
Cybersecurity Module 2: Trends in Malware - Joshua McCloud
Malware issues (00:24)
Historical malware examples (00:24)
So I think a lot of you are here, undoubtedly, because you've been hearing about
everything that's been going on with malware. We, every week practically, hear
something in the news about somebody who was attacked, somebody who's lost
money, somebody whose reputation has been compromised, and some very
sophisticated piece of malware is behind it. I'd like to review some of the most
recent high-level events that we've seen in these terms.
So if we go back a couple of years, not even that far back, you probably
remember one of the most significant attacks involving malware in probably
recent history. This is incredibly sophisticated. This happened in Iran to their
Natanz Nuclear Processing Facility where they take, you know, low-grade
uranium fuel, enrich it into high-grade, and they were attacked by a virus, which
came to be known as Stuxnet. This was something that was developed by the
U.S. government and Israel, as it was later attributed, but they've never formally
admitted to it, but all the evidence seems to point in that direction. And this was
extremely sophisticated, because this malware was customized for that specific
environment in the nuclear processing facility in Iran, and how they got it into that
environment certainly required more than just computer hacking. It required a lot
of human intelligence, perhaps compromising people, espionage agents, and
malware was just one part of it that was ultimately used to destroy some of the
centrifuges there.
If we fast-forward a little bit, look at more of a corporate example, the offices of
RSA, a security company, were compromised not too long ago. A lot of you may
know RSA. They're a company that develops various security products, one of
them being these one-time secure password tokens. So if you use it-- if you have
a bank where you have to enter a one-time PIN before you log in, that all comes
from RSA, and one of the things that happened to RSA is, one of their
employees received an email with an Excel document attached to it, and that
Excel document had a piece of malware attached to it. The malware infected the
computer, spread into the network, and eventually compromised the proprietary
algorithm that RSA uses for these one-time PIN generations. Now, the
consequences of this attack are pretty far-reaching, and we don't know
everything that may have come out of it. One thing that is thought is that the
compromise of these PINs allowed people to get into Lockheed Martin's
infrastructure and steal blueprints for some military projects. So the
consequences here can be incredibly serious.

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public

Page 1 of 15

Module 2: Trends in Malware


Even more recently, the Saudi Arabian oil industry was compromised. You may
have heard of this attack known as Shamoon, and this is a virus that infected
around 30,000 workstations inside Aramco and did a range of things, from
stealing information, providing remote backdoor access to the computers. It was
a pretty comprehensive penetration, and we're not exactly sure, though there is
speculation, what the ultimate goal of this attack was. Was it simply to disrupt
their operations, or is there something larger at stake?
And that feeds into one of the most recent high-profile attacks that we've seen
within the past couple of weeks. A company known as Telvent, based in Canada,
was attacked by an unknown virus, an unknown piece of malware. They believe
that some Chinese hackers were behind it, a group known as the Comment
Group, but all of this is fairly vague. What they do know is that the malware was
able to steal some blueprints to software that they use for controlling systems,
industrial control systems known as SCADA, and what the ultimate aim of this
attack is, is unknown. It could be that the information will be used in a subsequent
attack. And all of this is a growing problem, not just in its severity but in our ability
to deal with it.

Scope of malware issue (03:57)


If we look at some of the statistics, we're only capturing about 50%-- 53% of the
malware out there, so of all the downloads that we're doing, only about 53% of it
is being caught by our antivirus, our firewall, our intrusion protection systems.
47%, roughly, is going unnoticed. On average, every day, we're seeing two new
pieces of malware appear. That means something that has never been seen
before.
Now, there are a number of statistics on this that you sometimes see out there.
You will hear very often the antivirus industry saying, "We're seeing thousands
and thousands, like, 12,000 new pieces of malware a day." That's--that's a
slightly misleading statistic, because, in fact, what they're mostly seeing is
modifications to existing malware, maybe something that is changed slightly in
the code or some functionality that's been augmented, but if we look at actual
brand-new pieces of malware, we're getting about two per day, but that's still a
lot. That's over 700 per year. And these are doing things that haven't been done
before, and it's dangerous, because when we look at the breaches, security
breaches out there, so, like, 49% of those security breaches involve some form
of malware, so they're-- they're crucial to the attacks. And it's just growing
exponentially.
A statistic I recently saw: over the past year, the number of domains issuing
malware has grown by over 200%. So we're not catching it. It's a significant
threat. We're not catching as much as we need to be, and it's a problem that's
very much growing. So we haven't really properly defined malware yet. There are
a lot of definitions out there.


