Cybersecurity & Networking

About this time every year, the cybersecurity industry heads to “summer camp” in Las Vegas, heading to BSides, Black Hat, and/or DefCon. I attended Black Hat last week along with many members of the ESG cybersecurity team. Here are a few of my takeaways:

1. The “vibe” has changed. There used to be a clear difference between Black Hat and its larger cousin, the RSA Conference. RSA has become an industry show where you talk about business relationships, M&A activities, and VC investments. Alternatively, Black Hat was always a practitioners’ show where the buzz centered on exploits, IoCs, and defensive tactics. Alas, billions of security dollars are taking its toll on poor Black Hat – there was a definite “hurray for the industry” vibe, fraught with banal cocktail parties, Merlot-drinking VCs, and ambulance-chasing vendors. The industry needs a cold shower to remember that its job is protecting critical digital assets, not celebrating 10-baggers. (more…)

Judging by this week’s Capital One breach and Equifax settlement, cybersecurity remains a topical if not ugly subject. The timing couldn’t be better for these unfortunate events. Why? Because the cybersecurity community will get together next week in Las Vegas for Black Hat and Defcon to discuss how to better deal with security vulnerabilities and improve threat prevention, detection, and response. 

I’ll be there along with an assortment of my ESG colleagues. Here are some of the things we’ll be looking for: 

• Network security platforms. While security appliances are far from dead, network security goes well beyond perimeter-based packet inspection of ingress/egress traffic. Alternatively, network security is evolving into a pervasive service inspecting and filtering traffic across physical data centers, virtual servers, and cloud-based workloads of all types. Think central management and distributed enforcement. Vendors like Check Point, Cisco, Forcepoint, Fortinet, Juniper, and Palo Alto Networks get this and are innovating in this direction. That said, how far along are they? Furthermore, are customers buying in or do they continue to look for “best-of-breed” network security technologies of various form factors? We’ll be asking these questions in Vegas conference rooms all week.
• Endpoint security consolidation? Like network security, endpoint security tools are going through a similar amalgamation trend. Endpoint protection platform (EPP) vendors are integrating their endpoint capabilities into more capable platforms and expanding functionality into areas like device coverage, asset management, and EDR. As many EPP vendors innovate to differentiate themselves, the profile of EPP is changing rapidly. Leading vendors have level-set on providing integrated, cloud-delivered multi-layer prevention, detection, and response capabilities combined with managed detection and response (MDR) services, but new services and capabilities are rapidly emerging. We’ll be watching for new announcements about deeper integrations with other security tools, new capabilities for protecting cloud workloads, mobile, and IoT, and extended risk management capabilities.
• Managed detection and response – it’s all about the people. I know I sound like a broken record, but the cybersecurity skills shortage continues to impact every decision CISOs make. Case in point, detecting and responding to threats like Ransomware, phishing, and exploits. Now a lot of the discourse around threat detection will center on threat intelligence synthesis, artificial intelligence, and machine learning (AI/ML) baked into products and services but all the TI in the world and the best ML doesn’t reduce the funnel or accelerate threat detection alone. What does? Experience, processes, and automation. In other words, the human stuff. Yup, humans can reason, see anomalous behaviors that are not apparent to the machines, and then program technology brains for future detection and response actions. Service providers can also work with the cybersecurity staff to map the adversary goals in a way that structures our thinking and response – as in, to the MITRE ATT&CK Framework (MAF), for example. Finally, humans must manage other humans. In this case, enterprise cybersecurity professionals must have the right structure and skills to manage third-party MDR providers effectively. ESG loves technology as much as anyone, but we’ll be looking to find the smartest and most helpful MDR services people next week. 
• Serverless security – the new frontier. Cloud: Serverless functions, or function-as-a-service (FaaS), such as AWS Lambda, Azure Functions, and Google Cloud Functions are becoming more prevalent components of modern cloud-native applications built on a microservices architecture. Because serverless itself is an abstract concept, the associated threat model and security approaches are ambiguous. So, what’s different about serverless? Serverless shifts more of the security responsibility to two parties – the external cloud service provider (CSP) and the internal developer. This changes the shared responsibility model where CSPs are now on the hook for securing the server instances that run the functions, as temporal as they may be. The consumers of these services, absent access to a network tap or the ability to install an agent, needs to gain visibility and control over their use of serverless functions. By shifting left into the development stage, DevOps teams must continuously discover API calls in source code and assess how those APIs are being used at build-time (i.e., with respect to authentication, authorization, encryption of data in motion and more). Logging an audit trail of service-to-service activity and the use of Runtime Application Self-protection (RASP) closes the continuous loop to protect the entire serverless API lifecycle. Do cybersecurity professionals and security technologies get this? We’ll be poking around at Black Hat to find out.
• Security analytics innovation and confusion. A few years ago, security analytics was synonymous with SIEM (security information and event management), but no longer. Security analytics now includes areas like network traffic analysis (NTA), security data lakes, UEBA, threat intelligence platforms (TIPs), etc. Savvy CISOs are playing with many of these but they also want cooperative security analytics where technologies interoperate, complement, and add value to one another. Once security analytics provide high-fidelity data (i.e., alerts, risk scores, etc.) organizations also want to act upon this data through security operations platforms. This is the essence of ESG’s SOAPA (security operations and analytics platform architecture). Yes, there’s tremendous investment and innovation in this area but users are royally confused by the pace of change and market hyperbole. Do they go with a one-stop shop like IBM or Splunk? Do they use open-source software like BRO/Zeek, the ELK stack, or Hadoop? Do they deploy SOAPA on-premises or seek out a cloud-based alternative from the likes of Devo, Google (Chronicle/Backstory), Microsoft (Azure Sentinel), or SumoLogic? I’ll be talking to a lot of SOC analysts at Black Hat to research and help answer these questions.

