In today’s installment of “It’s April May and I’m still catching up on RSA 2020,” I wanted to explore a theme that I encountered repeatedly during the conference: the analysis of data to detect otherwise invisible threats and vulnerabilities. The industry has moved well past the detection of known threats. That’s a given, “table stakes,” as some might put it. What matters now is the ability to see things that are not easily seen.
The whole enterprise brings to mind a popular Cold War insult that I’m old enough to remember. When you worried that that Soviet influence was pervading seemingly innocent area of American life, you’d be dismissed with the remark, “You’re seeing reds under the bed.” It was a paranoid time, so we can be forgiven for thinking KGB agents were spiking the ketchup at the local hamburger joint. Yet, that’s where we are, more or less, with cyber threats today. They’re everywhere and potentially anywhere.
It takes some pretty sophisticated technology to detect the presence of hackers who wish to remain out of view. Many vendors are doing this, but a few stand out for innovation and effectiveness. Corelight, for example, has developed ways of enriching network traffic data to detect “tells” in encrypted data that suggest that malicious behavior is underway.
“Data encryption is at once totally necessary and a huge nuisance, at least for the purpose of detecting hackers,” said Gregory Bell, Corelight’s CEO. “Yet, even in encrypted form, you can spot bad things happening on your network if you can train the system to look for suspicious patterns. We think of this as shining a light onto the core of your network. Hence, our name.”
“Data encryption is at once totally necessary and a huge nuisance, at least for the purpose of detecting hackers,” said Gregory Bell, Corelight’s CEO.
Corelight refers to this as “opinionated data.” Their solution can identify cryptomining and port scanning, for example, using this technique. “We can usually tell if a human being is interacting with a machine during an encrypted session, or if it’s another machine,” Bell added. “That’s a useful thing to know.” Corelight also allows third parties to design solutions for further detection capabilities. “We’re a community that’s continually amazed by the inventiveness of our members. It’s astonishing what you can accomplish if you invite smart people to join your efforts.”
XM Cyber, whom I have written about previously, approaches threat detection from a different direction. Their solution is essentially a continuous red/blue team attack simulator. They constantly scan the client’s infrastructure, looking for hard-to-spot vulnerabilities like cached credentials on servers and unpatched applications. They also work continually on identifying evidence of Advanced Persistent Threats (APTs) hiding inside the infrastructure.
Now, however, XM has expanded its reach into the cloud. As commentators at this year’s Cloud Security Alliance conference noted, cloud security is challenging—and gets more difficult the deeper you get into the cloud. XM is applying its continuous attack simulation process to cloud assets. It looks further than the basic misconfiguration issues like the AWS S3 deficiencies that allowed Capital One customer data to leak.
“How are you going to tell if an attacker steals your S3 access key?” asked Menachem Shafran, XM’s VP of Product. “They can get root and move across your cloud environment, from dev to production before you have the faintest clue about what’s going on. That’s the kind of thing we can detect.” XM is also able to tackle threat detection in serverless cloud architectures, which is particularly difficult. “How can you scan a server that isn’t there? It can be done. You have to understand how attackers make themselves invisible. Then, you can look for little telltale signals that there’s an invisible man, so to speak, wandering around your cloud instances.”
“How can you scan a server that isn’t there? It can be done. You have to understand how attackers make themselves invisible.” – Menachem Shafran, VP of Product at XM Cyber
Cyberint takes yet another approach in threat detection. Their solution augments basic internal threat hunting with analysis of third-party risk and publicly available information. “What we’ve found is that even a disciplined security team can struggle to spot third-party or public risks,” said Daniela Perlmutter, Cyberint’s VP of Marketing. “There are only so many eyeball-hours a day, if you will. Without some AI-driven help, you’re going to miss some potential issues.”
“There are only so many eyeball-hours a day, if you will. Without some AI-driven help, you’re going to miss some potential issues.” – aniela Perlmutter, VP of Marketing at Cyberint
Open web interfaces are one example, Perlmutter explained. Supplier-based risks are another. Abandoned domains are also an emerging area of vulnerability, according to Perlmutter. “Let’s say your business is called Acme, Inc. For Mother’s Day, you buy a URL called AcmeMothersDaySale.com. After Mother’s Day has come and gone, everyone forgets about it and the URL goes up for sale—and a hacker buys it. All of a sudden, they have this seemingly legitimate, readymade platform for stealing your customer data and committing fraud in your name. Our solution scans the universe looking for these sorts of threats and vulnerabilities.
These solutions are not magic bullets. They each have to be adapted to their customers’ use cases and tuned according to unique parameters in each setting. Their goals are to make security operations more efficient and effective by reducing false positives and identifying the most serious issues for the fastest response. There may indeed be “reds under the bed” in today’s cyberspace. Finding them is a critical aspect of maintaining a security posture.