Black Hat 2019 has come and gone and I am still recovering from the sensory overload caused by the 19K+ attendees of this big conference amidst the backdrop of Las Vegas. My focus going into the conference was mainly on meeting startups… I was looking for something new – a solution that attacks the cyber problem from a new angle. I was also on the hunt for capabilities that address a cyber problem that hasn’t been well addressed in the past – like third party risk management, dynamically marshalling cyber talent to address surging needs, or secure collaborative environments. Finally, I was also looking for security technology that addresses the special needs of OT environments. So you can see I had a lot of things to search out.
My schedule leading up to the conference was busy reviewing the exhibitor list, setting up interviews, rescheduling interviews, and reviewing some of the session briefs. I also had the opportunity to set up pre-conference briefings with a couple of companies. All of the company leaders I met showed that special intensity and passion for their products and solutions that you find with start-ups. And I thought all of them were making a significant impact in the cybersecurity business. I thought the PR folks for several of the companies did a good job in helping their companies find media opportunities. Special shout-outs to Michelle Yusupov, Danielle Ostrovsky, Shannon Cieciuch, and Cole Christy for their hard work in helping me schedule these interviews.
So here are some snapshots of the interviews and presentations with these innovative leaders from the conference.
Black Hat 2019 Day 1
First up was Joel Wallenstrom. CEO of Wickr since Nov 2016, Joel has been at the forefront of cybersecurity since the beginning, having co-founded iSEC Partners, one of the world’s leading information security research teams, later acquired by the NCC Group. Joel also served as the Director for Strategic Alliances for ATstake, one of the very first computer security companies, which was acquired by L0pht Heavy Industries and was itself later purchased by Symantec. Wickr has been known for instant messaging apps that allow users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments, and to place end-to-end encrypted video conference calls. Since he took over Wickr, Joel has pivoted the offering from being consumer-based to delivering enterprise level capabilities, tying in administrative flexibility and regulatory compliance for this next gen secure collaboration platform. His customers now range from governments, law firms, and professional services to enterprises with strict compliance requirements (HIPAA, GDPR, FINRA, FRA, etc). I liked his description of the user-friendly and admin-supported features and interface. Wickr allows for configurable ephemerality to ensure that no sensitive information is accessible beyond its useful life and intended recipients – for example, you can set time thresholds for how long to keep a message. Wickr also maintains a Privacy by Design approach, employing perfect forward and backward secrecy by generating a new key for every message. Messages can also be wiped from the servers, enabling extra privacy protection. Wickr offers secure rooms for collaboration and is delivered as a SaaS or on premise offering.
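To make the per-message key and expiring-message ideas concrete, here is an added toy example in Python; it is not Wickr’s code (the page does not describe Wickr’s actual protocol), and the `kdf` labels, the `ChainRatchet` class, the XOR keystream cipher and the expiry timestamps are my own constructions for illustration. It shows why deriving a fresh key per message and discarding the old chain key protects earlier messages from a later compromise, and why that alone does not protect later ones.

```python
import hashlib
import hmac
from dataclasses import dataclass

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256), a toy stand-in for HKDF."""
    return hmac.new(key, label, hashlib.sha256).digest()

class ChainRatchet:
    """Holds only the current chain key. Each send derives a fresh message key
    and overwrites the chain key, so state captured later cannot yield earlier keys."""

    def __init__(self, root_key: bytes) -> None:
        self._chain_key = root_key
        self.index = 0

    def next_message_key(self) -> tuple:
        msg_key = kdf(self._chain_key, b"msg")
        self._chain_key = kdf(self._chain_key, b"chain")  # previous chain key is discarded
        idx, self.index = self.index, self.index + 1
        return idx, msg_key

    def snapshot(self) -> bytes:
        """What an attacker who reads device memory right now would obtain."""
        return self._chain_key

def keys_derivable_from(chain_key: bytes, count: int) -> list:
    """Everything a holder of a captured chain key can still compute going forward.
    A hash ratchet alone does not protect future messages; that needs fresh key
    agreement (a DH ratchet), which this toy example leaves out."""
    out = []
    for _ in range(count):
        out.append(kdf(chain_key, b"msg"))
        chain_key = kdf(chain_key, b"chain")
    return out

def seal(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream cipher (self-inverse); a real client would use an AEAD."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(p ^ s for p, s in zip(data, stream))

@dataclass
class Message:
    index: int
    ciphertext: bytes
    expires_at: float  # constructed expiry timestamp, in seconds

def purge_expired(inbox: list, now: float) -> list:
    """Configurable ephemerality: anything past its expiry is dropped from the store."""
    return [m for m in inbox if m.expires_at > now]
```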
Next I met with Fred Kneip – CEO of CyberGRX. We sat down to discuss risk exchanges. I find the exchange concept behind this to be quite interesting. It seems that the majority of data breaches these days are linked to third parties, and less than 20% of companies have confidence in their 3rd party vendor risk management program. Most vendor risk management programs burden their suppliers with compliance requirements that require completion of risk assessment questionnaires. This quickly becomes redundant for a supplier that has many customers. Generally, these self-assessments provide little visibility into the actual risk posture of the company. CyberGRX was designed to provide rapid insights into the cyber risk exposure across a corporate ecosystem. Standardized and structured third-party risk assessments quickly identify and prioritize risk. By using a cloud-based exchange to publish the assessments, suppliers complete one assessment and share it with many. You can also add your vendors into the CyberGRX Exchange and quickly see the likelihood and potential impact of third-party cyber events across your portfolio to determine the appropriate level of assessment. CyberGRX adds advanced analytics on top of the assessments to provide actionable mitigation insights across the corporate portfolio. Suppliers can update their information as their mitigations are completed or as their threat level changes. Such dynamic data provides current visibility with ongoing threat intelligence and mitigation updates. As you can imagine, Internet risk insurance providers are also key users of the exchange.
Casey Ellis – CEO of bugcrowd – was an unscheduled interview who fortuitously was in the media room when I had an opening, so we sat down and started talking. Casey is quoted as saying “Cybersecurity isn’t a technology problem — it’s a human one — and to compete against an army of adversaries we need an army of allies.” So he has built a company around a SaaS crowdsourced security platform for on-demand, continuous, and next gen pen testing. His approach, while not unique, has been highly successful due to his customized approach towards defusing concerns about the risk associated with crowdsourced security. Over time, his platform helps to identify highly vetted, trusted and successful researchers. Customers of the SaaS service define the attack surfaces they are interested in hardening – like web application front ends or a mobile application. Then these specs get published to the crowd. Depending on the type of program, customers either publish the program broadly to the researcher community, or engage a more limited set of researchers in a private “invite only” program. As vulnerabilities are uncovered by the researchers, they are triaged to determine validity and severity. Customers pay a bounty (or grant public “kudos”) to the researcher for finding the problem, patch the vulnerability, and verify that the attack vector has been closed. The first hacker to find a vulnerability is rewarded, encouraging each hacker to work quickly, thereby improving speed to value. The more critical the vulnerability found, the bigger the reward to the hacker, driving better overall value. I was very impressed by the rapidity with which the number of researchers participating on the platform has grown. He is also finding federal government customers, which I find intriguing given the usual government bureaucratic procurement processes.
I would be interested in more statistics about the spread of rewards among researchers – are 80-90% of the rewards won by a small fraction of the researchers? I intend to follow-up with Casey to find out.
Jonathan Couch, the SVP of Strategy for ThreatQuotient, was my next scheduled interview of the day. He described his previous experience in targeting and defensive/offensive operations while in the military as an ideal background for leading the strategic development of a threat intel platform. The ThreatQ platform has taken a threat-centric approach to security operations. This approach allows security teams to prioritize based on threat and risk, collaborate across teams, automate actions and workflows, and integrate point products into a single security infrastructure. Some key elements of the solution include an integrated, self-tuning Threat Library™, Adaptive Workbench™, Open Exchange™ and ThreatQ Investigations. A key outcome is the ability to understand an attacker’s tactics, techniques and procedures (TTPs) and how they might move laterally once inside the environment. The platform is based on an extensive structured data management and ETL capability to handle threat feeds and other event data. It is also built to scale and to integrate, and has captured a really large set of Open Exchange integration partners to date. A custom threat framework, which also maps to the MITRE ATT&CK framework, provides the foundation for the presentation of risk level and priorities. It makes sense that such a well-designed and effective platform also has a highly experienced and successful leadership team behind it – many with Symantec and Cisco [Sourcefire] pedigrees.
I was delighted to interview Brian Contos next, CISO and VP of Technology Innovation of Verodin, as a follow-up to my interview with the Verodin Chief of Strategy, MG Earl Matthews, earlier this month. Brian emphasized that Verodin is a business platform that provides organizations with the evidence needed to measure, manage, and improve their cybersecurity effectiveness, providing the insight needed to determine if you are getting your money’s worth from your portfolio of security tools. Verodin classifies itself as a security instrumentation tool. It tests and measures the effectiveness of network, endpoint, email and cloud controls. It continuously executes tests and analyzes the results to proactively alert on drift from a known-good baseline and validate control configuration. You can also proactively test defenses against MITRE ATT&CK™ and other industry standard models to prove that business objectives are being met. Brian also commented on Verodin’s recent acquisition by FireEye. He explained that Verodin will maintain flexibility to work with its existing and any new partners while also benefiting from the extensive resources that FireEye can supply.
My final interview of Day 1 was with Anu Yamunan – Vice President Product Management and Research of Exabeam. According to Anu, the key features behind Exabeam’s success so far are their ability to scale, price-sensitivity, contextual enrichment of events, ML, and integrations for automation. The Exabeam Security Management Platform (SMP), as Anu explained, combines features of UEBA, SIEM and SOAR. It works on top of Splunk, makes extensive use of behavioral modeling and ML, and is built to scale. SMP is recognized as a leader by Gartner for SIEM. It has approximately 300 integrations with IT and security products to facilitate filtering, analysis, and prioritization of events – providing inbound integrations with data sources from vendors to easily ingest as much data as possible, and SOAR integrations with 3rd party vendors to help automate and orchestrate security responses. I view Exabeam as a vendor to watch as they continue to innovate while the industry focus on security solutions continues to evolve and change.
Black Hat 2019 Day 2
Day 2 of the conference was my day to work the Exhibitor floor and catch some presentations. On the floor I was on the lookout for breach and attack simulation tools. This tool category interests me since it seems to provide a new approach to understanding your risk posture (hence a new angle to me), and seems to be growing fast. I spotted four companies at the conference and I know there are more.
At the top of the heap is SafeBreach. Prior to the conference I spoke with Itzik Kotler, Co-Founder & CTO of this SV-based start-up with links to Israel, named BlackHat Most Innovative Startup in 2016. He explained that the company’s groundbreaking platform provides a “hacker’s view” of an enterprise’s security posture to proactively predict attacks, validate security controls and improve a SOC analyst’s response. According to Itzik, SafeBreach automatically executes thousands of breach methods from an extensive and growing Hacker’s Playbook of research and real-world investigative data. It offers cloud, network and endpoint simulators that can detect infiltration, lateral movement and data exfiltration. SafeBreach is known for their research of hacker techniques to add to their Hacker’s Playbook, and at this Black Hat conference they presented some new research in the area of memory injection techniques. When SafeBreach researchers started researching the area of process injection in Windows in 2018, they thought there were only 6-7 fundamental techniques. It turns out they were way off the mark. SafeBreach now counts 20 techniques, so far, which they had to collect, extract, and analyze from websites, blogs, and papers. They showed in their presentation a mix-and-match library of all write primitives and execution methods that allow process injection users to generate “tailor-made” process injections.
Cymulate is another breach and attack simulation start-up with Israeli connections. I spoke with Tim Horigan, Director of Channels, who was manning the booth at the conference. Tim explained how Cymulate automatically identifies security gaps in one click and tells you exactly how to fix them. It covers several use cases for your SOC environment including a capability – Cymulate’s Immediate Threats Intelligence service – which alerts you automatically to test your security posture against the very latest threats detected in the wild by the Cymulate Research Lab and other industry sources. By running a simulation of the newest threats, you can check if you’re protected and apply the recommended actions. Cymulate also includes a Risk Score and report that details your up-to-the-moment security posture. Cymulate uses proven methodologies to evaluate cyber risk such as NIST RMF, CVSS V3, and Microsoft DREAD. I particularly liked the use case presented where Cymulate can be used to easily test and validate your company’s security posture after any sort of change, be it a software update, a policy change or newly-deployed technology.
ThreatModeler – I also stopped by the ThreatModeler booth. ThreatModeler offers an automated threat modeling solution that fortifies an enterprise’s SDLC by identifying, predicting and defining threats, empowering security and DevOps teams to make proactive security decisions. ThreatModeler™ provides a holistic view of the entire attack surface, enabling enterprises to minimize their overall risk.
AttackIQ – AttackIQ was also at the conference. I had seen them before at other conferences and got excited about their open approach. AttackIQ built the industry’s first platform enabling red and blue teams to test and measure the effectiveness of their security controls. With an open platform, AttackIQ supports the MITRE ATT&CK framework, used for planning security improvements and verifying defenses work as expected.
As I explained earlier, I was also on the hunt for innovative OT / IoT security solutions, especially ones that can cover the breadth of unique protocols and safety requirements found in OT environments. So part of Day 2 was devoted to this search. Two that stood out to me were Nozomi Networks and WootCloud.
Nozomi Networks – I attended a presentation by a few of their researchers. The researchers outlined some of the key challenges of OT environments such as insecure-by-design devices, limited asset health visibility, IT/OT convergence, and a shortage of security skills in this space. They also asserted that many OT devices today expose SNMP interfaces. Therefore, standards like IEC 62351, which define network and system management data object models, can be used to monitor the health of networks and systems, to detect possible security intrusions, and to manage the performance and reliability of the information infrastructure. This makes it possible for industrial security systems to increase their environment awareness by introducing an active interaction with the devices deployed inside the network. This new approach, according to the Nozomi researchers, opens an unprecedented number of detection scenarios not possible before, increasing the detection rate, providing better visibility during an incident and offering a cost-effective solution for distributed scenarios. Nozomi currently offers such a solution centered around its Guardian technology. Guardian monitors network communications and behavior for risks that threaten the reliability of your systems, and provides the information you need to respond quickly. Available as a passive monitoring solution, or a low-impact active solution with the Smart Polling™ add-on [SNMP], Guardian allows you to choose the asset discovery approach that best fits your organization.
WootCloud – One of my last stops of the day was at the WootCloud booth. The name alone brought me into the booth. There I met Srinivas Akella, Founder and CTO, who described WootCloud’s novel approach to asset discovery and security management for the OT/IoT environment. WootCloud is the only enterprise IoT security solution provider to leverage both the radio and network characteristics to identify assets and neutralize IoT threats. The WootCloud HyperContext Platform provides actionable insights by combining device context, network data and threat intelligence. It enables companies to understand risks from unmanaged, transient devices and enforce a unified policy across all their campuses. WootCloud is the industry’s only full spectrum visibility and analytics platform. The company’s scalable, agentless deployment capabilities, covering 100 percent of a network, enable actionable insights to detect behavioral anomalies faster at a lower cost. WootCloud was one of the select companies to win the prestigious 2017 TiE Silicon Valley Top 50 Startups Award.
So that completes my review of the innovative technology I found at Black Hat. I am sure there was lots more to find if I had had more time, so I will be looking for new capabilities again next year. And for my best in show? I am going to give that honor to bugcrowd. I was really impressed by its approach and quick growth as well as its concern over the trustworthiness of its researchers. The fact that there is an endless supply of vulnerabilities will likely make it a long run for this company as well. Till next time… Active Cyber™