Two CISO Priorities from Black Hat: Endpoint Security and Cloud DLP

With the frenzy of the largest Black Hat to date in the rearview mirror, there is much to reflect upon. The range of hacks demonstrated highlights the massive expanse of the attack surface, with mobile and IoT exploits front and center, including the now famous car hack of 2015. While the sheer scope of IoT vulnerabilities is staggering, CISOs and practitioners I spoke with cited the endpoint attack vector and preventing the loss of data via the use of unauthorized cloud apps as two of their more immediate concerns. The high level of competition between vendors in the advanced endpoint threat protection and cloud access and control security markets correlates to this demand; their markets have indeed arrived.

A CEO I worked for a few companies back kicked off a strategy planning session with just the letters “SMOT” on a PowerPoint slide. After some wise-ass guesses from the team, he explained that SMOT stands for Startup Moment of Truth and represents the inflection point for gauging market timing and thus deciding when to “Go,” as in dialing up the go-to-market spend. For the players in these segments, the answer is clearly “Now!” But customers need more clarity on proven differentiation between the offerings. Let’s take a closer look at some of the dynamics in each product category.

Advanced Endpoint Threat Protection Takeaways:

  • Operational Efficiency: We all know signature-based antivirus alone is ineffective against advanced threats, but adding another endpoint security product drives up operational cost. The larger the company (measured in the number of endpoints), the more critical scalability and operational efficiency become, a point of differentiation cited by Invincea, as well as by CounterTack with their Hadoop backend.
  • The Role of Antivirus: As the “AV is Dead” drumbeat continues, I’m reminded we still have mainframes and tape libraries. Customers I spoke with don’t want to pay much, if anything, for AV, noting they are redirecting those dollars to advanced endpoint threat protection offerings. And while the promise of a single agent and management console will help with the aforementioned operational cost issue, customers won’t ditch AV until someone delivers a solution proven to detect and block both known and unknown malware. Enter Cylance and SentinelOne, which are now positing that their heuristics obviate the need for signature-based AV altogether. Webroot is another single-source offering, using a hybrid approach of static and dynamic analysis.
  • Roots and DNA: Vendor roots are a leading indicator of where their product strengths lie along the prevent-detect-respond continuum. Tanium, for example, is leveraging a highly scalable search platform that lends itself well to the hunt and investigate part of response. Guidance Software has deep roots in forensics, which are also highly applicable to response. Vendors are working on beefing up features for all phases of the malware lifecycle. In the interim, customers should mind the gap.
  • Which Noun Are We Protecting?: Some vendors, such as Trend Micro and Symantec, are rightfully framing the endpoint security issue as one of user protection, a point well taken given today’s multi-device, mobile knowledge worker.
  • Integrations Hit the Scene: My colleague Jon Oltsik has been talking about the need for the ERP equivalent in security, but with faster Time to Value (TTV) and without the need for a massive professional services engagement. Given this need for advanced security controls to work in concert, even the first phase of the integrations I saw at Black Hat is of high value, with the ability to speed time to detection and expedite response from endpoint to network and vice versa. Blue Coat customers can now leverage integrations with a number of advanced endpoint threat protection vendors, enabling a best-of-breed approach, while Bit9 was demonstrating the value of IP-level coordination vis-a-vis their integration with Infoblox. There are compelling next-phase integrations in the queue, so get that NDA in place with your vendor to get smart about where they are along the good-better-best path.

Cloud Access and Control Security Takeaways:

  • Two Use Cases: Because visibility into the use of unauthorized cloud apps is a CIO-level concern and the potential for data loss via the usage of said apps is a CISO concern, there are two use cases and business drivers for buying these product offerings, one reactive, the other proactive. IT is often playing catch-up with shadow IT and needs an inventory of cloud services in order to assess consolidating licenses and moving to, for example, a corporate standard file sharing and collaboration service. A more proactive use case is employing cloud access and control as part of rolling out a new, sanctioned cloud app. Customers should never stop at use case 1, since use case 2 provides the cloud DLP functionality to control data access and prevent leakage.
  • Beyond the Pretty Pixels: Someone recently made the comment that a bad user interface is the enemy of security (I apologize, I can’t provide proper attribution), but the point is so spot on that it warrants repeating. The good news in this product category is that the products I’ve seen thus far have fantastic user interface designs. Beyond the appeal of today’s flat UI design, customers should evaluate for feature discoverability and workflows that will directly impact TTV and operational cost.
  • References to Validate Differentiation: Vendors such as Elastica, Netskope, and Skyhigh Networks have compelling offerings in this space, referencing similar differentiation. Unlike products from other vendors, these solutions use both a network-based architecture and the native APIs of the cloud apps for the requisite combination of breadth and depth to enable both use cases noted above. There is, however, a differing perspective on whether encryption belongs in such a product or in the cloud app itself. The proof is in the pudding, and customers evaluating cloud access and control solutions should seek the opinion of their trusted advisor and talk to some customers who have deployed in production.
  • Gateways to Blur the Lines: Larger vendors, attracted to driving growth with a cloud play, are taking note of this market. As a result, there will be some blurring of the lines between pure-play cloud access and control security offerings and secure gateways and proxies. These are not mutually exclusive, of course, given existing integrations between the two; it’s a question of supplier. And we’ve already seen some vendors buy their way into this market.

Against the backdrop of the technical nature of Black Hat, these are two cybersecurity market segments that are top of mind with customers and in which there is notable competition. In a world where we need to keep the bad out and the good in, advanced controls for the endpoint and for the use of cloud apps are a here-and-now imperative.
