
Attacks/Breaches

6/22/2021
01:00 PM
Paul Shomo
Commentary

Identity Eclipses Malware Detection at RSAC Startup Competition

All 10 finalists in the Innovation Sandbox were focused on identity, rather than security's mainstay for the last 20 years: malware detection.

At the recent RSA Conference, malware detection got the cold shoulder among the 10 Innovation Sandbox finalists, illustrating how differently security looks after the pandemic cloud migration. It also indicates the investor community may consider malware a lower priority.


RSAC's Innovation Sandbox is a Shark Tank-like competition for cybersecurity startups, where entrepreneurs present dueling pitches to a panel of investors. SecDevOps startup Apiiro took the top prize with its single pane of glass for reporting threats and automating review, testing, and remediation. A second SecDevOps startup, Wabbi, also touted a broad risk management approach and boasted this year's only female founder. 

The scramble to secure the new cloud infrastructure dominated the competition, which led to some controversy. Finalists were announced in April, a month before historic ransomware attacks against American oil and the global food supply chain. In light of this awkward timing, one wonders if the judges regret not allowing a malware detection startup into the finals.

Malware is the digital spear disrupting and damaging infrastructure. Yet there's an underlying truth about malware's diminishing role in the cloud that these judges know all too well.

Installing native software agents across the cloud to remotely control it has been an industry failure. Cloud VMs, containers, and their IP addresses may be recreated up to thousands of times per hour, creating a brutally ephemeral environment. Malware's difficulties in the cloud are closely analogous to the agent problem: like software agents, malware must install natively across the cloud and maintain connectivity for command and control.

Compounding the problem, the public cloud and serverless technologies often lack a true runtime environment in which agents or malware could be installed at all.

Furthermore, malware spreads itself by discovering and infecting adjacent systems. Consider how few lateral movement opportunities there are in the cloud, as a Fortune 500 company's assets span disparate cloud vendors, segmented and ephemeral networks, and software-as-a-service (SaaS) apps.

For all these reasons, vendors embrace "agentless" approaches, controlling the cloud via APIs, which are now a favorite of hackers as well. Along with APIs, the human interface shell (think command line or the Web browser) is the only other way to reliably access cloud components.

Both API and shell access require authentication through the identity layer produced by secure access service edge (SASE) zero-trust products. Finalist Axis Security is a good example. From its cloud, it authenticates users, even from unmanaged devices, brokering a secure session to a company's many cloud components. In true zero-trust fashion, Axis monitors and continuously reauthorizes accounts throughout a session, as long as they remain compliant and well behaved.
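The continuous reauthorization Axis is credited with above is easy to describe and easy to get subtly wrong, so here is an added, self-contained sketch of the pattern (not Axis Security's code or any vendor's implementation): a broker authenticates a user once, even from an unmanaged device, then re-runs the whole policy on every request and tears the session down as soon as the account or device stops being compliant. The user store, device posture checks, resource policy and idle limit are all assumptions made for this example.

```python
"""Continuous reauthorization of a brokered zero-trust session (added example).

Assumptions for illustration only: an in-memory user store stands in for
the IdP, device posture is three booleans, and the resource policy and
idle limit are invented. This is not any vendor's implementation.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass
class Session:
    user: str
    device: Device
    last_seen: float
    revoked: Optional[str] = None  # reason, once the broker has torn it down


def posture_violations(device: Device) -> List[str]:
    """Device checks that run on every request, not only at login."""
    problems = []
    if not device.disk_encrypted:
        problems.append("disk not encrypted")
    if not device.os_patched:
        problems.append("OS not patched")
    return problems


# Constructed resource policy: an unmanaged device may reach the web app,
# but anything touching production data requires a managed device.
REQUIRES_MANAGED = {"web-app": False, "prod-db": True}
MAX_IDLE_SECONDS = 300.0


class Broker:
    def __init__(self, users: Dict[str, str],
                 clock: Callable[[], float] = time.time):
        self._users = users                 # user -> password (stand-in for an IdP)
        self._disabled: Set[str] = set()    # accounts disabled while sessions are live
        self._sessions: Dict[str, Session] = {}
        self._clock = clock                 # injectable so tests are deterministic

    def login(self, user: str, password: str, device: Device) -> Optional[str]:
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        if posture_violations(device):
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = Session(user, device, self._clock())
        return token

    def disable_user(self, user: str) -> None:
        """Simulates the IdP disabling an account mid-session."""
        self._disabled.add(user)

    def authorize(self, token: str, resource: str) -> Tuple[bool, str]:
        """Re-run the full policy for this single request."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown session"
        if s.revoked:
            return False, "session revoked: " + s.revoked
        now = self._clock()
        reason = None
        if s.user in self._disabled:
            reason = "account disabled"
        elif now - s.last_seen > MAX_IDLE_SECONDS:
            reason = "idle timeout"
        elif posture_violations(s.device):
            reason = "device posture: " + ", ".join(posture_violations(s.device))
        if reason:
            s.revoked = reason              # sticky: a later request cannot resume
            return False, "session revoked: " + reason
        s.last_seen = now
        if resource not in REQUIRES_MANAGED:
            return False, "unknown resource"
        if REQUIRES_MANAGED[resource] and not s.device.managed:
            return False, "resource requires a managed device"  # deny, keep session
        return True, "ok"


if __name__ == "__main__":
    broker = Broker({"alice": "correct horse battery"})
    laptop = Device(managed=False, disk_encrypted=True, os_patched=True)
    tok = broker.login("alice", "correct horse battery", laptop)
    print(broker.authorize(tok, "web-app"))   # allowed from an unmanaged device
    print(broker.authorize(tok, "prod-db"))   # denied: needs a managed device
    laptop.os_patched = False                 # posture drifts mid-session
    print(broker.authorize(tok, "web-app"))   # session revoked
```

The point of the design is that a denial from a changed account or device state is sticky: once the broker revokes the session, restoring the device to compliance does not resurrect it, and the user must authenticate again. A resource-level denial (the unmanaged laptop asking for the production database) is different, since the session itself remains valid for resources the policy permits.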

One can see why, after years of defending Azure, Microsoft CISO Bret Arsenault told me in 2019, "Hackers don't break in, they log in," and, to defend the cloud, he says, "Identity is the new perimeter."

Yinon Costica, co-founder and VP of products at Wiz, another finalist, pointed out that identity is even more than a perimeter. "Identity is the new vehicle in order to get from one place to the other," he said.

Costica described what happens next, through the eyes of a threat actor, once the SASE identity layer is pierced and credentials are stolen: "I get a shell on a machine that's running in a cloud environment somewhere. Now I can use [Amazon Web Services] APIs. I can use a role that's assigned to the machine. I can scan the filesystem for secrets," he said. "I don't need any malware."
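The path Costica describes leaves a characteristic trace: the role attached to a machine is used from somewhere that is not the machine. Below is an added detection example for that signal, not Wiz's or AWS's own logic. The records are constructed in the shape of AWS CloudTrail events, trimmed to the fields the detector reads, and the instance inventory, IP addresses, account number and role names are invented for the example.

```python
"""Flagging instance-role credentials used from outside the instance (added example).

Assumptions: CloudTrail-style records (real field names, constructed
values), an invented inventory mapping instance ids to the public
addresses their API calls should come from, and the AWS convention that
an instance-profile session is named after the instance id.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed inventory: instance id -> public addresses its API calls
# are expected to originate from (for example, its NAT gateway).
EXPECTED_SOURCE: Dict[str, Set[str]] = {
    "i-0aaa111": {"203.0.113.10"},
    "i-0bbb222": {"203.0.113.10"},
}

# Secret-reading APIs; a hit from an unexpected address is rated higher.
SECRET_READ_APIS = {"GetSecretValue", "ListSecrets", "GetParameter", "GetParametersByPath"}

ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/web-instance-role/"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"eventTime": "2021-06-01T10:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + "i-0aaa111"}},
    {"eventTime": "2021-06-01T10:05:12Z", "eventName": "ListSecrets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + "i-0aaa111"}},
    {"eventTime": "2021-06-01T10:05:40Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + "i-0aaa111"}},
    # A service calling on the instance's behalf shows a service name, not an IP.
    {"eventTime": "2021-06-01T10:06:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + "i-0bbb222"}},
    # A human IAM user is out of scope for this particular detector.
    {"eventTime": "2021-06-01T10:07:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_assumed_role_arn(arn: str):
    """'.../assumed-role/<role>/<session>' -> (role, session); ('', '') if malformed."""
    parts = arn.split("/")
    if len(parts) != 3 or not parts[0].endswith(":assumed-role"):
        return "", ""
    return parts[1], parts[2]


def find_credential_misuse(events: Iterable[dict],
                           expected: Dict[str, Set[str]] = EXPECTED_SOURCE) -> List[dict]:
    """Return one finding per API call made with instance credentials from the wrong place."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        role, session = split_assumed_role_arn(ident.get("arn", ""))
        if not session.startswith("i-"):
            continue  # only instance-profile sessions are in scope
        src = ev.get("sourceIPAddress", "")
        if not _is_ip(src):
            continue  # AWS service principals acting for the instance
        allowed = expected.get(session)
        if allowed is None:
            reason = "credentials of an instance not in inventory"
        elif src in allowed:
            continue
        else:
            reason = "instance credentials used from an unexpected address"
        findings.append({
            "time": ev.get("eventTime"), "instance": session, "role": role,
            "source": src, "api": ev.get("eventName"), "reason": reason,
            "severity": "high" if ev.get("eventName") in SECRET_READ_APIS else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_credential_misuse(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the detector ignores the instance's own call through the expected address, the service-principal call, and the human login, and reports the two secret-reading calls made with i-0aaa111's role from 198.51.100.77 as high severity. In a real deployment the inventory would be populated from the cloud provider's instance metadata rather than a literal, and the expected-address set would include every egress path the instance legitimately has.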

Instead of malware, Wiz focuses on identities, the secrets they access, the networks they touch, and vulnerabilities. In its Innovation Sandbox pitch, Wiz claimed 10% of the Fortune 500 purchased its product within its first six months of sales.

A competitor, Deduce, provides identity intelligence to spot risky logins. Finalist Strata migrates legacy applications to the identity layer, abstracting away details with orchestration.

The advertising tech industry also made a mark on Innovation Sandbox. Often dubbed "surveillance capitalism" by privacy advocates, ad tech produces sophisticated human intelligence. Startup Abnormal Security brings seasoned ad tech experts to email security. It believes providers such as Microsoft or Google already have excellent email threat detection, and focuses its behavioral analytics on the most advanced attacks. 

Innovation Sandbox's final three competitors secure emerging DataOps. This new attack surface is arising as data vendors such as Snowflake migrate information to specialized data clouds. Open Raven identifies and classifies data. Satori is a low-latency gateway that masks sensitive information before forwarding it. Cape Privacy helps organizations share data with outside AI experts, something Cape accomplishes by exposing an encrypted version of data that hides secrets but still preserves usefulness. 

The malware vs. identity debate illustrates why Innovation Sandbox is a favorite among trend watchers. For years to come, malware will continue compromising endpoints, as well as the Internet of Things and operational technology (OT) devices. Malware is still king for ransom and disruption, and for these reasons, 2021's choice of finalists was controversial. 

In 2021, Innovation Sandbox was also a teaching moment. Malware can still be used against specific targets in the cloud. Yet the cloud is heterogeneous, ephemeral, and a peculiar runtime environment, all of which erode malware's reign as the universal hacking tool. With the SASE identity layer, increasingly hackers don't break in, they log in.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...