
Attacks/Breaches | Commentary
6/22/2021 01:00 PM
Paul Shomo
Identity Eclipses Malware Detection at RSAC Startup Competition

All 10 finalists in the Innovation Sandbox were focused on identity, rather than security's mainstay for the last 20 years: malware detection.

At the recent RSA Conference, malware detection got the cold shoulder among the 10 Innovation Sandbox finalists, illustrating how differently security looks after the pandemic cloud migration. It also indicates the investor community may consider malware a lower priority.


RSAC's Innovation Sandbox is a Shark Tank-like competition for cybersecurity startups, where entrepreneurs present dueling pitches to a panel of investors. SecDevOps startup Apiiro took the top prize with its single pane of glass for reporting threats and automating review, testing, and remediation. A second SecDevOps startup, Wabbi, also touted a broad risk management approach and boasted this year's only female founder. 

The scramble to secure the new cloud infrastructure dominated the competition, which led to some controversy. Finalists were announced in April, a month before historic ransomware attacks against American oil and the global food supply chain. In light of this awkward timing, one wonders if the judges regret not allowing a malware detection startup into the finals.

Malware is the digital spear disrupting and damaging infrastructure. Yet there's an underlying truth about malware's diminishing role in the cloud that these judges know all too well.

Installing native software agents across the cloud to remotely control it has been an industry failure. Cloud VMs, containers, and their IP addresses may be recreated up to thousands of times per hour, creating a brutally ephemeral environment. Malware's difficulties in the cloud are quite analogous to the agent problem. Like software agents, malware must install natively across the cloud and maintain connectivity for command and control.  

Compounding the problem, the public cloud and serverless technologies often lack a true runtime environment in which agents or malware could be installed at all.

Furthermore, malware spreads itself by discovering and infecting adjacent systems. Consider how few lateral movement opportunities there are in the cloud, as a Fortune 500 company's assets span disparate cloud vendors, segmented and ephemeral networks, and software-as-a-service (SaaS) apps.

For all these reasons, vendors embrace "agentless" approaches, controlling the cloud via APIs, now a favorite of hackers as well. Along with APIs, the human interface shell (think the command line or the Web browser) is the only other way to reliably access cloud components.

Both API and shell access require authentication through the identity layer produced by secure access service edge (SASE) zero-trust products. Finalist Axis Security is a good example. From its cloud, it authenticates users, even from unmanaged devices, brokering a secure session to a company's many cloud components. In true zero-trust fashion, Axis monitors and continuously reauthorizes accounts throughout a session, as long as they remain compliant and well behaved.

One can see why after years of defending Azure, Microsoft CISO Bret Arsenault told me in 2019, "Hackers don't break in, they log in," and to defend the cloud he says, "Identity is the new perimeter."

Yinon Costica, co-founder and VP of products at Wiz, another finalist, pointed out that identity is even more than a perimeter. "Identity is the new vehicle in order to get from one place to the other," he said.

Costica described what happens once the SASE identity layer is pierced and credentials are stolen, through the eyes of a threat actor: "I get a shell on a machine that's running in a cloud environment somewhere. Now I can use [Amazon Web Services] APIs. I can use a role that's assigned to the machine. I can scan the filesystem for secrets," he said. "I don't need any malware."

Instead of malware, Wiz focuses on identities, the secrets they access, the networks they touch, and vulnerabilities. In its Innovation Sandbox pitch, Wiz claimed 10% of the Fortune 500 purchased its product within its first six months of sales.
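The defender's counterpart to "I can scan the filesystem for secrets" is to sweep your own images and checkouts for credentials before an attacker with a shell does. The scanner below is an added example written for this article; it is not Wiz's or any finalist's code. The match patterns (an AWS-style access key ID, a PEM private-key header, and a generic `secret=`/`password=` assignment), the skipped directories, and the sample file tree are all constructed assumptions for illustration, and the report redacts what it finds so the findings file is not itself a leak.

```python
"""Filesystem secret sweep (added example, not vendor code).

Walks a directory, flags lines that look like stored credentials, and
returns redacted findings. Patterns are assumptions chosen to mirror
widely published key formats; tune them for your own estate."""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed secret shapes: access key IDs, private-key headers, plain assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|password|api[_-]?key|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{12,})"
    ),
}
SKIP_DIRS = {".git", "node_modules", "__pycache__"}   # noise, not config
MAX_BYTES = 1_000_000                                 # skip large binaries


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str   # redacted prefix only, so the report does not leak the secret


def redact(match_text: str) -> str:
    """Keep a short prefix for triage; never echo the full value."""
    return match_text[:4] + "..." if len(match_text) > 4 else "***"


def scan_file(path: str) -> list[Finding]:
    findings = []
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return findings
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for line_no, line in enumerate(fh, start=1):
                for kind, pattern in PATTERNS.items():
                    m = pattern.search(line)
                    if m:
                        findings.append(Finding(path, line_no, kind, redact(m.group(0))))
    except OSError:
        pass   # unreadable file: skip it rather than abort the whole sweep
    return findings


def scan_path(root: str) -> list[Finding]:
    """Recursive sweep with directory pruning; deterministic order for reports."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            out.extend(scan_file(os.path.join(dirpath, name)))
    return out


def build_sample_tree() -> str:
    """Constructed sample checkout: one leaked key in config, one private key
    file, one clean source file, and a .git directory that must be skipped.
    All values are placeholders, not real credentials."""
    root = tempfile.mkdtemp(prefix="secretscan_")
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, "config", "app.env"), "w") as fh:
        fh.write("DB_HOST=db.internal\n")
        fh.write("AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n")   # placeholder value
    with open(os.path.join(root, "deploy_key.pem"), "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                 "MIIEpAIBAAKCAQEA...placeholder...\n"
                 "-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "main.py"), "w") as fh:
        fh.write("import os\n"
                 "key = os.environ['AWS_ACCESS_KEY_ID']  # read at runtime, not stored\n")
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write("password = shouldnotbescanned123\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_path(sample_root):
        print(f"{f.kind:20} {os.path.relpath(f.path, sample_root)}:{f.line_no}  {f.preview}")
```

Run against the constructed tree, the sweep reports the key in `config/app.env` and the PEM header in `deploy_key.pem`, and stays silent on `main.py`, which reads the key from the environment at runtime instead of storing it. That distinction is the point: the fix for a finding is to move the value out of the filesystem (environment injection, a secrets manager, or the instance role itself), not merely to rename the variable.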

A competitor, Deduce, provides identity intelligence to spot risky logins. Finalist Strata migrates legacy applications to the identity layer, abstracting away details with orchestration.

The advertising tech industry also made a mark on Innovation Sandbox. Often dubbed "surveillance capitalism" by privacy advocates, ad tech produces sophisticated human intelligence. Startup Abnormal Security brings seasoned ad tech experts to email security. It believes providers such as Microsoft or Google already have excellent email threat detection, and focuses its behavioral analytics on the most advanced attacks. 

Innovation Sandbox's final three competitors secure emerging DataOps. This new attack surface is arising as data vendors such as Snowflake migrate information to specialized data clouds. Open Raven identifies and classifies data. Satori is a low-latency gateway that masks sensitive information before forwarding it. Cape Privacy helps organizations share data with outside AI experts, something Cape accomplishes by exposing an encrypted version of data that hides secrets but still preserves usefulness. 

The malware vs. identity debate illustrates why Innovation Sandbox is a favorite among trend watchers. For years to come, malware will continue compromising endpoints, as well as the Internet of Things and operational technology (OT) devices. Malware is still king for ransom and disruption, and for these reasons, 2021's choice of finalists was controversial. 

In 2021, Innovation Sandbox was also a teaching moment. Malware can still be used against specific targets in the cloud. Yet the cloud is heterogeneous, ephemeral, and a peculiar runtime environment, all of which erode malware's reign as the universal hacking tool. With the SASE identity layer in place, hackers increasingly don't break in; they log in.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...