ClawBack Insights :: A Conversation with MicroSolved, CEO, Brent Huston

I recently got interviewed over email by one of my mentees. I thought their questions were pretty interesting and worth sharing with the community. This session focused on ClawBack™ and was done for a college media class assignment. I hope you enjoy the interview as much as I did giving it. 

Q: What is ClawBack?

ClawBack is a platform for helping organizations detect data leaks. It’s a cloud-based engine focused on three specific kinds of leaked data – source code, device and application configurations and credentials. It systematizes many of the manual efforts which mature organizations had been doing either partially, or in an ad hoc fashion, and makes them ongoing, dependable and available to organizations of any size and technical capability.

The engine lets the customer pick monitoring terms, and yes, we have a very nice guide available in the online help to guide them. Once the terms are chosen, the engine goes to work and begins to scour the sites most commonly associated with these types of leaks. At first, it does historical searches to catch the client up to the moment, and then, periodically, it provides ongoing searching for signs of leaked data.

Once a leaked dataset is found, the user is alerted and can view the findings in the web portal. They can take immediate action from the takedown advice we provide in online help, or they can choose to archive the alert or mark it as a false positive to be ignored in the future. Email alerts, team accounts and alert exports for SEIM/SOAR integration are also available to customers at the advanced levels.

Basically, ClawBack is a tool to help developers find code that accidentally slipped to the Internet, network admins and security teams find configurations and credentials that have escaped into the wild. We wanted to make this easy, and raise the maturity level of data leak detection for all organizations. We think we hit the mark with ClawBack, and we hope you do too.

Q: Why did your team create ClawBack and why now?

This is a great question! For many years now, we have been working a variety of security incidents that all tie back to attackers exploiting leaked data. They routinely comb the Internet looking in these common repositories and posting locations for code, configs and credentials. Once they find them, they are pretty quick to take advantage.

Take for example, a leaked device configuration from a router. The global paste bins, code repositories and forums are full of these kinds of leaks. In many cases, these leaked files contain not just the insights the attacker can gain from the configuration, but often, logins and passwords that they can use to compromise the device. Many also give up cryptographic secrets, network management credentials and other significantly dangerous information. The attackers just harvest it, use it and then spread into other parts of the network – stealing as they go.

At MSI, we just got tired of seeing organizations compromised the same way, over and over again. Time after time, the clients would say they had no idea the data had been exposed. Some had ad hoc processes they ran to search for them, and others had tools that just weren’t getting the job done. We knew we had to make something that could help everyone solve this problem and it had to be easy to use, flexible and affordable. Nothing like that was on the market, so we built it instead.

Q: How does ClawBack address the issues of leaked critical data?

As you read above, we wanted to focus on the things that hurt the most – leaked code, configs and credentials. These three types of leaks are at the core of more than 90% of the leak-related incidents we’ve worked over the last several years. We didn’t try to solve every problem with this new tool – or make it a swiss army knife. We focused only on those 3 kinds of leaks.

Today, ClawBack monitors the most common sites where these leaks often occur. It monitors many of the global pastebins associated with leaks, forums and support sites where folks often accidentally expose data while getting or giving help and work repositories where many of these items often end up from inadvertent user errors or via misconfigured tools.

ClawBack provides the dependable process and ongoing vigilance that the most mature firms have access to – and it brings that capability to everyone for less than a fancy cup of coffee a day.

Q: How is it different than DLP solutions?

For starters, there’s no hardware, software or agents to deploy and manage. The cloud-based platform is so simple to use that most customers are up and monitoring in less than 5 minutes. You simply register, select your subscription, input monitoring terms and ClawBack is off and running. It’s literally that easy!

Now, DLP is a great tool. When it’s properly configured and managed, it’s very capable. Most of our ClawBack clients have DLP solutions of some sort in place. The problem is, most of these data leaks occur in ways that render the DLP unable to assist. In most cases, the data leaks in the incidents we have worked have occurred outside of the corporate network that the DLP is monitoring. When we traced back the root of the incident, most of them came from workers who were not using the corporate network when they made their grave mistake.

