Featured Posts

What Defines a Machine Learning-Based Threat Intelligence Platform?

As technology continues to evolve, several trends are staying consistent. First, the volume of data is growing exponentially. Second, human analysts can’t hope to keep up—there just aren’t enough of them and they can’t work fast enough. Third, adversarial attacks that...

Global Privacy Concerns: The World’s Top Five Cities Using Invasive Technology

Cities are expanding their technological reach. Many of their efforts work to increase public protections, such as using GPS tracking to help first responders quickly locate the site of a car accident. But, in the rush for a more secure and technologically advanced...

A Chat with Kelvin Murray: Senior Threat Research Analyst

In a constantly evolving cyber landscape, it’s no simple task to keep up with every new threat that could potentially harm customers. Webroot Senior Threat Research Analyst Kelvin Murray highlighted the volume of threats he and his peers are faced with in our latest...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

Cloud Services in the Crosshairs of Cybercrime

It's a familiar story in tech: new technologies and shifting preferences raise new security challenges. One of the most pressing challenges today involves monitoring and securing all of the applications and data currently undergoing a mass migration to public and...

What Defines a Machine Learning-Based Threat Intelligence Platform?

Reading Time: ~ 4 min.

As technology continues to evolve, several trends are staying consistent. First, the volume of data is growing exponentially. Second, human analysts can’t hope to keep up—there just aren’t enough of them and they can’t work fast enough. Third, adversarial attacks that target data are also on the rise.

Given these trends, it’s not surprising that an increasing number of tech companies are building or implementing tools that promise automation and tout machine learning and/or artificial intelligence, particularly in the realm of cybersecurity. In this day and age, stopping threats effectively is nearly impossible without some next-generation method of harnessing processing power to bear the burden of analysis. That’s where the concept of a cybersecurity platform built on threat intelligence comes in.

What is a platform?

When you bring together a number of elements in a way that makes the whole greater or more powerful than the sum of its parts, you have the beginnings of a platform. Think of it as an architectural basis for building something greater on top. If built properly, a good platform can support new elements that were never part of the original plan.

With so many layers continually building on top of and alongside one another, you can imagine that a platform needs to be incredibly solid and strong. It has to be able to sustain and reinforce itself so it can support each new piece that is built onto or out of it. Let’s go over some of the traits that a well-architected threat intelligence platform needs.

Scale and scalability

A strong platform needs to be able to scale to meet demand for future growth of users, products, functionality. Its size and processing power need to be proportional to the usage needs. If a platform starts out too big too soon, then it’s too expensive to maintain. But if it’s not big enough, then it won’t be able to handle the burden its users impose. That, in turn, will affect the speed, performance, service availability, and overall user experience relating to the platform.

You also need to consider that usage fluctuates, not just over the years, but over different times of day. The platform needs to be robust enough to load balance accordingly, as users come online, go offline, increase and decrease demand, etc.

Modularity can’t be forgotten, either. When you encounter a new type of threat, or just want to add new functionality, you need to be able to plug that new capability into the platform without disrupting existing services. You don’t want to have to worry about rebuilding the whole thing each time you want to add or change a feature. The platform has to be structured in such a way that it will be able to support functionality you haven’t even thought of yet.

Sensing and connection

A threat intelligence platform is really only as good as its data sources. To accurately detect and even predict new security threats, a platform should be able to take data from a variety of sensors and products, then process it through machine learning analysis and threat intelligence engines.

Some of the more traditional sensors are passive, or “honeypots” (i.e. devices that appear to look open to attack, which collect and return threat telemetry when compromised.) Unfortunately, attack methods are now so sophisticated that some can detect the difference between a honeypot and a real-world endpoint, and can adjust their behavior accordingly so as not to expose their methods to threat researchers. For accurate, actionable threat intelligence, the platform needs to gather real-world data from real-world endpoints in the wild.

One of the ways we, in particular, ensure the quality of the data in the Webroot® Platform, is by using each deployment of a Webroot product or service—across our home user, business, and security and network vendor bases—to feed threat telemetry back into the platform for analysis. That means each time a Webroot application is installed on some type of endpoint, or a threat intelligence partner integrates one of our services into a network or security solution, our platform gets stronger and smarter.

Context and analysis

One of the most important features a threat intelligence platform needs is largely invisible to end users: contextual analysis. A strong platform should have the capacity to analyze the relationships between numerous types of internet objects, such as files, apps, URLs, IPs, etc., and determine the level of risk they pose.

