Highlights from IG3 West 2019

IG3 West was held at the Pelican Hill Resort in Newport Coast, California. It consisted of one day of product demos followed by one day of talks. The talks were divided into two simultaneous sessions throughout the day — therefore, I wasn’t able to attend all the talks, but did have the privilege to serve as a panelist for two sessions and attend a few others while meeting some great people and reviewing some great companies. My notes below reflect my comments, conversations and observations. These are based mostly on my own experiences; therefore, this entire article should be considered more opinion than factual.

Cybersecurity is not just protecting your network from hackers — even though, if you have any technology that touches the internet, I’m very confident to say that your resources are attacked by opportunistic hackers several times per day. It’s these sorts of numbers that can distort the hidden reality that many data exploits are due to a lack of internal processes and systems to regulate the movement of data, and in many cases to an innocent developer, IT professional, or consultant who either didn’t understand the security implications of their actions or didn’t have time to do it correctly.

I had the good fortune to meet with several vendors while in attendance. Prior to attending, I did basic research into each of these vendors so that I’d have an idea of the type of questions I wanted to ask or review. These are my notes in no particular order.

EXTEND Resources

extendresources.com — Founded 2016

My first observation was that their SSL wasn’t configured properly on their public website — I found that unusual but it wouldn’t prevent me from taking a look. They were the broadest service provider that I met with and are able to work across every functional division within a company to cohesively solve problems.

They leverage their partnerships and a sophisticated ERP to glue everything together. I focused my discussions around their ISO-27001 solution. The solution is very affordable and the team will hold your hand through the entire process towards certification. Their OnTrack27001 software seems to support it all. Although I only saw a demo and didn’t leverage them yet for an implementation, my impression is that I will certainly consider using them on a future project.

Acalvio

acalvio.com — Founded 2015 — ~43 Patents — Distributed Deception Platform

I have mixed feelings about deceptions (also known as honeypots, honeynets, or honeytokens). They essentially represent a collection of tools that can be used to capture extensive information on threats by either being bait within a collection of resources or mirroring an existing target — without exposing your real production servers or data. They can be great if your intent is to gather the information so that you can more effectively protect your network from future attacks, or you plan to prosecute the attacker. Otherwise the potential costs may not outweigh more traditional resources that can be used to “block” the threat. Those costs include both tangible assets and the lesser known cost of the attacker advertising the vulnerability within the hacker community.

Acalvio’s solution is pretty simple to use — they essentially tap into your existing infrastructure (cloud or on-premise) and generate a collection of deceptions with very little manual work on your part. If you need a near-click-of-a-button solution to deploy a deception cloud, their costs and simplicity are worth an evaluation.

Integris Software

integris.io — Founded 2016

The best way to describe them is to think of them as Electronic Data Interchange (EDI) for data handling — almost like a middleware for all data so that it’s properly classified and mapped to facilitate requirements, identify violations, automate systems, and support discovery. I’ll have to follow up with their product and technical team to understand the best use-cases for various staged startups across different verticals.

LogicGate

logicgate.com — Operationalize Your Risk Management Through Agile GRC

They are Enterprise Resource Planning (ERP) for your Governance, Risk and Compliance (GRC). I wasn’t able to view a demo, but everything I found during my research was that they essentially have a focused ERP-like solution with out-of-the-box templates to help build the processes and workflows for managing GRC. Since there are some GRC solutions within NetSuite and Odoo, I’m not sure about the comparison. Prior to building a system out, I’d want to see a demo and understand how well it will integrate.

RedSeal

redseal.net — Founded 2004 — ~13 Patents — Cyber Risk Modeling for Hybrid Environments

Anyone who has used HP Intelligent Management Center or any other device modeling software that detects and displays the various devices within a network topology would recognize the look and feel of this tool very quickly. It imports all of your device configurations and then models out the devices and topology based on their configuration. It’s an interesting approach to viewing the traffic flow of your network — and when combined with known vulnerabilities, it can certainly be powerful for tracking all of the devices and potential problems. I recommend it if you need a way to model the devices on your network; I see some tremendous opportunity for starting from the configuration up.

Fortinet

fortinet.com — Founded 2000 — ~1,127 Patents — Broad, Integrated, Automated Security

My initial research labeled them as a firewall company. Yes, they do have a firewall product as their primary line of defense, but they’ve taken firewalls far beyond the days when I’d set up a Cisco PIX firewall or a dual-homed machine with ports closed on the public-facing end.

I’ve used them before in some of my startup environments. At the time they were a little pricey and had a few problems with high-traffic session-related issues (mostly due to underspeccing), but I stuck with them and never had any security-related issues. Their added products since that time have grown, and they seem to have everything from layer 2–7 covered.

Keyfactor

keyfactor.com — Founded 2001 — Secure Every Digital Identity

Essentially anything and everything “identity.” Their products consist of Cloud-Hosted PKI as-a-service, Certificate Lifecycle Automation, Secure IoT Device Design, and Secure Code Signing. That product line allows a company to secure every aspect of its business, systems, and devices. If you are using Azure AD, they will also integrate directly into your AD forest. As more companies are starting to rely on IoT for several aspects of their supply chain, this will certainly be a front-runner for me.

Zscaler

zscaler.com — Founded 2008 — ~20 Patents — The Internet is your new secure corporate network

I had never heard of the internet being an extension of your corporate network (from a security perspective) until hearing about their product. Based on my initial research, it seems like they extend your intranet to the cloud so that your users can have access to a secure internet while still being able to access the various business applications — all while maintaining software-defined policies to manage security. Security Stack as a Service (SSaaS).

BlueVoyant

bluevoyant.com — Founded 2017 — Exceptional Intelligence and Cyber Defense for Your Business

My preliminary notes summarized them as “Cybersecurity powered by data analytics.” Although I wasn’t able to speak directly with them very long, it was my goal to try and differentiate them from other services that support deep-learning, analytics, and AI.

There were a few other demo companies I didn’t get additional information for, but are worth noting: Synopsys, Armorblox, DarkTrace.


Panel: “Tales from the Trenches — Cyber Threat Hunting in the Real World”

Hosted by Kurt Van Etten, RedSeal CPO. The overall topics covered easily identifying devices on the network posing the most risk, identifying devices with exploitable vulnerabilities, and quickly visualizing where aggressors can pivot following a system compromise.

Q: When faced with a security decision that was shut down by the CEO, how did you deal with that and what was the result?

A: There are several examples in any CTO’s or CSO’s career where the accepted way to get something done is not the ideal thing that should be done. We must always compromise to meet resource requirements while not compromising security or integrity.

One of the most prevalent security problems I’ve seen in recent startups is getting the sales and business development team access to data to run reports. When a startup is focused on building the core platform or product, they commonly connect third-party cloud tools to the data, which forces them to open their data endpoint to the public. Of course, I shut this down as soon as it’s discovered — but it’s very common that if you don’t have a direct solution to provide the team, it will impair their decision-making process, which can easily lead to some heated discussions. I am shocked to see how many startups do this, even with a senior “CTO-level” figure within the organization.

Q: How do you prioritize incoming threats? Do you classify threats based on opportunistic, motivated, or persistent?

A: First, it’s important to understand what that actually means. There can be so much white noise when it comes to security alerts. I assume that there’s not a single network endpoint publicly accessible that doesn’t get hit with one or several opportunistic scans per day. To help with prioritizing alerts, I like to classify them as:

  • Opportunistic: The aggressor found the endpoint via a scan and got a hit for a known vulnerability. If you find several of your threats are opportunistic, you need to improve the security on the edge of your network.
  • Motivated: The aggressor has some basic knowledge about you — a former employee, competitor, or curious party. If you find several threats along this nature, processes, internal tools, and internal security education should be your focal point.
  • Persistent: The targeted attack is ongoing. I normally use this opportunity for deceptions to gather session data and signatures to help hunt down the aggressor.

Panel: “Sifting Through the Noise: Actionable Threat Intelligence”

Hosted by Saeed Abu-Nimeh, CEO of Seclytics.

The majority of threat intelligence is information about attacks that have already happened — and that threat information is noisy, contains lots of false positives, and is not actionable.

Q: What is a cost-effective tool you use to help sift through the noise?

A: Working with startups that normally have a tight budget, my go-to solution is an Elasticsearch, Logstash, and Kibana (ELK) stack. I’ll dump every log known to mankind — syslog, nginx, fpm, elb, access, etc. — into various indexes within Elasticsearch and then connect a Kibana dashboard. Most people only use ES for their application search engine, but I’ve found it’s perfect for fast access and search across millions of documents.
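As an added example (not code from the original post or from any vendor named here), a small Python script that parses constructed nginx access-log lines, tags sources that blindly probe for missing paths as “opportunistic” in the sense of the earlier panel answer, and emits the Elasticsearch `_bulk` body you would feed into an index before pointing Kibana at it; the log format, the 404 threshold and the index name are assumptions.

```python
import json
import re
from collections import defaultdict

# Assumed: nginx default "combined" log_format (ip, ident, user, [time], "request", status, bytes, "referer", "ua").
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one host probing paths that do not exist (blind scan), one ordinary API user.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2019:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Oct/2019:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Oct/2019:13:55:37 +0000] "GET /.env HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Oct/2019:13:55:37 +0000] "GET /admin/config.php HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.42 - - [10/Oct/2019:13:56:01 +0000] "GET /api/reports HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Oct/2019:13:56:09 +0000] "GET /api/reports/7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Turn one access-log line into a flat document; None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    doc = m.groupdict()
    doc["status"] = int(doc["status"])
    doc["bytes"] = 0 if doc["bytes"] == "-" else int(doc["bytes"])
    return doc

def classify(docs, not_found_threshold=3):
    """Tag a source 'opportunistic' once it has hit >= threshold distinct missing paths (a blind scan)."""
    missing = defaultdict(set)
    for d in docs:
        if d["status"] == 404:
            missing[d["ip"]].add(d["path"])
    for d in docs:
        d["threat_class"] = "opportunistic" if len(missing[d["ip"]]) >= not_found_threshold else "normal"
    return docs

def to_bulk_ndjson(docs, index="nginx-access"):
    """Serialize as an Elasticsearch _bulk body: one action line, then one document line, per record."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"

def process(raw=SAMPLE_LOG):
    return classify([d for d in (parse_line(l) for l in raw.splitlines()) if d])

if __name__ == "__main__":
    print(to_bulk_ndjson(process()))
```

The printed body can be POSTed as-is to the cluster’s `_bulk` endpoint, and `threat_class` then becomes a field to filter on in Kibana.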

Q: Is AI and threat assessment a myth for truly aiding threat intelligence?

A: Certainly not a myth. Companies like DarkTrace have demonstrated the power of deep learning layered with basic AI. The impossibility of a human reading through billions of logs and detecting patterns highlights the need for deep learning models. Since high-confidence accuracy normally requires very large datasets that may take years for a startup to collect, I’d prefer to see companies like DarkTrace share the data models and events across a community so that the models and actions mature more quickly.


Overall, I had a great time at the event, and I’ll be sure to spend more time with the products so that I may deepen my knowledge and use-cases for each.