CyberWire Daily - Black Hat, Part 2 - Trends and Insights from Industry Leaders [Special Edition]
Episode Date: August 9, 2016
The 2016 Black Hat conference is in the books, and we wrap up our coverage with more insights from industry leaders on what trends they're seeing, and where they think the industry is headed.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
It's going to become the machines versus the machines sooner than later.
And I think it's something we have to be prepared for.
And we have to be prepared for the fact that we are building the tools that can make the machines work the way we want them to versus trying to train a better security analyst.
The 2016 Black Hat Conference is in the books.
And we wrap up our coverage with more insights from industry leaders.
Stay with us.
I'm Dave Bittner in Baltimore with another Black Hat Special Edition.
Throughout the course of the show, we were on the floor gathering insights from industry leaders on what trends they're seeing and where they think the industry is headed. Stephen Grossman is Vice
President for Program Management at Bay Dynamics, a cyber risk analytics
company.
Being able to really bring the full picture of data together, I think, is key from an
analytics point of view.
And then being able to apply machine learning and other models on top of that is key.
And so as the industry evolves, I think you'll see more and more maturity,
but I think you're starting to see a lot more around analytics and then associated with that
orchestration to be able to automate some of the more, I'll call it mundane and straight ahead
kind of actions that could be actioned off of the analysis you're doing on the analytics platform.
I think you've certainly seen more of a trend towards credential based threats. A few years ago everybody was talking about APTs.
APTs are still important and malware is still important and very often that's
the entry point into the organization. Compromising credentials is a lot more
dangerous because A it's a lot harder to detect and B you can do a lot more damage when you've compromised credentials
that have access to really important data.
And you're seeing that access, you see it in the SWIFT heist recently.
You've seen it in many other heists where Target, you pick your heist, right?
No matter how they got into the organization, ultimately they got somebody's credentials and then they bounced around the organization either changing transactions
in the case of SWIFT, stealing data in the case of Target or Wendy's or again many other
examples. But I think being able to protect and monitor those credentials, as well as the
transactions that go along with them, is something important. What we've been told by many of our financial services clients is that
the insider threats we find are great and they're valid,
but very often it's the tip of the iceberg when they start investigating those people on the cyber side.
They find on the financial side they've done a lot worse as well.
So it's important to connect those dots between fraud and between cyber.
Dan Cornell is chief technology officer at Denim Group, a software security company.
It's interesting. I'm coming off of recently being at the OWASP AppSec EU conference in Rome.
And what is interesting is that what I haven't seen here on the pure security side and the perception of application
security, I think that the security practitioners, or at least in the Black Hat crowd, are still
viewing application security very much in the bug finding mode. We've got this scanner,
we've got that scanner, we've got services that do testing. And so we haven't actually seen a lot
of change there. And I would contrast that with some of the things I saw at OWASP AppSec EU, which are still security practitioners but centered around applications.
And the really interesting things that came out of that conference was really that the teams, the app security teams that are successful are the ones that are reaching out to development groups.
They're focused on putting tools in the hands of developers and are focused on how do we actually drive these vulnerabilities through to remediation. And I think that message or that view into how people are making progress, I don't know that that's percolated over to the Black Hat crowd, of which there are certainly application security practitioners, but ones that come more out of the pure security or
networking infrastructure space.
And so that's an interesting contrast that I've seen is I don't know that that message
has made it over here, whereas in the OWASP side of things, we have seen or I have seen
a lot more progress where people are talking a lot more about how do you get security into
developers, continuous integration, continuous deployment pipelines?
How do we get champions, security champions on the development teams so that we have someone to talk to when we find this stuff?
So I think the programs that are really making progress are the ones that are adopting that type of view.
And it's interesting to me that I just haven't seen a lot of that communicated here yet. And so what that tells me is there are certain segments of the industry.
And when I talk about industry, I talk about people, practitioners of application security and companies that are engaging in application security programs.