It’s no longer enough to determine if a given file is malicious or not. A sort of binary good/bad determination really only gives us a linear view. For example, if a bad file came from an otherwise benign domain that was hijacked temporarily, should we now consider that domain bad? What about all the URLs associated with it, and all the files they host?

For a more accurate picture, we need nuance. We must consider where the bad file came from, which websites or domains it’s associated with and for how long, which other files or applications it might be connected to, etc. It’s these connections that give us a three-dimensional picture of the threat landscape, and that’s what begins to enable predictive protection.

The Bottom Line

When faced with today’s cyberattacks, consumers and organizations alike need cybersecurity solutions that leverage accurate threat telemetry and real-time data from real endpoints and sensors. They need threat intelligence that is continually re-analyzed for the greatest accuracy, by machine learning models that are trained and retrained, which can process data millions of times faster than human analysts, and with the scalability to handle new threats as they emerge. The only way to achieve that is with a comprehensive, integrated machine-learning based platform.

Global Privacy Concerns: The World’s Top Five Cities Using Invasive Technology

Reading Time: ~ 4 min.

Cities are expanding their technological reach. Many of their efforts work to increase public protections, such as using GPS tracking to help first responders quickly locate the site of a car accident. But, in the rush for a more secure and technologically advanced city, privacy can fall by the wayside. We’ve reviewed the top cities around the world that are using technologies that may invade citizens’ privacy, so you know what to expect and what you can do. 

Big brother in Beijing, China 

China is infamous for its mass surveillance, with Beijing often serving as a testing ground for new surveillance software. The Chinese government uses internet monitoring, GPS tracking, and the “world’s biggest camera surveillance system”, with more than 170 million CCTV cameras to monitor the country’s populace. These CCTV cameras are backed by powerful facial recognition algorithms, which can track an individual down in just seven minutes. It is safe to say that you are probably being monitored anywhere you travel while in China, but a general rule is that, the higher the population, the more surveillance there is.  

The town of Yizhuang has more than 2,243 high definition security cameras, 277 vehicle recognition cameras, and 267 facial recognition cameras. It also features six patrol vehicles with mobile cameras, and enforcement officers equipped with video capture equipment. Each of these cameras is sending live video streams to a main control center 24/7—all to monitor a single 11-square-mile suburb of Beijing. 

Beijing is also preparing to roll out a social credit system in 2020. This system will award personal trustworthiness points to citizens and businesses based on their financial credit scores, as well as their personal and professional behavior. In the meantime, how the Chinese government plans to use this system to reward or punish its citizens remains a mystery. 

Always watching in Moscow, Russia 

Not one to be outdone, Russia has also embraced mass CCTV surveillance. Moscow alone has more than 170,000 cameras, making it the most surveilled city in Russia. Facial recognition software is paired with this massive network of cameras to track down persons of interest, though exactly what defines a “person of interest” is somewhat nebulous. In fact, Moscow officials recently admitted that they “can now trace the debtors’ movements,” thanks to this massive network of CCTV cameras. He declined to comment on the number of debtors who have been traced using this technology, nor the severity of their debts. 

Mass monitoring in Darwin, Australia 

Darwin, Australia is piloting a surveillance system similar to the technologies used in China, with some warning that it could evolve into a social credit system. Darwin has installed poles throughout the city outfitted with speakers, cameras, and WiFi. These monitoring stations track people and their movements all around the city, and are aided by facial recognition software. They can even respond to triggers, such as when a specific individual breaches a “virtual fence.” 

“We’ll be getting sent an alarm saying, ‘There’s a person in this area that you’ve put a virtual fence around.’ … Boom, an alert goes out to whatever authority, whether it’s us or police to say ‘Look at camera five,’” said Josh Sattler, the Darwin Council’s General Manager for Innovation, Growth, and Development services in an article with NT News.  

This system also tracks mobile phone use, web traffic, and mobile app usage—but only to help local businesses, of course. 

“[It will tell us] where people are using WiFi, what they’re using WiFi for, are they watching YouTube, etc., all these bits of information we can share with businesses… we can let businesses know ‘Hey, 80 percent of people actually use Instagram within this area of the city, between these hours,’” said Sattler. 

‘I spy’ in New York City, USA 

In an effort to assist its police force, NYC has turned to the world’s largest surveillance technology company—the Chinese state-owned Hikvision—to install the same surveillance tools being used in China. Thousands of surveillance cameras have been operating in New York City since 2014, using the same facial recognition software that enables law enforcement in Beijing to locate and track individuals within the city. These cameras are equipped with infrared sensors that help capture high resolution images even in very low light. The NYPD has direct access to this surveillance network, and monitors the footage remotely to avoid showing an obvious police presence. The full extent of the surveillance in New York is unknown, but reports indicate the NYPD is using these products on a “large scale.” 

