Cybersecurity Intelligence Forum Part 2, CSPAN, May 31, 2018 6:57pm-8:01pm EDT
next we will hear from rick driggers, the deputy assistant homeland security secretary for cybersecurity and communications, and jeff brown, the chief information security officer for new york city's cyber command. they were two speakers at a daylong cybersecurity and intelligence forum. this portion is about one hour.
>> we still have 15 minutes. we have to get through the last 40 years in 15 minutes. what i decided to do is tell a story that i'm going to date myself. this is the evolution of the cyber domain through the eyes of the guy who grew up in texas. to think about the 80s as we are rolling into the beginning of the timeline we are going to cover here at startup of the bank of the soviet union had gone into afghanistan in 1979. we boycotted their olympics. they decided to come to ours. the u.s. completely shocked the world and beat the russians. the other was jr was shot. one of those shows. what was going on behind the scenes was the quest for intellectual properties of the soviet union is trying to keep up on the economic front and knew they needed western innovation to fuel their
economy. it was very desperate straits in the 80s. although cold war battles were turning their economy and they are trying to compete so they are trying to gain access to intellectual property the same way that the chinese were trying to do in the 70s. what we did back in the time? he reported in newspapers set up a false front with the french sold all the software they deployed it into their structure created the third largest explosion in space at the time. that was behind nagasaki and hiroshima at the time. that was 1982 and that was the digital kinetic effect more than 40 years ago. in 1984 i move over on the school of economics. i had three weeks left in my venture over there and british telecom must privatize so at the
time with kids in school i said i have to take out a way to get involved in this because it was a well transfer system to the work in class. the most you can participate was 2000 bucks. how am i going to get my hands on the money? i remember it had this emergency credit card my parents gave me. with an american express card. how can i get this cash on this? my parents are going to know about for a while. .. >> so there comes a crash of 87. i'm working on wall street. working in their pension division, selling portfolio insurance. we'd go to somebody with a 3 billion dollars pension fund say hey, you got 3 billion dollars
of equity exposure, if it goes down we got your back, we will insure it. if it goes up, we will keep everything. you just pay us an insurance premium. here comes october of 87. how do we hedge ourself? who would sell that insurance? an insurance company. when the market started going down, we are selling futures. you know, trying to hedge ourself, market went down 22% in one day, october of 1987. that was the end of portfolio insurance as you know it back then. there came circuit breakers and everything else. innovation outpacing your ability to protect it. innovation the security gap that kevin talks about is always going to outpace our ability to manage the risks. it is the reality we live in and always create that gap. by the end of this decade which shapes the future, wall comes down in 1989, began to see the collapse of the soviet union, the 80s were a formative decade. here comes 90s. for me the 90s were a need for
speed, information superhighway, early days in the investment career back then, everybody was trying to figure how to get in on the information superhighway to create a digital infrastructure that could be used to advantage the world. so big innovation engines we are as a country of the u.s., obviously we're creating all this innovation at a pace without thinking about the consequences. what happened when the wall came down, and the soviet union collapsed, is a super power of crime was born in russia. a lot of the former soviet union countries out of money, you see the same talent base that we see at nsa today now unemployed trying to feed their families. we're creating this digital infrastructure, you are creating an opportunity to exploit it for criminal gain. so you saw real focus of shift of this tech engine and capability of talent base to how can i make money through this thing called the internet as we begin to move our commerce on-line, on-line banking, latency out of the system,
digital commerce moving on-line, the world is beginning to change and we create mammoth amounts of speed in our environment. in fact, going back into the wall street piece, we used to sell -- well on trading floors -- atm networks and all these different bandwidth protocols were being deployed and you would actually send one trade out and you would say i would want this one to go nanoseconds and i want this one to go out in a minute. you would pay for how fast you would want a certain trade to go. you were trying to beat other folks based on speed. speed became really the game in the 90s. that set the way for 2000. 2000 for me was a decade of pain when you think about it what a decade we went through. it starts off obviously with the dot com crash in 2000. bush comes into office and all of a sudden you have the markets tanking. all the innovation and expectation built in the
innovation in 90s had created a huge run up in the stocks, huge expectations. i remember meeting with folks that are at the time you know retired and say look i'm just looking for a safe return, 15, 20 percent a year. so i'm just going to put it in cisco and dell and let it roll. i mean, they got a lesson learned on that one. in the dot com crash in 2000, then followed by the towers coming down, geopolitical energy just surges, the globe begins to change. the world is at war on terrorism. and a lot of things are really beginning to shift in a way we look at the world and the way the world looks at us. in that age we moved on to the telecom crash at the end of 01. and then the world was really beginning to reshape. so at the time, everybody had their eye off the ball in terms of what was happening in the cyber domain because there was so much going on around us, from the dot com crash to the towers coming down, to the telecom crash, moving into the great
recession, if you went to a bank in 2008, 09, who is losing half a billion dollars to cybercrime and said hey, you know, if you use this capability, we can understand exactly how the adversary is targeting you and figure out how to build countermeasures and defensive protocols so we can knock 100 million bucks of losses out of your system. the response would be i just wrote off 10 billion dollars last week in bad mortgages. it just paled in comparison. so everybody focused on all the things going on around them, the economic collapse and all the things happening geopolitically, the cyber domain was ripe for the picking and people were driving a truck through it, from foreign nations stealing intellectual property, from criminals stealing money, from adversaries and activists that were anonymous and others really injecting their ideology through cyber campaigns. we were wide open, exposed, and
just taking it without even focusing on it. so the 2000s gave way to what we're looking at today when the stakes have gone up. so if you look at the last decade, really cyber has been exposed. what happened in the start of the 2000s with the eclipse of cybercrime taking over the narcotics trade as the most profitable form of organized crime in 2009 as reported by the fbi. you know, we had now given way to this huge dark economy that lived and thrived in our cyber domain globally and all the innovation advantages that we had used to exploit our economic and innovation edge was being exploited against us and created in effect the largest transfer of wealth from one cyber nation to another, when the chinese had taken our intellectual property stores and shifted them across the borders. so it was a tremendous decade.
