CyberWire Daily - Black Hat - Cyber Security Trends and Investment [Special Edition]
Episode Date: August 4, 2016
The 2016 Black Hat conference is underway in Las Vegas this week, and in this special report from the show floor we’ll hear from industry leaders about industry trends, and from venture capital fund...ers about what they need to see before saying yes, and why it’s harder to get startup funding than it used to be.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The 2016 Black Hat Conference is underway in Las Vegas this week,
and in this special report from the show floor, we'll hear from industry leaders about industry trends
and from venture capital funders about what they need to see before saying yes,
and why it's harder to get funding than it used to be.
Stay with us.
I'm Dave Bittner.
We begin this Black Hat special edition with a look at trends
and hear from some industry leaders and experts about what they're seeing
and where they think cybersecurity is headed.
Vitaly Kremez works in cybercrime intelligence for Flashpoint,
a company that monitors the deep and dark webs.
So one of the most emerging trends was the recent DNC, Democratic National Committee,
hack that was allegedly perpetrated by Russian government.
In light of that attack, we saw some certain response from Russians.
They opened up a new story about hacks from the FSB.
And we've seen new trends of, for instance, government trying
to use disinformation tactics or attacks to shift the blames or responsibilities for attacks
to hacktivists like Guccifer, the creation of identities as a way for them to obfuscate
their intelligence operations.
And how we would respond to that would be very interesting response from the government sector and how the private industry
with the government will combat that. Number two, I would say healthcare
institutions being compromised and the ransomware attacks on
healthcare institutions. Those attacks bring physical damage to specific devices running in emergency rooms.
So they can actually paralyze the hospital operations connected to the ICU units.
So they can be a really physical threat to patients.
And another trend, the attacks against SWIFT, the bank attacks targeting the specific payment
system as opposed to credit card data.
So once the Russian actors that we think like Eastern European actors were connected to
allegedly the SWIFT attack in the Ukraine, responsible for more than $10 million worth
of loss, that type of attack was damaging to the whole country infrastructure
that could lead to destabilization of the economy and people losing jobs
and more even like real-life frustration,
especially in light of the Crimea annexation
and the difficult situation between Russia and Ukraine, politically speaking.
And also one last trend I want to highlight in cybersecurity perspective, the emergence of ISIS as being
the users of encryption methods and technology. As we know, they are
learning and they're not too capable at this moment but they are learning and
if they would apply the same kind of methods of encryption that the InfoSec world uses now
and they would apply the same motivation as physical threat to human lives
and in the name of jihad, that would be damaging.
And if they would transmit that to the cyberspace,
as they're doing now with the United Cyber Caliphate,
which was alleged to be a faction of ISIS,
that would be a concern to the old
InfoSec and how we'd respond to that.
Lance Cottrell is chief scientist at Ntrepid,
developers of secure virtual browser technology.
It seems like a lot of the problems are taking
place in the basic blocking and tackling. When we look at companies and they're bringing us in to
solve this problem with the browser,
but they're also having huge trouble just keeping track of what are their systems,
where's the perimeter, and having that dissolve on them.
And that's one of the things they like about having the software actually on the endpoint
is the endpoint isn't staying inside their perimeter.
If you've got some sort of a gateway device that works until the laptop goes to Starbucks, at which
point suddenly that stops working.
Well, how do you maintain that protection?
We're thinking a lot about that extension of the perimeter, extension of responsibility.
I think governments and corporations need to start thinking about how can they protect their employees
even when they're using their own devices at home.
And it can't be in a monitoring-heavy way because no one's going to put up with that.
But anything they can do to make the person safer when they're using their own computer at home
and accessing corporate email, which they do, is going to be critical.
And that email is the huge failure. If I can get your endpoint and get
in and get access to your email client, I get huge amounts of data and everything I need to launch
the perfect spear phishing attack against everyone else in the company. I can impersonate you
perfectly. We're seeing a unique signature on almost every endpoint target. These virus and malware are morphing continuously.
So we, and many others in other parts of the security space, are now starting to look at
how do you build the tool so that it automatically is secure. Even if it gets infected, it cleans up.
