This year I was privileged to be part of the team that facilitated the 20th annual Ntegra Greenside United States Research Tour. During the week-long event we received presentations from thirty-nine start-up companies, three Venture Capital firms (Intel Capital, Andreessen Horowitz and Sequoia Capital) as well as Microsoft and Splunk.
This short post follows on from my previous blog, Data, big and small, which describes a number of emerging trends the tour identified in the Data domain. The tour also provided a great opportunity for me to learn more about the latest Security developments and innovations coming out of Silicon Valley.
New InfoSec and cyber security companies are highlighting a broader spectrum of concerns that should be considered holistically. Multiple layers of security, each aimed at managing specific risks, are needed, and these should overlap to provide strength, depth and dependability. Ways of working are continually changing, creating more opportunities for data to be targeted.
Organisations cannot assume they have enough security in place to prevent them from being compromised. They must continue to defend themselves and assume they’re about to be breached, and have appropriate controls in place to manage the aftermath of a security incident. Most organisations are struggling to understand the risks they face and to take appropriate steps to be able to respond if and when they are compromised.
Security teams are struggling to keep up with the new ways that individuals, good and bad, can access, use and interact with organisational data and information. New devices, new apps and new services all pose additional cumulative risks, and many do not have security controls built in. Development of new services and apps by small companies on tight budgets often means security is poorly implemented, if thought about at all. This complex and diverse threat landscape is growing and IT security teams simply do not have the time, resources or awareness to keep up.
Some organisations resort to using “red teams” to test their IT systems and provide the insights needed to update and improve their security controls (technology, people and process). Organisations can also create fake, network-connected machines (such as the TrapX honeypots) to divert hackers away. These approaches help to provide some confidence and can be effective. However, as well as protecting data, organisations need to ensure that the right people can access the right information, when they need it, often from external environments where there are many unknowns. These contradictory requirements have led a number of big data and analytics companies, for example Prelert, to re-purpose their capabilities and concentrate on individual usage patterns and behaviours. The ability to understand and baseline normal behaviour enables detection of abnormal activities and anomalies.
Hacker journeys are identifiable, in the same way that customer and employee journeys are, within time series data collected and logged across all the potential touch-points and routes through the corporate IT landscape. SS8 showed us how this can help to highlight risks from “suspects of interest” or “devices of interest” and illuminate areas where different security layers must interact and flex to form an appropriate defensive barrier which is only permeable to appropriate (normal) users and usage.
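The baselining idea in the two paragraphs above can be made concrete with a small detection routine. The following is an added example written for this post; it is not code from Prelert, SS8 or any other company on the tour. It learns, per user, the hours of day and source networks seen in successful logins during a baseline period, then flags later events that fall outside that baseline or that show a burst of failures from one address followed by a success. The log format, user names, IP addresses, cutoff date and thresholds are all constructed for the illustration.

```python
"""Baseline normal authentication behaviour per user and flag deviations.

Added example, not from the original post or any vendor named in it.
The log format, user names, IP addresses and thresholds below are all
constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log, one event per line:
# "<ISO timestamp> <user> <source ip> <success|failure>"
LOG_LINES = """\
2016-03-01T08:05:12 alice 10.20.1.15 success
2016-03-01T09:12:40 alice 10.20.1.15 success
2016-03-02T08:30:02 alice 10.20.1.22 success
2016-03-03T08:47:55 alice 10.20.1.15 success
2016-03-04T09:01:10 alice 10.20.1.22 success
2016-03-01T13:15:00 bob 10.20.2.7 success
2016-03-02T14:02:33 bob 10.20.2.7 success
2016-03-03T13:40:21 bob 10.20.2.9 success
2016-03-04T14:11:08 bob 10.20.2.7 success
2016-03-05T03:14:01 alice 198.51.100.23 failure
2016-03-05T03:14:03 alice 198.51.100.23 failure
2016-03-05T03:14:04 alice 198.51.100.23 failure
2016-03-05T03:14:06 alice 198.51.100.23 failure
2016-03-05T03:14:07 alice 198.51.100.23 failure
2016-03-05T03:14:09 alice 198.51.100.23 success
""".splitlines()

# Events before this (constructed) date form the baseline; later ones are scored.
CUTOFF = datetime(2016, 3, 5)


def parse_line(line):
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip_address(ip), "result": result}


def subnet(ip):
    # Coarsen IPv4 sources to their /24 so a DHCP change in the same office
    # does not look like a new location.
    return ip_network(f"{ip}/24", strict=False)


def build_baseline(events, cutoff):
    """Per user: hours of day and /24 networks seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "networks": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]]["hours"].add(e["ts"].hour)
            baseline[e["user"]]["networks"].add(subnet(e["ip"]))
    return baseline


def detect(events, baseline, cutoff, burst_threshold=5, burst_window=60):
    """Score events at or after the cutoff against the learned baseline."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> failure timestamps in window
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ts"] < cutoff:
            continue
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no_baseline")
        else:
            # One hour of tolerance either side of any hour seen in the baseline
            # (no wrap-around at midnight; adequate for this illustration).
            if not any(abs(e["ts"].hour - h) <= 1 for h in b["hours"]):
                reasons.append("unusual_hour")
            if subnet(e["ip"]) not in b["networks"]:
                reasons.append("unusual_network")
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            recent = [t for t in failures[key]
                      if (e["ts"] - t).total_seconds() <= burst_window]
            recent.append(e["ts"])
            failures[key] = recent
            if len(recent) >= burst_threshold:
                reasons.append("failure_burst")
        elif (len(failures[key]) >= burst_threshold and
              (e["ts"] - failures[key][-1]).total_seconds() <= burst_window):
            # A success right after a burst of failures from the same address
            # is the event most worth a human look.
            reasons.append("success_after_burst")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "ip": str(e["ip"]), "reasons": reasons})
    return findings


def run(lines=LOG_LINES, cutoff=CUTOFF):
    events = [parse_line(l) for l in lines]
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for f in run():
        print(f["ts"], f["user"], f["ip"], ",".join(f["reasons"]))
```

On the constructed log, every 2016-03-05 event for alice is flagged for an unusual hour and network, the fifth failure adds a failure-burst reason, and the final success is marked as a success after a burst. Bob's events all fall in the baseline period and produce nothing. In practice the baseline would be rebuilt on a rolling window and the tolerances tuned per population rather than hard-coded.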
To harden and help improve the quality and lineage of new software products, start-ups such as BlackDuck and Tinfoil have developed automated scanning mechanisms that can be integrated into development pipeline processes. BlackDuck detects the open source components and libraries that are commonly included in builds, and hence provides developers or end-users with an assessment of their licence exposure and risk. Tinfoil scans newly compiled executables to identify all known security vulnerabilities and then raises defect reports in the developers’ bug tracker (complete with instructions on how to debug the code and eliminate the vulnerability). Inserting Tinfoil into the Continuous Integration development cycle is like having an infallible security expert with coding skills in the development team.
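To show the shape of the pipeline check described above, here is an added example of a minimal Continuous Integration gate. It is not BlackDuck's or Tinfoil's code and makes no claim about how those products work internally; it only illustrates the two outcomes the paragraph names: a licence-exposure assessment over the components a build declares, and defect reports for components whose version falls inside a known-vulnerable range. The lockfile, component names, licence map, policy, vulnerability feed and advisory identifiers (such as `EXAMPLE-2016-0001`) are all constructed for the illustration.

```python
"""Minimal CI gate: inventory declared components, flag licence exposure
and known-vulnerable versions, and emit defect reports.

Added example, not BlackDuck's or Tinfoil's code. The lockfile, licence
map, vulnerability feed and advisory identifiers are constructed.
"""
import sys
from dataclasses import dataclass

# Constructed lockfile in "name==version" style.
LOCKFILE = """\
httpclient-lib==2.9.1
leftpad-util==1.0.0
gpl-widget==3.2.0
yaml-parser==0.4.2
"""

# Constructed component -> licence map, as a component scanner would resolve it.
LICENCES = {
    "httpclient-lib": "Apache-2.0",
    "leftpad-util": "MIT",
    "gpl-widget": "GPL-3.0",
    "yaml-parser": "UNKNOWN",
}

# Constructed policy: licences this (proprietary) product treats as exposure.
DENIED_LICENCES = {"GPL-3.0", "AGPL-3.0", "UNKNOWN"}

# Constructed vulnerability feed:
# component -> list of (first_affected, fixed_in, advisory id, remediation)
VULN_FEED = {
    "yaml-parser": [("0.0.0", "0.5.0", "EXAMPLE-2016-0001",
                     "Upgrade to 0.5.0 or later (constructed advisory)")],
    "httpclient-lib": [("2.0.0", "2.9.0", "EXAMPLE-2016-0002",
                        "Upgrade to 2.9.0 or later (constructed advisory)")],
}


@dataclass
class DefectReport:
    component: str
    version: str
    kind: str          # "licence" or "vulnerability"
    reference: str     # licence name or advisory id
    remediation: str


def parse_version(v):
    # Dotted integers only; enough for the constructed feed.
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    comps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==")
        comps[name] = version
    return comps


def licence_findings(components, licences, denied):
    reports = []
    for name, version in components.items():
        lic = licences.get(name, "UNKNOWN")
        if lic in denied:
            reports.append(DefectReport(name, version, "licence", lic,
                                        "Review licence exposure or replace component"))
    return reports


def vulnerability_findings(components, feed):
    reports = []
    for name, version in components.items():
        v = parse_version(version)
        for first, fixed, ref, advice in feed.get(name, []):
            # Affected if first_affected <= version < fixed_in
            if parse_version(first) <= v < parse_version(fixed):
                reports.append(DefectReport(name, version, "vulnerability", ref, advice))
    return reports


def scan(lockfile=LOCKFILE, licences=LICENCES, denied=DENIED_LICENCES, feed=VULN_FEED):
    comps = parse_lockfile(lockfile)
    return licence_findings(comps, licences, denied) + vulnerability_findings(comps, feed)


def ci_exit_code(reports):
    """Fail the build on any known-vulnerable component; licence issues only warn."""
    return 1 if any(r.kind == "vulnerability" for r in reports) else 0


if __name__ == "__main__":
    found = scan()
    for r in found:
        print(f"[{r.kind}] {r.component}=={r.version} {r.reference}: {r.remediation}")
    sys.exit(ci_exit_code(found))
```

Against the constructed inputs the gate produces two licence reports (`gpl-widget` under GPL-3.0 and `yaml-parser` with no resolved licence) and one vulnerability report for `yaml-parser` 0.4.2, which sits inside the affected range, while `httpclient-lib` 2.9.1 is at or past its fixed version and passes. The non-zero exit is what lets a CI job stop the build; in a real pipeline each `DefectReport` would be filed in the team's tracker rather than printed.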
Outside of key mission-critical areas such as defence, in reality IT is currently largely uncontrolled due to the proliferation of uncontrolled devices and regular use of uncontrolled networks. Employees have little or no training and their knowledge of IT security is, at best, poor. They move between organisations, cross-pollinating careless behaviours that lead to contagion in process vulnerabilities that, in turn, provide huge opportunities for hackers to exploit. For these reasons, security needs to be considered and planned at all levels: from employee identity; to building security into bespoke applications; to managing devices; to tracking intrusions.
The top, and most obvious, vulnerability layer is no longer an individual’s ID and password, but his or her identity itself. From just the name of an employee, a hacker can gain an entry point (for example, making use of social media to access personal details combined with a knowledge of an organisation’s remote access solutions can often provide enough detail to gain initial entry into corporate systems). Once “inside the lobby”, brute force password attacks can be completed in less than a few seconds due to the immense computing power that is now available, on demand, in the cloud.
One innovative approach that reduces the chances of an employee making basic mistakes was demonstrated by Menlo Security. They protect against cyber-attacks from the web and e-mail by providing an ‘Isolation Platform’ which insulates content and eliminates malware in the cloud. Users’ web sessions, and all active content whether good or bad, are fully executed and contained within the Isolation Platform. Only safe, malware-free rendering information is delivered to users’ browsers. No active content leaves the platform, so malware has no path to reach an endpoint, and legitimate content does not need to be blocked in the interest of security.
This year, we’ve seen that already overstretched security teams are also having to think about previously unforeseen threats and new technology responses from outside their traditional domain and skill sets. SkySafe provided an interesting description of their anti-drone systems, which can be used to protect airspace and detect, and bring down, drones that may be eavesdropping on corporate secrets by listening in on conversations, or photographing industrial or military installations. Pindrop described their anti-fraud and authentication solutions for enterprise call centres. Within 10 seconds their technology can generate a risk score by simply “listening” to the background noise on a telephone connection and assessing whether the call is really coming from where it purports to be from. DeltaID made a good case for the use of iris recognition as a better bio-metric than face and fingerprint. Face recognition is a challenging technology, with changes in lighting, hair style/colour and other looks resulting in a variable user experience. Fingerprints are a better and more popular bio-metric but they can be problematic as they may be affected by weather, age, work and many other factors. Using the iris as the bio-metric results in much better accuracy.
The above examples and many other interesting insights from new companies helped to illuminate the broad extent and continuing growth of the cyber-threat surface. This can be seen as a proxy for, and measured proportionally with, the rate at which new innovations and ever more complex IT solutions are being delivered.