Special Editions 8.9.16
Ep 7 | 8.9.16

Black Hat, Part 2 - Trends and Insights from Industry Leaders


Casey Corcoran: [00:00:03] It's going to become the machines versus the machines sooner than later. And I think it's something we have to be prepared for. And we have to be prepared for the fact that we are building the tools that can make the machines work the way we want them to versus trying to train a better security analyst.

Dave Bittner: [00:00:18] The 2016 Black Hat conference is in the books. And we wrap up our coverage with more insights from industry leaders. Stay with us.

Dave Bittner: [00:00:33] Time to take a moment to tell you about our sponsor Cylance. Are you looking for something beyond legacy security approaches? If you are - and who isn't? - you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance - artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:29] I'm Dave Bittner in Baltimore with another Black Hat Special Edition. Throughout the course of the show, we were on the floor, gathering insights from industry leaders on what trends they're seeing and where they think the industry is headed. Steven Grossman is vice president for program management at Bay Dynamics, a cyber risk analytics company.

Steven Grossman: [00:01:48] Being able to really bring the full picture of data together, I think, is key from an analytics point of view. And then being able to apply machine learning and other models on top of that is key. And so as the industry evolves, I think you'll see more and more maturity. But I think you're starting to see a lot more around analytics, and then associated with that, orchestration, to be able to automate some of the more - I'll call it - mundane and straight-ahead kind of actions that could be actioned off of the analysis you're doing on the analytics platform.

Steven Grossman: [00:02:24] I think you've certainly seen more of a trend towards credential-based threats. A few years ago, everybody was talking about APTs. APTs are still important, and malware is still important. And very often, that's the entry point into the organization. Compromising credentials is a lot more dangerous because, A, it's a lot harder to detect, and, B, you could do a lot more damage when you've compromised credentials that have access to really important data.

Steven Grossman: [00:02:48] And you're seeing that access. You see it in the SWIFT heist recently. You've seen it in many other heists where - Target - you pick your heist, right? No matter how they got into the organization, ultimately, they got somebody's credentials. And then they bounced around the organization either changing transactions, in the case of SWIFT; stealing data, in the case of Target or Wendy's or - again, many other examples.

Steven Grossman: [00:03:15] But I think being able to protect and monitor those credentials, as well as the transactions that go along with them - that's something we've been told by many of our financial services clients - is that the insider threats we find are great, and they're valid. But very often, it's the tip of the iceberg. When they start investigating those people on the cyber side, they find that on the financial side, they've done a lot worse, as well. So, you know, it's important to connect those dots between fraud and between cyber.

Dave Bittner: [00:03:45] Dan Cornell is chief technology officer at Denim Group, a software security company.

Dan Cornell: [00:03:50] It's interesting. You know, I'm coming off of recently being at the OWASP AppSec EU conference in Rome. And what is interesting is that what I haven't seen here on the pure security side and the perception of application security - I think that the security practitioners - or at least in the Black Hat crowd - are still viewing application security very much in the bug-finding mode. Let's - you know, we've got this scanner. We've got that scanner. We've got services that do testing. And we haven't actually seen a lot of change there.

Dan Cornell: [00:04:21] And I would contrast that with some of the things I saw at OWASP AppSec EU, which are still security practitioners, but centered around applications. And the really interesting things that came out of that conference - really, that the teams - the app security teams that are successful are the ones that are reaching out to development groups and that are focused on putting tools in the hands of developers and are focused on, how do we actually drive these vulnerabilities through to remediation? And I think that message or that view into how people are making progress - I don't know that that's percolated over to the Black Hat crowd, of which there are certainly application security practitioners, but ones that come more out of the pure security - or network and infrastructure space.

Dan Cornell: [00:05:05] And so that's an interesting contrast that I've seen - is, I don't know that that message has made it over here, whereas in the OWASP side of things, we have seen - or I have seen a lot more progress, where people are talking a lot more about how you get security into developers, continuous integration, continuous deployment pipelines. How do we get security champions on the development teams so that we have someone to talk to when we find this stuff? So I think the programs that are really making progress are the ones that are adopting that type of view. And it's interesting to me that I just haven't seen a lot of that communicated here yet. And so what that tells me is there are certain segments of the industry - and when I talk about industry, I talk about people, practitioners of application security and companies that are engaging in application security programs - I see certain corners where they - the light has come on, and they're starting to make that progress. I haven't - again, haven't seen that as much here yet. But I think it'll be interesting to see if that's something that comes through more next year.

