcome do you want and then let that drive where you want the data pieces to come in. how do you want your team, purity itself with the analysts, how do you want to organize? what do you want to looking at? that will help drive the tools they appreciate, the tools that they want and make them more effective in their job. and so those are just three of the areas that we kind of failed on, three core strategies that are helped by realizing that and changing that and trying to address it i think helped us move along to get a little closer to finding that silver bullet that everyone is looking for. so thanks for allowing me to
11:56 am
share, and i think that is my time. [applause] >> let's give him another round of applause. thank you, dewand. [applause] all right. and with that i'd like to welcome everybody to lunch, and we will meet back in this room in 45 minutes for a couple great keynotes, and looking for to send you back. enjoy. ♪ ♪ ♪ >> this cyber threat intelligence forum hosted by fedscoop and fireeye in washington, d.c. will be taking better 45 minute lunch break. until the return we will show you some of the speakers from
11:57 am
earlier today. >> all right. we have 15 minutes. haven't started yet. i'm going to try to get to the last 40 years in 15 minutes. should be pretty easy. the way i decide to do it is to tell a story. this is the evolution of cyber domain to the eyes of a middle-aged guy. who grew up in texas. if you think about the '80s as a rolling into the beginning of the time when we're going to cover, start off with a bank the soviet union had gone into afghanistan in 1979. we boycotted their olympics. they decided to come to ours, and miracle on ice, 1980 alindathe u.s. completely shocked the world and beat the russians in hockey. the other big bang was jr was shot in march of 1980.
11:58 am
one of those popular shows in order what is going on behind the scenes was a quest for intellectual property. the soviet union was trying to keep up on the economic front, do they need western innovation to fuel their economy because they were in desperate straits going into the '80s. the war in afghanistan was draining their funds to call the cold war battles was during the economy and they are trying to compete. they are trying to gain access to intellectual property the same way the chinese. what do we do back at the time is reported newspapers, set up a false front with french, sold faulty software. they deployed in the infrastructure created the third largest explosion ever seen from space at the time international gas pipeline exploded. that was by the nagasaki and hiroshima. that was digital creating kinetic effect, roughly 40 years ago. 1984 i move over to economics.
11:59 am
december needed beer money. how was i going to get a? i had three weeks left in my little venture there and british telecoms privatizing. for the time of right to disclose have got to get away to get involved because it was well transfer mechanism for working class. the most capricious fate with 2000 bucks. the appellant was almost one dollar back in. however going to get my hands on the money. i had this image credit cart my parents gave me. an american express card. i said how can i get some cash on this them apparently not going to know about it for a while? they said if you take cash out, if you tell me whether bank is in dollars, we will give you the money and then they will take it out of their account the next couple of weeks but that's the only window i need. got cash, participate in privatization, tripled my money, sent the money back to their account before ever hit the account. huge latency in the financial system. they are creating customer
12:00 pm
convenience at a pace before they figured out how to secure. then comes the crash of 87. i'm i'm working on wall street, we were solid portfolio insurance back at the time. we go to solely with a $3 billion dollars pension fund and say you have $3 billion of equity exposure, if it goes down with gotcha back and we will ensure it. if if it goes up you keep everything. you just pay the insurance premium. .. it creates a gap. at the end of this decade which shapes the future, in
12:01 pm
1989 they began to collapse of the soviet union. here comes the '90s. there was a need for speed the information superhighway, everybody was trying to figure out how to get in on building this information superhighway. they wanted to create a digital infrastructure for innovation. we weren't even thinking about the consequence. what happened, when the wall came down and the soviet union collapsed was a superpower of crime was born in russia. the former soviet union countries were out of money are now unemployed trying to feed their families. as were creating this digital infrastructure you're creating
12:02 pm
an opportunity to exploit it for criminal gain. these are real focus or shift of this tech industry thing how can i make money through this thing called the internet. as we remove all our commerce online, online banking, the latency is out of the system. digital commerce is online in the world is beginning to change. going back to the wall street piece, we used to sell atm networks and all these different bandwidths being deployed. you would send one trade out and you'd said like this to go indiana second for this to go out in minutes and you would pay how fast you one of a certain trade to go because you're trying to beat other folks based on speed and pace. the speed became the game in 1999. that's at the way for the 2000's. this was a decade of pain when you think about it. what a decade we went
12:03 pm
through. it starts off with crash in 2000. bush comes in the office and all of a sudden you have the markets tank. with all that innovation, all the expectations, it created a huge run-up in stock. huge expectations but i remember meeting with folks who at the time were retired and set i'm just looking for a safe return saul put it in cisco and dell and let it roll. they got a lesson learned on that one. in crash followed by the towers coming down, geopolitical energy is surging. the globe begins to change. the world is at war on terrorism and a lot of things are beginning to shift in the way we looked at the world and the way the world looks at us. in that age we moved on to the crash at the end of 2001 and in the world really began to
12:04 pm
reshape. everyone had their eye off the ball in terms of what was happening. there is so much going on around us from crash to the towers coming down in the telecom crash moving into the great recession. if you went to a bank in 2008, 2009 whose losing half a billion dollars a cybercrime and said hey, if you use this capability we can understand exactly how the adversaries targeted you and figure out how to build counter measures and protocol and we can work expenses out of your system. the response would be i just wrote off $10 million in bad mortgages. it just pales in comparison. everyone's focused on the economic collapse, the cyber domain was ripe for the pick an and. people were driving a truck threat from foreign nations
12:05 pm
and stealing money and adversaries injecting their ideology through cyber campaigns, we were wide open, exposed and taking it without even focusing on it. the 2000 gateway to what were looking at today when the stakes have gone up. if you look at the last decade , cyber has really been exposed. what happened in the start of the two thousands with the eclipse of cybercrime taking over the narcotics trade as the most probable form of organized crime in 2009 as reported by the fbi, we have now given way to this huge dark economy that lives and thrives in our cyber domain. all the advantages we've used was being exploited against us
12:06 pm
and created the largest transfer of wealth from one sovereign nation to another when the chinese had taken her intellectual properties force and shipped them across the border. we see back to 82 and against the nuclear capability, but you also saw aggressive campaigns destroy and disrupt operations pretty begin to use digital campaigns to create genetic effects. you saw exposed china activity for the first time. they created an awareness level in the world, they
12:07 pm
started to realize it was real, not just this black magic, it's actually happening right in front of it. we move into economic consequences against north korea. you can create a rogue nation into a bank robber. from the cut off the opportunity to do it in objective ways will do it in nonobjective ways. you now see crime take shape for funding those types of initiatives and in the prior decade when al qaeda was being disruptive, a lot of times they had manuals on how to fund their local operations. local cybercrime try to fund their tarif terrorist
12:08 pm
organizations. criminal activity has always been associated. that's just a means to fund something. move into the elections and that's pretty obvious. [inaudible] when you see the open democracy under assault it reflects a really big change. innovation that we have exposed and exploited to our economic advantage over the years, the innovator of how you exploit that has always been the bad guys around the world. it's our only way to effectively compete. the security cap that kevin
12:09 pm
referred to will always be there. the best thing you can do is shrink the security gap and create new technology. we are tracking the adversaries as they say here's how are going to exploit it. we need to build innovation to protect our environment at the pace of their innovation. kevin showed the first chart, not the second chart. he gives way to stop hacking your environment and will just go acquire it. at the same time you see an inverse relationship and acquisitions taking place with china acquiring intellectual
12:10 pm
property. prior to the trump administration they blocked acquisitions three times. three times since the trump election you had block eusebius to block technology transfer. were basically putting up the shield to say wait a minute. you can't acquire intellectual property and then use it against desperate and that's a right or wrong, but that's just what is happening. this could create a shift back to where we get it from other means. geopolitical activity will trigger cyber consequence and it will going forward.