cyber exposed, so we see back to 82, selling faulty software to create kinetic effects. you see the inverse of that in terms of cyber campaigns to try to trade kinetic effects in that case against the nuclear capability of the country. you also started to see aggressive campaigns to actually destroy and disrupt operations. so you begin to use digital campaigns that create, you know, kinetic effects. you saw exposed china activity for the first time through the apt1 report. congratulations for creating an awareness level in the world for what had been going on for almost a decade of really what had just transpired. that started to give people thought and so said wow, this is real, you know. it's not this black magic. it's actually happening right in front of me. what do we do about it? so we move into economic consequences against north korea. through all the sanctions we applied, creating cyber
repercussions, and you convert a rogue nation into a bank robber. if we're going to choke off their ability to raise money in official ways, they will become bank robbers and raise money in unofficial ways to fund their objectives. we saw that through the heist, 100 million was reported gone. of course they tried for a lot more than that and they haven't stopped. you are seeing crime take shape of funding those types of initiatives. in the prior decade, when al qaeda was being disrupted and we were fighting the war on terrorism very aggressively in the 2000, a lot of times when we would find al qaeda operatives they had manuals on how to fund their local operations through carding, local cybercrime activities trying to fund their day-to-day terrorist operations. criminal activity was associated with that's not my problem as a government, that's a criminal act but that's a means to fund something that's of vast importance to all of us, terrorism, in advancing nation aggression.
moving into the elections, that's pretty obvious what took place there. i mean, our sanctity as a country is our free election system, the ability to elect and approve and have a, you know, an open democracy system. when you see that under assault, that reflects a really big change, what's going on. all of these things in the 2010s to lead us to common day is the fact that innovation that we have exposed and exploited to our economic advantage over the years, the innovator of how you exploit that innovation has always been the bad guys around the world. and our security innovation has to keep pace with the innovation of the adversary. that's our only way to effectively compete. the security gap that kevin referred to will always be there. it will also be exploited by the bad guys. the best you can do is shrink that security gap and innovate at the pace of the adversary whereby as we're creating new technology, likely at a pace
faster than we can secure it, we are tracking the adversaries as they are mechanisms saying here's how we can exploit it to we can build mechanisms build innovation to protect our environment at the pace of their innovation. at the same time, kevin showed the first chart, not the second chart. chinese going after existing intellectual property. you know through intellectual property harvesting and all the espionage activity gives way to okay, we'll stop hacking your environment, you know, formalized in 2015, we'll just go acquire it. so at the same time you see an inverse relationship and all the amount of investment and acquisitions taking place with china acquiring u.s. intellectual property. present day, in the 27 years prior to the trump administration, technology acquisitions were blocked three times. the most
>> let's give him another round of applause. that was awesome, john, thank you. [applause] >> i'm excited to introduce our next speaker. he's going to be talking about cyber threat intelligence and support of nppd's mission. he's the deputy assistant secretary for cybersecurity and communications at dhs. please put your hands together and give a warm welcome to rick driggers. [applause]
>> good morning everybody. i appreciate the opportunity to be here to talk to you about what we're doing inside the department of homeland security with regards to cybersecurity particularly around threat intelligence information sharing and things of that nature. as i was listening to the introduction, she used nppd, and nobody really knows what that means: national protection and programs directorate, the headquarters organization that the cybersecurity organization sits in. we're very much a critical infrastructure security and resilience organization. we look at that through two lenses, one of them is a physical looking at asset based protections from a physical perspective and the other side is really looking at from the cyber perspective which is what we do. we have made some pretty tremendous progress in the past four or five years with regards to what the department of homeland security is doing in
cybersecurity. at the same time, the threat landscape is becoming more complex. it's becoming more crowded. we have nation state actors criminals and activists that are all, you know, playing the game and while that's happening, the adversaries' capabilities are also becoming more complex as you're very well aware. but interestingly, the way that they are getting in, the exploits that they are using are not. they're still, you know, standard tactics that they've been using for a long time for the most part. we see vulnerability scanning for systems and things of that nature. and also spear phishing. i think the last report i read is anywhere between 80 and 85 percent of the attacks that we're seeing are incidents that we're seeing are being caused by those simple ways. what we're not doing is imposing cost on the adversary. how do we impose cost on the adversary so we can make sure they are spending time, energy,
partnerships, engaged partnerships, not only with the private sector and critical infrastructure owners and operators, but it security firms. it requires partnerships with our international allies that have the same kind of behavior, norms and objectives as we do for secure and safe kind of network and internet. we also -- we also -- with regards to partnerships we want to make sure that we're partnering with the state and local community as well. you know, we take our partnerships very very seriously. we have, you know, really there's two things inside of our organization that underpin everything that we do from the capabilities of doing incident response to vulnerability assessments, penetration testing, to our training and exercises that we do on behalf of critical infrastructure, owners and operators of state and local governments and really it is about partnerships and it's about information sharing. we work every single day to try
to build our partnerships, to try to strengthen the partnerships that we have. we do this through formal large kind of robust, you know, government partnerships, where we sign memorandums of agreement and memorandums of understanding with different companies and things of that nature so that we can kind of open up the information sharing channels. but we also want to do this informally. we want our analysts to have relationships and be able to collaborate and coordinate with analysts that are in the private sector. the private sector, the i.t. security firms that are represented here and those that are not, they see things differently than we do. they have different visibility than the federal government does because we're not looking at private sector networks. we're looking at our government networks. and we're getting also information from our international partners as well as from the intelligence community and law enforcement community, that maybe the private sector isn't -- isn't getting. so we want to take that
information, and at the end of the day, get the technical data out to the cyber network defense community. but at the same time, we want the private sector to share what they're seeing as well. so that we can get that technical data out to the cyber network defense community so we can cover down on what we know is bad so we can secure and make our networks and the internet quite frankly more safe. the federal government as i said earlier, we can't do this on our own. we require the private sector across really all industries to help us reduce and to mitigate these risks. really it is about a culture change. i was over in the u.k. last week or the week before, talking about culture change. you know, in the physical side, there is a culture security. if you go into any building, there's usually somebody at the
front door. if you -- there's vehicle -- so you can't normally drive up to a building. even in the 7-eleven there's deterrents with cctv everywhere as well as that strip that measures the assailant running out the door so you can tell how tall he or she was. those are all deterrents. but we don't have that on the cybersecurity side. we don't have that visible deterrents in that culture of security across, you know -- across our nation. we do in certain aspects and in certain places, but for the most part, we don't. and, you know, it's not lost that whenever something happens on the physical side, private sector entity is looked at as a victim, an emergency management structure kind of folds in on them, whether it's local state or national. at the -- you know, with regards to cybersecurity, that's not necessarily the case. the entity isn't looked at necessarily as a victim.
they are looked at why didn't you protect the data better? they are looked at as not, you know, necessarily protecting their customers. and so how do we change this culture? how do we create a culture of security within not only the federal government, state and local government, but the private sector? and really, from our perspective, this starts with partnerships. it starts with sharing information and making sure that whatever we have inside the federal government we're getting down to lowest possible classification level and we're sharing it as broadly as we possibly can. that obviously doesn't necessarily mean that we share it out to the public at large. a lot of the times, but we do have communities of interest where we will share unclassified sensitive information. we have a private sector security clearance program where we do bring in certain folks from industry so that we can read them in and give them security clearances so that we
can kind of make known what really the threat landscape looks like across particular industries to get them to -- to, you know, kind of pay attention to this issue. earlier this month, the department of homeland security just released our cybersecurity strategy. the department of homeland security cybersecurity strategy. there's five pillars that underpin that. the first pillar is risk identification. how are we assessing evolving risk? the second one is vulnerability reduction, how are we protecting the federal government systems and networks as well as critical infrastructure? threat reduction, what are we doing to disrupt criminal activity? and criminal use of cyberspace? and consequence management, how are we responding effectively to cybersecurity incidents? and then the last one is enabling cybersecurity outcomes,
and really how are we improving at least in the department of homeland security how we are managing our cybersecurity programs not only to protect the federal dot gov mission which is one of the missions that we have but also to again partner with industry, protect critical infrastructure, get information out so we can get the bad stuff off the internet that we know about. and then how are we making security -- how are we making our systems more secure and more reliable. all of this goes to, you know, how are we collectively doing this? we've got three priorities for my organization, the office of cybersecurity and communications that we're pretty focused on for the next probably three or four years. the first one is cyber workforce. how do we build a cyber workforce, not for us to recruit against, but how do we build the cyber workforce as a national asset? right now we have about 300,000
