My Final Impressions of Black Hat 2014

I attended Black Hat 2014 in Las Vegas last week and wanted to write a post while I’m still feeling the buzz of the event. Here are just a few of my take-aways:

  1. Black Hat = High Energy. I attended Interop at the same venue (Mandalay Bay) for many years but I noticed that the event was getting stale and rather morose recently. It was quite invigorating then to witness the high-energy security crowd at Black Hat in comparison. There was lots of energy, great discourse, and plenty of knowledge transfer. Yes, there was commercialism and Vegas schmaltz, but Black Hat is more of a community get together than your typical stale trade show – and way more lively than Interop post the late 1990s.
  2. Black Hat vs. RSA. When I worked at EMC back in the late 1980s, one of the common sales mantras of the company was, “people who know how always work for people who know why.” This was a “solution selling” message intended to get the sales team to focus on the “why” customers who own business processes, financial results, and budgets, rather than the “how” customers who twiddle bits and bytes. With this analogy in mind, RSA is a “why” conference while Black Hat (and to some extent, (DEFCON) is a “how” conference. With this explained, there is also a difference as cybersecurity is a hardcore “how” discipline that revolves around the folks who know how to twiddle bits and bytes or can detect when someone else has twiddled bits and bytes in a malicious way. In my humble opinion, these two shows complement each other. Yes, we need extremely competent CISOs who know business, IT, and security technology but we must also have security practitioners with deep technical skills, devotion, and passion. RSA is focused on the former while Black Hat/DEFCON appeals to the latter.
  3. Security vendors should be at Black Hat. Many leading security vendors passed on Black Hat and allocated event budget dollars to RSA and shows like VMware instead. I get this but would suggest that they find ways to spread event investments around so they can attend Black Hat 2015. Why? Black Hat attendees may not be budget holders but they are the actual people who influence technology decisions and make up the majority of the cybersecurity community at large. These are the people who choose cybersecurity technologies that can meet technical requirements. Creative security technology vendors can also approach Black Hat as a recruiting opportunity, not just a sales and marketing event.
  4. I left Black Hat with even more cybersecurity concern. I’m in the middle of this world all the time so I hear lots more about the bad guys’ Tactics, Techniques, and Practices (TTPs) than most people do. Even so, I spent the week hearing additional scary stories. For example, Blue Coat labs reported on 660 million hosts with a 24 hour lifespan it calls “one-day wonders.” As you can imagine, many of these hosts are malicious and their rapid lifespan files under the radar of signature-based security tools and threat intelligence. I also learned more about the “Operation Emmantel,” (i.e., from Trend Micro) that changes DNS settings and installs SSL certificates on clients, intercepts legitimate One-time passwords (OTPs) and steals lots of money from online banking customers. Black Hat chatter served as further evidence that our cyber-adversaries are not only highly-skilled, but way more organized than most people think.
  5. Endpoint security is truly “in play.” A few years ago, endpoint security meant antivirus software and a cozy oligopoly dominated by McAfee, Symantec, and Trend Micro (and to some extent, Kaspersky Lab and Sophos as well). To use Las Vegas terminology, all bets are off with regard to endpoint security now. With the rash of targeted attacks and successful security breaches over the past few years, enterprise organizations are questioning the value of AV and looking for layered endpoint defenses. Given this market churn, Black Hat was an endpoint security nexus with upstarts like Bromium, Cisco, Crowdstrike, Digital Guardian (formerly Verdasys), Druva, FireEye, Guidance Software, IBM, Invincea, Palo Alto Networks, Raytheon Cyber Products, RSA, and Webroot ready to talk about “next-generation” endpoint security requirements and products. While the incumbents have an advantage, endpoint security is becoming a wide-open market as evidenced by the crowd at Black Hat.

Black Hat is a great combination of Las Vegas shtick, hacker irreverence, and a serious cybersecurity focus. Yup, it’s only a tradeshow but there is a serious undercurrent at Black Hat/DEFCON that is sorely missing from most IT events.

