John Stewart I’ve had the good fortune to have spent a lot of time in Australia over the last 20 years, predominately in my role at Cisco. I’m very passionate about Australia as it’s a country very similar to the United States both as an ally and in terms of global issues. Furthermore, it’s a strategic market for Cisco’s success for both revenue and innovation. Cisco now has a significant workforce down here and because I’m working closely with the Australian defence industry and I have the opportunity to deal directly with the Prime Minister and Cabinet (PM&C) office and sit on the defence review board as one of only two non-Australians representing national strategy.
Executive Editor How did you find the Prime Minister’s advisory council and that process?
John Stewart It was good, but got a bit confused when the Prime Minister switched from Tony Abbott to Malcolm Turnbull right in the middle of our work. This certainly set us back a bit while the new prime minister settled into deal with the priority issues facing the country. From a collaboration standpoint, there was plenty of input and we were submitting dozens of pages of considerations back to PM&C, highlighting the need for government, education and the commercial sector to work together to address some of country’s more strategic issues. Innovation centres in Perth and Sydney are examples of these, where government, education institutions and the private sector are collaborating.
Executive Editor Cisco has reported that it’s detecting 20 billion attacks across its customer base every day and resolving somewhere between 99.2% to 99.9% of those attacks. I am interested in how many APTs are targeting Cisco systems on a daily basis?
John Stewart I think APTs often get mixed up with malware and vice versa. With APTs, the focus is more about who the actor is, but I only care a little about the threat actor as I’m more concerned with what they are trying to do. We’ve had very unsophisticated threats that aren’t really radical APTs, which could potentially be just as damaging if they broke loose as a truly advanced one. I think more about the threat, its impact and how we get resilient against it. I would rather focus on how fast we detect it and what we can do to stop it as quickly as possible. We should be spending energy on making sure that we can detect 99.999999 of the attacks that come in and that even if it gets through all the lines of defence, we’ve detected it within 36 to 24 hours. This is industry leading, especially for a company protecting itself. We are continually trying to improve these timeframes and our aim is to reduce these down from12 to 6, then 6 to 3, and finally down to 1. Once we get down to dealing with all attacks within minutes, we’ll have solved it.
Executive Editor In terms of understanding “Zero Day” threats, it’s taking between 100 to 200 days to detect?
John Stewart Yes, for most businesses the average is 130 days.
Executive Editor And for Cisco customers? Are you are bringing that down into hours?
John Stewart Yes. By October last year, we managed to achieve detection times of 36 hours. The total telemetry we are collecting from malware analysis during every single hour of every single day, along with the total amount of DNS traffic we are analysing, excluding the DNS, is now down to 36 hours for full protection.
Executive Editor That’s pretty impressive. Obviously, following that trend, you’ll soon be getting down to almost real time detection.
John Stewart We can hope. Cisco is always going to be pushing at the edge of this. It was 48 hours in June. We got it to 36 hours in October, and now we are pushing very hard to get it down to less than 10 hours. There is still a defensibility. We want to make sure we are accurate when reporting this kind of data, so, despite all our hard work, we are going to play it conservatively and it might only achieve 20 or 25 hours in the short term, but rest assured, what our customers and our business needs, as a subscriber to our own capability, is to have these detections down to minutes.
Executive Editor I attended a Talos presentation earlier today who detailed how a ransomware group made over US$34M in 2015 – tell me what you are doing to tackle ransomware?
John Stewart Ransomware, by its very nature, is a criminal activity about profit, motives, driven by a series of hacking teams using packaged software that get into your computer in some way and lock up your data and demand money to unlock it. Cisco’s policy has been extremely aggressive in detecting the teams that are developing ransomware, along with the infrastructures being used to deploy it. We’ve also invested a lot in protecting our own computer systems from ransomware and how to disrupt it before it activates so that you are in effect immunised before you get actually hit.
What is obvious though are three things.
Number 1: If you have failed to patch your computer or mobile device, you are vulnerable to all types of attack, ransomware being just one. What steps do you take? Patch your computers. When systems report that updates are available, you need to update right away, don’t hold back.
