Rethinking The Approach to Cyber Security

Everyone knows that cyber security is a big problem and most of what we hear about in the media is just how big of a problem it truly is: the average cost of a breach is $4M; the global economic impact of cyber crime is $450B; there were 4B data records stolen in 2016 alone. Those are definitely some big numbers! Now, rather than wringing our hands over the size of the problems and challenges, let’s spend a little time thinking about a solution.

As a starting point, let me say there are a significant number of brilliant people dedicating their careers to fixing the legal and policy issues, developing best practices, and creating new and cutting-edge technologies; they should remain focused on their work as it is very important. As a nation, as a global economy, we need a long-term comprehensive cyber security solution, and I am in no way indicating that their work is not necessary.

With that out of the way, I propose we consider two fundamental questions:

1) Given the fact companies are spending more than ever on cyber security, why are we continuing to see cyber incidents occur at an increasing rate?

2) If part of the solution to addressing cyber security is to hire talented technical experts AND there are currently about one million unfilled cyber security positions, how can we ever hope to make progress?

First, when it comes to the increasing amount of money spent on cyber security and the rising number of incidents, we do have a problem. However, using the size of the market and the amount of money spent as an indicator of progress is a fatal assumption.


It is true that SOME companies are investing more than ever (Google any major financial institution’s name and the term “cyber budget” for some indication of the staggering amount of money being spent). The dark little secret is that most companies have an extremely limited ability to invest in cyber security in any meaningful way by today’s standards; this will likely never change.

To illustrate this point, I collected data on three groups of companies: the fastest growing 5,000 companies from Inc., the Fortune 1000, and the MidMarket 1000. I then made some basic assumptions on IT and cyber security budgets based on SANS, Gartner, and other sources. This analysis revealed some fascinating numbers. While companies like Bank of America and JP Morgan Chase essentially have unlimited budgets for cyber security, the “real” average cyber security budget for companies outside the Fortune 100 (and not including small businesses) is likely less than $400K a year…to include people and technology. From a personnel perspective, these companies tend to have less than three or four people dedicated to cyber security and many only have one or two. This brings up an important discussion on resources, but more on that later.

The second question is a little harder. Retooling a workforce against a rapidly changing technology problem is very, very hard. There certainly has been an increasing focus on STEM within elementary schools, high schools, technical colleges, and traditional higher education institutions, but this may not be enough given the amount of time it takes to push skills through the pipeline. There has also been a focus on retraining the workforce through technical colleges, online curricula, code academies, and social activities such as meetups. This approach certainly has a faster turnaround, but may not provide enough volume. The key challenge here is that employment opportunities within the cyber security market have a really long tail. Between the large organizations hiring hundreds, if not thousands, of cyber trained personnel and government contractors hiring another large percentage, there is a severe shortage of trained employees left over for all of the other organizations. It is especially hard to hire the right talent if you can’t match the salaries and benefits of the larger employers AND there is a negative unemployment rate. Again, this indicates a discussion on resources might be worthwhile.


This brings us to the meat of my argument. I would like to suggest that we are thinking completely wrong about how to really solve the cyber security problems faced by almost every company in the world. We have been thinking about cyber security as a technology problem and are aligning solutions accordingly. For example, the Cyber Security Framework developed by NIST speaks heavily towards helping organizations understand and manage their cyber security risk. However, at the end of the day, this framework is based on the philosophy of “security controls” and the varied implementations thereof. Ultimately, the message comes through loud and clear: good cyber security requires an investment in people, processes, and most importantly, technology. In fact, almost every security standard or best practice has a similar focus. Whether it is COBIT, ISO, or NIST 800–53, they all trace back to managing risk through implementation of security controls. Implementing security controls requires what? Resources: time, money, and people.

Now, a quick digression is in order, but stay with me! One of my foundational beliefs in cyber security is “offense always wins and defense always loses.” Why do I believe this? Because an attacker doesn’t have to be good at everything, they just need to be successful one time. Staying on the topic of resources, this represents a huge resource imbalance. Think about the recent phishing attack against Gannett that compromised as many as 18,000 user accounts. This attack was likely the work of one individual against an organization with an annual revenue of around $800M. As attacks like this prove, we are basically watching a modern day version of David and Goliath every day. The difference here is that David wins so often that the story is no longer suspenseful. In fact, it is even worse than that! One attacker can target countless networks simultaneously while sitting on the beach drinking a margarita.

On the defensive side of the equation, there is a person or a team of people (hopefully) responsible for stopping every knucklehead trying to break into the network. Unfortunately, today’s network defenders are inundated with false positives and noise produced by their expensive security technologies, prohibiting them from actually finding and stopping real attacks. Or even worse, most of the time, defenders are stuck spending their limited time and energy configuring systems against a set of security controls that are designed to prevent an incident but don’t actually work and just create more work for everyone. The result? Even with significant amounts of money spent, a fully trained workforce, and innovative technologies deployed, the most sophisticated defenses are consistently losing the cyber battle.

So, my proposition is as follows. What would happen if we thought about cyber security as a resource problem instead of a technology problem? Taking it one step further, what if we focused on ways to reduce the resources required for defense and increase the resources required for offense before we thought about implementing more security controls? How would this change our behavior? What would we even focus on to make a difference on resources? My answer: speed and scalability.


Let’s start with speed. We need to find ways to accelerate the speed at which information is collected, distributed, and acted upon for companies of all sizes. If an attacker targets any organization, the infrastructure utilized for the attack must immediately be rendered useless. While this won’t stop attacks from occurring, it will certainly increase the resources required by the attacker. How would it be rendered useless? Let’s assume a virtual server from a hosting provider is stood up for the express purpose of targeting a network. The attacker kicks off an SSH brute force attack against a company’s server. Today, this activity is likely not even noticed by the company being targeted. Even worse, this sort of attack works more often than we would like to think.

What if instead, the knowledge of that attack triggered an alarm and that source IP was instantly known by all networks to be malicious at that moment in time and then blocked by all networks? What if this happened over the course of seconds? In this scenario, we didn’t necessarily implement any new security controls. We didn’t require any defense resources to engage the threat, but we did increase the resource requirements on the attacker. The bad guy will now have to stand up a new server or get a new IP address, which will then also get blocked. It is also important to note that there will be an impact on resources for the hosting provider, and this may not be a bad thing. They now have an IP address that is unusable for some period of time (say 24 hours) which will affect their ability to assign it to another user. Wouldn’t that hosting provider now be better incentivized to prevent those activities from occurring in the first place? Now, certainly there is an opportunity here for false positives and manipulation of the system to basically cause a DDoS to occur, but I think we can resolve those concerns if we spend a little time on them.

With respect to scalability, I am talking about horizontal scalability. How can we quickly and easily deploy a safety net to support organizations of all sizes, without imposing significant resource requirements? I don’t have the perfect answer here, but I do have some thoughts. We need to start thinking along the lines of other initiatives that scale capabilities across communities where an imbalance of resources exists. Think about social programs, taxes, and public schools. These are all models for balancing resources for the public good. How could we apply this to cyber security? Well, it might be easier than you think. I am certainly not suggesting we take a Robin Hood-like approach where we have the large companies pick up the tab for the smaller ones and I am not sure that tax incentives would be enough. However, what if we had the ability to distribute learnings of cyber attacks and bad actors at speed (see above) and at scale AND we were able to scale those learnings across all organizations? What if we could deploy a capability across all organizations big and small in a way that didn’t impose a large resource burden on the smaller organizations? What if this system could be designed to protect the privacy and anonymity of all organizations, but still allow us to shut the door on an attacker as soon as their infrastructure is known? Just imagine how a capability such as this could change the landscape in favor of defenses. While this may sound like a far off concept, information sharing is a common theme in public discourse today. Unfortunately, we aren’t yet thinking big enough. We aren’t thinking about a capability that achieves such a speed and scale and will actually be effective given the resources that actually exist in companies today.

In closing, I would like to challenge the cyber security community as a whole to start thinking about how we reorient our thinking around cyber security as a resource problem first, and a technology problem second. Let’s start focusing on how we protect companies of all sizes, not just those with unlimited resources. Gone are the days where individual networks can survive on their own islands and leave everyone else to the wolves. If we don’t learn the lesson now that cyber security is not just about implementing new technology, but it is actually about solving for the resource challenge that exists today, we are heading for some very challenging times.

Expanded Threat Information is Almost Live!!

Friday is a big day for Dark Cubed! We are preparing to launch a new feature that has been in the works for quite a while, and I couldn’t be more excited! As I approach my one-year anniversary at Dark Cubed, I have enjoyed taking a few minutes to look back over time and see the incredible progress we have made: the rapid growth of customers, the new features implemented in the product, and the features requested by our amazing customers such as automated notifications, one-click blocking, and multi-level reporting.


On Friday we will add another highly requested feature. We call it Expanded Threat Information. We will include this capability as part of our monthly subscription cost. No forms to fill out. No new fees!

Our customers love that we help them monitor their network and alert them to new cyber threats in real time, without requiring expensive, complex tools.  However, we often hear this question:

It is great that your UI makes it so easy to identify a risky IP on my network, but I wish I could see what that IP is doing, and who is making the connections?

Before this update, the only way to get this data was to either point the customer to firewall logs that they may have been collecting or turn on a logging tool integration to a product such as Splunk. Now, while setting up this integration is fast and easy, it still requires some additional steps. Integration is a good solution, but here at Dark Cubed we aren't satisfied with "good enough," we are going for great! So we put our heads together and voila! Expanded Threat Information became a reality! Now, any of our customers who have Dark Cubed deployed off of a Span Port/Port Mirroring or have the Inline Appliance will automatically have access to this information from within Dark Cubed, without having to lift a finger!


Let's be clear here; we are not trying to replace a full-featured logging infrastructure. There are plenty of tools on the market in that space already, and we integrate with many of them. Rather, our goal is to provide our customers with fast and easy access to actionable and timely information.

This IP has hit my network 254 times, but it is only inbound SSH traffic.  Stupid bot...let's block it and move on.

10GB of outbound, encrypted FTP traffic to Antarctica?? Uh oh! Let's block this IP right now and figure out what is happening!
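The two verdicts above come from the same few fields: how many times the risky IP was seen, in which direction, on what service, how many bytes moved, and which internal hosts were involved. The following is an added example (not Dark Cubed's code, and not a description of how its Connection Details view is built) that derives exactly those fields from constructed flow records as a span-port sensor might see them, then applies a hypothetical triage rule that reproduces the "stupid bot" and "uh oh" outcomes. The flow tuples, the internal ranges, the port-to-service map and the 1 GB outbound alarm threshold are all assumptions for the example.

```python
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_NAMES = {22: "ssh", 21: "ftp", 990: "ftps", 80: "http", 443: "https"}

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, bytes), made up for this example:
# 254 inbound SSH attempts from one address, and two large FTPS uploads to another.
SAMPLE_FLOWS = [("203.0.113.45", 51000 + i, "10.0.0.5", 22, 900) for i in range(254)] + [
    ("10.0.0.23", 40111, "198.51.100.77", 990, 5 * 1024 ** 3),
    ("10.0.0.23", 40112, "198.51.100.77", 990, 5 * 1024 ** 3),
    ("10.0.0.8", 40113, "198.51.100.77", 990, 2048),
    ("10.0.0.8", 40200, "192.0.2.10", 443, 5000),  # not a risky IP; left out of the summary
]
# Addresses the platform has already flagged as risky (constructed).
RISKY_IPS = {"203.0.113.45", "198.51.100.77"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize_connections(flows, risky_ips):
    """Per risky IP: hit count, inbound/outbound split, bytes each way, services, internal hosts."""
    summary = {}
    for src, _sport, dst, dport, nbytes in flows:
        if src in risky_ips and is_internal(dst):
            ip, host, direction = src, dst, "inbound"
        elif dst in risky_ips and is_internal(src):
            ip, host, direction = dst, src, "outbound"
        else:
            continue  # flows that do not touch a risky IP and an internal host are skipped
        s = summary.setdefault(ip, {"count": 0, "inbound": 0, "outbound": 0,
                                    "bytes_in": 0, "bytes_out": 0,
                                    "services": Counter(), "internal_hosts": set()})
        s["count"] += 1
        s[direction] += 1
        s["bytes_in" if direction == "inbound" else "bytes_out"] += nbytes
        s["services"][PORT_NAMES.get(dport, str(dport))] += 1  # service = destination port
        s["internal_hosts"].add(host)
    return summary


def triage(summary, outbound_alarm_bytes=1024 ** 3):
    """Hypothetical triage rule mirroring the two verdicts in the text."""
    verdicts = {}
    for ip, s in summary.items():
        if s["bytes_out"] >= outbound_alarm_bytes:
            verdicts[ip] = "urgent: large outbound transfer, block now and investigate"
        elif s["outbound"] == 0 and set(s["services"]) == {"ssh"}:
            verdicts[ip] = "noise: inbound-only ssh, block and move on"
        else:
            verdicts[ip] = "review"
    return verdicts


if __name__ == "__main__":
    summary = summarize_connections(SAMPLE_FLOWS, RISKY_IPS)
    for ip, verdict in triage(summary).items():
        s = summary[ip]
        print(f"{ip}: {s['count']} hits, {s['bytes_out']} bytes out, "
              f"hosts {sorted(s['internal_hosts'])} -> {verdict}")
```

The internal-host set is what turns an alert into a task: it names the machine to pull off the network, which is the question the customer quote above is really asking.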

Check out the following screen shots for a sneak peek of how this is going to look!

Here you can see the additional details provided within "Connection Overview" and a link to "View Connections"


Within "Connection Details" you can see where those connections originated from on your internal network.  This is really helpful information when it comes to tracking down which computer is talking to a threat!


Friday, April 29th, is the Big Day!

We are pushing this release on Friday; we hope you love it!

Please call or e-mail me anytime if you would like to learn more about Dark Cubed and our Cyber Security Platform.

I am looking forward to talking with you! - Matt

The Hidden Costs of Cyber Security

There’s no denying that modern business is conducted increasingly online. As a result, the safekeeping of customer data, financial information and other confidential materials has become important for ensuring customer loyalty and business success.

Take Mike, for example. Mike runs a family-owned car dealership in a small town in Wisconsin. Every day, Mike helps his fellow community members - in addition to close friends and family - apply for loans to buy cars, which requires personal information from each customer. Mike knows he should do more to protect his customers’ information. But Mike is overwhelmed with choices. Every company out there is trying to scare him into buying products he cannot afford, install or operate. It is hard enough running and growing his business… Mike does not have time to wade through the noise and hype.

The problem is, the current cyber security marketplace is expensive, and full of hidden costs.

If your company - much like Mike’s car dealership - can’t afford to employ an army of analysts or spend millions of dollars on cyber security, then it’s easy to feel lost in the marketplace.

When small to mid-size companies look for solutions within the cyber security marketplace, they’re typically met with three very poor choices:

  1. Buy and integrate expensive security software in-house
  2. Outsource cyber security to a third-party vendor
  3. Do nothing and hope for the best

For companies who choose to take an in-house approach, not only do they need to purchase the expensive technology, but they also need employees to operate the products, which means lengthy hiring processes, extensive salaries, and ongoing training.

On the other hand, third-party vendors can be just as expensive. Quality cyber security companies tend to be expensive - like, $10,000 - $30,000 per month expensive. While that budget isn’t out of the question for large corporations, it’s a solution that smaller businesses just can’t afford.

While there are many hidden costs of cyber security solutions, no option is worse than sitting back, doing nothing, and hoping for the best.

Thankfully, there’s good news.

The problem isn't nearly as difficult as certain people want to make you believe, and a fourth option is emerging.

To get quality cyber security services without breaking the bank, many small to mid-sized companies are beginning to turn to a new kind of solution that monitors networks in real time, provides accurate alerts and information, provides the tools necessary to take action, and follows through with monthly reporting.

Yes, cyber security is complicated. But it doesn't have to be.

SMBs and Cyber Security: A Real Challenge

Make no mistake: a proper cyber security strategy is essential for all companies that deal with intellectual property, customer data, financial information, and other sensitive materials. However, all too often small and mid-sized companies can feel lost in the marketplace since the majority of mainstream cyber security companies only offer services with a hefty price tag attached.

Yes, cyber security solutions can be expensive. But so are cyber attacks.

According to a cyber security study conducted in association with the experts at IBM and the Ponemon Institute, the average cost of a single security breach rose to $4 million in 2016.

If you're a large business, you might be able to weather a storm that ends up costing you $4 million. If you're a small business, we’re guessing that’s money you just don’t have.

So, being a small to mid-sized company is a bit like being between a rock and a hard place: you can’t afford the most obvious current cyber security solutions on the market, but you also can’t afford a potential attack. The situation's looking a bit desperate, no?

According to Cybersecurity Ventures, cyber crime is predicted to cost the world $6 trillion annually by 2021. Additionally, the marketplace is growing; Business Insider Intelligence predicts $655 billion will be spent on cybersecurity initiatives to protect PCs, mobile devices, and Internet of Things (IoT) devices between 2015 and 2020.

With costs and competition both on the rise, the cyber security marketplace is frazzled, especially for small to mid-sized companies. However, there is still good news. Although the threat is seemingly bigger than ever before, the core issues have remained the same. To optimize security and ensure peace of mind, small to mid-sized companies need only to take a pragmatic approach.

So, how can SMBs take a pragmatic approach?

Basic tools that offer solid firewall protection and email filtering are sold at multiple price points for businesses on a budget. More sophisticated tools such as real-time monitoring, logging, correlated threat intelligence, predictive analytics, workflow and active blocking are also available.

In order to properly utilize all resources available and cut through the noise of the current cyber security market, small to mid-sized companies need technology solutions that aren’t built for Fortune 500 companies. With that approach, businesses still get access to innovative solutions to remain protected, but at a fraction of the cost.

Surprise!  The marketplace is not one-size-fits-all

The marketplace - although complicated - isn’t only reserved for the richest of companies, especially if you know where to look. For small to mid-sized businesses, the trick is doing your research on the current landscape and looking beyond the traditional options to find a solution that makes the most sense for you and your company’s finances.

Remember, just because the big kids are doing it, doesn't mean it’s right. Same goes for business and cyber security solutions.

What is Grizzly Steppe? Dark Cubed Explains Russian Hackers, Elections, and Data-Driven Analytics

Two days before New Year’s, something interesting happened in the world of cyber security. The Department of Homeland Security released a report on hacking activities by Russian Intelligence Services related to activities against the U.S. Government. The report was somewhat interesting; however, DHS also released a set of indicators in a .csv file with 956 lines of data. As the CEO of a new cyber security startup focused on using data in smarter, more interesting ways, this data tugged and pulled at me in a way that I did not expect. Over the next two days, in between (and through) family events, football games, and dogs grabbing food off of the counters, I sat on a stool in my in-laws’ kitchen and tuned out the world. There was something about this analysis that I could not ignore.

On October 7, 2016, the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.

This posting is meant to summarize some of the findings of the more detailed report that Dark Cubed published on New Year’s Eve 2016 titled “A Brief Analysis of the Cyber Indicators Related to GRIZZLY STEPPE.”

Involvement of Tor-Related Infrastructure

The first thing that stood out to me was the prevalence of infrastructure related to the Tor network. I stumbled on this as something significant during my reverse DNS analysis of the IPs released. Many of the DNS entries that came back included tor-exit or tor… this was intriguing to me. I then quickly jumped over to a popular list of Tor-related IP addresses maintained at

Of the 876 IP addresses released by DHS, 211 of them appear on the list of all Tor nodes, that is right around 24% of the indicators. Looking at it from the other direction, as of the time of writing, there were 6,909 IP addresses on that list of Tor nodes. So, the DHS list of IP addresses contained approximately 3% of all of the Tor nodes… while a small percentage, this is still a significant number.

Now, numbers and statistics are interesting, but visualization lets this really sink in. Much of the time I spent analyzing the data released in the JAR was in building graph visualizations using Gephi. The image below shows the result of the reverse DNS analysis and the influence of Tor:

On the left hand side, we see the reverse DNS data set visualized. The items are grouped by the associated TLD (e.g. .com, .net, .ru). The relationships in the graph flow from TLD -> Domain Name -> Fully Qualified Domain Name -> IP -> JAR. On the right hand side we have colored Tor-related IPs, domain names with Tor in them, and their parent nodes red. It is shocking to see in one glance how heavily the data is influenced by the Tor network. The bottom line from this analysis is a simple question: Even if an attack is routed through Tor, should the Government (or anyone else for that matter) be releasing the related Tor nodes as a part of a data set such as this without qualifying that release as noisy?
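The Tor overlap figures and the TLD -> domain -> FQDN -> IP -> JAR graph above are both mechanical enough to reproduce. The following is an added example, not code from the Dark Cubed report, that does so on a constructed indicator set with made-up reverse-DNS names and a made-up stand-in for the public Tor node list (the real DHS .csv and Tor list are not embedded here). It computes both percentages the post quotes (share of the indicators, share of all Tor nodes), builds the graph edges Gephi would be fed, and marks the nodes that should be coloured red: Tor-listed or Tor-named IPs plus their FQDN, domain and TLD. The `tor_related` label check and the two-label "domain" approximation are assumptions of the example.

```python
import re

# Constructed indicator set: IP -> reverse-DNS name (None = no PTR record).
# Made up for this example; not values from the DHS .csv.
SAMPLE_RDNS = {
    "198.51.100.10": "tor-exit-1.example.net",
    "198.51.100.11": "torexit3.relay.example.net",
    "198.51.100.12": "mail.example.com",
    "198.51.100.13": "monitor.example.com",
    "198.51.100.14": "storage.example.ru",
    "198.51.100.15": "vps42.hoster.example.ru",
    "198.51.100.16": None,
    "198.51.100.17": "cdn.example.com",
}
# Constructed stand-in for the public Tor node list the post consulted.
SAMPLE_TOR_NODES = {"198.51.100.10", "198.51.100.11", "198.51.100.200", "198.51.100.201",
                    "198.51.100.202", "198.51.100.203", "198.51.100.204", "198.51.100.205",
                    "198.51.100.206", "198.51.100.207"}

TOR_TOKENS = {"tor", "torexit", "torrelay", "tornode", "torproxy"}


def tor_related(hostname):
    """True when a DNS label (trailing digits stripped) is 'tor' or a tor-* compound.
    Checking whole labels rather than substrings keeps 'monitor' and 'storage' out."""
    labels = re.split(r"[.\-_]", hostname.lower())
    return any(label.rstrip("0123456789") in TOR_TOKENS for label in labels)


def overlap_stats(indicator_ips, tor_ips):
    """Overlap count plus both percentages the post quotes."""
    overlap = set(indicator_ips) & set(tor_ips)
    return {
        "overlap": len(overlap),
        "pct_of_indicators": round(100 * len(overlap) / len(indicator_ips), 1),
        "pct_of_tor_nodes": round(100 * len(overlap) / len(tor_ips), 1),
    }


def rdns_edges(rdns):
    """Edge set for the TLD -> domain -> FQDN -> IP -> JAR graph. The 'domain' is the last
    two labels, an approximation that is wrong for two-level public suffixes such as co.uk."""
    edges = set()
    for ip, name in rdns.items():
        if name:
            labels = name.split(".")
            tld, domain = labels[-1], ".".join(labels[-2:])
            edges.update({(tld, domain), (domain, name), (name, ip)})
        edges.add((ip, "JAR"))  # every indicator hangs off the JAR node, PTR or not
    return edges


def tor_tainted_nodes(rdns, tor_ips):
    """Nodes to colour red: Tor-listed or Tor-named IPs and their FQDN, domain and TLD."""
    red = set()
    for ip, name in rdns.items():
        if ip in tor_ips or (name and tor_related(name)):
            red.add(ip)
            if name:
                labels = name.split(".")
                red.update({name, ".".join(labels[-2:]), labels[-1]})
    return red


if __name__ == "__main__":
    print(overlap_stats(SAMPLE_RDNS, SAMPLE_TOR_NODES))
    print(sorted(tor_tainted_nodes(SAMPLE_RDNS, SAMPLE_TOR_NODES)))
```

The same two percentages on the post's own counts (211 overlapping out of 876 indicators and 6,909 Tor nodes) come out at roughly 24% and 3%, which is the point the visualization makes: a quarter of the indicator list is infrastructure that anyone on the internet may be exiting through on a given day.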

Analysis of Geolocation

In the released .csv file, DHS identified the countries associated with each IP. This led me down the road of exploring what insights could be gleaned from a geolocation-based analysis. The first step of course was to simply map the IP addresses on Google Maps using the MaxMind database. The result was not necessarily helpful, but interesting nonetheless.

A quick glance shows that this data set covers quite a bit of territory and was rather expansive. For a more detailed analysis, I jumped back into building out some visualizations in Gephi, a painstaking, methodical process.

“These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information” — JAR-16–20296

The result was fascinating and in some ways looks like a daisy. Like the map above, the graph reveals that this is a pretty diverse data set, but there are a few very intriguing nuggets:

The first thing that stood out to me immediately was China and the Republic of Korea. Both of those countries were featured, yet were tied only to infrastructure that was identified by the JAR as being Command and Control (C2). Looking at Russia, there was of course a significant number of nodes, however only one was identified as C2. We see the same effect in countries represented by a smaller number of nodes such as Puerto Rico (3), Thailand, and Hong Kong. What this means exactly is not clear, but it is definitely an interesting result and worth more consideration.

Analysis of Organizations

A different way to look at the data set involves evaluating the organizations that are related to the IP addresses themselves. Again, this took a significant amount of time to build out the visualizations in a way that made them worthwhile, but the result was fascinating:

This view provides us with insight into organizations that have more IP addresses than others featured in the data set. Groups like the Russian broadband provider Scartel Ltd. are very prominent. We also see the influence of cloud providers such as Online S.A.S. and Ovh Systems. We go into more detail in the paper, but the other interesting finding here is the three organizations associated with China that appear to be related to the C2 infrastructure discussed above.

Dark Cubed Analysis

The final, and most detailed section of our analysis was related to proprietary data that Dark Cubed has been collecting for almost a year now. A unique part of our offering is that we provide a real-time, fully anonymous information sharing network capability to our customers that enables shared analytics without revealing customer identities. This provides us with a very unique and interesting data set that lets us compare real network activity with sets of indicators like those released with GRIZZLY STEPPE.

This data provides a significant benefit when evaluating such data sets due to the fact that it lets us mash up suspected bad activity with real activity to see where indicators might be too noisy. The graph below highlights the organizations related to GRIZZLY STEPPE, sized by the volume at which Dark Cubed customers observed those indicators:

By using real-world data to analyze these data sets, we can instantly see the introduction of unwanted noise. Why are indicators associated with Yahoo, Twitter, Google, Microsoft, EdgeCast (Verizon) included as something that network administrators should be looking for? At best, this creates a rabbit hole with no value. At worst, noisy threat intelligence companies might introduce these indicators into their data sets and create a world of headaches for companies both large and small.

The second analysis has to do with sizing the nodes based on the number of customers that observed the indicator. This provides us with a different perspective on “noisy” indicators.

We see above a relatively tight grouping in the middle associated with a group of C2 and non-C2 nodes that were seen on a large number of Dark Cubed customer networks. We also see a majority of the indicators were scattered across customers in a relatively balanced fashion.


Based on our initial look into the data, this is the result of broad, unfocused scanning activity that occurs from these IP addresses on a regular basis. In our report we dig into more detail on the most broadly seen indicators, but (spoiler alert) they just appear to be noise. In fact, four of the largest “C2” nodes in the graph above are simply Yahoo servers.

The third and final analysis worth sharing outside of our more detailed report is when we overlay scores that we calculated for our customers when they observed these indicators on their own networks. Our scores range from low risk, high confidence to high risk, high confidence. The graph below shows the results of that analysis.

As we can quickly see, most of the infrastructure associated with the JAR was already known to be suspicious for a number of reasons. The items in the middle that are scored neutral (yellow) or low risk (green) are Yahoo and Google servers, by the way.

This is important to note because it indicates how noisy this data set really is. We cannot make a determination on whether the infrastructure was or was not used by the Russian Intelligence Services (RIS), because we have not seen the incident response data. However, we can say with certainty that the infrastructure related to GRIZZLY STEPPE AND observed by Dark Cubed customers was not used exclusively by RIS threat actors.

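The two overlays described in this section, volume per indicator and the number of distinct customers that observed it, reduce to a small aggregation over anonymised sightings. The following is an added example (not Dark Cubed's code or its scoring method) that performs that aggregation on constructed indicator metadata and constructed, anonymised observation tuples, then applies a hypothetical classification rule: an indicator seen by most customers is treated as noise whatever its C2 tag (the "four of the largest C2 nodes were simply Yahoo servers" case), a narrowly seen C2-tagged indicator is the one worth analyst time, and an indicator no customer saw is left unjudged. The organisation names, the C2 flags, the five-customer population and the 60% breadth threshold are all assumptions for the example.

```python
from collections import defaultdict

# Constructed indicator metadata (IP -> organisation, C2 flag). Made up for this example,
# not values from the JAR.
SAMPLE_INDICATORS = {
    "198.51.100.20": {"org": "Large Webmail Provider", "c2": True},
    "198.51.100.21": {"org": "Scanner Hosting Ltd", "c2": False},
    "198.51.100.22": {"org": "Quiet VPS Co", "c2": True},
    "198.51.100.23": {"org": "Broadband ISP", "c2": False},
    "198.51.100.24": {"org": "Unseen Hosting", "c2": True},
}
# Constructed, anonymised observations: (customer_id, indicator_ip, connection_count).
SAMPLE_OBSERVATIONS = [
    ("c1", "198.51.100.20", 500), ("c2", "198.51.100.20", 420), ("c3", "198.51.100.20", 610),
    ("c4", "198.51.100.20", 380), ("c5", "198.51.100.20", 455),
    ("c1", "198.51.100.21", 12), ("c2", "198.51.100.21", 3), ("c3", "198.51.100.21", 7),
    ("c5", "198.51.100.21", 9),
    ("c4", "198.51.100.22", 2),
    ("c2", "198.51.100.23", 40), ("c3", "198.51.100.23", 35),
]
N_CUSTOMERS = 5  # size of the (constructed) sharing network


def overlay(observations, n_customers):
    """Per indicator: total volume, distinct observing customers, and breadth (fraction of
    all customers that saw it) - the two node-sizing metrics from the post."""
    volume = defaultdict(int)
    seen_by = defaultdict(set)
    for customer, ip, count in observations:
        volume[ip] += count
        seen_by[ip].add(customer)
    return {ip: {"volume": volume[ip],
                 "customers": len(seen_by[ip]),
                 "breadth": len(seen_by[ip]) / n_customers} for ip in volume}


def classify(indicators, stats, broad_threshold=0.6):
    """Hypothetical rule: broad breadth => noisy (shared infrastructure or mass scanning),
    narrow + C2-tagged => review, narrow + untagged => low-signal, never seen => unobserved."""
    labels = {}
    for ip, meta in indicators.items():
        s = stats.get(ip)
        if s is None:
            labels[ip] = "unobserved"
        elif s["breadth"] >= broad_threshold:
            labels[ip] = "noisy"
        elif meta["c2"]:
            labels[ip] = "review"
        else:
            labels[ip] = "low-signal"
    return labels


if __name__ == "__main__":
    stats = overlay(SAMPLE_OBSERVATIONS, N_CUSTOMERS)
    for ip, label in classify(SAMPLE_INDICATORS, stats).items():
        s = stats.get(ip, {"volume": 0, "customers": 0})
        print(f"{ip} ({SAMPLE_INDICATORS[ip]['org']}): {s['volume']} connections "
              f"across {s['customers']} customers -> {label}")
```

Breadth, not volume, is the discriminating metric here: a single compromised customer can generate a large volume against one address, but an indicator that most unrelated networks touch in ordinary operation is almost certainly shared infrastructure, and pushing it into a block list would create exactly the rabbit hole the post warns about.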
In closing, this project was a fascinating deep dive into the power of data analytics and reinforced to me the necessity of using real network data to help remove noise from data sets such as that released in association with GRIZZLY STEPPE. It also reinforced our vision of delivering threat intelligence and predictive analytics at scale to companies of all sizes in a vehicle they can actually afford and use.

As we continue to build and grow our early stage startup, we hope to be able to continue to contribute more data-driven analytics to help filter out the noise and allow organizations to protect what matters most.

This article was originally published on

How An Information Sharing Environment Can Better Predict Cyber Threat Trends

With sophisticated hacking schemes gaining velocity, maintaining an organization's cyber security can feel demanding. Few know that reality better than the federal government. In response to the events of September 11, 2001, the Department of Homeland Security, together with Congress, began to develop methods by which to gather crucial information on illicit cyber activity and disseminate it to other government agencies within the national security enterprise and private networks considered as critical infrastructure. Known as the Information Sharing Environment (ISE), DHS endeavored to boost inter-agency cooperation and reduce attitudes clinging to parochial interests in order to better protect the country from future cyber peril.

According to the ISE blog, "It also sets the stage for the automated sharing of not just technical indicators, but the context under which that event took place. This will provide decision makers across organizations with the much-needed situational awareness they need to develop a sense for how to respond. The Cyber Threat Framework is gaining adoption across the Intelligence Community; the next step will be to expand adoption across the federal government and throughout the state, local, tribal, and territorial, and private sector communities."

Private Sector ISE

Taking its cue from the federal effort, the National Institute of Standards and Technology (NIST) published guidance on cyber threat information sharing for the private sector (NIST Special Publication 800-150). Of course, private industry, being highly competitive, faces different challenges when creating information sharing environments. However, as all are vulnerable, companies recognize the value of a trust-based network in which an attack observed at one company becomes a warning for the rest. Today, it may be Company A under attack. But if Company A shares what it saw so Companies B through Z can avoid the threat, then Company A will enjoy the same benefit another time.

Situational Awareness

An information sharing environment, especially when an organization is tied into several ISEs, can help defend against an external attack. When businesses, big and small, tap into ISEs, their view of the threat landscape is no longer limited to what reaches their own perimeter. Companies alerted at the first sign of an attack somewhere in the network can block the indicators involved and tighten their defensive posture before the same campaign reaches them.

Real Time Monitoring and Automation

The larger the enterprise, the more likely it is to have IT staff monitoring for suspicious activity. Smaller establishments can benefit from the resources of larger ones within the ISE, or they may contribute to real-time monitoring themselves by deploying software that automatically ingests shared indicators, matches them against their own traffic and logs, and raises alerts without anyone glued to an array of screens. With a machine-to-machine exchange in place, automation can absorb much of the human effort to detect, identify, track and contain intrusions. The caveat is that the automation is only as good as the indicators it receives: without the context the ISE post quoted above calls for (how confident the source is, how long the indicator stays valid, what it actually means), a stale or low-confidence feed simply generates noise.
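The machine-to-machine exchange described above, written out as an added example (this is not code from the original post, the ISE or Dark Cubed): a consumer takes a STIX 2.1-shaped bundle of shared indicators, keeps only those that are valid right now, and matches them against its own firewall log lines, carrying the shared name, confidence and description into each alert. The bundle, the log lines, the `key=value` log format and the fixed "now" are constructed assumptions, and the parser handles only the simple `[ipv4-addr:value = '...']` pattern form; real STIX patterning is far richer, so anything it cannot parse is skipped rather than guessed at.

```python
"""Consume shared indicators (STIX 2.1-shaped JSON) and match them against
local firewall logs, carrying the shared context into each alert.

Added example for this article, not Dark Cubed or ISE code. The bundle and
log lines are constructed; the only STIX pattern form handled is the simple
`[ipv4-addr:value = '...']` comparison, an assumption that keeps the parser short.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample of what an ISE feed might deliver machine-to-machine.
# Addresses come from the RFC 5737 documentation ranges.
SHARED_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "C2 node reported by partner A",
            "description": "Callback host for a credential-stealing trojan",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.45']",
            "confidence": 85,
            "valid_from": "2017-01-10T00:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "Scanner reported by partner B (retired)",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "confidence": 40,
            "valid_from": "2016-06-01T00:00:00Z",
            "valid_until": "2016-12-31T00:00:00Z",
        },
    ],
})

# Constructed firewall log lines in a space-separated key=value format.
SAMPLE_LOGS = [
    "2017-02-01T09:12:03Z action=allow src=10.1.4.22 dst=203.0.113.45 dport=443",
    "2017-02-01T09:12:07Z action=allow src=10.1.4.22 dst=192.0.2.10 dport=443",
    "2017-02-01T09:13:41Z action=deny src=198.51.100.7 dst=10.1.4.9 dport=22",
]

SIMPLE_PATTERN = re.compile(r"^\[ipv4-addr:value = '([^']+)'\]$")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_ts(value):
    """STIX timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(bundle_json, now):
    """Return {ip: indicator object} for indicators valid at `now`.

    Patterns this parser does not understand are skipped, and expired or
    not-yet-valid indicators are dropped: stale entries are the main way a
    shared feed turns into noise.
    """
    active = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match:
            continue  # richer STIX patterns are out of scope here
        if parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            continue
        active[match.group(1)] = obj
    return active


def match_logs(log_lines, indicators):
    """Check both endpoints of each log line; attach the shared context to hits."""
    alerts = []
    for line in log_lines:
        fields = dict(FIELD.findall(line))
        for side in ("src", "dst"):
            indicator = indicators.get(fields.get(side))
            if indicator:
                alerts.append({
                    "log": line,
                    "matched": fields[side],
                    "direction": "inbound" if side == "src" else "outbound",
                    "indicator": indicator["name"],
                    "confidence": indicator.get("confidence"),
                    "context": indicator.get("description", ""),
                })
    return alerts


if __name__ == "__main__":
    now = parse_ts("2017-02-01T12:00:00Z")
    for alert in match_logs(SAMPLE_LOGS, load_indicators(SHARED_BUNDLE, now)):
        print(alert)
```

With the constructed "now" in February 2017 only the first indicator fires, on the outbound connection to 203.0.113.45; the retired scanner indicator is ignored even though its address appears in the deny line. Run the same bundle with a "now" inside the scanner's validity window and it is the scanner, not the C2 node, that matches.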

Artificial Intelligence or Machine Learning

Machine learning can analyze threat trends in the information shared through the ISE. Systems such as IBM's Watson have been applied to the task of sorting activity into what is probably benign, what is likely a reconnaissance or compromise attempt, and what looks like an attack in progress, and that ranking is what lets a small team focus its attention. Acting on established rules, the platform can then block the offending traffic automatically; the data from each event feeds back into the model so that attacks of the same nature are recognized sooner across the ISE. Two caveats apply. Automated blocking should be gated on confidence, because a false positive blocks legitimate business traffic just as efficiently as it blocks an attacker, and a model is only as current as the data it was trained on, so the sharing has to keep flowing for the predictions to keep up.

As the Internet of Things (IoT) continues to grow, even simple consumer devices can be hijacked and used for cyber crimes. Private companies, already suffering data insecurity, should travel in packs to protect themselves. By joining information sharing environments, enterprises can stay a pace or two ahead of the problem.

Dark Cubed Makes Cyber Security Even More Simple With Release 12.0

Here at Dark Cubed, we're excited to announce release 12.0 of our Cyber Security Platform.

We generally release updates of our simplified cyber security platform each month. Since launching with release 1.0 in April of 2016, we've made strategic progress and we're especially proud of this release.

The biggest feature in release 12.0 is Multi-Level Reporting.

Before today, if a customer had multiple locations, we would deploy Dark Cubed Appliances (physical hardware, virtual, or cloud-based) at each location.

Each Appliance would serve a Dashboard to allow the customer to monitor and manage threats on that network.

That meant if a customer had multiple locations and wanted to get a complete picture across their company, they would have to look at multiple Dashboards.

Today's release introduces the ability to deploy an unlimited number of devices across locations and to then monitor and manage cyber-risk on a single screen. Customers can create groups (stores, warehouses, east-coast, west-coast, U.S., international) and monitor risk for a single device, a group, or all devices from one screen, with one login.

This feature is especially important to two types of customers:

  • Companies with multiple physical locations that want to manage risk from a centralized location.
  • MSSPs that want to deploy our Platform to multiple customers with the ability to monitor risk at a single customer, or across their customer base.

To find out more about the Dark Cubed platform and the features in release 12.0, contact us today!

Cyber Security Monitoring In 15 Minutes? Really???

If you've read anything about Dark Cubed, you know that we pride ourselves on being different. We have built a powerful cyber security platform that is easy to install and use.

"no way." It's too simple.

Most people hear claims like that and think, “no way.” They are jaded, and I don’t blame them. They discount those claims as marketing hype: if it is powerful, it cannot be easy to install or use. It has to be hard and expensive.

Well, I want to share an experience we recently had with a customer in New York.

We shipped their appliance via FedEx, so I know that it arrived safely in its box at 2:49 p.m.

To get our appliance running, the customer had to make three connections.

  1. First, he had to plug the appliance in.
  2. Second, he had to connect the appliance to his network so it could get an IP address and connect to the Internet. As soon as this happens, the appliance connects to our data center to download the software it needs to do its job.
  3. The third connection was from his switch to our appliance. The customer configured his switch to mirror all inbound and outbound traffic to a specific port (a SPAN or mirror port), and he connected that port to our appliance.

With this final connection the appliance begins to see the customer's traffic, extracts the IP addresses involved, and starts sending requests for threat scores.
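What happens on the appliance right after that third connection, as an added example rather than Dark Cubed's own code: mirrored flows arrive, the internal side of each flow is discarded, the remote addresses are deduplicated, and the survivors are grouped into scoring requests. The flow records are constructed (RFC 5737 documentation ranges stand in for Internet hosts), the list of address space treated as local is an assumption to adjust per customer, and the batch size is arbitrary.

```python
"""First job of a passive appliance on a mirror (SPAN) port: pull the remote
endpoints out of the mirrored flows, drop the internal side, dedupe, and
batch the result for threat-score lookups.

Added example for this article, not Dark Cubed's code. Flow records are
constructed and the LOCAL_NETS list is an assumption.
"""
import ipaddress

# Address space that never needs an external threat score. Adjust to the
# customer's own addressing; this list is an assumption.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "224.0.0.0/4", "255.255.255.255/32",               # multicast, broadcast
)]

# Constructed mirrored flows as a collector would emit them:
# (src, dst, protocol, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.45", "tcp", 443),
    ("192.168.1.20", "203.0.113.45", "tcp", 443),    # repeat, must dedupe
    ("192.168.1.31", "198.51.100.7", "udp", 53),
    ("198.51.100.200", "192.168.1.5", "tcp", 22),    # inbound: remote is the src
    ("192.168.1.20", "192.168.1.1", "udp", 53),      # internal-only, skipped
    ("192.168.1.20", "224.0.0.251", "udp", 5353),    # mDNS multicast, skipped
    ("192.168.1.22", "100.64.0.9", "tcp", 80),       # CGNAT space, skipped
    ("192.168.1.40", "203.0.113.99", "icmp", 0),
]


def is_local(ip):
    """True if the address belongs to space we never send out for scoring."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def external_peers(flows):
    """Return the sorted, deduplicated remote addresses worth scoring.

    Either side of a flow may be the remote one (inbound vs. outbound), so
    both are checked rather than assuming the destination is external.
    """
    peers = set()
    for src, dst, _proto, _port in flows:
        for ip in (src, dst):
            if not is_local(ip):
                peers.add(ip)
    return sorted(peers, key=ipaddress.ip_address)


def batches(items, size):
    """Group lookups so one mirrored burst becomes a few scoring requests."""
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    peers = external_peers(SAMPLE_FLOWS)
    print(f"{len(SAMPLE_FLOWS)} flows -> {len(peers)} addresses to score")
    for request in batches(peers, 2):
        print("score request:", request)
```

Eight mirrored flows collapse to four addresses worth a lookup; the internal DNS query, the multicast chatter and the CGNAT address never leave the box. The dedup is what makes the 4,000-address figure below meaningful: it counts distinct remote hosts, not packets.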

Incoming Data Being Processed


By 4 p.m., when we had a training call with the customer, the appliance had already requested and received scores for over 4,000 unique IP addresses.


I know that I'm a geek… but let that sink in for a minute. In a little over an hour we had a customer unpack our appliance, connect it to their network, and configure and connect their switch. The appliance connected to our data center, downloaded the software it needed, and requested and received threat scores for more than 4,000 unique IP addresses communicating to and from his network.

Then remember: we compared each of those 4,000 IP addresses against more than 60 sources of threat intelligence, and we used predictive analytics to assign a threat score to those that were not found in any of them. And we did all of this in real time.

This customer went from zero visibility to real-time, correlated threat intelligence in an hour. One person. No onsite support. No consulting or integration services. Our product documentation fits on a 3x5 card.

No other company can deploy such a powerful, comprehensive solution so quickly and simply.

If you want to learn more about how Dark Cubed is simplifying cyber security, or if you want to try the product FREE for 30 days, schedule a demo with us today!

I have a Firewall, so I am protected, right??

Mike owns a financial advisory firm. He helps people save for life’s big events like college and retirement and knows each one of his clients personally. His team consists of 15 employees with a range of responsibilities, from providing investment advice to making trades and other administrative activities. As a result, Mike's company collects some really important personal information like social security numbers, bank account numbers, balances and transaction instructions. 


Mike’s business isn't on an island, as he is part of a national organization, a larger brand that he fits underneath. The national organization runs his email and provides him with the IT system to track customer transactions and generate monthly, quarterly and annual statements.

Mike counts on the national firm to protect his customers’ information, and they do a great job. However, Mike understands that in his office, he is responsible. He buys the computers, printers, fax machines, and telephones.

As his business has grown over the past decade, he has hired more people and bought the necessary equipment to keep the office running.

A few weeks ago Mike's voice-over-IP phone system failed, and the company that sold it to him provided sub-par service. His employees were without phones for a week.

Mike’s business does not have a dedicated IT department. As the owner, fixing this problem fell completely on his shoulders. 

As he attempted to clean up the IT mess, he realized that his company had become too large for him to be the only IT resource... and he was reminded just how important technology had become to his day-to-day operations.

Mike retained the services of an IT consulting firm. They did a good job correcting the problem and re-architecting his network. He is really happy that someone else can support the technology in his office.

You may wonder, what does Mike's story have to do with Dark Cubed?

Here you go:

Mike represents a real customer that has been evaluating the Dark Cubed Platform. He mentioned Dark Cubed to his IT consulting firm. In response, they shared their thoughts:

“You have a firewall, your customers’ data is stored in the cloud, you have nothing to worry about.”

A firewall is important. It provides an essential layer of protection, using rules or signatures to decide which traffic to block and which to allow. But it only sees traffic that crosses it, and it judges that traffic against what it has been told to look for. It offers no protection against many of the types of attacks that could put Mike's business out of business overnight.

I asked Mike a few questions:

  1. How often do your employees plug USB drives into their computers?
  2. How often do they store a backup copy of customer data on their hard drive?
  3. How often do they bring their personal laptops into your office and connect to your network?
  4. How often do they browse to sites on the Internet and download information, or watch video?

This is the real world. Mike runs a real business, and he answered, “all the time,” to each question. 

These normal, everyday activities introduce risk that a firewall does not and cannot control. A USB drive, a personal laptop on the office Wi-Fi, or a backup copy sitting on a local disk never crosses the firewall at all, and an employee browsing to a malicious site is making exactly the kind of outbound connection the firewall was configured to allow.

The reality is, there are hundreds of ways your network can be compromised, and most small to mid-sized companies cannot afford to defend against all possible threats. You need a platform that monitors traffic in real time and can identify and block threats on your network. You need Dark Cubed!

The Value of Shared Data Analytics

Here at Dark Cubed, we are focused on a new approach to cyber security that works for companies of all sizes. A key part of our mission is to use elegant engineering to simplify the deployment and use of sophisticated security capabilities. One key component behind Dark Cubed is our ability to provide enhanced protection for our customers through near real-time data analytics and predictive algorithms. As we continue to deploy Dark Cubed to more customers, we are ramping up our data science and analytics capabilities, both in-house and through partnerships. Two of the partnerships we are excited about are with the University of New Haven (focusing on IoT and mobile malware applications) and George Mason University (focusing on data analytics and visualization).

Needless to say, we are very excited to be working with such awesome folks at these educational institutions!

One of the key functionalities of Dark Cubed is the ability for our customers to monitor traffic on their networks in a way that is prioritized against a threat. How these threat scores are calculated, and the benefit to our customers, is what makes the Dark Cubed approach truly unique.

At the most basic level, we score the risk of that traffic using what we call a three legged stool algorithm. First, we look at the world of known threats. This world has to do with massive amounts of threat intelligence, block lists, and other insights into malicious infrastructure that we have been collecting for well over a year. Second, we are able to be predictive about new threats using statistical analysis against the known threat data set we have collected to determine if certain traffic may be malicious even if it has not been identified before. Finally, we look at a real-time data set of anonymous data from our community of users to determine interesting trends and patterns in the threats to those networks.
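The three legged stool, sketched as an added example so the shape of the calculation is concrete. This is not Dark Cubed's patented algorithm: the feeds, the per-address community counts, the 0-100 scale and the weights are all constructed assumptions, and the predictive leg here is a deliberately simple stand-in (proximity to listed infrastructure in the same /24) for the statistical model the text refers to. The community leg only ever sees a count of distinct networks per address, never which networks, which is also what sizes the dots in the graph discussed below.

```python
"""Three inputs to one threat score: known-threat feeds, a prediction for
addresses no feed has seen, and community prevalence across anonymous
customer networks.

Added example for this article, not Dark Cubed's algorithm. Feed data,
community counts, scale and weights are assumptions; addresses are from the
RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed feed data: ip -> names of the feeds that list it.
KNOWN_BAD = {
    "203.0.113.45": {"feed-a", "feed-b", "feed-c"},
    "203.0.113.46": {"feed-a"},
    "198.51.100.7": {"feed-b"},
}

# Constructed community data: ip -> number of distinct customer networks that
# saw traffic to or from it in the window. Only the count is shared, never
# the customers, which is what keeps this leg anonymous.
COMMUNITY_SEEN = {
    "203.0.113.45": 12,
    "203.0.113.99": 9,
    "192.0.2.10": 1,
}

TOTAL_FEEDS = 3
TOTAL_NETWORKS = 44  # assumption, matching the deployment count quoted in the article
WEIGHTS = {"known": 60, "predictive": 20, "community": 20}


def known_leg(ip):
    """0..1: how many independent feeds agree the address is bad."""
    return min(1.0, len(KNOWN_BAD.get(ip, ())) / TOTAL_FEEDS)


def predictive_leg(ip):
    """0..1 for unlisted addresses only: share a /24 with listed infrastructure.

    Assumption standing in for a real model: attackers tend to reuse
    neighbouring addresses, so each listed neighbour adds a discounted 0.25.
    """
    if ip in KNOWN_BAD:
        return 0.0  # nothing to predict for a confirmed listing
    block = ipaddress.ip_network(f"{ip}/24", strict=False)
    neighbours = sum(1 for bad in KNOWN_BAD if ipaddress.ip_address(bad) in block)
    return min(1.0, 0.25 * neighbours)


def community_leg(ip):
    """0..1: share of participating networks that saw the address.

    A single sighting counts for nothing so one customer's odd traffic does
    not raise everyone's score; seeing a quarter of the community saturates.
    """
    seen = COMMUNITY_SEEN.get(ip, 0)
    return 0.0 if seen < 2 else min(1.0, seen / TOTAL_NETWORKS * 4)


def threat_score(ip):
    """Weighted 0-100 score plus the per-leg breakdown an analyst would want."""
    legs = {
        "known": known_leg(ip),
        "predictive": predictive_leg(ip),
        "community": community_leg(ip),
    }
    total = round(sum(WEIGHTS[name] * value for name, value in legs.items()))
    return total, legs


def prioritize(ips):
    """Order observed addresses so the analyst sees the worst first."""
    return sorted(ips, key=lambda ip: threat_score(ip)[0], reverse=True)


if __name__ == "__main__":
    observed = ["192.0.2.10", "198.51.100.8", "203.0.113.99", "203.0.113.45", "198.51.100.7"]
    for ip in prioritize(observed):
        total, legs = threat_score(ip)
        print(f"{ip:>15}  score={total:3d}  {legs}")
```

The interesting row is 203.0.113.99: no feed lists it, yet two listed neighbours and nine networks reporting it put it ahead of 198.51.100.7, which a single feed lists but nobody else is seeing. That is the point of the third leg: it ranks something no individual customer's intelligence would have flagged.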

While the benefit in the first two processes is significant (and would cost significant amounts of time and money for each of our customers to build out individually), it's this third area that excites us the most. The power behind Dark Cubed is the ability to use data analytics to observe threats to our customers in real time while allowing our customers complete privacy through anonymity. To give you a peek into what this looks like, check out the network graph below produced from the Dark Cubed data set.

This graph visualizes over 20K of the highest threats observed within the Dark Cubed data set across 44 different customer deployments over the last year. At the center of the groupings are green dots that represent anonymous Dark Cubed customers. These customers are then connected to the threats that have been targeting their networks. The red circles indicate the highest threats, while the yellow are the next highest. Finally, the size of the dot corresponds to the number of unique networks that saw each malicious IP address or Domain… so, the bigger the colored dot, the more networks it targeted.

The more commonly seen items are grouped to the middle of the graph, while the unique items are pushed to the edge. Using these forms of graph analysis, Dark Cubed analysts can perform advanced analytics to identify new and emerging threats to help our customers protect what matters most.

While this is very, very cool, what does it mean to our customers?

It means that our customers are protected by cutting edge data analytics that rival what even the largest of enterprises can deliver. By realizing the power of community and real-time analytics, we are finally able to envision a future where defense can start to move at the speed of attack!

As you can tell, we are really geeking out on this stuff and are so excited to be able to share with a community of people like you that are excited about finally doing something new in cyber security! We are working on several new blog postings for the coming weeks with more detailed data analysis, so please stand by!

Reflections on Last Week

I was on the road last week and had plenty of airplane time to catch up on some overdue reading and reflection.  The week closed with a rather significant event on the Internet: the DDoS attack against Dyn’s DNS infrastructure.  Now, just to warn you, this isn’t a posting about how we could have fixed it and how we are the magic bullet for cyber security…we aren’t that obtuse (although many other cyber security companies are seizing this as a marketing opportunity).  Anyway, while at home this weekend, in between baseball games and kid birthday parties, I had a chance to reflect on the week and our vision at Dark Cubed, and I was struck by the impact of three events from the week.

First, on one flight I came across an article in Wired titled “Hackers are not as sophisticated as they think they are.”  In this article, the reporter talks with Ian Levy, the technical director of the National Cyber Security Centre (NCSC) in the UK.  One sentence stood out to me like a beacon; it comes when Mr. Levy is talking about the blame that should be placed on the cyber security industry:

“There is no other bit of public policy where the tone is set by a group of massively incentivized people.” 

This article inspired me to look into the NCSC a little more and I found the text of a speech by Ciaran Martin, the CEO of NCSC, that he gave to the Billington Cyber Security Summit.  His speech was great… but one point really stood out...and is totally aligned with our vision...

"So let me make a point we believe to be fundamentally true, and therefore critical to our strategy. The great majority of cyber attacks are not terribly sophisticated. They can be defended against. And even if they get through, their impact can be contained." 

The full text of his speech is here; I highly recommend you read it.

Second, one of the reasons for my travels was to spend a day talking with a newly minted CISO from a company in a highly regulated industry. This was a relatively large, publicly traded company with employees spread across the country. 

As our discussion progressed throughout the day, I was in awe of how much this person had accomplished with such a limited budget and staff.  This CISO is operating in a company that is being bombarded with fear, uncertainty, and doubt about cyber security attacks, yet they are taking a no-nonsense approach to managing risk. 

Time and time again… our conversation wandered down a well-worn path… “I would love to use that product… but the cost is too high,” or, “We kicked the tires of that product… but it generated so many alerts that I would have had to hire more staff to get any benefit.”

I was so impressed with their commitment to securing the data of the company and their customers, but I could not help but think that today’s cyber security products simply do not work for companies like this.  The challenge is that many of the products on the market today are built against a fictitious model of what an organization SHOULD be from a security perspective versus the reality that real companies are facing every day. 


Finally, my third reflection: in between growing a company, raising three kids, and other events in life, I always try to make time to read.  Currently, I am making my way through a book titled “The Contrarian’s Guide to Leadership.”  There are some fascinating points in this book, but one section that I read last week focused on balancing the reality of how humans behave and operate against how we wish people were.  In this book, the author makes a fascinating point.  “I am reminded here of a book on child rearing by Dr. Haim Ginott which my wife and I read many years ago.  Dr. Ginott advised parents to teach their children the supreme importance of discerning and accepting reality, in order to either make peace with it or attempt to change it.  In other words, don’t let children delude themselves about how the world and its people really work.”  Given what we have been working on for the past two and a half years to change the future of cyber security, this passage struck me.  We have built a cyber security market based on how we think companies should operate versus how they actually do.  If we have any hope of making things better, we need to change the way we think about these problems and try something new.


Now, the culmination of these events against the backdrop of the DDoS attack created a rather stark realization for me.  “We got ourselves into this mess, now how are we going to get out of it??”  What I mean by this is that we - cyber security professionals - have ignored the reality of what companies are really facing for too long and have instead chosen to focus on some of the hardest problems in security.  For example, how can we get better at behavioral detection of zero day threats, how can we build a cyber security framework that provides hundreds of controls for companies to follow, how can we get better at hunting Nation-State threats within corporate networks, how can we get better threat intelligence on specific threat actors, and the list goes on and on. 

Balance those questions against the mind boggling reality that most companies today are not only NOT trying to solve these issues, rather they are simply trying to figure out how they can survive given such limited security budgets and the inability to hire cyber security professionals. 

It is incomprehensible to me that an overwhelming majority of companies today have ZERO visibility into what is happening on their networks.  This is not a “hard” problem, rather it is a different problem.   The problem has to do with solving the cost, scale, and complexity associated with cyber security capabilities.  Why are we so focused on helping companies find zero day threats when they can’t even answer the question “were devices on my network part of this attack?”

At Dark Cubed we believe it is time for a different approach to cyber security that focuses on delivering results, not hyperbole.  We are delighted to see organizations such as the NCSC joining the increasing choir of security experts that are pushing people to think differently about solving some of the systemic security challenges facing the world today.  If you want to learn more about what we are working on and how we can help you, please drop us a line at  We would love to talk with you.

Lessons Learned From Protecting the 2016 Republican Convention

Last month I spent the week in Cleveland, Ohio – the home of the Rock and Roll Hall of Fame, Great Lakes Brewing Company, and LeBron James.  I wasn’t there to enjoy the sights, rather, Dark Cubed had been provided the opportunity to demonstrate our technology at the Republican National Convention as a member of the Cyber Security Operations Center.  Here are some of my thoughts resulting from supporting this historic event, regardless of your political leanings.


The network supporting the convention was large and complex. Nearly a year of effort was required to build the infrastructure for the convention and provide network access to an extensive professional volunteer force, campaign staffers, official visitors, and all attendees. Success required the installation of over 300 wireless access points to support nearly 10,000 users, spanning locations across downtown Cleveland such as Progressive Field (where the Indians play), Quicken Loans Arena (where the Cavaliers play), and the Cleveland Convention Center.  If you really think about it, this activity is like building a corporate enterprise network that will only be operational for a week, yet will likely be targeted aggressively by a wide variety of actors.

This experience made me realize that the factors I see as contributing to our lack of security in the broader market (products are too expensive, too complex, and too noisy) are amplified within large events such as the convention.  For example, the value proposition of spending millions of dollars on cyber security for a one-week event just doesn’t work.  Focusing on recruiting and deploying armies of analysts for such a short period of time just isn’t feasible.  Events such as both political conventions, the Olympics, the Super Bowl, and countless others force us to rethink our approach to cyber security on a broad perspective in order to drive change and test innovation within the sector.


There are plenty of sports metaphors about keeping your head in the game and focusing, but the key strategy in cyber security operations is to focus on the RIGHT thing.  During the week of the convention, and for the month following the event, I have had the chance to participate in numerous interviews with reporters and other folks in the media to speak about cyber security issues that are plaguing this election cycle.  One of the key questions consistently asked is “Did the convention get hacked?”.

My answer is very unexciting but starts to reveal a mindset that I think is critical for the larger cyber security community to adopt. My answer is “We didn’t see evidence of a hack, but that doesn’t mean it didn’t happen.”  In a world where people look for finite and concrete answers, that response is very unappealing.  Why did I respond that way? My fundamental philosophy in cyber security is that “Offense always wins and defense always loses…period…end of the story.”  This means that if a hacker wants to target a network and they have enough time, money, and focus, they will be successful. 

The mindset that all cyber security personnel must have is quite simple: “I know the bad guys are on the network, I just haven’t found them yet.”  We must accept that we are starting from a position of weakness and focus our energy on technology that will creatively identify the bad guys in a network. With this approach, we will be much more effective in detecting and stopping attacks than if we purely focus on keeping them out and building up a false sense of confidence.


As previously mentioned, the network at the convention was large and complex, however, security operations only really ramped up several days prior to the convention. There were, of course, protections around spearphishing attacks, technology for malware scanning, and extensive firewalls and sandboxing capabilities in place well before our team arrived on the ground.  We were also fortunate to have installed Dark Cubed about eight months prior to our arrival, so we had a very good baseline of the risk associated with the traffic on the network. 

During the week of the convention, with a relatively small but highly experienced team of security experts, we were able to use Dark Cubed to score and prioritize response and analytics against every new connection to the convention network, in real time… if you have ever worked cyber operations this is a mind-blowing concept.  In collaboration with other convention partners like ForeScout and Cisco, we were able to stop botnets and malware command and control communications, and maintain close to 100% visibility on network traffic (see the mindset discussion above for why I won’t say we saw everything). 

The most exciting part about operations was the dynamic of the collective team and how quickly the analysts within the SOC were able to settle into their roles and begin the hunt for bad actors.  If you have never had the experience of monitoring a network for 14 or 15 hours a day, seven days straight, let me tell you, the only thing that gets you through this experience is the team. The other thing that left me awestruck was the creativity of the folks in the room in terms of testing new approaches to discovering threats. 

For example, Dark Cubed and ForeScout engineers realized very quickly that the perspective ForeScout provides on endpoints and rogue devices, combined with Dark Cubed's real-time visibility into the threat of inbound and outbound network connections, would be very valuable. While managing security operations, our teams worked together and rapidly deployed an integration between our two products that made it possible to correlate external threat activity with specific machines on the network in real time. At the end of the day, if we are ever really going to be successful in cyber security we need to find ways to help people work together in ways that were not a consideration in the past. While a company or individual may be a unique target for the attackers, we can only fight back by working together.


At Dark Cubed, we have designed a cyber-security platform that is elegant and effective. We empower your company to quickly identify and block high-risk traffic on your network through Dark Cubed's community driven model. Our patented algorithm works behind the scenes to turn the tables on attackers and to stop them before your network is compromised. Do you want to experience how Dark Cubed will help you stop cyber threats in a way that will actually work for your business? Learn more by clicking the button below!

Great Press For Dark Cubed!!

We want to send a huge thank you to a number of media outlets for highlighting the hardworking team behind the scenes at the Republican National Convention (RNC) this past week. Rarely do we hear a success story woven into media coverage around cyber security. Instead, we read about data breaches, millions of dollars lost and encroaching Russian hackers. Advancements to the security measures at the RNC this year allowed the collective team to weave a story of success into the more common cyber security narrative.

I’ll share a blog post soon with thoughts on my experience at the convention; until then, read some of the great media spotlights for cyber security at the RNC: