London’s premier cybersecurity conference took place this week at Earl’s Court and I was happy to attend once again to get some face time with some of the people behind the security firms. There’s a definite trend this year that is moving quickly towards the offensive side of security. ‘Intelligence’ has featured much more prominently than last year. It’s a convenient catch-all: it covers a growing range of solutions that fit under the umbrella term without necessarily competing in the same space. In a way, it is indicative of the saturation of the current security vision of ‘defend and react’. Intelligence is being applied both outwardly, into hostile attack territory, and inwardly, on a proactive, preemptive basis.
Threat intelligence is clearly leading the pack. Originally of interest mainly to big tech, defense contractors and financial institutions, information about threat groups and complex attack campaigns took time and resources to gather. Now intelligence is becoming more readily available and affordable to SMEs. A number of interesting startups, notably emerging from the innovative Israeli cybersecurity scene, are playing into this new cyber intelligence market.
SenseCy sources its intelligence directly from underground markets through analysts who have infiltrated them, and provides it as feeds tailored to specific demands (technical, regional, group, industry). Cybertinel analyzes internal threats on agent endpoints to pull information such as behavior, source, history and creator; a mix between the traditional antivirus approach and forensic science. Cupertino-based Bromium also tackles the endpoint protection market but has focused on micro-virtualization technology to create hardware-isolated micro-VMs for the various user tasks. This feature is coupled with its live attack visualization and analysis application to scrutinize malware in real time.
As intelligence is increasingly turned inwards, the next step has been to offer an actionable analysis of attack patterns and vectors within organizations in order to improve defensive and responsive mechanisms. This has become particularly popular with the vexing issue of zero days. The idea is to dissect an attack to extract the relevant information that can then be acted upon in a timely fashion. If the context of an attack is better understood, then security can be fine-tuned dynamically to improve defensive posture and mitigate the fallout.
Interestingly, the intelligence prized at the moment is all about internal processes - networks, databases, applications, users - and primarily about how they operate and interact with each other. Network visibility and management play into this intelligence space. Understanding what’s going on within an organization is key given the current cloud/BYOD rage. A lot of the security offerings touted at Infosec addressed precisely this issue. The aim is to see, discover, monitor, track, log, score, rank, react to and learn from both static and dynamic processes. Profiling and risk scoring are popular features within these types of solutions.
CipherCloud, for example, offers a risk scoring mechanism for cloud applications. When combined with its machine-learning algorithm for monitoring and analyzing user profiles, it can effectively track interactions with applications and alert on suspicious or unauthorized behavior. Tripwire offers a broader vulnerability scoring metric in its vulnerability and risk management solution to prioritize remediation. This risk analysis feature is a legacy asset from the nCircle acquisition, which Tripwire is continuing to integrate at the data level into its existing product base. Similarly, FireMon offers a scoring mechanism for its compliance framework through audits, checks and assessments.
The idea is to provide organizations with a holistic picture of where the most critical vulnerabilities lie, with the aim of enabling better risk management. This will be particularly important as new cybersecurity legislation comes into force in the near future, particularly in Europe, for the protection of critical infrastructure. Audits and compliance with various standards and regulations will need to be addressed by security vendors if they want their products to stay relevant in a changing regulatory landscape. On track with this is Lancope, which offers compliance mechanisms for a wide range of standards and regulations alongside its network visibility and security intelligence solutions. Incident response mechanisms can only benefit from better integration with security solutions, analytics and forensics technologies.
In order to tame this amalgamation of differing tools, two approaches are competing for attention. Professional consulting services are increasingly on the radar. NTT Com Security offers managed security services to address information security and risk management. Hardware reverse-engineering specialist IOActive offers similar security services and incident response solutions, with an interesting focus on niche areas such as smart grids, medical devices and industrial control systems.
The other approach involves automation and machine learning. Automation is important given the increase in volume of data, endpoints, traffic, applications, appliances, and even intelligence. As vendors look beyond signature-based solutions to behavior-based analytics, machine learning becomes a key focus of automation. AccessData is a nice example, as it looks to automate incident response procedures in a cost- and time-efficient manner. The firm’s CIRT team focuses not only on compromise assessment and remediation, but also on root cause analysis and reverse engineering malware.
This also highlights another trend at the conference: big data is great, but small data is better. The new foray is to use automation to break down that intelligence into byte-sized pieces of information that can be more easily processed by admins and C-levels. For both groups, the idea is the same: to prioritize intelligence in an orderly fashion in order to highlight the most valuable data. This helps to support better risk management decisions at the operational level.
I also want to highlight two other trends of import: DDoS protection and multi-factor authentication. Companies such as DOSarrest, Corero Network Security and Arbor Networks are focusing on fighting volumetric attacks that can be so damaging to web-facing applications and servers (think not only NTP amplification but also attacks at the application layer). Importantly, these solutions target both the enterprise and the service provider space. This will be important for ISPs and MNOs if they want to shed the ‘dumb pipe’ stigma and add security value at the infrastructure level.
In terms of authentication, the likes of SMSPasscode and SafeLayer are definitely offering highly interesting products. SMSPasscode is pushing the clientless value of its multi-factor authentication solution, while SafeLayer has thrown itself into rolling out a mobile PKI for seamless and user-friendly authentication procedures. Both companies represent the pioneering drive of European companies in the MFA space.
On a final note I want to highlight a couple of firms that don’t really sit in the previous categorization: AppRiver and Arxan. AppRiver focuses on email and web protection services, using a weighted test system for content scanning and web filtering and running five antivirus engines, one of which is proprietary. Arxan looks at protecting software applications with a set of runtime protection ‘guards’ that essentially harden the application against attacks. Popular with the gaming and entertainment industries (typically against reverse engineering), the guards can vary in type: encryption, obfuscation, checksum, authentication, etc. Certainly such mechanisms will be increasingly of interest to sensitive sectors such as finance and healthcare.
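To make the ‘checksum’ guard type concrete, here is an added illustration of what such a guard amounts to at its simplest. This is not Arxan’s code or any product’s: the guard records a CRC-32 of a protected region when it is sealed and recomputes it at run time, treating any mismatch as tampering. The protected region is a constructed byte array standing in for a code segment, and `guard_seal`, `guard_check` and `guard_demo` are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Minimal runtime integrity ("checksum") guard, written as an illustration.
 * The guard records a CRC-32 of a region at seal time and later recomputes
 * it; a mismatch means the region changed after sealing (patched, hooked or
 * corrupted). Commercial guards protect real code pages and hide the
 * reference value; here the region is a constructed byte array standing in
 * for a code segment.
 */

/* Standard CRC-32 (IEEE 802.3): reflected polynomial 0xEDB88320,
 * initial value 0xFFFFFFFF, final XOR 0xFFFFFFFF. Bit-at-a-time, no table. */
uint32_t crc32_bytes(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++) {
            uint32_t mask = 0u - (crc & 1u);      /* all ones if low bit set */
            crc = (crc >> 1) ^ (0xEDB88320u & mask);
        }
    }
    return crc ^ 0xFFFFFFFFu;
}

typedef struct {
    const uint8_t *region;   /* start of the protected bytes */
    size_t len;              /* length of the protected bytes */
    uint32_t expected;       /* CRC-32 recorded at seal time */
} guard_t;

/* Record the reference checksum of a region (done once, at build or install time). */
void guard_seal(guard_t *g, const uint8_t *region, size_t len) {
    g->region = region;
    g->len = len;
    g->expected = crc32_bytes(region, len);
}

/* Recompute and compare. Returns 1 if the region is intact, 0 if tampered. */
int guard_check(const guard_t *g) {
    return crc32_bytes(g->region, g->len) == g->expected;
}

/*
 * Walk the guard through its life cycle on a constructed region:
 * intact -> tampered (one bit flipped) -> restored.
 * Returns 1 if every step behaved as a guard should, 0 otherwise.
 */
int guard_demo(void) {
    /* Constructed stand-in for a protected code segment (hypothetical bytes). */
    uint8_t segment[32];
    for (size_t i = 0; i < sizeof segment; i++)
        segment[i] = (uint8_t)(0x90 + i);     /* arbitrary filler bytes */

    guard_t g;
    guard_seal(&g, segment, sizeof segment);

    int intact_ok = guard_check(&g);          /* expect 1: nothing changed yet */

    segment[17] ^= 0x01;                      /* simulate a one-bit patch */
    int tamper_detected = !guard_check(&g);   /* expect 1: CRC-32 catches any single-bit change */

    segment[17] ^= 0x01;                      /* restore the original byte */
    int restored_ok = guard_check(&g);        /* expect 1: back to the sealed state */

    return intact_ok && tamper_detected && restored_ok;
}

int main(void) {
    printf("CRC-32(\"123456789\") = 0x%08X\n",
           crc32_bytes((const uint8_t *)"123456789", 9));   /* 0xCBF43926 */
    printf("guard life cycle behaved correctly: %s\n",
           guard_demo() ? "yes" : "no");
    return guard_demo() ? 0 : 1;
}
```

The check value `0xCBF43926` for the string "123456789" is the standard CRC-32 test vector, so it confirms the routine is the common IEEE variant. The weakness of a lone guard is visible in the code itself: the reference value and the comparison live in the same binary they protect, which is why products layer the other guard types the text lists (encryption, obfuscation, authentication) and have guards check one another rather than relying on a single checksum.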
Overall, Infosec provided a valuable platform for vendors to showcase their potential in Europe. While it may not yet match the vibrancy of North American conferences, the dynamism of the vendors is a testament to the highly innovative and fast-growing market that is cybersecurity. Next year, hopefully, the security players will be joined by more diverse industry representatives from automotive, industrial control systems, financial services and healthcare.