Black Hat USA: Former CISA Director Says Cybercrime to Get a Lot Worse Before Better
Black Hat attendance is back to pre-pandemic levels.
The federal government has struggled with the balancing of market interventions with the desire of a capitalist economy to foster innovation, Chris Krebs said.
“If you ask the financial services industry, they say we’re regulated six days to Sunday,” he said. “But then it drops off.”
Even when the government regulates, they don’t do it right, Krebs said. More outcome-based regulation is needed when it comes to strengthening cybersecurity.
Congress also needs to get more actively involved in cybersecurity regulation, he said.
In terms of industry, leaders aren’t leading when it comes to cybersecurity, Krebs said.
“The CEO that understands cyber risk is few and far between,” he said.
Other issues impacting cybersecurity include workforce challenges and the lack of a technology-oriented curriculum in schools, Krebs said.
Krebs said he’s perplexed by the shortage of cybersecurity talent. According to a recent Fortinet report, the cybersecurity skills shortage continues to have multiple challenges and repercussions for organizations, including the occurrence of security breaches and subsequently loss of money.
“This career, it’s fun, it’s lucrative, we get paid pretty well in this industry, and it’s durable, we are going to be dealing with these challenges for the rest of our lives and perhaps the rest of human history,” he said. “It’s also really interesting stuff. The last six months alone of geopolitical risk colliding with cyber risk is fascinating. It’s also of national interest. It’s important what we do. We have to talk about that.”
With technology, there are going to be more things connected to the internet, Krebs said. In addition, there will be more things around you collecting and generating data, and becoming more complex, not less.
“The unthinkable complexity of cyberspace, we’re there right now,” he said. “So things are getting more complex, generating more data … but I’ll say this. We have a maturing industry producing and generating products that are solving problems, solving problems at the infrastructure. But are we solving at the pace needed?”
When discussing state actors, the conversation usually centers on China, Russia and North Korea, Krebs said. But every country on the planet is looking for capabilities for disruption.
And supply chain attacks like SolarWinds are going to continue to happen, he said.
There is improvement taking place on the government side, Krebs said. For example, CISA is being funded and given priority.
On the people side, leaders are getting smarter and increasingly tech native, he said.
“On the tech side, businesses have to have a set of principles, establish values of who you are as a company and how you accomplish that,” Krebs said. “If you are core to the fabric of the internet, which is core to the economy, you’re part of the national security community and you have to take security seriously. It has to be a board issue. And these are increasingly midmarket companies. You have to be thinking differently about your threat model.”
Additionally, companies need to continue to develop products that solve the hard problems that continue to persist, he said.
“And yes, it may impact the bottom line of security, but it’s more important,” Krebs said.
And last, business leaders need to plan beyond the next two quarters, he said. For example, a Chinese conflict with Taiwan is going to come to a head.
“So if you want to physically segment your networks in Taiwan, you need to do it now,” Krebs said.
Ultimately, it will come down to the “people in this room … to make the changes we want to see,” he said.
Jeff Moss is Black Hat’s founder and CEO. He said after 25 years, “you’d think most of security would be baked.”
“They figured out how to launch rockets and go to the moon, and we’re still trying to figure out — did you try turning it off and on,” he said.
Black Hat is focused on keeping the cybersecurity community growing, Moss said.
“How do we bring up the next generation, and encourage more inclusion and diversity?” he said. “And now we’re dealing with misinformation, disinformation and social impact. We need a lot more people in the room trying to explain what’s going on.”
Black Hat has been giving scholarships to encourage a more diverse population to pursue careers in cybersecurity, Moss said.
“We survived the first quarter century, and now where do we go from here?” he said.
Also during Black Hat …
Cybereason launched its new managed detection and response (MDR) mobile app that gives defenders the abilities of a security operations center (SOC) at their fingertips. With the Cybereason app, defenders can further reduce the mean time to remediation by suspending an attack’s lateral movement directly from their mobile device.
Mobile app features include:
Visibility anywhere/everywhere into detections.