What is malware? (05:39)


Definition (05:39)
I pulled this one up from Wikipedia, and I think it does a pretty good job of
capturing what this is about. Malware is short for malicious software. It's an
agglutination of those two words there, and critically, what it's used to do is
disrupt computer operations, gather sensitive information, or gain access to
some private infrastructure. Now, when we think about malware, there are a
number of key characteristics that can define its behavior.

Key characteristics (06:04)


It's software that is designed to infect a system. That means to find some
vulnerabilities inside that system, get inside, and establish a foothold that allows
it to do something, usually nefarious. Malware's designed to conceal itself. The
longer it can stay on the system and hide itself from detection, the more
effectively it can do its job. It obviously proliferates, and in more modern
circumstances, we're seeing it proliferate in a lot more effective ways. That
means it gets inside a machine, it infects it, it hides itself, and then it copies itself
to another machine, spreading and looking for information and other things that it
can compromise.
And compromising is ultimately what the malware is all about. It's trying to get in
there and understand what secrets you might have, what information it can
exfiltrate, and get that out. And who knows, again, what the end goal is for this
malware? Some people use it to steal passwords. Some people use it to steal
blueprints. Other people use it as a way of stealing money. There are many
angles, and those angles are growing because of the nature of malware. As I
say, you know, malware is designed to do a number of different things, but there
are actually various subcategories of malware.

Subcategories (07:20)
Malware is a general, broad term, but if we look more specifically, there are
terms within that describe particular behavior of malware. Here you have a list of
general types of malware. So viruses, viruses are malware that attach
themselves to other things. So it may attach itself to a spreadsheet or to an
application and uses that as a vehicle to infect a system.
A worm is a type of malware that is capable of doing the infection and the
spreading all on its own, so it is a self-sustaining program that's written to get into
a system and propagate itself.
Trojan horse is a type of malware that usually masquerades as something else.
So somebody may try to convince you that your system has a virus on it, and in
order to inoculate yourself, you need to download a software package, when it
turns out that, in fact, that software that you downloaded to get rid of the virus
actually contains malware. And this is something we see a lot about out there,
people using what we describe as social engineering techniques, compromising
people's naiveté or uncertainty about the information they receive in an email and
getting them to click a link that takes them to a bad location, and they ultimately
download something malicious.
Rootkit is a type of malware that very specifically focuses on opening up access
to a machine so that somebody remotely can control it or take information off
there, and spyware is a little bit of a variant of that where it's a type of malware
designed to spy on the system, to monitor it, to see what type of activities are
going on.
And adware is not necessarily the most nefarious thing out there. It's usually a
piece of malware that gets onto a system and displays advertisements, whether
you want them or not. All of these are types of malware. They perform specific
functions, but oftentimes, they're used in conjunction with each other. In fact, one
piece of malware can incorporate a number of these different functions. One of
the challenges in malware is understanding, as I've talked before, what is the
purpose?

