UPDATED 15:03 EDT / OCTOBER 10 2014

Big data is the smart tool for the evolving future of cyberdefense | #Splunkconf NEWS


theCUBE Live At Splunk.conf 2014

There’s an old adage about technology that goes something like, “If you build a better mousetrap the world will beat a path to your door.” The flipside to this, especially in the world of cyberdefense, viruses, malware, and worms is that somewhere out there someone is building a superior mouse. The past decade of networked computer systems and infrastructure has shown an ever-increasing drive towards complexity in software and equally increasing perniciousness with the malware that infects it.

During the security keynote speech at Splunk.conf 2014, Mark Graff, Chief Information Security Officer at NASDAQ OMX, spoke about the new paradigm of cyberdefense as it pertains to what businesses face with respect to viruses and security threats.

In short: computer viruses and worms are seeing a trend towards surprising technical complexity that he believes will eventually culminate in self-automating viruses that no longer have a human intelligence driving their proliferation, action, and activation. To defend themselves, businesses will need to employ machine intelligence of equal caliber to detect and stop these threats.

In 2013 Kaspersky Labs detected almost 3 billion malware attacks with over 1.8 million malicious programs detected in these attacks.

The era of smarter, more complex viruses

The first computer viruses acted as self-proliferating software that could attach itself to executable data and spread only through human interaction: copy a file, click a link, load a webpage, insert a USB thumbdrive. For the most part, the infections could be detected at the machine level by anti-virus software and rooted out with ease just by detecting anomalous file changes.

Soon, worms came onto the scene, a type of malware that exploited holes in software code at the machine or network level in order to get the virus code copied where it wanted to go. No human interaction needed.

One of the most prolific was the Sapphire worm (also known as SQL Slammer), which infected the majority of its 75,000 victims in under ten minutes. The worm used a zero-day exploit in the popular MSSQL code, a buffer overflow that let the viral code execute and spread to other MSSQL installations.

That was 2003. The concept of the zero-day attack or exploit, an exploit for a flaw that had recently been discovered in a piece of software and not yet patched or fixed by the vendor, was already well known. Modern-day examples of such flaws are bugs with cartoony names such as Heartbleed and Shellshock, both of which could be exploited to uncover sensitive information or infect systems.

By 2010 a brand new worm with unconventionally high complexity was discovered infecting government infrastructure. Stuxnet was discovered capable of exploiting not just one zero-day vulnerability but four different vectors to infiltrate systems. Stuxnet was also one of the largest worms ever detected, weighing in around half a megabyte in size; most worms of previous eras, such as Slammer, were around 4KB—making Stuxnet 125 times larger than Slammer.

Aside from sophistication and complexity, Stuxnet also had another suspicious element: it was carefully targeted. The code could infect numerous industrial and government networks, but its payload would only activate when it detected a particular system. In the case of Stuxnet, it would only attack industrial appliances that appeared to act like centrifuges. That made it the first worm to be seen as a naked act of cyber-sabotage, because it appeared to target Iran’s uranium enrichment centrifuges.

Anomaly detection and systemic insights needed to overcome machine smarts

Looking back at the evolution of virus software, it’s clear that future viruses will continue to exploit unpatched software, yet-unknown vulnerabilities, and adapt to circumvent already known security systems. As a result, systems that rely on rigid rules or traditional expectations will fail to reveal worms with kinship to Stuxnet.

This is where platforms such as Splunk come into play. The early model of antivirus was to detect changes made to the system under normal operation and check them against known virus signatures; the new model of computer security is to detect intruders by watching the behavior of the network and determine if an act fits expectations.

Since it’s impossible to categorize and analyze the behavior of every virus, worm, and piece of malware out there, it becomes necessary to understand the systems that they infect. The answer to the lesson of the Kobayashi Maru is not to predict every possible attack; instead what’s needed is a comprehensive view of how the system should behave so that when something is out of order it’s easy to detect, contain, and neutralize.

In a Wall Street Journal article about advanced persistent threats, Graff himself wrote that stopping threats is about detecting activities that do not map to normal operations.

“The idea is to narrowly monitor and constrain points of egress–all of them,” says Graff, “and then look for anomalous connections and attempts by automated malware to ‘phone home’.”

Much in the same way that beat cops help deter crime by catching criminals in the act simply by patrolling, Splunk can be used to detect malware in the act by watching for anomalies in system operations. With enough data, analytics platforms like Splunk can fish up strange events for further inspection or reveal problems just by comparing current activity to historical activity.
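The baseline-versus-current comparison described above, written out as an added illustration (not Splunk’s own logic or anything from the keynote): it builds a per-host picture of normal egress destinations from a historical window, then flags destinations a host has never contacted before and marks those that recur at a near-constant interval as beacon-like “phone home” candidates. The log format, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection records (not real data): "epoch host dst_ip:dst_port".
BASELINE_LOG = """\
1000 ws-01 192.0.2.10:443
1100 ws-01 192.0.2.10:443
1200 ws-02 198.51.100.20:443
1300 ws-01 198.51.100.20:443
1400 ws-02 192.0.2.10:443
"""
CURRENT_LOG = """\
2000 ws-01 192.0.2.10:443
2060 ws-02 203.0.113.77:8443
2120 ws-02 203.0.113.77:8443
2180 ws-02 203.0.113.77:8443
2240 ws-02 203.0.113.77:8443
2300 ws-01 198.51.100.20:443
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+:\d+)$")


def parse(log):
    """Yield (epoch, host, destination) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def build_baseline(log):
    """Historical view: the set of egress destinations each host normally talks to."""
    seen = defaultdict(set)
    for _, host, dst in parse(log):
        seen[host].add(dst)
    return seen


def find_anomalies(baseline, log, min_hits=3, max_jitter=0.2):
    """Flag (host, dst) pairs absent from the baseline. A pair seen at least
    min_hits times with inter-connection gaps whose relative spread is within
    max_jitter is marked beacon-like, the signature of automated call-backs."""
    new = defaultdict(list)
    for ts, host, dst in parse(log):
        if dst not in baseline.get(host, set()):
            new[(host, dst)].append(ts)
    findings = {}
    for key, times in new.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = len(times) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter
        findings[key] = {"hits": len(times), "beacon_like": regular}
    return findings
```

In a real deployment the baseline window would span days or weeks of data and the thresholds would be tuned per environment; the structure of the check stays the same.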

Splunk capitalizes on this property of big data analysis, and it even came into play during an event in 2012 when a water pump failure was thought to be an instance of cyberterrorism. According to a big data analysis done with Splunk, it was not. Using the same methods that would have detected and stopped a real attack, Splunk was used forensically to understand the failure and what sparked the cyberterror fears.

Splunk used to head off threats in the enterprise

Splunk.conf 2014 brought out numerous customer stories about how the Splunk platform can be used to address cybersecurity problems. One such example comes from Flagstar Bank, which uses the platform in a manner that fits Graff’s model of proactive analysis.

David Casey, the bank’s Assistant VP, Security Operations Manager, said that the bank uses Splunk for real-time analysis of data throughout the entire network, ingress and egress, to monitor for anomalous traffic changes that might signal an attacker. As a result, the security team is able to react faster to possible intruders or malware, without needing to know about yet-unpatched vulnerabilities (which, by their nature, a security team could not predict).

The result: when threats happen, they get detected, the threat gets shut down, the underlying vulnerability (documented or not) can be discerned by following the attack through the system, and then with that information the exploit can be closed or mitigated.

Casey said that his team was able to fix issues in less than two to two and a half hours after detection.

That is a much better outcome than other reported intrusions, where companies only discover that their systems had been infiltrated weeks or months earlier.