Topics: IBM Cybersecurity Palo Alto Networks Cisco Information and Risk Management FireEye Security and Privacy Guidance Software Crowdstrike bromium RSA Invincea Digital Guardian Webroot

Advanced Malware Detection and Response and Other Cybersecurity Services on the Rise

Think about all of the cybersecurity industry activity with advanced malware detection and response and what comes to mind? Most people would probably focus on technology vendors like Bromium, Cylance, Damballa, FireEye, and Palo Alto Networks since these firms have garnered headlines, raised vast fortunes of VC funding, and even pushed through successful IPOs.

Topics: IBM Cloud Computing Cybersecurity Palo Alto Networks Cisco Information and Risk Management FireEye HP Dell Security and Privacy Security Mandiant Lockheed DHS Barracuda Booz Allen Hamilton bromium Leidos nsa Cylance cybercrime CSC Damballa NIST BT NSF mssp

Are Enterprise Organizations Ready to Use Free AV Software?

Last year, ESG published a research report titled, Advanced Malware Detection and Protection Trends, based upon a survey of 315 security professionals working at enterprise organizations (i.e., more than 1,000 employees). In one question, ESG asked security professionals whether they agreed or disagreed with the following statement: “Commercial host-based security software (i.e., AV) is more or less the same as free security software.”

It turns out that 36% of security professionals either “strongly agree” or “agree" with this statement, while another 25% are sitting on the fence (i.e., they neither agree nor disagree with the statement).

Topics: Microsoft Endpoint & Application Virtualization Cisco Information and Risk Management Sourcefire McAfee Security and Privacy Security Bradford Networks Malwarebytes Kaspersky Lab Juniper Networks freeware ForeScout Avast trend micro bromium Symantec security intelligence Great Bay Software antivirus Cylance Bit9 Anti-malware APT

Hot Topics at the RSA Conference

It’s the calm before the storm and I’m not talking about the unusual winter weather. Just a few days before the 2014 RSA Security Conference at the Moscone Center in San Francisco.

In spite of this year’s controversy over the relationship between the NSA and RSA Security (the company), I expect a tremendous turnout that will likely shatter the attendance records of last year. Cybersecurity issues are just too big to ignore so there will likely be a fair number of first-time attendees.

Topics: Cloud Computing Check Point Fortinet Cisco Networking Information and Risk Management FireEye mobile Security and Privacy endpoint security SIEM Cybereason Good Technology bromium 21CT CloudPassage Firewall Cylance click security Bit9 Carbon Black IDS/IPS Firewall & UTM Hexis Cyber Solutions Public Cloud Service

How Antivirus Continues to Compete

Despite well over a decade of sales success, antivirus technology has never been beloved in the security marketplace. Security professionals do not have immense faith in antivirus (AV) products to stop modern malware, and average users have never enjoyed the notifications, scans, and updates that go along with protecting a computer from roughly 6,000 new malware variants per day.

Topics: Information and Risk Management Security and Privacy Security malware Mandiant bromium antivirus Cylance Bit9 AV Guidance antivirus software

Enterprise CISO Challenges In 2014

I’m sure lots of CISOs spent this week meeting with their teams, reviewing their 2013 performance, and solidifying plans for 2014. Good idea from my perspective. The CISOs I’ve spoken with recently know exactly what they have to do but aren’t nearly as certain about how to do it.

At a high level, here’s what I’m hearing around CISO goals and the associated challenges ahead this year:

  1. Improve risk management. This translates into threat/vulnerability measurement, threat prevention, and ongoing communication with the business mucky mucks. The problem here is that their networks are constantly changing, scans are done on a scheduled rather than real-time basis, and the threat landscape is dangerous, sophisticated, and mysterious.
Topics: IBM Palo Alto Networks Cisco Information and Risk Management FireEye HP Security and Privacy Security risk management Centrify Malwarebytes LogRhythm bromium 21CT Leidos RSA Invincea Accenture ISC8 Blue Coat CloudPassage click security Bit9 CSC Hexis HyTrust

Addressing advanced malware in 2014

In the cybersecurity annals of the future, 2013 may be remembered as the year of advanced malware. Yes, I know that malware is nothing new and the term “advanced” is more hype than reality as a lot of attacks have involved little more than social engineering and off-the-shelf exploits. That said, I think it’s safe to say that this is the year that the world really woke up to malware dangers (advanced or not) and is finally willing to address this risk.