Dave Bittner: [00:06:08] John Dickson is a principal at Denim Group.

John Dickson: [00:06:11] There is a broader realization now that most security teams are still ill-equipped to deal with software security. So the problem is most CSOs have a network security background. Most security people have network security backgrounds, me - myself included. But virtually every organization out there has a issue around security owning the software risk component. Software risk - the - that function still doesn't live in the dev teams.

John Dickson: [00:06:42] So you have the security guys with that background that is - puts them in a position where they're ill-equipped to really force that, let alone encourage. And there's five of them. So if you look at a security team, virtually every major AppSec team out there in the Fortune 500 has anywhere from one or two to 10 people on it versus the dev teams that have 2,000. If you go to any financial institution, they've got 12, or they've got seven or five AppSec people - the guys that measure the risk of software against 70 different dev teams and 3,000 developers.

John Dickson: [00:07:20] So there is a - I think, a more acute awareness of that business problem. And how does - you know, how do you do that with frameworks, with, you know, training and all those different things? And that's - so that's kind of what we're - one of the affirmations or one of the confirmations we've heard here is that it's, like, still a problem.

John Dickson: [00:07:39] The one trend, I would also say, from a security standpoint is, how does an organization deal with DevOps and Agile? And we're seeing this come to the security team - or to the software risk people - not from the IT group, but from the business itself of, like, we got to go a million miles an hour. And we're saying, wait a second. We haven't figured this out. We haven't solved this problem yet. You're wanting me to go faster? So I think that's kind of a theme in our heads and a trend that we're trying to figure out with others - is, like, how are you dealing with it? It's very driven off of culture, very driven off of the business vertical. If you're Netflix or Etsy or one of the, you know, entertainment companies, you probably can have a set of activities and practices. If you are Bank of America, that may play less well there, you know?

John Dickson: [00:08:29] So, you know, here's the other one. What do examiners do? Like, you're like, oh, yeah. We don't do any of those requirements, any stuff - like, we just put it in production and then tear it down if it's, you know, like - that doesn't work with the FFIEC or other CC examiners who are all, like, in their 20s and know virtually nothing about any of this stuff. It's just like, well, it says here you're supposed to do this gateway jacket. Like - you know, like, what? Yeah, so doing DevOps and CICD and Agile and all that stuff in regulated worlds is going to - there's going to be a class of - clash of cultures that we have yet to encounter.

Dave Bittner: [00:09:02] Ryan Hohimer is chief technology officer of Champion Technology, whose Dark Light product they describe as a next-generation cybersecurity automation and orchestration platform.

Ryan Hohimer: [00:09:14] Big trends that we're seeing is the sophistication of the CSOs in the world, right? I mean, they - the private sector and government sector has been hit pretty hard recently. You know, we've had lots of compromises. We've had lots of issues over the last couple of years. Fortunately, you know, corporate America, governed America - they're - we're stepping the game up. We're becoming more sophisticated in our defenses. We're definitely facing a strong, creative, adversarial groups. We know that. But I'm seeing a trend where people are - they're stepping up. They're stepping up to the plate.

Dave Bittner: [00:10:00] Casey Corcoran is with FourV Systems, where they specialize in quantifying risk and assessing defense effectiveness.

Casey Corcoran: [00:10:08] The ability to hide behind technology doesn't exist anymore. It has become a business management function to manage cyber risk as a business risk. So I think that is probably the most profound change. In the face of exponentially changing surface area in your company, more and more data being created, the threats becoming more sophisticated, and there being now an ability for the regulators to reach through to the board members and to the executives and hold them accountable for the protections they're putting in place over privacy and security for their organizations - I think is driving the entire industry towards managing cybersecurity as a business risk versus technology risk.

Dave Bittner: [00:10:51] Derek Gabbard is president of FourV Systems.

Derek Gabbard: [00:10:55] I think there is some fatigue - some product fatigue in a lot of organizations. You know, they've bought a lot of things. And they're trying to do the best they can with those. And there's a constant stream of new, slightly different, sometimes very different applications that are hitting the market.

