Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/3/2019
02:00 PM
Jon Oltsik
Jon Oltsik
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Promising Technologies Making an Impact on Cybersecurity

The common thread: Each acts as a force multiplier, adding value to every other security technology around it.

A few weeks ago, while attending Black Hat 2019, I was invited to participate in a Dark Reading technology panel hosted by editor Tim Wilson. The discussion focused on new types of technologies that can truly improve cybersecurity defenses.

My first instincts were to go with some of the product categories I research daily. For example, I could have described how machine learning algorithms can improve security analytics or vulnerability management. I might have expounded upon how SOAR (security orchestration, automation, and response) platforms can help organizations automate manual processes and streamline security operations. Similarly, I thought about breach and attack simulation tools that can help identify risk and lead to continuous assessment and security improvement.

Yup, these technologies show great promise, but there is also a lot of hype around each. Furthermore, while enterprise organizations are using them, processes and technologies themselves remain immature. CISOs can achieve benefits with these technologies, but most that I've talked to are proceeding slowly and cautiously.

Given this reality, I had to take a step back and really think about technologies I consider ground breaking. It wasn't easy, but I came up with three non-intuitive technologies that are truly making a difference to cybersecurity professionals.

Promising Technology 1: Apache Kafka. According to ESG research, 77% of enterprise organizations collect, process, and analyze more security data than they did two years ago. What kind of data? Everything: log data, network packets and flows, cyber threat intelligence, application data, cloud telemetry, and more. This makes sense for continuous security monitoring, but moving and processing real-time data streams requires a highly scalable data pipeline. Enter Apache Kafka, a community distributed event streaming platform (first developed by LinkedIn) capable of handling trillions of events a day.

Apache Kafka provides a publish/subscribe messaging bus for terabytes of security telemetry and then feeds it to numerous analytics engines in real time. Thus, Apache Kafka (and other tools, such as RabbitMQ) can help enable more rapid threat detection and response. When I first discovered Apache Kafka, it was being used in grassroots development efforts, but vendors have taken notice since then. In 2018, Splunk released a connector for Kafka to leverage the framework and other SIEM tools, and security analytics vendors are also getting involved. We can't collect, process, analyze, and act upon security telemetry without a high-performance, highly scalable, and well-managed data pipeline. Apache Kafka is making a real difference in this area.

Promising Technology 2: The MITRE ATT&CK Framework (MAF). Let's face it, MITRE has had some swings and misses over the years, producing complex technology frameworks that never gained acceptance outside of the US federal government. (FCAPS comes to mind.) Why is MAF different? As Sun Tzu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." In many cases, cybersecurity analysts knew a lot about themselves but not nearly as much about their enemy, so they tended to address each security incident individually rather than look for patterns of attack. Lockheed Martin helped change cybersecurity thinking in 2011 with its introduction of the "kill chain," but security teams needed advanced threat intelligence and security analysis skills to map security events into Lockheed's model.

MAF bridges this gap by acting as the "glue," allowing analysts to contextualize and visualize individual events along kill chains and giving them detailed instructions on where to look next to uncover broader cybersecurity attacks. With its growing user popularity, it's not surprising that MAF support is becoming ubiquitous across security analytics tools of all types. Following Sun Tzu's wisdom, MAF forces cybersecurity analysts to think like a cybersecurity adversary. No wonder it is having such a profound impact.

Promising Technology 3: OpenC2. This OASIS standard is a bit more esoteric than Apache Kafka or MAF, and in truth it really hasn't had an impact yet. However, in my humble opinion, it holds great potential. OpenC2 creates an abstraction layer for standardizing communications and instructions for security controls. For example, suppose an organization receives high-fidelity threat intelligence that a specific IP address is malicious. The immediate response would be to block this IP address across all security controls. With existing security technologies, this could mean translating this rule into vendor-specific syntax, which can get cumbersome in a large heterogeneous enterprise. This is why SIEM, SOAR, and TIP vendors (among others) spend so much time and effort developing connectors and building partner ecosystems.

OpenC2 could alleviate this translation problem through common standards. Rather than individual connectors, security controls such as endpoint security software, firewalls, proxies, DNS services, etc., would talk OpenC2, so analytics engines could issue a single rule for all relevant security controls. I believe this standardization could really help automate, accelerate, and scale data-driven security processes.

There's a common pattern with all three technologies: Each one acts as a force multiplier, adding value to every other security technology around it. This alone could make them extremely beneficial for CISOs and enterprise organizations.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities."

Jon Oltsik is an ESG senior principal analyst, an ESG fellow, and the founder of the firm's cybersecurity service. With over 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9349
PUBLISHED: 2020-04-02
The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password.
CVE-2020-11100
PUBLISHED: 2020-04-02
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
CVE-2020-11450
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in.
CVE-2020-11451
PUBLISHED: 2020-04-02
The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF.)
CVE-2020-11454
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the app...