So how will enterprise organizations (i.e., more than 1,000 employees) change their security strategies over the next year to mitigate the risks associated with advanced malware threats? According to ESG research:

  • 51% of enterprise organizations say they will add a new layer of endpoint software to protect against zero day and other types of advanced malware. Good opportunity for Kaspersky, McAfee, Sophos, Symantec, and Trend Micro to talk to customers about innovation and new products but the old guard has to move quickly to prevent an incursion by new players like Bit9, Bromium, Invincea, and Malwarebytes. The network crowd (i.e., Cisco, Check Point, FireEye, Fortinet, and Palo Alto Networks, etc.) may also throw a curveball at endpoint security vendors as well. For example, Cisco (Sourcefire) is already selling an endpoint/network anti-malware solution with a combination of FireAMP and FirePOWER.
  • 49% of enterprise organizations say they will collect and analyze more security data, thus my prediction for an active year in the big data security analytics market – good news for LogRhythm and Splunk. Still, there is a lot of work to be done on the supply and demand side for this to really come to fruition.
  • 44% of enterprise organizations say they will automate more security operations tasks. Good idea since current manual security processes and informal relationship between security and IT operations is killing the effectiveness and pace of security remediation. Again, this won’t be easy as there is a cultural barrier to overcome but proactive organizations are already moving in this direction. If you are interested in this area, I suggest you have a look at Hexis Cyber Solutions’ product Hawkeye G. Forward thinking remediation stuff here.
  • 41% of enterprise organizations say they will design and build a more integrated information security architecture. In other words, they will start replacing tactical point tools with an architecture composed of central command-and-control along with distributed security enforcement. Good idea, CISOs should create a 3-5 year plan for this transition. A number of vendors including HP, IBM, McAfee, RSA Security, and Trend Micro are designing products in this direction with the enterprise in mind.
Topics: IBM Check Point Palo Alto Networks Fortinet Cisco IT Infrastructure Information and Risk Management Sourcefire FireEye HP McAfee Security and Privacy Security endpoint security Kaspersky LogRhythm trend micro bromium Symantec Invincea antivirus RSA Security Sophos Bit9 Anti-malware Hexis Splunk

ESG Research Report Describes a Major Transition Coming to Endpoint Security

ESG just published a new research report titled, Advanced Malware Detection and Prevention Trends. The publication follows up on a 2011 research report on APTs and is based upon a survey of 315 security professionals working at enterprise organizations (i.e. more than 1,000 employees) in North America.

Topics: Information and Risk Management Security and Privacy Malwarebytes bromium Invincea Bit9

The Pressing Need to Improve Endpoint Visibility for Information Security

In a recent ESG research project, 315 security professionals working at enterprise organizations (i.e., more than 1,000 employees) were asked to identify their organizations’ endpoint security monitoring weaknesses. Thirty percent said they were unsure about, “applications installed on each device,” 19% had difficulty monitoring “downloads/execution of suspicious code,” 12% struggled when tracking, “suspicious/malicious network activity,” and 11% had a hard time tracking “current patch levels.”

Why is it so difficult to monitor endpoint activities? An old saying comes to mind: “Water, water, everywhere but not a drop to drink.” There are records about endpoints all over the place – asset databases, CMDBs, network monitoring tools, vulnerability scanners, patch management tools, etc. – but when security analysts need up-to-the-minute information for critical remediation activities, they have to scramble around through a myriad of management systems to retrieve it.

Topics: Information and Risk Management Sourcefire McAfee Security and Privacy Security endpoint security big data security analytics Bradford Networks Mandiant ForeScout Guidance Software bromium Invincea Great Bay Software RSA Security

What’s Old Is New Again In Information Security

For many years, the RSA Conference was all about the new new thing. New threats, new compliance mandates, new technologies, etc. At the same time, the industry intelligentsia dismissed staple security technologies like endpoint security and firewalls as boring commodities.

Topics: Check Point Palo Alto Networks Fortinet Cisco Information and Risk Management Juniper Sourcefire FireEye Dell Security and Privacy endpoint security Malwarebytes Barracuda bromium antivirus Damballa APT