What Black Hat 2022 reveals about securing the supercloud - SiliconANGLE

2022-09-17 02:55:14 By : Ms. Angel Xiong

BREAKING ANALYSIS by Dave Vellante

Black Hat 2022 was held in Las Vegas last week, at the same time as theCUBE’s supercloud event. Unlike AWS re:Inforce, where words are carefully chosen to put a positive spin on security, Black Hat exposes all the warts of cybersecurity and openly discusses its hard truths. It’s a conference attended by technical experts who proudly share some of the vulnerabilities they’ve discovered and of course by numerous vendors marketing their products and services.

In this Breaking Analysis, we summarize what we learned from discussions with several people who attended Black Hat and our analysis from reviewing dozens of keynotes, articles, videos, session talks, Dark Reading interviews and data from a recent Black Hat attendees survey conducted by Black Hat and Informa PLC. We’ll also share data from ETR in a recent post discussing how Zscaler Inc. became the last line of defense for a manufacturing firm.

We’ll end with a discussion of what it all means for the challenges around securing the supercloud.

We did not attend Black Hat; rather, we spent days absorbing content from the event, which is renowned for its hundreds of sessions, breakouts and strong, unvarnished technical content.

Featured keynote: Chris Krebs, the former director of the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, spoke about the increasing complexity of tech stacks and its ripple effects on risk. Where re:Inforce tends to emphasize the positive state of cybersecurity, it can be said that Black Hat, as the name implies, focuses on the other end of the spectrum. Risk was a major theme of the show: lots of talk as always about the expanded threat surface and tons of emphasis on supply chain risk.

Hybrid work and the impact on risk: There was also plenty of discussion about hybrid work and how remote work has dramatically increased business risk.

Attack vectors: Data from both the Intel 471 Cyber Threat Report and the previously mentioned Black Hat attendee survey showed that compromised credentials posed the No. 1 source of risk, followed by infrastructure vulnerabilities and supply chain risk.

The future of war is here and it’s cyber-led: At an MIT cybersecurity conference earlier last decade, theCUBE had a conversation with former Boston Globe war correspondent Charles Sennott about the hypothetical future of war and the role of cyber. We had similar discussions with Dr. Robert Gates on theCUBE. At Black Hat, these discussions went well beyond the theoretical with data from the war in Ukraine. It’s clear that modern wars are and will be supported by cyber. But the takeaways are they will be highly situational and unpredictable, because in combat scenarios anything can happen.

AI in cyber is not all hype: The role of AI was discussed and somewhat dissed as overhyped. But though AI is not a panacea to cyber exposure, automation and machine intelligence can augment stressed-out security teams by recommending actions. Most of the defense will still be based on monitoring, telemetry data, log analysis, curating known signatures and analyzing consolidated data. But increasingly AI will help with the unknowns – the zero-day threats and threat actor behaviors post-infiltration.

Collaboration has to walk the talk: Finally, while much lip service has been given over the years to collaboration and public/private partnerships, especially after Stuxnet was revealed early last decade, the truth is that threat intelligence in the private sector is still evolving. In particular, the tech industry began to try to monetize proprietary intelligence in the middle part of last decade with private reporting. But attitudes toward collaboration are trending in a positive direction. Public/private partnerships are being catalyzed by a stronger government push, and there was a sentiment at Black Hat that customers are demanding that their vendors work together to fight an increasingly capable adversary.

Supercloud security requires standards: Without this type of collaboration, securing the supercloud will be more challenging and confined to narrow solutions.

Let’s look at some of the survey data from Black Hat. Just under 200 serious security experts took the survey. So, not enough to slice and dice by hair color, eye color, height, weight and favorite movie genre… but enough to extract high-level takeaways.

Surveys with strongly agree or disagree questions can sometimes give vanilla outputs. But if we look for the answers where there’s an overwhelming cluster of consensus at the edges of the spectrum, we can draw some conclusions that are probably more telling. To wit, it’s clear from the graphic above that these survey respondents believe the following:

As we’ve reported extensively, COVID has permanently changed the cybersecurity landscape and chief information security officers’ playbook.

The chart above shows results that queried respondents on the pandemic’s most significant impacts on cybersecurity. They include new requirements to secure remote workers, more cloud, more threats from remote systems and users and a shift away from perimeter defenses that are no longer as effective – e.g. firewall appliances.

Note, however, the fifth response down highlighted in green. It shows a meaningful drop in the percentage of remote workers disregarding corporate security policy. Still too many, but 10 percentage points down from 2021’s survey.

As we’ve said many times, bad user behavior will trump good security technology every time. The following diagram from the survey results underscores this reality:

Consistent with commentary from Mark Arena on the Intel 471 threat report, the Black Hat attendee survey also shows phishing for credentials is the No. 1 concern of cyber professionals. This is a people and process problem more than a technology issue. Using multifactor authentication, changing passwords, unique passwords, password managers, etc., are all great things, but if it’s too hard for users to implement, they won’t and they’ll remain exposed.

The No. 2 concern on the graphic above (sophisticated attacks exposing vulnerabilities in the security infrastructure) is also consistent with the Intel 471 data.

The No. 3 concern, no surprise, is supply chain risk — again, consistent with Mark Arena’s commentary and the Intel 471 report.

Ask most CISOs their No. 1 problem and lack of talent will top the list.

So it’s no surprise that 63% of survey respondents believe they don’t have the security staff necessary to defend against cyberthreats. This speaks to the rise of managed security service providers that we’ve talked about previously on Breaking Analysis. We’ve seen estimates that less than 50% of organizations in the U.S. have a security operations center, and we see those firms as ripe for MSSP support, as well as larger firms augmenting staff with managed service providers.