Additionally, of those that did use the corporate network, often the DLP was either misconfigured, the alert was missed or the transaction was protected by cryptography that circumvented the DLP solution. A few of the incidents came from users who routinely handle code and configuration files, so the anomaly-based DLP tools assumed the leak was normal, usual traffic.

Sadly, the last group of incidents that had DLP in place went undetected, simply because the DLP solution was configured to meet some regulatory baseline like HIPAA, PCI or the like and was only searching for leaked PII that matched those specific kinds of patterns. In those cases, source code, configurations and even dumped credentials were far outside of the protection provided by the DLP.

ClawBack takes a different approach. It lets users know when this type of data turns up and lets them respond. It’s easy, plain language monitoring term management makes it trivial to define proper terms to tackle the 3 critical types of leaks. We provide a very detailed set of suggested terms for customers in our online help, which most folks master in moments.

Q: If an organization doesn’t have any in-house development or code, what can ClawBack do for them? Same question for organizations that outsource their device management – how can they get help from ClawBack?

Organizations that don’t do any development or have any source code are few and far between, but they still gain immense capability from ClawBack. Nearly every organization has device and application configurations and credentials that they need to monitor for exposure. Even if you outsource network management, you should still use ClawBack as a sanity check to watch for data leaks. We’ve seen significant numbers of leak-related security breaches from networks managed by third parties.

Requesting the key device configurations from your vendor and inputting identifying data into ClawBack is easy and makes sure that those configurations don’t end up somewhere they shouldn’t – causing you pain. Identifying unique account names and such, and using those as ClawBack monitoring terms can give you early warning when attackers dump credentials, hashes or other secrets that could cause you harm. Being able to change those passwords, kill accounts, increase monitoring and claw back those files through takedown efforts can mean the difference between a simple security incident and a complete data breach with full legal, regulatory and reputational impacts.

Q: Several people have said you are leaving money on the table with your pricing model – why is the pricing so affordable?

The main reason that the product costs under $200 per month at the highest level, currently, is that I wanted not-for-profit firms to be able to afford to protect themselves. Credit unions, charities, co-op utilities and the like have been huge supporters of MicroSolved for the last 30 years, and I wanted to build a solution that didn’t leave them out – simply because they have limited funds. Sure, we could charge larger fees and only target the Fortune 500 or the like, and make a lot of money doing it. The problem is, the security incidents we built this to help eliminate happen to small, mid-size and less than Fortune 500 companies too and there are a LOT MORE of those firms than 500. They need help, and they need to be able to afford the help they require.

Secondly, we were able to get to such an affordable price point by really focusing on the specific problem. We didn’t build a bunch of unneeded features or spend years coding capabilities to address other security problems. ClawBack detects leaks of critical data. That’s it. It provides basic alerting and reporting. We based the monitoring technology off our existing machine learning platform and re-used much of the know how we have developing past products and services like TigerTrax™ and SilentTiger™. What saves us money and resources, saves our clients money and resources.

Lastly, at MSI, we believe in making more value than we harvest. We want to provide significant levels of value to our clients that way over scales what they pay for it. We can do that using technology, our expertise and by building solutions that focus on significant problems that many feel are untenable. We’ve been doing it for almost 30 years now, so we must be getting something right…

Q: What’s next for ClawBack? Is there a road map?

We are talking about adding some forms of risk determination to the findings. We are currently in discussion with clients and experts about how best to do that and communicate it. We are discussing using some additional machine learning techniques that we developed for our social media monitoring and threat intelligence platforms. That’s the next step for us, that we can see.

We’re also looking at user feedback and curating what folks are asking about and thinking about when using the product. That feedback is being ranked and added to the road map as we create it. We’ve got some ideas of where we want to go with ClawBack, but honestly, the tool addresses the problem we built it to help with. That’s the core mission, and anything outside of that is likely to fall out of the mix.

Q: You have a history of designing interesting products – what is on the horizon or what are you playing with in the lab these days?

I wish I could tell you about the things we are playing with, because it is fascinating. We are exploring a lot of new capabilities in TigerTrax with different machine learning models and predictive techniques. We’re working on updates to HoneyPoint™ and SilentTiger that will bring some very cool new features to those capabilities.