Anytime access to dashboards and the ability to initiate responses from any mobile device, plus shared reporting/industry news to stay abreast of the latest tactics, techniques and procedures used by nation-state threat actors and cybercriminal ransomware gangs.
The ability to identify compromised machines in order to remediate and minimize downtime and workflow disruptions.
Around-the-clock contact with the Cybereason Global SOC to address potential threats and the ability to remotely initiate response actions with confidence.
Abigail Maines is Cybereason’s vice president of commercial and channel sales for North America.
“The mobile app is really a reaction to what we’ve been hearing both from our customers and our partners,” she said. “Basically what it does is effectuate efficacy and efficiency positioning of our MDR product, whether it’s delivered by our partners or ourselves. And basically this means instead of a CISO or a senior SOC personnel having to be in front of their system in the event of an incident, they will have visibility 24/7/365 on their phone, which is something they have not had from Cybereason before today.”
Partners and customers were also actively involved in the development of the app, Maines said.
“If you’ve seen any of our recent research … 50% of our customers that we surveyed don’t feel like they have the greatest capabilities for weekend/holiday/off-hours support,” she said. “So this is kind of our way of trying to empower them more with our tool. And all partners will equally benefit because that same alerting, visibility and flexibility afforded to customers will be afforded to them as well.”
Keeper Security was on hand at Black Hat to discuss its latest developments. It’s about to be certified FedRAMP Moderate, which will open new sales opportunities for it and its partners.
The Federal Risk and Authorization Management Program (FedRAMP) is a compliance program established by the U.S. government that sets a baseline for cloud products and services regarding their approach to authorization, security assessment and continuous monitoring. Any service providers that wish to offer products and services to the U.S. government must establish FedRAMP compliance.
Craig Lurey is Keeper Security’s CTO and co-founder.
“We already have our authority to operate (ATO) for certain departments of the government, but full authorization is coming any day,” he said. “We’ll be the only password manager that has this. It’s going to open the floodgates there. There are partners that focus on federal government, so they’re waiting on that. There are opportunities like a government agency or a public-sector company can still sign with us now; they can certify us and authorize our product, but it’s a lot simpler when the GSA marks you as certified. There are different statuses. This will be FedRAMP Moderate, and we’re going to then immediately go for FedRAMP High, which takes another year and that will be for classified levels and things like that.”
Keeper Security’s MSP market is rapidly growing, Lurey said.
“We have several thousand mostly small MSP partners where they’re mostly reselling to mom-and-pop businesses or where businesses are outsourcing their IT,” he said. “That’s growing.”
BreachQuest plans to roll out its Priori Platform later this year and gave us a sneak peek at Black Hat. The platform provides enhanced visibility and leverages defenders to proactively search for attackers before they gain a foothold.
BreachQuest was founded 17 months ago, and is focused on minimizing breach cost and reducing containment time.
Shaun Gordon is BreachQuest’s co-founder and CEO.
“We’ve done a few deployments with some design partners, and ultimately our goal is to redefine and transform the incident response process,” he said.
When BreachQuest started working on the Priori platform, it took apart what actually happens during an incident response, Gordon said.
“So if you take ransomware as the type of threat that we’re responding to, we looked at what has to happen, what are all the different steps,” he said. “And one of the biggest steps is actually sending a bunch of people to go and respond. And what we saw was a big opportunity to inject speed and scale in automation. Priori basically provides a bunch of different capabilities throughout that life cycle to accelerate the speed. So right now, according to 2022 IBM data, the containment time is 70 days. If you speak with large enterprises as we have, they tell you it’s actually much longer if you’ve got a large enterprise. That’s the average. And of course, the cost for responding to a breach is quite significant. So we think we can reduce that containment time by about 90%. So we’re excited about how that fight is going to go, but we haven’t yet introduced the product so limited to an extent on what I can say.”
MSPs, cyber insurance carriers and many other channel partners will be key to introducing Priori to the marketplace, Gordon said.
