This past Friday AppGuard hosted its 6th event in this year's CISO Summit series. It was the largest group yet: an influential circle of the world's cyber leadership, with leaders from the intelligence community, investment banks, critical infrastructure, and cutting-edge technology companies.
I wanted to share some of the key takeaways from the day and the knowledge exchanged among this group of dynamic leaders.
- Existing cybersecurity tools are not as effective as once thought. Anti-virus and EDR solutions continue to struggle against countermeasures and more sophisticated attacks, and sandboxing, whitelisting, and deception technology still do not add up to a holistic way of stopping malware from hijacking the OS.
- Zero Trust Architecture is no longer a buzzword. "ZTA" is now a framework supported by NIST, and a draft of the new ZTA framework (NIST SP 800-207) is available now.
- Multilayer approaches to security are becoming harder to manage and continue to degrade the performance of the system, of the people in the cyber organization, and of the board's ability to make sound cybersecurity decisions. The idea is that each tool focuses on a different type of attack, so when one misses, another catches it. In practice this creates massive redundancy that the business side shrugs off as the cost of doing business and staying safe, and the daily news shows the approach is not working.
- The CISO role is now MISSION CRITICAL to the success of the company and needs access to the board so the cyber organization can be aligned with the board's strategic vision.
- It does not serve the C-suite's strategy if your cyber stack starts at "reacting" to the bad thing that just happened. The board is entitled to a prevention plan for cyber, not just a reactive one.
Here are some of the challenges in the cyber ecosystem:
- We no longer understand our perimeter. It was lost to mobile, cloud, third-party applications, and supply-chain access everywhere, and IoT devices are being introduced without being scrutinized for vulnerabilities.
- We continue to overlook the basics and not fix them. Patching remains unpredictable and unreliable: more than 6M vulnerabilities surface each week and 30% of them go unrecognized for weeks. We have a mature Software Development Life Cycle yet stay hush-hush about SecDevOps. We share our code or lean on open-source code whose origins are unclear.
- No employee has ever said “the reason I clicked on the phishing email is that I missed the training”
- The "bad guy" is already inside our network. Even with "AI" and humans watching the logs, we know they are in there; we just don't know where. We think antivirus is effective, or we rely on endpoint protection. We think our firewall, IDS, IPS, and HIDS are going to save us.
- No matter how much we train people, humans make mistakes. All applications are flawed, despite our best efforts. Flaws and mistakes collide.
- There is a gap in the NIST Cybersecurity Framework: even when you follow it to the letter, you will miss new malware patterns, and chasing down that malware is costly and hard to scale.
LIVE Penetration Testing - During our live penetration test, four machines were set up:
- Attacker machine
- Vic-machine with AV+EDR
- Tim-machine with AV+EDR
- Machine with AppGuard running
The attacker machine launched a two-pronged zero-day attack and within moments had encrypted Vic's and Tim's machines and exfiltrated directories from both with ease. AppGuard defeated both attacks pre-exploit with the trifecta of Space Policy, Isolation, and Inheritance.
In the second round of penetration testing, AppGuard defeated credential harvesting, data exfiltration, and encryption when the hackers attempted to get into the network.
Bob Bigman was our keynote speaker and he rained down fire and brimstone knowledge as he always does:
We must understand the hacking threat:
- Your greatest threat comes from organized hacking entities OUTSIDE your network
- All external facing endpoints (including network clients) are at highest risk
- Sophisticated hacking tools begin with identifying endpoints at risk (e.g., OceanSalt)
- Hacking tools detect vulnerable firmware/software, local administrative credentials, and weak security settings
- Latest attacks focus on Living-off-the-Land techniques (e.g., Emotet)
- The above accounts for 87% of all cybersecurity risks
Hackers Respect Prevention:
- Properly deployed tools reduce the hacking risk by (at least) 80%.
- Prevention measures make it hard for hackers to apply surveillance and LOTL exploit tools
- Prevention measures increase the likelihood that hackers have to stay in a network longer (increasing the risk of being caught)
- Prevention measures increase the “dark-net” reputation ranking of an organization
- Prevention measures increase the ability of an organization to accept more risk
Six Critical Prevention Measures:
- Security-hardened "gold" network, O/S and application images
- “Strong” two-factor authentication
- Strict privileged account credential management (e.g., Microsoft Just Enough Administration)
- Network-level security segmentation
- Strong endpoint kernel, memory-prevention, and whitelisting measures
- Automated vulnerability identification and patch management
AppGuard prevents breaches at the endpoint by blocking applications from performing inappropriate actions while allowing harmless ones. This is done through the three foundational pillars of our technology:
- Space Policy: Applications can only launch from System Space unless a "Trusted" exception is granted.
- Isolation: Applications in system space are grouped into high-risk and "normal" applications. High-risk apps are blocked from executing potentially harmful processes.
- Inheritance: Child processes started by a high-risk app but executing from a low-risk image "inherit" the high-risk policies, so advanced malware cannot trick AppGuard into treating a suspicious process as though a harmless app were running it.
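To make the three pillars concrete, here is a small added model written for this post. It is not AppGuard's code, policy format, or exact semantics; the directory classes, the trusted-exception list, the high-risk application list, the action names and the sample process chain are all assumptions made up for the illustration. It replays a macro-style chain like the one in the live demo (Word spawns PowerShell, which tries to harvest credentials, persist, and drop and launch a payload) and records the decision at each step.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory classes for the model. "System space" holds images
# only an administrator can write; "user space" is writable by a standard
# user, and therefore by malware running as that user.
SYSTEM_SPACE = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumed "Trusted" exceptions: user-space images explicitly allowed to launch.
TRUSTED_USER_SPACE_APPS = {"c:\\users\\alice\\appdata\\local\\slack\\slack.exe"}

# Assumed high-risk applications: anything that routinely opens untrusted content.
HIGH_RISK_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "acrord32.exe"}

# Assumed actions a high-risk process is not permitted to perform.
HARMFUL_ACTIONS = {"write_system_space", "write_run_key", "read_lsass_memory", "inject_process"}


@dataclass
class Process:
    pid: int
    image: str                      # full path of the executable image
    parent: Optional["Process"] = None

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def launch_decision(proc: Process) -> str:
    """Space Policy: an image may launch only from system space, unless it
    is on the trusted-exception list."""
    image = proc.image.lower()
    if image.startswith(SYSTEM_SPACE):
        return "allow"
    if image in TRUSTED_USER_SPACE_APPS:
        return "allow"
    return "block"


def is_high_risk(proc: Process) -> bool:
    """Isolation plus Inheritance: a process is high-risk if its own image is
    high-risk, or if any ancestor in its launch chain is. Walking the parent
    chain is what stops a system-space child (cmd.exe, powershell.exe) spawned
    by a high-risk app from escaping the high-risk policy."""
    while proc is not None:
        if proc.name in HIGH_RISK_APPS:
            return True
        proc = proc.parent
    return False


def action_decision(proc: Process, action: str) -> str:
    """Isolation: block harmful actions from high-risk (or inherited) processes."""
    if action in HARMFUL_ACTIONS and is_high_risk(proc):
        return "block"
    return "allow"


def simulate_attack_chain() -> dict:
    """Replay a macro-style chain and record the decision at each step.
    All paths and process names are constructed sample data."""
    explorer = Process(1, "C:\\Windows\\explorer.exe")
    word = Process(2, "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", explorer)
    ps = Process(3, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", word)
    dropper = Process(4, "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe", ps)
    slack = Process(5, "C:\\Users\\alice\\AppData\\Local\\Slack\\slack.exe", explorer)
    admin_cmd = Process(6, "C:\\Windows\\System32\\cmd.exe", explorer)

    return {
        # Word is a system-space image, so it launches normally.
        "word_launch": launch_decision(word),
        # powershell.exe is also a system-space image, so the launch itself is allowed...
        "powershell_launch": launch_decision(ps),
        # ...but it inherits Word's high-risk policy.
        "powershell_inherits_high_risk": is_high_risk(ps),
        # Credential harvesting from the inherited-high-risk shell is blocked.
        "powershell_reads_lsass": action_decision(ps, "read_lsass_memory"),
        # Persistence via a Run key is blocked for the same reason.
        "powershell_writes_run_key": action_decision(ps, "write_run_key"),
        # Dropping a file into user space is not itself harmful, so it is allowed...
        "powershell_writes_temp_file": action_decision(ps, "write_user_space"),
        # ...but the dropped payload cannot launch: user space, no exception.
        "payload_launch": launch_decision(dropper),
        # A trusted user-space app launched by explorer is fine.
        "slack_launch": launch_decision(slack),
        # cmd.exe started from explorer (not from a high-risk app) keeps normal rights.
        "admin_cmd_writes_system_space": action_decision(admin_cmd, "write_system_space"),
    }


if __name__ == "__main__":
    for step, verdict in simulate_attack_chain().items():
        print(f"{step:32} {verdict}")
```

The part worth noticing is the parent-chain walk in `is_high_risk`: without it, `powershell.exe` would be judged only by its own image (system space, not on the high-risk list) and would be allowed to read LSASS and write a Run key, which is exactly the living-off-the-land path a macro uses. The dropped payload is stopped by the launch rule instead, because it is a user-space image with no trusted exception.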
* If you are up for a beer and want to talk about this further, let me know and we'll set up a time to get together at our office and try some long beard lager or Hiroshi Hang Ten IPA.
Feel free to email me if you have any questions - Neal