Despite the heat, crowds, and miles of walking each day, Black Hat is one of my favorite weeks of the year. By the end of the event, I feel like I’ve just gotten a graduate degree in cybersecurity – each year. If you see me or one of my ESG colleagues at Black Hat, make sure to say hello and let us know what you’re up to. Cybersecurity is a collection activity – even in Sin City, it takes a village. 

As Black Hat 2019 quickly approaches, I couldn’t help but think back to the tail-end of my previous life attending industry conferences as an analyst covering network security. By 2014, you couldn’t get a conversation with a user on the show floor if you were a firewall vendor that didn’t offer robust application control. Palo Alto Networks had successfully shifted the industry focus to application layer inspection and next-generation firewalls had all but been accepted as the default standard for network protection. This transition addressed the fundamental shift in internet usage affecting the way we live and work. Traditional Layer 3 and 4 scanning could not provide the visibility and control over Layer 7 traffic required to protect the modern enterprise. Of course, at the time it was the need for control over applications like Facebook, Twitter, and YouTube driving the change. But it clearly foreshadowed the upcoming transition to cloud application usage.

(more…)

Over the past five years, we’ve seen an explosion in security data collection, processing, and analysis. As part of a recent security analytics research project, ESG found that 28% of organizations claimed that they were collecting, processing, and analyzing significantly more security data than they did 2 years ago, while another 49% were collecting, processing, and analyzing somewhat more data during the same timeframe.

(more…)

Black Hat has gotten a lot bigger over the past few years, so many security insiders now compare Black Hat to the RSA Security Conference circa 2012 or so.

This is an accurate comparison from an attendance perspective but there is still a fundamental difference between the shows. In my humble opinion, RSA is an industry event, while Black Hat is more of a cybersecurity professional gathering. The focus is on cyber-adversary tactics, techniques, and procedures (TTPs), threat intelligence, and defensive playbooks. Rather than host lavish cocktail parties, vendors who participate in Black Hat must roll up their sleeves and demonstrate their technology acumen to gain street cred with this crowd.

In the past, a vendor’s technology prowess was usually used as an introduction to some type of security hardware or software. Technically savvy vendors would bond with security analysts as a means for pitching the latest products. In 2019, however, security technical gurus are looking for more than cool security technology alone – they are looking for help.