We’re also continuing to gather, analyze and deliver specific types of threat intelligence and data analytics of hostile data sets. We’re studying adversarial use of machine learning techniques, attacks against different AI, IoT and cloud platforms and we’re diving deep into cyber-economics and other factors related to breaches. I’m also working on a pretty interesting project with some of my mentees, where we are studying the evolution, use and capability growth of various phishing kits in use today. The mentees are learning a lot and I’m getting to apply significant amounts of machine learning techniques to new data and in new ways that I haven’t explored before. All in all, pretty cool stuff!

I’ll let you know what we come up with. Thanks for interviewing me, and thanks to the readers for checking this out. Give me a shout out on Twitter – @lbhuston and let me know if you have questions or feedback on ClawBack. I’d love to hear your thoughts!

State of Security Podcast Episode 16 is Out!

This episode is a tidbit episode, weighing in just under 20 minutes. I sat down last week with Megan Mayer (@Megan__Bytes) in the lobby bar of the Hyatt during the Central Ohio Security Summit. Pardon the background noise, but we riffed on what Megan believes are the top 3 things that every security manager or infosec team should do this week. She had some great insights and I think her points are fantastic.

Give it a listen, and as always, if you have feedback or have someone in mind that you’d like to have interviewed on the podcast or a topic that you’d like to see covered, drop me a line (@lbhuston). 

As always, thanks for listening and stay safe out there!

 

We’re Growing Again!

From social media:

Got #infosec skills? We’re looking for a new team member to join MicroSolved. Pen-testing, threat intel & innovation are core reqs. Ethics, rapid learning, positivity are must haves. #Columbus preferred. Get in touch!  

Here is a bit more information: 

This engineer will engage with clients to review technical systems/applications, perform vulnerability assessments/pen-testing, application assessments, cyber threat intelligence assessments, network segmentation analysis, validate technical findings and support customers with security issues across the attack event horizon. 

Projects will cover the scope of networks, applications, security devices, servers/systems and likely embedded systems/components. Deep enterprise network knowledge in one or more areas of networking and/or security is a requirement. Familiarity with NIST standards/cyber security frameworks is preferred. 

To apply, send a resume and cover letter to (jobs <at> microsolved <dot> com). Please, no recruiters and no phone calls. If you have questions, please reach out on Twitter to @lbhuston. 

Thanks! 

Ask The Security Experts: Public Facing Workstations

This time around, we have a question from a reader named John: “I work in a small financial institution and we have problems with physical access to our computers. Many of our workstations sit in semi-public areas and could easily be attacked with USB devices or physical access when a teller or customer service person leaves the customers alone with the machine at a desk or cubicle. What advice do the experts have to help counter these types of attacks?”

Bill Hagestad started the conversation:

Recommended Points for mitigating this digital & physical vulnerability;

1) Remove workstations from semi-public areas; 2) Deploy & install single – purpose Internet workstations at no more than 2 public locations with VERY limited access to financial institution records only after 3 factor authentication has been authorized by credentialed users only; 3) Set time limites on inactive sessions on all banking terminals to logoff after physical proximity to machine exceeds 15 seconds; 4) Enforce 32 random, alpha-numeric character password changes to all critical financial institutional systems weekly; and, 5) Implement and /or continue aggressive financial institution information assurance education program with goal of 100% employee participation; review/update monthly and, 6) Mandate information security and awareness program participation from financial institution leadership throughout all employees and ranks within the organization.

John Davis expanded: I know how difficult this is for financial institutions. Your customer service representatives need computers in their cubicles in order to provide service to your customers, while at the same time those same computers are a main point of physical vulnerabilitiy. Easy steps can be taken, though, to harden these work stations.

First, workstation users should be allotted local administration rights on their systems only when a business need is present. So, CSR workstations should have their USB and DVD ports disabled. Furthermore, their is no need for them to have the ability to upload or download software. In addition, workstations in publicly accessible areas must be turned off each and every time they are unattended. Perhaps you could implement a system similar to the cut off device used on treadmills or at casinos: CSRs would have to clip a device from their clothing to the workstation before it will work. You could accompany this with biometric access for quick and easy access for the users.

