Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Black Hat Podcasts

 

NEW TECH: LogicHub introduces ‘virtualized’ security analysts to help elevate SOAR

By Byron V. Acohido

One of the promising cybersecurity trends that I’ve been keeping an eye on is this: SOAR continues to steadily mature.

Security orchestration, automation and response, or SOAR, is a fledgling security technology stack that first entered the cybersecurity lexicon about six years ago.

Related: Here’s how Capital One lost 100 million customer records

SOAR holds the potential to slow – and, ultimately, to help reverse – the acute and worsening cybersecurity skills shortage. SOAR vendors purport to do this by leveraging automation in more sophisticated ways to help enterprises and MSSPs cull the vast data flows that inundate modern business networks.

One SOAR innovator that has been gaining steady traction is Mountain View, Calif.-based LogicHub. I first spoke to Kumar Saurabh, LogicHub’s co-founder and CEO, not long after the company launched in 2016. Saurabh spent 15 years leading product development at ArcSight, the SIEM management company acquired by HP for $1.5 billion, and later co-founded SumoLogic.

Saurabh told me he developed a passion for helping organizations improve the efficiencies of their security operations. And this inspired him to co-found LogicHub. I had the chance to meet with him again at Black Hat 2019 in Las Vegas. He told me about recent breakthroughs LogicHub has made putting smarter tools into the hands of cyber analysts.

For a full drill down on our discussion give a listen to the accompanying podcast. Here are my takeaways:

Skills deficit

Over the past 20 years, enterprises have shelled out small fortunes in order to stock their SOCs with the best firewalls, anti-malware suites, intrusion detection, data loss prevention and sandbox detonators money can buy. But that hasn’t been enough.

Today there exists a widening shortage of security analysts talented and battle tested enough to make sense of the rising tide of data logs inundating their SIEM systems. This skills deficit has been the top worry of IT pros for several years, according to tech consultancy ESG’s annual survey of IT pros; some 53% of the organizations participating in ESG’s 2018 -2019 poll reported a “problematic shortage” of cybersecurity skills. …more

NEW TECH: Baffin Bay Networks takes a ‘cloud-first’ approach to securing web applications

By Byron V. Acohido

Hear about the smart toaster that got attacked three times within an hour after its IP address first appeared on the Internet?

That experiment conducted by a reporter for The Atlantic crystalizes the seemingly intractable security challenge businesses face today.

Related: How 5G will escalate DDoS attacks

Caught in the pull of digital transformation, companies are routing ever more core operations and services through the Internet, or, more precisely, through IP addresses, of one kind or another. This trend has greatly expanded the attack surface for malicious botnets to automatically probe and infiltrate company networks, at scale. And in a double-whammy, the efficacy of legacy cybersecurity defenses — which were deployed, at great expense, mainly to protect on-premises data centers – by many measures is rapidly eroding.

I had the chance to discuss this with Joakim Sundberg, founder and CEO of a cybersecurity startup, Baffin Bay Networks, based in Stockholm, Sweden. We met at Black Hat USA 2019,  where Baffin Bay touted its cloud-first, full-stack suite of threat protection services.  For a full drill down on our conversation, give a listen to the accompanying podcast. Here are my key takeaways:

Formula for poor practices

Launched in 2017, Baffin Bay has attracted VC funding of $6.4 million and grown to 42 employees, winning customers in leading media firms, financial services companies and government agencies in the Nordics.

“We’ve been in production about 19 months and we have a 100 percent retention rate,” Sundberg told me. “We’re protecting about 220 different brands, everything from companies with two people and an app, to big European banks.”

There’s room for Baffin Bay’s cloud-first approach to security because in today’s cyber threat landscape, low hanging fruit – like the smart toaster — does not go unnoticed by threat actors for very long. The business equivalent of the toaster probe might well be two categories of automated attacks: Distributed Denial of Service (DDoS) attacks and SQL injection (SQLi) hacks. Both DDoS and SQLi have been around for quite some time, are well understood and, by now, should be well defended. …more

MY TAKE: How advanced automation of threat intel sharing has quickened incident response

By Byron V. Acohido

Threat intelligence sharing is such a simple concept that holds so much promise for stopping threat actors in their tracks. So why hasn’t it made more of an impact stopping network breaches?

Related: Ground zero for cybersecurity research

Having covered the cybersecurity industry for the past 15 years, it’s clear to me that there are two primary reasons. One is the intensely competitive nature of organizations, and the other has to do with the escalating digitalization of commerce.

