Security Keynote w/ Mark Graff, CISO, NASDAQ OMX - Splunk.conf 2014 - theCUBE - #SplunkConf
Keynote, Splunk.conf 2014
There’s an old adage about technology that goes something like, “If you build a better mousetrap the world will beat a path to your door.” The flipside, especially in the world of cyberdefense, viruses, malware, and worms, is that somewhere out there someone is building a superior mouse. The past decade of networked computer systems and infrastructure has shown an ever-increasing drive towards complexity in software, and an equally increasing perniciousness in the malware that infects it.
During the security keynote speech at Splunk.conf 2014, Mark Graff, Chief Information Security Officer at NASDAQ OMX, spoke about the new paradigm of cyberdefense as it pertains to what businesses face with respect to viruses and security threats.
In short: computer viruses and worms are trending towards surprising technical complexity, which he believes will eventually culminate in fully autonomous malware that no longer needs a human operator driving its proliferation, action, and activation. To defend themselves, businesses will need to employ machine intelligence of equal caliber to detect and stop these threats.
In 2013 Kaspersky Lab detected almost 3 billion malware attacks, with over 1.8 million distinct malicious programs detected in these attacks.
The era of smarter, more complex viruses
The first computer viruses were self-replicating programs that attached themselves to executable files and spread only through human interaction: copy a file, click a link, load a web page, insert a USB thumb drive. For the most part, these infections could be detected on the host by signature-based anti-virus and rooted out with relative ease by spotting anomalous changes to files.
Soon, worms came onto the scene: a type of malware that exploits vulnerabilities in software exposed at the machine or network level in order to copy its own code onto the next victim. No human interaction needed.
One of the most prolific was the Sapphire worm (better known as SQL Slammer), which infected the majority of its roughly 75,000 victims in under ten minutes. The worm exploited a stack buffer overflow in the resolution service of Microsoft SQL Server 2000 and MSDE, reachable over a single UDP packet to port 1434; the overflow ran the worm’s code on the victim, which then immediately began spraying copies of the same packet at random addresses to reach other SQL Server installations. Notably, this was not a zero-day: Microsoft had shipped a patch for the bug about six months before the worm appeared, and the hosts that fell were the ones still unpatched.
That was 2003. The concept of the zero-day exploit, an attack against a vulnerability that is unknown to the vendor (and therefore unpatched) at the moment it is exploited, was already well known by then.
Modern examples of widely exploited bugs carry cartoony names such as Heartbleed (CVE-2014-0160) and Shellshock (CVE-2014-6271). The first lets a remote client read chunks of an OpenSSL server’s memory, potentially exposing private keys and session data; the second lets an attacker who controls an environment variable passed to bash execute arbitrary commands, which was enough to compromise exposed web servers outright.
By 2010 a brand new worm of unconventionally high complexity was discovered infecting industrial control systems. Stuxnet exploited not just one zero-day vulnerability but four distinct ones to infiltrate and move through Windows networks. Stuxnet was also one of the largest worms ever detected, weighing in at around half a megabyte; by contrast, Slammer fit in a single 376-byte UDP packet, making Stuxnet well over a thousand times larger.
Aside from sophistication and complexity, Stuxnet had another suspicious element: it was carefully targeted. The code could infect numerous industrial and government networks, but its payload would only activate when it found a particular configuration, namely Siemens PLCs driving frequency converters at the speeds characteristic of uranium enrichment centrifuges. That made it the first worm seen as a naked act of cyber-sabotage, because it appeared to be aimed at Iran’s enrichment centrifuges.
Anomaly detection and systemic insights needed to overcome machine smarts
Looking back at the evolution of malware, it’s clear that future worms will continue to exploit unpatched software and as-yet-unknown vulnerabilities, and will adapt to circumvent already-known defenses. As a result, detection that relies on rigid rules or fixed signatures will fail to reveal Stuxnet-class worms; what is needed is a view of how systems normally behave, so that the behaviour of the worm stands out even when its code does not.
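As an added illustration of that last point (this is example code written for this page, not anything presented in the keynote or built by NASDAQ OMX or Splunk), the block below runs two detectors over a constructed set of flow records. The first is a rigid signature rule keyed on the exact payload bytes of a known worm; the second learns the normal "fan-out" (distinct destinations per source per minute) from earlier traffic and flags any source that blows past it, which is the behaviour Slammer-style propagation cannot hide. The sample data, the `MARKER` bytes, the host addresses and the thresholds are all assumptions made for the example; a payload variant with different bytes is included to show where the signature rule goes blind.

```python
import random
from collections import defaultdict
from statistics import mean, pstdev

# --- Constructed sample data (not real traffic, not from the article) ----------
# Each record stands in for one parsed firewall/NetFlow-style log line:
#   t      seconds since the start of the capture
#   src    source IP            dst    destination IP
#   proto  "tcp" or "udp"       dport  destination port
#   head   first payload bytes, when the sensor captured them (b"" otherwise)
MARKER = b"\x04\x01\x01\x01\x01"  # hypothetical stand-in for a published payload signature

def _baseline_flows(rng, t0, seconds, hosts):
    """Quiet office traffic: each host talks to a handful of internal servers."""
    servers = [f"10.0.1.{i}" for i in range(1, 6)]
    flows = []
    for t in range(t0, t0 + seconds):
        for h in hosts:
            if rng.random() < 0.05:  # roughly three flows per host per minute
                flows.append(dict(t=t, src=h, dst=rng.choice(servers), proto="tcp",
                                  dport=rng.choice([80, 443, 445]), head=b""))
    return flows

def _scanning_flows(rng, t0, src, n, head):
    """Worm-style fan-out: one host sprays udp/1434 at random addresses, 40 per second."""
    return [dict(t=t0 + i // 40, src=src,
                 dst=f"{rng.randint(1, 223)}.{rng.randint(0, 255)}."
                     f"{rng.randint(0, 255)}.{rng.randint(1, 254)}",
                 proto="udp", dport=1434, head=head)
            for i in range(n)]

def build_sample():
    rng = random.Random(7)  # seeded so the example is reproducible
    hosts = [f"10.0.0.{i}" for i in range(1, 21)]
    flows = _baseline_flows(rng, 0, 300, hosts)                    # five minutes of baseline
    flows += _scanning_flows(rng, 240, "10.0.0.5", 200, MARKER)    # worm with the known payload
    flows += _scanning_flows(rng, 250, "10.0.0.9", 200,
                             b"\x04\x7f\x7f\x7f\x7f")              # variant with mutated payload
    return sorted(flows, key=lambda f: f["t"])

SAMPLE = build_sample()

# --- Rigid rule: fires only on the bytes it was written for --------------------
def signature_hits(flows):
    """Sources that sent udp/1434 traffic beginning with the known MARKER bytes."""
    return {f["src"] for f in flows
            if f["proto"] == "udp" and f["dport"] == 1434 and f["head"].startswith(MARKER)}

# --- Behavioural rule: learn normal fan-out, flag what exceeds it --------------
def fanout_anomalies(flows, window=60, k=4.0, min_fanout=20, min_history=20):
    """Sources whose distinct-destination count in a window exceeds mean + k*stdev
    of the fan-out observed in earlier windows (never below min_fanout, so a
    near-zero baseline stdev cannot turn ordinary hosts into alerts)."""
    per_window = defaultdict(lambda: defaultdict(set))
    for f in flows:
        per_window[f["t"] // window][f["src"]].add(f["dst"])
    history, flagged = [], set()
    for w in sorted(per_window):
        counts = {src: len(dsts) for src, dsts in per_window[w].items()}
        if len(history) >= min_history:  # judge only once a baseline exists
            threshold = max(min_fanout, mean(history) + k * pstdev(history))
            flagged |= {src for src, c in counts.items() if c > threshold}
        # keep flagged sources out of the baseline so they cannot poison it
        history.extend(c for src, c in counts.items() if src not in flagged)
    return flagged

if __name__ == "__main__":
    print("signature rule flagged:", sorted(signature_hits(SAMPLE)))
    print("fan-out anomaly flagged:", sorted(fanout_anomalies(SAMPLE)))
```

The signature rule catches only the host carrying the exact payload it knows about; the fan-out detector catches both scanning hosts, because it keys on what the worm has to do (reach many new peers quickly) rather than on what its bytes look like. In practice the same logic runs as a scheduled search over indexed connection logs, with the baseline window and `min_fanout` tuned to the network; the floor matters because a quiet baseline has a tiny standard deviation and a pure z-score would otherwise flag any host that opens a few more connections than usual.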