12:11 pm
what other tech megatron's around us today? every smart house is going to be a smart house. hundreds of sensors. adversaries are looking at all of these megatron's. the only way that translates into proactive security is
12:12 pm
having intelligence drive your entire initiative. the only way you can attack security in the future and it's a way to do business for security. thanks for your time. that's my 15 minutes. thank you. [applause] >> let's give him a round of applause. thank you. [applause] next we have the deputy of secretary for cyber community and indications that dhs.
12:13 pm
please welcome rick. >> of morning everyone. i appreciate the opportunity to be here to talk about what were doing inside the department of homeland security around information security and sharing and threats and that nature. as i was listening to the introduction. the headquarters operation that the cyber security organizations attend. we look at the physical asset-based protections and the other side is looking at
12:14 pm
from the cyber protection which is what we do. we made some tremendous progress with regard to what the department of homeland security is doing inside cyber security. the threat security is becoming more complex and crowded. well that's happening the adversary capability are becoming more complex. the way they're getting in the exploits are not. the tactics they been using for a long time, we see vulnerability scanning for unpatched systems and things of that nature and spearfishing. i think the last report i read was anywhere between 80 and 85% of the attacks that we are seeing are being caused by
12:15 pm
those simple vectors. what were not doing his imposing costs on the adversary. how do we do that? how we impose costs on the adversary so that we can make sure they are spending time, energy, effort to cause the intended effect they want. and really, if you're in industry or in government you are a hard and yourselves so they look at you and move on to the next business. as was pointed out by john, the attack surface is also growing exponentially. i think the report i said is in the next couple years, each individual will have between six or eight devices that are connected to the internet. that just makes the attack surface kind of go out to infinity and this is across government and industry and
12:16 pm
individuals. what are we doing about this? when i say we, i mean the collective we. this is a team sport. this isn't something that the federal government is going to do on our own. it requires strong, robust partnerships, engaged partnership and it security firms and partnerships with their international allies that have the same behaviors and norms and objectives for secure and safe network and internet. we also, with regard partnerships, we want to make sure were partnering with the state and local community as well. we take our partnerships very seriously. really there's two things inside our organization that underpin everything we do. from the capabilities of response and vulnerability assessments in testing and our
12:17 pm
training and exercise that we do on behalf of critical infrastructure and partnerships and information sharing. we work every single day to try to build our partnerships and strengthen the partnerships that we have. we do this through formal, large, robust government partnerships where we sign memorandums of agreement and understanding with different companies to open up the information sharing channels. we also want to do this informally. we want our analysts to have relationships and be able to elaborate and coordinate with analysts in the private sector. the private sector of the it security firms are presented here and those that are not see things differently than we do. they have different visibility than the federal government does.
12:18 pm
were also getting information from our international partners as well as the intelligence community that maybe the private sector isn't getting. we want to take that information and at the end of the day get the technical data out to the cyber network defense community. at the same time want the private sector to share what they are seeing as well. we want to get that technical data out to the cyber network defense community so we can secure and make our networks and the internet more safe. we can't do this on our own.
12:19 pm
it's really about a culture change. i was just over in the uk talking about culture change. there's usually someone at the front door secant normally drive up to the building, even at the 711. those are all deterrents. we don't have that on the cyber security side. we don't have that visible deterrence and culture of security. for the most part we don't. whenever something happens on the physical side, of virtual
12:20 pm
is looked at a threat. whether it's local, state or national. the entity isn't looked at as the victim. there looked at why don't you protect it better. how do we change this culture? this starts with partnerships, it starts with sharing information and making sure whatever information we have within the federal government were getting down to the lowest classification level and sharing it as broadly as we can. that doesn't necessarily mean we shared out to the public at large but we do have
12:21 pm
communities of interest. we have private-sector security clearance program where we bring in certain folks to read them and make known what's really the threat landscape across industries to get them to pay attention. earlier this month the department of homeland security released cyber security strateg strategy. there's five strategies that underpin that. how are we protecting the government systems and networks as well as critical infrastructure, threat reduction, what are we doing to disrupt criminal activity and criminal use of cyberspace
12:22 pm
and consequence management. how are we responding to cyber security incidents. how are we improving in the department of homeland security. were trying to protect the program and industry to get the bad stuff off the internet that we know about. and then, how are we making security, how are we making them more secure reliable. all of this goes to how are we collectively doing this. we've got three priorities.