I see certain corners where the light has come on and they're starting to make that progress.
I haven't, again, haven't seen that as much here yet,
but I think it'll be interesting to see if that's something that comes through more next year.
John Dixon is a principal at Denim Group.
There's a broader realization now that most security teams
are still ill-equipped to deal with software security.
So the problem is most CISOs have a network security
background. Most security people have network security backgrounds, myself included. But
virtually every organization out there has an issue around security owning the software risk
component. Software risk, that function still doesn't live in the dev teams. So you have the security guys with that background that puts them in a position where they're ill-equipped to really force that, let alone encourage.
And there's five of them.
So if you look at a security team, virtually every major app team out there in the Fortune 500 has anywhere from one or two to ten people on it, versus the dev teams that have 2,000. If you go to any financial
institution, they've got 12, they got seven or five apps, that people, the guys
that measure the risk of software, against 70 different dev teams and 3,000
developers. So there is, I think, a more acute awareness of that business problem, and how does, what, you know, how do you do that with frameworks,
with, you know, training, all those different things. And that's, so that's
kind of what we're, one of the affirmations and one of the
confirmations we've heard here is that it's like still a problem. The one trend
I would also say from a security standpoint is how does an organization deal
with DevOps and agile, and we're seeing this come to the security team, to the software
risk people, not from the IT group but from the business itself.
Like, we got to go a million miles an hour, and we're saying, wait a second, we haven't
figured this out, we haven't solved this problem yet, you're wanting me to go faster.
So I think that's kind of a theme in our heads and a trend that we're trying to figure out with others.
It's like, how are you dealing with it?
It's very driven off of culture, very driven off of the business vertical.
If you're Netflix or Etsy or one of the entertainment companies,
you probably can have a set of activities and practices. If you are Bank of America, that may play less well there.
Here's the other one.
What do examiners do?
You're like, oh yeah, we don't do any of those requirements,
any of that stuff.
We just put in production and then tear it down.
That doesn't work with the FFIEC or OCC examiners
who are all in their 20s
and know virtually nothing about any of this stuff.
It's just like, well, it says here you're supposed to do this gateway check.
Like, what?
Yeah, so doing DevOps and CICD and Agile and all that stuff in regulated worlds,
there's going to be a clash of cultures that we have yet to encounter.
Ryan Hoheimer is Chief Technology Officer of Champion Technology, whose Darklight product
they describe as a next-generation cybersecurity automation and orchestration platform.
Big trends that we're seeing are the sophistication of the CISOs in the world, right? I mean, the private sector and government sector
have been hit pretty hard recently. You know, we've had lots of compromises. We've had lots of
issues over the last couple of years. Fortunately, you know, corporate America,
government America, we're stepping the game up. We're becoming more sophisticated in our defenses.
We're definitely facing strong, creative adversarial groups.
We know that.
But I'm seeing a trend where people are stepping up.
They're stepping up to the plate.
Casey Corcoran is with 4V Systems,
where they specialize in quantifying risk and assessing defense effectiveness.
The ability to hide behind technology doesn't exist anymore.
It has become a business management function to manage cyber risk as a business risk. So I think that is probably the most profound change.
In the face of exponentially changing surface area in your company, more
and more data being created, the threats becoming more sophisticated, and there being now an
ability for the regulators to reach through to the board members and to the executives
and hold them accountable for the protections they're putting in place over privacy and
security for their organizations, I think that is driving the entire industry towards managing cybersecurity
as a business risk versus a technology risk.
Derek Gabbard is president of 4V Systems.
I think there's some fatigue, some product fatigue in a lot of organizations.
They've bought a lot of things, and they're trying to do the best they can with those,
and there's a constant stream of new, slightly different,
sometimes very different applications that are hitting the market.
I think there's going to be a lot of movement.
You've seen it in some of the analyst reports
toward more centralized service offerings
on the managed security services side,
and there's even new quadrants being covered by Gartner and the like
that are really around delivering some of these old core enterprise functionalities
as an outsource service.
