Black Hat , Cloud Security , Cybercrime as-a-service
Krebs to Vendors at Black Hat: No More 'Band-Aid' ApproachKeynote Speaker Chris Krebs and Top Execs on Overcoming Industry Challenges
The opening day of Black Hat USA 2022 made it clear: This year's show has far more in common with the raucous, buzzing event of 2019 than the quiet, scaled-down 2021 show that took place in COVID-19's shadow.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
While attendance likely won't hit the 20,000 mark reached in 2019, people converged on Las Vegas from 120 countries this week, and the registration line Wednesday morning snaked around the first floor of the Mandalay Bay Convention Center. Seats in the main stage area were packed, while hundreds of attendees milled around in the hallways (see: Black Hat: Web3 Defense, Open-Source Intel & Directory Hacks).
After a very abnormal Black Hat USA 2021, it feels as if the 25th anniversary show has found its post-COVID normal. Or at least it's as normal as Black Hat is ever going to get. The business of cybersecurity, however, is anything but normal, cautioned keynote speaker Chris Krebs
The former CISA director kicked off Black Hat on a somber note, saying things are going to get worse before they get better. Today, he says, the barriers to entry for cybercriminals are nearly gone, and they are now accessing exploits that used to be the domain of nation-state threat actors.
"Bad actors are profiting, and it's not costing them anything," Krebs told the standing room-only crowd. "They're not feeling pain."
COVID-driven changes such as accelerated adoption of cloud have reduced visibility and added complexity, he says, adding that many corporate functions that reside on cloud infrastructure - including HR, payroll and business management - are insecure by design. The expanded attack surface makes it easier for threat actors to get what they want, according to Krebs.
"We're producing and generating products that are solving problems," Krebs says. "We have technology vendors that are working to solve core problems in the infrastructure. But it's not happening at the pace that we need it to."
Software developers still view security as a source of friction that could prevent them from being first to market with new products, or at least a close second. As a result, Krebs says, organizations end up integrating insecure products with their IT ecosystems, which makes risk management even more complicated.
"Software remains vulnerable because the benefits of insecure products far outweigh the downsides," Krebs says. "Once that changes, software security will improve - but not a moment before."
But there is a silver lining. Krebs predicts the industry will respond to these challenges in the next three to five years. Much of the onus falls on technology vendors, who need to get back to developing products that address core security problems, Krebs says. Vendors have made a lot of money coming up with solutions for edge use cases, Krebs says, but they must get back to addressing the most frequent and persistent security issues.
"We have to solve the hard problems that continue to persist," Krebs says. "And yes, it may impact the bottom line of your security services business. But it's more important rather than to put a Band-Aid on the edge."
Krebs also laid some blame at the feet of the U.S. government, where multiple agencies such as the FBI, Energy Department and Treasury Department are each responsible for interfacing with private sector following a cyberattack. It's hard for the private sector to figure out how to work with the federal government, especially given that the value of cooperating isn't very clear.
"We need to make it easier and less complex for organizations to work with the government and get value out of it," Krebs says. "So instead of going to five or six different agencies, make the front door clearly visible. And as I see it, that's CISA."
But in practice, Congress is likely to slow down its funding of CISA and lose interest in providing the agency with the additional authority needed for more effective market interventions, he says. Serious thought should be given to pulling CISA out of the Department of Homeland Security and making it a sub-cabinet agency that's allowed to operate on its own, he says.
"We have to take a hard look at the way we're organized and make a smarter, more efficient, more organized government," Krebs says. "And I'm ready to lead that charge."
Throughout the day, security company executives shared new innovations introduced at Black Hat such as DNS visibility tools, cloud workload security, patch management and defenses against supply chain and APT attacks.
The Rise of Cloud Security
Interest in cloud security is high. In fact, cloud security has become the fastest-growing part of SentinelOne's business, and it even appeals to customers who might have chosen a different vendor for endpoint security, says co-founder and CEO Tomer Weingarten. SentinelOne focuses on cloud workload protection and bests its rivals when it comes to performance and deployment since it doesn't tap into the kernel or require an intrusive integration, Weingarten says.
