4 cybersecurity developments to watch in 2018

Be ready for when the future arrives, start monitoring a pipeline of emerging technologies.


Have you ever wanted to watch new technology develop years before it attains mass appeal? Or wondered how entrepreneurs, venture capitalists and security CTOs start building today what users will request in two years?

I try to track an incubation pipeline starting with venture capitalist funding, requirements from government agencies, security startup competitions and analyst reports. Now that we’re done with the RSA and EnFuse security conferences, I wanted to highlight how I used these, and what's new on my radar.

RSA’s conference hall acts as an “echo chamber” for trends and buzzwords that have just arrived. RSA also has a startup competition, Innovation Sandbox, which is run like a Shark Tank-style reality show. It's where you’ll see emerging tech a few years before it becomes popular on RSA's showroom floor.

Attending RSA isn’t just about the latest fad. Wait until the year after a trend hits the exhibitor hall, and you’ll see the herd thinned to only those viable solutions.

EnFuse, by contrast, is more of a niche conference. It offers hands-on technical training and is packed full of government personnel involved in cyberwarfare, insider threats, incident response and criminal forensics.

We should never forget that technology often bleeds downward from the cyber-industrial complex. My claim to fame is having been part of building one of the first modern incident response products in 2006. My bosses were ahead of the times and very bright, but not necessarily visionaries. You see, the prior year the CIA had asked us to build this product. The moral of the story is: network with government buyers.

Here are four developments I'm watching in our space:

1. Sensitive data, where art thou?

For years I’ve been promoting a future where we work incidents from both the threat and data centric perspectives. Consider the big picture: nobody blocks anything anymore; the perimeter doesn’t even exist. Today InfoSec knows their job is to reduce a bad actor’s dwell time on devices. That means their real job is to cut off adversaries before they reach sensitive data.

So, is InfoSec told where this sensitive data resides? No. Almost never. Imagine providing a physical security company the floor plans of a bank. Then asking them to deploy cameras, guards and alarms, but never telling them where the vault or cash registers are. That's about our level of data ignorance.

The professionals who know what sensitive data looks like, and are allowed to review it, are currently working hard to locate and classify it. These are people in information Governance, Risk and Compliance (GRC) departments, along with C-levels touting the words “Data” or “Governance” in their title. Maybe when they’re done locating and classifying the data, the industry could start sharing this with InfoSec?

Enterprise information management giant, OpenText, touted expansion of its big data, content awareness and AI technologies at the EnFuse keynote. OpenText is extending its reach with newly acquired EnCase investigation, discovery and response offerings, and IoT visibility from the Covisint acquisition. RSA 2018’s exhibit hall was flooded with so many data centric security products, I dare not even single out names. The most popular sub-categories included data classification, discovery and identity management.

Truth be told, we’re mostly seeing a gold rush around Europe’s General Data Protection Regulation (GDPR) and impending legislation in the US. When the dust settles, I hope what’s left are effective data exchanges between GRC and InfoSec.

2. Manual forensics is commoditizing

The past six years have seen massive shortages in cybersecurity practitioners, and a suffocating backlog of unverified alerts. It’s not surprising that Gartner and IDC have predicted a huge boom in automation technologies.

Security Orchestration Automation and Response (SOAR) products automate all the tools a SOC uses in incident response. SOAR does this by building visual playbooks that call into each disparate product’s APIs.

Take a spin in my time machine and you could see SOAR coming a mile away. Capital investment began flowing in 2014 and 2015. The following year, Phantom, which was recently acquired by Splunk, made the cut for Innovation Sandbox. Then in 2017, SOAR was the unofficial “Trendy Category of the Year” in the RSA exhibit hall. This year the ranks have thinned out, with most products acquired by Splunk, FireEye, Rapid7 and IBM, and only a few dedicated vendors remaining.

Orchestration is much bigger than just SOAR. It's now a standard bullet point for SIEMs, endpoint protection and response products. These products now ship with functionality to chain together internal tasks within visual playbooks. As a matter of fact, it was hard to find a solution which didn’t tout orchestration this year.

If you’re doing all your forensics manually, you’re now old school.

3. Time to buy visibility into IoT

When compared to traditional computing devices, IoT offers an extremely closed environment. The past few years have not seen too many incident response products tailored to these new era computing environments. It’s been mostly buzzword bingo, without real solutions to buy. That might be changing.

There are Software Development Kits (SDKs) that IoT manufacturers license and build into their devices. These SDKs detect malware and provide identity management. Yet for organizations who own devices from a variety of manufacturers, there haven’t been many options to secure them. You can monitor network traffic around IoT nodes, but what about malicious code running inside them?

IoT startup Refirm Labs just made it into Innovation Sandbox’s top ten finalists. Refirm Labs takes an approach similar to static binary analysis: look inside the file for malicious things that might occur if it were executed. For IoT this means scanning a device's firmware image to detect harmful code or exposed credentials.

This is a notable approach. Firmware images are frequently floating about for public consumption, which is why hackers are so good at attacking IoT. Refirm Labs is mostly used by device manufacturers. Though, organizations could also scan suspicious devices deployed within an estate by locating their firmware images.
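As an added illustration of the static, firmware-side check described above (this is example code, not Refirm Labs' product or the author's), the scanner below walks an extracted root filesystem packed as a tar archive and flags the kinds of exposed credentials a manufacturer would want to catch before an image ships: usable password hashes in /etc/shadow, PEM private keys, and plaintext passwords in config files. The sample image and the file names in it are constructed for the demo.

```python
import io
import re
import tarfile

# Indicators of secrets shipped inside a firmware root filesystem (constructed set)
PATTERNS = {
    # PEM-encoded private key baked into the image
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # /etc/shadow entry carrying a real MD5/SHA-256/SHA-512 crypt hash ("*" and "!" locked accounts are skipped)
    "shadow_hash": re.compile(rb"^[a-z_][a-z0-9_-]*:\$(?:1|5|6)\$[^:]+:", re.M),
    # plaintext password assignment in a config file
    "hardcoded_password": re.compile(rb"(?i)\bpass(?:word)?\s*=\s*['\"]?[^\s'\"]{4,}"),
}


def scan_firmware_fs(tar_bytes):
    """Scan an extracted root filesystem (tar bytes) and return sorted (path, indicator) pairs."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            for indicator, pattern in PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, indicator))
    return sorted(findings)


def build_sample_image():
    """Constructed stand-in for an extracted firmware rootfs; not a real device image."""
    files = {
        "etc/shadow": b"root:$6$saltsalt$FAKEHASHFAKEHASH:17000:0:99999:7:::\n"
                      b"daemon:*:17000:0:99999:7:::\n",
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nFAKEKEYDATA\n-----END RSA PRIVATE KEY-----\n",
        "etc/cloud.conf": b"server=updates.example.invalid\npassword = admin123\n",
        "bin/busybox": b"\x7fELF" + b"\x00" * 64,  # binary with nothing of interest
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, indicator in scan_firmware_fs(build_sample_image()):
        print(f"{path}: {indicator}")
```

On a real image you would first unpack the firmware (for example with binwalk) into a tar of the root filesystem and pass those bytes in; the locked daemon account and the plain binary produce no findings.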

4. Agents? We don't need no stinkin' agents

In cybersecurity, endpoints are king. They’re where those crazy users click phishing emails and get socially engineered. Traditional software required installing agents to access these endpoints, but that’s changing. Agentless tech hit my radar three years ago with Outlier Security (acquired by Symantec in 2017). This year, I saw four or five companies touting agentless endpoint access, including Blue Vector and Illusive.

Deploying agents is a huge headache because it affects users and endpoint uptime, and introduces security risks. Mostly it’s a headache because organizations already have too many. New agentless products use Remote Procedure Calls (RPC) to execute binary files on far-off machines, like the popular PsExec utility. They send executables to remote endpoints and move the data back using existing Windows services, then delete themselves.

The past two years I’ve been part of an agentless threat assessment service. I admit that it can sometimes be quirky, but it’s worked in every customer environment we’ve seen. Since nothing is left on the endpoints, and we use only network ports already open for Windows services, deployment bypasses our customers' version control and change management bureaucracies.

As agentless tech becomes ubiquitous, expect organizations to utilize many more endpoint solutions.

Don't be a victim of the coming future

Once you know where to look, and find a formula that works, predicting the future is not that hard. Be ready for when it arrives: get started monitoring your own pipeline of emerging technologies.
