Special Editions 8.5.16
Ep 6 | 8.5.16

Black Hat - Cyber Security Trends and Investment


Dave Bittner: [00:00:03] The 2016 Black Hat conference is underway in Las Vegas this week. And in this special report from the show floor, we'll hear from industry leaders about industry trends and from venture capital funders about what they need to see before saying yes and why it's harder to get funding than it used to be. Stay with us.

Dave Bittner: [00:00:27] Time to take a moment to tell you about our sponsor Cylance. Are you looking for something beyond legacy security approaches? If you are - and who isn't? - you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. And even better, if you're at Black Hat this year, swing by Booth 1124 and chat with the Cylance people. Cylance: artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:29] I'm Dave Bittner. We begin this Black Hat Special Edition with a look at trends and hear from some industry leaders and experts about what they're seeing and where they think cybersecurity is headed. Vitali Kremez works in cybercrime intelligence for Flashpoint, a company that monitors the deep and dark webs.

Vitali Kremez: [00:01:47] So one of the most emerging trends was the recent DNC, Democratic National Committee, hack was - that it was allegedly perpetrated by Russian government. In light of that attack, we saw some certain - response from Russians. They opened up a new story about hacks from the FSB. And we've seen new trends of, for instance, government trying to use disinformation tactics or attacks to shift the blames or responsibilities for attacks to hacktivists, like Guccifer, the creation of identities as a way for them to obfuscate their intelligence operations. And how we would respond to that - there will be a very interesting response from the government sector and how the private industry with the government will combat that.

Vitali Kremez: [00:02:35] Number two, I would say health care institutions being compromised and the ransomware attacks on health care institutions. Those attacks bring actually physical damage and to - can bring physical damage to specific devices run in emergency rooms. So they can actually paralyze the hospital operations connected to the ICU units. So they have, like, really physical threat to patients. And another trend - the attacks against SWIFT, the bank attacks targeting the specific payment system as opposed to credit card data. So once the Russian actors that we think - like, Eastern European actors - were connected to - allegedly - the SWIFT attack, the Ukraine responsible for more than $10 million worth of loss - that type of attack was damaging to the whole country infrastructure that could lead to destabilization of the economy and people losing jobs and more - even, like, real-life frustration, especially in light of the Crimea annexation and the difficult situation between Russia and Ukraine, politically speaking.

Vitali Kremez: [00:03:47] And then also one last trend I want to highlight in cybersecurity perspective - the emergence of ISIS as being - as the users of encryption methods in technology. As we know, they are learning. And they're not too capable at this moment, but they are learning. And they - if they would apply the same kind of methods of encryption the InfoSec world uses now and they would apply the same motivation as physical threat and - to human lives and in the name of jihad, that would be damaging. And if they would transmit that to the cyberspace as they're doing now with the United Cyber Caliphate, which was alleged to be a faction of ISIS, that would be a concern to the all of InfoSec and how we'd respond to that.

Dave Bittner: [00:04:31] Lance Cottrell is chief scientist at Ntrepid, developers of secure virtual browser technology.

Lance Cottrell: [00:04:38] It seems like a lot of the problems are taking place in the basic blocking and tackling. You know, when we look at companies and, you know, they're bringing us in to solve this problem with the browser - but they're also having huge trouble just keeping track of, what are their systems? You know, where's the perimeter? - and having that dissolve on them, you know? And that's one of the things they like about having the software actually on the endpoint - is the endpoint isn't staying inside their perimeter, right? If you've got some sort of a gateway device, that works until the laptop goes to Starbucks, at which point, suddenly, that stops working. Well, how do you maintain that protection? We're thinking a lot about that extension of the perimeter, extension of responsibility. I think governments and corporations need to start thinking about, how can they protect their employees, even when they're using their own devices at home? And it can't be in a monitoring-heavy way because no one's going to put up with that.

Lance Cottrell: [00:05:36] But anything they can do to make the person safer when they're using their own computer at home and accessing corporate email - which they do - is going to be critical. And that email is, you know, the huge failure. If I could get your endpoint and get in and, you know, get access to your email client, I get huge amounts of data and everything I need to launch the perfect spear phishing attack against everyone else in the company. I can impersonate you perfectly. We're seeing a unique signature on almost every endpoint target. You know, these virus and malware are morphing continuously. So we - and many others in other parts of the security space - are now starting to look at, how do you build the tools so that it automatically is secure? Even if it gets infected and cleans up, you don't necessarily need to be trying to remediate. You're reimaging your servers automatically every couple of minutes because by the time you send a guy out and chase it down, it's hugely labor-intensive. And they've had a chance to move on. And so I think that's going to be, over the next couple of years, one of the big trends - is more of a sort of self-healing, proactive kind of security rather than trying to clean up after you detect things.

