Scaring up enterprise cybersecurity innovation at a pandemic-constrained Black Hat
The cybersecurity conference Black Hat roared back to Las Vegas last week in spite of a renewed mask mandate and a virtual event alternative. My mission: Uncover what’s next in the world of enterprise cybersecurity.
I spoke to a handful of promising vendors, asking each of them one basic question: “WTF?” As in: “Vendors have been delivering innovative cybersecurity solutions to enterprises for decades, but it seems that the situation is worse than ever. So: WTF?”
My interviewees had three basic answers to my provocative question. First, given the desperate cybersecurity skills shortage, it’s essential to rely even more on automation to address basic cybersecurity challenges.
Second, lateral movement within target victims’ networks is still a problem, but existing solutions such as microsegmentation are too difficult or inflexible. Third, artificial intelligence has to step up to the plate in a big way to address some of the basic cybersecurity challenges facing organizations today.
Here’s a look at how the cream of the crop of innovative vendors at Black Hat address these challenges.
Automating tasks that are impossible to handle manually
Combine the cyber skills shortage with the increasingly complex and dynamic enterprise information technology environments and automation becomes increasingly important.
AppOmni: Continuous security monitoring of the enterprise SaaS environment
AppOmni provides automation-based solutions that help enterprises that rely upon software-as-a-service applications to run their businesses. Apps such as Salesforce, ServiceNow, Workday, Slack and hundreds of others are mission-critical, and such enterprises will typically have thousands or tens of thousands of user accounts on each.
Each of these user accounts, in turn, has its own permissions. Similarly, every object, screen and table belonging to each SaaS app has its own permissions and configurations. AppOmni keeps track of all of these permissions and configurations on behalf of its customers – even when they change.
Customers rely upon AppOmni to automatically handle such changes by ensuring conformance to their business intent. For example, the vendor can automate deprovisioning former employees, setting up and tearing down sales demos, handling promotions and reassignments, and dealing with mergers and acquisitions.
Spirion: Find and protect sensitive data wherever they may be
Spirion provides sensitive data discovery and automated compliance.
The company discovers data in all the nooks and crannies of the organization, from databases to emails to files on employees’ computers and phones. It can even use AI to discover data in images, and is shrewd enough to look inside log files, temp files, and other places data might be hiding.
The goal of such data discovery is regulatory compliance. Organizations must know what personally identifiable information they have and where it’s located in order to comply with a range of different regulations from PCI to HIPAA to GDPR.
Spirion can automatically manage and enforce policies regarding the data it finds, for example, routing files with credit card numbers to the appropriate obfuscation tool or perhaps a human analyst for remediation.
Spirion is particularly useful for data subject access requests, for example, GDPR’s right to be forgotten, a requirement that appears in many U.S. state regulations as well.
If a consumer asks a company to forget everything about them, the company must find all relevant data, delete the data (without deleting anything else), and maintain an auditable record of the deletion. Spirion handles all of these tasks for its customers automatically.
Next-generation compartmentalization to stop lateral movement
Lateral movement is a critical attack tactic that both the Cyber Kill Chain and MITRE ATT&CK call out. Preventing it has always been easier said than done.
Airgap Networks: Stopping ransomware propagation and other lateral movement in real time
Airgap Networks stops lateral movement via agentless, zero-trust isolation. In other words, it operates like automatic doors on a submarine. If one compartment is breached (say, by ransomware), the doors automatically close, protecting the rest of the network.
According to Airgap, today’s devices and servers are far too open to lateral movement. Obsolete virtual local-area network protocols provide access to malware in clouds and data centers. Computers and mobile devices fall prey to a variety of weak protocols from remote access to printing. The list of potential vulnerabilities is staggering.
Airgap provides several approaches to identify and shut down application spoofing, including compromised MAC addresses, DHCP requests and more.
In this way it provides “virtual airgapping” for devices and servers, as well as a ransomware “kill switch” that can limit the effects of a ransomware attack.
vArmour: Discovering and visualizing application and identity relationships among data
Ten-year-old cybersecurity firm vArmour takes an “inside out” approach to zero trust, focusing on each individual application and asking which people, services or other applications are in fact accessing it, and then comparing the answer to what should be accessing it and when.
In this way, vArmour is able to compartmentalize each application on the hybrid network by using AI to identify patterns of behavior that indicate suspicious lateral movement between the application and something else on the network.
