
9 disruptive security plays from RSAC 2019

Jason Bloomberg, President, Intellyx

Bad actors have always had the edge in cybersecurity. After all, the good guys have to secure everything, while the bad guys need to find only one vulnerability.

Given the appalling number of breaches over the years, it's clear that the established crop of cybersecurity products isn't up to the task of changing this equation and putting the good guys on top.

When I attended this year's RSA Conference, therefore, I looked for those exceptionally disruptive technologies that promise to turn the tide. Here are my top picks.


AI everywhere

Perhaps the hottest buzzword at RSA was artificial intelligence (AI). It seems every vendor has some AI angle or another, and it's hard to tell which ones are providing differentiated value and which are simply blowing smoke.

Where AI is beginning to make a difference in the cybersecurity world is in helping to identify malicious behaviors. Bad actors may come in various shapes and sizes, but their goals all conform to a rather short list—steal valuable data, take control of systems, or even cause sabotage.

Several vendors are now leveraging AI to identify such behaviors—or more precisely, to separate them from the normal, day-to-day behaviors that characterize business as usual, and also to differentiate malicious behaviors from benign anomalies that lead to false positives.

The AI-based vendor that stood out from the pack is Blue Hexagon. Unlike most other cybersecurity vendors that leverage machine learning, Blue Hexagon has figured out how to use deep learning to identify threats in near real time.

Just as with image recognition—where showing the AI enough pictures of cats enables it to recognize cats it has never seen—Blue Hexagon has trained its deep-learning tech to recognize threats based on goals. And this is regardless of the actions the threat actor takes to achieve such objectives.

Blue Hexagon is thus able to identify even the slipperiest polymorphic threats and zero-day attacks that slip past more conventional technologies, and it promises to set the standard for the role AI should play in cybersecurity.


Next-gen authentication

Everybody knows that passwords don’t work. What to replace them with, however, is an open question.

Unsurprisingly, passwordless authentication was a hot topic at RSA this year. Not simply biometrics—although that is certainly part of the story—but, rather, increasingly sophisticated approaches to identify individuals when they attempt to access a device. Tells can range from the pressure they apply to a keyboard to the ambient noise that reaches their phones.

A number of vendors leverage such behavioral fingerprinting to skip the password step, but one vendor stands out for its ability to go well beyond such fingerprinting. Acceptto leaves other passwordless approaches in the dust with an end-to-end approach it calls "cognitive continuous authentication."

Cognitive continuous authentication not only takes user behavior into account, but can also incorporate environmental characteristics such as ambient noise or the magnetic signature of a building to recognize authorized users. And more important, the system uses these factors to generate tells that a user is suspicious, even after that user has obtained access to a system.

The goal of Acceptto's technology is to use behavioral modeling to reduce friction for authorized users, thus improving the customer experience, while stopping the bad guys in their tracks.


Zero-trust computing

Acceptto's approach falls into the category of zero-trust computing, another hot buzzword at RSA this year. With zero-trust computing, an organization assumes every actor is malicious until proven otherwise.

While Acceptto focuses on users, the Paranoid technology from Nyotron, with its operating system-centric positive security, acts as the last line of defense for endpoints. This positive security model defines what constitutes good behavior and rejects everything else.

As a result, Nyotron is both threat- and user-behavior-agnostic, and it prevents zero-day attacks as well as familiar threat vectors, taking a zero-trust approach to application behavior.

Virsec follows a similar zero-trust model to Nyotron's, but at a much deeper level. Virsec understands how applications are supposed to behave at the CPU instruction and memory level—the lowest level of computing.

As a result, Virsec can detect and prevent malicious behavior from any source, from interpreted and compiled binary code to application processes, file systems, and even the microcode that sophisticated attacks such as Spectre and Meltdown target.

Essentially, Virsec provides trusted execution of all types of code, ensuring safe execution regardless of the nature of the threat. In fact, Virsec can even protect against code running with unpatched vulnerabilities, thus offering a type of "virtual patching" that compensates for such weaknesses until the organization can apply a formal patch.

Behavior analytics

While Acceptto looks at user behavior, and Nyotron and Virsec analyze application behavior, vendors such as Securonix do both.

Securonix offers a Hadoop-based, next-generation security information and event management (SIEM) platform that collects and enriches data, detects unknown threats via machine learning, and then provides incident response via automated mitigation.

The way Securonix enriches event data is at the core of the vendor's user and entity behavioral analytics (UEBA). It takes raw log information and adds user and asset context to the event, regardless of whether a user or an automated action generated the event.

Securonix then creates event chains that provide even greater context to suspicious events by linking them together over time. In this way, security analysts can better identify and prioritize true risks while avoiding the false positives that plague first-generation SIEM tools.
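To make the enrichment-and-chaining idea concrete, here is an added example (my own illustration, not Securonix code or its data model): constructed log lines are enriched with user and asset context, linked into per-user chains by time proximity, and scored so that a chain ending in a bulk export from a high-criticality host outranks an isolated login. The context tables, weights and log format are all assumptions.

```python
from datetime import datetime
from collections import defaultdict

# Constructed context tables (hypothetical stand-ins for HR and asset-inventory feeds).
USERS = {"alice": {"dept": "finance"}, "svc-backup": {"dept": "it"}}
ASSETS = {"db01": {"criticality": "high"}, "wiki": {"criticality": "low"}}
WEIGHTS = {"login_fail": 1, "login_ok": 0, "export": 3}   # per-action base risk (assumed)

# Constructed sample log lines in a key=value format (not from any real system).
RAW_LOGS = """\
2019-03-05T09:58:00 action=login_fail user=alice host=wiki src=10.0.0.5
2019-03-05T09:58:20 action=login_fail user=alice host=wiki src=10.0.0.5
2019-03-05T09:59:00 action=login_ok user=alice host=db01 src=10.0.0.5
2019-03-05T10:01:00 action=export user=alice host=db01 src=10.0.0.5 bytes=50000000
2019-03-05T10:30:00 action=login_ok user=svc-backup host=db01 src=10.0.0.9
""".splitlines()

def parse(line):
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def enrich(ev):
    """Attach user and asset context so the event is more than a bare log line."""
    ev["user_ctx"] = USERS.get(ev["user"], {"dept": "unknown"})
    ev["asset_ctx"] = ASSETS.get(ev["host"], {"criticality": "unknown"})
    return ev

def build_chains(lines, window_s=600):
    """Link each user's events over time; a gap longer than window_s seconds starts a new chain."""
    by_user = defaultdict(list)
    for ev in sorted((enrich(parse(l)) for l in lines), key=lambda e: e["ts"]):
        chains = by_user[ev["user"]]
        if chains and (ev["ts"] - chains[-1][-1]["ts"]).total_seconds() <= window_s:
            chains[-1].append(ev)
        else:
            chains.append([ev])
    return by_user

def score_chain(chain):
    """Sum action weights, doubled when the target asset is high-criticality."""
    return sum(WEIGHTS.get(e["action"], 1) * (2 if e["asset_ctx"]["criticality"] == "high" else 1)
               for e in chain)

def prioritised(lines):
    """Return (user, score, actions) tuples, riskiest chain first."""
    return sorted(((u, score_chain(c), [e["action"] for e in c])
                   for u, chains in build_chains(lines).items() for c in chains),
                  key=lambda t: t[1], reverse=True)
```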

Automated, adaptive intention

Manually configuring a complex enterprise IT environment requires the constant attention of a team of people. As such environments grow in complexity, the chances of human error, out-of-date policy configurations, or simple oversights increase.

This problem is especially prevalent with enterprise cloud deployments, as it becomes humanly impossible to properly configure all of the policies and controls across a diverse, ever-changing cloud landscape manually.

ShieldX addresses this situation with its "adaptive intention engine," microservices-based technology that can automatically define and enforce a comprehensive cloud security strategy.

ShieldX automatically updates policies and controls whenever security policies or the environment changes, making it effective for achieving secure cloud migration and in hybrid, multi-cloud scenarios. It also offers "elastic security" that automatically applies security policies, regardless of data and application movement or scaling.

Protecting data in use

Encryption is wonderful for protecting data, but it has always had an Achilles' heel: You need to decrypt data to do anything with them, and thus they become vulnerable at that point in time.

Encryption can secure data at rest and data in motion, but Enveil has figured out how to protect data in use as well.

Enveil leverages homomorphic encryption, a mathematics-heavy technique that allows processing of encrypted data while leaving it in its encrypted form.

Homomorphic encryption has been an academic curiosity for a number of years now. Enveil's core innovation is making it practical and scalable.

Enveil's technology is of particular interest among data aggregators, since the technology allows users to perform both simple and complex searches on encrypted data without the need to decrypt them. This protects the security of the information while simultaneously allowing users to extract value from it.
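As an added illustration of what "processing encrypted data while leaving it encrypted" means (my own example, not Enveil's scheme or code), the block below implements the Paillier cryptosystem, which is additively homomorphic: anyone holding only ciphertexts can add them and multiply them by a constant, and only the key holder learns the result. The primes are constructed toy values chosen for readability and are far too small for real use.

```python
import math
import secrets

# Constructed toy primes: far too small for real use, but they keep the numbers readable.
P, Q = 10007, 10009
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1), the private key
G = N + 1                                            # standard generator choice

def _L(x):
    return (x - 1) // N

MU = pow(_L(pow(G, LAM, N2)), -1, N)   # precomputed decryption constant (private)

def encrypt(m):
    """Paillier encryption: g^m * r^n mod n^2 with fresh randomness r, so equal
    plaintexts give different ciphertexts."""
    assert 0 <= m < N
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (pow(G, m, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    return (_L(pow(c, LAM, N2)) * MU) % N

def add_encrypted(c1, c2):
    """Multiplying ciphertexts adds the plaintexts; no key needed."""
    return (c1 * c2) % N2

def scale_encrypted(c, k):
    """Raising a ciphertext to k multiplies the plaintext by k; no key needed."""
    return pow(c, k, N2)

def encrypted_total(ciphertexts):
    """Aggregator-side tally over ciphertexts it cannot read (only the key holder can)."""
    total = encrypt(0)
    for c in ciphertexts:
        total = add_encrypted(total, c)
    return total
```

Paillier supports addition only; the general searches the text attributes to Enveil require richer (and heavier) schemes, which is exactly the practicality gap the section describes.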

Offensive cybersecurity

Finally, vendors and security professionals alike are coming to realize that the best defense is likely to be a good offense—battling the adversaries on their own turf. Deception technologies are among the most mature of these offensive cybersecurity approaches.

Today's deception technologies such as that from Attivo Networks are coming into their own, moving beyond simplistic honeypots that seek to lure attackers to bogus targets. Instead, they provide fully realistic environments—from the browser down to the network—to lure attackers in, minimizing damage while gathering intel on their identities and modus operandi.

Honeypots fool attackers into falling into simple traps. In contrast, there is nothing simple about Attivo's deceptions. Customers can deploy Attivo to mimic any part of their infrastructure, from their endpoints to applications to databases and more.

An attacker with a stolen credential, for example, might believe it has accessed a server, but in reality, Attivo caught it at the login step with a fake Active Directory instance—and tracked the attacker's behavior from there.

Eventually, attackers get wise that they have been detected, but they are typically unaware that they have fallen for deception technology. Meanwhile, their target victim has mitigated any potential damage, and, for good measure, logged all their interactions for forensic purposes.

While deception does fall into the offensive category, some approaches are more clearly in-your-face offensive. XM Cyber falls into this category.

XM Cyber essentially runs attack simulations that uncover vulnerabilities in its customers' live environments. Thanks to this vendor, red teams are moving beyond traditional, one-off penetration testing to AI-driven, continuous vulnerability discovery. (Red teams are independent or semi-independent groups who take on the role of adversary to probe an organization's defenses.)

The vendor combines this automated red team technology with blue team (defensive) approaches. This creates a purple team approach that both identifies vulnerabilities and then puts together a remediation plan.

Enterprises still require red and blue teams, but XM Cyber acts as a force multiplier, empowering such teams to focus on high-value activities around the protection of critical assets.

Have we turned the tide?

What's absent from this review of key cybersecurity innovations is any mention of the innovations on the other side. When will the bad actors begin to leverage AI in earnest? Can they turn behavior analytics against their targets to better understand how the good guys' behavior still leaves them vulnerable?

It's difficult to say. Bad actors have many of the cards stacked in their favor, but enterprises can at least count on the fact that attackers are usually trying to achieve the same set of objectives.

Despite their advantages, therefore, our adversaries have a weakness that today's most disruptive cybersecurity vendors are only too happy to capitalize on.