Small-town surveillance in Hillsboro, USA 

Hillsboro, Oregon is the smallest city on this list, with a population of just over 100,000. So why is such a small town on the same list as places like Beijing, Moscow, and New York? The Washington County Sheriff’s Office, which presides over Hillsboro, recently became the first law enforcement agency in the United States to use Amazon’s AI-powered facial recognition tool, Rekognition. As this is the first real-world test of this technology, its accuracy is hotly debated. Many experts argue that this technology will likely lead to the wrongful arrest of innocent people whose only crime is bearing a resemblance to the accused. 

More than 300,000 mug shots taken at the Washington County jail have been uploaded into the Rekognition system. These pictures can be cross-referenced with images from a security camera, social media accounts, or even a deputy’s mobile device—without requiring a warrant. More than 1,000 facial recognition searches were logged into the Rekognition system by the Washington County Sheriff’s Office, but public records requests show that only nine official case reports mention the use of the tool. Washington County deputies are under no imperative to note when facial recognition software assisted with an arrest, so we have no way to judge how accurate the system is. 

Your Privacy is Your Concern 

While the only way to avoid detection through the facial recognition algorithms is to hide or alter your face, there are some precautions you can take to protect your privacy when visiting these cities. As an example, you can easily obscure your digital traffic, which can help prevent the kind of tracking reported in Darwin. Strong encryption is your best protection against privacy invasive cities. Research a reliable VOIP and text messaging encryption service, and invest in a trusted VPN to shield your web and mobile traffic. Encryption may not stop state actors from intercepting your data, but it will make it nearly impossible for them to interpret it. 

Have other tips for protecting your privacy while traveling? Let us know in the comments. 

A Chat with Kelvin Murray: Senior Threat Research Analyst

Reading Time: ~ 3 min.

In a constantly evolving cyber landscape, it’s no simple task to keep up with every new threat that could potentially harm customers. Webroot Senior Threat Research Analyst Kelvin Murray highlighted the volume of threats he and his peers are faced with in our latest conversation. From finding new threats to answering questions from the press, Kelvin has become a trusted voice in the cybersecurity industry.

What is your favorite part of working as a Senior Threat Research Analyst? 

My favorite part about being a threat researcher is both the thrill of learning about new threats and the satisfaction of knowing that our work directly protects our customers. 

What does a week as a Senior Threat Research Analyst look like? 

My week is all about looking at threat information. Combing through this information helps us find meaningful patterns to make informed analysis and predictions, and to initiate customer protections. It roughly breaks down into three categories. The first would be “top down” customer data like metadata. The data we glean from our customers is very important and a big part of what we do. The interlinking of all our data and the assistance of powerful machine learning is a great benefit to us.  

Next would be “whole file” information, or static file analysis and file testing. This is a slow process but there are times when the absolute certainty and granular detail that this kind of file analysis provides is essential. This isn’t usually part of my week, but I work with some great specialists in this regard.  

Last would be news and reports on the threat landscape in general. Risks anywhere are risks everywhere. Keeping up to date with the latest threats is a big part of what I do. I work with a variety of internal teams and try to advise stakeholders, and sometimes media, on current threats and how Webroot fits in. Twitter is a great tool for staying in the know, but without making a list to filter out the useful bits from the other stuff I follow, I wouldn’t get any work done! 

What skills have you built in this role? 

Customer support taught me a lot in terms of the client, company culture, and dealing with customer requests. By the time I was in business support I was learning the newer console system and more corporate terms. Training on the job was very useful for my move to threat, where I also picked up advanced malware removal (AMR), which is the most hands on you can get with malware and the pain it causes customers. All of that knowledge is now useful to me in my public facing role where I prepare webinars, presentations, interviews, blogs, and press answers about threats in general. 

What is your greatest accomplishment in your career at Webroot so far? 

Learning the no-hands trick on the scooter we have in the office. And of course my promotion to Senior Threat Research Analyst. I have had a lot of different roles in my time here, but I’m glad I went down the path I did in terms of employment. There’s never a dull moment when you are researching criminal news and trends, and surprises are always guaranteed. 

What brought you to Webroot? 