Lance Cottrell: [00:06:46] Leon Ward is senior director of product management at ThreatQuotient, developers of threat intelligence platforms.

Leon Ward: [00:06:53] It's so hard to predict the future, right? It feels like that time of year. It's Black Hat or it's the end of the year, and everyone's looking for predictions. What's going to happen next year? But ultimately, the only predictions you can make is it's going to be more of the same. The things that have been successful now will continue to be successful until they change. And the only reason an approach or methodology ever changes is because the defenders become more sophisticated at preventing that method from being successful. So what is the new method, the next method? Well, we don't know what it is until the attacker is actually going to be forced to change their methods because their current methods aren't being successful.

Dave Bittner: [00:07:37] Bryan Glancey is chief technology officer at Optio Labs, developers of mobile security architectures.

Bryan Glancey: [00:07:44] People are now starting to understand a lot more about phones and their powers and kind of the problems - everything from chipset fundamental problems to, you know, encryption issues like came up with Apple, you know, last year. They are starting to understand the implications of, you know, the packages and things that are going into a device and how, you know, it's a complex problem, and there is no one simple solution usually. So we're starting to see, you know, more people choose to do - you know, the migrate back from potentially BYOD. Think about for things that are actually regulated or have audit fines or compliance fines - think about corporate-owned devices and issuing their own devices for those things. We're seeing - you know, you're seeing a rise of things like the Sirin phone - very high-end, secure phones with, you know, high level of evaluation and compliance to new international standards.

Bryan Glancey: [00:08:52] International standards on this side have actually been changing quite a bit, too. There's now a new international standard for security that validates the security of phones - different phones - to a known given standard. One of the things that's fundamentally changing is the diversity, right? It used to be, years ago, there were three or four or five - on the outside - phone manufacturers that were the big manufacturers of phones, right? We've seen that cycle several times. Those older members of us have seen Comm come in and go out and, you know, other devices come and go - right? - throughout the years. But now that turnout is becoming even worse because there - it used to be that the, you know, Samsung was the major provider. And Apple was a major provider. But now we're even seeing players like Huawei crack the top five for most devices made. And when you look at, you know, just the number of sheer providers that are building phones now - mainline phones - it used to be a dozen. Now it's a thousand, right?

Bryan Glancey: [00:10:01] So this is fundamentally changing the market and kind of how the number of devices, the types of things that you see on the market and also that fundamental kind of insecurity problem becomes bigger. I think that we're going to continue to see many, many more vulnerabilities. There's a lot of companies out there that are making devices that are going to have our personal information, are going to have our banking information, are going to have our email. And, you know, they don't have the expertise usually to do the security implementation. And it's not usually something that they can just get off the shelf. So I think we're going to see many more vulnerabilities coming in the next year, two years, particularly out of the same library used again - over and over again - in IoT device, in a cell phone, in - all over the place - just because there's not that expertise usually in the marketplace. So I think we're going to see a lot more.

Dave Bittner: [00:10:58] Hamilton Turner is the senior director of research and engineering at Optio Labs.

Hamilton Turner: [00:11:03] We used to always laugh about the fear and uncertainty in the media. But in the context of mobile phones, it's not as fake as you would like to - as we would like to believe. There is a really long tail of vulnerabilities, and most devices are vulnerable, you know? The device you have in your pocket probably has at least four or five CVEs that are unpatched on it. And it's an interesting world. It really used to be that, you know, you'd get all these crazy headlines about - things are scary. Your phone will blow up any minute. But maybe the vulnerability vector didn't really keep up with the marketing vector. All of a sudden, they really are starting to keep up, so we're going to keep seeing demand for these devices to rise. And so we're going to get more and more of them. And we're going to keep seeing the security vulnerabilities go up more and more.

Hamilton Turner: [00:11:47] Vikram Phatak is CEO of NSS Labs, an IT security product testing lab.