Players/purpose/goal (09:25)
What is the goal behind this malware? And that very much depends on who's
using it. In the past, I think we would largely think of malware in terms of some
hacker or super intelligent person who's written this software to go out there and
crack into super secret sites. Certainly that still goes on out there, but malware, in
many ways, is increasingly a means to an end. When we talk about the Stuxnet
example that was very sophisticated, advanced malware pre-created by a
well-funded government, the United States and the Israeli government. What was
their purpose? Was their purpose just to hack in to the Iran facilities and see
what was going on? Or did they have a more strategic aim, to prevent, perhaps,
Iran from getting nuclear weapons?
So malware, in that case, was a means to an end, and governments see this as
a form of warfare. In fact, they describe it as the fifth dimension of warfare. You
have land, sea, air, space, and now cyberspace, the cyber dimension. Organized
crime is getting very big behind malware. When it comes to organized crime, you
know, generally, they don't care how they make money. They just care that they
do make money. So organized crime will get into drugs, human trafficking,
prostitution, arms distribution, all of these things. Well, if there's money to be
made someplace, they will go into that as well, and increasingly, organized crime
is involved in malware activities. And they've got a range of very sophisticated
businesses around this.
One, for example, is that if you have a piece of malware that you've written, but
you, perhaps, don't have the wherewithal to get it distributed-- you want
somebody else who has a network or who has ideas on how to distribute it to do
it for you-- you can approach certain companies which will take your malware,
and for a fee, for every, you know, X number of workstations it gets installed on,
you pay them. And you can pay them more if they get it installed on workstations,
let's say, in high-security areas or in countries like the U.S. versus China versus
Russia, et cetera.
Terrorists are also leveraging malware. It may not just be for direct attacks. They
oftentimes will use malware to gain funds in order to conduct their operations,
and not too long ago, this was revealed with an Indonesian terrorist organization
known as, I believe, Islamic-- Jemaah Islamiyah, where it was revealed that they
were using malware and hacking techniques to get money by compromising
AT&T's network, which was then funneled into terrorist activities. And we
certainly see a lot of activists who develop and use malware. In fact, many
activists are really doing it to draw attention to a cause.
And then, of course, there's a catchall category we might call opportunists,
people who are unscrupulous, who just want to find a way to make a quick buck,
who want to test out their skills. But these-- this broader landscape of actors has
complicated the creation of malware and what it's ultimately being used for. What
are the end goals? And the work that each of these different communities is
doing on malware feeds into other people. So if an activist creates a piece of
malware for one purpose, there's nothing to stop an organized crime organization
from using that malware for their purposes or even the government using the
networks built by organized crime for their purpose.
There's an example that I think is really interesting that stands out in this case. In
2007, the Estonian government decided to relocate a Russian war memorial, and
that was followed by several days of riots and protests. And then after that, they
came under a large and sustained Denial of Service attack, which is an attack
where a lot of computers which are under the control of somebody-- this is known
as a botnet-- was used to send traffic to the various government websites, then
caused that website to come down. It is thought that this network of botnets was
developed by an organized crime organization, and then the Russian
government borrowed it temporarily in order to use it for this particular type of
attack.
So you can see, there's a very complex interrelationship growing between the
people behind the malware and how they're developing that malware out there.
But malware is not necessarily something new. It's something that's been around
for a while. It's-- from the earliest days, I think one of the earliest pieces of
malware, at least that's widely known, is the Morris worm. That came out in 1998,
and it was very sophisticated for its time. It was a piece of software as a worm
that was designed to probe a computer system for vulnerabilities-- a port that's
open-- using some things known as Remote Procedure Calls and then get itself
onto that system. And then after it infects that system, it would start to overwrite
the memory of the system, getting the system essentially to run the code that the
worm has contained in itself. And from that, that system would then become
infected and further propagate the worm.

Flash forward to 2001, a pretty popular virus known as Nimda started to use a
more sophisticated technique for infecting machines. It would use email scams,
things known as phishing, where you try to convince somebody that what they've
got is a legitimate email sent to them by a legitimate person, and attached to that
is something they want you to click on. And so Nimda would use those vectors,
and it would download itself onto a PC, overwrite system files, and open up the
system for administrative control to somebody outside the network.
Going forward, in 2005, we saw an interesting case of malware, and this is one
that I don't think started out initially as malware, but it really turned into a type of
malware. In 2005, Sony, trying to deal with copy protection for their CDs, put
some software on their music CDs such that when a person installed that CD in a
computer, this software would be copied onto the computer, and the purpose of
the software was to keep people from copying the music, but what it did is, it
opened up certain vulnerabilities on the system. And as hackers out there found
out about this software and what it did, it gave them the ability to hack into the
system and take a degree of control of it. So this was not necessarily designed to
be malware, but because of the vulnerabilities it created, it ended up, in a sense,
becoming a type of malware.
And these are just a few of the examples. Literally, you could spend days and
days talking about high-profile attacks, different types of malware. What's clear,
as you can see from the graph, is that over time, the complexity and the
consequences of malware have gotten more significant. So when we look at
today, modern malware, it's off the charts how complex and how focused it is.