SentinelOne can give visibility into and protect cloud, Linux and Kubernetes environments without requiring a cumbersome deployment. The firm is pursuing expansion opportunities for critical capabilities such as cloud security posture management and cloud infrastructure entitlement management. Weingarten says workload protection and workload mapping should become a single offering.
"Given the technological superiority we have on our platform today, some of the biggest cloud consumers out there have been adopting our workload protection platform," Weingarten tells Information Security Media Group.
Fusing Vulnerability and Patch Management
Organizations continue to struggle with prioritizing which vulnerabilities present the greatest risk to a business and need to be remediated first. Vulnerability scoring today is based on a static set of what could happen if a flaw is exploited. In addition, security teams need to know to what extent the vulnerability is actually being exploited in the wild and what mitigating controls are available, says Qualys President and CEO Sumedh Thakar.
Businesses need to eliminate the vulnerabilities that are introducing the greatest amount of risk first and automatically remediate detected vulnerabilities whenever possible, he says, adding that Qualys has pioneered the integration of vulnerability management and patch management to reduce the time between detection and patching. Qualys has already deployed 130 million patches.
"We continue to work toward getting vulnerability management in a place where all the elements that you need are integrated into more of a seamless platform, so we can go from detecting to actually fixing things rather than just reporting on it," Thakar tells ISMG.
Spotting Threats Sooner With DNS Visibility
Infoblox has invested in shifting left in the cybersecurity kill chain with on-premises, cloud and hybrid versions of its BloxOne Threat Defense tools, which help security practitioners find and identify threats earlier and mitigate risks, says President and CEO Jesper Andersen. A DNS-centric strategy is effective since the first sign of malware being on a network is often a call to the command-and-control center.
The company integrates with customers' existing vulnerability scanners, endpoint protection and intrusion detection tools to notify security operations when an IP address queries the command-and-control center, Andersen says. Infoblox knows the whole chain of DNS queries and the IP address that it came from its networking tools.
"Over the last few years, especially as we have invested more in cybersecurity solutions, we increasingly are also selling into the security function within an organization all the way up to the CISO level," Andersen tells ISMG. "Increasingly, the people we are spending the most time talking to are the leaders of the security operations center."
Identity, Cloud and Observability
Identity, observability, log management and cloud security have been CrowdStrike's biggest areas of investment during 2022, says CTO Michael Sentonas. The company's approach to identity builds off its 2020 acquisition of Preempt Security and protects against the abuse of identities through a stand-alone capability embedded on the Falcon sensor, which has become a rapidly growing module, Sentonas says.
CrowdStrike's observability strategy, meanwhile, builds off the company's 2021 acquisition of Humio and provides log management and log storage along with powering the company's XDR platform. As for cloud, the company began with an agent-based strategy focused on protecting the host, container and workloads and then pushed into agentless protection around CSPM, Sentonas says.
"We started in cloud security 10 years ago before cloud was fashionable," Sentonas tells ISMG. "Everything that CrowdStrike does leverages the cloud."
Asset Vulnerability Management Takes Center Stage
Armis has gone all-in on asset vulnerability management to help clients manage the vulnerabilities and prioritize what's most critical, says co-founder and CTO Nadir Izrael. The tool brings together the tools companies already have for generating vulnerabilities, handles the de-duplication and ties everything to assets and owners - work that typically would be done on Excel spreadsheets.
Automated vulnerability management has quickly become the fastest-growing area within Armis and has become an entry point for many financial services firms that struggle with identifying what's susceptible to the latest vulnerability, Izrael says. Armis continues to evolve the tool with more focus on vulnerabilities that are actually being exploited in the wild, he says.
"The more we progress, the more we'll get into managing the patching process and remediation process ourselves," Izrael tells ISMG.
1Password Rebuilds Client Apps to Accelerate Feature Rollout
1Password has used the $620 million it raised in January to rebuild its client applications from scratch. With a common foundation, new features can be built once and applied simultaneously to Mac, Windows, Android, iOS and Linux environments, says Adam Caudill, director of security at 1Password. Client applications are now built in Rust to get better memory management and avoid possible vulnerabilities.