Vikram Phatak: [00:11:53] Well, so obviously, you've heard about the ransomware, right? That's - we started seeing that about a year ago in our systems where the attacks started shifting from the type of malware being - you know, looking for credentials - which they're still looking for - like your login/password stuff or credit card data to ransomware, Cryptolocker and things like that. But I think we're going to see a lot more of that. And the reason is this. So if you put yourself in the bad guys' shoes - and I'll get into the detection in a minute. If you compromised 100,000 systems five years ago, you probably had 90,000 new credit card data, 90,000 new, you know, personal identifiable information - so your social security information and so on - a lot of new stuff. Now in 2016, they pretty much have everybody's data, OK? So you get 100,000 people. Maybe you have - what? - 5,000 new. So your return on your investment is much, much lower, OK? And so they need to find different ways to monetize their capabilities.

Vikram Phatak: [00:12:57] So the first way was to sell your data to other people who were going to, you know, use your credit card. OK, that's sort of - that line of business is not peaking out. There's diminishing returns. So what are you going to go after? So you - ransomware is a natural thing. The thing is about ransomware, though, is it's not going to be - you'll have some for you and me. But the big things are going to be - you know, you've heard about the hospital network and so on that got hit. Those are the types of attacks that are going to be happening moving forward because that's where the money is. It's a hard problem for somebody - if you're a hospital administrator and executive, what's your choice going to be? I mean, what are you going to do, right? In the short run, there's probably a lot of folks who are going to end up paying because, you know, just - the equation doesn't make sense. And you don't want it to get out that you were hit because there's reputational risk. There's all kinds of other issues, right? So that's a big one.

Vikram Phatak: [00:13:49] And I do think that, you know, Internet of Things is going to be tied to ransomware. Now, not my garage door opener - right? - not my pool or anything like that - or my thermostat. OK, they could make me miserable by making it really hot, but they're not going to make any money off of it, right? But when you start talking about supply chain. So let's just say - fast-forward five years. Everybody has their refrigerator that is Internet of Things that can tell when your milk is low. If they could mess with the setting that makes it look like the milk is empty for everybody at once, you could cause a huge surge in supply to go to the grocery stores. What happens then? Nobody wants the milk. You're going to have a lot of spoiled milk, right? Similarly, you know, what happens if you say it's all full? You could cause shortages, right? So then it becomes a question to the supply chain. How much is it worth to the supply chain? It's kind of like the old protection money. We're talking about from gangsters. You know, it would be shame if that window got broken. It would be a shame if your supply chain got messed up. That's where Internet of Things really gets tricky, right? So - and that's not to mention, you know, water treatment facilities and other things that are more obvious, high-profile SCADA-type of environments.

Dave Bittner: [00:14:56] Alberto Yepez is co-founder and managing director at Trident Capital Cybersecurity, a venture capital firm.

Alberto Yepez: [00:15:03] Everybody always wants to talk about feature, function. I have the better endpoint. I have the better trap that gives you the incited threat. The two biggest issues that we see in this industry is - number one, there's not enough qualified cybersecurity professionals to deal with the problem, OK? The threat is real. The criminals - they're well-funded. They're state-sponsored. They're sophisticated. They have access to a lot of things. So in our industry that is trying to safeguard information for business, individuals and governments, there are not enough qualified professionals.

Alberto Yepez: [00:15:34] The second trend that is very important and is very late even in these conferences - there are so many solutions that don't work with each other. Everybody's the best endpoint. I'm the best intrusion detection. I'm the best vulnerability assessor. So the customer ends up having to pay for integrating all that. The cost of integration is very high. And what happens is the large companies can afford it. The middle market and the smaller businesses - health care or, you know, mid-market companies - cannot afford to do this. So big picture, big issues - there's not enough professionals to solve the problem. The second is the cost of integration. So what makes a really good company is a company that creates an integrated solution, a unified solution, that brings a number of tools together that can be easily deployed, easily consumed, easily, you know, gain value in a matter of minutes - not days, not months, not years - to get the value out of that.

Dave Bittner: [00:16:32] Bob Ackerman is founder and managing director of Allegis Capital, a seed and early-stage venture capital firm.

Bob Ackerman: [00:16:39] Well, I think you have to be - pragmatically, you have to realize that cyberthreats are here. They're a clear and present danger. There's no way to run. There's no place to hide. So I think companies have to embrace the challenge of, how do they secure their business operations? - whatever that means. There's a couple of things that come to mind for me. You know, number one, the growing importance of encryption. There's been a lot of public discussion about encryption. And is encryption a good thing or a bad thing? I will say, emphatically, it is one of the most effective tools available to industry to reduce the value of data to an adversary who would secure that data. And the thought that we should not have encryption or we should have limitations on encryption when, in fact, it's the most effective tool we have for protecting the target of many breaches, the data, is totally absurd on the surface. So once you get past how do you secure the data and the encryption? - I think you need to look at the - how do you gain situational awareness of your infrastructure? And that may be your enterprise. It may be your enterprise and your supply chain.

