Lessons Learned From Protecting the 2016 Republican Convention

Last month I spent a week in Cleveland, Ohio – the home of the Rock and Roll Hall of Fame, Great Lakes Brewing Company, and LeBron James.  I wasn’t there to enjoy the sights; rather, Dark Cubed had been given the opportunity to demonstrate our technology at the Republican National Convention as a member of the Cyber Security Operations Center.  Here are some of my thoughts from supporting this historic event, which I hope are useful regardless of your political leanings.

EVENT-BASED CYBER SECURITY IS HARD

The network supporting the convention was large and complex. Nearly a year of effort was required to build the infrastructure for the convention and provide network access to an extensive professional volunteer force, campaign staffers, official visitors, and all attendees. Success required the installation of over 300 wireless access points to support nearly 10,000 users, spanning locations across downtown Cleveland such as Progressive Field (where the Indians play), Quicken Loans Arena (where the Cavaliers play), and the Cleveland Convention Center.  If you really think about it, this is like building a corporate enterprise network that will only be operational for a week, yet will likely be targeted aggressively by a wide variety of actors.

This experience made me realize that the factors I see as contributing to our lack of security in the broader market (products are too expensive, too complex, and too noisy) are amplified within large events such as the convention.  For example, the value proposition of spending millions of dollars on cyber security for a one-week event just doesn’t work.  Recruiting and deploying armies of analysts for such a short period of time just isn’t feasible either.  Events such as the two political conventions, the Olympics, the Super Bowl, and countless others force us to rethink our approach to cyber security from a broad perspective, and they are an opportunity to drive change and test innovation within the sector.

MINDSET MATTERS IN CYBER SECURITY OPERATIONS

There are plenty of sports metaphors about keeping your head in the game and focusing, but the key strategy in cyber security operations is to focus on the RIGHT thing.  During the week of the convention, and for the month following the event, I have had the chance to participate in numerous interviews with reporters and other folks in the media about the cyber security issues plaguing this election cycle.  One of the key questions consistently asked is, “Did the convention get hacked?”

My answer is very unexciting, but it starts to reveal a mindset that I think is critical for the larger cyber security community to adopt. My answer is, “We didn’t see evidence of a hack, but that doesn’t mean it didn’t happen.”  In a world where people look for finite and concrete answers, that response is very unappealing.  Why did I respond that way? My fundamental philosophy in cyber security is that “Offense always wins and defense always loses…period…end of story.”  This means that if a hacker wants to target a network and has enough time, money, and focus, they will be successful.

The mindset that all cyber security personnel must have is quite simple: “I know the bad guys are on the network, I just haven’t found them yet.”  We must accept that we are starting from a position of weakness and focus our energy on technology that will creatively identify the bad guys already inside the network. With this approach, we will be much more effective at detecting and stopping attacks than if we focus purely on keeping them out and build up a false sense of confidence.

CYBER SECURITY IS A TEAM SPORT

As previously mentioned, the network at the convention was large and complex; however, security operations only really ramped up several days prior to the convention. There were, of course, protections against spearphishing attacks, technology for malware scanning, and extensive firewall and sandboxing capabilities in place well before our team arrived on the ground.  We were also fortunate to have installed Dark Cubed about eight months prior to our arrival, so we had a very good baseline of the risk associated with the traffic on the network.

During the week of the convention, with a relatively small but highly experienced team of security experts, we were able to use Dark Cubed to score and prioritize response and analytics for every new connection to the convention network, in real time. If you have ever worked cyber operations, this is a mind-blowing concept.  In collaboration with other convention partners like ForeScout and Cisco, we were able to stop botnets and malware command and control communications, and to maintain close to 100% visibility of network traffic (see the mindset discussion above for why I won’t say we saw everything).

The most exciting part of operations was the dynamic of the collective team and how quickly the analysts within the SOC were able to settle into their roles and begin the hunt for bad actors.  If you have never had the experience of monitoring a network for 14 or 15 hours a day, seven days straight, let me tell you, the only thing that gets you through it is the team. The other thing that left me awestruck was the creativity of the folks in the room in testing new approaches to discovering threats.

For example, Dark Cubed and ForeScout engineers realized very quickly that the perspective ForeScout provides on endpoints and rogue devices, combined with Dark Cubed’s real-time visibility into the threat posed by inbound and outbound network connections, would create a combined perspective of real value. While managing security operations, our teams worked together and rapidly deployed an integration between our two products that made it possible to correlate external threat activity with specific machines on the network in real time. At the end of the day, if we are ever really going to be successful in cyber security, we need to find ways to help people work together in ways that were not a consideration in the past. While a company or individual may be a unique target for the attackers, we can only fight back by working together.
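The correlation described above, as an added illustration that is not Dark Cubed’s or ForeScout’s code (their products and APIs are not shown on this page): a time-aware join of per-connection threat scores against a DHCP-style endpoint inventory, ranked per device, with a separate bucket for high-risk connections from an IP that no managed device held at the time. The record formats, the inventory, the scores and the threshold are all constructed assumptions.

```python
"""Correlate per-connection threat scores with an endpoint inventory.

Added illustration, not Dark Cubed's or ForeScout's code. The record
formats, the inventory, the scores and the threshold below are
constructed stand-ins for what a network-side scoring engine and an
endpoint-visibility tool would each contribute.
"""
from datetime import datetime

# Constructed endpoint inventory: which device held which IP, and when.
# Leases on a 10,000-user convention Wi-Fi network churn, so the mapping
# is time-bounded rather than a static IP -> host table.
INVENTORY = [
    # (ip, mac, hostname, lease_start, lease_end)
    ("10.20.4.17", "aa:bb:cc:00:01:02", "press-laptop-07",  "2016-07-18T08:00:00", "2016-07-18T12:00:00"),
    ("10.20.4.17", "aa:bb:cc:00:09:9f", "unknown-android",  "2016-07-18T12:05:00", "2016-07-18T20:00:00"),
    ("10.20.7.3",  "aa:bb:cc:00:22:33", "staff-desktop-14", "2016-07-18T06:00:00", "2016-07-19T06:00:00"),
]

# Constructed per-connection threat scores: 0 (benign) .. 100 (known C2).
CONNECTIONS = [
    # (timestamp, src_ip, dst_ip, dst_port, score)
    ("2016-07-18T09:15:00", "10.20.4.17", "203.0.113.9",   443,  12),
    ("2016-07-18T13:40:00", "10.20.4.17", "198.51.100.77", 6667, 95),
    ("2016-07-18T13:41:00", "10.20.4.17", "198.51.100.77", 6667, 95),
    ("2016-07-18T10:02:00", "10.20.7.3",  "192.0.2.200",   80,   70),
    ("2016-07-18T23:30:00", "10.20.9.9",  "198.51.100.77", 6667, 95),  # no lease on record
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def resolve_endpoint(src_ip, ts, inventory=INVENTORY):
    """Return the (mac, hostname) that held src_ip at time ts, or None.

    The join is time-aware: the same IP belongs to different devices over
    the week, so an alert is attributed to the lease active when the
    connection happened, not to the IP's latest owner.
    """
    when = _t(ts)
    for ip, mac, host, start, end in inventory:
        if ip == src_ip and _t(start) <= when < _t(end):
            return mac, host
    return None


def correlate(connections=CONNECTIONS, inventory=INVENTORY, threshold=60):
    """Group high-risk connections by the device that made them.

    Returns (ranked, unmapped):
      ranked   - per-device summaries keyed by MAC, worst first
      unmapped - high-risk connections whose source IP had no lease on
                 record at that time (an unmanaged or rogue device)
    """
    per_device = {}
    unmapped = []
    for ts, src, dst, port, score in connections:
        if score < threshold:
            continue
        hit = resolve_endpoint(src, ts, inventory)
        if hit is None:
            unmapped.append({"time": ts, "src_ip": src, "dst": f"{dst}:{port}", "score": score})
            continue
        mac, host = hit
        entry = per_device.setdefault(
            mac, {"mac": mac, "host": host, "max_score": 0, "hits": 0, "destinations": set()}
        )
        entry["max_score"] = max(entry["max_score"], score)
        entry["hits"] += 1
        entry["destinations"].add(f"{dst}:{port}")
    ranked = sorted(per_device.values(), key=lambda e: (e["max_score"], e["hits"]), reverse=True)
    return ranked, unmapped


if __name__ == "__main__":
    ranked, unmapped = correlate()
    for e in ranked:
        print(f"{e['host']:18} {e['mac']}  max={e['max_score']:3}  hits={e['hits']}  -> {sorted(e['destinations'])}")
    for u in unmapped:
        print("UNMAPPED", u)
```

The point of the time bound is visible in the sample data: the 13:40 connection from 10.20.4.17 lands on the device that held the lease at that moment, not on the press laptop that used the same address that morning, and the late-night hit from an address with no lease at all is surfaced on its own rather than silently dropped.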

LEARN MORE.

At Dark Cubed, we have designed a cyber security platform that is elegant and effective. We empower your company to quickly identify and block high-risk traffic on your network through Dark Cubed’s community-driven model. Our patented algorithm works behind the scenes to turn the tables on attackers and stop them before your network is compromised. Do you want to experience how Dark Cubed will help you stop cyber threats in a way that will actually work for your business? Learn more by clicking the button below!