unfilled cybersecurity positions across our nation. i read a report a couple weeks ago that said there's going to be over a million by 2026 across the globe. what are we doing to engage k-12? what are we doing to engage academic universities? what are we doing to change at least in the federal government our hiring practices and our human resource apparatus so we can bring on cybersecurity talent, we can keep them engaged. but we can't do this alone. this is something we're going to have to work with in the industry with. you guys are facing the same challenges we are. you have different incentives you can put on the table that the federal government can't, but at the end of the day, how do we from a nation perspective build out a cybersecurity pipeline so that we can have this type of skill and talent at the ready to bring on to help us with this particular mission? the second one is driving down
systemic and catastrophic risk to our critical infrastructure, owners and operators so we can make sure that we're looking at supply chains. we understand what supply chain risks are. and that we are covering down on those risks. it seems to me that when i look at supply chain and look at any supply chain that starts for whatever reason when you start to peel back the onion with someone sitting in a garage writing code for a small business that's supporting a medium sized business that's supporting a large business. not enough to just do perimeter based defense for a critical infrastructure asset. we have got to evolve past asset based protection. we have got to look at critical services and functions. and those critical services and functions that underpin our national security, our economy, and public health and safety. and then the last piece is collective defense. this is pretty much what i have been talking about the entire time i have been here is this collective defense idea about how do we get the entire nation
engaged in this cybersecurity mission? again we can't do it alone. we have one of our flagship programs trying to share indicators at machine speed, we are doing that. since 2016 we have shared about 1.8 million unique indicators. those indicators are coming from our international partners, we have 11 international countries that are hooked up to ais. we also have all of the departments and agencies in the federal.gov and we have several hundred private sector entities as well, but we also have information sharing analysis centers and other organizations like the cyber threat alliance that are further sharing those indicators with -- throughout their partnerships. what we're not seeing and what we'd like to see more of is the private sector sharing back into the automated indicator sharing system so that we can again push those indicators out to the
broad cyber network defense community so that we can get what we know is bad off the networks. we are making some changes to the automated indicator sharing system so we're providing more context around the indicators. there will be sightings that will be available so you can understand the quality of the indicators as well. we're doing this as a direct feedback from private sector. we've listened to you. we've heard you. we're making those investments in the automated indicator sharing system. we will continue to do that. we need your feedback so that we can make sure that that system evolves and keeps pace with what we need to. and then we also are looking at, you know, how do we automate defense. this isn't something that the federal government can do. this is something that the private sector has to do. this is really the private sector's lead. how are, you know, i.t. vendors that are putting out different devices and things like that, how can we compel them to automate the security in those
particular devices? and, you know, the market is going to have to do that. the individuals and the companies and the government that are buying those types of devices are going to have to -- are going to have to demand that that happens. you know, as i say, it is kind of a little bit funny but it is kind of true, you know, don't make my mom turn on a cybersecurity feature in a wifi router or in the iot device that she has. make her have to go in and turn it off. she doesn't know there's a default password in her router she doesn't know what a router is to be honest with you. i think we've really got to get smart about how we scale security in this particular mission space. and again, we can't do it alone. it's going to take the collective we to put in place a real robust collective defense for cybersecurity. and with that, that's my time. thank you very much. appreciate it. [applause]
>> let's give him another round of applause. thank you, rick. [applause] >> our next speaker is here, all the way from new york city. we are really excited to have him. he's going -- the name of his talk is new york cyber command, government's role in protecting citizens and the economy from cyber threats. he's the chief information security officer of new york city. please put your hands together and give a warm welcome to jeff brown. [applause] >> good morning. >> good morning. >> i have some prepared remarks, but before i get into that, i just first wanted to thank you for the warm welcome and i wanted to say that it is