Bob Ackerman: [00:17:49] Target clearly demonstrated the vulnerability of a large enterprise with state-of-the-art investment in cybersecurity when one of its small supply chain partners was compromised in the HVAC supplier. So I think one of the things we see a lot of talk about today are organizations grappling with how do they come to understand their situational awareness, their exposure and their risk? So I think that's an area where we're going to see a lot of discussion and a lot of activity in cybersecurity, particularly as cybersecurity moves up to become a board-level conversation which, post-Target, it clearly has become.

Bob Ackerman: [00:18:23] Number three, I guess, would be how do you make the necessary investments in cyber defense technologies - whether that's situational awareness or active defense - with limited budgets and limited technical resource? So you know, there's a tremendous amount of thinking that's going into, you know, number one, how do small- or medium-sized businesses defend themselves? I think we're going to see a lot of activity around security as a managed service for small- and medium-sized businesses. And in enterprises where they may have the technical expertise and they have the financial resources, they don't have enough bandwidth. And so we're going to see a lot of discussion around - what people today - what the conference will be talking about around automation and orchestration, the fact that we need to increase the productivity of our threat intelligence engineers to be able to respond to ever-increasing levels of threat intelligence, accelerated velocity of attacks and breadth of attacks. And automation's going to play a critical role. And how do we respond to those attacks?

Dave Bittner: [00:19:25] So what about funding? We asked our two venture capital executives what they look for when investing in cybersecurity companies. Here's Trident Capital's Alberto Yepez.

Alberto Yepez: [00:19:35] So having been an entrepreneur on the other side before I came into venture capital, I would say there's a very defined criteria of getting funded. There are five fundamental items that we look at. Number one, we look at the market. Number two, we look at that technology. Number three, we look at the go-to-market strategy. Number four, we looked at the team. And number five, we look at the investor syndicate. So market - it has to be a growing market. It has to be a large market that is growing. For instance, Symantec is in a large market, but it's not growing. It's shrinking. Therefore, we go after a large market, which may be companies doing mobile security that is expanding and is large in doing so. That's the difference. So we look toward markets that are large in the opportunity and then growing.

Alberto Yepez: [00:20:22] Secondly, when we talks - we talk about the offering that the - how hard it is to replicate what you do? So intellectual property, at the end of the day, is very key. And the solutions have to be differentiated. Differentiation is not just - comes in the way you create the solution, how you deploy the solution, what problem you're trying to solve, patents that you can defend. And oftentimes, smaller companies are targets of established companies. Then they sue them, and sometimes takes them out of the market just because anybody can sue anybody in the U.S. But therefore, it has to be highly differentiated and a very high bar of entry.

Alberto Yepez: [00:20:57] Number three, go-to-market is perhaps the most critical component of being a successful company because how are you going to deploy this solution? Are you going to do it by yourself by adding salespeople and creating a customer by themselves? Or do you create an ecosystem of complementary partners that will help you get to a global market? - because the opportunity is not the U.S. market. It's the global market. And so you look for a relationship like co-marketing, co-selling, reselling, OEMing, white label where you create - and create partners. Instead of you putting a lot of money in your sales or marketing, where you create strategic relationships that are going to let you grow. Therefore - but that's the strategy. Not only how you price it, how you sell it, but what is the ecosystem you're creating for success?

Alberto Yepez: [00:21:45] The fourth item is the team. The team - sometimes, we expect entrepreneurs not necessarily to know everything. And sometimes, they're first-time CEOs or first-time entrepreneurs. What we look is the DNA, where they started, the problem set. We were talking earlier in one of the companies we invested. When you understand a problem set differentiated, then that way you solve the problem. Like when you have an architect, I'm trying to build something, and they build something amazing. That's - what we look for is that DNA of the entrepreneur trying to have complementary skills to create something of value that can be easily consumed in the market. So it is very important to give the team - not only the CEO or the CTO or the BPO market and BPO - it's a whole team.

