ChannelCon IT Pro Track Day 2 Dives Deep into Cybersecurity

You can’t avoid cybersecurity in the IT world, and ChannelCon 2018 is no exception. On Thursday, August 2, the IT Pro Track powered by AITP focused on cybersecurity, with four sessions that all touched on internet of things (IoT) devices, endpoints and red team versus blue team.

The State of Cybersecurity

The day started with an overview of the state of cybersecurity. CompTIA Chief Technology Evangelist James Stanger facilitated a discussion with SolarWinds MSP Vice President of Security Architecture Tim Brown and Malwarebytes Senior Global Threat Analyst Cody Mercer. The group talked about the dissolving (or dissolved) perimeter, endpoints and IoT devices, social engineering, segmentation and more. When it comes to cybersecurity tools, Mercer had a good reminder.

“There’s a lot on the market. It’s a matter of implementing and actually using it. It’s like having a book,” he said. “You can own a book, but if just it sits on your bookshelf and you don’t read it, it has no value.

Brown and Mercer brought different perspectives to the conversation, which gave the audience food for thought. For example, when discussing endpoints and IoT. Mercer asked why we even need smart appliances, commenting on how the manufacturers specialize in designing the appliance, not security. They are looking to sell their appliances, and security may be a secondary concern.

But Brown countered with a personal story. His elderly parents wake up every morning and make coffee between 8:30 and 9:30 a.m. With an internet-connected coffeemaker, he and his siblings can see that they’re waking up and making coffee and everything is right with the world. If there’s a morning when they don’t make coffee, that’s a signal to check in and make sure everything’s ok.

“We have to think about IoT in the home as something that’s not just a function, but what it can give you – what information it can give you,” he said. “[The elderly] need to have the support system [to stay at home], and the IoT environment can give them that support system without intrusion.”

Endpoint Detection and Response: The Next Frontier of Security

Next, ESET North America Senior Security Researcher Stephen Cobb continued the discussion about endpoints and how to protect them. He outlined the what and why of endpoint detection and response (EDR), how it differs from endpoint protection (EPP) and how it fits into the broader picture of cybersecurity.

“Typically, an endpoint not only has on it useful information, but it’s also an entry point into the organization’s information system, so endpoints seem to be heavily targeted and attacked,” he said. “Organizations need to monitor endpoints, detect threats and respond to them.”

He outlined the five main capabilities of EDR:

1. Detect security incidents
2. Investigate
3. Contain
4. Remediate
5. Enable improved prevention

As Cobb showed an example of an EDR system, he joked, “EDR is a lot of information in a small space, and a lot of squinting is required.”

He closed by saying that over the next five years, he expects to see a merging of EDR and EPP products.

“It’s an evolving space that’s moving quite quickly.”

Read more from Cobb in a recent article on endpoint detection and response.

Wargaming the Security Infrastructure

After lunch, IT pros gathered back in the Delaware Suite to hear from General Dynamics Information Technology (GDIT) Cyber Services Area Director Dr. Matthew McFadden about red-team/blue-team exercises. He explained the importance of practicing hands-on cybersecurity skills in a safe environment and described GDIT’s recent hackathon.

“It’s important to get our security practitioners in that mindset and use those real-world scenarios,” he said.

He added that GDIT focuses on providing a realistic environment and using the tools that cybersecurity professionals use everyday. The advent of cloud environments has helped to create that real-world experience from anywhere. For its recent hackathon, GDIT set up Amazon Web Service (AWS) cloud infrastructure for each blue team.

“The goal is to provide a realistic infrastructure that you can snapshot because students will break it and you have to revert back,” McFadden said. “Realism is key.”

 The blue team got about a 60-minute head start to secure their environment before the red team began trying to attack. They were encouraged to use services available online or within AWS, and communicated with each other and the judges via Slack.

Both the red team and blue team had specific challenges to accomplish – some of which related to the exercise and some that were intended to distract them, such as sharing a picture of your pet for National Pet Day.

“The idea is to give them as many challenges so they are overwhelmed and have to work as a team,” McFadden said.

Escaping the Cybersecurity Matrix: Red Pill or Blue Pill?

Closing out the day, Stanger took center stage to talk about the cybersecurity matrix.  

“The matrix is the defender’s dilemma. It’s a fear-based sort of model,” Stanger said. “We can get out of the matrix by using really useful metrics.”

When you’re trying to convince the CEO or the board of the value of cybersecurity investment, Stanger said, you need to speak in terms of risk.

“Any good board, any good CEO, is an expert at managing risk,” he said. “They won’t put it in terms of dwell time or [security information and event management (SIEM)], but they will ask very smart or pointed questions. They’re probably trying to do the best thing to manage risk.”

Help them see why dwell time is important, for example, and how a SIEM can help you identify incidents more quickly to reduce dwell time and thus reduce attacks.

“Move away from the defender’s dilemma to the hacker’s dilemma,” Stanger said. “The hacker has to go through a certain number of steps to compromise your system. Putting together security controls can help you identify what those steps are. Now it changes your perspective from a fear-based approach to something that’s more knowledgeable, proactive and risk-oriented.”

Stay tuned for the ChannelCon rebroadcast in September, where you can watch these sessions and more to earn continuing education units (CEUs) toward the renewal of your CompTIA certification.