12:23 pm
right now we have about 300,000 security across our nation. there could be over million in 2026 across the globe. what are we doing to engage k-12 then change our hiring practices and our human resource apparatus so we can bring on cyber security talent and keep them engaged. we can't do this alone. this is something we have to work with industry. you guys are facing the same challenges that we are. obviously you have some different incentives you can put on the table. how do we, so we can have the
12:24 pm
skill and talent at the ready, to take on this mission. the second is driving down risks to our critical infrastructure, owners and operators so we can make sure were looking at supply chains and we understand what supply-chain risks are. we have to cover down on those risks and it seems to me when i look at supply chain in any supply chain, it starts by supporting a medium-size business or large business. it's not enough to just do perimeter base defense for a critical infrastructure asset. we've got to evolve past asset-based protection, we have to look at critical services and functions and
12:25 pm
those that underpin our national security, our economy and public health and safety. the last piece is collective defense. this is premature been talking about the entire time i been here which is this collective defense idea at how do we get the entire nation engaged in the cyber security mission. we can't do it alone. we have one of our flagship programs is the automatic indicator sharing system. we are trying to share in the skaters at machine speed. we are sharing them at machine speed. since 2016 we should about 1.8 million unique indicators. those indicators are coming from our international partners. we have 11 international countries hooked up to ais. we also have all of the departments and agencies in the and several hundred private-sector entities as well. we also have information sharing and analysis centers and other organizations like the cyber threat alliance that are further sharing those indicators throughout their partnerships.
12:26 pm
what we are not seeing and what we would like to see more of is the private sector sharing back into the automated indicator sharing system so we can again push those indicators out to the broad cyber network defense community so we can get what we know is bad often networks. we are making some changes to the automatic indicator sharing system to provide more context. there will be sightings that will be available c can understand the quality of the indicator. we are doing this is a direct feedback from private-sector. we've listen to you and her jew and were making those investments in the sharing system. we will continue to do that. we need your feedback so we can make sure that system evolves and keeps pace with what we need too. and then, we also are looking at how do we automate defense?
12:27 pm
this isn't something the federal government can do. something the private sector has to do. this is really the private sectors lead, how are it vendors putting out different devices, how can we compel them to automate the security in those particular devices? the market is going to have to do that. the individuals in the companies and governments that are buying those types of devices are going to have to demand that that happens. as i say, it's kind of a little bit funny but it's kind of true, don't make my mom turn on the cyber security feature on a wi-fi router or the iot devices. make her have to go turn it off. she doesn't know there's a default password in her router. she doesn't even know what a router is. we've really got to get smart about how we scale security in this mission space.
12:28 pm
we can't do it alone. it will take the collective group to put in place a robust, collective defense for cyber security. with that, that's my time. thank you very much. [applause] >> let's give him another round of applause. thank you. our next speaker is here from new york city. we are really excited to have him. he will, the name of his talk is new york cyber command, governments role in protecting citizens and the economy from cyber threat. he is the chief information scary officer of new york city. please put your hands together and welcome jeff brown.
12:29 pm
i do have some prepared remarks. before i get into that i wanted to thank you for the warm welcome. i want to say it's incredibly humbling to stand up in front of a community that i really zero a lot of thanks too. thanks every single person in this room who is involved in the mission. we all know what the mission is and it's absolutely critical to the defense of this country that we all love. i also want to say special thanks to kevin and john who have already spoke today and their company that they build is an credible partner for new york city and has been pivotal to me professionally in my own success and the success that i represent in what were trying to do on behalf of our city. also thank you to rick for the great partnership in the work being done with dhs for some critical things that i'll talk about today. again, my name is jeff brown.
12:30 pm
i am head of new york city cyber command. what in the world is new york city cyber command? let me talk to you little bit about that. this is sort of setting the stage for remarks today. we all know new york city, a global leader and absolute presence, not just here in our nation but in commerce and all those great things. new york city cyber command created, on july 11, 2017 by mayor bill diblasio who signed an executive order 28 which is charging with leading the cyber security efforts across or than a hundred government agencies.
12:31 pm
you can imagine all the critical things that are provided to new yorkers each and every day. the story, pd, fdny, sanitation, finance, all those things that make the city run makes up that city government. what makes our approach unique in our city, there are a number of duties and authorities that are vested in the cyber command but i'm going to give you a couple highlights. what you see in this slide breaks down this elegant two-page executive order. i encourage anyone to read it. were very proud of it and it's not a long read, is just two pages. let me highlight a couple thing things. this organization can mandate that appointment of technical controls that we centrally operate, giving us the ability to see and respond to the 500,000 computers and various ways that make up the technical landscape of the new york city government. not only can we say these are
12:32 pm
the technical controls that will put on these machines, we will operate those controls which is very important to centralizing the mission. another highlight we can review is cyber spend. when it comes down to it, that allows us to make sure were unifying the effort and how we pay city dollars. we do report directly to city hall. to use this term, it's certainly a boardroom issue. why is this important? why are these authorities and duties important. the executive order signals are cities recognition that needs a center of gravity
12:33 pm
across environments. you can think of these hundred plus agencies as separate businesses that have been around for over a hundred years and have invested in various infrastructure and technology projects. to be able to say what other things to do to be effective in cyber security, you can have every agency doing their own thing and trying to map that. you have to have unification, your technical and administrative controls. you can really conceptually think of cyber command and we are accountable to city hall and the new yorkers. we are leveraging best in class solutions with partners. since we are and full build mode were actively building this team today and how we use
12:34 pm
technology and processes using behavioral approaches is. were not afraid of the cloud. we even have a slogan in our front management space is as guilty until proven innocent. we can take action swiftly and not wait for the investigation. underlining. [inaudible] it's a realization that are city has a responsibility that new yorkers depend on for their society to function for these are core areas that is completely interwoven into our city. new york city has no choice but to be responsible for the cyber security of these functions.
