Companies today are exposed to many threats, and incident response (IR) teams have to respond to both real and suspected breaches. Incidents can include credential compromise, phishing, malware in the network, Denial of Service (DoS) attacks, zero-day threats, and unauthorized changes to the network, hardware or software, to name a few. Many organizations will also hire a red team, which is specifically engaged to create realistic attack scenarios to expose attack surfaces and test for network vulnerabilities. This all keeps an IR team pretty busy.
A CISO recently told us that despite having an impressive array of cybersecurity solutions during their transition to the cloud, nothing was tying it all together from a threat standpoint. From her perspective, all the security tools at their disposal were great individually, but lacked visibility across all accounts and all platforms. Further, they didn’t have the ability to identify and respond to threats, as well as user access requests, in a consistent manner. It actually made the job harder and less effective. This vulnerable patchwork approach of disparate vendor solutions is all too common.
Two weeks ago I attended the Black Hat USA 2018 conference. As one of the largest cybersecurity events in the world, it’s always interesting to hear the key themes and trends the industry is buzzing about. Here are my observations on four actionable takeaways from the 2018 conference.
Preventing lateral movement and unauthorized domain access due to the misuse of network credentials - especially due to reconnaissance tools looking for weak spots - is a challenge plaguing many enterprises. In fact, it’s a decades-old security problem. A major issue for enterprises has been how to detect and contain the use of reconnaissance tools like BloodHound, authentication protocols such as NTLM, DCE/RPC, Kerberos and Lightweight Directory Access Protocol (LDAP), as well as other IT tools like PsExec and Powershell that are being misused or exploited by attackers.
It’s increasingly difficult and more complex to be an effective buyer of security products today. Messaging and content overlaps are everywhere, cloud platforms claim to do what endpoint solutions do, and all the while products are constantly pivoting in the middle of operation - often changing their identity and main purpose. At the same time, enterprise and personal priorities change, vendor awards are presented to whoever pays more, analysts are not always aligned, and the list goes on.
Over the past few years, we’ve observed significant changes in the types of conversations we’re having with CISOs. What used to be discussions about how to keep bad guys out has evolved into how to manage and address internal threats. Internal threats come in a variety of shapes and sizes. It could be an attacker who has already gotten in and is waiting for the right moment to make a move. It could also be an insider threat. It could be a malicious insider looking to do harm to the organization. Or it could be employees who don’t mean any harm but may be doing things (knowingly or unknowingly) that could put an organization at risk.
With the perimeter all but dissolved, and as enterprises transition to the cloud, it’s becoming clear that identity, and where there are points of access, is the new perimeter. The challenge for many organizations is how to understand their posture around identity. This requires understanding who is doing what, when, and where, and understanding it across all applications and platforms on prem, in the cloud and in hybrid environments. Having a holistic view of identity (all users, privileges, access patterns and accounts) is becoming more critical in order to be more proactive, to have proper controls over accounts (privileged, user, service, and more) and to be able to protect accounts from compromise.
A well-known CISO customer was recently telling me about his experience with implementing new security solutions. His consistent feeling? Dread – the security alerts and things that can suddenly break in the beginning can be overwhelming. “Everything goes red,” he said, referring to the immediate influx of red alerts and false positives that seem to accompany each new security deployment.
With Silicon Valley continuing to lead the nation in VC funding (source: Bloomberg), expectations are clear: invest that funding and deliver, deliver, and deliver some more for your customers (and investors, employees, partners and stakeholders).
My partner Jay Leek and I have decades of experience as CISOs. We’ve both literally spoken with hundreds of security companies and it’s easy to become jaded. It's rare that we get truly excited about a new security technology. Preempt sparked that sense of excitement in both of us. If we really prioritize based on risk we’ll find that many security priorities aren't about chasing "advanced APT ninjas." It is about focusing on the more mundane functions of vulnerability and access management.
Preempt began with a basic premise: effective security within an enterprise should combine threat detection and real-time response within a single solution. As enterprises transition to the cloud and the perimeter disappears, identity is the new perimeter. If identity is the new perimeter, access management from a security standpoint can lead to effective threat prevention. That simple but powerful idea was the genesis of Preempt and has given us the opportunity to solve challenging security problems for our customers.