What’s going on? A global cybersecurity skills shortage, that’s what. ESG research indicates that 53% of organizations say they have a problematic shortage of cybersecurity skills. Furthermore, the recently published research report from ESG and the information systems security association (ISSA) indicates that 73% of organizations have been impacted by the cybersecurity skills shortage. Sixty-six percent of those impacted say the cybersecurity skills shortage has increased the workload on the infosec team, 47% say the cybersecurity skills shortage has led to the inability to learn or use cybersecurity technologies to their full potential, and 41% have had to hire and train junior employees rather than hire more experienced staff.

There’s one more implication around the cybersecurity skills shortage – nearly one-third (32%) of organizations have had to increase their use of professional/managed services because they remain understaffed and lack advanced cybersecurity skills. Like I said, organizations can no longer toe the cybersecurity line alone – they need help.

This brings me back to Black Hat. Yes, there will still be plenty of geeky technologies on display in areas like security analytics and threat detection/response. That said, I predict that managed services will be one of the main themes at Black Hat 2019.

It’s worth noting that managed security services are already making a big inroad at enterprise organizations. According to ESG research, 51% of large firms are already using some type of managed threat detection and response service (MDR) today, while another 42% will do so in the next 12 to 18 months or are interested in doing so. The research also points to the top reasons for adopting MDR:

• 32% of organizations needed a rapid improvement in threat detection and response and thought an MDR service would be more expeditious than deploying threat detection and response technologies.
• 29% of organizations were already working with a managed security service provider so it was easy to add MDR services as part of their contract.
• 28% of organizations admit that MDR services can do a better job at threat detection and response than they can.
• 27% of organizations say that they tried to deploy some type of threat detection and response technology but found that operating this technology was beyond their ability.

Black hat has always been a bully pulpit for security vendors known for their strong technology and threat intelligence knowledge – CrowdStrike, FireEye, Kaspersky Lab, Palo Alto Networks, Trend Micro, etc. These and other firms will maintain a staring role, but given the rapid adoption of managed services, look for others like Accenture, Booz Allen Hamilton, IBM, KPMG, SecureWorks, and Unisys to elbow their way into the spotlight. The new vendor mantra at Black Hat may be, “how can we help?”

Security professionals must resist the temptation to limit their Black Hat focus to security technology bits and bytes. Rather, they should prepare for this transition by bolstering their ability to qualify and manage third-party security service providers and coming to terms with the fact that they need help. As former President Barack Obama said, “Don’t be afraid to ask for help when you need it. Asking for help isn’t a sign of weakness, it’s a sign of strength. It shows you have the courage to admit when you don’t know something, and to learn something new.”

When it comes to threat detection and response, understanding network behavior really matters. According to ESG research, 87% of organizations use network traffic analysis (NTA) tools for threat detection and response, and 43% say that NTA is a “first line of defense” for detecting and responding to threats.  

(more…)

According to ESG research, 74% of cybersecurity professionals believe that cyber-risk management is more difficult today than it was two years ago. Respondents point to an expanding attack surface, an increase in software vulnerabilities, and more sophisticated tactics, techniques, and procedures (TTPs) from cyber-adversaries.

Okay, so there’s a cyber-risk management gap at most organizations–so what are they going to do about it? The research indicates that:

(more…)

Jerry Garcia once said the Grateful Dead is like black licorice—you either love them or hate them. Well, I have finally been able to make a connection between the Dead and cybersecurity as it sure seems to me that “DevSecOps” is the Grateful Dead of cybersecurity—you either love it or hate it.

(more…)

Early in my high-tech career, SUN Microsystems was thought of as a computing visionary. SUN coined an intriguing company tagline early on, “the network is the computer.” What did this mean? That IT infrastructure was linked together in a loosely coupled architecture, tied together via networking technologies like Ethernet cables and the TCP/IP protocol. Thus, it was critical to engineer the network correctly to maximize network availability, performance, and business benefits.

(more…)