12:35 pm
these functions are the very lifeblood of our city. where we going? we have a lot of important work in front of us. i'm not naïve to the fact that the mission is not completed. there are many critical gaps still to fill. i think everyone in this room will be in a similar position. the city now has a team dedicated to this mission and resource according. as you can see it spans a variety of issues. i'm addressing you today to signal the growing prioritization of cyber security in the public domain. now i want to give you a way of thinking. it really goes to something my wife always tells me, if you're going to be late, tell me you're going to be late and i fail at this quite often unfortunately. i really do. when it comes down to it,
12:36 pm
every day i wake up and i will work to succeed in that critical missio mission. i don't accept it as inevitable that i will fail. i don't. i fail, but i don't accept it. i think in our industry, sometimes we have to be evaluating carefully. i think sometimes we aspire to manage the risk of cyber threats but not to defeat them. we aspire to protect our enterprise and we built incredible silos but do we aspire to protect the community and how do we define a community? are technology providers and partners which do great work like protect their clients. how do we define client? usually a client is someone that is contracted and paid. when i think about the word cyber security, i know to change the word cyber to represent technology and the interconnections of our
12:37 pm
digital life and the word security which represents resiliency and reliability against the people out there who are trying to disrupt our way of life. we must approach cyber security with the understanding that a threat to anyone person or organization, business or government as a threat to all of us in our way of life. events in previous years have shown the consequences are very sobering and real. when we were talking about critical services that we rely on, it's that much more sobering. if our purpose is truly to be involved in securing the digital space, then time is now to move beyond the silos and move toward public safety defenses at scale that meet the public's right to privacy. we should not decide in advance if this is possible. we should accept the challenges as our obligation in this mission. what i've just covered is really some of the formative thinking in new york city. we decided to confront us and we started by first recognizing our role in the
12:38 pm
primary responsibility of government to protect its citizens to deter crime and respond to emergencies when they curb. safety to us is an essential service. we therefore have a responsibility to bring that commitment to cyberspace. mayor hilda brazeal initiated his journey in our city on march 29 with the announcement of new york city security. he said, our streets are committed to protecting new yorkers into cyber space. we ensure the most protection efforts to help new yorkers defend themselves online. keeping with the mayor's vision of digital equity across all five boroughs they have fundamentals that cyber security is a public service.
12:39 pm
we must work on behalf of all new yorkers. too often the only people and businesses that are defending are those who can either afford to pay or have deep technical knowledge but this not going to work when everyone is walking the streets with a powerful computer in their pocket that they did and on for everything in her life. two, we believe cyber security does not need, the cost of public privacy and therefore we are building solutions that are technically provable to respect user privacy. so, with this, what are we doing? increasing public awareness. we are committed to promoting awareness and advocating for the widespread adoption of those processes. we will educate on cyber cyber-hygiene, literacy and technical tools we offer under the program. it will begin in earnest with the media campaign in the city this summer. we're also making measurable technical difference by adopting tactics that are technical and produce a reduction of cyber risk in our state. for example, the strength in our mobile defense will make
12:40 pm
available for any member of the public a free threat detection at for mobile devices engineered by the privacy of its users. too any new yorker who is interested in this app can go to the app store and download it. to the protection of the wi-fi environment in the public spaces they are working with nonprofit level cyber alliance to deploy dns protection across all city-owned systems. if you think of the city-owned systems, these are the public spaces were new york provides the public with wi-fi. they believe our responsibility simply is to help you stay safe when you're using something we give you for free. we think other providers of free wi-fi should avail themselves to similar solutions. there are solutions that will help people not get that website that's only their by victor to victimize them.
12:41 pm
that proprietor should think very closely about whether they should do something about you being victimized. we know these measures will enhance security and privacy because we will keep the bad guys from invading the privacy. we are not collecting the data. the city is not collecting the data with these initiatives are starting to give the public a fighting chance with their own data. we also strengthen partnerships to help increase the city's resiliency and we already partner with nyu to support their new affordable masters degree program in cyber security. we recognize these are our hour and initial steps. we have to continue evaluate our technology and get more precise. we had to build new approaches as new techniques emerge. we are counting on them. were challenging the industry to give you a giant company or
12:42 pm
brand-new startup to build something. we're challenging the industry to build up solutions to scale to our great city and help all new yorkers defend themselves online and fully protect their privacy. new york city believes that a strong, safe, fair and prosperous city depends on securing the digital space were so much purpose personal and economic activity happens. we hope the initiative will start a public discourse on how you can take action. all of us are deeply honored to defend the infrastructure and its assets and help new yorkers begin to protect themselves online. in closing, make no mistake, in new york city we are really having a conversation about the role of government in cyber security on behalf of its people who walk it streets everyday and if there is an event that impacts those services that they rely on, those critical services and it
12:43 pm
hits home, not necessarily in the big towers and skyscrapers but hits home to every legal person who expects they can conduct their lives in any way they want on our streets but i want to thank you for your time and we look forward to listening to everybody as the day proceeds. thank you very much. [applause] let's give another round of applause. thank you jeff. i am excited to introduce our next session. the topic is under pressure, effective and half fast and incident response. we've got some subject matter experts on this topic. i know couple of them well. we're going to welcome
12:44 pm
mr. carmichael, brad who is a senior vice president at booz allen and our moderators who is the vp. please give all three of them a warm welcome. [applause] the goal of this event is to look and feel to attend event. that's a high bar were trying to meet and trying to keep the energy up. i think we have an interesting topic. we're going to dive right into a few key questions on how we can use or leverage intelligence to better pursue the adversary and get an advantage, leaning on what jeff talked about, how do we
12:45 pm
not only think about defenses but prevention as well in cyber and with government systems, data and critical applications and assets. let's start with you based on our knowledge of threats and threat trends. they focused on government and where do we anticipate potential risk areas we need to focus on across the government space. >> first well, before you get me started, little bit about my background. i run a team of responders and i've had the opportunity to work on over a thousand investigations. one of the things i've seen over the past few years is a significant increase in the disruptive attack that threat actors are causing. any breaches to disruptive.