I like to say divine providence. But really I had been travelling around Asia for a few months prior to this job. When I got back home I was totally broke and needed a job. A headhunter called me up out of the blue, and the rest is history.   

Are you involved in anything at Webroot outside of your day to day work? 

Listening, singing and (badly) dancing to music. Dublin is a fantastic place for bands and artists to visit given its proximity to the UK and Europe and the general enthusiasm of concert goers. I do worry that a lot of venues, especially nightclubs, are getting shut down and turned into hotels though. I sing in a choir based out of Trinity College.  

Favorite memory on the job? 

Heading to (the now closed) Mabos social events with my team. The Mabos collective ran workshops and social and cultural events in a run-down warehouse that they lovingly (and voluntarily) converted down in Dublin’s docklands. Funnily enough, that building is now Airbnb’s European headquarters. 

What is your favorite thing about working at Webroot? 

The people that I get to work with. I have made many great friendships in the office and still see previous colleagues socially, even those from five or six years ago.  

What is the hardest thing about being a Senior Threat Research Analyst? 

Prioritizing my time. I can try my hand at a few different areas at work, but if I don’t focus enough on any one thing then nothing gets done. I find everything interesting and that curiosity can get in the way sometimes! 

What is your favorite thing to do in Dublin?  

Trying new restaurants and heading out to gigs. I’d be a millionaire if I didn’t eat out at lunchtime so much. Dublin is full of great places. I like all kinds of gigs from dance to soul to traditional. The Button Factory is one of the coolest venues we have. 

How did you get into the technology field? 

I first become interested in technology through messing with my aunt’s Mac back in the early 90s. There were a lot of cool games on her black and white laptop she brought home from a compucentre she worked in, but the one that sticks in my memory was Shufflepuck Café. My dad always had some crazy pre-Windows machines lying around. Things with cartridges or orange text screens running Norton commander. 

 To learn more about life at Webroot, visit https://www.webroot.com/blog/category/life-at-webroot/

A Cybersecurity Guide for Digital Nomads

Reading Time: ~ 3 min.

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means their favorite coffee shop or co-working space. For others, it means an idyllic beach in Bali or countryside public house. One thing remains true wherever a digital nomad may choose to lay down their temporary roots: They are at a higher cybersecurity risk than a traditional worker. So what risks should they look out for? 

Public Wifi

Without a doubt, public WiFi is one of the main cybersecurity hazards many digital nomads face. The massive and unresolved flaw in the WPA2 encryption standard used by modern WiFi networks means that anyone connecting to a public network is putting themselves at risk. All public WiFi options—including WiFi provided by hotels, cafes, and airports—poses the risk of not being secure. How can a digital nomad be digital if their main source of internet connectivity is a cybersecurity minefield?  

When connecting to public WiFi as a digital nomad, it is crucial to keep your web traffic hidden behind a virtual private network (VPN). A quality VPN app is simple to set up on your mobile devices—including laptops and smart phones—and uses a strong encryption protocol to prevent hackers and other snoops from stealing important personal information such as account passwords, banking information, and private messages. VPNs will keep your data encrypted and secure from prying eyes, regardless of locale.

Device Theft

Physical device theft is a very real risk for digital nomads, but one that can largely be avoided. The first and most obvious step to doing so is to never leave your devices unattended, even if your seatmate at the coffee shop seems trustworthy. Always be mindful of your device visibility; keeping your unattended devices and laptop bags locked away or out of sight in your hotel room is often all it takes to prevent theft. Purchasing a carrying case with a secure access passcode or keyed entry can also act as an additional deterrent against thieves looking for an easy mark. 

If your device is stolen, how can you prevent the damage from spiraling? Taking a few defensive measures can save digital nomads major headaches. Keep a device tracker enabled on all of your devices—smartphones, tablets, and laptops. Both Apple and Android have default services that will help you locate your missing device.  

But this will only help you find your property; it won’t prevent anyone from accessing the valuable data within. That’s why all of your devices should have a lock screen enabled, secured with either a pin or a biometric ID, such as your fingerprint. If you believe these efforts have failed and your device is compromised, enabling multi-factor authentication on your most sensitive accounts should help reduce the effect of the breach.  

However, if you cannot recover your device, remotely wiping it will prevent any additional data from being accessed. If you have a device tracker enabled, you will be able to remotely wipe your sensitive data with that software. If you’re using a data backup solution, any lost files will be recoverable once the status of your devices is secure 

Lower Your Risk

Being a digital nomad means that you’re at a higher risk for a breach, but that doesn’t mean you can’t take steps to lower that risk. These best practices could drastically reduce the risk incurred by leading a digitally nomadic lifestyle. 