Modern malware (16:24)


Let's just take a look inside modern malware, and we can see some really
interesting, sophisticated characteristics. One thing about modern malware is
that it's become extremely targeted. If we think back to Stuxnet, that piece of
malware, that was very specifically targeted to a particular environment. If that
malware was able to get inside a particular type of network and knew what it was
looking for, something called a programmable logic control built by Siemens-- so
a specific device by a specific manufacturer in a specific configuration-- and if it
found that, it would go into attack mode, but if it didn't, it wouldn't. So it obviously
takes a lot for somebody to write that, but increasingly, instead of just writing a
general piece of malware and throwing it out there, people are spending the time
to figure out what it is they want to go after and then write the malware to
specifically go after that.
Another thing we see in malware today, which is pretty baffling-- it's something
known as-- they've become polymorphic. Now, this is just a fancy name,
because, you know, in the industry, we sometimes like to have fancy names to
make it seem like what we're doing is complicated or difficult. "Polymorphic"
really just means "better." Something changes itself-- that it changed itself on the
outside or the inside, that over time, this is something that has the ability to
self-change. And that's one of the things we're seeing with modern malware, that
every time malware gets installed and propagates, it changes. It does this
sometimes by changing how it's encrypted.
A lot of modern malware will encrypt itself so that people can't figure out what's
going on with it. Oh, was there a note there? Okay, sorry to keep-- sorry.
Somebody just passed me a note, and I'm trying to juggle a couple things. So,
you know, as it gets into a system, it will oftentimes encrypt itself so that people
can't-- reverse engineering it-- reverse engineer it and figure out what's going on.
And then when it gets copied to another machine, it will re-encrypt itself in a
different way so that each time the essential functionality of the malware remains
the same, but to outside appearances, it looks the same. I'm sorry. It looks
different. It looks like a completely new piece of malware. So ultimately, we have
to really be concerned about that, because that is doing a good job of evading
what, you know, we're trying to do in terms of defending it.
Modern malware is also very persistent. It has a way of not only copying itself to
a lot of different systems but also getting itself on there-- Looks like my camera
angle has just been changed here, so I'm going to try to deal with this. It's
different here, so I apologize for that. So one of the things is that modern
malware has a good way of obscuring its presence on infrastructure. It will
oftentimes obscure the fact that it's running by fooling the system into thinking
that it's actually not running. If you look at the processes on the system, you
won't see that there's this extra piece of software there. It will cloak itself by using
standard file naming conventions, hiding itself, and then take what's called a low
and slow approach to propagation, which means that it won't send out a burst of
network activity. It will send little bits of traffic out, trying to find weaknesses in the
environment, and copy itself in a way that won't, hopefully, you know, on its case,
raise itself to the level of detection.
And the other thing is that modern malware is increasingly part of what's known
as a botnet, meaning it's under some type of remote control. And this means that
somebody has installed malware on a number of different machines out there.
Those machines have become bots or slaves, and they report back to and
communicate with a centralized command and control server. And this is
incredibly powerful. It gives people the ability to direct the activities of a whole
fleet of systems out there. It gives them the ability to update the malware itself.
So, you know, if somebody's written a signature to discover it out there, they can
say, "Uh-oh, I need to make changes to this malware here, so let me push out an
update."
So with all of these changes in malware, the other thing that we have to think
about is that malware is not just necessarily used alone for a particular purpose.
Increasingly, we are seeing malware used with other activities to form a wider
integrated attack. We can very often characterize an attack by a series of steps,
and in each of these steps, malware may or may not be used.