Alberto Yepez: [00:22:27] But as a good investor, once we invest, we help influence the go-to-market in the team. And the co-investors are important, just from - even if they are angel investors or even - they are seed investors, they are also people that have domain expertise in the market and validate that and help you make the right decision. So we always determine that as - the only companies we invest are the companies that have a large market opportunity with a differentiated solution with a good go-to-market strategy with the right team and the right ecosystem. So we always look at those five items. If you cannot align the five, we don't invest.

Dave Bittner: [00:23:00] Here's Allegis Capital's Bob Ackerman.

Bob Ackerman: [00:23:03] We're looking for new paradigms of thinking in terms of how to either secure a critical infrastructure or defend against attacks. I think one of the challenges that we face is there's a lot of very interesting, innovative point solutions, particularly in the cybersecurity industry, that while they are important and while they add value, they're not fundable as a standalone company. They fall into the category of being a feature and maybe being a product but, in fact, not providing the foundation to build a company. So we're looking for visions of solution that have long-term scalability, that have the ability to evolve as cyberthreats evolve. Those types of ideas turn out to be very, very difficult to find. But that's - if you're looking for venture capital, you know, venture capital needs those size of opportunities to be able to generate the returns that we expect to balance off against the risk.

Bob Ackerman: [00:24:02] The other thing, quite frankly, we look for are proven teams. And what I mean by that is cybersecurity is an area where the market moves so quick, and it's so complex that you can't begin learning about cybersecurity the day you take in capital. You already have to understand the domain. You understand the dynamics in the marketplace, you know, the threat vectors in the marketplace. So our own investment thesis is heavily focused on former operating executives, you know, proven operators, whether they come out of the intelligence community, whether they come out of industry, who have stood on the wall and have gone toe-to-toe successfully with the bad guys for a number of years. And that's really the starting point that we have when we find a platform that we think is compelling.

Dave Bittner: [00:24:46] There's been much talk lately that VC funding for cybersecurity is harder to come by. Bob Ackerman explains.

Bob Ackerman: [00:24:53] The broader market for venture capital today has cooled materially over the last nine months. It's not just cybersecurity, but cybersecurity is not excluded from that cooling phenomenon either. Translating that to an entrepreneur, it means it's going to be harder to raise capital. You're going to need more validation or proof points to raise that capital. And it will take longer to raise that capital. And frankly, companies that don't have a clear point of differentiation, you know, with that long-term vision to be able to build value over an extended period of time are going to struggle.

Bob Ackerman: [00:25:28] So you know, what I would, you know, advise entrepreneurs to do is understand how valuable capital is today, how long it's going to take to raise additional capital. But they're really going to have to prove the value proposition in the marketplace in order to attract outside capital. And, you know, if you're an early-stage cybersecurity company, you know, maybe a year ago, if you had three customers, that would validate the use of your technology. Today you better have 10. And it's just a reflection of sort of the broader concerns in the marketplace about where the investment community is in the overall cycle. And with that concern, people have a natural bias towards being more risk-averse, which means the hurdles that you need to get over in order to secure capital have gone up materially.

Alberto Yepez: [00:26:18] The threat is real. It's here to stay. As a cybersecurity professional, it's a career that if you have a niece, a son or somebody recommended to go here, it's not just the engineer. It's the analyst. It's the operator. And more importantly, the most successful chief information security officer - chief information risk officers are the ones that can really translate very complex technology problems into business issues. Board directors are starving for people that understand the complexities in how to defend, how to invest into this area. And the amount of jobs that will exist at a high premium in terms of - you know, I would say because of the scarcity of resources, the salaries in cybersecurity are going up to the roof.

Alberto Yepez: [00:27:04] So, you know, either take it upon yourself, be more broad, try to understand business and drive your decisions from the business perspective. Don't get enamored with the technology. Make sure that, you know, you could actually - this is an industry that you can grow in many areas. At the end of the day, it's human factors that make sure that the end - what you build, what you do as a human being is trying to protect that information, trying to keep their privacy, trying to keep their company's information or their government's secrets safe.

Dave Bittner: [00:27:33] That's Alberto Yepez from Trident Capital Cybersecurity.

Dave Bittner: [00:27:37] Our thanks to all of our experts for taking time from their busy schedules at Black Hat to talk with the CyberWire, to our sponsors for making this show possible and to you for listening. If you enjoy our show, we hope you'll help spread the word and leave a review or rating on iTunes. It's the easiest way you can help us grow our audience. To subscribe to our Daily Podcast or news brief, visit thecyberwire.com.

Dave Bittner: [00:27:58] The CyberWire is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Senior editor and junior interviewer is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.