“With respect to MSPs, they’re delivering service, and they’re monitoring and responding to threats,” he said. “But what we find often — and it depends on which specific channel partner or MSP you’re speaking about — is many of them are more focused on the prevention and detection. And when it comes to response, if they saw it, then they can respond to it. But if they missed it, if it’s now an exploited attack that’s been successful, often you bring in either their internal digital forensics incident response team or you call in a third party, whether it’s Mandiant, CrowdStrike or Microsoft, somebody else. We’re really excited about bringing some of that capability … that provides speed. And in basically all of our conversations when it comes to post-exploitation, there is very limited automation capability that we’ve seen.”
Also at Black Hat, a coalition of cybersecurity and technology providers announced an open-source effort to break down data silos that impede security teams. The Open Cybersecurity Schema Framework (OCSF) project aims to help organizations detect, investigate and stop cyberattacks faster and more effectively.
Amazon Web Services (AWS) and Splunk conceived and initiated the OCSF project. It includes contributions from 15 additional initial members. Those include Cloudflare, CrowdStrike, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Trend Micro, Zscaler and more. All members of the cybersecurity community are invited to utilize and contribute to the OCSF.
Patrick Coughlin is Splunk’s security market vice president.
“Security leaders are wrestling with integration gaps across an expanding set of application, service and infrastructure providers, and they need clean, normalized and prioritized data to detect and respond to threats at scale,” he said. “This is a problem that the industry needed to come together to solve. That’s why Splunk is a proud member of the OCSF community. Security is a data problem and we want to help create open standard solutions for all producers and consumers of security data.”
As cybersecurity solution providers incorporate OCSF standards into their products, security data normalization will become simpler and less burdensome for security teams. OCSF adoption will enable security teams to increase focus on analyzing data, identifying threats and defending their organizations from cyberattacks.
Mark Ryland is director of AWS’ office of the CISO.
“Having a holistic view of security-related data across tools is essential for customers to effectively detect, investigate and mitigate security issues,” he said. “Customers tell us that their security teams are spending too much time and energy normalizing data across different tools rather than being able to focus on analyzing and responding to risks. By increasing interoperability between tools, the OCSF aims to greatly accelerate our customers’ ability to understand and respond to cybersecurity concerns. Security is our top priority at AWS, and we are excited to work with the OCSF community to drive industry standards that make it easier for customers to operate more securely.”
Former Cybersecurity and Infrastructure Agency (CISA) director Chris Krebs says when it comes to cybercrime, things are going to get a lot worse before they get better.
Krebs was the keynote speaker on the first day of Black Hat USA 2022. The event, which marks the 25th year for Black Hat USA, has drawn attendees from 111 countries. The event is back to pre-pandemic levels with tens of thousands of attendees.
In his keynote, Krebs focused on three questions when it comes to cybercrime: “Why is it so bad right now? What do you mean it’s going to get worse? And what are we able to do to contribute to solve the problems in front of us?”
“There are four main reasons why it’s so bad,” he said. “That’s the technology, bad actors, the government and us as people.”
Regarding technology, the business benefits of insecure products outweigh those of secure products, the former CISA director said.
“Businesses are focused on efficiency,” he said. “They see us as slowing them down. Security is seen as a friction.”
In addition to the ever-growing proliferation of insecure products, there is increasing complexity, particularly in the cloud, Krebs said.
Some Good News
Krebs said there is some good news. “We have a vibrant, robust ecosystem, and vendors are addressing some of the underlying vulnerabilities,” he said. But it’s not enough.
In terms of attack surface, there are opportunities for the bad guys to come in and get what they want, he said.
“Over the last couple of years, the biggest falling down of government and industry is ransomware,” Krebs said. “The bad guys figured out how to monetize vulnerabilities.”
If you’re on the internet or email, you’re “on the playing field” for cybercriminals, he said.
“The threat actors at the top understand the shifts in our business,” Krebs said. “They understand we’re making things more complex, relying on software updates. Companies that are shipping products are the target. If you’re hosting, you’re the target.”
And adversaries are targeting the supply chain because that’s where the access is, he said.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.