First step, very often, is that somebody will scout a particular environment. They
also call this fingerprinting. This is trying to find out what systems are inside that
environment. What's going on? What are the potential avenues of attack or
vulnerability? Malware may or may not be used in this, but this can just be one
part of attack, not the attack itself. And then the next step is often some type of
infiltration. So once the malware has figured out the environment out there, it
tries to find a way in. And there are some really clever ways that people have
found to get around traditional security systems. Why sit there and try to hack
through a firewall or some type of other security system when you can get inside
their network in a completely different way?
One way that we've heard about is at conferences. We all sometimes go to IT
conferences, and we visit vendors' booths, and a lot of times, those vendors will
have giveaways, like USB sticks. Well, some people have gone up to those
vendors' booths and left behind some USB sticks. So somebody comes along.
They pick it up. They connect it to their laptop, and unbeknownst to them, a
malicious piece of software got copied to their hard drive. And the next time they
go into the office, that malware has an open door into the infrastructure. No
complicated hacking going on. Of course, then once it gets into the environment,
the malware needs to spread. It needs to spread both from a resilience
perspective but also because it needs to be able to find vulnerabilities.
Depending on what the end goal of the malware is, it's looking for high-value
targets, maybe internal servers with proprietary information, financial details. And
then ultimately, somewhere out of that is the attack. And as I say, ultimately, it's
hard to know what the actual attack is. It could be to disrupt a nuclear power
plant or a control facility. It could be to exfiltrate information.
But the important thing is, we don't just need to focus on the attack itself.
Increasingly, we need to look at the pattern that constitutes the integrated attack,
because all along this chain, malware may or may not be used, and it's not
necessarily the attack that we're seeing out there.

Defense against malware (23:14)


So this may seem pretty grim, you know, when we talk about the sophistication of
malware and this kind of cat-and-mouse game, each trying to stay ahead of each
other, the security researchers trying to get ahead of malware, and the virus and
malware writers finding a new way around it. It can be quite a difficult task for
how to deal with this, but what's important is not just the technology that we have
in place. Certainly, we do need things like antivirus software, firewalls, intrusion
protection devices, and new generation devices that do some pretty nifty things.
What's important is to have a more modern approach to how we deal with the
malware problem, recognizing that it's not simply a technology issue. One of the
first key fundamental things to approaching how we can secure ourselves in our--
in this environment is to take what we describe as an architectural perspective.

Now, I'm not gonna go into much detail, but I will give you an understanding of
what this is. But, you know, from a quick sense, architecture is about taking a
broader view of the challenge that you're faced with, not simply looking at things
in terms of a technology problem that requires a technology solution but thinking
from the business as well. What are you trying to achieve, and what are the
different ways, including technology, you can go about achieving it?
Another key thing is to begin to look differently at how we approach the threat.
I'm gonna talk about this in just a bit, but increasingly, intelligence is becoming a
key asset for addressing the malware problem and also having greater context
on the information about the threats out there.
And then finally, we need to be able to protect the infrastructure as it serves the
purposes of the business, because the infrastructure is out there for businesses
to conduct their activities. People need to access information and access their
email, and we need to be able to keep that secure, and increasingly, that security
requires automation and needs to be policy-based. So let's look at each of these
approaches in turn. And one thing I want to emphasize here: I'm not gonna talk
about any specific technology or product. That's not the purpose of the session.
The purpose of this is really to help you understand what malware is, the
challenge it poses, and then how we can address it through approaches. There
are products and solutions out there, and we will certainly go over those in
subsequent sessions, but I want you to understand the bigger picture. Part of that
bigger picture is taking the architectural view.

Architectural perspective (25:34)