Because the other moving part in all this is we have 2 million,
if you believe some folks, a 2 million person gap
in trained and capable security operations professionals just in the U.S.
And we're not going to be able to get there to catch up to where we need and stay ahead of it
with having to first overcome that two million person gap.
So there's a ton of good things that happen as you consolidate and get economies of scale on the managed security service side.
I think we're seeing a lot of customers start to adopt that,
which is encouraging because it allows for bringing a lot of talent together
and having a big impact across a lot of organizations.
The combination and compilation of complementary technologies into blended offerings,
blended managed offerings, is going to go through the roof soon.
And there will be winners and losers in that.
If you're a small product company and you get put in the right,
with the right partners in that kind of a framework,
I think the sky's the limit.
I think if you're out trying to sell directly to
each individual enterprise and get them to want a new product and to care and feed for a new product
and to staff for a new product and all that, it's a tough time for that right now.
A.J. Shipley is vice president of product management at Looking Glass Cyber Solutions,
where they offer threat intelligence-driven cybersecurity products.
Rapidity, right, the rate of how the adversaries are changing their tactics continues to increase.
I think that the good guys, if you will, who are playing defense against those tactics
continue to struggle with just how quickly the bad guys are able to adapt their
tactics.
The number of breach packages that show up in underground forums, so just to give you
a perspective, we have gone from roughly 100 million unique username and password combinations
that we've been able to curate from different breach packages, and, you know, being traded on the dark web and in
underground forums, to just over a billion records in the course of a year.
Right, so that's a billion unique usernames and passwords that are
sitting out there floating around for sale that bad guys can use in order to
try to compromise organizations. And I think, you know, if organizations aren't,
again, you know, aware of that, or even doing business with people who are able to provide that level
of visibility, and that's one of the services that we give to our customers, right? Hey,
we've noticed that 50 of your employees' usernames and passwords have shown up in an
underground forum. We'll alert our customers, they'll go in and change it, and then we'll
go in and provide them a whole host of other products and solutions in order to address that.
So I think that's the big trend that I'm noticing is just the sheer volume of breach packages
that are available with credentials that can be used to be exploited and just again the
continuing increase in the rate of change of tactics and techniques and procedures that
bad guys are using to target organizations.
It seems like this year there's kind of been a pivot towards hunting.
And I've asked a couple of customers and I've asked a couple of analysts about that.
You know, hey, what do you think about this whole trend around hunting?
It sounds pretty sexy, right?
They're like, yeah, it sounds sexy.
And I'll quote one person who said, but hunting is for the 1%, right?
Because the fact of the matter is, the rest of us, we're just, we're still so reactive, we don't have time
to actually go out there and start hunting and looking for things and being proactive.
So while hunting is arguably kind of maybe one of the trend terms this year at the conference, and
it's real sexy, it's kind of interesting to hear both analysts and large customers say, yeah,
it's fancy, but at the end of the day, I need you to help me solve a problem that I'm dealing with today, which is I don't have enough people to do the job, and I need you to help
me make those people more efficient, reactively dealing with the threats that are targeting our
organization, not help them go better hunt new threats.
That's A.J. Shipley from Looking Glass Cyber Solutions.
Our thanks to all of our experts for taking time from their busy schedules
at Black Hat to talk with The Cyber Wire,
to our sponsors for making this show possible,
and to you for listening.
If you enjoy our show,
we hope you'll help spread the word
and leave a review or rating on iTunes.
It's the easiest way you can help us grow our audience.
To subscribe to our daily podcast or news brief,
visit thecyberwire.com.
The Cyber Wire is produced by Pratt Street Media.
Our editor is John Petrick.
Social media editor is Jennifer Iben.
Technical editor is Chris Russell.
Executive editor and junior interviewer is Peter Kilby.
And I'm Dave Bittner.
Thanks for listening.