Jim Klun added:

From my experience, and assuming the worst case of Windows systems configured as normal workstations with end-users having admin level access, some immediate things I would do:

1. Disable all removable media access at the hardware ( i.e. BIOS) level. At minimum: disable ability to boot from such sources. or: remove all DVD and CDROM drives and physically disable USB ports. (e.g. glue) 2. Ensure all workstations log activity and ensure that the logs are directed to a central log repository and reviewed. Example: http://www.intersectalliance.com/projects/SnareWindows/ 3. Ensure surveillance cameras cover workstation areas. 4. Aggressive screen-lock settings 5. Removal of admin access for all but limited support staff if at all possible. 6. Consider Usage of security cabinets for workstations: Example: http://www.globalindustrial.com/g/office/computer-furniture/cabinets/orbit-side-car-cabinet 7. Network Access Control to limit what devices are allowed on the local network. That unattended RJ45 jack or poorly secured wireless environment is as much a threat as that USB port or CDROM. Bluetooth setting should also be reviewed. 8. Ensure all sensitive information traveling over the local LAN is encrypted. 9. Use a firmware password ( e.g drivelock or a BIOS power-on password) to limit who can boot the machine. 10. Monthly re-iteration of security policies – including need to lock workstations. In my experience such messages are best tied to real-world examples. It makes the risk real – not just an abstract “security guy” worry. For example, this event could be used to ensure employees are aware that an unlocked workstation could lead to the installation of malware: http://news.techworld.com/security/3256513/sovereign-bank-and-penfed-warn-customers-after-keyloggers-are-found-on-laptops/

I note that both JD and Bill talk about enhanced authentication – including the use of proximity devices. Using such devices ( mostly bluetooth ) to secure these workstations sounds like a great idea to me and may be the easiest and most effective solution. Once the financial institution walks away from the workstation – it’s locked and ideally will not boot. http://btprox.sourceforge.net/ – open source Google “computer proximity lock” for a number of commercial alternatives.

Adam Hostetler closed the conversation with:

Everyone has really good suggestions so far. I am a fan of the simple phsyical solutions. I would put the workstations in locked cages. This would prevent any malicious people from inserting USB devices or CDs, or implanting sniffers between the keyboard and USB ports. Additionally, follow the other advice of disabling them through software, just to be sure.

Another solution may be to move to a thin client solution. It is possible to buy thin clients that have no USB ports or optical drives. This would also ensure that no sensitive information was on the workstation, in the event that it was stolen.

April Touchdown Task

April’s touchdown task for the month is a suggestion to update your contact list that you should have included in your incident response policy.

A few minutes now to make sure the right people are in the list and that their contact information is current could pay off largely down the road. It might also be a good time to check to make sure your contact process has been updated to include SMS/texting, Skype and/or other supported technologies that may have not been around when your policy was last updated.

Watching the Watchers…

“Who watches the watchers?” is an often overheard question when we assess the information security program of clients. Way too often, the answer is either, “Huh?” or “No one, really.”. That’s a LOT of trust for an organization to place in an individual or small team.

At least in a small team, you hopefully have peers checking each other’s work. You do that right? You either rotate duties, have a peer review process or otherwise make sure that a second set of eyes from the team double checks critical work in a peer review methodology. That’s what mature teams do, and they do it both often and formally. This is a great control and an effective means to build cooperation between team members.

The problem gets harder when your security team (and/or IT team) is one person. Then it absolutely REQUIRES that someone, be it a manager, another department peer, an auditor or even a consultant checks their work periodically. After all, if they manage the servers, the firewall, the network, the intrusion detection and the logging, they essentially have complete control over the data and can do as they please without fear of getting caught. Now, that is not to say that folks in this role aren’t trustworthy. They usually are. The problem is that some are not and to further complicate the matter – it is often quite difficult to tell the difference between the honest and the dishonest humans. So, as we always say, “Trust, but verify…”. Implement an ongoing process for peer review, even if that peer is an auditor or consultant. Have them come in and double check the progress for this quarter. Ask them to spot check reports, logs and configurations. It’s not comprehensive, but it at least sends a message that someone is checking and just having someone checking different items often leads to interesting discoveries, usually not of a malicious nature, but often times something missed in the day to day.

