Black Hat 2018: 12 Executives On The Most Overhyped Cybersecurity Trends Today
CRN asked 12 executives and technical leaders attending Black Hat 2018 what cybersecurity concepts seem to be more about buzzwords than delivering meaningful protection.
More Bark Than Bite
Vendors at Black Hat 2018 did their best last week to stand out among 300 of their cybersecurity peers, but they sometimes ended up resorting to the same buzzwords to capture the audience's interest.
CRN asked a selection of CEOs and technical leaders attending the giant cybersecurity summit what they thought were the most overhyped cybersecurity trends in the recent past.
Some trends, like artificial intelligence and machine learning, made the list because the terms rarely describe what a company's technology actually does. Others, like blockchain, earned a spot because of their limited application in a cybersecurity context.
Perimeter-centric approaches, meanwhile, were called out for a lack of relevance in an increasingly mobile and cloud-centric world. And more cutting-edge areas like threat intelligence and deceptive technology can be too heavy a lift for smaller customers or run the risk of distracting organizations from core responsibilities such as patching and anti-virus.
Artificial intelligence is an immensely powerful technology, but the industry often misrepresents what it's capable of doing and doesn't call out its limitations, according to McAfee SVP and Chief Technology Officer Steve Grobman.
AI typically struggles to recognize malicious situations, scenarios or content that are dissimilar to anything seen in the past, Grobman said, including new classes of vulnerabilities such as Meltdown and Spectre. In addition, Grobman said many AI techniques are unable to explain why something has been flagged as malicious, which often limits what an organization is able to do in response.
Once an adversary understands how an AI-based defense has been built, Grobman said they can put evasion techniques in place to circumvent it. In addition, since both defenders and attackers are capable of using artificial intelligence, Grobman anticipates that AI will, in time, also result in more effective attacks by bad actors.
A huge gap exists between organizations using machine learning as a buzzword and those that have found a meaningful application for it, according to Veracode VP of Research Chris Eng. Businesses relying on machine learning should be able to state what they're using it for, how they're keeping the algorithm current, what the training process entails, and what level of false positives they encounter.
Machine learning excels at classifying large data sets of indicators, network bugs, and bug trackers and determining whether or not it looks similar to other categories of information, Eng said. But if an organization isn't constantly retraining its algorithm and the threat landscape shifts, Eng said the company will likely end up classifying data incorrectly.
Blockchain excels in a limited set of cybersecurity applications, but its impact will likely be incremental rather than revolutionary, according to Raffael Marty, Forcepoint's vice president of corporate strategy.
Organizations often want an irrefutable record of when a user accessed critical data, and that record could be stored in the blockchain to ensure it's verifiable by everyone and can't be altered, Marty said. But when it comes to smart contracts – a computer protocol intended to digitally enforce the negotiation or performance of a contract – he doesn't see the security benefit provided by blockchain.
In addition, organizations need to be mindful of what information is being stored via blockchain since it becomes immutable, according to Heath Thompson, Forcepoint's SVP and General Manager, Commercial Security. Therefore, Thompson said anything that could be viewed as personally identifiable information under regulations such as GDPR shouldn't be stored in blockchain.
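The tamper-evident access record Marty describes, together with Thompson's warning about immutable PII, can be shown with a hash chain. The following is an added example (not code from the article, Forcepoint, or any of the executives quoted): each block carries only a salted commitment to an access event, the event itself (including the user identity) stays in off-chain storage that can be erased, and the chain and the off-chain records can be verified independently. The user names, resources and timestamps are constructed sample data; whether a salted hash of personal data is itself outside the scope of GDPR is an assumption the reader must confirm with counsel, which is why the example keeps the identity off-chain rather than hashing it directly.

```python
"""Tamper-evident access ledger: hash-chained commitments, PII kept off-chain."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed sample access events (hypothetical users and resources).
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "resource": "/finance/q3.xlsx", "ts": 1533700000},
    {"user": "bob@example.test", "resource": "/hr/salaries.csv", "ts": 1533700060},
    {"user": "alice@example.test", "resource": "/hr/salaries.csv", "ts": 1533700120},
]


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    commitment: str   # salted hash of the canonical event, never the event itself
    ts: int
    hash: str = ""

    def compute_hash(self) -> str:
        payload = f"{self.index}|{self.prev_hash}|{self.commitment}|{self.ts}".encode()
        return _sha256(payload)


class AccessLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.chain = []        # on-chain: list[Block], append-only
        self.offchain = {}     # off-chain: index -> (salt, event); erasable

    @staticmethod
    def commit(event: dict, salt_hex: str) -> str:
        # Canonical JSON so the same event always commits to the same value.
        # A random salt stops anyone from guessing low-entropy fields (a user
        # e-mail address) by hashing candidates and comparing against the chain.
        canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        return _sha256(bytes.fromhex(salt_hex) + canon)

    def append(self, event: dict) -> Block:
        salt = secrets.token_hex(16)
        prev = self.chain[-1].hash if self.chain else self.GENESIS
        blk = Block(len(self.chain), prev, self.commit(event, salt), event["ts"])
        blk.hash = blk.compute_hash()
        self.chain.append(blk)
        self.offchain[blk.index] = (salt, dict(event))
        return blk

    def verify_chain(self) -> bool:
        """Every block must hash correctly and point at its predecessor."""
        prev = self.GENESIS
        for i, blk in enumerate(self.chain):
            if blk.index != i or blk.prev_hash != prev or blk.hash != blk.compute_hash():
                return False
            prev = blk.hash
        return True

    def verify_record(self, index: int) -> bool:
        """The off-chain event must still match the commitment anchored on-chain."""
        salt, event = self.offchain[index]
        return hmac.compare_digest(self.commit(event, salt), self.chain[index].commitment)


def build_demo() -> AccessLedger:
    ledger = AccessLedger()
    for event in SAMPLE_EVENTS:
        ledger.append(event)
    return ledger


if __name__ == "__main__":
    led = build_demo()
    print("chain valid:", led.verify_chain())
    led.offchain[1][1]["user"] = "mallory@example.test"   # tamper with the off-chain copy
    print("record 1 still matches:", led.verify_record(1))
```

Erasing `offchain[i]` (a GDPR deletion request, say) leaves the chain intact and still verifiable for every other record; only the ability to prove what record i contained is lost, which is the intended trade-off.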
Firewall and Breach Detection
Firewalls and breach detection systems are largely ineffective against today's mobile and cloud-centric threats, according to Carbon Black Chief Cybersecurity Officer Tom Kellermann. Firewalls have little effectiveness in the private or hybrid cloud, Kellermann said, and can often be circumvented through SaaS applications.
Meanwhile, Kellermann said an over-reliance on breach detection systems that detonate suspicious files leads organizations to become excessively focused on malware and not enough on lateral movement and exfiltration.
Kellermann said neither firewalls nor breach detection systems do anything to address the two biggest shifts in a typical criminal's modus operandi: a desire to stay in a company's systems and maintain persistence, and an emphasis on using an organization's brand against their constituents through a secondary monetization scheme.
Organizations are slowly waking up to the deficiency of these technologies, Kellermann said, but most CIOs won't allow the CISO to rip and replace security capabilities unless the company has suffered a breach.
Humans are still able to make certain decisions on the analyst and cryptography side that machines are unable to carry out, according to Malwarebytes Lead Malware Intelligence Analyst Jerome Segura. Specifically, Segura said machines struggle to understand trends or motivation for an attacker.
Machines are better than humans at processing and automating large amounts of code, Segura said. But when it comes to figuring out how criminals think and change their tactics - along with anticipating their next move - Segura said machines typically come up short.
For instance, if a hacker sent ransomware as part of a politically-motivated cyberattack, Segura said the machine would just see ransomware, while a human would understand why the bad actor might be attacking certain companies and incorporate geopolitical thinking into their threat analysis.
In order to successfully leverage threat intelligence, a company must develop resources internally to collect, digest and analyze threat information, correlate it with broader risk factors, and understand how to mitigate the issue, according to Cybereason Co-Founder and CEO Lior Div.
Government agencies have teams large enough to run the threat intelligence process continuously, Div said, but most companies today are barely able to hire enough security analysts, much less an entire threat intelligence team.
Running a successful intelligence office typically requires more than 40 people to collect and analyze the data, and Div said fewer than five private sector companies are able to do it effectively. Div encourages customers to take a far more automated approach to obtaining intelligence information.
Deception technology faces a critical mass challenge: once the technology reaches market saturation, it is no longer very deceptive, according to Charles Henderson, global managing partner at IBM X-Force Red.
Deception technology counts on the attacker being unfamiliar with what they're going up against, but by the time the deception technique becomes worthwhile, Henderson said the attacker is familiar with it. This technology can obscure problems and make an attack more difficult, but Henderson said deceptive technology is primarily an attack nuisance, not a form of attack prevention.
The mileage organizations obtain from looking through logs and combing through events varies greatly, according to Optiv Incident Response Practice Director Jeff Wichman.
When threat hunting is done correctly, it can be of huge benefit to clients since they become trained and are able to stay abreast on how to handle different types of threats, Wichman said. But many organizations lack the market talent or technical sophistication to effectively carry out threat hunting, according to Optiv Chief Services & Operations Officer Chad Holmes.
Organizations should take at least a week to prepare before engaging in a threat hunting exercise to get a stronger sense of what their logs and infrastructure look like, Wichman said. A successful threat hunting service needs not only access to an organization's environment, Wichman said, but also a deep understanding of all the potential threats that are out there.
A lack of understanding exists around what Zero Trust security means, what it looks like from a consumer perspective, and what organizations looking to adopt such an approach should be looking for from vendors and solution providers, according to Jonathan Goldberger, Vice President and General Manager of Unisys Security.
As the perimeter dissolves, Goldberger said organizations need to find a new approach to security. But too many vendors simply discuss the need for Zero Trust security and then attach their offering to the buzzword, Goldberger said, without describing how their product truly does away with the idea of a trusted network inside a defined corporate perimeter.
For starters, Goldberger said products promoting a Zero Trust approach should have additional levels of identity verification beyond user ID and password. From there, Goldberger said consumers should push vendors to detail the tangible outcome of their Zero Trust approach such as less phishing activity or faster time to detection and response.
Nation-state hacking of the grid or election process is important for the government as well as people that operate critical infrastructure, but the rest of us aren't able to do anything about it and would be better off focusing on how our companies could be attacked, according to Sophos Principal Research Scientist Chester Wisniewski.
"They're distracted about what's in the news as opposed to what's happening in their environment," Wisniewski said.
Keeping track of the latest threat posed by nation-state actors is a "sick form of entertainment," Wisniewski said, but not relevant to a company's work. Most organizations would be far better off ensuring their anti-virus and patching are up to date, and monitoring the integrity of their publishing systems, source code and customer information to protect against threats like ransomware, he said.
Many companies think that firewalls and agents will make them secure, but don’t seem to realize that bad guys aren’t looking to break cables to get into an organization's ecosystem, according to Bhagwat Swaroop, Proofpoint's executive vice president and general manager of email security.
Breaking into an organization's infrastructure is hard, Swaroop said, and often requires a convoluted approach. It's much easier – and more profitable – for bad actors to impersonate an executive and send a credential phishing email, according to Swaroop.
Only 7 percent of security spending is focused around email, Swaroop said, even though it is the vector used for 93 percent of ransomware attacks. The traditional view of putting something in a silo and ensuring through a firewall that only authorized people have access to it is outdated given the pervasiveness of data in the cloud, according to Swaroop.
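The executive-impersonation phishing Swaroop describes leaves traces a mail gateway can check before the message reaches an inbox. The following is an added example, not code from the article or from Proofpoint: it scores a parsed message for the common impersonation signals (a display name that matches an executive but comes from the wrong address, a lookalike sender domain after confusable-character normalization, a Reply-To that diverts replies elsewhere, and a credential-harvest lure with a link). The organization domain, executive list, confusable substitutions and all four messages are constructed for illustration.

```python
"""Flag executive-impersonation and credential-phishing signals in parsed mail."""
import re
from email.utils import parseaddr

# Hypothetical organization data (assumed for the example).
ORG_DOMAIN = "example.test"
EXECUTIVES = {
    "jane doe": "jane.doe@example.test",
    "sam lee": "sam.lee@example.test",
}
# Character substitutions attackers use to register lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))
LURE = re.compile(r"password|verify your account|sign in|login")

# Constructed sample messages: headers plus body, already parsed.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.test>",
     "body": "Board deck attached, see you Thursday."},
    {"From": "Jane Doe <jane.doe@mail.example>",
     "body": "Your password expires today. Sign in at https://portal.mail.example/ to keep access."},
    {"From": "Sam Lee <sam.lee@exarnple.test>",
     "body": "Wire instructions changed, call me before 5."},
    {"From": "IT Helpdesk <helpdesk@example.test>",
     "Reply-To": "helpdesk@mail-support.example",
     "body": "Login required: http://support.mail-support.example/reset"},
]


def normalize_domain(domain: str) -> str:
    """Fold visually confusable sequences so 'exarnple' compares as 'example'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(msg: dict) -> list:
    """Return the list of impersonation signals found in one message."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_key = re.sub(r"[^a-z ]", "", name.lower()).strip()

    # 1. Display name is an executive's, but the address is not theirs.
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        findings.append("display-name-spoof")

    # 2. Sender domain is a lookalike of ours (confusables or one edit away).
    if domain and domain != ORG_DOMAIN:
        nd = normalize_domain(domain)
        if nd == ORG_DOMAIN or levenshtein(nd, ORG_DOMAIN) <= 1:
            findings.append("lookalike-domain")

    # 3. Reply-To silently redirects the conversation to another mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to-mismatch")

    # 4. A link plus credential language is the classic harvest lure.
    body = msg.get("body", "").lower()
    if re.search(r"https?://", body) and LURE.search(body):
        findings.append("credential-lure")
    return findings


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["From"], "->", classify(m) or "clean")
```

In production these checks sit behind, not instead of, SPF/DKIM/DMARC evaluation: a message that fails DMARC for the organization's own domain is the stronger signal, while the heuristics above catch the free-mail and lookalike-domain cases that authentication alone does not.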
Everyone is focused on stopping threats from coming in, but most of those technologies are unable to understand which data is sensitive and which isn't, according to Marcus Brown, vice president of global channels for Digital Guardian.
A defense strategy focused purely on building walls to stop threats from getting in will eventually falter against a well-resourced enemy, Brown said. And once a bad actor gets through the perimeter, Brown said they would have carte blanche to take whatever they want.
It's therefore vital, as a last line of defense, to have something watching the crown jewels of the enterprise, understanding what data or information is sensitive, and protecting it, said Brown, who expects new compliance mandates will drive organizations to allocate more of their budget for the protection of data.