An architecture really defines an approach. It's about how you look at a problem
from a broader perspective and a higher-level view. When we think about
security, protecting ourselves from malware, what is the purpose of what we're
doing out there? I think some people may have looked at this and said, "Well, the
goal of our security is to eliminate vulnerability inside of our network." Now, that
sounds like a good goal, but does that goal necessarily guarantee security?
Because you may find out that you've eliminated all the vulnerabilities in your
network, but yet somebody's found a backdoor way to do it. So are you secure?
Have you achieved your goal? With an architectural approach, one of the most
important starting places is by defining, what is your goal? What are you trying to
do? Are you just trying to eliminate vulnerabilities, or are you trying to keep
sensitive information from being compromised? Are you trying to protect valuable
assets? Are you trying to prevent the disruption of a nuclear power facility?
You really have to start with thinking of security in terms of your end goals before
you start to go down the road of, "What products, what solutions, and what
processes do I need to undertake?" From goals, then we need to look at how we
can realize and implement those goals in a particular environment. Hold on a
second. Sorry. My laptop just froze for a second. And this is the area of policy
and governance. This is, again, more at the business level, but this is how we
translate our goals into something that functions within the business.
So policy is really the rules of the business. What are you allowed to do, and
what are you not allowed to do? And governance is about how you put those into
place and make sure that they're being implemented effectively. So if we try to
achieve our security goals, we certainly have to have policies, things that define
how people are allowed to use the infrastructure, what they're allowed to do
when they're inside of the network, and then ways to check that that behavior is
being honored and respected.
And, of course, we need operations, because technology alone does not make
us secure. People, processes, technology, and other things together need to be
combined in an operational way that allows people to implement the policy and
the governance rule that ultimately achieve our goal.
And at the end of it, then ultimately, we will have some sort of underlying
infrastructure, and that infrastructure that we really need has to be a platform.
And when we talk about a platform, what we mean is an end-to-end capability,
not a collection of individual devices but something that is connected, that has
the ability to share information, that provides a feel of trust, meaning that this
device does what it's supposed to do, and you have a high degree of confidence
in that, that it's resilient, because it's not just a question of blocking attacks. We
get attacked, and we will get attacked in the future. The question is, can we
withstand the attack? And how does the platform play a role in ensuring that level
of resiliency?
And then increasingly, having visibility throughout our infrastructure-- we need to
be able to see what's going on in all locations and all times in order to really
understand if our network is being used for the purpose-- network and
infrastructure-- is being used for the purpose it intended and if we're achieving
our security goals.
Now, I recognize this is a little bit high-level, and some of you may not be familiar
with architecture or the concept and the various ways of going about doing it, but
conceptually, it's really just about taking a broader view of the picture and not
thinking solely in terms of technology and product as the way to solve this
challenge.

Intelligence-led and contextual (29:16)