12:46 pm
what i'm trying to talk about is the threat actors that are deliberately trying to destroy systems and take businesses off-line, publicly shame organizations, extort them, release date of a stone from the environment. what we are seeing is this increase in that type of disruptive activity and for a lot of organizations that we work with, they're dealing with that type of activity for the first time. they're probably pretty familiar with the typical data theft breach scenarios, but dealing with extortion for the first time, this is quite challenging. the biggest challenge is figuring out whether or not the threat actor has access to the data and the systems they claim they have access too. for every real threat that's out there there's five other actors trying to scan someone to get access to information. there's an opportunity to share lessons learned from dealing with these threats and extortion and there's definitely a really good opportunity for organizations to be able to better prepare for it. >> any other thoughts. >> the past few years we've been dealing with a lot of
12:47 pm
wind somewhere attacks, but one of the things were starting to see -- >> we resume our live coverage as they return from their lunch break. this is taking place in washington d.c. >> i'm really excited for next week to take the stage. we've had a lot of requests to hear from him. he will be talking about cyber security, way ahead for the army. he is the chief information scary officer in the u.s. army in please join me in giving a warm welcome to major general garrett e. >> i'm sure you heard a lot from tom and chad and maybe
12:48 pm
you had to request, but thank you for making me feel important to the. i'm at the pentagon and i'm here to help. that was kind of a joke. [laughter] what a timely topic for us. this is something that is gaining in traction in terms of understanding what that means for us. i do a few high-level messages to put out there. we have some good news. this past year we direct commissioned our first two cyber officers. to first lieutenant's and that was something that's been in
12:49 pm
the works for the well to be able to do that. the criteria is that you have to have a bachelors degree in some demonstrated expertise. maybe a business objective because we just learning how to bring direct commissions into the services. the army has to and will be doing about five year to kind of get it up to speed. any given day we have over a hundred thousand army soldiers. hundred 70000 soldiers serving worldwide today. you hear about the big ones in the middle east but around the globe, at any given day hundred 78000.
12:50 pm
on the heels of memorial day this past weekend, which was quite an opportunity for me too reflect on why we serve and it's really time for me too reflect my share with you that this past week i have a gold star mom with me and reconnecting to her, i've known her for over ten years but the ability to spend time and reacquaint and reconnect and to talk about how important cyber security is for our army. next couple weeks we will celebrate the army's 243rd birthday. [applause] here's a thing. the army spun around longer than the u.s.
12:51 pm
we were founded in 1775. we were founded as a country in 1776. let me talk about modernization. what does it mean? it's a four-star command. it happened because the army has tried to figure how to bring capability to our forces traditionally those of you associated with the services, whether your working in the private sector, we have these organization requirements or acquisitions and by the way we have a whole operational course that's out there. the idea is to bring the
12:52 pm
operational folks together with the acquisitions and the requirements folks to come up with what we need faster. in the cyber world were already doing that. were breaking new ground and the idea is the minimum viable product. you get in the hands of users fast. then you start working from there. if there's some promise potential, work with it. if it doesn't, kill it. i think we do that already quite a bit in this community. in my mind, i think so that most of, the hardware world folks can learn from what were doing here.
12:53 pm
there focused on six of the army's top parities. it's a manageable number. i will list them off for your awareness. for every one of these there is a cyber component to it. combat vehicle next generation, future vertical lift, air and missile defense and. [inaudible] six priorities. six cross functional teams have been stood up to support each of these plus two additional cross functional
12:54 pm
teams. it will make up part of the command. at a location to be determined. that's modernization. as i just rattled off those six, what's that mean from the cyber security perspective for me too those areas i lifted off. the network is easy but everyone has a cyber threat concern. let's talk about the people a little bit. they certified 41 active-duty forces and 21 reserve component cyber teams that will be foc by 2024. they've moved out way ahead to get after this.
12:55 pm
what we found was, at first i recall some years ago trying to figure out how to use this capability. we found out we didn't have enough capability. what that does inside and outside the military is raise the bar for what it means to be a cyber professional. they give you the training and the tools. now are getting the attention of focus and we've raised the bar.
12:56 pm
the third thing i will talk to about will be promoted tomorrow. he's coming back to be our commander of army cyber tomorrow. that's great. i'm about halfway done. they gave me ten minutes. as i said earlier, we are changing the way we view cyber security, cyberspace and operations. in fact, when i came to the pentagon three years ago, it was cyber what.
12:57 pm
we are still very much complian compliant. it was about why we have to do that. then a breach here, a breach their. you know what, we've got this now. we know this was something we need to work with. we will see that, out many different professions. some are more helpful than others, but we get it now. the good news is there is a tension. the challenge is how to channel focus. who's been to the conference? all right.
12:58 pm
i went there last year. 1100 of the sharpest cyber vendors. it's very difficult to navigate through all of it. the challenge for us when we see all that out there, that sounds good, that sounds good, i didn't know i needed that now i only have so much money. how do we prioritize what it is we need to pursue? over the past few years we've developed a few requirements to provide some focus for us. it's awkward to develop a requirement for something in cyber. when you create a requirement
12:59 pm
for future vertical lift, it sounds a lot like a helicopter. or a long-range precision fire, that kind of sounds like shooting something out of the system, right? how much is a pound of cyber worth? we don't know. we have to try and figure out and talk to our ceos about why it costs so much. we are changing the culture. we are doing with the reform of risk management framework so that is something that was on the compliant side. it's supposed to be more of a risk. right now it's very much a compliance hammer over the head.
1:00 pm
we are working to try to reform this sort ask more practical for us to implement. at the same time trying to do all of this, blend all of this with the art army priorities and the department of defense. whatever they do, however we tie it, how do we tie it to partnerships with partner nations or whoever we partnership with? and how we do things differently? how we do things better? : : :
1:01 pm
raise your hand. the public document, submit that the congress. that tells congress how we intend to move forward. and, in fact, it tells congress a alone but how we plan to spend the money. because we're telling this is what we are doing or how we won't spend the money. and i say that it's a good thing if you read that because if you want to know where the army is going, in high-level, easy-to-read, 27 pages this is what we plan to do. so that's on your renewal list. so the strategy we come up with, i got two things for you to think about. we're going to hold a few
1:02 pm
programs that are not working. there's -- yeah, some fans are not so fans. we're going to fix some things to improve our fight capability that tries to locality. and then we're going to give it to new way of doing business. in a lot of different ways in acquisition is part of that. that's the army's high-level strategy. now you are going to repeat after me. halt. try again. halt. >> halt. >> six. >> six. >> pivot. >> pivot. >> altogether. halt, fix, pivot. now you know our strategy. the last part of technology is that we come up with some things are characteristics that we want
1:03 pm
to keep in mind. there's a whole bunch of them but we been able to slip it down to four things so that we can quickly repeat and understand what those are as we go through our day. we want our network to be flat i think you know what that means. we have a lot of disparate networks. we are trying to pull together to flatten the networks. we want to be fast, not just high data rates but want to be able to make decisions faster. we could have the capability that informs our leaders to be quick on the decision-making process, and that's good for us. we want to be mobile. we're getting better at that but we need a lot of help in that area. we want to be protected. that's were cyprus could become cyber threats intelligence comes into play. we thought it was important enough, of the important things to talk about, on a network that needs to be protected.