  • Toggle off. Remember to always turn off WiFi and Bluetooth connectivity after a session. This will prevent accidental or nefarious connections that could compromise your security. 
  • Mindfulness. Be aware of your surroundings and of your devices. Forgetting a device might be an acceptable slip up for most, but for a digital nomad it can bring your lifestyle to a grinding halt. 
  • Be prepared. Secure your devices behind a trusted VPN before beginning any remote adventures. This will encrypt all of your web traffic, regardless of where you connect.  
  • Stop the spread. In case of a device or account breach, strong passwords and multi-factor authentication will help minimize the damage. 

A staggering 4.8 million Americans describe themselves as digital nomads, a number that won’t be going down anytime soon. With remote work becoming the new norm, it’s more important than ever that we take these cybersecurity measures seriously—to protect not just ourselves, but also our businesses and clients. Are you a digital nomad making your way through the remote-work landscape? Let us know your top tips in the comments below! 

Cloud Services in the Crosshairs of Cybercrime

Reading Time: ~ 3 min.

It’s a familiar story in tech: new technologies and shifting preferences raise new security challenges. One of the most pressing challenges today involves monitoring and securing all of the applications and data currently undergoing a mass migration to public and private cloud platforms.

Malicious actors are motivated to compromise and control cloud-hosted resources because they can gain access to significant computing power through this attack vector. These resources can then be exploited for a number of criminal money-making schemes, including cryptomining, DDoS extortion, ransomware and phishing campaigns, spam relay, and for issuing botnet command-and-control instructions. For these reasons—and because so much critical and sensitive data is migrating to cloud platforms—it’s essential that talented and well-resourced security teams focus their efforts on cloud security.

The cybersecurity risks associated with cloud infrastructure generally mirror the risks that have been facing businesses online for years: malware, phishing, etc. A common misconception is that compromised cloud services have a less severe impact than more traditional, on-premise compromises. That misunderstanding leads some administrators and operations teams to cut corners when it comes to the security of their cloud infrastructure. In other cases, there is a naïve belief that cloud hosting providers will provide the necessary security for their cloud-hosted services.

Although many of the leading cloud service providers are beginning to build more comprehensive and advanced security offerings into their platforms (often as extra-cost options), cloud-hosted services still require the same level of risk management, ongoing monitoring, upgrades, backups, and maintenance as traditional infrastructure. For example, in a cloud environment, egress filtering is often neglected. But, when egress filtering is invested in, it can foil a number of attacks on its own, particularly when combined with a proven web classification and reputation service. The same is true of management access controls, two-factor authentication, patch management, backups, and SOC monitoring. Web application firewalls, backed by commercial-grade IP reputation services, are another often overlooked layer of protection for cloud services.

Many midsize and large enterprises are starting to look to the cloud for new wide-area network (WAN) options. Again, here lies a great opportunity to enhance the security of your WAN, whilst also achieving the scalability, flexibility, and cost-saving outcomes that are often the primary goals of such projects.  When selecting these types of solutions, it’s important to look at the integrated security options offered by vendors.

Haste makes waste

Another danger of the cloud is the ease and speed of deployment. This can lead to rapidly prototyped solutions being brought into service without adequate oversight from security teams. It can also lead to complacency, as the knowledge that a compromised host can be replaced in seconds may lead some to invest less in upfront protection. But it’s critical that all infrastructure components are properly protected and maintained because attacks are now so highly automated that significant damage can be done in a very short period of time. This applies both to the target of the attack itself and in the form of collateral damage, as the compromised servers are used to stage further attacks.

Finally, the utilitarian value of the cloud is also what leads to its higher risk exposure, since users are focused on a particular outcome (e.g. storage) and processing of large volumes of data at high speeds. Their solutions-based focus may not accommodate a comprehensive end-to-end security strategy well. The dynamic pressures of business must be supported by newer and more dynamic approaches to security that ensure the speed of deployment for applications can be matched by automated SecOps deployments and engagements.

Time for action

If you haven’t recently had a review of how you are securing your resources in the cloud, perhaps now is a good time. Consider what’s allowed in and out of all your infrastructure and how you retake control. Ensure that the solutions you are considering have integrated, actionable threat intelligence for another layer of defense in this dynamic threat environment.

Have a question about the next steps for securing your cloud infrastructure? Drop a comment below or reach out to me on Twitter at @zerobiscuit.