How does your organization use peer review? What works and what hasn’t worked for you? Leave us a comment or drop us a line on Twitter (@lbhuston) and let us know.

Ask The Experts: Advice to New InfoSec Folks

This time our question came from a follow up on our last advice article to new infosec folks (here). Readers might also want to roll back the clock and check out our historic post “So You Wanna Be in InfoSec” from a few years ago. 

Question: “I really want to know what advice the Experts would give to someone looking to get into the information security business. What should they do to get up to speed and what should they do to participate in the infosec community?”

Adam Hostetler replied:

To get up to speed, I think you should start with a good foundation of knowledge. Already working in IT will help, you should then already have a good idea of networking knowledge, protocols, and architecture, as well as good OS administrative skills. Having this knowledge already helped me a lot at the beginning. Then I would move into the infosec world, read and listen to everything you can related to infosec.  There’s much much more security related knowledge online than ever before, so use it to your advantage. You also now have the opportunity to take info sec programs in colleges, which weren’t really available 10 years ago. Social Networking is very important too, and how you would likely land a job in infosec. Go to events, conferences or local infosec meetings. Some of the local infosec meetings here in Columbus are ISSA, OWASP, and Security MBA. Find some in your area, and attend something like Security B-Sides, if you can. Get to know people at these places, let them know you’re interested, and you might just end up with your dream job.

John Davis chimed in:

If you want to get into the risk management side of the information security business, first and above all I recommend that you read, read, read! Read the NIST 800 series,  ISO 27001 & 27002, the PCI DSS, CobiT, the CAG, information security books, magazine articles, and anything else you can find about information security. Risk assessment, ERM, business continuity planning, incident response and other risk management functions are the milieu of the generalist; the broader your knowledge base, the more effective you are going to be. To participate in the infosec community, there are several things you can do. Probably the best and quickest way to get started is to attend (and participate in) meetings of information security professional organizations such as ISSA, ISACA and OWASP. Talk to the attendees, ask questions, see if they know of any entry level positions or internships you might be able to get into. There are also infosec webinars, summits and conferences that you can participate in. Once you get your foot in the door someplace, stick with it! It takes time to get ahead in this business. For example, you need four years of professional infosec experience or three years experience and a pertinent college degree before you can even test for your CISSP certification.

As always, thanks for reading! Drop us line in the comments or tweet us (@lbhuston or @microsolved) with other questions for the Security Experts.

Three Ways to Engage with the InfoSec Community

J0289893

Folks who are just coming into infosec often ask me for a few ways to engage with the infosec community and begin to build relationships. Here a few quick words of advice that I give them for making that happen.

1) Join Twitter and engage with people who are also interested in infosec. Talk directly to researchers, security visionaries and leadership. Engage with them personally and professionally to build relationships. Add value to the discussions by researching topics or presenting material that you are familiar with.

2) Join an open source software project. Even if you aren’t a coder, join the project and help with testing, documentation or reviews of some kind. Open source projects (they don’t have to be security projects) can benefit from the help, an extra set of eyes and the energy of new folks contributing to their work. You’ll learn new stuff and build great relationships in the development and likely infosec communities along the way. 

3) The way that most folks go about it works as well. Go to events. Network. Meet infosec people and engage them in discussions about technical and non-technical subjects. Groups like ISSA, ISACA, ISC2, OWASP and other regional security events are good places to meet people, learn stuff and develop relationships with folks working on hard problems. Cons can be good for this too, but often have less chances for building rapport due to the inherent sensory overload of most con environments. Cons are a good place to grow relationships, but may not be the best events for starting them.

That’s my advice. All 3 items are hard work. They offer a chance for you to learn and engage. BUT, you have to work to earn respect and rapport in this community. You have to contribute. You must add value. 

As always, thanks for reading and until next time, stay safe out there! 

Ask The Experts: Online Banking

This time we asked the experts one of the most common questions we get when we are out speaking at consumer events:

Q: Hey Security Experts, do you do your banking online? If so, what do you do to make it safe for your family? If not, why not?

