Beyond the Cyber Basics: A Recap From Black Hat USA 2023
Cybersecurity has evolved. Vendors are quickly adjusting their go-to-market plans, focusing on digital transformation strategies, cloud adoption, aligning with new regulations, compliance mandates, and the proliferation of applications and APIs in the digital era. Oh yeah, and we can't forget about Artificial Intelligence.
Buzzwords, new features, and integrations were announced, yet every solution remains merely a piece of the puzzle in cybersecurity. Regardless of buyer persona, it boils down to people and a vendor's ability to deliver secure business outcomes quickly and efficiently. Business leaders are focused on innovation and differentiating themselves in the market, while faced with decreasing budgets, a looming recession and regulatory compliance. Complexity and the acceleration of cloud adoption are cause for concern around the imbalance between risk and innovation.
People first, but why?
If the focus is shifted toward overcoming challenges or concerns that keep a CISO, engineer, and SOC (Security Operations Center) analyst up at night, or prevent them from enjoying vacation with their family, we would all be in a better place. FUD (Fear, Uncertainty and Doubt) is everywhere – it's distracting, and it creates so much ancillary noise in the market.
At WWT, our culture and core values always put people first. We are here to help solve problems, regardless of size or complexity, and accelerate business decisions through our ATC. Consumer buying decisions are heavily influenced by emotion and the overall experience a consumer has with a product. While our ATC is arguably the best way to get hands-on experience with a tool before using it, you can quickly compare UX design and the overall user experience on the showroom floor.
A common problem we're seeing with modern tools is around a customer's ability to operationalize the day-to-day tasks.
Why aren't vendors focusing on operations? Perhaps it's not flashy, or perhaps it is harder to market. This is where WWT's ATC, our presales support, consulting and integration services matter. Vendors who remain focused on specific business challenges and consider "day two" operations a priority will win long-term. If a customer can't operationalize a tool, they'll move on to something else, but as is often said, "grass isn't always greener on the other side."
Shining a light
There were 400+ booths representing security vendors in the Business Hall and roughly 80 of those were new startups. I was more surprised by the number of vendors (80+) who highlighted one or more of the following capabilities in their booth:
- Application security or AppSec
- DDoS or WAF
- API security
- Code security
- Pen testing
- Software supply chain security
Why do I point this out?
Web applications remain the top attack vector in both disclosed breaches and incidents (Source: Verizon DBIR 2023). However, APIs deserve special mention here since most modern web and mobile applications are derived from APIs. The proliferation of APIs and open sharing of data is cause for concern and warrants attention.
Risk = vulnerability by design
Cybersecurity experts and business leaders must come together and form a common balance between innovation and risk.
A new dawn in cyber defense: cyber warriors in code
While inarguably necessary, existing perimeter, network and endpoint security solutions often are not fully capable of protecting applications and APIs. Security visibility is commonly lost at the application layer, or sometimes ignored due to the sheer volume of log traffic. Security teams therefore can struggle to tie incidents and business logic abuse to actual threats.
As mentioned, web applications are the top attack vector. We're starting to see a shift in the vendor market; it's only a matter of time before it's prioritized by organizations across the globe. It starts at the top and you don't want to be late to the party. Government leaders, CISA, NSA and others are all rallying around the need for a secure software supply chain and secure-by-design standards for both hardware and software.
We all know that attackers are looking for financial gain. We know what they're after, so why are we so focused on the perimeter, where security mitigations are already in place? Assess what you have, improve it, identify gaps, remediate them and improve your overall security posture to defend against modern threat actors.
What if we approach security from the inside out and go beyond the basics?
We must look at the bigger picture. Consider the entire attack surface and acknowledge what we've been doing hasn't stopped the most advanced attackers. Visibility and control are key – and enabling those in the proper locations is significant to your overall success.
- Minimize false positives
- Correlate data from a plethora of tools
- Prioritize incidents and mitigations by risk
- Tie risk scores and metrics to business logic, assets and dependencies
Invest time and money in solutions that give you the biggest bang for your buck. In nearly every investment document you'll see, "Past performance is no guarantee of future results." Things change quickly and unexpectedly and sometimes without reason. As experts, we must move beyond the FUD and get down to brass tacks…
What can I do to put myself and others in a better place tomorrow than they are today?
Many vendors want to be on every piece of the puzzle; I call this "Me-too-itis." We commonly find the most successful vendors are the ones who focus on helping overcome a specific business challenge, which drives a secure business outcome, versus the vendors who try to do it all.
Digital transformation is forcing cybersecurity leaders to better understand their environments and all the assets of the technical estate, including applications, APIs and an increasing software supply chain riddled with open-source and AI-generated code. In order to effectively reduce risk and accelerate innovation, leaders need visibility and control across the entire attack surface, but many times leaders are being asked to do more with less.
