Black Hat 2019: 12 Cybersecurity Myths That Could Put You At Risk

CRN asks 12 executives, sales and technical leaders attending Black Hat 2019 what they see as the top oft-repeated beliefs about cybersecurity that are foolishly accepted as fact.

Getting The Wrong Impression

Winston Churchill’s famous line that a lie can get halfway around the world before the truth even has a chance to get its pants is one that holds true today in cybersecurit. Businesses, solution providers and vendors all accept oft-repeated beliefs as fact even though the fact wouldn't survive stricter scrutiny.

CRN asked a variety of C-suite executives, technical leaders and sales leaders attending Black Hat 2019 what they thought were the most harmful myths that businesses and solution providers continue to believe.

Some myths address misleading assumptions people have made about legacy technologies like firewalls, anti-virus software and SIEM (security information and event management) platforms, as well as assumptions around emerging tools like data lakes, automated response and endpoint detection and response.

Other myths speak to the role humans are (mistakenly) believed to play in areas like email security, risk assessment and asset management. Here are 12 cybersecurity myths that could put all companies at risk.

Compliance Equates To Effective Security

Compliance is necessary but completely insufficient on its own, according to Chris Day, Cyxtera's chief cybersecurity officer. Adversaries are intelligent and adaptive, Day said, and often behave in a creative and pernicious manner toward organizations that aren't doing unstructured hunting.

Penetration testing to satisfy compliance requirements is typically very light, and often just requires running an external scanner, Day said. But by the time organizations achieve compliance, Day said they've often gone through all the money set aside for security.

Organizations should approach security from the standpoint of an adversary and either employ or bring in humans to do comprehensive threat hunting, Day said. A seasoned threat hunter in a network running commands such as PowerShell is going to expose things that simply wouldn't come up in a penetration test, according to Day.

Data Models Can Identify Security Threats

Artificial intelligence today is really about automating the threat hunting process and training machines to look at data sets and identify potential risks within an organization that need to be addressed, said Mike Adler, vice president of the RSA NetWitness Platform. But the data models aren't mature enough today to definitely identify a security threat as opposed to merely pointing out suspicious activity, Adler said.

Many organizations don't share data well with vendors or with one another, which Adler said exacerbates the challenge around creating well-tuned models. Most organizations want these types of analytical calculations to run on-premises, but Adler said that takes a lot of computational resources and data storage space.

Resource availability issues as well as a lack of experience in building more accurate data models across the board have hampered their construction, Adler said. But Adler expects the analytical capabilities associated with AI and machine learning to evolve significantly over the next half-decade.

Putting Data Into A Single Repository Strengthens Security

Putting all of an organization's data into a one big bucket such as a SIEM platform doesn't advance security much since organizations still need to make sense of what to do with the data, according to Israel Barak, Cybereason's chief information security officer.

Once the data is in a bucket, Barak said companies will often then create rules as to when to take action based on the data that has been aggregated into the system. But for that to be effective, Barak said businesses must be sure that the right data is being collected, that the data is being updated constantly, and that the repository actually has visibility into relevant assets rather than simply collecting logs.

The Mitre framework can help organizations understand what types of data sources they need to have full visibility into, Barak said. Over time, Barak believes businesses will transition away from this outdated approach to fueling visibility and Security Operations Center automation.

Automation Competes With Solution Provider Services

Fully automating the manual penetration testing functions carried out by solution providers today won't leave the solution provider empty-handed, according to Leslie Bois, Veracode's vice president of global channel and alliances. There is a tremendous amount of services that create stickiness for partners beyond just doing vulnerability scans for customers, Bois said.

Bois expects automating pen testing will open up additional services opportunities for partners at higher levels around creating, maintaining, and teaching application security functions. DevSecOps transformation partners have some highly unique capabilities and can easily set themselves apart from the pack, Bois said.

One round of in-depth manual pen testing on an application simply isn't enough since that only captures the security of the app at a fixed point in time, Bois said. The best practice for businesses is to pursue hundreds of vulnerability scans for a single application at a variety of times, Bois said, and automation would be key to seeing through that type of initiative.

There's A Skills Shortage Gap In Cybersecurity

The skill shortage gap in cybersecurity is way overhyped to distract from the fact that vendors have designed such complex systems that customers or partners need highly advanced practitioners to run them, according to Mimecast Chief Operating Officer Ed Jennings.

Businesses should be able to cross-train intelligent technologists to work on the cybersecurity team, but Jennings said a fixation by vendors on building overly complex, bespoke systems has made that very difficult to pull off. That's because vendors too often layer in another technology to boost efficacy by 0.5 percent to help solve for an uber-sophisticated advanced persistent threat scenario, Jennings said.

In reality, though, Jennings said most breaches occur because of a known vulnerability, an unpatched server, a user clicking on a phishing link, or a door left open to a privileged account. Jennings said user awareness education and training and two-factor authentication can go a long way toward addressing the straightforward configuration issues most businesses face without having to reinvent the wheel.

