12 Most Exciting Cybersecurity Technologies To Watch At Black Hat 2019

CRN asks 12 executives, sales and technical leaders attending Black Hat 2019 which cybersecurity technologies they're most excited to see come to fruition and how customers and solution providers will benefit.

Best Of The Bunch

C-suite executives, technical leaders and sales leaders attending Black Hat 2019 are most excited about technology innovations that enable customers to get more out of their existing security investments, increase visibility or reduce the size of the attack surface, or address challenges around securing non-IT based devices.

Cybersecurity leaders told CRN they're particularly focused on how machine learning, analytics and automation can be used to detect and remediate threats, as well as how embracing APIs and bridging the gap between structured and unstructured data can be used to facilitate greater orchestration.

From detecting anomalies in applications to probing privacy questions around artificial intelligence to ensuring viral content can't be weaponized, here's a look at 12 cybersecurity technologies Black Hat 2019 attendees are most excited to see come to fruition.

Infusing Privacy Into Artificial Intelligence

The cybersecurity industry needs to put in guardrails for artificial intelligence so that organizations can fully trust it as a tool in their arsenal, according to Darren Shou, Symantec's vice president of strategy and head of research.

If an AI model is trained using personally identifiable information or personally sensitive data, Shou said it will still remember the private data even if the database is purged. Companies need to find a way to remove the influence of a problematic data point or data points without losing functionality or having to retrain the entire model, according to Shou.

In addition, AI models need to have a way to better communicate the factors that influenced them to make a particular decision, as well as the ability to say “I don't know” if the models are uncertain. AI models use co-occurrence far more frequently (i.e., if there's a ball of yarn near an animal, the animal is probably a cat) than humans when making classification decisions, Shou said.

Integrating Different Data Types, Sources

Bringing structured and unstructured data together is very difficult because machines designed to synthesize computer-generated telemetry such as logs typically struggle with parsing human-generated data such as Word documents, according to Christopher Day, Cyxtera's chief cybersecurity officer.

Similarly, Day said IoT devices tend to behave very differently than IT systems when it comes to the type of data emitted from industrial control or manufacturing-based systems. In fact, attack surfaces are often getting bigger rather than smaller, Day said.

As the use of encryption becomes increasingly ubiquitous, Day said network-based detection systems are struggling to figure out how to act because all they see is a bunch of encrypted traffic. These systems need to get telemetry and instrument action out of the environment, Day said, and are looking to tie the existing data to users, applications and behaviors.

Broader Uses For Analytics

Over the past two years, machine learning and analytics have evolved from being done in niche verticals or being included as part of a bigger offering to having broad uses and applications and being a core element, according to Paul Calatayud, Palo Alto Networks' chief security officer for the Americas.

Analytics makes it possible for technologies to be self-responsive and improve on their own without any human intervention or updates required. For instance, Calatayud said analytics can be coupled with automation to detect and respond to anomalies with high levels of efficacy.

The biggest greenfield Calatayud sees for analytics is around operational technology and the Internet of Things where traditional infrastructure has struggled to understand these proprietary or unique systems. Analytics can be particularly helpful in allowing companies to understand the disruption that's happening outside IT in areas such as IoT, medical devices, BYOD and 5G, Calatayud said.

Orchestrating Across Clouds

Customers are in need of a neutral party to orchestrate across their multi-cloud and hybrid cloud models to strengthen and operationalize their monitoring, visibility and inspection capabilities, said Haiyan Song, Splunk's senior vice president and general manager of security markets. As the APIs used by the industry get more mature and expansive, Song said more granular and in-depth automation and orchestration have become possible.

In an API-less world, Song said organizations would have to customize integration through scripts or manual processes. APIs are therefore the true enabler in allowing for orchestration and automation to happen because they make it possible to inquire about the status of what's going on and issue commands to take action, Song said.

Although opening up APIs and cloud logs is rarely a developer's first thought, Song said public cloud providers such as Amazon Web Services are increasingly realizing that they need to provide logs and events for what's happening in their systems so that businesses are able to monitor it.

Bot Identity Protection

Non-security organizations in the consulting space have built chatbots to automate their customer support process, but also end up broadening their attack surface and creating a natural weak point, according to Chad Holmes, Optiv's chief services and operations officer.

Digital identity tools need to be able to manage bot IDs more proactively and should ultimately treat them the same way as human identities, putting access controls, authentication procedures, anomaly detection and tripwires into place.

Bot identities are considered trusted, Holmes said, and therefore have access and approval on the localized system as well as master controllers, which could lead to widespread damage in the event of a compromise. At the same time, Holmes said most organizations want bots to have access to data that wouldn't be necessary for a human to access.

Simplified Threat Remediation

The cybersecurity industry has focused too much on cutting-edge detection capabilities and has largely overlooked basic hygiene tasks such as patching known vulnerabilities and addressing the risk posed by phishing, according to Mimecast COO Ed Jennings.

Companies with smaller or less sophisticated security teams primarily need help with simplifying remediation and getting the fundamentals right, Jennings said. Endpoint and email gateways need to have their own automated remediation functions, he said, so that companies can carry out tasks like removing malware from hundreds of desktops and addressing PowerShell scripts in a less clumsy manner.