The company doesn’t actually provide the microsegmentation, since there are already plenty of vendors that offer it. Instead, vArmour orchestrates third-party microsegmentation capabilities in order to manage and lock down suspicious lateral movement.
ColorTokens: Achieving cloud-native zero trust via contextual information about the application, microservice or protected resource
There are many microsegmentation vendors on the market, but the fact remains that enterprises have struggled to adopt this basic approach to limiting malicious lateral movement on the network. The reason: Microsegmentation is difficult to set up and manage in practice.
ColorTokens targets this challenge by offering AI-based policy recommendation based upon the level of risk. In particular, it helps organizations understand what assets they are protecting in order to create risk profiles that can drive the relevant cybersecurity configurations.
Threat actors are certainly after each organization’s crown jewels – privileged access to financial transactions, exfiltration of valuable information, ransomware targets that will encourage the payment of ransom and the like.
ColorTokens takes a cloud-native zero-trust approach to securing such valuable targets based on their risk profile. By “cloud-native,” we mean that ColorTokens provides an abstracted, policy-based control plane that secures endpoints that might be users, devices, services or microservices that have no fixed IP address.
Using AI to augment the cybersecurity team
Vendors have leveraged AI, machine learning in particular, in cybersecurity solutions for several years now, but the results have been underwhelming. It’s time to step up the game.
Bolster.ai: AI-based anti-phishing and fraud prevention platform
Bolster can identify malicious links in phishing emails by using AI to analyze the destination page of those links.
In particular, Bolster uses multiple techniques to recognize fake login pages. For example, it can tell if the company logo on such a page is not quite right. It can also identify spoof domains via sophisticated “typosquatting” recognition.
Bolster also parses the HTML on the suspicious page. It can identify malicious mobile app stores, a problem for Android in particular. In addition to fake login pages, Bolster also recognizes gift card and cryptocurrency scams.
Battling phishing is a nonstop problem, so Bolster provides ongoing, automated takedown support. It continually follows links in its customers’ emails, looks for malicious pages and then sends takedown requests for those pages to the hosting provider.
Such requests are one big game of “Whac-A-Mole,” which Bolster is only too happy to play on behalf of its customers.
StrikeReady: Offering a “digital cybersecurity analyst” that offers institutional knowledge and learns from the practical experiences of cybersecurity professionals
StrikeReady offers CARA, an AI-driven digital cybersecurity analyst – essentially, a pre-trained conversational virtual assistant that is an expert in many cybersecurity actions and processes.
StrikeReady has trained CARA with cybersecurity best practices that cover several different product categories – and in fact, can even replace such products if the customer prefers. CARA can handle most common cybersecurity situations, providing expert advice to security analysts, or if the customer prefers, it can take action automatically.
StrikeReady has also patented an approach for running simulated attacks that behave like a real attack except that they do no damage. Using this capability, StrikeReady customers can verify that CARA’s advice is correct.
CARA also offers a conversational interface, and it continues to learn each customer’s particular environment as it operates.
Any organization of any size would find CARA indispensable – but in particular, organizations with insufficient senior-level cybersecurity staff will benefit from the built-in expert-level cybersecurity capabilities that CARA offers out of the box.
Are we there yet?
Mitigating the risks inherent in the global cybersecurity skills shortage is an obvious priority. Leveraging increasingly sophisticated AI to improve automation and increase organizations’ real-time cybersecurity response is another.
Keep in mind, however, that threat actors continue to have the edge. All it takes is a few malicious experts who disseminate their wares, enabling numerous bad actors to wreak havoc on their targets. And of course, these attackers are perfectly adept at using AI to mount their attacks as well.
The bottom line: We’re really not that close to shutting down the attacks. But that doesn’t mean that cybersecurity innovation isn’t important. As the vendors at Black Hat show, it’s alive and well, and making determined if slow progress.
Jason Bloomberg is founder and president of Intellyx, which publishes the Cloud-Native Computing Poster and advises business leaders and technology vendors on their digital transformation strategies. He wrote this article for SiliconANGLE. (Disclosure: None of the organizations mentioned in this article is an Intellyx customer. Cyber Kill Chain is a registered trademark of Lockheed Martin. MITRE ATT&CK is a registered trademark of MITRE.)