You don't necessarily need to be trying to remediate. You're re-imaging your servers
automatically every couple of
minutes because by the time you send a guy out and chase it down it's usually labor intensive
and they've had a chance to move on.
So I think that's going to be over the next couple of years one of the big trends is more
of a sort of self-healing proactive kind of security rather than trying to clean up after
you detect things.
Leon Ward is Senior Director of Product Management at ThreatQuotient,
developers of threat intelligence platforms.
It's so hard to predict the future, right?
It feels like that time of year is Black Hat or it's the end of the year
and everyone's looking for predictions, what's going to happen next year?
But ultimately, the only predictions you can make is it's going to be more of the same.
The things that are being successful now will continue to be successful until they change.
And the only reason an approach or methodology ever changes
is because the defenders become more sophisticated at preventing that method from being successful.
So what is the new method, the next method?
Well, we don't know what it is until the attacker is actually going to be forced
to change their methods because their current methods aren't being successful.
Brian Glancy is chief technology officer at Optio Labs, developers of mobile
security architectures.
People are now starting to understand a lot more about
phones and their powers and kind of the problems, everything from chipset fundamental problems to, you know, encryption issues like came up with Apple, you know, last year.
They are starting to understand the implications of, you know, the packages and things that are going into a device and how, you know, it's a complex problem and there is no one simple solution usually.
So we're starting to see, you know, more people choose to do, you know, the migrate back from potentially BYOD.
Think about, for things that are actually regulated or have audit fines or compliance
fines, think about corporate-owned devices and issuing their own devices
for those things. We're seeing, you know, you're seeing a rise of things like the
seer and phone, very high-end secure phones with, you know, high level of
evaluation and compliance to new international standards.
International standards on this side have actually been changing quite a bit too.
There's now a new international standard for security that validates the security of phones,
different phones, to a known given standard.
One of the things that's fundamentally changing is the diversity, right? It used to be years ago
there were three or four or five on the outside phone manufacturers that were the big manufacturers
of phones, right? We've seen that cycle several times. Those older members of us have seen Palm
come in and go out and other devices come and go
right throughout the years. But now that turnout is becoming even worse because it used to be that
Samsung was the major provider and Apple was the major provider. But now we're even seeing
players like Huawei crack the top five for most devices made. And when you look at just the number of sheer providers
that are building phones now, mainline phones,
it used to be a dozen.
Now it's a thousand, right?
So this is fundamentally changing the market
and kind of how the number of devices,
the types of things that you see on the market,
and also that fundamental kind of insecurity problem becomes bigger.
I think that we're going to continue to see many, many more vulnerabilities.
There's a lot of companies out there that are making devices
that are going to have our personal information,
are going to have our banking information, are going to have our email.
And, you know, they don't have the expertise usually to do the security implementation.
And it's not usually something that they can just get off the shelf. So I think we're going to see many more vulnerabilities coming in the next year, two years,
particularly out of the same library used again, over and over again,
in an IoT device, in a cell phone, and all over the place,
just because there's not that expertise usually in the marketplace.
So I think we're going to see a lot more.
Hamilton Turner is the Senior Director of Research and Engineering at Optio Labs.
We used to always laugh about the fear and uncertainty in the media,
but in the context of mobile phones, it's not as fake as we would like to believe. There is a really long tail of vulnerabilities,
and most devices are vulnerable. The device you have in your pocket probably has at least
four or five CVEs that are unpatched on it, and it's an interesting world. It really used
to be that you'd get all this crazy headlines about things are scary, your phone will blow up any minute, but maybe the vulnerability vector didn't really keep up with the marketing vector.
All of a sudden, they really are starting to keep up. So we're going to keep seeing demand for these devices to rise, and so we're going to get more and more and more of them, and we're going to keep seeing the security vulnerabilities go up more and more.
Vikram Phatak is CEO of NSS Labs, an IT security product testing lab.
Well, so obviously you've heard about the ransomware, right?
We started seeing that about a year ago in our systems where the attacks started shifting
from the type of malware being, you know, looking for credentials, which you're still looking for, like login password stuff or credit card data,
to ransomware, CryptoLocker, and things like that.
I think we're going to see a lot more of that, and the reason is this.