incredibly humbling to stand up here in front of a community that i really owe a lot of thanks to. thanks to every single person in this room who is involved in the mission. we all know what that mission is. and it's absolutely critical to the defense of this country that we all love. i also want to say a special thanks to kevin and john who already spoke today and their company that they build is an incredible partner for new york city and has been pivotal to me professionally in my own success and the success that i represent in what we're trying to do on behalf of our city. also thanks to rick for the great partnership and the work being done with dhs for some critical things that i will talk about today. so again, my name is jeff brown. i'm head of new york city cyber command. so what in the world is new york city cyber command? so, let me talk to you a little
bit about that. this is kind of setting the stage for remarks today. okay. we all know new york city; right? new york city, global leader and an absolute presence not just here in our nation, but a global leader in, you know, commerce, and culture and all of those great things. so new york city cyber command created on july 11, 2017 by mayor bill de blasio. he signed an executive order -- we are charged simply with leading the city cybersecurity efforts across more than 100 government agencies what makes up the city government of new york? you can imagine all those critical things that are provided to new yorkers each and every day. the teams at n.y.p.d., the water utility, sanitation, finance, you know, all those things that make the city run, makes up that
city government. what makes our approach unique in the city from our optic, there are a number of duties and authorities that are vested in new york city cyber command, but i'm going to give you a couple highlights. what you see in this slide breaks down this elegant two page executive order. i encourage anybody to read it. we're very proud of it. it is not a long read. it is just two pages; right? let me highlight a couple things. one, this organization can mandate the deployment of technical controls that we centrally operate. giving us the ability to see and respond across the over 500,000 computers and various ways that make up the technical landscape of the new york city government. so not only can we say these are the technical controls that we'll put on these machines, we will operate those controls, which is very important in centralizing a mission. another highlight we can review city agency requests on cyber. so when it comes down to it, that allows us to make sure that
we're unifying the effort and the efficiency of how we spend new york city taxpayer dollars. and finally, we do report directly to city hall. so that tells you the type of executive sponsorship that, you know, cybersecurity receives in new york city. this is, you know, to use the private sector term, this is certainly a boardroom issue in our city. why is this important? why are these authorities and duties in new york city cyber command important? really the executive order signals our city recognition that cybersecurity needs a center of gravity, even across what is a highly federated technical environment and highly federated services delivery environment. you can think of these hundred plus agencies of separate businesses. some of which have been around for over 100 years and have invested in various infrastructure and technology projects since the beginning. to be able to say what are the
things that we can do to be effective in cybersecurity in that very federated landscape, you can't have every agency doing their own thing and trying to map that. you have to have some unification, your technical and administrative controls. you can really think of being -- we're a technology disrupter, leveraging solutions and approaches at scale with great partners, many are in the room today. since we are in full build mode, you know, we're actively building this team today and how we, you know, how we use technology in our processes, we're using modern data science and behavioral approach. we're proponents of zero trust architecture and not afraid of the cloud. we have a slogan, an asset that exhibits bad behavior is guilty
until proven innocent. which means we can take action swiftly when where we cannot wait for the investigation to be fully completed, or indicted, before containing the threat. underlying all of our work in new york city command is the realization that our city uniquely at the municipal level has direct responsibility to critical services and infrastructure that new yorkers depend on for their society to function. these are core areas, like our water utility, our safety services, our traffic system, our health services, and the city government's financial system that is completely interwoven into the daily sustainable operations of our city. new york city has no choice but to be responsible for the cybersecurity of these functions. these are the functions of the very life blood of our city. where are we going? we have a lot of important work in front of us and critical gaps that carry serious risks to fill. you know, i'm not naive to the fact the mission is not completed. there are many many critical
gaps still to fill. i think everybody in this room would be in a similar position. but the city now has a team dedicated to this mission and resource for growth accordingly. that's the baseline on new york city cyber command. our portfolio expands a variety of issues but i'm addressing you today to show our growing prioritization of cybersecurity in the public domain. now i want to give you a way of thinking, a way that i'm thinking about cybersecurity in new york city and it really goes to, you know, something my wife always tells me which is expectation management. you know, manage expectations. get home when you say you are getting home. and if you are late, tell me you are late. i fail at this quite often unfortunately. i really do. when it comes down to it, every day i wake up and i want to succeed in that critical mission to me. i want to succeed every day and i don't accept it as inevitable that i will fail. i don't. i fail often. but i don't accept it.
