This year’s Black Hat USA conference was bigger and badder than ever, with attendance up nearly 30% according to show organizers. Of all the security conferences, Black Hat has the clearest divide between the technical practitioner side and the security vendors, and the main themes varied depending on which side of the divide you were standing on. From the practitioner side, these ranged from enhancing technical skills (excellent training) to strategies and threats, to leadership and alignment with the business. The instructors and presenters were world class, the content was superb, and thoughtfulness and creativity were everywhere.
All good for the practitioners and kudos to the organizers. On the vendor side, things were a little more nuanced.
When you looked past the games of Whack-Attack (think Whack-A-Mole), virtual reality DDoS attacks and artful body paint, two schools of thought seemed to be emerging. One is rooted in promising, high-potential technologies and the future. The second is rooted in pragmatic technologies and the present. Both acknowledge the problem of modern threats, but only one is practical and ready for enterprises, which need a technology framework today that will stand the test of time.
To illustrate the divide, here is the state of endpoint cyber security:
The endpoint is where the cyber action is; adversaries attack endpoints:
- Unknown attacks – zero days, APT, ransomware, EK attacks on unpatched systems – defeat defenses by using in-memory attack techniques
- Current tools are mostly based on file detection and are ineffective against these
- Patching is always behind; it is also disruptive and costly
- Prevention must be a larger part of the security mix
- Enterprises should think about an effective and efficient, optimized stack
- AV and whitelisting work well against non-memory attacks, but need augmentation
- The personnel cost of the detect and respond model is unsustainable
- The memory and exploit mitigation tools are too complex to be practical
So in-memory attacks are a central problem to solve.
The promise school’s solution is big data, AI, and next-gen all-in-one tools to replace AV. They argue that the cost to operationalize and manage them, define rules, and integrate them into operations will pay off someday. They assume that the AV players are just sitting back doing nothing and that customers will readily dump them. Even if the technology eventually improves enough for an ROI, we still disagree with this view: there is too much overlap, not enough focus on the really hard things to protect against, it is labor intensive, and it puts the burden of failure on the buyer.
The pragmatic school says the technologies for improvement already exist. The approach is effective and efficient. Don’t change what works; it is fit for purpose – i.e. catching the known run-of-the-mill stuff. Augment AV and whitelisting with a tool that addresses unknown, evasive, file-less, persistent and non-persistent in-memory attacks. This will close the hard-to-solve in-memory gap, avoid disruptive changes, and improve the total security and operational picture. This is our school. Costs are low and vendors have skin in the game.
This is a modern form of an old question. Is it better to consolidate vendors and choose shotgun solutions that are mediocre, getting vendor and operational simplicity in return? Or select best of breed and face the challenge of managing multiple vendors, getting high performance in return?
But in security, performance rules. The best-of-breed solutions already exist – most enterprises already have several of them – and can easily fit into the enterprise without changing policies or processes. And interestingly, they are more manageable than next-gen tools.
Morphisec Moving Target Defense is a good example. It is easy to add to pretty much any stack, prevents in-memory attacks including zero days, APT and ransomware, and adds essentially no overhead on the endpoints or operating costs for the customer. Conceptually, a high-performance, lean-and-mean stack would consist of AV + Morphisec + App Control, closing the endpoint against both known and unknown, targeted and non-targeted, drive-by, file-based and file-less viruses, malware and advanced attacks.
This offers the benefits of the next-gen outcomes advertised by the promise school without the wait or the vendor/technology risk. That is, use best-of-breed solutions available now and obtain better-than-next-gen-caliber security outcomes today. We thank Black Hat for the chance to learn from the best and watch the pragmatic, best-of-breed school capture more hearts and minds.