The Expert's View with Michael Novinson

Black Hat: Incident Recovery, Threat Hunts & Blockchain Woes

The Changes Security Leaders Expect to See in Technology and the Threat Landscape
Photo: Michael Novinson

Nowhere did COVID-19 feel more in the rearview mirror than in the Black Hat USA 2022 Business Hall. Just a year ago, the surging Delta variant caused major sponsors to pull out of the show, but Business Hall this week was packed with more than 220 exhibitors and sponsors (see: Krebs to Vendors at Black Hat: No More 'Band-Aid' Approach).

Companies such as BlackBerry and F5 resurrected their longtime show floor staple of giving out heat-pressed T-shirts, while black VMware backpacks popped up across the floor. To stand out from the crowd, Pentera turned its exhibit space into a boxing ring complete with referee, boxing gloves and staff wearing T-shirts that said, "We're In Your Corner." Unabashed attendees could sit with a caricature artist at the Tenable booth or visit Palo Alto Networks to get a free cup of coffee - and avoid the wait in a very long Starbucks line.

Hats, backpacks and heat-pressed T-shirts were back at Black Hat USA 2022.

The lively Las Vegas event offered a chance for security firms to share their latest innovations and business initiatives with the world. Information Security Media Group caught up with 11 security executives to discuss the latest trends, from confidential computing and unified threat hunting languages to attack surface management and recovery services, social engineering campaigns and blockchain vulnerabilities (see: Black Hat: Web3 Defense, Open-Source Intel & Directory Hacks).

Tenable Doubles Down on Analytics, OT to Help Secure Clients

Tenable has stepped up its analytics in areas such as attack path management so security practitioners can answer complex questions from management and the board, CEO Amit Yoran says. The company uses analytics to help customers determine which vulnerabilities are the most exploitable as well as identify the most efficient path for an adversary to access an organization's key assets.

And from an operational technology perspective, Tenable actively communicates with devices in native protocols to see what they are, how they're configured and what they're connected to along with passively monitoring the environment from an attack detection and network monitoring perspective, Yoran says. The size and growth rate of the OT market presents a big strategic opportunity for Tenable going forward.

"We've been helping people assess their exposure not just in traditional IT but also in cloud environments, cloud workloads, directory services, Active Directory deployments and operational technologies," Yoran tells ISMG. "People need to realize their attack surface is a lot larger and more complex than it used to be."

CEO of iboss: SSE Is Now Being Embraced by Mainstream Market

Implementation of security service edge technology has progressed over the past six months from early adopters to mainstream organizations, with requests for proposals around SSE projects now carrying tight deadlines rather than no deadline at all, says iboss co-founder and CEO Paul Martini. This signals that the mainstream market now sees the value in SSE, both financially and technically.

Mainstream buyers tend to be more pragmatic and are seeking an end-to-end transformation that will allow them to retire a lot of legacy proxies and legacy gear, such as VPNs, according to Martini. The mainstream market is also much less tolerant of the initial hiccups often seen around new technology related to latency or downtime, meaning that performance is even more important.

"We want to dominate the mainstream market when it comes to the true SASE version of connectivity and security," Martini says. "We started at the top of the pyramid. We want to get the largest, most complicated use cases because for us, I think it's easier to go downmarket."

Google Turns to Confidential Computing to Make Data Shareable

Google Cloud has since late 2020 rolled out confidential computing products for virtual machines, Kubernetes and analytics to help customers share data securely outside their organization, says Group Product Manager Nelly Porter. These confidential capabilities increase the service's cost by 20% and result in performance degradation of no more than 2% to 6%, which keeps the impact on the user experience small, Porter says.

Early adopters of confidential computing include industries such as finance, healthcare and government as well as more unconventional spaces including blockchain, Web3, telecom and manufacturing, with the latter two embracing it for end-to-end privacy, encryption and protection, Porter says. She expects confidential computing to move to the mainstream once it is natively supported by all the CPU, GPU and accelerator firms.

"Confidential computing is finally the light at the end of the tunnel that helps enterprises not only protect and store data, but also process it," Porter tells ISMG.

Pentera turned its exhibit space into a boxing ring with referees, pledging to customers, "We're in Your Corner."

Darktrace Embraces ASM to Stop Attacks Before They Start

Darktrace has moved into the attack surface management space through its February acquisition of Cybersprint, which aims to prevent attacks by giving organizations the same outside-in view a hacker would have, says Justin Fier, vice president of tactical risk and response. The technology doesn't need a list of IP addresses or scoping work to operate and can provide visibility with the brand name alone.

The technology will help organizations address the additional external exposure they've assumed since the onset of COVID-19 and think proactively about how to stop attacks rather than just reacting to abnormal activity that's been detected, Fier says. The attack surface management tool provides continuous monitoring and has a short sales cycle since it delivers value as soon as it's turned on.

The city of Las Vegas has up until now relied on annual pen testing and red-teaming exercises to evaluate its attack surface, but that approach fails to capture in real time new instances and systems that are being spun up over the course of the year, says CIO Michael Sherwood. Now, Sherwood says, the city can see beyond its network on a continuous basis and understand how to mitigate areas of risk.

"It's huge for us," he tells ISMG. "The ability to see our network from that kind of perspective is something that we hadn't been able to do."

IBM Security Wants Threat Hunters to Speak the Same Language

IBM Security has focused on helping clients improve the accuracy of their detection and address issues around data, identity and compliance as they embrace hybrid cloud, says CTO Sridhar Muppidi. Big Blue has focused on ensuring analysts are spending time on the right alerts so they're addressing credential stuffing attacks and not someone who locked themselves out of their account while attempting to log in.

