Data Privacy Expert Defines ‘Moving Target Defense’

'TF7' Guest Says Approach Hinders Adversaries



Dan Gunderman
07/10/2018

On the July 9 episode of “Task Force 7 Radio,” host George Rettas sat down with CryptoMove CEO and Co-Founder, Michael Burshteyn, to discuss entrepreneurial innovation, data security, encryption and more.

To kick off the show, Burshteyn discussed some challenges and benefits of being a startup in a crowded market. Burshteyn said that while the space is highly trafficked, many innovative technologies stem from new companies. Conversely, he acknowledged that oftentimes, recruiting, financing and gaining customers are always a challenge.

“As a CISO, or as a security team interfacing with the rest of the company, there are priorities and a budget, so is it really possible to look at hundreds, or thousands, of security startups?” the “TF7 Radio” guest said. “In some sense, it’s a crowded market. At the same time, there is exciting innovation… A lot of times it’s driven by startups.”

On being an attorney, and technical literacy in the space, Burshteyn said, “(Often), there’s a lot of interesting technical nuance to some of the incidents that end up getting litigated. You have judges, a legal system, and even laws that are not necessarily up-to-date on the latest and greatest technologies and attack approaches. It makes a difference in how cases are looked at and decided.

Securing Your Data

Where does the space stand with data privacy?

Burshteyn said, “Security and IT teams control the network and the infrastructure. It makes sense to focus on controlling that, whereas users control data… Users are (now) creating data all over the place. Security teams have a hard time getting involved in those workflows. (So, even still,) the top cyber security ‘giants’ mostly (deal with) firewalls and network security, even as people are moving to the cloud. It’s taking time to catch up – where data is getting prioritized.”

See Related: KPMG Cyber Director Outlines 'Expert Generalist,' Unified Data

The show guest also cited a “lack of visibility” or “inventory” of data present in an enterprise. That creates a weighty problem: “It’s tough to know where to start.”

“Another set of problems,” Burshteyn said, “involves how difficult it is as a security team to interface with all of the users through their technology stacks and workflows, for sensitive data. It’s spread out and oftentimes not protected as well as people would like.”

Encryption

Asked about encryption methods/tools, the “TF7 Radio” guest said that the programs are tough to own and implement, and that there’s a lot of “high-friction integration with encryption in general.” Although encryption projects attempt to rest in the background, they ultimately have to interfere with users or application owners.”

Burshteyn said the overall approach should be to “bake in” encryption with native tools. He also said this is becoming “more of a commodity.”


‘Moving Target Defense’

The CryptoMove CEO then took some time to define “moving target defense,” which he called a field of security that shifts and changes the attack surface over time. He said it “imposes asymmetry on cyber adversaries” to complicate their search and throw them off course.

Moving target defense also differs from deception/honeypots, the featured guest suggested. The latter involves the creation of fake infrastructure while the former “zigzags” and changes data/network properties. This effectively cloaks the protected resources.

‘Game Theory’

In implementing moving target defense, Burshteyn said that a risk-based approach is crucial. With regard to risk models, he referenced game theory (analysis of strategies, usually contingent upon others), and said that adversarial back and forth can be simulated – right through the kill-chain. This allows you to see how the infrastructure responds and calculate probability and effects.

Secure Ledger

The conversation then shifted to data decentralization and “blockchain.” The radio show guest said that banks, as well as others in different sectors, have announced “interesting blockchain projects.”

Burshteyn said that they’re using blockchain as a trust mechanism and as a ledger for their businesses. So, they utilize it as they might a new, distributed technology.

See Related: CSO Talks Pyramid-Shaped Risk Framework, Cyber Agility

Are there risks, however? Burshteyn said that the subject is still being studied closely. Yet, with blockchain, there are a lot more keys. Without them, data could be unrecoverable. Or, if keys are stolen, trouble follows. The CryptoMove CEO said “it’s important to have key protection.”

An additional challenge is storage capability. “You can’t really store large documents on the blockchain,” Burshteyn said. “You need some sort of off-chain storage.”

Smart Cities

As more and more cities see their infrastructure taken over by botnets or distributed denial-of-service (DDoS) attacks, a number of system issues arise. Outside of backups, Burshteyn said that there is also a privacy component.

“By making themselves ‘smart,’” the July 9 guest said, “they’re turning everything into a data collection and sensor. We saw that in Barcelona, which collected data on all of its citizens. It was celebrated and then they realized it was a privacy issue.”

One important component to smart city advancement, the CEO continued, is the creation of threat model reference architecture, so that security teams can prioritize data and its security.

In Closing

Additional topics in the back half of the show included quantum computing and the encryption concern surrounding it, as well as prioritized key management and DevSecOps.

On quantum computing, Burshteyn said, “The basic idea is: You can potentially take data, even if it’s encrypted, and read the clear text... It’s inevitable but we don’t know when it’ll happen.”

On software development, Burshteyn said that security does not want to hinder development, “but instead influence secure development processes.” Much of that reverts back to a security-driven approach.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

Be sure to connect with Burshteyn, here.


See Related: 'Tone From The Top': Cyber Security & Digital Transformation