I had an illuminating discussion about this with Jonathan Couch, senior vice president of strategy at ThreatQuotient. We spoke at Black Hat USA 2019. ThreatQuotient is a Reston, Virg.-based security vendor in the thick of helping companies make more of their threat feeds.

The company launched in 2013, the brainchild of Ryan Trost and Wayne Chiang, a couple of buddies working as security analysts in a U.S. military complex, who got frustrated by their inability to extract actionable intel from a deluge of threat feeds. For a full drill down of my conversation with Couch, give a listen to the accompanying podcast. Here are key takeaways:

Ripe for badness

Let’s face it, for-profit enterprises, and even public agencies, are geared to keep their rivals in the rearview mirror. Sharing proprietary information, even from one in-house department to the next, is simply not in their DNA. At the same time, digital transformation has redoubled the complexity of company networks, catapulting us from Big Data to Very Big Data.

Consider that 90% of the data that exists in the world was created in two years — 2017 and 2018 — and that our digital universe is on track to swell from 3.2 zettabytes to 40 zettabytes, as the Internet of Things and 5G networks take hold. …more

SHARED INTEL: Mobile apps are riddled with security flaws, many of which go unremediated

By Byron V. Acohido

The convergence of DevOps and SecOps is steadily gaining traction in the global marketplace. Some fresh evidence of this encouraging trend comes to us by way of shared intelligence from WhiteHat Security.

Related: The tie between DevOps and SecOps.

Organizations that are all-in leveraging microservices to speed-up application development, on the DevOps side of the house, have begun acknowledging the importance of incorporating SecOps along the way. The most forward-thinking among them are increasingly checking for vulnerabilities in new apps – and finding them, big time.

That’s one of the key revelations in the 2019 WhiteHat Application Security Statistics Report, which I’d place in the category of reports that bear close scrutiny because it is based on the actual in-the-field experiences of WhiteHat’s global customer base. Also, WhiteHat has been generating this report annually since 2006.

Based on 17 million application security scans carried out in 2018, WhiteHat found a 20% increase in vulnerabilities found in the applications that organizations tested for security flaws.

What’s more, based on WhiteHat’s partner, NowSecure’s insight, some 70% of mobile apps were found to leak sensitive data.

The fact that more companies are participating in the hunt for security flaws in new apps is a good thing. However, WhiteHat also found many app vulnerabilities are, today, going unaddressed. Remediation rates actually fell in 2018, as compared to 2017. At the moment, the effort required to secure existing and new apps appears to be overwhelming already short-staffed security teams.

The Dawn of DevSecOps

This field report tells us that, yes, SecOps is gaining traction, with more and more security teams beginning to contribute to the delivery of secure apps. However, many security teams lack the skills, and/or have not yet won corporate backing to bring in the engineering support needed to mitigate the vulnerabilities.

These applications flaws were always there, mind you – WhiteHat found that more than one-third of all application security risks are inherited rather than written – but now they are being flushed out as DevOps and SecOps merge into DevSecOps.

The more progressive security teams are, indeed, tackling remediation. For those teams, the benefits associated with paying a bit of attention to security, up front, have sunk in. Not only can they take pride in contributing to a better experience for end users, they’re also reducing the headaches that go along with having to patch vulnerabilities that turn up, post production. …more

MY TAKE: Six-figure GDPR privacy fines reinforce business case for advanced SIEM, UEBA tools

By Byron V. Acohido

Europe came down hard this summer on British Airways and Marriott for failing to safeguard their customers’ personal data.

The EU slammed the UK airline with a $230 million fine, and then hammered the US hotel chain with a $125 million penalty – the first major fines under the EU’s toughened General Data Protection Regulation, which took effect May 25, 2018.

Related: Will GDPR usher in new age of privacy?

It’s no wonder security analysts toiling in security operations centers (SOCs) are depressed. There’s a widening security skills shortage, the complexity of company networks is going through the roof, cyber attacks continue to intensify and now regulators are breathing down their necks.

More than half of the 554 IT and security pros recently polled by the Ponemon Institute consider their SOCs to be ineffectual and some 66% indicated they are considering quitting their jobs.

I had an evocative discussion about this with Sam Humphries, senior product marketing manager for Exabeam. We spoke at Black Hat USA 2019. Exabeam, which sponsored the Ponemon study, is a San Mateo, Calif.-based supplier of advanced security management systems.

