Black Hat: Web3 Defense, Open-Source Intel & Directory Hacks
An ISMG Overview of the Technology Buzz Leading Up to Black Hat Conference 2022
Thousands of threat researchers, CISOs and vendor executives poured into Las Vegas for the 25th anniversary of "Hacker Summer Camp," which officially kicked off today at the Mandalay Bay Convention Center. The more vendor-focused Black Hat USA 2022 comes first, and the hacker-centric DEF CON convention carries Hacker Summer Camp into the weekend.
Many attendees were already on the ground Tuesday to attend training sessions or network with peers. Information Security Media Group caught up with 11 security executives in Las Vegas to discuss everything from open-source intelligence and Web3 security to training new security analysts and responding to directory attacks.
Here's a look at some of the most interesting things we heard from industry leaders.
Kudelski Flexes Cryptography Muscle in Web3, Blockchain Space
Kudelski Security has made a big investment into the blockchain and Web3 security spaces, leveraging a team of 25 to help translate the company's expertise around cryptography and application security into the nascent market, according to CEO Andrew Howard. Many customers in this space need security audits for compliance purposes, which Howard says resembles code reviews Kudelski has done in the app space.
Larger players are increasingly trying to integrate core security capabilities into their ecosystem from the start, and Kudelski is well positioned to assist tactically and strategically thanks to its longstanding history in cryptography, he says, adding that the company's extensive history helping web application developers develop secure capabilities has also translated well into the Web3 space.
"We are starting to see some of our Web3 business and our cybersecurity business converge a little bit, which is quite nice and opens up some opportunities for some cross-sell of technology and capability," Howard says.
Mimecast Fuels Email Security, Collaboration With X1 Platform
Mimecast has debuted its next-generation X1 platform, built on Amazon Web Services, to make it simpler to deliver intelligence to customers. X1 features a new data analytics platform that can ingest massive amounts of telemetry and sensor data at scale and use it to separate benign anomalies from those that need to be blocked, says David Raissipour, chief technology and product officer at Mimecast.
The platform also will build a risk profile for each individual user based on the individual's behavior and role within the organization, he says. Having a risk score for each user should give companies a better sense of who can access what and make it easier for customers to detect inbound threats using Mimecast, according to Raissipour.
"It's a very significant investment for us to do this because it's a foundation for products that we will be building for years," he tells ISMG. "It's an investment really in the future of Mimecast."
Existing customers of the Mimecast secure email gateway will benefit from a new, granular way of measuring incoming risks and threats, as well as a single, common back-end infrastructure for collecting telemetry and sensor data, Raissipour says. X1 also aims to simplify integration through easier-to-build APIs, with robust functionality and user experience layered on top of the platform.
"The cornerstone of our protection capabilities are around communication and collaboration," he says. "It goes beyond just email security."
Flashpoint Embraces Open-Source Intel with Echosec Purchase
Flashpoint last week acquired Echosec to give organizations more visibility into geographically specific social media communications taking place in both public and obscure channels, says President Donald Saelinger. Echosec's platform is intuitive for security analysts, regardless of experience level, and it captures words, images and videos on social media related to security risks or threats within seconds, he says.
The deal will allow Flashpoint to capitalize on tremendous advances in open-source intelligence over the past year that can fundamentally change how physical security teams do their work, Saelinger says. The push for open-source intelligence is taking place in military and civilian U.S. government agencies as well as commercial organizations that see use cases for protecting key executives and the brand at large.
"It's been an exciting narrative that we felt like we needed to invest in," Saelinger tells ISMG.
VMware to Bring Network Threat Visibility to Endpoint Sensors
VMware plans to build in network detection and response capabilities from its NSX network security platform into the next version of its Carbon Black endpoint sensors to provide a more unified view of intelligence, says Rick McElroy, principal cybersecurity strategist. This approach will provide higher-fidelity data at a lower cost than peers whose network and endpoint security tools operate separately (see: How Broadcom Acquiring VMware Would Shake Up Cybersecurity).
Delivering network visibility through an endpoint sensor that everyone already uses and then feeding that information into the vSphere hypervisor will ensure that security is embedded into workloads as they're being developed, McElroy says. The new approach will result in shorter time to detect and respond to threats, a smaller number of false positives and less effort needed to pull data together.
"Being able to take a sensor from the network that looks at and inspects network traffic and distributing that out to every endpoint in the environment is a fundamental game changer," McElroy tells ISMG. "I don't think anybody else in the industry has a unified sensor that provides both endpoint detection and network detection."
Cybrary Wants New Security Analysts to Get Their Hands Dirty
Cybrary has been investing in giving SOC analysts hands-on practice and instruction around very realistic scenarios so learners can prove out their skills, CEO Kevin Hanes says. The most pressing security need for most organizations is frontline analysts, and Hanes hopes Cybrary's new initiative will strengthen the talent pipeline, given that most analysts last just 18 months before moving on.
The platform is meant to simulate working the first shift in a SOC for a security analyst, with alerts coming through the SIEM and learners deciding whether the alert should be escalated, dismissed or solved using their own skills, Hanes says. The exercise is intended to demonstrate not only hands-on keyboard skills but also how to handle a SOC or incident workflow in real time, he says.
The platform will provide a baseline for analysts’ skills with demonstrable exercises and practices and routines that seem very real, he says.
"This will really shape where people need to spend more time," Hanes says.
Acronis Pushes Beyond Data Protection, EDR Tool Coming Soon
Acronis plans to enter the crowded endpoint detection and response market late this year or in early 2023 with an organically built offering that's simpler for midmarket service providers to use, according to vice president of cyber protection research Candid Wüest. Many of Acronis' customers have focused on the firewall or appliance side with Sophos or Fortinet and still don't have an EDR tool in place.
Many smaller Acronis customers find well-known EDR brands such as CrowdStrike or SentinelOne too confusing or technical for them, since they lack a security operations center of their own, says Wüest. Acronis has tapped into its data protection heritage so that customers suffering a cyberattack automatically have any affected files restored from backup, without requiring the organization to take any manual action.
"Customers don't have the time to do root-cause analysis and go really deep," Wüest says. "They want to know: Did it come in by email, or was it a vulnerability that they should patch? But after that, it's about how to get back to normal operation as quick as possible."
The new EDR platform is part of an effort by Acronis to broaden its technology stack, which includes data loss prevention technology acquired from DeviceLock as well as email security technology through a partnership with Perception Point. As threats get more complex and sophisticated, clients are increasingly looking for technology that provides a holistic view across their entire IT environment, Wüest says.
"You can have single-point solutions, but if you need to combine them individually, it usually makes things a lot more complex and harder," he says. "So that's why we said, 'Hey, why don't we generate a complete solution with one agent and one platform?'"
ReliaQuest Gets Threat Intel Boost With Digital Shadows Buy
ReliaQuest has capitalized on its June acquisition of Digital Shadows to effectively detect, investigate and respond to alerts on an automated basis without bombarding security analysts, says Chief Product Officer Brian Foster. The deal builds on ReliaQuest's nascent digital risk protection efforts and led to Digital Shadows' threat intel feeds being fed into ReliaQuest's detection and investigation workloads (see: ReliaQuest Buys Threat Intel Firm Digital Shadows for $160M).
In the coming months, the Digital Shadows reference intelligence platform, which enables customers to look up threat actors, malicious code, indicators of compromise and malware campaigns, will be shifted inside ReliaQuest's GreyMatter platform for a unified look and feel, Foster says. The Digital Shadows and ReliaQuest back-end infrastructures also will be merged to save money and improve performance.
"The visibility we've always had from an inside-out perspective fits nicely with their visibility from an outside-in perspective," Foster says.
Semperis Centers on Preparing, Responding to Directory Attacks
Semperis has entered the new Identity Threat Detection and Response technology category on the ground floor, says CEO Mickey Bresman. The category focuses both on protecting directory services and on ensuring there's a recovery plan in place if everything gets encrypted and has to be rebuilt from scratch. The company closed a $200 million Series C funding round over the spring (see: Semperis Raises $200M to Extend AI, ML to Identity Security).
Bresman says Semperis has been laser-focused on reducing recovery time from days or weeks to minutes or hours, developing playbooks for specific directory compromise scenarios. On the preparation side, Semperis has developed tabletop exercises to ensure customers know where their offsite backups are located and what policy governs the approvals needed to use them.
"How do we make it not an extinction type of an event, but basically, 'We've been down, but we were able to bounce back in a couple of hours?'" Bresman tells ISMG. "The resiliency can help us to continue to survive."
Cloudflare CISO Turns Attention to Detecting, Logging at Scale
Cloudflare has turned its attention to detecting abnormalities at scale after spending much of the past two years standing up a robust zero trust offering for customers, says Deputy Chief Information Security Officer Susan Chiang. As companies increasingly power their tech stack with cloud and SaaS products, detection will require deriving context across multiple logs.
Organizations must invest in resilience and strengthen their ability to detect threats in real time, or as close to it as possible, Chiang says. As cloud and SaaS adoption reduces direct line of sight, organizations need to consolidate around vendors with a wide lens of visibility and sufficient data and insights flowing through their platforms.
"When we look at any problem we see, we think about, 'How do we solve it in a way that is also beneficial to our customers?'" Chiang tells ISMG. "There's a variety of both products and features that our customers use today that were born out of our security team."
Obsidian Wants More Visibility Around SaaS App Communication
Obsidian Security has in recent months invested in giving enterprises more visibility into how their SaaS applications talk to other SaaS applications, so that a supply chain compromise can be recognized more easily, CEO Hasan Imam says. This has required Obsidian to gain a better understanding of how SaaS applications are connected, as well as the threat vectors at those integration points, he says (see: Obsidian Security Raises $90M to Safeguard More SaaS Apps).
This requires organizations to understand both what is normal in terms of data movement between SaaS applications and the source of that access so typical behavior can be modeled out, Imam says. From there, it becomes much easier to detect what a potential attack might look like in a scenario where a valid token is being used but the behavior or activity around that token is very unusual.
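The detection idea Imam describes, a valid integration token being used in an unusual way, can be illustrated with a baseline-and-deviation check. The following is an added example, not Obsidian's code or a description of its product. The audit events are constructed, in a generic shape (token, calling app, target SaaS, action, bytes moved, source IP) rather than any vendor's real log format; the token names and addresses are invented. It learns, per token, which target/action pairs, source /24 networks and data volumes are normal, then flags events where the same token steps outside that profile.

```python
"""Baseline-and-deviation detection for SaaS-to-SaaS integration tokens.

Added example with constructed data. Event records are a generic, invented
shape, not a real vendor log format.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed baseline window: a "crm-sync" app holds a valid token that normally
# reads contacts from the CRM from one cloud egress range; an HR export app
# reads employee records from an HRIS from another range.
BASELINE_EVENTS = [
    {"ts": "2022-08-01T09:00:00Z", "token": "tok-crm-sync", "actor": "crm-sync",
     "target": "crm", "action": "contacts.read", "bytes": 120_000, "src_ip": "203.0.113.10"},
    {"ts": "2022-08-01T10:00:00Z", "token": "tok-crm-sync", "actor": "crm-sync",
     "target": "crm", "action": "contacts.read", "bytes": 110_000, "src_ip": "203.0.113.11"},
    {"ts": "2022-08-01T11:00:00Z", "token": "tok-crm-sync", "actor": "crm-sync",
     "target": "crm", "action": "contacts.read", "bytes": 130_000, "src_ip": "203.0.113.10"},
    {"ts": "2022-08-01T12:00:00Z", "token": "tok-crm-sync", "actor": "crm-sync",
     "target": "crm", "action": "contacts.read", "bytes": 125_000, "src_ip": "203.0.113.12"},
    {"ts": "2022-08-01T13:00:00Z", "token": "tok-crm-sync", "actor": "crm-sync",
     "target": "crm", "action": "contacts.read", "bytes": 115_000, "src_ip": "203.0.113.10"},
    {"ts": "2022-08-01T09:30:00Z", "token": "tok-hr-export", "actor": "hr-export",
     "target": "hris", "action": "employees.read", "bytes": 50_000, "src_ip": "192.0.2.20"},
    {"ts": "2022-08-01T10:30:00Z", "token": "tok-hr-export", "actor": "hr-export",
     "target": "hris", "action": "employees.read", "bytes": 51_000, "src_ip": "192.0.2.21"},
]

# Constructed events to score: one normal CRM read, one bulk export of the whole
# contact set by the same (still valid) token from a network never seen before,
# one normal HR read, and one token with no baseline at all.
CANDIDATE_EVENTS = [
    {"ts": "2022-08-02T09:00:00Z", "token": "tok-crm-sync", "actor": "crm-sync",
     "target": "crm", "action": "contacts.read", "bytes": 125_000, "src_ip": "203.0.113.22"},
    {"ts": "2022-08-02T03:12:00Z", "token": "tok-crm-sync", "actor": "crm-sync",
     "target": "crm", "action": "contacts.export", "bytes": 48_000_000, "src_ip": "198.51.100.7"},
    {"ts": "2022-08-02T09:30:00Z", "token": "tok-hr-export", "actor": "hr-export",
     "target": "hris", "action": "employees.read", "bytes": 50_500, "src_ip": "192.0.2.40"},
    {"ts": "2022-08-02T09:45:00Z", "token": "tok-unknown", "actor": "pdf-helper",
     "target": "crm", "action": "contacts.read", "bytes": 1_000, "src_ip": "203.0.113.10"},
]


@dataclass
class TokenBaseline:
    actions: set = field(default_factory=set)    # (target, action) pairs seen
    networks: set = field(default_factory=set)   # /24 networks the token was used from
    volumes: list = field(default_factory=list)  # bytes moved per event


def network_of(ip: str) -> str:
    # Collapse to a /24 so a host change inside a known egress range is not an alert.
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    baseline = defaultdict(TokenBaseline)
    for e in events:
        b = baseline[e["token"]]
        b.actions.add((e["target"], e["action"]))
        b.networks.add(network_of(e["src_ip"]))
        b.volumes.append(e["bytes"])
    return dict(baseline)


def volume_threshold(volumes, k=3.0):
    # mean + k standard deviations; a single sample has no spread, so fall back to 2x.
    if len(volumes) < 2:
        return 2 * max(volumes)
    return mean(volumes) + k * pstdev(volumes)


def score_event(e, baseline):
    """Return the list of reasons this event deviates from its token's baseline."""
    b = baseline.get(e["token"])
    if b is None:
        return ["token never seen in baseline window"]
    reasons = []
    if (e["target"], e["action"]) not in b.actions:
        reasons.append(f"new action {e['target']}:{e['action']} for token")
    net = network_of(e["src_ip"])
    if net not in b.networks:
        reasons.append(f"new source network {net}")
    thr = volume_threshold(b.volumes)
    if e["bytes"] > thr:
        reasons.append(f"volume {e['bytes']} exceeds baseline threshold {thr:.0f}")
    return reasons


def detect(candidates, baseline):
    """Score every candidate; events with at least one reason become alerts."""
    alerts = []
    for e in candidates:
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append({"ts": e["ts"], "token": e["token"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(CANDIDATE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert["ts"], alert["token"], "; ".join(alert["reasons"]))
```

The point of profiling per token rather than per user is that an OAuth grant keeps working after the person who approved it has moved on, so the token itself is the identity to watch. In practice the baseline window would be days or weeks of events and the /24 grouping would be replaced by the integration vendor's published egress ranges, but the shape of the check stays the same: a valid credential doing something its history says it never does.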
"We believe it's very important to build out depth of coverage around the core SaaS applications because that represents 90% of the risk and threat to enterprises," Imam tells ISMG.
KnowBe4 Fuels Move From Security Awareness to Security Culture
Organizations should move beyond a basic security awareness mindset in which organizations dictate from on high how users should be behaving and how they comply, according to KnowBe4 Chief Strategy Officer Perry Carpenter. Businesses must understand the reality of how employees work and ensure they're not putting security policies in place that inhibit the effectiveness of users, he says.
Carpenter urges companies to embrace surveys to get a better sense of employee mindsets and understand why they engage in particular behaviors. From there, Carpenter says, companies should identify the security metrics that matter most to executive teams and boards based on what's causing the most breaches and then find ways to discretely measure those variables and assess risk.
"Telling people to do things doesn't work," Carpenter tells ISMG. "It never has, and it never will. It may influence them a little bit, but in the moment, human nature and behavior and habits and the fire of the day take over. So you have to break out of that mindset of thinking that awareness actually fixes something."
Many organizations have been stuck for the greater part of a decade doing basic security awareness training with a little bit of phishing simulation and behavior modification mixed in, Carpenter says. But to sustainably reduce risk across the entire organization, the messaging must become more context-driven so that users are getting the right message at the right time in the right way, Carpenter says.
"We really need to understand how to work with human nature rather than against it," he says.