1:04 pm
so flat, fast, mobile, protected. we will do this again. repeat after me. flat. >> flat. >> fast. >> fast. >> mobile. >> mobile. >> protected. >> protected. >> altogether. flat, fast, mobile, protected. okay good. give yourselves a hand. [applause] so we are doing things tivoli. it's not just a bunch of bumper stickers although they sound pretty good to me. the last time we had to change this paper is like 30 years ago. really, and that was, i don't even know what -- that's a long time ago. i was in the army 30 years ago but i were so new i did know what we were doing at the time. but that was before the internet. that was before bluetooth, before wi-fi, so shamika olivet. so for the army to undertake this is quite exciting and it's
1:05 pm
cool redoing it at this time. since we get to be involved in it. i will just give you a quick, you know, a story about this protected piece. although it doesn't quite fit, i think it highlights the fact that some a we are all vulnerable. about a year ago i got a call from an attorney who said that a friend of hers, you know, was thinking that she is going to marry me and she would give me 2500 bucks. she said, but but i looked youn the internet and you look like a nice person, you seem like a nice person, and what had happened was this person got catfish, right? someone had made of facebook of me. they take my picture, my name.
1:06 pm
apparently i was serious and any 2500 bucks to come home. what happens come hear about it, when it happens to you, you really feel sorry for the person who gave that money up. and so i know a lot of folks get fake accounts made of them and they use that to catfish, and maybe it doesn't bother you but i felt bad so we do facebook and they took it down. now i i checked. i checked every couple of weeks because it's so prevalent. i was home on leave last week in california. my daughter just graduated. she works at tesla, and let me show you what happens here. let me show you how they look. they cut my name into the facebook search line and three fake accounts came up. i've had about a a dozen fake accounts over the past year.
1:07 pm
it was this interesting that right when i said look, here's how you look yourself up, three fake ones came up. send them to facebook and this took him down right away. the one that was probably the most disturbing to me was about maybe three or four months ago and you can do this, you put your face into the search bar of the google and it will like find images of you. i found out i was on a dating site. [laughing] that was an assistant is a fact i do have very hits on that one. [laughing] anyway, but anyway that highlights just how vulnerable we are today. when it comes in to building cybersecurity into whatever capability we are building these cross functional teams and a future networks or whatever, how can we talk about this all the, how do you bake cybersecurity into something, right? part of it is there is just an
1:08 pm
avoidance aspect of it. that's where we have to be able to take, at this point until we get better at what we're doing,, at least in the army, take an appetite suppressant because if you want bluetooth enabled xyz device or you want your wi-fi enabled, they don't need it. then maybe you don't need it, right? so there's a nice to have and i need to have. we had so many capabilities nowadays with you david, internet and things, that we really could put ourselves in tough position to clean ourselves up later on which we are trying to do. especially the medical community. a lot of devices out there, bluetooth, wi-fi enabled et cetera that we need to make should go back to make sure we're locking den. the way to bake it is also avoidance. the rich dad poor dad will,
1:09 pm
whatever that one a few years ago, the guy says hey, if i gave you a car, did you an asset or a liability? some might say i got an asset. but the smart guy would say, the rich uncle would say that's a liability. now i have the fuel of the thing, ensure the thing, pay for maintenance, et cetera. if i gave you a really cool technical capability, , i might give you a vulnerability, right? so as we go through the department of defense and they look at all our infrastructure intersystems, all things that are maybe legacy but we pulled things onto it, that's a cleanup job for us. i'm going to close for spicing face again for inviting me. thank you to our hosts. thank you for a very intended crowd today. partnerships are keeping we say
1:10 pm
that all the time. and how do you do it though? how do you have partnerships? one way, i think, is join us later on in june for cyber request 2019. and that's where tied above, like we are trying capability that we haven't had before. we're trying it out on soldiers that are like brand-new to the army, very low to show it is usable, right? and that's the way. gauges onto those. we would ask for request for proposals our request for papers, throw something at it. that's how you do it. here's one thing we all need to be doing. i don't come from a real traditional staple background but i know a lot of folks in this community have deep intel background, what we need to be doing better is talking, use our
1:11 pm
returns, the say the folks need to be talking with intel folks better, right? and that is a challenge because we go up and one of the two worlds, we get good at that and i'm getting the hook, but the more that we talk together, the more that a thing the solutions that come to us will be better for us in the end. so i ask for your continued partnership in however we do it. be nice to us, we will be nice to you. be nice to each other. and thank you for having me here today. [applause] >> thank you so much, major general yee. thank you for joining us. let's give him another round of applause. [applause] >> i'm excited to introduce our next speaker. she's going to talk about cyber threats to veterans health care. something that i know we all care a lot about, very interesting topic as well. she's a senior analyst at fire
1:12 pm
eye. please put your hands to get into the warm welcome to sarah geary. [applause] >> hello. i want to start by giving a big thank you to our veterans in the room today. [applause] you have protected, fought to protect a country and freedoms against adversaries, and that deserters our deepest gratitude. and you are still in the fight. over the next few minutes i'll be speaking about how adversaries are still interested in targeting veterans in cyberspace. my name is sarah geary, senior analyst in fireeye global intelligence, and i come from about a decade of government, government service myself. focus mostly on cyber
1:13 pm
intelligence. it's a real honor to be with you all today. so one of our main goals in fireeye intelligence is to know the address it better than anyone else does. malware can change and compromise can vary intrusion by intrusion it but the adversaries themselves and their underlying motivations remain rather constant. so that's the best way to get ahead of the threat is a focus on the threat into is behind it. so at fireeye we've categorized four main motivations that adversaries take to motivate them to go after veterans. one is espionage, financial, ideological, and then attack or cyber physical. and i'll walk through each of those and specifically how they apply to veterans now. so let's start with espionage.