every day i wake up to succeed. and i think in our industry, sometimes our expectations in that regard need to, you know, maybe be evaluated carefully. what do i mean? like i think sometimes we aspire to manage the risk of cyber threats but not to finally defeat them. we aspire to protect our enterprise and build incredible silos but do we aspire to protect the community and how do we define the community? how do we define clients? usually a client is someone that contracts and pays. does that scale to the problem, the speed and the size of a problem in a city like new york? the word cybersecurity contains a word cyber to represent technology and the intersections of our digital life and a word security which represents safety and resiliency and reliability against the people out there that are trying to disrupt our way of life. we must approach cybersecurity with the understanding that a threat to any one person,
organization, business or government is a threat to all of us really in our way of life. events in previous years have shown us the consequences are very sobering and real. when we were talking about critical services that we rely on, it's that much more sobering. if our purpose is truly to be involved in securing the peace of digital space, the time is now to move beyond silos and move toward technical defenses at scale that meet the public's right to privacy. we should not decide in advance that this is impossible. we should accept the challenge as our obligation in this mission. what i've just covered is really some of the formative thinking in new york city. we decided to confront this and we started by first recognizing our role, our role of the primary responsibility of government to protect its citizens, to deter crime and respond to emergencies when they occur. safety to us is an essential service. we therefore have the responsibility to bring that same commitment to cyberspace. mayor de blasio initiated this
journey in our city on march 29th this year with the announcement of new york city secure. this is what he said: all right. here we go. this is what he said: our streets are already the safest of any big city in the country. and now we're bringing that same thing into cyberspace. we will ensure that we're applying the best and most effective protection efforts to help new yorkers defend themselves online. keeping with the mayor's vision of digital equity, nyc secure is built on some fundamentals. one, that cybersecurity is a public safety issue and essential service, not a luxury. we must work on behalf of all new yorkers. too often the only people and businesses that are defended are either those that can afford to pay or have deep technical knowledge. this is not going to work when everyone is walking the streets with a powerful computer in
their pocket that they depend on for everything in their life. two, we believe cybersecurity does not need to come at the cost of public privacy. we are building solutions that are technically provable to respect user privacy. with nyc secure, what are we doing? increasing public awareness. we are committed to providing city wide awareness of cyber threats and advocating for the widespread adoption of best practices. we will educate new yorkers on cyber hygiene, literacy and effective use of technical tools we are offering. this will begin in earnest with a media campaign in the city this summer. we are also committed to making a measurable technical difference. we are adopting tactics that are technical and produce a measurable reduction of the cyber risk in our city. for example, to strengthen our mobile defense, this summer we will make available for any member of the public a free threat detection app for their mobile devices engineered in deference to the privacy of its users. any new yorker that is interested in this app will be able to go to the app store and
download it. to strengthen the protection of the wifi environment in the city's public spaces, nyc secure is working with nonprofits global cyber alliance and quad nine to deploy protection across all city owned systems. so if you think of the city owned systems, these are the public spaces where new york provides the public with wifi. nyc secure believes it is our responsibility simply to help you stay safe when you're using something that we give you for free. we think other providers of free wifi in public spaces should avail themselves of similar solutions. there are similar solutions that will help people not hit that website that's only put there by a criminal to victimize them. we think if you are walking into a coffee shop or a lobby or a public place, where it is free to connect to wifi, that, you know, proprietor should think carefully about whether or not they think they should do something about you being victimized. we know these measures will enhance security and privacy
because they will keep the bad guys from invading the privacy of the person that gets victimized. the city is not collecting the data with these initiatives and we are striving to give the public a fighting chance to protect their own personal data. we will strengthen partnerships in the private sector and in academics to help them create resiliency in the place. in fact we already partnered with nyu, calling it the cyber fellows program. we recognize these are initial steps. we will need to evaluate our technology and how we're doing and get more precise and build new approaches as, you know, new techniques emerge. and we're counting on new approaches. in fact we are challenging the industry, it could be a giant company, it could be the academic sector, it could be the brand new start up that just moved into their garage to build something, right? we're challenging the industry to build up solutions that can scale to our great city and help all new yorkers defend themselves online and will fully protect their privacy.
so new york city believes that a strong, safe, fair and prosperous city depends on securing the digital space where so much personal and economic activity happens. we hope the new york city secure initiative will spark a public discourse on how governments can take action to help improve the cybersecurity for the public. all of us at new york city cyber command are deeply honored to defend the city's digital infrastructure and its assets and help new yorkers begin to protect themselves online. in closing, make no mistake here, in new york city we are really having a conversation about the role of government in cybersecurity on behalf of its people who walk the streets every day and if there is an event that, you know, impacts those services that they rely on, those critical services, it hits home, you know, not necessarily in the big towers in the big skyscrapers in our city but hits home to every single person, who, you know, expects to safely conduct their lives in any way they want on our streets.
again, i want to thank you for your time this morning. and i look forward to listening to everybody as the day proceeds. thank you very much. [applause] >> let's give him another round of applause. thank you, jeff. [applause] >> i'm excited to introduce our next session. the topic is under pressure, effective and fast, how cyber threat intelligence informs incident response. we have got some subject matter experts on this topic for sure. i know a couple of them well. we're going to welcome charles carmichael, cto strategic services, also a senior vice president for cyber and our
moderator, who is the vp at fireeye. please give all three of them a warm welcome. ♪ >> the goal of this event was to feel and look like a ted event. that's a high bar we're trying to meet here, try to keep the energy up for you guys. i think we have an interesting topic from the panelists. we will dive into a few key questions on how we can use or leverage threat intelligence to better pursue the adversary and get an advantage, maybe leaning on what jeff just talked about, how do we not only think about defenses but prevention as well in cyber, specifically, you know, with government systems, data, and critical applications and assets. so charles, let's start with you with a question, where do you see, based on our knowledge of threats and threat trends, where
do you see in 2018 and going forward trends focused on government targets, dot gov, and where do we anticipate potential risk areas that we need to focus on across the government space? >> ron, first of all, before i get started, a little bit about my background. i run a team of incident responders. i've had the opportunity to work on over a thousand breach investigations. and one of the things that i have seen over the past few years is a significant increase in the disruptive attacks that threat actors are causing. by disruptive, quite frankly any breach is disruptive. when somebody steals data from an organization, that causes a lot of disruption to the entity. what i'm trying to talk about is the threat actors that are deliberately trying to destroy systems, take businesses off line, publicly shame organizations, extort them, publicly release data that they have stolen from the environment. what we are seeing over the past few years is the increase in that type of disruptive activity. for a lot of the organizations we work with, they are dealing with that type of activity for the first time.
