ABS, SDS & TIG — Three New Cyber Emerging Market Categories You Should Know
October 29 2017 Filed in: Bandura | ThreatCare | Threat Intelligence | Cyber Policy | Red Team | Blue Team
The cyber industry continues to innovate and offer new ways to help organizations stay secure and compliant. Over the past few months I’ve observed analyst, media and pundit coverage of three new cyber product categories — software defined segmentation, threat intelligence gateways and automated breach simulation. All three offer many new ways to increase the effectiveness and efficiency of your security programs. I will discuss each briefly and reference relevant Gula Tech Adventures portfolio companies in these new categories.
ABS — Automated Breach Simulation
At the recent DC Cyber Talks conference, Booz Allen Hamilton cyber executives Brad Medairy and Brad Stone spoke about measuring a SOC’s effectiveness and efficiency. They felt that many SOCs had made big investments in detection and hunting and were effective, but were not efficient. Both Brads said they have helped SOCs become world class by leveraging automated breach simulations to increase their efficiency.
I’ve been a fan of automated breach testing for SOCs for a long time. You would think that continuous configuration audits of the security infrastructure would be the norm, but most organizations still audit periodically rather than continuously. This means that a small configuration change can silently stop the collection and monitoring of critical security telemetry, and the resulting gap goes unnoticed in the SOC because there is already a firehose of alerts coming in.
Rather than auditing the configuration of every sensor and every analytics system, automated breach simulation tests network security holistically: it runs a benign attack and checks whether the tooling is configured correctly and the procedures are followed. Automated breach simulations support a wide variety of use cases, such as:
- Scheduled and unscheduled training exercises for SOC staff
- Alerting automatically when a simulation goes undetected
- Tracking metrics such as time to discover a breach and attacker dwell time
- Providing evidence to support recommended policy changes in SOC procedures and technology deployments based on gaps in coverage and detection
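The scoring step behind the last three use cases, as an added example that is not code from the original post or from any vendor it names. The simulations and SIEM alerts are constructed: each simulation records a benign test a harness ran on a host and when, each alert is what the SIEM raised. Pairing the two gives time-to-discover per simulation and a list of simulations nobody noticed, which is exactly the evidence a coverage-gap recommendation needs. Hosts, rule names and technique labels are invented for the example.

```python
"""Scoring automated breach simulations against SIEM alerts.

Added example, not code from the original post or from any vendor it names.
The simulations and alerts below are constructed: each simulation records a
benign test (a port sweep, a credential-dump lookalike, a DNS-tunnel
lookalike) that a harness ran on a host, and each alert is what the SIEM
actually raised.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Simulation:
    sim_id: str
    technique: str        # benign test that was run
    host: str             # host it ran on
    started: datetime


@dataclass
class Alert:
    rule: str             # SIEM rule name
    technique: str        # technique the rule is mapped to
    host: str
    raised: datetime


@dataclass
class Result:
    sim_id: str
    technique: str
    detected: bool
    time_to_discover: Optional[timedelta]


def score(sims: List[Simulation], alerts: List[Alert],
          window: timedelta = timedelta(hours=1)) -> List[Result]:
    """Pair each simulation with the earliest alert for the same host and
    technique raised after it started and within `window`. Alerts from before
    the simulation, or on another host, are not credited to it."""
    results = []
    for sim in sims:
        hits = [a for a in alerts
                if a.host == sim.host and a.technique == sim.technique
                and sim.started <= a.raised <= sim.started + window]
        if hits:
            first = min(hits, key=lambda a: a.raised)
            results.append(Result(sim.sim_id, sim.technique, True,
                                  first.raised - sim.started))
        else:
            results.append(Result(sim.sim_id, sim.technique, False, None))
    return results


def summarize(results: List[Result]):
    """Coverage fraction, mean time-to-discover over detected simulations,
    and the ids of missed simulations (the ones the SOC should alert on)."""
    detected = [r for r in results if r.detected]
    coverage = len(detected) / len(results) if results else 0.0
    mttd = (sum((r.time_to_discover for r in detected), timedelta())
            / len(detected)) if detected else None
    missed = [r.sim_id for r in results if not r.detected]
    return coverage, mttd, missed


T0 = datetime(2017, 10, 19, 9, 0, 0)

# Constructed simulation run: three benign tests on two hosts.
SIMS = [
    Simulation("sim-1", "port-sweep", "ws-17", T0),
    Simulation("sim-2", "credential-dump", "ws-17", T0 + timedelta(minutes=10)),
    Simulation("sim-3", "dns-tunnel", "srv-02", T0 + timedelta(minutes=20)),
]

# Constructed SIEM alerts. Nothing fired for sim-2 (the gap); the 08:50 alert
# predates sim-1 and the ws-17 dns-tunnel alert is on the wrong host, so
# neither may be credited.
ALERTS = [
    Alert("nids_port_sweep", "port-sweep", "ws-17", T0 - timedelta(minutes=10)),
    Alert("nids_port_sweep", "port-sweep", "ws-17", T0 + timedelta(minutes=4)),
    Alert("dns_long_labels", "dns-tunnel", "ws-17", T0 + timedelta(minutes=21)),
    Alert("dns_long_labels", "dns-tunnel", "srv-02",
          T0 + timedelta(minutes=20, seconds=30)),
]

if __name__ == "__main__":
    res = score(SIMS, ALERTS)
    cov, mttd, missed = summarize(res)
    for r in res:
        state = f"detected in {r.time_to_discover}" if r.detected else "MISSED"
        print(f"{r.sim_id:6} {r.technique:16} {state}")
    print(f"coverage={cov:.0%} mean_ttd={mttd} missed={missed}")
```

Run on a schedule, the `missed` list is the alert from the previous bullet and the coverage and mean time-to-discover are the trend metrics; a simulation that was detected last week and is missed this week points straight at a configuration change in the collection path.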
SDS — Software Defined Segmentation
Traditionally, if you wanted to control network access inside a physical network, you used firewalls or VLANs. Both have issues with scalability, performance and configuration management. Different users have different network access needs and sit in different parts of the wired, wireless and remote networks.
Because of this complexity and management burden, most organizations have instead focused on access control at the application itself, with passwords, Active Directory integration or two-factor authentication. This leaves modern networks “flat”. Once on the inside, there is little to prevent network reconnaissance or lateral movement, and nothing actually separates users from systems they have no reason to connect to. Increasingly, those systems are IoT, medical, power, media and other hard-to-patch devices.
Software defined segmentation (SDS) changes all of that. It allows user- or role-based access control rules to be enforced inside the network. There are many different types of solutions in this space, and I’ve had it suggested to me that both the NAC and CASB spaces will be subsumed into SDS as well. Right now, however, I feel SDS is very much LAN or data center focused and not something that brokers access to the cloud in all cases. Two SDS solutions available for deployment today are from Cisco and from CryptoniteNXT.
Cisco TrustSec combines a variety of Cisco technologies to offer software defined segmentation. I’ve spoken with many companies that have standardized on Cisco and are considering upgrading their existing equipment to support TrustSec. However, because Cisco has acquired numerous companies and incorporated their products into the portfolio, many inconsistencies exist between products and software versions, leading to an overly complicated compatibility matrix. Having said that, Cisco has made more progress in this space than any other networking company, and I expect them to continue to improve the situation. You can also read Forrester’s take on TrustSec in this 2016 report.
CryptoniteNXT is a Gula Tech Adventures portfolio company. Their approach combines software defined segmentation and an overlay network with a DHS- and US Air Force-funded technology called “moving target defense”. The result is a true whitelisted set of network access controls for each user, without deploying an agent or internal firewalls. Moving target defense makes the network invisible, stopping all forms of network reconnaissance and lateral movement. CryptoniteNXT also provides a SPAN port and user activity logging for monitoring with a SIEM or NSM. It also helps organizations implementing the NIST Cybersecurity Framework: it is a new type of protection, its alerts and telemetry make intrusions easy to detect, and its ability to block users supports incident response.
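What a per-user whitelisted policy looks like once the network is no longer flat, as an added example. This is not code from Cisco, CryptoniteNXT or the original post; it models the generic SDS idea of mapping every identity to a security group and keeping a default-deny matrix of which groups may talk on which ports (TrustSec expresses the same thing with security group tags and a group-to-group policy matrix). The identities, subnets and rules are constructed for illustration.

```python
"""Default-deny, role-based network access inside a LAN, which is what
software defined segmentation enforces.

Added example; not code from Cisco, CryptoniteNXT or the original post.
The identities, subnets and policy below are constructed for illustration.
Every user or device maps to a security group; the policy matrix lists, per
(source group, destination group), the protocol/port pairs permitted. A flow
matching no entry is denied, so reconnaissance and lateral movement toward
systems a user has no business with simply fail.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src_identity dst_ip proto dport")

# Identity -> security group. In a deployment this comes from the NAC / AD
# login; here it is a constructed table. "jump-01" is a device identity.
IDENTITIES = {
    "alice@corp": "finance",
    "bob@corp":   "it-admin",
    "jump-01":    "jump-hosts",
    "guest-7f3a": "guest",
}

# Destination subnets -> security group; most specific first, catch-all last.
# Hard-to-patch devices (medical here) get a group of their own.
SUBNET_GROUPS = [
    (ipaddress.ip_network("10.10.0.0/24"), "finance-apps"),
    (ipaddress.ip_network("10.20.0.0/24"), "medical-devices"),
    (ipaddress.ip_network("10.30.0.0/24"), "jump-hosts"),
    (ipaddress.ip_network("0.0.0.0/0"),    "internet"),
]

# (src group, dst group) -> permitted (proto, port). An absent key means deny.
# Admins reach medical devices only through the jump host group.
POLICY = {
    ("finance",    "finance-apps"):    {("tcp", 443)},
    ("finance",    "internet"):        {("tcp", 443), ("tcp", 80)},
    ("it-admin",   "jump-hosts"):      {("tcp", 22)},
    ("jump-hosts", "medical-devices"): {("tcp", 22), ("tcp", 443)},
    ("guest",      "internet"):        {("tcp", 443), ("tcp", 80)},
}


def group_for_ip(ip: str) -> str:
    """Security group of a destination address (first matching subnet wins)."""
    addr = ipaddress.ip_address(ip)
    for net, group in SUBNET_GROUPS:
        if addr in net:
            return group
    return "internet"   # unreachable because of the catch-all; kept for clarity


def decide(flow: Flow):
    """Return ("allow"|"deny", reason) for one connection attempt."""
    src = IDENTITIES.get(flow.src_identity)
    if src is None:
        return "deny", "unknown identity"
    dst = group_for_ip(flow.dst_ip)
    if (flow.proto, flow.dport) in POLICY.get((src, dst), set()):
        return "allow", f"{src} -> {dst} {flow.proto}/{flow.dport}"
    return "deny", f"no rule for {src} -> {dst} {flow.proto}/{flow.dport}"


# Constructed connection attempts, including the lateral moves a flat network
# would have allowed.
ATTEMPTS = [
    Flow("alice@corp", "10.10.0.5", "tcp", 443),   # finance user to her app
    Flow("alice@corp", "10.20.0.9", "tcp", 22),    # finance user to a medical device
    Flow("bob@corp",   "10.20.0.9", "tcp", 22),    # admin skipping the jump host
    Flow("bob@corp",   "10.30.0.2", "tcp", 22),    # admin to the jump host
    Flow("jump-01",    "10.20.0.9", "tcp", 22),    # jump host to the device
    Flow("guest-7f3a", "10.10.0.5", "tcp", 443),   # guest probing finance apps
    Flow("mallory",    "10.10.0.5", "tcp", 443),   # no identity at all
]

if __name__ == "__main__":
    for f in ATTEMPTS:
        verdict, why = decide(f)
        print(f"{verdict:5} {f.src_identity:11} -> {f.dst_ip}:{f.dport}  ({why})")
```

The point of the matrix is that the deny branch is the default, not an explicit rule: adding a new device subnet or a new role yields no connectivity until someone writes the permitting entry, which is the opposite of the VLAN-plus-firewall posture where everything inside a segment can reach everything else.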
TIG — Threat Intelligence Gateway
Gartner analyst Lawrence Pingree recently made two tweets on Oct 19th:
The need for threat intelligence sharing created a market of threat intelligence producers such as Flashpoint, CrowdStrike and Wapack Labs, as well as a set of threat intelligence platforms (TIPs) such as ThreatConnect and Anomali. Unfortunately, the volume of threat intelligence created and consumed by a TIP outpaces the ability of a network sensor, firewall, NSM, SIEM or log analysis solution to ingest all of it, so TIPs are used to push only the most critical intel into the network. The bulk of the threat intelligence stays inside the TIP and is only used for investigations after an incident.
To overcome these limits in firewalls and other network sensors, dedicated “threat intelligence gateways” have been brought to market. They are deployed much like a firewall, but implement only one kind of rule: allow or drop traffic by IP address, and allow or drop DNS queries by name, according to the threat intelligence. That intelligence can come directly from one or more providers or from the enterprise’s TIP deployment.
As the above tweets show, Gartner is starting to track this category, and several companies, including LookingGlass of Baltimore, MD, are using the category name.
The Gula Tech Adventures investment in this space is Bandura. They offer a wide variety of physical and virtual appliances that can block 100 million unique IP addresses. The solution can also block by country, so you can “disconnect” yourself from their systems. I’ve had the chance to speak with customers who have deployed Bandura, and there are typically two reactions that are unexpected. The first is that the firewalls and perimeter security systems simply run better: you can literally measure lower CPU usage in your firewalls, NIDS, etc. Second, you can see dramatic drops in the security alerts logged by your SIEM or MSSP. After installing Bandura, the typical security team has fewer alerts to deal with, which lets them focus on more serious and stealthy attackers.
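The decision logic a threat intelligence gateway runs, covering the IP, CIDR and DNS rules described two paragraphs up and the country blocking described here, as an added example. This is not Bandura’s, LookingGlass’s or the original post’s code. The indicator feed, the stand-in GeoIP table (reserved ranges standing in for two invented country codes) and the sample traffic are all constructed for illustration.

```python
"""Threat intelligence gateway decision logic.

Added example; not Bandura's, LookingGlass's or the original post's code.
The indicator feed, the stand-in GeoIP table and the sample traffic below
are constructed for illustration.

A TIG sits inline like a firewall but answers only cheap questions: is the
peer IP an indicator, is it inside a blocked country's ranges, is the DNS
name (or a parent of it) an indicator. Traffic it drops never reaches the
firewall's deep-inspection engine, which is where the CPU and alert savings
come from.
"""
import ipaddress

# Exact-IP indicators go in a set: O(1) lookup holds up at tens of millions
# of entries, which is the scale a gateway is expected to carry.
INTEL_IPS = {"198.51.100.23", "203.0.113.77"}
# CIDR indicators (whole hosting ranges, say) are far fewer; a scan is fine.
INTEL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Domain indicators, matched on the name itself or any parent label.
INTEL_DOMAINS = {"bad.example", "c2.evil.test"}
# Constructed stand-in for a GeoIP database: country code -> ranges.
GEO = {
    "XX": [ipaddress.ip_network("100.64.0.0/10")],
    "YY": [ipaddress.ip_network("198.18.0.0/15")],
}
BLOCKED_COUNTRIES = {"XX"}
# A local allowlist wins over every block rule, so one bad feed entry cannot
# cut off a partner or an upstream DNS resolver.
ALLOW_IPS = {"203.0.113.77"}


def country_of(addr):
    """Country code for an ipaddress object, or None if not in the table."""
    for code, nets in GEO.items():
        if any(addr in n for n in nets):
            return code
    return None


def check_ip(ip: str):
    """Return ("allow"|"drop", reason) for a packet to or from `ip`."""
    if ip in ALLOW_IPS:
        return "allow", "allowlisted"
    if ip in INTEL_IPS:
        return "drop", "ip indicator"
    addr = ipaddress.ip_address(ip)
    for net in INTEL_NETS:
        if addr in net:
            return "drop", f"net indicator {net}"
    code = country_of(addr)
    if code in BLOCKED_COUNTRIES:
        return "drop", f"country {code}"
    return "allow", "no match"


def check_dns(qname: str):
    """Return ("allow"|"drop", reason) for a DNS query name. Matching is per
    whole label, so notbad.example does not match the bad.example indicator."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INTEL_DOMAINS:
            return "drop", f"domain indicator {candidate}"
    return "allow", "no match"


def prefilter(peers):
    """Apply check_ip to a batch; return (peers passed on, number dropped)."""
    passed = [p for p in peers if check_ip(p)[0] == "allow"]
    return passed, len(peers) - len(passed)


# Constructed sample of inbound peers and DNS queries.
PEERS = ["198.51.100.23", "192.0.2.200", "100.64.5.5", "198.18.1.1",
         "203.0.113.77", "8.8.8.8"]
QUERIES = ["www.bad.example.", "notbad.example", "C2.EVIL.TEST", "example.org"]

if __name__ == "__main__":
    for p in PEERS:
        print(f"{p:15} {check_ip(p)}")
    for q in QUERIES:
        print(f"{q:18} {check_dns(q)}")
    kept, dropped = prefilter(PEERS)
    print(f"{dropped} of {len(PEERS)} peers dropped before the firewall saw them")
```

Two details matter in practice: the allowlist is checked first, because a feed will eventually list something you depend on, and domain matching walks label boundaries rather than doing a substring search, which is how a gateway blocks every subdomain of an indicator without also blocking unrelated names that merely end in the same characters.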
Each of these new categories helps your organization be both more effective and more efficient at cyber defense. Each adds a type of protection not currently performed on most networks. Each also lowers the cost of running a well-performing security program. As you evaluate your portfolio of security vendors, consider whether any of these new categories can help you be better at cyber security.