John Davis explained:

I’ve been banking online for many years now and have always loved the convenience and ability it gives you to monitor your accounts anywhere and any time. There are a few simple things I do to keep myself secure. I do all the usual stuff like keeping a well configured fire wall and anti-virus software package always running. I also ensure that my wireless network is as secure as possible. I make sure the signal is tuned so as to not leak much from the house, I use a long and strong password and ensure I’m using the strongest encryption protocol available. I also monitor my accounts often and take advantage of my banks free identity theft service. One final tip; instead of using your actual name as your login, why not use something different that is hard to guess and doesn’t reveal anything about your identity? It always pays to make it as tough on the cyber-criminals as possible!

Phil Grimes chimed in with:

I do almost all my banking online. This, however, can be a scary task to undertake and should always be done with caution on the forefront! In order to bank safely on line, the first thing I do is to have one machine that was built in my house for strictly that purpose. My wife doesn’t play facebook games on it. My kids don’t even touch it or know it exists. This machine comes online only to get updated and to handle the “sensitive” family business functions like bill payment or banking.  The next thing I’ve done to protect this surface was to use a strong password. I used a password generator and created a super long password with every combination of alpha, numeric, and special characters included to reduce the risk of a successful brute force attack. This password is set to expire every 30 days and I change it religiously! Then finally, using Firefox, I install the NoScript plugin to help defend against client side attacks.

Adam Hostetler added:

Yes, I do my banking online. I also pay all of my bills online and shop online. I think the biggest thing that you can do for safety is just to be aware of things like phishing emails, and other methods that fraudsters use to try to compromise your credentials. I also always use dual factor authentication when possible, or out of band authentication, most banks and credit unions support one of these methods these days. Checking all of my accounts for suspicious activity is also a regular occurrence. 

There are also the malware threats. These are mostly mitigated by having up to date software (all software, not just the OS), up to date anti-virus software, and treating social networking sites like a dark alley. Be wary of clicking on any links on social networks, especially ones that are apps that claim they will do something fun for you. Social networks are probably the largest growing vector of malware currently, and a lot of times people install it willingly!

If you’re really paranoid, just have a dedicated PC or virtual machine for online banking.

Got a question for the Experts? Send it to us in the comments, or drop us a line on Twitter (@microsolved or @lbhuston). Thanks for reading! 

Ask The Experts: Favorite Tools

This question came in via Twitter:
“Hey Security Experts, what are your favorite 3 information security tools?” –@614techteam

John Davis responds:

I’m in the risk management area of information security; I don’t know enough about technical information security tools to give an informed opinion about them. However, my favorite information security ‘tool’ is the Consensus Audit Group’s Twenty Critical Security Controls for Effective Cyber Defense (which is very similar to MicroSolved’s own 80/20 Rule of Information Security). The ‘CAG’ as I call it gives me as a risk manager clearer, more proactive, and detailed information security guidance than any of the other standards such as the ISO or NIST. If you’re not familiar with it, you can find it on the SANS website. I highly recommend it, even (and especially) to technical IT personnel. It’s not terribly long and you’ll be surprised how much you get out of it.

Adam Hostetler adds:

I’ll do some that aren’t focused on “hacking”

OSSEC – Monitor all the logs. Use it as a SIEM, or use it as an IPS (or
any other number of ways). Easy to write rules for, very scalable and
it’s free.
Truecrypt – Encrypt your entire hard drive, partition, or just make an
encrypted “container” to hold files. Again, it’s free, but don’t be
afraid to donate.
OCLhashcat-plus – Chews through password hashes, cracking with GPU
accelerated speed. Dictionary based attacks, and also has a powerful
rule set to go after non-dictionary based passwords.

And Phil Grimes wrote:

NMap is probably one of my favorite tools of all time. It’s veristile and very good at what it does. Using some of the available scripts have also proven to be more than useful in the field.

NetCat – This tool is extremely well rounded. Some of my favorite features include tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel. While NMap is my go to port scanner, there is built-in port-scanning capabilities, with randomizer, and dvanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of trasmitted and received data. 

Wireshark – Sharking the wires is one of my favorite things to do. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need.

What’s your favorite tool? Let us know in the comments or via Twitter (@lbhuston). Thanks for reading!