1:14 pm
for an intelligence agency one of their main priorities is to find out as much information as possible about foreign military, very capabilities, their people. fireeye, we've seen evidence of that within the cyber espionage space. even back to our first advanced persistent front that we track, a pt one which we attribute to china. what we saw with a pt one is they were interested in stealing military org charts to include the contact information, military personnel and the roles and responsibilities. and don't reason a nation that we interested in this is to figure out who to target. what you're looking for some of the main criteria some of who would know a lot about the military, someone who even after the military would be a natural leader and the defense or political spaces. and then someone who is well
1:15 pm
connected and can lead them to other targets. and veterans fit the bill and all three of those criteria. so if you remember the opm breach and the anthem hack, both of those happen around the same time, and fireeye, we believe that they are both attributable to china. so it's really quite plausible that china is correlating both of its databases, going through the opm database to find military members are those who used to serve in the u.s. military, and then running those names to the medical records to find the specific in-depth personal information about those military members. and that's one of the reasons that with this presentation will focus on healthcare, is because how extensive medical records are and are sensitive the information is within them. it's perfect targeting data for
1:16 pm
a nationstate. so just hypothetically, if china were able to put two and two together with those databases and then use that medical information to craft a very tailored spear phishing e-mail to go after, after a veteran, not many people would think twice if they saw an e-mail in their inbox that seem to come from their medical provider with an attachment related to the symptoms that they had been having. who wouldn't click on the attachment and potentially enable the macros and find out what their doctor is saying to them? well, in this hypothetical scenario that happened, their personal e-mail could be hacked. then china would have access not just to more of their personal information but also to their contacts, many of whom would be of the military members and
1:17 pm
veterans as well. and china's network and understanding of u.s. military would continue to expand. so veterans have also fallen victim of cyber criminals who routinely try to steal personal identifiable information, pii, and solid, monetize it somehow online. now, they are specifically interested in medical records given how lucrative they are invaluable when they go to resell. now, my eye with a team of researchers that called the dark web specifically looking for these sorts of threats. the picture here, the chart on this slide is a macro calls himself the dark overlord, , and is trying to summon medical records that he claims to have obtained. now, that's not the only method that we've seen the dark overlord employees inflicted ss
1:18 pm
instead of stealing it, oars instead of time to sell he would go and contact the medical establishment and try to extort them and say, if you do not pay up, i'm going to publish all this information publicly online. so that brings us to our next motivation, ideological. now, hactivists, if you heard the term, his activist hackers, in a known to be less sophistication than say a nationstate advanced persistent threat, but you don't really need to be that sophisticated if the information is already freely available online. so a hactivist group might be interested especially if they are motivated by antiwar ideologies, and agenda to take veterans personal information, medical information, publish it online with the intent of embarrassing a veteran, or
1:19 pm
potentially trying to spin it as well, look, war is detrimental to everyone, or however they seek to spin it. harris would also be interested in publicizing events, contact information, their addresses, their family members. we saw this with isis the filling hackers in kill list. what was even perhaps more concerning in a specific consent fireeye believes that the cat that information didn't even need a hack pick it was all available online for them. and then you've got groups like -- they've been in the news recently, they've been texting death threats to spouses of u.s. military members. a couple years back i had done some research into that group and we don't believe it's a hactivist group were also don't believe it the terrorist group. instead we think it's a false
1:20 pm
hactivist persona that was set up and leveraged by russian state-sponsored cyber actors. so that these cyber actors using the hactivist group to advance russia's political agenda at the expense of the u.s. military families. lastly, we have cyber attacks. so this goes beyond publicizing the personally identifiable information, medical records online. this is actually involving attacking medical devices themselves. i have some good news. there have been no attacks on medical devices to date, but, unfortunately, there are often vulnerabilities and there are many vectors for such exploitation. so it could just be a matter of time, unfortunately. one such factor would be the supply chain. that's a very insidious vector as well.
1:21 pm
a fireeye company was called in to do an investigation on a medical device manufacturer. and sure enough we discovered that there is a pt 18 on the networks and that the chinese advanced persistent threat. that apt 18 admin on the network for 60 days before being detected. that's plenty of time for any adversary, if they so desired, to subtly manipulate the specs of the medical device of the thankfully that didn't happen in this case but it just shows how such a threat could take place. but even when the devices are manufactured according to the right specifications they could still be vulnerabilities. just last year ics cert published some vulnerabilities on certain brand of pacemakers, and it took a while for that both believed to be patched and when you look at it, the
1:22 pm
patching process itself and updates could be another way to introduce additional vulnerabilities. this example was demonstrated to us back in 2012 at eight va hospital in tampa. over 100 medical devices were infected with the conflict or worm, and we believe that was the result of a vendor going into update those devices with a thumb drive that was unknowingly compromise. just to summarize, the importance of knowing who the adversaries are, knowing what their interests are, how they might go about exploiting their targets and accomplishing the end objective is so important. this is just a quick example of the type of strategic threat intelligence that we briefed to our customers. to help them prioritize where to
1:23 pm
focus. the last word here, just want to speak to our veterans. you have protected us, and we want to protect you against cyber threats in the healthcare sector. so thank you. [applause] >> thank you so much, , senator. let's give her another round of applause. >> all right. i am thrilled to introduce our closing keynote. he's going to be talking about is government friend or foe? is the assistant attorney general of the national security division at the department of justice. please put her hands together and give a warm welcome to john demers. [applause] >> all right, thank you, goldie. thank you to fireeye. thank you to all of you for being here focus on this very
1:24 pm
important topic for all of us. so i made to talk to you today -- by the way, the edge to the question is friend. [laughing] i'm here to talk to you today come to talk about importance of collaboration in confronting the national security cyber threat. protecting the nation from national security threat is the mission of the national security division which i had. although we were created in response to the terrorist attacks on september 11, its mission goes well beyond terrorism. in the past years it has come increasing to include a focus on cyber as part of the threat posed by certain foreign nations. as we do with respect to terrorism, nsd drives collaboration among prosecutors, law enforcement officials, intelligence attorneys, and the intelligence community to ensure that we approach the national security cyber threat using every tool and resource
1:25 pm
available to the federal government. some of you in this room come from the private sector. companies large and small, companies that consult and provide advice, companies that make things. others come from federal, state and local governments, or from other countries. your work may be diverse but you all appreciate one thing. you know that there are countries in this world that what what you have. they want our sensitive information, our technology, our intellectual property. and the want to destroy any competitive advantage that we may have. around the world that are people who wake up every morning thinking about how they're going to get it. and they go to bed every night, all too often, thinking about a job well done. one thing they are not spending a lot of time thinking about is our laws and international cyber norms. you don't have to be a defense
1:26 pm
contractor to be worried about this. recently we have prosecuted cases of folks who stole seeds of rice and kernels of corn. no one is immune. if you are in business, if you're in government, if you're in medicine, if you're an academic research, you have something of value to someone else. and to get it foreign countries will use all means, including computer intrusion. you are not going to stop these countries on your own. no private company or institution has the resources of a determined nationstate. nor is any one part of federal government or state or local government going to stop these adversaries on its own. we will only succeed in defending the nation's firepower and the fruits of our brainpower if we are partnered together. in recent years nsd has furthered the governments efforts to deter and disrupt
1:27 pm
malicious national security cyber threats by charging hackers acting on behalf of china, russia, iran and isis. but not every cyber disruption needs to be prosecution. in fact, just last week the department announced that it obtained a court order to disrupt the known as the dtn filter that that infected hundreds of thousands of home and office routers controlled by a group. and well known malicious cyber hacking organization. the botnet provide the group the ability to undertake all manner of malicious cyber activity. from unlawful surveillance did the available information to disruptive attacks. the department could not have begun to neutralize this threat alone. we work closely with the private sector including private security researchers and other government partners such as department of homeland security. if we continue to work together we will do much, much more.
