NetEvents

Top Security Trends from the 2018 RSA Conference

By Alan Zeichick & Mark Fox

SAN FRANCISCO — There was no shortage of news at the RSA Conference, held here from 16-20 April 2018. With thousands of participants, and seemingly thousands of vendor announcements, two big trends seemed to drive momentum: Artificial Intelligence and Botnets. Certainly, there were many topics of conversation, covering everything from the ransomware attack on Atlanta, to reports of cyberwarfare, to the rise of cryptocoin mining, to hardware flaws as evidenced by Spectre/Meltdown. Still, AI and botnet attacks seemed to hold everyone’s attention.

Here are some of the top RSA news stories around artificial intelligence, botnets, and other areas, including the fast-growing field of Endpoint Detection and Response (EDR).

Demisto, an innovator in Security Automation and Orchestration technology, launched the latest release of its AI-powered Security Operations Platform. This enables customers to best leverage the incident metrics in Demisto through customizable dashboards and reports, enhance modularity and reusability of playbooks to accelerate workflow development, and improve machine learning suggestions to build leaner response processes.

Organizations can now accurately measure metrics around incident response and leverage Demisto’s rich underlying data through powerful customizable dashboards and reports. CISOs can measure SOC health and business risk, SOC managers can measure analyst productivity and incident bottlenecks, and analysts can measure incident and indicator trends. Access to an easily configurable widget library and the ability to spin up custom incident and indicator widgets results in custom persona-based dashboards to drive actionable metrics.

The new customizable dashboards and reports enable users to better sort, access and understand the collected data to measure metrics about analyst workload, incident trends and security effectiveness across their security product suite.

Speaking of Demisto: JASK, the provider of the industry’s first Autonomous Security Operations Center (ASOC) platform, announced Demisto as the latest technology alliance member to join the JASK Answers Partner Network. The integration between the JASK ASOC platform and Demisto Enterprise will enable security operations center (SOC) teams to focus their attention on the issues that matter during the critical phases of threat hunting, response and remediation.

Security operations teams are overburdened by alert volume and the lack of context needed to stay ahead of increasingly sophisticated modern attacks. Driven by AI and machine learning, the JASK ASOC platform provides SOC analysts with advanced insights and contextual visibility into threat activity. JASK’s integration with Demisto further empowers SOC analysts to easily complete the incident response and threat mitigation process by leveraging Demisto’s visual playbooks and automated response capabilities.

At RSA, Cylance, the company that revolutionized endpoint security with true AI-powered threat prevention, announced new features for its AI-driven endpoint detection and response (EDR) solution for businesses of all sizes, with new machine learning threat detection modules for CylanceOPTICS. More than half of organizations face a shortage of cybersecurity skills and staffing, according to ESG. With the widening security talent gap and exponential growth of cyberattacks, security teams require tools that accelerate and scale their incident response capabilities. Cylance brings automated incident prevention, reducing the time and human resources required to keep a business secure.

Cylance offers a prevention-first approach with CylancePROTECT, its leading AI-driven threat prevention solution, first reducing the attack surface by preventing most successful attacks. Then, CylanceOPTICS uses advanced machine learning modules to identify fileless attacks, malicious one-liners, and malicious application behavior. When presented with a potential threat, CylanceOPTICS takes decisive action in real time – without human intervention – to stop the attack and avoid the long-term consequences associated with widespread security incidents. By storing and analyzing data locally on the endpoint, CylanceOPTICS minimizes the infrastructure costs and human resources typically required by other security solutions.

CA Technologies subsidiary Veracode, a leader in securing the world’s software, announced the evolution of CA Veracode Verified, a program that provides third-party validation of a company’s secure software development processes. With approximately 30% of all breaches occurring as a result of a vulnerability at the application layer, software purchasers are demanding more insight into the security of the software they are buying. CA Veracode Verified empowers software vendors to demonstrate their commitment to creating secure software.

New research Veracode conducted with IDG found that 84% of software buyers include security requirements in new vendor contracts. Prospects and existing customers are more discerning than ever before when it comes to the security of the software being purchased, and without a means of demonstrating proof of security, organizations risk experiencing delayed or lost revenue. The CA Veracode Verified program provides several benefits to companies participating in the program, including:

  • A roadmap for adopting and maturing an application security program tied to practical outcomes and business value for the Modern Software Factory.
  • Third-party attestation from an industry leader that an application has undergone security testing as part of the development process. This can help streamline the sales process to proactively address security concerns.
  • A focus on the secure coding process, not just a point-in-time release, to embrace DevSecOps and the rapid delivery pace of DevOps and Agile development methods.
  • A means of ensuring that third party software purchased or used meets a high standard of application security, to reduce enterprise risk.

SentinelOne, the autonomous endpoint protection company, unveiled AnyCloud, enabling organizations to run the SentinelOne endpoint management platform in any public, private, or hybrid cloud infrastructure. The new SentinelOne management console is natively supported on AWS public cloud, but with AnyCloud, customers can now deploy the entire stack to their private clouds, data centers, or in a hybrid cloud fashion.