Derek Gabbard: [00:11:10] I think there's going to be a lot of movement - you've seen it in some of the analyst reports - toward more centralized service offerings on the managed security services side. And there's even new quadrants being covered by Gartner's and the like that are really around delivering some of these old core enterprise functionalities as an outsource service because the other moving part in all this is we have 2 million - if you believe some folks - a 2 million person gap in trained and capable security operations professionals just in the U.S. And we're not going to be able to get there to catch up to where we need and stay ahead of it with having to first overcome that 2 million person gap.

Derek Gabbard: [00:11:55] So there's a ton of good things that happen as you consolidate and get economies of scale on the managed security service side. And I think we're seeing a lot of customers start to adopt that, which is encouraging because it allows for bringing a lot of talent together and having a big impact across a lot of organizations.

Derek Gabbard: [00:12:16] The combination and compilation of complementary technologies into blended offerings - blended managed offerings is going to go through the roof soon. And there will be winners and losers in that. If you are part of - if you're a small product company and you get put in the right - you know, with the right partners in that kind of a framework, I think the sky's the limit. I think if you're out trying to sell directly to each individual enterprise and get them to want a new product and to care and feed for a new product and to staff for a new product and all that, it's a tough time for that right now.

Dave Bittner: [00:12:56] AJ Shipley is vice president of product management at LookingGlass Cyber Solutions, where they offer threat-intelligence-driven cybersecurity products.

Aj Shipley: [00:13:04] Rapidity - right? - the rate of how the adversaries are changing their tactics continues to increase. I think that, you know, the good guys, if you will, who are playing defense against those tactics continue to struggle with just how quickly the bad guys are able to adapt their tactics.

Aj Shipley: [00:13:25] The number of breach packages that show up in underground forums - so just to give you a perspective, we have gone from roughly a hundred million unique username and password combinations that we've been able to curate from different breach packages and, you know, being traded in the dark web and in underground forums to just over a billion records in the course of the year, right? So that's a billion unique usernames and passwords that are sitting out there, floating around for sale that bad guys can use in order to try to compromise organizations.

Aj Shipley: [00:14:01] And I think, you know, if organizations aren't - again, you know, aware of that or even doing business with people who are able to provide that level of visibility - and that's one of the services that we give to our customers, right? Hey, we've noticed that 50 of your employees', you know, usernames and passwords have shown up in an underground forum. We'll alert our customers. They'll go in and change it. And then, you know, we'll go in and provide them a whole host of other products and solutions in order to address that. So I think that's the big trend that I'm noticing - is just the sheer volume of breach packages that are available - right? - with credentials that can be used to be exploited and just - again, the continuing increase in the rate of change of tactics and techniques and procedures that bad guys are using to target organizations.

Aj Shipley: [00:14:41] It seems like this year, there's kind of been a pivot towards hunting. And I've asked a couple customers, and I've asked a couple analysts about that. You know, hey, what do you think about this whole trend around hunting, right? It sounds pretty sexy, right? And they're like, yeah, it sounds sexy. And I'll quote - one person said, but hunting is for the 1% - right? - because the fact of the matter is the rest of us - we - we're just so - we're still so reactive. We don't have time to actually go out there and start hunting and looking for things and being proactive. So while hunting is arguably kind of maybe one of the trend terms this year at the conference - and it's real sexy - it's kind of interesting to hear both analysts and large customers say, yeah, it's fancy. But at the end of the day, I need you to help me solve a problem that I'm dealing with today, which is, I don't have enough people to do the job. And I need you to help me make those people more efficient reactively dealing with the threats that are targeting our organization, not help them go better hunt new threats.

Dave Bittner: [00:15:37] That's AJ Shipley from LookingGlass Cyber Solutions. Our thanks to all of our experts for taking time from their busy schedules at Black Hat to talk with the CyberWire, to our sponsors for making this show possible and to you for listening. If you enjoy our show, we hope you'll help spread the word and leave a review or rating on iTunes. It's the easiest way you can help us grow our audience. To subscribe to our daily podcast or news brief, visit thecyberwire.com.

Dave Bittner: [00:16:01] The CyberWire is produced by Pratt Street Media. Our editor is John Petrik; social media editor is Jennifer Eiben; technical editor is Chris Russell; executive editor and junior interviewer is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.