The company has created a unified threat hunting language to make it easier for the industry at large to contribute to and consume information quickly, Muppidi says. The adoption of cloud has increased the attack surface and demonstrated where perimeter controls fall short, forcing organizations to embrace approaches that determine risk and trust based on what the user is doing and how they're doing it.

"How do I get all the vendors to talk to each other so that we speak the same language?" Muppidi tells ISMG. "The example that comes to my mind is a detective at a crime scene and you have 14 people in the crime scene speaking 14 different languages. It's difficult and takes a long time to piece together the puzzle."

Optiv Puts Resilience, Remediation and Detection in Spotlight

Optiv has created product and service bundles around resilience, remediation and API detection and response to address the most pressing needs of its customers, says CTO Rocky DeStefano. The company maintains a cold copy of the client's current IT environment as part of its recovery services package for large enterprises so that customers have something to recover to after a ransomware attack, he says.

Optiv is also putting together a set of services that quantify how much a customer has reduced risk not only from an incident and vulnerability standpoint but also from a remediation and outage perspective, DeStefano says. The company also wants to move beyond cloud SOAR and use integrations that allow companies to quickly understand their operating environment without humans having to evaluate logs.

"We don't have time to evaluate logs and wait for a human to make a decision about an API or in a cloud environment," DeStefano tells ISMG. "The systems themselves have to be designed to be robust enough to respond based on operating differences."

Why XDR Beats SIEM at Pinpointing Threats in Noisy Environments

SIEM can play a key role in aggregating log data for compliance or auditing purposes, but when it comes to identifying threat activity in an IT environment, nothing beats XDR, says Ryan Alban, senior manager of global solutions lead at Secureworks. XDR excels at using advanced techniques to pinpoint threats in high volumes of data, while SIEM lacks the horsepower or analytics to find the signal in the noise, Alban says.

Some organizations choose to have both a SIEM and XDR, with the former focused on reporting metrics and dashboards that aren't connected to urgent threats, Alban says. Customers should look for an XDR platform that has intimate knowledge of how threat actors work, what their TTPs are, what their motives might be, and what kind of tooling they use, according to Alban.

"I would talk to customers that - they would exhaust their SIEM license or they'd struggle to keep the SIEM up and running," Alban tells ISMG. "And it would become a distraction to helping to detect threats in their environment. We'd see folks continue to miss the threat, even if their SIEM was in operation."

Zscaler Focuses on Supply Chain, Developer and Cloud Security

Supply chain attacks have evolved from going after OEMs to infiltrate their downstream customers to breaching suppliers in hopes of compromising the upstream OEM, says Zscaler CISO Deepen Desai. Firms can stop supply chain attackers in their tracks by having a whitelist of what the server is allowed to talk to on the internet and operating a mature third-party risk management program for suppliers, he says.

Desai says users and applications should be kept on different networks to ensure users aren't directly exposed to insider threats and limit the blast radius of what threat actors can do. Businesses also must ensure public cloud accounts aren't over-entitled or over-privileged and create a map of the internal attack surface to understand what assets will be exposed in the event of compromise, Desai says.

"Threat actors are going after your end user when they're working remotely in a relatively insecure environment," Desai tells ISMG. "A lot of organizations struggle to enforce consistent security policy unless they have an architecture where the policy is following the user."

Tanium Shifts to the Cloud, Unveils Risk Assessment Offering

Tanium rolled out a cloud-based version of its endpoint visibility and management platform a year ago to strengthen its presence among customers with fewer than 10,000 endpoints, says Chief Marketing Officer Steve Daheb. The on-premises version of Tanium's product requires expertise and manpower to deploy and maintain on servers, while the cloud version is more accessible to the masses.

The company recently introduced a cloud-based risk assessment that gives customers a detailed view of what their device security looks like based on the version of software they're using, Daheb says. Tanium has visibility into both traditional workstations and mobile devices as well as less conventional endpoints, including OT and IoT devices, sensors and cloud containers. Tanium also helps customers devise a remediation plan.

"We're seeing adoption across all of our modules," Daheb tells ISMG. "Customers who are choosing Tanium may have begun deploying us for client management or visibility but end up adopting many of our modules."

Smart Contract Vulnerabilities Lead to Huge Blockchain Theft

Insecure development of applications that reside on top of blockchain technology creates vulnerabilities that adversaries can exploit to access the blockchain network and control the asset, says Oded Vanunu, head of products vulnerability research at Check Point. The security woes are tied to the smart contract, which serves as the engine for blockchain transactions and is based on source code that can contain errors.

One small vulnerability in a smart contract can lead to threat actors hijacking all associated assets and user accounts, potentially resulting in the loss of millions of dollars, according to Vanunu. If people or companies are building smart contracts, they need to hire the right developers who have knowledge and understanding of how security can best be applied in this context, he says.

"It's easy to make mistakes, and the consequences are very, very severe," Vanunu tells ISMG. "Because with one vulnerability, someone can hijack your smart contract and use that to take control of all your assets."

Social Engineering Surges, Ransomware Brokers Shift Gears

Threat actors have started leveraging automated means to make customized social engineering lures, and one group is using malware to scrape current headlines from The New York Times and make them the subject lines of emails, says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. The current headlines add a layer of legitimacy and take advantage of human vulnerability.

In addition, threat actors who had previously been selling initial access for ransomware have shifted to selling access to banking Trojans and information stealers, as hackers get cold feet around launching massive ransomware attacks. DeGrippo expects more hackers to effectively fly under the radar by launching smaller ransomware attacks in which a handful of machines are locked down for ransoms in the hundreds of dollars.

"Threat actors are going to try to go smaller because they're scared," DeGrippo tells ISMG. "And they should be."

About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.