Now, the next issue has to do with one of the innovative ways we can approach
this challenge. So we've got architecture, which helps to guide what we do, but
we also need some advanced tools and capabilities, given the complexity and
sophistication of modern malware.
One of the things that, you know, has historically been the approach to dealing
with security threats, whether it's malware, viruses, all sorts of things, is to look
for what we know about, right? If you know about a virus, you write a signature
that will then look for that virus in your environment. That works great if you know
what you're looking for, but as we mentioned, modern malware is very sneaky. It
changes itself. It hides itself. So we can't necessarily rely solely on these
signature-based methods.
What we need is a way of trying to get ahead of the problem, because once we
find something in our environment, in many ways, it may be too late. We've
already been attacked. How do we prevent this from happening? How do we, you
know, close the barn doors, essentially, before the horse gets out, if you're
familiar with that inspection-- the expression. And this is where the role of
intelligence comes in.
What I'd like to show you here is a graph that a colleague of mine came up with,
and I think it's a great way of illustrating the value of intelligence and what it
means to dealing with modern malware. Here we see two lines in this graph. The
vertical line is capacity, which describes our capacity to deal with certain
situations. And the normality line, the horizontal line, describes, you know, how
normal things are on a day-to-day basis.
So we wake up. We have our breakfast. We go to the office. We have lunch. We
come home, dinner, go to bed. All of those things are normal activities. But when
an event happens, suddenly we're thrown out of this normal environment. And
let's say that this event is some type of catastrophic attack on a power facility.
Somebody's used malware to attack the power facility, brought it down, and the
consequence is-- is that, let's say, at the hottest time of year, there's no electricity
or cooling for residents in a city. That will take us away from the normality line,
and it will also impact our capacity in two ways.
In one way, it will require us to increase the amount of resources we use to
address the situation. So suddenly, we're going to involve law enforcement.
We're going to involve emergency responders. We're gonna be throwing a lot of
resources at the problem as this event occurs. And then, of course, as the
problem is addressed and things start to return to normality, then we'll see a
reduction in the amount of resources we deploy.
But conversely, at the same time that we're hit by this event, our capacity to
respond and deal with emergency situations is reduced, because if our resources
are deployed in one place, then we can't address another situation. Everything
that we talk about on this side of the line of the normality curve describes
essentially how we approach security today. It's about responding to it, finding
that virus, and recovering from it, cleaning it and disinfecting it, and this is
obviously not enough. What we need to try to do is get ahead of this curve, and
everything ahead of this curve is what we generally describe as intelligence. And
that's about anticipating the attack or tackling it far upstream before we get hit.
And all of these activities are why intelligence agencies exist.
And what they do is, they plan. They try to think about, "What are the
consequences if somebody took a power facility off-line?" They analyze
situations. Who could be behind this? What could they possibly be trying to do?
And what can we do to perhaps prevent that from happening? And they monitor.
They look for things that are telltale signs that an attack may be coming.
Everything on this side of the normality line can be described as the stages of
preventing and preparing for an attack.
And I would say we now increasingly need to balance between the two sides. In
our security approach, we focus largely on impact reduction, trying to keep
something from happening. When it happens, we deal with it, and then we clean
up afterwards, but more and more, we need to focus on the left side, risk
reduction where we leverage intelligence, which is collecting information about
the outside environment, about what other people are seeing, analyzing it, and
it's using it in a way that gives us some indication of what might be coming so we
can tackle it far upstream, which means that we don't have to deal with the cost
and the degradation of capacity when this event happens.
Now, context plays into this as well. As you notice, I mention two things,
intelligence and context. Now, this is in a way that I like to talk about context. You
see before you a split screen, and on either side of the screen, you see two
figures. Some of you may look at these two figures and say, "Well, what I'm
seeing on both sides is a letter." Some of you may look at it and say, "What I'm
seeing on both sides is a number." Well, you may be right. You may not. There's
really no way to be certain just by looking at these two things, but when we bring
in context, suddenly, we've shed some light on what's going on.
We can now make a better determination of what we're seeing, so that it turns
out what's on the left side of the screen is actually a letter, the letter B, and
what's on the right side of the screen is actually a number, the number 13. And
this is where context comes into the role of intelligence in a modern approach.
Just looking at the signatures or the core piece of malware out there is no longer
enough, because malware hides itself. We need to look at the context of it, and
that means looking at, what workstation is this malware getting installed on
potentially? Who is using this workstation? What do they have access to? And
what is the broader behavior surrounding this malware?
Since the malware is increasingly operating across the network, we can see
certain behaviors that we might describe as anomalous, and increasingly, by finding
these anomalous behaviors, these things that are outside of the normal scope of
things, we can develop a level of context that tells us if we're really finding
malware.
So this is one of the key approaches. We need to be able to bring together
intelligence, which is information outside of the traditional scope of what we're
trying to protect so that we can get ahead of the problem, and then context,
which is all sorts of information in our-- in our infrastructure that can maybe give
us a clue as to what we're seeing and whether or not that is something that's
anomalous. When you bring these things together, we develop a new level of
insight that is beyond simply looking for what we already know. It's about looking
for things before they happen to us and finding things that are unknown but
perhaps are anomalous and out of context in our environment. And this brings us
to the third core.

Automated and policy-based (36:04)