The company has rolled out a number of new features that improve search, biometrics and performance across the board, including one that makes sharing as easy as copying and pasting a password in Slack, Caudill says. The new client applications have been subjected to third-party pen testing every three months and will allow 1Password to evolve its product much faster than before.
"Making the safe thing the easy thing is a very difficult thing to do," Caudill tells ISMG. "It is a substantial technical challenge. And that's something that we've been investing in for years."
Trend Micro Pursues Deeper US Government, Commercial Ties
Trend Micro wants to expand its relationships in the U.S. government from the operations level to the CIO and CISO level across civilian, military and intelligence agencies, says Chief Technology Strategy Officer David Chow. The company isn't well known in the federal space due to a lack of collaboration with large systems integrators such as Accenture, Deloitte and GDIT, which Chow is looking to change.
On the commercial side, he would like to see Trend Micro do more in regulated sectors such as critical infrastructure, financial services and transportation. Chow will establish a commercial sector advisory board that features representation from the healthcare, manufacturing and financial industries. Gaining more traction in the U.S. commercial and public sector will have a downstream affect globally, he says.
"Trend Micro has historically been known as an antivirus company, but we've evolved in recent years through acquisitions and innovation to bring XDR capabilities to the table," Chow says. "We're presenting information in a dashboard format and in a way that's easily consumable by decision-makers to reduce the overall cyber risk to agencies."
Analytics, Intel and SOAR Anchor Splunk's Strategy
Splunk has identified three areas of its security portfolio that are vital to future growth: security analytics, integrated intelligence and SOAR, says Patrick Coughlin, global vice president of security market strategy. From an analytics standpoint, Splunk wants to help customers accelerate their speed to detection through risk-based alerting without throwing additional human capital at the problem, Coughlin says.
The company also integrated its threat intelligence management offering and cloud-based behavioral analytics product with other security tools to accelerate speed of detection for customers, Coughlin says. And Splunk moved Phantom's on-premises SOAR product to the cloud to simplify integrations, gain visibility into cloud-to-cloud transactions and meet orchestration needs.
"Splunk at its core is a security company that is focused on security as a data challenge," Coughlin tells ISMG. "And we are focused on expanding into resiliency challenges across the enterprise."
APT Groups Stepping Back From Developing Zero-Day Exploits
Extreme levels of technical wizardry appear to be slowing among APT groups. A number of long-standing APT groups haven't been deploying zero-days or stepping up from a technical sophistication perspective, says Kaspersky Principal Security Researcher Kurt Baumgartner. Zero-day vulnerabilities aren't being used in the typical "flying under the radar" scenarios in which targets and deployment mechanisms are meticulously selected.
APT groups may have turned their attention to abusing the supply chain to compromise targets of interest or are targeting poorly monitored network routers and IoT platforms to evade detection, Baumgartner says. At the same time, ransomware groups are making much larger improvements by coordinating with others, increasing their professionalism and developing relationships to nurture new talent.
"In some parts of the world, the borders between APT and ransomware have blurred," Baumgartner says. "Certain groups will embody characteristics of APT one week and they'll embody characteristics of ransomware the next."
Preparing for Future Supply Chain Attacks
Contracts with third-party vendors now provide tools for more aggressive audits and mandate security reviews in a way that that can't be bypassed, says Cybereason Chief Security Officer Sam Curry. Pen tests can simulate how companies respond to threats that attempt to enter an organization's ecosystem through unconventional sources such as CRM systems, development tools, finance tools or build systems.
Curry says the success of a software bill of materials hinges on the activities, processes and tools that spring up around it, so there's more telemetry around builds, indications if malicious code is injected, and a list of who to call or alert downstream in the event of a compromise. While the SBOM standards being generated are key, Curry said the innovations springing up around them are more important.
"Most supply chain vulnerabilities are in exploited networks," Curry says. "They're not visible yet. But whether the other shoe falls or it becomes more predictable remains to be seen. The awareness is there, and the activity is there. But we still don't have a way to measure the results."