so they are probably pretty familiar with the typical data theft types of breach scenarios, but dealing with an extortion matter for the first time is quite challenging. the biggest challenge is actually figuring out whether or not the threat actor actually has access to the data and the systems they claim to have access to. because for every real threat that's out there, there are five other fake threat actors that are just trying to scam somebody to get access to information. so i think there's a great opportunity to share a lot of the lessons that have been learned from dealing with disruptive threats and, you know, dealing with extortion and destructive attacks and there's definitely a really good opportunity for organizations to be able to better prepare for it. >> brad, any other thoughts on that topic? >> you know, over the past few years, we have been dealing with a lot of, you know, ransomware attacks, but, you know, one of the things that we're starting to see is, you know, a much more sophisticated level of attacks that we haven't seen in the past, and we're working a job, and we are doing forensics, and
we found this piece of advanced persistent adware and it wasn't picked up by the endpoint solution. we had to correlate a lot of data to detect that. what was interesting is when we reverse engineered that and went back to its origins, it was actually -- it turned out not to be malicious, but it was basically an in memory attack established back to an adware company based in israel. and it had a complete command-and-control and could have had data at will. thankfully they were trying to follow users around the internet to sell them mini vans. but when we looked at that, you know, it was an adware company in israel that likely employed, you know, one that obviously had nation state level capabilities. and so now we're starting to see the propagation of much more sophisticated level of attacks,
and, you know, i think that in general we're not prepared for that from a tooling perspective or from an ir perspective. >> one thing to add to that, one thing we're seeing right now, we see a particular government threat actor that's targeting a number of banking organizations, and clearly they are interested in gaining money from those banking organizations. so one of the things we see them doing is we see them getting access to the swift alliance systems, sending messages and attempting to move money from certain organizations to other organizations. and after they do that, they then burn the house down. so they are essentially destroying the alliance servers so the forensic evidence is wiped and they are destroying the rest of the environment. this is a pretty big problem in latin america. so unfortunately, there isn't a great collaboration learning opportunity between this. i mean, you know, to some extent the banks are trying to share that information, but quite frankly, this is a pretty big problem that's going to continue to happen until we do a better job of getting that intelligence out there. >> okay, great. so that's an external focus kind
of threat view. i would like to switch the attention to something i think is overlooked which is what i consider internal intelligence. switching gears and thinking about we have a massive amount of data now we're collecting every 20 minutes in the government space through the continuous diagnostics and mitigations program, 24 hours a day, 7 days a week, 365 days a year. a lot of it is information that you wouldn't normally think of as intelligence driven or intelligence useful data, but in fact, i think there are opportunities that we may be missing to utilize compliance data and other types of vulnerability information to inform and focus efforts in hunting and incident response engagement. brad, i would like to get your thoughts on that and some ideas on how we might be able to leverage that rich data source for advantage in incident response. >> we have been involved in the program for several years. and you know back when we first started, it was interesting looking across the federal agencies, different levels of
maturity. some had complete asset visibility. others in terms of reporting were underreporting, you know, their total assets by, you know, maybe potentially over 100%. and so, you know, today through the cdm program, i think the program has done an amazing job in terms of getting that baseline of assets configuration and other types of data sets, and we saw that in action, you know, over the past, you know, year to 18 months on attacks like, you know -- if you rewind three to five years ago, the question would come down, what's the potential impact of this level of attack? and the only way that you would get an answer is be able to go out to the agencies and conduct a bunch of data calls, correlate data on spreadsheets and at some point get an answer which probably wasn't accurate. you know, when we saw some of these recent attacks, you could get the answer in a matter of seconds because cdm was able to correlate and provide that data
set. that's just the first step. so that's basically kind of looking in the rearview mirror in terms of figuring out what the potential, you know, the impact of an attack would be. moving forward, you know, as the cdm program matures, gets more data and other data, that's going to allow us to do much more of a rich proactive set of hunting, and one of the things that we see across our mature commercial clients is not waiting to be attacked, not waiting for an event to pop before you do incident response, but employing hunt teams to go out and proactively look for advanced adversaries on the network. i think the cdm program is a catalyst to that next level of capability across dot gov. >> charles, anything to add on that? >> yeah, i think from a case load perspective, many years ago when we started doing response work, what we found was most of the organizations that we worked with learned about a breach because a third party told them about it. fast forward several years, today we're finding that about half
of our clients are self-detecting breaches and the other half learn about it from a third party. i think the better data they have in order to try to practically hunt in their environment would help them more quickly be able to detect the breach in a much shorter period of time. >> i think i heard from several of the panelists today lamenting maybe about the lack of ability or a lack in sharing threat intelligence information in a useful and meaningful way and in a timely way; right? i think we're still dealing with the challenge out there where threat intelligence tends to be produced and consumed almost like media, like stories. how do you guys see, or maybe charles you take this one, how do you see useful threat intelligence data being driven, ingested, and actually brought into a format that can be used in a rapid useful way by incident response and hunt teams? >> one of the things we like doing is we like leveraging