We've talked about a high-level approach based on architecture, looking at the
broader goals and the operations around how you secure yourself, looking at the
role of intelligence and context and how that can help us prevent and uncover
malware, but ultimately, the business still needs to function. It--the infrastructure
is out there for a purpose, for people to conduct their day-to-day activity.
Now, when we think about traditional security, it's been very much about building
static perimeters. People put things in place, security controls, and then they fit
people into little boxes or devices into little boxes. So, for example, we determine
that only certain users are allowed access to the infrastructure. We say that they
can only use certain devices on that infrastructure. There are only certain ways
that they can connect to that infrastructure, maybe only through the office
headquarters. And then the resources that they're allowed to access are limited
as well. This maybe has served us well for a period of time, but the problem is,
this doesn't reflect the reality of modern business.
The reality is that all of these things have left the perimeter. They're, in many
ways, outside the static perimeter that we built. So users are no longer just the
users who work at the company. Sometimes they are partners. Sometimes they
are contractors. Sometimes they are guests visiting your network, and they want
to get access to the network. Devices are no longer just the thing that IT issues
you.
If you've heard of bring-- the Bring Your Own Device movement or Bring Your
Own Application, now everybody, in many cases, is using whatever kind of
device they want to use, an Apple laptop, an Intel PC, an iPhone, an iPad, et
cetera. IT doesn't necessarily have control over what you use. And they have
less control over how you access the infrastructure. It's not just about connecting
from the headquarters location. You may be on the road. You may be at a
Starbucks. You may be someplace that IT wouldn't normally expect you to
connect from, but you still need to get access to that information.
And information itself, the resources you want to access, that's also moved
outside of the static perimeter. With the advent of virtualization and cloud
computing, we now see our information being pushed into new locations running
on public clouds or community clouds. So in all of these cases, the idea of having
a static perimeter not only doesn't work in protecting us. It doesn't serve the
business. So what we need to do is, in many ways, refix the perimeter, and this is
where automation and a policy-based approach come in.
In many ways, we could say the modern perimeter is not a static perimeter. It's
not just firewalled computers and devices. In modern circumstances, the modern
perimeter is identity and policy. And what that means is the ability to know what's
on your network, who is connecting to your network, and how it's being
used across all of the different devices in your infrastructure and at all the
different layers, the application layer, the network layer, the device layer. Identity
and policy is about being able to know, first of all, who is connecting to your
infrastructure? Being able to literally identify that to a person and know, is this
person somebody who belongs on our network? And what resources and rights
do they have? What permissions and access do they have on the infrastructure?
What kind of device is being used? How are they accessing the infrastructure?
We need to know if it's an Android-based device, an iOS-based device, a PC, a
Macintosh, what have you, and what type of hardware is it running on.
And again, policy gives us a level of control over permitting or denying that use.
Also, where are people connecting from, and when are they connecting? Are
they connecting from the office or from a remote location, during business hours
or outside of business hours? And then ultimately, what are they trying to get
access to? The information about being able to identify each of these, know what
they are, and associate them with a policy is what is the modern perimeter,
because this is what allows us to draw dynamic boundaries over interactions so
that you can say, "This person is allowed to access the infrastructure using this
device in this location to get access to that resource." Monitor it, and control it. So
we very much now rely on identity and policy as the modern boundary or the
perimeter rather than simply locking everything down and ensuring that our
security controls are very static.
So we've covered a lot of territory here, and, of course, there's a lot more that we
can go into, but the key thing I want to impress upon you is that though malware
is a growing problem-- it's growing in sophistication; it's becoming more
complicated, more targeted; the actors behind it are becoming broader in their
goals, perhaps more undeterminable-- even though it's a growing problem out
there, we don't need to lose hope. What we need to do is adjust our approach to
how we deal with this situation, and as I've mentioned, it's not just about
technology.
In fact, technology, in many ways, is the final thing we bring in after we have
done a lot of other things, and that means taking an architectural approach where
we start with, what are the goals? What are we trying to achieve? How are we
gonna put those goals, if there's a goal, in an achievable way into practice in the
business? How are we gonna run the operations to make sure we're doing
secure things? And then ultimately, of course, use the correct infrastructure to
secure ourselves.
One thing I want to make clear: I'm in no way saying that we're getting rid of old
security infrastructure, antivirus, firewall, intrusion protection. These all serve a
very important, crucial piece in the overall security puzzle. What we need to do is
augment it by adding certain capability such as leveraging intelligence and
context so that we start looking for information that helps us get ahead of the
problem, that gives us a risk mitigation approach rather than simply a
vulnerability capture or elimination, that allows us to look at the problem not
solely as one individual thing but how that thing appears in context in a way that
will tell us whether or not we actually have a problem.
And then, of course, drawing perimeters that support the business, that allow the
business to be secure, but support the way people work in the modern world, and
identity and policy are the bases.
So with all of this said, you know, what I really want to emphasize is that it's not
just about modern technology and modern network infrastructure, modern
design. It's about a modern approach and using all of these capabilities and this
new perspective to really deal with the challenge we see in malware. With that,
I'd like to thank you very much, and I will turn it back over to my colleague Emma
for wrap-up.