So if you put yourself in the bad guy's shoes, and I'll get into the detection in a minute,
if you compromised 100,000 systems five years ago, you probably had 90,000 new
credit card data, 90,000 new personal identifiable information, so your social security information,
and so on. A lot of new stuff. Now in 2016, they pretty much have everybody's data, okay? So you
get 100,000 people, maybe you have, what, 5,000 new. So your return on your investment
is much, much lower. Okay. And so they need to find different ways to monetize their capabilities.
So the first way was to sell your data to other people who are going to, you know, use your credit
card. Okay. That's sort of, that line of business is now peaking out. There's diminishing returns.
So what are you going to go after?
Ransomware is a natural thing.
The thing about ransomware, though, is it's not going to be you'll have some for you and me.
But the big things are going to be, you know, you've heard about the hospital network and so on that got hit.
Those are the types of attacks that are going to be happening moving forward because that's where the money is.
It's a hard problem for somebody if you're a hospital administrator or an executive. What's your choice going to be? I mean, what are you going to do, right? In the short run, there's probably a lot of folks who are going to end up
paying because, you know, the equation doesn't make sense. You don't want it to get out that
you were hit because there's reputational risk. There's all kinds of other issues, right? So
that's a big one. And I do think that, you know, Internet of Things is going to be tied to ransomware. Now,
not my garage door opener, right? Not my pool or anything like that or my thermostat. Okay,
they could make me miserable by making it really hot, but they're not going to make any money off
of it, right? But when you start talking about supply chain, so let's just say fast forward five
years, everybody has their refrigerator
that has internet of things. You can tell when your milk is low. If they could mess with the
setting that makes it look like the milk is empty for everybody at once, you could cause a huge
surge in supply to go to the grocery stores. What happens then? Nobody wants the milk. You're going
to have a lot of spoiled milk, right? Similarly, you know, what happens if you say, you know,
you know, it's all full, you could cause shortages, right? So then it becomes a question to the supply chain. How much is it worth to supply chain? It's kind of like the old protection money
talking about from gangsters, you know, it would be a shame if that window got broken. It'd be a
shame if your supply chain got messed up. That's where internet of things really gets tricky,
right? So, and that's not to mention
water treatment facilities and other things that are more obvious, high-profile SCADA type of
environments.
Alberto Yepez is co-founder and managing director at Trident Capital Cybersecurity,
a venture capital firm.
Everybody always wants to talk about feature functions. I have the better
endpoint. I have the better trap that gives you the inside threat.
The two biggest issues
that we see in this industry
is number one,
there's not enough
qualified cybersecurity professionals
to deal with the problem.
Okay?
The threat is real.
The criminals,
they're well-funded.
They're state-sponsored.
They're sophisticated.
They have access to a lot of things.
So in our industry
that is trying to safeguard information for business,
for individuals and governments, they're not qualified professionals.
The second trend that is very important and is very latent even in these conferences,
there's so many solutions that don't work with each other.
Everybody is the best endpoint.
I'm the best in intrusion detection.
I'm the best vulnerability assessment.
So the customer
ends up having to pay for integrating all that. The cost of integration is very high. And what
happens is the large companies can't afford it. The middle market and the smaller businesses,
healthcare or mid-market companies cannot afford to do this. So big picture, big issues is not
enough professionals to solve the problem. Second is the cost of integration.
So what makes a really good company is a company that creates an integrated solution,
a unified solution that brings a number of tools together
that can be easily deployed, easily consumed, easily gained value
in a matter of minutes, not days, not months, not years to get the value out
of that.
Bob Ackerman is founder and managing director of Allegis Capital, a seed and early
stage venture capital firm.
Well, I think you have to be, pragmatically, you have to realize that
cyber threats are here. They're a clear and present danger. There's no way to run. There's
no place to hide.
So I think companies have to embrace the challenge of how do they secure
their business operations, whatever that means. There's a couple things that come to mind for me.
You know, number one, the growing importance of encryption. There's been a lot of public
discussion about encryption and is encryption a good thing or a bad thing? I will say emphatically it is one of the most effective tools available to industry to
reduce the value of data to an adversary who would secure that data.
And the thought that we should not have encryption, we should have limitations on encryption,
when in fact it's the most effective tool we have for protecting the target of many breaches,
the data, is totally absurd on the surface.
