
Risk | Commentary
9/3/2019 02:00 PM
Jon Oltsik

3 Promising Technologies Making an Impact on Cybersecurity

The common thread: Each acts as a force multiplier, adding value to every other security technology around it.

A few weeks ago, while attending Black Hat 2019, I was invited to participate in a Dark Reading technology panel hosted by editor Tim Wilson. The discussion focused on new types of technologies that can truly improve cybersecurity defenses.

My first instincts were to go with some of the product categories I research daily. For example, I could have described how machine learning algorithms can improve security analytics or vulnerability management. I might have expounded upon how SOAR (security orchestration, automation, and response) platforms can help organizations automate manual processes and streamline security operations. Similarly, I thought about breach and attack simulation tools that can help identify risk and lead to continuous assessment and security improvement.

Yup, these technologies show great promise, but there is also a lot of hype around each. Furthermore, while enterprise organizations are using them, processes and technologies themselves remain immature. CISOs can achieve benefits with these technologies, but most that I've talked to are proceeding slowly and cautiously.

Given this reality, I had to take a step back and really think about the technologies I consider groundbreaking. It wasn't easy, but I came up with three non-intuitive technologies that are truly making a difference to cybersecurity professionals.

Promising Technology 1: Apache Kafka. According to ESG research, 77% of enterprise organizations collect, process, and analyze more security data than they did two years ago. What kind of data? Everything: log data, network packets and flows, cyber threat intelligence, application data, cloud telemetry, and more. This makes sense for continuous security monitoring, but moving and processing real-time data streams requires a highly scalable data pipeline. Enter Apache Kafka, a community distributed event streaming platform (first developed by LinkedIn) capable of handling trillions of events a day.

Apache Kafka provides a publish/subscribe messaging bus for terabytes of security telemetry and then feeds it to numerous analytics engines in real time. Thus, Apache Kafka (and other tools, such as RabbitMQ) can help enable more rapid threat detection and response. When I first discovered Apache Kafka, it was being used in grassroots development efforts, but vendors have taken notice since then. In 2018, Splunk released a connector that lets its platform consume data from Kafka, and other SIEM and security analytics vendors are getting involved as well. We can't collect, process, analyze, and act upon security telemetry without a high-performance, highly scalable, and well-managed data pipeline. Apache Kafka is making a real difference in this area.

Promising Technology 2: The MITRE ATT&CK Framework (MAF). Let's face it, MITRE has had some swings and misses over the years, producing complex technology frameworks that never gained acceptance outside of the US federal government. (FCAPS comes to mind.) Why is MAF different? As Sun Tzu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." In many cases, cybersecurity analysts knew a lot about themselves but not nearly as much about their enemy, so they tended to address each security incident individually rather than look for patterns of attack. Lockheed Martin helped change cybersecurity thinking in 2011 with its introduction of the "kill chain," but security teams needed advanced threat intelligence and security analysis skills to map security events into Lockheed's model.

MAF bridges this gap by acting as the "glue," allowing analysts to contextualize and visualize individual events along kill chains and giving them detailed instructions on where to look next to uncover broader cybersecurity attacks. With its growing user popularity, it's not surprising that MAF support is becoming ubiquitous across security analytics tools of all types. Following Sun Tzu's wisdom, MAF forces cybersecurity analysts to think like a cybersecurity adversary. No wonder it is having such a profound impact.

Promising Technology 3: OpenC2. This OASIS standard is a bit more esoteric than Apache Kafka or MAF, and in truth it really hasn't had an impact yet. However, in my humble opinion, it holds great potential. OpenC2 creates an abstraction layer for standardizing communications and instructions for security controls. For example, suppose an organization receives high-fidelity threat intelligence that a specific IP address is malicious. The immediate response would be to block this IP address across all security controls. With existing security technologies, this could mean translating this rule into vendor-specific syntax, which can get cumbersome in a large heterogeneous enterprise. This is why SIEM, SOAR, and TIP vendors (among others) spend so much time and effort developing connectors and building partner ecosystems.

OpenC2 could alleviate this translation problem through common standards. Rather than individual connectors, security controls such as endpoint security software, firewalls, proxies, DNS services, etc., would talk OpenC2, so analytics engines could issue a single rule for all relevant security controls. I believe this standardization could really help automate, accelerate, and scale data-driven security processes.
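To make the "one rule, many controls" idea concrete, here is an added example (not from the article or the OASIS OpenC2 project) that takes a single OpenC2-shaped "deny ipv4_net" command and translates it into the native syntax of three illustrative controls. The command structure follows the OpenC2 Language Specification v1.0 (action, target, args); the three translators, the `ACTUATORS` registry, and the sample IP from a documentation range are assumptions constructed for this example, not vendor APIs.

```python
import ipaddress

# Constructed OpenC2-style command: one action, one target, optional args.
# 203.0.113.0/24 is an RFC 5737 documentation range, used here as a sample value.
OPENC2_COMMAND = {
    "action": "deny",
    "target": {"ipv4_net": "203.0.113.45/32"},
    "args": {"response_requested": "complete"},
}


def validate_command(cmd):
    """Accept only a well-formed deny command with exactly one ipv4_net target."""
    if cmd.get("action") != "deny":
        raise ValueError("unsupported action: %r" % cmd.get("action"))
    target = cmd.get("target", {})
    if list(target.keys()) != ["ipv4_net"]:
        raise ValueError("expected exactly one ipv4_net target")
    # strict=True rejects host bits set outside the prefix (e.g. 10.0.0.5/24)
    return ipaddress.ip_network(target["ipv4_net"], strict=True)


# Hypothetical per-control translators: each is the "connector" logic that an
# OpenC2-speaking control would carry internally instead of a SOAR vendor.
def to_iptables(net):
    return "iptables -I INPUT -s %s -j DROP" % net


def to_cisco_acl(net):
    # Cisco ACLs use a wildcard mask (inverse of the netmask)
    return "access-list 101 deny ip %s %s any" % (net.network_address, net.hostmask)


def to_rpz(net, zone="block.rpz"):
    # DNS Response Policy Zone IP trigger: prefix length, then reversed octets
    octets = str(net.network_address).split(".")[::-1]
    return "%s.%s.rpz-ip.%s CNAME ." % (net.prefixlen, ".".join(octets), zone)


ACTUATORS = {"firewall": to_iptables, "router": to_cisco_acl, "dns": to_rpz}


def dispatch(cmd):
    """Validate once, then fan the same command out to every registered control."""
    net = validate_command(cmd)
    return {name: translate(net) for name, translate in ACTUATORS.items()}


def build_response(results):
    """OpenC2 responses carry a numeric status plus free-text status_text."""
    return {"status": 200, "status_text": "applied to %d controls" % len(results)}
```

The point is that the analytics engine emits only `OPENC2_COMMAND`; the vendor-specific translation lives behind each control rather than in a connector the SIEM or SOAR vendor has to maintain.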

There's a common pattern with all three technologies: Each one acts as a force multiplier, adding value to every other security technology around it. This alone could make them extremely beneficial for CISOs and enterprise organizations.


Jon Oltsik is an ESG senior principal analyst, an ESG fellow, and the founder of the firm's cybersecurity service. With over 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help ...