Fortunately, there is a cottage industry of cybersecurity vendors, Exabeam among them, engaged in proactively advancing ways for SOC analysts to extract more timely and actionable threat intelligence from their security information and event management (SIEM) and user and entity behavior (UEBA) systems. For a full drill down on our meeting, give a listen to the accompanying podcast. A few key takeaways:

Sticks & carrots

Poor security practices at British Airways resulted in hackers pilfering credit card information, names, addresses, travel booking details and logins for some 500,000 airline customers. Marriott, meanwhile, failed to notice a breach that persisted for four years, exposing some 339 million customer records, of which about 30 million belonged to European residents.

Under GDPR, Europe has the authority to fine organizations up to 4 percent of their annual global revenue if they violate any European citizen’s privacy rights, for example, by failing to secure their personal data. What’s more, organizations that run afoul of the GDPR’s new data loss reporting requirements could face additional fines up to 2 percent of annual global revenue. …more

NEW TECH: ICS zero-day flaws uncovered by Nozomi Networks’ analysis of anomalous behaviors

By Byron V. Acohido

Andrea Carcano’s journey to co-founding a security company in the vanguard of defending critical infrastructure began at a tender age.

Related: Why the Golden Age of cyber spying is here

Carcano hacked a computer screen at age 14, and that got him intrigued by software controls. He went on to earn a masters degree in cybersecurity, during which time he won a scholarship from the European Commission to craft a proof of concept attack against an industrial control system (ICS.)

“I said at the time, ‘OK, this is cool, someone is paying me to develop malware,” Carcano told me. “So I decided to keep going. I saw a huge gap, and I got really passionate about this topic. I started on my PhD, and at the very beginning focused on the offensive side. But I quickly moved to the defensive side and spent all of my academic career focused on how to protect critical infrastructure.”

PhD in hand, Carcano spent three years in the field helping a large oil-and-gas company tighten ICS security for operations in different corners of the world. In 2013, he co-founded Nozomi Networks aiming to deliver a more holistic and efficient way to defend industrial controls of all types.

I had the chance to visit with Carcano at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. Here’s what I came away with:

Ready-made attack tools

Vulnerability research and outright attacks on industrial controls has shifted dramatically over the past 10 to 15 years ago. When Carcano first began working in the field, only a handful of the top nation-states were actively involved in sponsoring this type of activity, and they tried to do it  as quietly as possible.

Today, for a variety of reasons having to do with geo-political affairs and the evolving cyber underground, things are much different. The state-sponsored hacking groups are still in business. But they are part of a thriving cottage industry that has arisen around finding, selling and testing fresh ICS vulnerabilities. And not just of power plants and utilities, but also in the firmware and software that run manufacturing plants of all types and sizes, Carcano told me. …more

MY TAKE: Here’s how ‘bulletproof proxies’ help criminals put compromised IoT devices to work

By Byron V. Acohido

Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors.

Related: How botnets gave Trump 6 million faked followers

To put it plainly, this represented a spike in cyber attacks bouncing through ordinary Internet-connected devices humming away in homes across America. These attacks were carried out by cyber criminals leveraging an insidious new attack tool: bulletproof proxies.

What were they up to? IoT devices are proving to be an integral element for cyber criminals to launch automated attack campaigns to manipulate social media likes, create fake accounts, take over existing accounts, execute credential stuffing, content scraping, click fraud and carry out other cyber villainy.

This stunning intel comes in a study from Cequence Security, a Sunnyvale, CA-based vendor focused on helping companies defend against such attacks. These findings have huge implications, not just highlighting what a huge drain botnets have become to our Internet-centric economy, but also underscoring how botnets have become a disruptive force in political discourse, globally.

I had a deep discussion about this with Cequence’s Will Glazier, head of research, and Matt Keil, director of product marketing, at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. My big takeaways:

Bulletproof weaponry

Back in 2007, a noted fellow journalist, Brian Krebs, exposed how the Russian Business Network had pioneered something called “bulletproof hosting.” RBN provided web hosting services to one-and-all, and then looked the other way as spammers, fraudsters and even child pornography distributors did their thing, operating their botnets with impunity.

Just the other day, Krebs broke another story about what he’s calling “bulletproof residential VPN services.” And Cequence has done deep analysis on “bulletproof proxies” — the latest, greatest iteration of bulletproof hosting. Instead of building out and hosting a server farm that can be isolated and potentially shut down by law enforcement, bulletproof proxy providers today assemble millions of globally distributed IP addresses and make those available to one-and-all.

Crucially, the availability of an endless supply of IP addresses reinforces the viability of botnets. (A bot is a computing nodule, and a botnet is a network of nodules under control of the botnet master.) The fact that botnet nodules today increasingly spin out of residential IP addresses is significant for two reasons: …more