Companies Can Keep Out Adversaries By Securing The Perimeter

Companies are still investing a lot of money into trying to build a digital fence around the perimeter of their organization with technologies like firewalls and antivirus software, according to Tina Stewart, Thales' vice president of market strategy. But adversaries are often able to penetrate the perimeter by going after third parties such as contractors and IT partners that already have permission to enter, Stewart said.

Instead, Stewart urged customers to get closer to the asset that adversaries are actually attempting to steal. In particular, Stewart said CISOs should bone up on their knowledge of where sensitive data is stored and how it's used, shared or transferred.

Once that's understood, Stewart said businesses can turn to locking down the sensitive data via encryption and key management regardless of whether it's stored on-premises or in the cloud. Enterprises should have their own access to the cloud as well as the keys, Stewart said.

Endpoint Detection And Response Is Difficult

Analyst reports from organizations like Gartner and Forrester often claim that customers need a high degree of expertise to use an endpoint detection and response product, according to Dan Larson, CrowdStrike's vice president of product marketing.

This perception exists due to poorly implemented EDR tools that only collect data and then ask customers to find threats in the data by feeding in indicators of compromise or building hunts for scheduled data types, Larson said. If the burden is on the customer to find the data, Larson acknowledged it's going to be hard.

Good EDR products, though, will know how to automatically find threats in a data set by analyzing data and automating the detection and prevention of threats, according to Larson. "EDR doesn't have to be a science experiment," Larson said.

Companies Are Unable To Defend Against Sophisticated Attacks

Security novices tend to think of the dark web or underground economy as a cabal of shadowy actors with perfect security skills, according to John Wetzel, Recorded Future's head of threat intelligence and product training. But adversaries can be forced to resort to more complicated processes or systems or give up on the target altogether based on the actions of the defender, Wetzel said.

Companies often underestimate their capacity to defend against a sophisticated attack simply by putting themselves into a stronger defense posture, Wetzel said. By doing so, Wetzel said businesses can drive up the cost of an attack to the point where it's no longer tenable for the attacker.

Advanced actors and groups up to and including nation-states often opt to use commodity malware to save money and complicate attribution, Wetzel said. Well-designed commodity malware is easy for adversaries to use, scale and exploit as part of a network attacks, according to Wetzel.

More Products Mean Better Security

Over the past two decades, customers have often gotten enamored with hot new technologies ranging from sandboxing and hosted intrusion prevention systems to endpoint detection and response and container security, according to Steve Quane, Trend Micro's executive vice president of network defense and hybrid cloud security.

But customers that chase after hot new things in endpoint, network, container, server and cloud security eventually find themselves stuck with a bunch of different point products that struggle to correlate activity, Quane said. This also forces solution providers and customers to become experts in dozens of different vendors and technologies, which Quane said it difficult to do.

As businesses pursue better visibility and greater interoperability, Quane expects they'll instead opt for better integrated, more broadly scalable platforms from a much smaller set of vendors.

Risks And Threats Are The Same Thing

Security practitioners have for years equated threats with risks, causing them to focus intently on the former to the detriment of the latter, according to RSA CTO Dr. Zulfikar Ramzan. Conversations about threats focus exclusively on vulnerabilities in an asset that can be exploited, but conversations about risk must take into account the degree of loss a successful breach or intrusion would cause, Ramzan said.

Security practitioners are identifying vulnerabilities all the time, but in order to determine which vulnerabilities should be prioritized and triaged, Ramzan said businesses must focus on risk. Risk-based thinking would likely determine that vulnerabilities impacting critical assets that have been exploited in the wild by well-known toolsets pose the greater danger, and should therefore be prioritized.

SOC analysts need to think about risk from a business impact perspective when classifying which events the IT department should treat as a priority, Ramzan said. "Unless we talk about risk properly, nobody will know what they should focus on," Ramzan said.

End Users Can Manage Security Entirely On Their Own

Internal IT departments often operate under the illusion they can manage everything on their own, but in reality lack the dollars and bodies to meet the cybersecurity demands in real time, according to Greg Cobb, Digital Guardian's vice president of global channels.

Security as a Service through MSPs has a lot of intrinsic value both from a corporate IP perspective around desktops and laptops as well as to address the consumerization of IT, Cobb said. Organizations that try on their own to manage both corporate-owned and BYOD devices—as well as ensure that patches and OS updates are applied in real time—often find it to be relatively impossible, Cobb said.

MSPs can take advantage of economies of scale to have people on staff specializing in patch management, threat hunting and policy enablement since they're able to leverage that expertise across all of their customers, according to Cobb. But internal IT officials are sometimes reluctant to outsource out of fear that their jobs could be threatened or automated, Cobb said.

Technology Alone Can Combat Email Security Threats

People rely excessively on technology for email security and think that the software will successfully label every external email address, making employee impersonation or spoofing next to impossible, according to Richard Hummel, manager of threat intelligence at NetScout. Organizations need to have training in place so that employees can detect and identify malicious emails coming in, Hummel said.

More than 90 percent of intrusions in the world happen as the result of phishing or spearphishing, Hummel said, but a good cyber awareness program can reduce intrusions by up to 70 percent. Given that email is still the primary attack vector for cybercrime or advanced persistent threats, Hummel said that having a solid security awareness program remains very important.