Anticipating Black Hat 2019

Judging by this week’s Capital One breach and Equifax settlement, cybersecurity remains a topical if not ugly subject. The timing couldn’t be better for these unfortunate events. Why? Because the cybersecurity community will get together next week in Las Vegas for Black Hat and Defcon to discuss how to better deal with security vulnerabilities and improve threat prevention, detection, and response.

I’ll be there along with an assortment of my ESG colleagues. Here are some of the things we’ll be looking for: 

  • Network security platforms. While security appliances are far from dead, network security goes well beyond perimeter-based packet inspection of ingress/egress traffic. Instead, network security is evolving into a pervasive service that inspects and filters traffic across physical data centers, virtual servers, and cloud-based workloads of all types. Think central management and distributed enforcement. Vendors like Check Point, Cisco, Forcepoint, Fortinet, Juniper, and Palo Alto Networks get this and are innovating in this direction. That said, how far along are they? Furthermore, are customers buying in or do they continue to look for “best-of-breed” network security technologies of various form factors? We’ll be asking these questions in Vegas conference rooms all week.
  • Endpoint security consolidation? Like network security, endpoint security tools are going through a similar amalgamation trend. Endpoint protection platform (EPP) vendors are integrating their endpoint capabilities into more capable platforms and expanding functionality into areas like device coverage, asset management, and EDR. As many EPP vendors innovate to differentiate themselves, the profile of EPP is changing rapidly. Leading vendors have level-set on providing integrated, cloud-delivered multi-layer prevention, detection, and response capabilities combined with managed detection and response (MDR) services, but new services and capabilities are rapidly emerging. We’ll be watching for new announcements about deeper integrations with other security tools, new capabilities for protecting cloud workloads, mobile, and IoT, and extended risk management capabilities.
  • Managed detection and response – it’s all about the people. I know I sound like a broken record, but the cybersecurity skills shortage continues to impact every decision CISOs make. Case in point, detecting and responding to threats like ransomware, phishing, and exploits. Now a lot of the discourse around threat detection will center on threat intelligence synthesis, artificial intelligence, and machine learning (AI/ML) baked into products and services, but all the TI in the world and the best ML don’t reduce the funnel or accelerate threat detection alone. What does? Experience, processes, and automation. In other words, the human stuff. Yup, humans can reason, see anomalous behaviors that are not apparent to the machines, and then program technology brains for future detection and response actions. Service providers can also work with the cybersecurity staff to map the adversary goals in a way that structures our thinking and response – as in, to the MITRE ATT&CK Framework (MAF), for example. Finally, humans must manage other humans. In this case, enterprise cybersecurity professionals must have the right structure and skills to manage third-party MDR providers effectively. ESG loves technology as much as anyone, but we’ll be looking to find the smartest and most helpful MDR services people next week.
  • Serverless security – the new frontier. Serverless functions, or function-as-a-service (FaaS), such as AWS Lambda, Azure Functions, and Google Cloud Functions are becoming more prevalent components of modern cloud-native applications built on a microservices architecture. Because serverless itself is an abstract concept, the associated threat model and security approaches are ambiguous. So, what’s different about serverless? Serverless shifts more of the security responsibility to two parties – the external cloud service provider (CSP) and the internal developer. This changes the shared responsibility model where CSPs are now on the hook for securing the server instances that run the functions, as ephemeral as they may be. The consumers of these services, absent access to a network tap or the ability to install an agent, need to gain visibility and control over their use of serverless functions. By shifting left into the development stage, DevOps teams must continuously discover API calls in source code and assess how those APIs are being used at build-time (i.e., with respect to authentication, authorization, encryption of data in motion and more). Logging an audit trail of service-to-service activity and the use of Runtime Application Self-Protection (RASP) close the continuous loop to protect the entire serverless API lifecycle. Do cybersecurity professionals and security technologies get this? We’ll be poking around at Black Hat to find out.
  • Security analytics innovation and confusion. A few years ago, security analytics was synonymous with SIEM (security information and event management), but no longer. Security analytics now includes areas like network traffic analysis (NTA), security data lakes, UEBA, threat intelligence platforms (TIPs), etc. Savvy CISOs are playing with many of these, but they also want cooperative security analytics where technologies interoperate, complement, and add value to one another. Once security analytics provide high-fidelity data (i.e., alerts, risk scores, etc.), organizations also want to act upon this data through security operations platforms. This is the essence of ESG’s SOAPA (security operations and analytics platform architecture). Yes, there’s tremendous investment and innovation in this area, but users are royally confused by the pace of change and market hyperbole. Do they go with a one-stop shop like IBM or Splunk? Do they use open source software like Bro/Zeek, the ELK stack, or Hadoop? Do they deploy SOAPA on-premises or seek out a cloud-based alternative from the likes of Devo, Google (Chronicle/Backstory), Microsoft (Azure Sentinel), or Sumo Logic? I’ll be talking to a lot of SOC analysts at Black Hat to research and help answer these questions.

Despite the heat, crowds, and miles of walking each day, Black Hat is one of my favorite weeks of the year. By the end of the event, I feel like I’ve just gotten a graduate degree in cybersecurity – each year. If you see me or one of my ESG colleagues at Black Hat, make sure to say hello and let us know what you’re up to. Cybersecurity is a collective activity – even in Sin City, it takes a village.