indicators of compromise that help describe an attack or behavior. the thing about that is you have to have context around the indicator. just knowing an ip address that a threat actor used at one point in time doesn't necessarily mean that if you see that ip hit today that it is actually evil, because the attacker could have owned that machine many many years ago and it is not actually relevant today. having some context behind those indicators is helpful. i like seeing finished intel products so i understand the storyline between what the attackers are doing. not only do i want to see the technical indicators and observe that in an environment or hunt for that, i want to know the story, what are the attackers doing with that information? what are their goals, objectives? how are they leveraging some of the tools in their operations? to the extent possible i also like to hunt through a collection of raw intelligence myself. some of the data prepared for organizations generally want a
high fidelity indicator so you tend to weed down the intelligence shared, but being able to hunt through a database and large collection of raw information can also help you find other indicators you could hunt for in an environment. >> one of the things, we have been engaged in the threat intel space for a long time, when we first started we would send threat reports and intel reports and indicators to clients, the first question that we would get is, okay, this is great, now what do i do with it? you know, should i resign? should i jump out the window? and the industry has come a long way since then, but one of the things that we're seeing now is we're getting much more mature from a threat intelligence perspective. we're being able to curate indicators and provide better context. once you get the data, what do you do with it? a lot of the breaches we look at, our clients have the who's who set of tools but the problem is the tools aren't tuned to the threats of today. and so i think that, you know, in my mind the key thing -- the
key question to ask is, based upon the intelligence, how do you operationalize that within your enterprise? and it includes both your security operations team, to make sure you're tuned to detect and prioritize the threat, but also to be able to tune your sensors, whether it's your endpoint security tools, your network sensors, ips, to be able to actually, you know, operationalize and pop the flag around these high priority events. >> i will add one additional note to that which i found extremely useful is building capabilities for actual operators that are running in the environment, right? so the ability to drop in a question, and maybe this is a good use of ai, you will probably hear a lot today about ai and machine learning capabilities. in our experience, i think being able to have a workbench area where a bunch of operators are used to working and being able to drop in information and have machine learning algorithms kick back whatever it knows about that data set quickly in real-time has been a huge asset to our hunt teams and our operations teams.
i think it is a key component of thinking about the problem set as the usability factor and not forcing users to pivot to multiple tool sets but having that front end workbench solution that allows them to easily access that information in a way that they are comfortable doing that. >> just on the automation piece, i think the automation piece is important for a few things. one is, you need to be able to respond at machine speeds. so anything that you can automate to remove the human from the loop will accelerate your ability to respond. but the second piece that we see is there's just a high turnover in cti staff. you know, just on our team, you know, the turnover rate is so high because the skill set is so in demand. so i think it is pretty obvious that we're never going to be able to keep up with the gap in talent so looking at automation to be able to accelerate the response and also to compensate for the talent gap i think is key. >> i agree. >> great. last question, and maybe start with brad on this one.
we talked about kind of the legacy cdm capabilities that we can leverage in current incident response capabilities. how do we see the landscape shifting with the new cdm initiatives coming down the pipe and other federal initiatives for hunt incident response capabilities, where do we see some of those focus areas evolving to over the next couple of years? >> i think the key thing is moving beyond compliance. compliance gives you a good snapshot and there's mandatory reporting requirements, but the only way that we're actually going to get out in front of the front is, you know, to go on the offensive, be more proactive in the enterprise. in my mind that's two things. one is applying more advanced threat hunting, you know, using, you know, more endpoint data to be able to detect the most advanced adversaries. the second piece is how do you determine how effective you currently are in terms of being able to detect threats? that's one of the things that
most of our clients can't answer. and you're going to a security operations center and say what's the last threat you detected? in a lot of cases they will say everything is good. we all know that's not true. the other piece i think moving forward is continually being able to refine your security program by conducting more continuous teams to be able to measure your effectiveness and improvement. >> great idea. charles? >> i will reiterate that. i often find that companies will engage penetration testers but they will say you can't test during certain hours. you can't test certain parts of the environment and if you find a vulnerability, you can't exploit it. it gives a false sense of security to the board when they see these results because they find out somebody wasn't able to break into the network. for effective teaming is a good way to test efficacy. >> that's our time. i want to thank the panelists today for a great discussion and i'm looking forward to the continuing conversation.