More sophisticated evasion techniques and new identity-based threats using zero-day models have made rapid remediation paramount so that the pernicious threats don't linger, Jennings said.

Anomaly Detection For Applications

Anomaly detection for the application layer is likely to become the next billion-dollar cybersecurity market because it's very challenging from a technology perspective to baseline app behavior and identify app-based threats by using prior knowledge and machine learning, according to Steve Quane, Trend Micro's executive vice president of enterprise and hybrid cloud solutions.

The bread and butter of DevOps tools is identifying and calling out lines of incorrect code because, from a configuration and vulnerability standpoint, an insecure piece of code makes the whole organization liable, Quane said.

The rapid pace of change has made this difficult, Quane said, because businesses are attempting to automate in a rapidly changing infrastructure. The challenges have brought practitioners from different parts of the IT organization together, Quane said, with container developers and microservices users now able to talk more freely about business logic and security experts now talking about OSes.

Endpoint Detection And Response For Midmarket

Endpoint detection and response (EDR) technology makes it possible to stream data from each endpoint and make access determinations on more of a real-time basis, according to Malwarebytes CEO Marcin Kleczynski. By coupling detection and response capabilities together, Kleczynski said organizations are able to block whatever threats they can and understand the threats they can't.

Strong EDR tools provide threat hunting and process graphing while isolating threats such as a reverse shell, Kleczynski said. But conventional EDR tools were designed for large enterprises that have personnel on-site to respond to complex queries, according to Kleczynski.

End users shouldn't have to run custom SQL queries against their own data, which Kleczynski likened to attempting to stuff five-pound columns into a backpack. Midmarket companies need EDR capabilities that can be managed as well as automatically generated alerts for items that appear suspicious, he said.

Cloud-Native Security

As more data moves to the cloud, there's an increased need for sophisticated techniques such as encryption and tokenization to safeguard it, according to John Delk, general manager of Micro Focus' security and information management and governance product groups.

Key management will be a big piece of the puzzle, Delk said, with organizations needing to decide if they trust their cloud providers to also manage and hold the keys, making them the single source of truth. That means, however, that the user's keys are at the cloud provider's mercy if they're hacked, Delk said.

Businesses will need to determine how much control over security they're willing to relinquish in the cloud, and if there are configurations or ways to maintain the level of control they'd like to have, Delk said. Delk expects to see quite a bit of development in the near future around what best practices for native cloud security and key management look like.

Speed Bump For Viral Content

The potential of large-scale viral applications to impact human behavior is scary, as evidenced by the millions of people who were willing to surrender rights to their likeness in perpetuity to use FaceApp's image aging feature, according to Sean Convery, ServiceNow's vice president and general manager of security and risk.

The interaction of human psychology with rapidly proliferating apps could be very dangerous in the hands of a determined adversary, Convery warned. For instance, a viral app might be able to briefly sneak into an app store despite behaving maliciously when capturing user data, passwords or other user-generated inputs.

A speed bump to pause or slow down the rapid downloading of a viral application until the security implications are fully fleshed out could be very beneficial from a protection standpoint, Convery said. Such a feature would be used in a very limited number of cases, Convery said, where the app has come out of nowhere to become incredibly popular and the origins of said application are unclear or murky.

Quantifying Risk In Business Terms

Most cybersecurity professionals still aren't talking about risk being built correctly because they're not considering the actual loss associated with certain events taking place, according to RSA CTO Dr. Zulfikar Ramzan. CISOs are often asked by their board of directors which assets are the most important to protect, but Ramzan said this can be a difficult question for them to answer because the CIOs own the data.

The problem has become even more complex, Ramzan said, as the notion of an asset changes to include more ephemeral objects such as a container that disappears after 17 seconds. Organizations should be leveraging automation to track critical assets, Ramzan said, with a focus on identifying any threats against critical assets that would be expected to result in a high-loss event.

The most successful CISOs tie security capabilities to business requirements or concepts such as exposure to loss, brand reputation and return on investment, according to Ramzan. Boards have been far more interested in breaches over the past half-decade, Ramzan said, as regulatory authorities began holding directors accountable for massive breaches rather than just the CIO.

Autonomous Security Operations Center

The current state of analysis for detection and response tools forces the customer or solution provider to triage the incident and ultimately understand and decide on a remediation action, according to Israel Barak, Cybereason's chief information security officer. But in the future, Barak anticipates that the vast majority of triage, response and remediation work will be done autonomously.

This should make a huge difference in how organizations scale, enabling managed service providers to serve a much larger set of customers and reverse the adversary advantage at the base. "We need technology that can respond more quickly to an incident than a hacker can hack," Barak said.

Businesses should adopt detection and response technology that can make sense of the data, understand it from an enterprisewide perspective, and take action on its own to remediate an attack, Barak said. At the same time, EDR tools should keep the human at the center of the nexus for the deal, and make it so that humans can intervene if the level of entrants exceeds a certain threshold, Barak said.