It is somewhat of a surprise that one-third of the respondents indicate they have adequate staff. However, note that figure is down noticeably from last year’s survey (44%).

After re:Inforce we put forth the conceptual model shown in the diagram below. It depicts how the cloud is becoming the first line of defense for CISOs and DevOps is being asked to do more, like secure the runtime and the containers and the platform, etc. And audit becomes the last line of defense.

Two notable trends we picked up from Black Hat that are consistent with this shift shown above:

To the point above about the cloud being the first line of defense, let’s turn to a story from Enterprise Technology Research that came out of our colleague Erik Bradley’s Insight one-on-one with a senior information technology person at a manufacturing firm. In a piece called “Saved by Zscaler,” check out this comment below from a senior technology leader at a manufacturing firm:

As the last layer, we are filtering all the outgoing internet traffic through Zscaler. When an attacker is already on your network, and they’re trying to communicate with the outside to exchange encryption keys, Zscaler is already blocking the traffic. It happened to us. It happened and we were saved by Zscaler.

So not only is the cloud the first line of defense… here’s an example where it’s the last line of defense as well.  

Let’s end on what this all means to supercloud. At our event last week in the Palo Alto CUBE studios, we had a session called Securing the Supercloud. We had three technical experts: Gee Rittenhouse of Skyhigh Security (Musarubra US LLC), Piyush Sharma, founder of Accurics (acquired by Tenable Inc.), and Tony Kueh, former head of product at VMware Inc.

A key takeaway was that security is going to be one of the most important and difficult challenges for the idea of supercloud to become real.

We reviewed in last week’s Breaking Analysis a detailed discussion we had at Supercloud 22 with Snowflake Inc. co-founder and President of Products Benoit Dageville. The conversation focused on how his company approaches security in their data cloud – what we call a super data cloud. But what if you don’t have the focus, engineering depth and bankroll that Snowflake has? Does that mean superclouds will only be developed by those companies with enormous resources?

John Furrier asked each of the panelists, what is missing? That is, what has to happen to secure the supercloud? Here’s what they said:

I think we need a consortium. We need a framework that defines that if you really want to operate in supercloud, these are the 10 things that you must follow. It doesn’t matter whether you take AWS or GCP, or you have all [three], and you will have the on-prem also, which means that it has to follow a pattern. And that pattern is what is required for supercloud, in my opinion. Otherwise security is going everywhere. [SecOps] will have to fix everything, find everything, and so on. It’s not going to be possible. So they need a framework. They need a consortium. And this consortium needs to be, I think, led by the cloud providers, because they’re the ones who have these foundational infrastructure elements. And the security vendor should contribute on providing more severe detections or severe findings. So that, in my opinion, should be the model.

I think [what’s missing] is a business model. We’ve seen in cloud that scale matters. And once you’re big, you get bigger. We haven’t seen that coalesce around either a vendor, a business model, or whatnot to bring all of this and connect it all together yet. So that value proposition in the industry, I think, is missing, but there’s elements of it already available.

I think there needs to be a mindset. If you look again, history repeating itself. The internet sort of came together around a set of IETF, RFC standards. Everybody embraced and extended it. But still there was at least a baseline. And I think at that time, the largest and most innovative vendors understood that they couldn’t do it by themselves, right? And so I think what we need is a mindset where these big guys like Google, let’s take an example. They’re not going to win at all, but they can have a substantial share. So how do they collaborate with the ecosystem around a set of standards so that they can bring their differentiation and then embrace everybody together?

Gee’s point about a business model missing is broadly true. But perhaps Snowflake serves as the model where they’ve just gone out and done it… setting (or trying to set) the de facto standard by which data can be shared and monetized, but accomplished within a proprietary framework that is a controlled environment. Snowflake uses the powerful metaphor of a data clean room. Perhaps that is one answer.

Tony lays out a scenario where there’s a collaboration mindset around a set of standards with an ecosystem. Intriguing is this idea of a consortium or a framework that Piyush was talking about. It speaks to the collaboration (or lack thereof) that we addressed earlier and was a key topic at Black Hat. Piyush’s and Tony’s proposal that the cloud providers should lead with the security vendor ecosystem playing a supporting role is compelling.

Can you see AWS, Azure and Google in a kumbaya moment getting together to make that happen and harmonize security standards? It seems unlikely, but maybe government could be a catalyst. Perhaps public policy could play a role and provide both carrot and stick incentives versus today’s solely adversarial posture toward big tech. It could drive large tech companies to take a leading role, as the panelists suggested, to drive collaboration in the interest of national security.

This would take a long-term vision that focuses government energies on partnering with big tech on national security versus trying to micromanage the behavior of big tech companies. History echoes, and the anti-big tech agenda currently being put forth by the FTC will likely end the same way it always has, with markets, not governments, determining competitive outcomes.

Thanks to all the folks who created content from Black Hat and those who shared feedback on the event with us for this post: Becky Bracken, the editor in chief at Dark Reading, Kelly Jackson Higgins and the entire team at the Dark Reading News Desk. Mark Arena, Garret O’Hara, Nash Borges, Curt Franklin from Omdia, Roya Gordon, Robert Lipovsky, Chris Krebs and many others: Thanks for the great commentary and content you put out there.

Alex Myerson does the production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out, and to Rob Hof, our editor in chief at SiliconANGLE.

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies has any editorial control over or advanced viewing of what’s published in Breaking Analysis.
