Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/3/2019
02:00 PM
Jon Oltsik
Jon Oltsik
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Promising Technologies Making an Impact on Cybersecurity

The common thread: Each acts as a force multiplier, adding value to every other security technology around it.

A few weeks ago, while attending Black Hat 2019, I was invited to participate in a Dark Reading technology panel hosted by editor Tim Wilson. The discussion focused on new types of technologies that can truly improve cybersecurity defenses.

My first instincts were to go with some of the product categories I research daily. For example, I could have described how machine learning algorithms can improve security analytics or vulnerability management. I might have expounded upon how SOAR (security orchestration, automation, and response) platforms can help organizations automate manual processes and streamline security operations. Similarly, I thought about breach and attack simulation tools that can help identify risk and lead to continuous assessment and security improvement.

Yup, these technologies show great promise, but there is also a lot of hype around each. Furthermore, while enterprise organizations are using them, processes and technologies themselves remain immature. CISOs can achieve benefits with these technologies, but most that I've talked to are proceeding slowly and cautiously.

Given this reality, I had to take a step back and really think about technologies I consider ground breaking. It wasn't easy, but I came up with three non-intuitive technologies that are truly making a difference to cybersecurity professionals.

Promising Technology 1: Apache Kafka. According to ESG research, 77% of enterprise organizations collect, process, and analyze more security data than they did two years ago. What kind of data? Everything: log data, network packets and flows, cyber threat intelligence, application data, cloud telemetry, and more. This makes sense for continuous security monitoring, but moving and processing real-time data streams requires a highly scalable data pipeline. Enter Apache Kafka, a community distributed event streaming platform (first developed by LinkedIn) capable of handling trillions of events a day.

Apache Kafka provides a publish/subscribe messaging bus for terabytes of security telemetry and then feeds it to numerous analytics engines in real time. Thus, Apache Kafka (and other tools, such as RabbitMQ) can help enable more rapid threat detection and response. When I first discovered Apache Kafka, it was being used in grassroots development efforts, but vendors have taken notice since then. In 2018, Splunk released a connector for Kafka to leverage the framework and other SIEM tools, and security analytics vendors are also getting involved. We can't collect, process, analyze, and act upon security telemetry without a high-performance, highly scalable, and well-managed data pipeline. Apache Kafka is making a real difference in this area.

Promising Technology 2: The MITRE ATT&CK Framework (MAF). Let's face it, MITRE has had some swings and misses over the years, producing complex technology frameworks that never gained acceptance outside of the US federal government. (FCAPS comes to mind.) Why is MAF different? As Sun Tzu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." In many cases, cybersecurity analysts knew a lot about themselves but not nearly as much about their enemy, so they tended to address each security incident individually rather than look for patterns of attack. Lockheed Martin helped change cybersecurity thinking in 2011 with its introduction of the "kill chain," but security teams needed advanced threat intelligence and security analysis skills to map security events into Lockheed's model.

MAF bridges this gap by acting as the "glue," allowing analysts to contextualize and visualize individual events along kill chains and giving them detailed instructions on where to look next to uncover broader cybersecurity attacks. With its growing user popularity, it's not surprising that MAF support is becoming ubiquitous across security analytics tools of all types. Following Sun Tzu's wisdom, MAF forces cybersecurity analysts to think like a cybersecurity adversary. No wonder it is having such a profound impact.

Promising Technology 3: OpenC2. This OASIS standard is a bit more esoteric than Apache Kafka or MAF, and in truth it really hasn't had an impact yet. However, in my humble opinion, it holds great potential. OpenC2 creates an abstraction layer for standardizing communications and instructions for security controls. For example, suppose an organization receives high-fidelity threat intelligence that a specific IP address is malicious. The immediate response would be to block this IP address across all security controls. With existing security technologies, this could mean translating this rule into vendor-specific syntax, which can get cumbersome in a large heterogeneous enterprise. This is why SIEM, SOAR, and TIP vendors (among others) spend so much time and effort developing connectors and building partner ecosystems.

OpenC2 could alleviate this translation problem through common standards. Rather than individual connectors, security controls such as endpoint security software, firewalls, proxies, DNS services, etc., would talk OpenC2, so analytics engines could issue a single rule for all relevant security controls. I believe this standardization could really help automate, accelerate, and scale data-driven security processes.

There's a common pattern with all three technologies: Each one acts as a force multiplier, adding value to every other security technology around it. This alone could make them extremely beneficial for CISOs and enterprise organizations.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities."

Jon Oltsik is an ESG senior principal analyst, an ESG fellow, and the founder of the firm's cybersecurity service. With over 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.