It’s over and we’re a bit sad to leave all the great conversations. Before we head over to Defcon, we wanted to share some thoughts on Thursday’s Black Hat events. Privileged account security is on everyone’s radar as a critical link in the kill chain against advanced threats. Almost every CISO and security professional that we’ve talked to understands that locking down privileged credentials is critical to protecting the enterprise.
This was reflected in many sessions throughout the conference. From the dangers of privilege escalation to hacking into medical devices and ICS systems through default and hardcoded privileged credentials, there is an ongoing discussion of the role privileged accounts play in advanced attacks. It’s not hard to see why when we’re inundated with breach stories on an almost daily basis. We believe privileged account takeover is the crux of every advanced attack… and no, it’s not just because our purpose in life is to solve the privileged account security challenge.
Bruce Schneier’s Presentation
This session on the evolution of the incident response industry was a must-attend. Schneier discussed the importance of an incident response ecosystem that helps businesses deal with the threat landscape and overcome challenges driven by three primary trends:
- Companies are Losing Control of their Infrastructure: Cloud computing, outsourcing, the dissolving perimeter with a mobile workforce – these are all trends that have taken infrastructure control out of the hands of businesses. As a result, organizations are becoming more reliant on partners and third parties to protect their own networks and to prevent attackers from using partner networks as backdoors into the primary target network.
- Attacker Sophistication: Schneier made some excellent points on the state of cyber-warfare. His overall point was that cybercrime as an industry has matured almost as fast as the security industry. We’re seeing attackers use war-like tactics to perpetrate their attacks, with the biggest difference being that in a ‘traditional’ war, you can usually tell who the enemy is by the weapons they use. This isn’t the case in the cyber-world, where states and rogue actors are releasing sophisticated malware and cyber-weapons and making them available to a growing percentage of attackers. His inescapable point was that the sophistication has reached the level where it is impossible to keep motivated attackers or groups out of your network.
- Government Involvement: The growing number of state-sanctioned hacker groups has driven an increasingly menacing threat landscape. We’re in the middle of a cold-war arms race, except nations are stockpiling zero-day exploits, vulnerabilities, and nasty malware for when the time is right to strike.
So what does this have to do with incident response, and more specifically, privileged threat analytics? The point was that the need for real-time incident response has never been greater. While a lot of the process and information gathering can be automated, there needs to be a human element to intellectually figure out what the right response should be.
Schneier believes that the human component of incident response must be fueled with information on the methods attackers use to infiltrate an organization and exfiltrate data. This is where privileged threat analytics comes in. Real-time analytics on the anomalies of privileged user behavior will be a critical driver in the incident response industry, providing the IR teams with the information and insight needed to get ahead of attackers that may already be on the network.