So once you get past how do you secure the data and the encryption,
I think you need to look at how do you gain situational awareness of your infrastructure,
and that may be your enterprise, it may be your enterprise and your supply chain.
Target clearly demonstrated the vulnerability
of a large enterprise with state-of-the-art investment
in cybersecurity when one of its small supply chain partners
was compromised in the HVAC supplier.
So I think one of the things we see a lot of talk
about today are organizations grappling with
how do they come to understand their situational awareness,
their exposure and their risk?
So I think that's an area where we're going to see a lot of discussion and a lot of activity in cybersecurity,
particularly as cybersecurity moves up to become a board-level conversation, which post-Target it clearly has become.
Number three, I guess, would be how do you make the necessary investments in cyber defense technologies,
whether that's situational awareness or active defense, with limited budgets and limited
technical resource. So, you know, there's a tremendous amount of thinking that's going into,
you know, number one, how do small and medium-sized businesses defend themselves. I think we're going
to see a lot of activity around security as a
managed service for small and medium-sized businesses. And at enterprises, where they
may have the technical expertise and they have the financial resources, they don't have enough
bandwidth. And so we're going to see a lot of discussion around what people today, what the
conference will be talking about around automation and orchestration, the fact that we need to increase the productivity of our threat intelligence engineers to be able
to respond to ever-increasing levels of threat intelligence, accelerated velocity of attacks,
and breadth of attacks. And automation is going to have to play a critical role
in how do we respond to those attacks.
So what about funding? We asked our two
venture capital executives what
they look for when investing in cybersecurity companies. Here's Trident Capital's Alberto
Yepez.
So having been an entrepreneur and on the other side before I came into venture capital,
I always say there's a very defined criteria of getting funded. There's five fundamental
items that we look at. Number one, we look at the market. Number two, we look
at the technology. Number three, we look at the go-to-market strategy. Number four, we look at
the team. And number five, we look at the investor syndicate. So market has to be a growing market.
It has to be a large market that is growing. For instance, Symantec is in a large market,
but it's not growing, it's shrinking.
Therefore, we go after a large market, which may be companies doing mobile security that is expanding, is large and doing.
So we look for markets that are large in the opportunity and then growing.
Secondly, we talk about the offering, how hard it is to replicate what you do.
So intellectual property, at the end of the day, is very key.
And the solutions have to be differentiated.
Differentiation is not just comes in the way you create the solution,
how you deploy the solution, what problem you're trying to solve,
patents that you can defend.
And oftentimes, the smaller companies are targets of established companies that they sue them and sometimes takes them out of the market
just because anybody can sue anybody in the U.S.
But therefore, it has to be highly differentiated and a very high barrier of entry.
Number three, go-to-market is perhaps the most critical component of being a successful company
because how are you going to deploy the solution?
Are you going to do it by yourself by adding salespeople
and creating the customers by themselves?
Or do you create an ecosystem of complementary partners
that will help you get to a global market?
Because the opportunity is not the U.S. market, it's a global market.
And so you look for relationships like co-marketing, co-selling, reselling,
OEMing, white label,
where you create and create partners
that instead of you putting a lot of money
in your sales or marketing,
where you do create a strategic relationship
that's going to let you grow.
Therefore, but that's the strategy,
not only how you price it, how you sell it,
but what is the ecosystem you're acquiring for success.
The fourth item is the team.
The team, sometimes we expect entrepreneurs not necessarily to know everything and sometimes they're first-time
CEOs or first-time entrepreneurs. What we look is the DNA, where they started, the
problem set. We were talking earlier in one of the companies we invested. When
you understand a problem, set, differentiate it, then the way you solve
the problem, like when you give an architect, I'm trying to build something
and they build something amazing,
what we look for is that DNA of the entrepreneur.
They're trying to have complementary skills to create something of value that can be easily consumed in the market.
So it's very important to get the team, not only the CEO, the CTO, the VPO market and VPO.
So it's a whole team.
But as a good investor, once we invest, we help influence the go-to-market in the team.
And the co-investors are important just from, even if they are angel investors or even they are seed investors,
they are also people that have domain expertise in the market that validate that and help you make the right decision.
