It’s Refreshing to See the Industry Hyping Security Concepts That Actually Work
Every year at the RSA Conference, industry practitioners are treated to a never-ending set of marketing buzzwords. Peppered throughout the talks, and plastered on booths and billboards, with invocations of FUD and FOMO to energize spend in a new area. Of course, the use of buzzwords isn’t exclusive to RSA, but this time of year seems to be when new campaigns are rolled out and the big new products are announced.
Everyone’s experience is difference, but at this year’s RSA Conference, I got the feeling that peak buzzword might be behind us. Previous years’ buzzwords included everything from “APT” and “Machine Learning” to “Artificial Intelligence” and “Threat Intelligence.” While there’s a place for all of these, they’re the essence of buzziness. They were amorphous and hard to put into action. How is a CISO really supposed to make Artificial Intelligence useful? How can a SOC actually make Threat Intelligence work for them?
This year’s buzzwords – if you can call them that – seemed more cogent, and represented actionable, proven concepts. Here were the trending themes that I picked up on:
DevSecOps: DevSecOps is all about incorporating security into the Software Development Lifecycle and building software that is secure by design. Pure play vendors such as ThreatModeler Software, Aqua Security, Puppet, and Synopsys help developers think about risks, gain visibility into application activity, automate security checks, and build security throughout the SDLC. Larger vendors, such as IBM, AWS and Microsoft are promoting their tools for integrating security at every phase of design, build, and test. I like the DevSecOps buzzword because it calls for building secure software from the start, and in that sense is really nothing new. Companies have been incorporating static code checking into developer IDEs for a long time, and I remember Shannon Lietz (@devsecops) proclaiming the fundamentals of DevSecOps five years ago, before the term was popular. I’m all for drawing attention to good fundamentals, even if it means making the old new again!
Zero Trust: It’s great to see the fundamental ideas behind Zero Trust gaining so much traction, and unlike nebulous concepts such as “Artificial Intelligence,” this is a proven concept that can help organizations start securing their environment. Least privileged access, stronger identity-based access to applications, inspection of traffic, and network segmentation are old ideas, and get to the heart of security. I also like the emphasis on Zero Trust because it doesn’t need to be (nor can it be) purchased from any one vendor – in fact, the very idea of that is funny, and should make organizations question any vendor who says they can sell it. Anyone can make incremental and cost-effective steps by applying its underlying principles.
MITRE ATT&CK™: MITRE describes ATT&CK as, “…a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” Much has been written about how to use it to help secure an environment – I like Devon Kerr’s (@_devonkerr_) recent SecurityWeek article on the topic. ATT&CK is great because it’s based on the real world, has so many practical applications, and doesn’t belong to any vendor. I see it shaping the way we think about attacker activity in the same way that @mikecloppert and @rohanamin’s Kill Chain or @Mandiant ‘s Attack Lifecycle helped us think about attacks 8+ years ago (hard to believe it’s been that long!).
Breach & Attack Simulation: This last bit of buzz might be the most commercial one on the list, and that’s because it represents a new class of products seeking to establish a category. Again, the concept isn’t new. For years, smart security teams have taken what we know about an attacker – their tactics, techniques, and procedures (TTPs) – perhaps as represented in the MITRE ATT&CK framework. They then use those TTPs to test the controls in their environment. Over the last few years, this has been expressed through internal or external Red Team engagements. I love the idea of Red Teaming, but it is very point-in-time, and can get expensive. Breach & Attack Simulation (BAS) vendors claim to do this constantly, and can provide real-time reports on how an organization would fare against a specific attacker (APT35, FIN7, etc.) or type of attack (e.g., a cryptocurrency miner delivered via a specific vulnerability). The BAS vendors talk a lot about “automated red teaming at a fraction of the cost” because they’re looking for existing budget to sell into. This is reasonable, but I don’t see BAS products just as replacements for Red Teaming. They lack the creativity and determination of a good Red Team. Instead, I see them as supplements (or eventually, replacements) for traditional vulnerability scanning. Security practitioners always struggle to get senior leadership to prioritize vulnerability management and eyes tend to glaze over when vulnerability managers share CVE status. Reframing the conversation around real-world vulnerability is different. Explaining to a risk committee that your organization is vulnerable to the OceanLotus/APT32 group, which they read about in SecurityWeek, and which has been targeting companies in your industry, could create a completely different sense of urgency.
Unlike buzzwords from prior years, this year’s buzzwords are all throwbacks of sorts. They represent a return to fundamentals of information security. DevSecOps is about building security in. ZeroTrust is about verifying everything and trusting nothing. MITRE ATT&CK is about understanding attacker TTPs and how they relate to an environment. Breach & Attack Simulation is about applying those TTPs to the organization and operationalizing the concepts behind a Red Team.
Although it wasn’t due to any coordinated effort, it’s refreshing to see the industry hyping concepts that work, instead of pushing products that are likely unneeded. Let’s hope this year’s themes represents a longer-term turning away from buzzwords and toward effective fundamentals.