Number 2: Social engineering techniques for gaining access to your computer are very effective. You might receive a link in an email attachment or you might go to a website which already has malware on it. This is what needs to be disrupted, maybe by your service provider, sometimes by a vendor and sometimes by the company you work for.
Number 3: If you get hit, there are only a couple of options, Firstly, many law enforcement agencies, along with vendors like ourselves, have devised ways to reverse ransomware and malware installations. We can also retrospectively detect it and remove it. However, there are still going to be times when there is no option but to engage law enforcement and hope they can help you regain your data.
Executive Editor In Australia we have ACORN, the Australian Cybercrime Online Reporting Network, but we don’t have mandatory reporting yet. Are you pro mandatory reporting.
John Stewart Kind of. All too often, when an organisation is forced to report a breach data, the theory is that the mandatory disclosure will help the affected party or the consumer most affected. However, as this is near real time and, of course, you now have knowledge of the data at an aggregate level and know how big the problem is, there are some consequences that can be counterproductive. You can have the best strategy, you can have the best approach, one that is truly effective, leading in its class, but if you get eviscerated as a result of reporting the breach, now you’re the victim, getting victimised as a result. That part has got to be calibrated since the purpose of mandatory reporting is not to further beat the company that was attacked, it’s supposed to be about making sure the consumer is aware and that shareholders are briefed that an issue has arisen. Doing it right should not turn what should be a positive approach into punitive behaviour against the company that was victimised.
Executive Editor I like to think like a criminal, so I need to ask you, John, there are always going to be new capabilities for criminals, so how do we guard against these? Is this even considered at Cisco? Is there someone on your team red teaming new capabilities as they are discovered?
John Stewart Absolutely. Cisco is taking a broad approach to security considerations. To us, security is more about a state of protection, a state of privacy, hardware and software assurance and validation to build security in the right way and operate it in the right way. It must not turn into a vulnerable part of the problem. Each and every system has to be designed as best as is currently possible and tested rigorously to determine if there are any weaknesses in the design. Since you think like a criminal, you know there is always going to be crime; this is not something that is going away. Crime has always been part of society, but how do you ensure it’s contained and eradicated? With new technologies, you can start identifying behavioural patterns of people movements. Cisco’s CMX is a really good platform for that, identifying data privacy concerns and movement concerns. The architecture has a whole series of protections designed in to it, built on the theory that the individuals walking around, who would voluntarily let the world know, “hey, I am here,” versus this happening automatically. That’s one of the big issues, data privacy and personal privacy, which is exactly why there is a chief privacy officer at Cisco. I hired her to consider these issues and help educate us all, making Cisco a class leading, industry leading company.
Executive Editor Great Answer. I have seen capabilities for law enforcement in using CMX (Connected Mobile Experiences), such as for parolees or registered sex offenders moving into ‘Hyper-Location’ areas, such as Cities, Centres and Campuses. Have you seen any applications like that? You have been dealing with National Security, was there interest in the technology to track people who are under surveillance?
John Stewart I don’t know of any examples of that myself, certainly not at this stage. The PM&C are talking about national policy over the next 10 years. This includes education cycles to prepare for the coming services-based economy in Australia. This year’s big focus is on education, overall country-level awareness, mandatory breach reporting and discussions in each of these topics and what the threats to Australia are from an electronic standpoint. There are use-cases when you build technology, such as the original focus in CMX around advertising and globalisation and how you get directed to the right thing for a particular situation. When you develop a technology, other use-cases arise, which include some of the ones you described in the question. I have been asked similar questions, in terms of the use-cases you fielded, but I know for a fact that any one of the examples you describe could be possible, and in all candour this is when you have to design security in, you have to design resiliency in, because what its built for might be turned into something else. You don’t want it to become the threat when it was supposed to be designed for something good.
Executive Editor Beautiful, let’s stop it there, well done. Thank you so much John, it was great to meet you.
John Stewart Thank you.