So we always determine that the only companies we invest are the
companies that have a large market opportunity with a differentiated solution, with a good
go-to-market strategy, with the right team and the right ecosystem. So we always look at those
five items. If you cannot align the five, we don't invest.
Here's Allegis Capital's Bob Ackerman.
We're looking for new paradigms of thinking in terms of how to either secure critical infrastructure
or defend against attacks.
I think one of the challenges that we face is there's a lot of very interesting, innovative
point solutions, particularly in the cybersecurity industry, that while they are important and
while they add value, they're not fundable as a standalone company. They fall into the category of being a feature and maybe being a product,
but in fact not providing the foundation to build a company.
So we're looking for visions of solution that have long-term scalability,
that have the ability to evolve as cyber threats evolve.
Those types of ideas turn out to be very, very difficult to find.
But if you're looking for venture capital, you know,
venture capital needs those size of opportunities to be able to generate the returns
that we expect to balance off against the risk.
The other thing, quite frankly, we look for are proven teams.
And what I mean by that is cybersecurity is an area where
the market moves so quick and it's so complex that you can't begin learning about cybersecurity
the day you take in capital. You already have to understand the domain. You understand
the dynamics in the marketplace, the threat vectors in the marketplace. So
our own investment thesis is heavily focused on former operating executives,
you know, proven operators, whether they come out of the intelligence community, whether they come
out of industry, who have stood on the wall and have gone toe-to-toe successfully with the bad
guys for a number of years. And that's really the starting point that we have when we find a
platform that we think is compelling.
There's been much talk lately that VC funding for cybersecurity is harder to come by.
Bob Ackerman explains.
The broader market for venture capital today has cooled materially over the last nine months.
It's not just cybersecurity, but cybersecurity is not excluded from that cooling phenomenon either.
Translating that to an entrepreneur, it means it's going to be harder
to raise capital, you're going to need more validation or proof points to raise that capital,
and it will take longer to raise that capital. And frankly, companies that don't have a clear
point of differentiation, you know, with that long-term vision to be able to build value over
an extended period of time are going to struggle.
So what I would advise entrepreneurs to do is understand how valuable capital is today,
how long it's going to take to raise additional capital, that they're really going to have
to prove the value proposition in the marketplace in order to attract outside capital. And, you know, if you're an early stage cybersecurity company,
you know, maybe a year ago if you had three customers
that would validate the use of your technology,
today you better have 10.
And it's just a reflection of sort of the broader concerns
in the marketplace about where the investment community is
in the overall cycle.
And with that concern, people have a natural bias towards being more risk-averse,
which means the hurdles that you need to get over in order to secure capital have gone up materially.
The threat is real. It's here to stay.
As a cybersecurity professional, it's a career that if you have a niece, a son, or somebody recommending to go here,
it's not just the engineer, it's the analyst, it's the operator,
and more importantly, the most successful chief information security officer,
chief information risk officer are the ones that can really translate
very complex technology problems into business issues.
Board directors are starving for people that understand the complexities
and how to defend, how to invest into this area
and the amount of jobs that will exist
at a high premium in terms of, you know,
I would say because of the scarcity of resources,
the salaries in cybersecurity are going up to the roof.
So, you know, either take it upon yourself,
be more broad, try to understand business
and drive your decisions from the business perspective. Don't get enamored with that
technology. Make sure that, you know, you could actually, this is an industry that you can grow
in many areas. At the end of the day, it's human factors to make sure that the end of what you
build, what you do as a human being is trying to protect that information, trying to keep their
privacy, trying to keep their company's information or their government's secrets safe.
That's Alberto Yepez from Trident Capital Cybersecurity.
Our thanks to all of our experts for taking time from their busy schedules at Black Hat
to talk with the Cyber Wire, to our sponsors for making this show possible, and to you
for listening.
If you enjoy our show, we hope you'll help spread the word and leave a review or rating on iTunes. It's the easiest way you can help us grow our audience.
To subscribe to our daily podcast or news brief, visit thecyberwire.com. The Cyber Wire is produced
by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical
editor is Chris Russell. Senior editor and Junior Interviewer is Peter Kilpe.
And I'm Dave Bittner. Thanks for listening.