Cybersecurity leaders have been focused on securing legacy environments with infrastructure security controls for years. Now the attack surface is expanding, we're opening doors to our data, and delivering digital solutions faster than ever. Security is commonly the limiting factor against the pace of digital innovation and an organization's ability to be first to market. Organizations that step back, pause and look at the entire process from idea to outcome, and then craft a secure strategy around that, will win the long game.
Network and endpoint security have led cybersecurity priorities for years. Today, the attack surface is expanding at a rapid pace, and it's driven by digital transformation and consumer demand. Organizations are differentiated by applications, services and products; their ability to innovate digitally is directly tied to competition against market leaders and startups alike and is key to longevity and brand. Cloud adoption is accelerating at a rapid pace and brings a new and evolved complexity. Lax permissions and other misconfigurations can leave data exposed. This attack surface explosion is driving a rapidly developing market around security posture management for cloud, data, applications, SaaS, etc.
Welcome to the digital era
All eyes are on applications, APIs, software supply chains, AI, and data security. As I walked the Business Hall at Black Hat, I photographed every booth that had mention of:
- Application security
- API security
- Code to cloud
- Penetration testing
80+ vendors highlighted these use cases in their booths. The noise on the showroom floor is like the noise in the market. How can we expect customers to wade through so many vendors and expect efficient, effective, affordable security?
What are we seeing?
The modern delineation between network, security, development and operations teams is almost non-existent. Developers must understand and adapt to security like network engineers have had to adapt to automation and deploy network infrastructure as code.
Digital transformation is painting a new picture for cybersecurity, and it's highlighting the importance of security beyond the basics. I'll share some significant changes we're seeing and how they align with what we observed at Black Hat 2023 in Las Vegas.
- Expanding attack surface: Digital transformation is responsible for an expanding attack surface, providing cybercriminals with more entry points. Security has commonly been an afterthought, or considered a gate, but organizations are quickly realizing they must build in security and consider it a requirement for innovation.
- Complexity: Many times, complexity results from considering security at the wrong point in a conversation around digital transformation. The integration of tools and technologies often results in complex and interconnected networks, with varying degrees of interoperability, making it challenging to effectively monitor and secure every component.
- Speed of change: Digital transformation accelerates the pace at which new technologies are introduced and existing ones are updated, sometimes called app modernization. As speed increases, so must cybersecurity measures that can adapt just as quickly to ensure continuous protection.
- Data and privacy: More applications. More APIs. These lead to an increase in data collection and storage needs, but more importantly, there are concerns around data privacy and regulatory compliance like GDPR and CCPA. CISOs are charged with the implementation of robust data protection measures to maintain compliance and protect sensitive customer information and intellectual property.
- Cloud security: With the ongoing increase in migrations of apps, APIs and other workloads to the cloud, the shared responsibility model requires CISOs to collaborate with CSPs to ensure proper security configurations and data protection. This is leading to an explosion in vendors around CSPM, CNAPP, DSPM, ASPM and other security tools.
- AI and automation: While AI and automation can enhance cybersecurity, they also bring new risks, such as AI-driven attacks and the potential for vulnerabilities in learning models and systems. There will be more emerging solutions around AI in the future and we'll continue to focus on the growing concerns and innovation around AI.
- Threat landscape: Cybercriminals are adapting to the changing landscape, using basic and advanced techniques against targets likely to be left unprotected, such as web applications and APIs. For years, web applications have been a top attack vector (Verizon DBIR), and while customers are focusing on protecting those vectors, the complexities and uncertainty around protecting them leave the door wide open. Whether it's through vulnerabilities, zero-days, or authentication, the attacks or breaches could have been prevented before runtime.
- Secure vs. defend: CISOs must stay ahead by using AI/ML threat intelligence and proactive defense solutions, or focus on securing assets before runtime and ensuring proper configuration, security posture and code that isn't laden with vulnerabilities. Zero trust and best practice architecture can help shrink the attack surface, reduce cost and minimize toil in production environments.
In the shadows of digital transformation, the foundation of success rests upon modern cybersecurity. We understand that embracing innovation without fortifying defenses is like building castles without walls. By championing a security-first culture and robust cyber solutions, we not only protect sensitive data but also foster an environment where creativity thrives, unburdened by fear. Our commitment to modern cybersecurity not only secures digital assets but also ensures the trust of our stakeholders, partners and customers.
It's not about just defending against threats; rather, it is about enabling the limitless possibilities that the digital future holds. So, let's stand united as architects of secure transformation, embrace change and propel our organizations into the future with confidence and resilience.