1:28 pm
let me provide to other illustrations of the good that can happen when the private sector and the government work together. let's take the case of yahoo!. i'm sure you are often they with it. yahoo! was a victim of a breach in 2013. only to discover three years later that it'd been the victim of another breach a more massive one in 2014. when this information came to light, yahoo! notify the government and provide valuable assistance to the fbi come fully cooperating at every stage of the investigation. as the result of this effective collaboration, yahoo! and the fbi determine that hackers working both for financial gain and on behalf of russian intelligence officers had stolen information from least 500 million yahoo! accounts and use that still information to obtain access to the contents of accounts hosted by yahoo!, google, and other providers.
1:29 pm
russian journalists, u.s. and russian government officials, private sector employs a financial transportation and other companies had all been targeted. thanks to the close cooperation of yahoo!, google and others, doj prosecutors and the fbi were able to identify and expose the hackers without further compromising the privacy of the account holders. three of the defendants were russian nationalists residing in russia. two federal security service agents, and they know russian hacker, and fbi most wanted criminal. the fourth defendant was a 22-year-old hacker in -- resided in canada. following the u.s. indictment, canada captured and arrested him. he was brought to the u.s. and pleaded guilty to eight criminal counts including conspiracy to commit computer fraud and abuse and aggravated identity theft. earlier this week he was
1:30 pm
sentenced to five years in jail. the second case demonstrates that cooperating with the government and benefiting from its knowledge the tools can help a company that has been hacked see things for what they really are. a few years ago a midwestern consumer goods company was a victim of what appear to have been a run-of-the-mill intrusion. intrusion. an intruder had obtain unauthorized access to their customer database and had obtain personally identifiable information for the customers. the companies i.t. personnel work diligently to eject the hacker from the network lady kept coming back. eventually the hacker threatened to expose the companies customer information in less he was paid a ransom. around that time the company contacted the fbi. the fbi determine that a kosovo citizens studying computer science in malaysia was one of the hackers who would gain unauthorized access to the
1:31 pm
victims companies pii. although the hacker had a financial motive in demanding a ransom from the company, the customer pii he still was not destined for the black market. that data was of interest because, among the tens of thousands of customer names and e-mail accounts he stole, there were more than 1000 e-mail addresses that ended ultimately the use that information to produce a list of pii for proximally 1300 u.s. government civilian employees and u.s. military personnel. he provided information to a student-based isis member. a few months earlier hussein acting in the name of islamic state hacking division posted a kill list that reported to include the names and addresses of 100 members of the u.s. military. he wanted to help them create and disseminate a second kill list. and, in fact, soon after he received the information,
1:32 pm
hussein used twitter to publish the pii of all 1300 u.s. government and military customers of the company. in his tweet he threatened quote the crusaders who were conducting a bombing campaign against the muslims. doj charged a man with violations of the computer fraud and with conspiring to provide material support to isis. we were successful in obtaining his extradition from malaysia to the united states, and he ultimately pled guilty. september 2016, he was sentenced to 20 is in prison. he was also ordered to pay $50,000 in restitution to the company. even though the prosecution was public, the name of the company was never revealed. we are often asked why we would bring a case against foreign nationals located outside the u.s. well, for one, as those cases show, we may well get more than
1:33 pm
one of them. the u.s. government has extradition agreements with more than 100 countries so it is not enough for those defendants to forgo a visit to disney world. for the rest of their lives they will be unable to travel to more than half the countries in the world without fear of arrest and extradition to the united states. second, the investigation and charges can assist of the parts of the government in bringing their authorities to bear. for instance, treasury's office afford controls can designate and charge individuals or entities under an executive order that authorizes blocking the property of persons engaged in significant volitions cyber enabled activities. ensuring that the perpetrators will be financially isolated from the world. when we brought charges two months ago against the founders and employees of the iranian institute at hacked more than 300 american and foreign
1:34 pm
universities and government agencies and institutions around the world, treasury also visited the institute of ten iranian nationals. charges raise awareness. both generally and specifically to this threat. in some cases there may be additional victims that don't know they have yet been hacked. to help the private sector identified malicious activity and better protect itself, the fbi and dhs will often release technical details to the public. fbi did that just last week when it released a public service announcement about that vpn filter. advising you to reboot your router and including signatures of the botnet malware the network defenders can identify its presence on their network. and finally we pursue these cases to skip these hackers of the anonymity they so desire, and call them out. this prevents nationstate actors from hiding behind ritualized denial and feign ignorance.
1:35 pm
the recent indictment of the institute members and the part indictment of the chinese pla are cases in point. so that's what's in it for the country what's in it for you next what are the benefits of working with law enforcement before, during, and after a computer intrusion? one, we can help you understand what happened when your organization has the cyber. we can bring together human intelligence and your intelligence to get a more clear picture of what happened. we can share context and information about related incidents or malware. we can ensure proper investigative preservation of evidence for later prosecution. and we can assist you deal with regulators. at the end of the day, the government simply is more tools at its disposal to deal with the problems of national security cyber intrusions. tools that


info Stream Only

Uploaded by TV Archive on