events editorial - gcsec · often the weakest link in complex cybersecurity systems and do make...



Post on 18-Aug-2020


Page 1: events editorial - GCSEC · often the weakest link in complex cybersecurity systems and do make mistakes. If you are a cybersecurity professional or security enthusiast, this article

7th e-Crime & Cybersecurity Europe Summit

Location: Amsterdam, NL
Date: December 1, 2017
https://infosec-conferences.com/events-in-2017/7th-e-crime-cybersecurity-europe-summit/

The 7th e-Crime & Cybersecurity Benelux will cover these and other key subjects for its audience of professionals tasked with safeguarding digital assets and sensitive data. There will be case studies, strategic talks and technical break-out sessions from security teams behind some of the world’s most admired brands, who know, just like you, that security is now critical to business success.

Black Hat Europe 2017

Location: London, UK
Date: December 4-5, 2017
https://www.blackhat.com/eu-17/

Black Hat provides attendees with the very latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry will come together for a total of four days - two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings.

cyberSecure - the Events for Business Continuity & Growth

Location: New York, NY, USA
Date: December 4-5, 2017
http://www.almcybersecure.com/ehome/index.php?eventid=272311&

cyberSecure is a unique cross-industry conference that moves beyond the technology of cyber risk management, data security and privacy. Unlike other cybersecurity events, cyberSecure brings together corporate leaders from multiple function areas who help shape policies, risk management strategy, compliance programs, and an organization’s cyber-incident response playbook.

RSA Conference - Virtual Session: The 5

Artificial Intelligence Origin

Artificial intelligence shows up more and more in seminars, speeches, business plans and even in the latest Dan Brown book. In this novel, the author pits artificial intelligence against religion. Origin, Dan Brown's latest work, offers a new dangerous adventure for Prof. Robert Langdon and his eccentric ex-student Edmond Kirsch, who became a millionaire thanks to patents and inventions linked to the most advanced technologies such as neuroscience, robotics, nanotechnologies and artificial intelligence. The book has another protagonist as well: Winston, an assistant who guides Prof. Langdon through the Guggenheim Museum. But Winston is not human; he is a digital assistant built on a technology in the field of artificial intelligence (AI) called Neural Language Processing (NLP).

AI technologies promise to revolutionize all industry sectors, promising efficiency and profitability for the new Industry 4.0. The numbers estimate a dizzying growth in investments in this area, and the big players of the net are racing to acquire startups and people with artificial intelligence skills. AI systems are already used in many business applications, where they manage the relationship with consumers: increasingly evolved chatbots, based on AI algorithms, are able to recognize natural language and understand the habits and behaviors of customers. Other applications are, for example, in the field of Fraud Management, where many platforms are integrating AI in order to correlate real-time data and anticipate fraudulent activity.

We could continue to list areas and solutions that have long been using AI and that will change our user experience and businesses as we know them. The user's approach will be similar to Prof. Langdon's chat with Winston, and the new Industry 4.0 will move away from the stagnation of production chains towards more flexible models: intelligent hardware and software, and self-configuring devices that may anticipate problems and launch actions to minimize the risk of stopping production.

As we have tried to explain throughout this year, technological innovation must go hand in hand with the development of a secure digital ecosystem. The benefits of innovation and Industry 4.0 can easily be lost without an effective cybersecurity strategy. Just as I write this editorial, we learn that Uber has suffered a data breach that reportedly involves 57 million users, and that it appears to have paid $100,000 to have the stolen data deleted, hiding the violation. In these same hours we also learn that Google tracks Android devices even when the location feature is off. The good news? The Mountain View giant says it will cease this practice by the end of November. Certainly, there is still a lot to do on this subject.

Enjoy your reading

Nicola Sotira
General Manager GCSEC

events

editorial

2017 November


7 Reasons why organizations get hacked by Marco Essomba – Founder and Executive Chairman, iCyber-Security

Business recovery during a breach - How to protect reputation and revenue by Kevin Duffey - Managing Director, Cyber Rescue

Using machine learning to create virtual security analysts by Uday Veeramachaneni – Co-Founder and CEO, PatternEx

published first in Cybersecurity Trends English Edition n.1/2017, pp. 32-33, courtesy of iCyber-Security

As a security consultant and solutions architect helping clients in the European region design and implement security solutions to protect critical network infrastructures, I often ask myself why companies get hacked. A trivial question it may seem but deeply rooted in the fact that we as humans are often the weakest link in complex cybersecurity systems and do make mistakes. If you are a cybersecurity professional or security enthusiast, this article is for you. I cover 7 reasons why companies get hacked based on my experience working with clients in several sectors including banking, healthcare, insurance, oil & gas, etc. The question is not if your company will get hacked but when. Planning and ongoing preparation is the ultimate protection against cyber-attacks.

1. Humans are the weakest link

Humans are programmed to make mistakes. That’s how we learn. That’s how we have evolved biologically. Look at SpaceX, they made lots of mistakes and eventually mastered advanced rockets and spacecraft technologies. Even with a team of experts, they still manage to crash lots of rockets before docking successfully to the ISS. The same applies to cybersecurity. Mistakes will be made, not if, but when. When that happens, an attack window opens. A hacker may strike within that gap. Even in the most tightly controlled networks, humans make mistakes. This is inevitable, so the best defense is to implement robust security

Most Dangerous New Attack Techniques, and What's Coming Next

Location: San Francisco, CA, USA
Date: December 7, 2017
https://www.rsaconference.com/videos/virtual-session-the-5-most-dangerous-new-attack-techniques-and-whats-coming-next

Each year at the RSA Conference in San Francisco, SANS provides the authoritative summary of the most important new attack techniques in use today. Their 2017 list covered unnervingly accurate predictions of attack vectors used in some of the most dangerous new attacks seen in the wild including new crypto ransomware variants regularly hitting millions of systems, and recent vulnerabilities exposing Internet of Things devices to attack.

ISDF2017 – Greece – The Third International Conference on Information Security and Digital Forensics

Location: Thessaloniki, GR
Date: December 8-10, 2017
http://sdiwc.net/conferences/3rd-international-information-security-digital-forensics/

It’s a 3 day event, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lectures.

'Holy Grail of Google bugs' exposed firm's full vulnerability database of known and unpatched flaws
http://www.ibtimes.co.uk/holy-grail-google-bugs-exposed-firms-full-vulnerability-database-known-unpatched-flaws-1645273
A security researcher uncovered a series of bugs in Google's internal bug tracking platform, called Google Issue Tracker aka the Buganizer, which allowed him access to Google's entire database of known and unknown vulnerabilities.

Hackers abusing digital certs smuggle malware past security scanners
https://www.theregister.co.uk/2017/11/01/digital_cert_abuse/
Malware writers are widely abusing stolen digital code-signing certificates, according to new research. Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide.

New GIBON Ransomware Emerges
http://www.securityweek.com/new-gibon-ransomware-emerges
A newly discovered ransomware family called "GIBON" is targeting all files on

7 Reasons why organizations get hacked

By Marco Essomba – Founder and Executive Chairman, iCyber-Security

in this number

news


measures, but also plan and prepare for fast remediation.

2. Cybersecurity technology is very strong but expertise is weak

With all the stories we hear in the news about several small and large firms being hacked, a naive question may be asked as to why organizations can’t just buy the most secure and advanced solution and be done with security. Things are not so simple. For one, security systems are designed, implemented, and managed by humans. As long as that remains the case, a flaw may always appear in the chain. Moreover, cyber security technology is extremely strong and we are not short of amazing technologies. One only has to look at the many firms providing advanced cybersecurity solutions that deliver robust defenses in many unique ways. Yet the expertise to configure these sophisticated security products for their most optimum performance remains scarce and very niche. Cyber criminals know about this expertise gap and are exploiting it to their advantage.

3. Cyber criminals have the edge

Cyber criminals do what they do for fun, money, government and industrial espionage, political reasons, etc. They only have to find ONE flaw in a system - whether technological or sociological - and it leaves security administrators scrambling to patch and protect against ALL flaws. That is not an even fight! With enough patience and will, even the most secure system can be compromised by dedicated cyber criminals with expertise. What really matters is how fast a company can react to security flaws, patch holes, learn, respond, train, and continue to strengthen security measures and on-going processes against cyber-attacks.

4. Cybercrime pays more

Cyber criminals are moving to the ‘digital battlefield’. It makes sense since cybercrime appears to be transparent, less risky, and the chance of being caught seems remote. One can look at the recent cyber-attacks at several banks that exploited the Swift banking system with several millions of dollars at risk in what appears to be the greatest cyber theft attempt ever. Online crime is seamless, it’s cyber, and it’s often untraceable. No wonder why this is becoming a safer alternative for traditional criminals.

5. Humans do fall asleep in the cyber battlefield

Security administrators can fall asleep in the ‘cyber battlefield’. When that happens, a cyber criminal may strike. Unless processes are put in place to constantly review security systems, improve products, learn from failures, and keep administrators and staff trained, the cyber security defenses in any organization will remain weak against Advanced Persistent Threats (APT).

6. Technology as a whole moves very fast and the pace is relentless

With technology moving at lightning speed, it is not surprising that humans can’t keep up with cyber-attacks. Perhaps we should let the ‘machines’ with Artificial Intelligence (AI) take over cybersecurity administration and let them enforce security – and take humans out of the equation? A bit extreme of course, but not unrealistic. For one, machines can follow rules flawlessly and keep up with the pace of cyber-attacks, as well as adapt much more quickly than humans can. They won’t fall asleep in the cyber battlefield and may prove to be less sloppy than humans at maintaining security standards and processes. But there is still a long way to go before ‘Skynet’ can automatically defend organizations against cyber criminals without any human intervention.

7. In cyberspace, you only know what you know

The challenge of cyber is the ghost-like transactions that happen faster than humans can cope with. What is really happening in your network may be a mystery. But with security analytics, knowing what you should know is good. But knowing what you don’t know is better.

machines that it has managed to infect, except those located in the Windows folder. The observed attack involving this threat was using malicious spam emails for distribution, but the exact delivery mechanism isn’t known at the moment. Once it has infected a machine, GIBON connects to its command and control (C&C) server and registers the new victim by sending a base64 encoded string containing the timestamp, Windows version, and the "register" string (which tells the C&C that this is a new victim).

Symantec uncovered a new APT, the cyber espionage Sowbug group
http://securityaffairs.co/wordpress/65293/apt/sowbug-group-apt.html
Malware researchers from Symantec have spotted a new cyber espionage APT dubbed Sowbug group that has been active at least since 2015. It was involved in highly targeted attacks against a host of government organizations in South America and Southeast Asia. The group was spotted by experts from Symantec who uncovered clandestine attacks against foreign policy institutions. The Sowbug group uses a strain of malware dubbed Felismus to compromise target systems.

It's 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros
https://www.theregister.co.uk/2017/11/15/november_patch_tuesday/
Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes. The November of Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat. Microsoft's patch dump addresses a total 53 CVE-listed vulnerabilities, including three that already have been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and IE that lets webpages achieve remote code execution, CVE-2017-8700, a flaw in ASP.NET that lets web apps access restricted memory contents, and CVE-2017-11848, a flaw in IE that allows webpages to track users when they leave the website. As usual, memory corruption and scripting engine flaws in IE and Edge make up the bulk of what Microsoft considers to be the highest risk flaws.

Uber concealed huge data breach
http://www.bbc.com/news/technology-42075306
Uber concealed a hack that affected 57 million customers and drivers, the company has confirmed. The 2016 breach was hidden by the ride-sharing firm which paid hackers $100,000 (£75,000) to delete the data. The company's former chief executive Travis Kalanick knew about the breach over a year ago, according to Bloomberg, which first broke the news. The hackers found 57 million names, email addresses and mobile phone numbers, Uber said.


published first in Cybersecurity Trends English Edition n.1/2017, pp. 4-8, courtesy of iCyber-Security

Chief executives worldwide are confronting an urgent new responsibility. While profits and success have flowed from digital transformation, the risk to their reputation and revenues has risen with wave after wave of successful cyberattacks. In the search for profit, many companies have turned to data lakes and digital oceans, using information as their compass, cargo and fuel. But if data is the energy of the digital economy, it follows that data breaches can be explosive.

Commercial recovery during a catastrophic cyberattack is increasingly recognised as an essential competence. A Board-level executive must be accountable for how a business recovers from a breach, as every function can be impacted when hackers break through. The shock, speed and ambiguity of a successful cyberattack sets it apart from other crises, so progressive companies are calling on experts to help them rehearse, plan and achieve corporate recovery.

Cyber Rescue is a leader in this field, operating across Europe from its London HQ. Cyber Rescue has helped enterprises like Maersk, Vodafone and Swedbank, and many small companies from fintech to pharmaceuticals. In this article, we look at how Cyber Rescue is helping Boards, CEOs and CIOs to confront the challenge of our times: the successful cyberattack.

From all the breaches we have assisted with, we have noticed a strong demand for three precise capabilities:

1. cyberattack simulations for executive leaders, to demonstrate risks and responsibilities

2. bespoke recovery plans for each business, to ensure efficient and effective response

3. coaching CEOs during the “golden hours” after a breach, to avoid mistakes made by others.

We will consider each of those needs in detail, after considering why businesses are turning to experts.

Why now?

Computers will never be safe, according to the front page of The Economist this year. But business leaders have been slow to hear that message, since they are typically more interested in “when will our new app launch” than “is our new app secure?”

The IT Directors who build those apps are under enormous pressure to be fast and flexible, with few benefiting from a Board that recognises the risks such pressures create. So increasingly it is the IT Director or CIO who insists that the executive leadership experiences a data breach simulation. Based on our experience, it is our opinion that investing sixty minutes to rehearse the cascade of commercial consequences from a breach is the best investment a Board can make. Further, an effective simulation brings home to the CFO, the COO, Marketing and even HR heads, that they all have a crucial role in leading recovery when the unthinkable happens.

In just an hour, the leadership’s understanding of why they need to support IT security is transformed. Simulations can be designed either as introductory Board-level sessions or as more customised and larger enterprise-wide events, sometimes running over two days.

IT Directors and CISOs initiate about half of the calls that Cyber Rescue receives, with other requests coming from Chief Operating Officers, Chief Risk Officers or CEOs. The rapid growth in publicly reported data breaches is causing non-specialists to recognise the increasing possibility that their business could be next.

FBI Director Robert Mueller probably said it best, when he warned that “there are two types of company – those that have been breached, and those that will.”

And the exponential growth in publicly reported cyberattacks is shocking many executives into action, especially if they see graphs like this one, from Verizon’s famous annual report on data breaches.

Chief Risk Officers are increasingly trying to estimate the chance of their company being hit by a breach.

What’s the risk?

Business recovery during a breach How to protect reputation and revenue

by Kevin Duffey - Managing Director, Cyber Rescue


To help our Members understand emerging risks, we maintain a library of over two hundred recent reports on cyber threats. Our research lead, Dr Chaditsa Poulatova, comments that “while many reports are sponsored by vendors with an interest in highlighting such threats, the numbers should certainly be causing CEOs to reflect on the new risk environment their businesses operate in.”

The vast majority of attacks are kept secret.

For example, in the UK, a major survey in May 2016 found that 95% of businesses keep their most disruptive data breaches from the public, including 82% who don't report breaches to the police. That secrecy makes it hard for other businesses to appreciate the scale of the problem. A good indication of the current likelihood of being attacked is given by this finding: some 2.8% of medium sized organisations in Ireland are certain they suffered a data breach caused by malicious attack in the last two years.

Example figures include the 125% annual growth in sophisticated Zero Day attacks, the 71% increase in large DDoS attacks; the 55% growth in Spear Phishing; the 29% growth in Malware and 21% increase in SQL injection attacks.

Interestingly, it’s images instead of statistics that often engage the busy executive. For example, live attack maps attract many visitors. And there seems to be a rather morbid fascination with quotes made by executives who have been closest to major cyberattacks, as for example:


There was this horrible moment where I realized there was nothing at all that I could do. Amy Pascal, ex-CEO at Sony

JP Morgan spent $250m dedicated to cyber security. They did everything right, and they still got hacked. Erik Avakian, CISO, Penn State

Breach Prevention? How is that working for you? Jason Hart, VP, SafeNet Inc

There are 2 types of companies: those that have been hacked, & those that will. Robert Mueller - FBI Director.

I am incredibly angry about this data breach and we will institute a thorough review. John Legere, T-Mobile USA

There’s no conceivable system that can stop 1 person in 100 opening a phishing email and that’s all it takes. Ciaran Martin – Director, GCHQ.

It’s important to remember that the vast majority of companies won’t suffer a major breach in the next twelve months. By emphasising this, we highlight that cyberattacks are just one of the business continuity challenges that a company should prepare for. Security Directors and Risk Officers often want us to simulate a data breach for their Board as part of their wider risk mitigation strategy. It makes sense to use any Board-level interest in cyber to build resilience to all kinds of challenges a company might face.” Major cyberattacks are a low probability, but very high impact event. And they are much more likely than other scenarios that companies rehearse. For example, there were 17 deaths from fire in UK office buildings last year, during which thousands of British organisations suffered major breaches. Yet every company holds at least an annual rehearsal of its evacuation for a fire. What should they rehearse to ensure commercial recovery from successful cyberattacks?

Business challenges! The Board need to be ready to be blindsided by a breach, to appreciate that authorities may be unable to help and there could be poor internal command and control. Here are some of the issues typically addressed during a simulation.

The shock of a breach is often made worse by several factors. For example, you may be told of this Breach by an outsider, most frequently by Law Enforcement (41%) or Third Parties including customers (35%). You may then discover you weren’t told of previous Data Incidents. Even worse, you are weeks behind the attackers, as the average time to discover a breach is 69 days (followed by 70 days of technical containment.)

Help from authorities is easier if you already know the right people. But who? There are 31 organisations fighting cyber threats to Financial Services in the UK, where 68% of Directors are unaware of who to call.

Some authorities have fewer resources than they’d like. The UK’s ICO has 30 officers handling 200,000 concerns and 1,000 cases per year. The police have said only 4% of cybercrime is dealt with appropriately.

Your chain of command will be stressed by ambiguity during a suspected breach. The UK Parliament is clear on who should lead cyber response in a business. Opinions may fill the gap where facts are missing. Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days. And decisions must be made fast: 91% of consumers expect "24 hours or less." Your legal and moral responsibilities might not be immediately clear. For example, law enforcement may ask you not to notify customers, so that the hacker won’t be alerted to their investigations. Extra-territorial laws on protection of citizens from cyberattack mean you may be subject to the requirements of more countries than you operate in. Just a summary of Privacy & Breach Notification laws runs to 425 pages.

Serious decisions require money. In the UK, 52% of CEOs think they have cyber insurance, but <10% do. Some 81% of companies with cyber cover in USA have never claimed on it. Claims paid have been on: Crisis Services (78%), Legal Defence (8%) & Settlement (9%).

Will you pay for a big gesture? 53% of Breach Notifications offer Credit Monitoring. And what will be the long term revenue impact? Abnormal churn after a breach ranges from 6.2% in Financial Services and 5.3% in Health, down to 0.1% in Public Sector.

The surge in enquiries can quickly turn into even more irate calls from customers who – in their moment of crisis - want to receive the global standard in call centre response, 80% of calls answered in 20 seconds. But after a breach, call volumes can be one hundred times higher than normal. And in addition, you must communicate with Regulators, Suppliers, Press, Staff, Police and Shareholders, and manage Social Media.

You will be criticised, even if your company suffered a criminal attack. Customers complain that you notified “too slowly … too fast … without cause … putting us at risk of scammers.” Consumers might say “Credit Monitoring doesn’t help me” or “How will you make this good” or simply “I want to break my contract and leave.” The UK Parliament has called for bigger fines for poor response and a cyber impact on CEO bonuses.

The format of a simulation is as important as its content. Some executives can feel nervous about exposing their ignorance in front of their colleagues, for example. Cyber Rescue does a lot to customise the format of a simulation to the individual participants.

No one is evaluated in the simulations. Participants are put at ease and assigned to teams. But a simulation isn’t realistic without a bit of pressure. Friendly competition can energise participants, and create a little pressure. But a simulation is an opportunity to learn, to bond and to reflect.”

“Simulations are very positive experiences, even fun,” notes Anjola Adeniyi, one of Cyber Rescue’s busy advisors. “I hosted a session we ran for the UK’s Worshipful Company of Information Technologists, an exclusive association of executives and thought leaders who have done the most to deliver the digital world we all now live in. Rather than the traditional death by PowerPoint, a simulation creates energy through engagement.”

A key lesson from every simulation is the need for a plan. “All large enterprises have a continuity plan,” notes Patrick Donegan, one of Cyber Rescue’s specialists in the telecoms sector, “but too many assume that it covers the challenges of modern cyberattacks. Without a bespoke plan, under intense pressure, the executive leadership can take a cyber incident and turn it into a commercial crisis through ill-informed, wrong-headed decisions. They might take too long to inform impacted customers, or raise the alarm prematurely. They might fail to consider how to notify affected parties in the correct order and effective manner, from regulators and law enforcement to suppliers, staff and shareholders.”

Going into battle, fighting to save your reputation and revenues during a major hack, is like boxing an invisible opponent.

You can’t assume that the crisis management plan you’ve written for situations like a fire or a pandemic will work against a cyberattack.

We sometimes quote what Mike Tyson used to say, of his over-confident opponents, ‘everyone has a plan until they get punched in the face!’ Every executive likes to think they’ll make the right decisions during a crisis, and given enough time and information, most of them do.

But the speed and ambiguity of a cyber crisis makes for a unique dynamic. A customised commercial response plan, prepared in advance of a major data breach, will make your response much more timely and effective. It provides Directors with simple checklists, templates and instructions about each of the decisions they must face.

Crucially, it will document where sensitive data is held, including by third party suppliers and information processors, so that breaches caused by partners are considered during the initial forensic stage of response.

The plan has to be easy for executives to use. A section for each designated executive has to be provided, highlighting the resources they can call upon, the consequences of alternative actions they must choose between, and even the text of communications they may need to issue very urgently.

Who you gonna call? One thing that executives can forget when drafting a response plan is that normal business won’t stop during a crisis. The leadership team of a typical enterprise is full of highly competent individuals who are already giving everything to their job. They are in essential roles, not redundant positions. So naturally, when a crisis hits, the business may want to bring in one or two specialists to at least help with the workload.

Cyber Rescue provides Crisis Coaches to help executives triage and resolve conflicting demands. For example, many organisations discover they have more than a dozen “stakeholders” who expect to be briefed, consulted or notified. Technical staff may be swamped with unreasonable requests for updates, and given conflicting priorities. Legal responsibilities may be unclear, and your communications team may be unprepared. Our library points out that 91% of consumers say they expect notification of a breach in 24 hours or less, but also that it is very harmful to send a badly worded notification. A crisis coach can help the executive team navigate such challenges.

The crisis coaches bring wisdom and experience. If there are conflicting views among your executive team, your crisis coach is a trusted sounding board. If blame or politics might creep into conversations, your crisis coach is a reliable and neutral partner to all. If things start to become overcomplicated, your advisor will bring you back to basics.

You need to anticipate avoidable mistakes that others have suffered. You must consider the commercial consequences of various actions you might take. During the shock and ambiguity of a possible major breach, a Crisis Coach is invaluable.

The speed at which response has to be delivered matters. Ideally, a Crisis Coach will start travelling to the Member’s HQ within 60 minutes of a call finishing.

There is a golden hour at the start of your commercial response to a major cyberattack. This is when you establish command and control, stand up your response team, identify uncertainties and set priorities.

We’ve built Cyber Rescue to respond to such challenges.

You probably won’t suffer a major breach in the coming months.

A breach is a low-probability, high-impact event. Preparing your Board for such an eventuality is beneficial in many dimensions.

If you want to energise your GDPR compliance programme, or build resilience to any kind of crisis, if you need to strengthen teamwork within the Board or simply an appreciation of the importance of IT, a simulation is a great place to start.

GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy

http://www.gcsec.org

published first in Cybersecurity Trends English Edition n.1/2017, pp. 28,31, courtesy of iCyber-Security

The security industry has done an excellent job of creating a lot of noise around the rise of “machine learning” or “artificial intelligence.” The industry says that rules are the problem - too many missed attacks and false alarms - and that machine learning is the answer.

A company called PatternEx has set out to fix this problem. Humans and computers need to work together to identify evolving cyberattack patterns buried in our data, and PatternEx has figured out how machines and humans can teach each other to combat emerging threats.

Machine Learning operates without rules and it does catch previously unseen attacks. But what does it fix? What are the trade-offs?

To explain this in detail, it is helpful to organize the Machine Learning universe into the three distinct types used in the security industry:

1. Unsupervised Machine Learning

2. Static Supervised Learning

3. Active Supervised Learning

Unsupervised Machine Learning

Most of what you hear being touted as “advanced threat detection” is Unsupervised Machine Learning or simply anomaly detection. This approach is used widely in many domains to organize data and find outliers in that data. In cyber security, Unsupervised Machine Learning crunches log or packet data and seeks to find outliers in the data. This makes sense because the vast majority of online behaviors are legitimate, and the malicious behaviors could be outliers. Unfortunately, the relationships between enterprises and their employees, partners, suppliers, and customers are astronomically complex. Behaviors vary widely and what seems to be an outlier is actually normal. You might find out there is a data leak to the Ukraine only to find there is a legitimate contractor working there for a different division. The promise of Unsupervised Learning is tempered by an important nuance that illustrates the logical flaw in this approach: the definition of “outlier” is not the definition of “malicious.” We confuse the two and deal with many, many false positives.

Static Supervised Learning

Unlike unsupervised learning, supervised learning takes inputs from humans to create models. Think of supervised learning models as systems that “think” like humans and learn over time. Data scientists collect human feedback and then train a model with that feedback, and then deploy the model into production. This process, from learning to updating to deployment, often takes months or even years depending on when and where the new human feedback is incorporated. These kinds of models work in static environments where what we are trying to predict is not changing. But “static” does not describe the world of cyber-security. Rather, our world is characterized by dynamism: it is fundamentally adversarial, where the attacker is motivated to cheat you to succeed. The attackers morph faster than supervised learning models can be trained.

So, how do you update the model in real time?

Active Supervised Learning

To bring AI into cybersecurity, active supervised learning is the optimal approach. Active Learning is a way to train Supervised Learning models on the fly, without millions of training examples. Active Learning delivers on the promise of supervised learning with a massively reduced training period. This system continuously engages human analysts to learn from them and to create new supervised learning models. We call these models Virtual Analysts because they can distinguish between malicious and normal behavior patterns with great precision, like an analyst.

The term Virtual Analyst also implies that we need to think through how we are going to incorporate them into our security apparatus. Deployed right, they can greatly improve an organization’s ability to defend against attacks and act as an early warning system.
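The two points made above, that an outlier is not necessarily malicious and that analyst feedback can retrain a model within a day, are illustrated by the following added example, which is not code from the article or from PatternEx. The events are constructed, and the median/MAD outlier score and the nearest-centroid model are assumptions standing in for methods the article does not name.

```python
from statistics import median

def make_day(shift):
    """Constructed sample events: (bytes_out_mb, failed_logins, analyst_verdict)."""
    normal = [(1 + i % 5, i % 3, "benign") for i in range(40)]
    backups = [(300 + 20 * i + shift, 0, "benign") for i in range(8)]  # rare but legitimate
    intrusions = [(40 + i + shift, 4, "malicious") for i in range(4)]
    return normal + backups + intrusions

def fit_scaler(events):
    """Robust scaling per feature: (x - median) / MAD, so outliers do not skew the baseline."""
    cols = list(zip(*[e[:2] for e in events]))
    meds = [median(c) for c in cols]
    mads = [median(abs(x - m) for x in c) or 1.0 for c, m in zip(cols, meds)]
    return lambda e: [(x - m) / d for x, m, d in zip(e[:2], meds, mads)]

def top_outliers(events, scale, n):
    """Unsupervised stage: the n events furthest from the baseline; verdicts are not read."""
    return sorted(events, key=lambda e: sum(abs(v) for v in scale(e)), reverse=True)[:n]

def train_centroids(reviewed, scale):
    """Supervised stage: one centroid per analyst verdict (nearest-centroid model)."""
    groups = {}
    for e in reviewed:
        groups.setdefault(e[2], []).append(scale(e))
    return {v: [sum(c) / len(c) for c in zip(*rows)] for v, rows in groups.items()}

def malicious_margin(z, centroids):
    """Positive when z is closer to reviewed-malicious than to reviewed-benign events."""
    dist = lambda c: sum((a - b) ** 2 for a, b in zip(z, c)) ** 0.5
    return dist(centroids["benign"]) - dist(centroids["malicious"])

def run(budget=4):
    """Return malicious events inside the analyst's budget: (outlier rank, model rank)."""
    day1, day2 = make_day(0), make_day(7)
    scale = fit_scaler(day1)
    reviewed = top_outliers(day1, scale, 10)   # analyst labels the day-1 alerts
    model = train_centroids(reviewed, scale)   # model rebuilt from that feedback
    queue = top_outliers(day2, scale, 12)      # day-2 candidates, outlier order
    by_model = sorted(queue, key=lambda e: malicious_margin(scale(e), model), reverse=True)
    hits = lambda alerts: sum(e[2] == "malicious" for e in alerts[:budget])
    return hits(queue), hits(by_model)

if __name__ == "__main__":
    print("malicious events in analyst budget (outlier rank, model rank):", run())
```

On the second day the outlier ranking fills the analyst's four slots with legitimate bulk transfers, while the model trained on the first day's ten verdicts puts all four intrusions at the top of the same queue.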

Using machine learning to create virtual security analysts

by Uday Veeramachaneni – Co-Founder and CEO, PatternEx