AnyCloud now allows all organizations to extend the power of the SentinelOne endpoint protection platform to all cloud environments – public, private, and hybrid. Key features include:

  • Protecting Air-Gapped Networks: Critical infrastructure organizations in verticals such as Manufacturing, Oil & Gas and Energy typically air-gap their networks to protect infrastructure that was not designed to be securely connected to the Internet. By using the SentinelOne virtual appliance on-premises, customers can protect these critical assets from attacks.
  • Distributed Protection Driven by GDPR: To ensure compliance with regional data regulations, such as GDPR, large enterprises are increasingly deploying distributed cloud sites in major regions such as North America, Europe, and Asia. Protecting data flow and storage in these regions is critical for compliance. SentinelOne now enables customers to assign devices to specific regions, so that even when a user is travelling, all of their data is processed and stored only in their assigned region.
  • Support for All Platforms: The console can be deployed to any cloud infrastructure such as AWS, Azure, or GCP. For on-premises customers, the virtual appliance can scale up to 100,000 endpoints and is supported on all major platforms, including VMware vSphere and Hyper-V, and even VMware Fusion and VirtualBox for testing. Customers upload a valid X.509 certificate into the appliance to ensure the integrity of communications between the agents and the console.

Splunk announced new and expanded AI capabilities across its product portfolio. With the power of AI, Splunk customers can use Splunk solutions to help boost their profitability, performance and security. Splunk also expanded integration capabilities with open source software and cloud-native technologies as part of its ongoing commitment to provide a true, open machine data platform for customers.

Splunk Cloud and Splunk Enterprise 7.1 deliver AI through machine learning to help customers monitor, search and alert on the critical information organizations need to accelerate their business. These latest releases include an updated metrics engine to power customers’ ability to monitor and alert on numeric data points, from CPU speeds and available hard disk space in a complex IT environment, to temperature readings in Internet of Things (IoT) devices and sensors.

The latest versions are also the only enterprise-class data analytics solutions that can ingest petabytes of data per day, as well as search, monitor and alert on that data in real time. With these enhancements, users are better positioned to make sense of their machine data to predict future IT, security and business outcomes.

Splunk also announced a new Experiment Management Interface for its Machine Learning Toolkit (MLTK). This interface makes it easier to view, control, evaluate and monitor the status of machine learning experiments. The latest Splunk MLTK also includes new algorithms for identifying patterns and determining the best predictors for training machine learning models.

Darktrace, the world’s leading AI company for cyber defense, has launched version 2 of the Darktrace Mobile App. The new update enhances the ability for security teams to investigate in-progress threats and control Antigena autonomous response actions while in transit.

Powered by AI, Darktrace’s Enterprise Immune System is uniquely capable of identifying and stopping subtle and stealthy threats in real time. With 5,000 deployments across more than 97 countries, organizations across all industries rely on its self-learning technology to detect in-progress attacks missed by traditional tools – including insider threat, IoT breaches, and zero-day attacks.

Available for iOS and Android, the Darktrace Mobile App gives security teams the ability to easily access Darktrace after working hours or on the go. Designed to offer maximum flexibility, the Darktrace Mobile App increases the speed of threat mitigation by offering push notifications of in-progress threats. For the hundreds of customers around the globe relying on Darktrace Antigena, the Darktrace Mobile App offers one-click confirmation of autonomous response actions when in human confirmation mode – giving organizations the ability to automatically fight back against emerging threats.

Version 2 of the Darktrace Mobile App adds new features that provide teams with in-depth, detailed insights into their networks. The new update allows for even faster threat notification and mitigation, the means to locate external locations, and a streamlined authentication process.

Ziften collaborates with Microsoft by integrating its security solutions with Microsoft Windows Defender ATP. The integration enables customers to detect, view, investigate, and respond to advanced cyber-attacks on macOS and Linux-based endpoints in the Windows Defender ATP Console.

After all, even the best endpoint defenses, including those for desktops, laptops, servers, and VMs, can be breached as cyberattacks become more sophisticated and targeted. Ziften, the leading provider of all-the-time visibility and control for client devices, servers, and cloud VMs, announced a strategic business and technology collaboration with Microsoft. The collaboration brings together Ziften’s Zenith systems and security operations platform and Windows Defender Advanced Threat Protection, delivering a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber-attacks and breaches on Windows, macOS and Linux-based endpoints.

Together, Ziften and Microsoft help organizations speed detection of attacks and zero-day exploits, uncover the full scope of a breach, quickly respond to contain attacks and prevent recurrence, and as a result, increase overall security operations productivity.

The integrated, cloud-powered approach supports the most highly complex multi-system, multi-cloud enterprise environments, giving business, government, and MSSP customers the capability to extend post-breach detection, investigation, and response to any asset, anywhere — client devices, servers, and cloud VMs — whether on-network or remote; connected or not. Customers get an integrated “single pane of glass” supporting Windows, macOS, and Linux-based systems. They can also overcome cloud monitoring and security concerns with visibility and control of all virtual operating systems deployed across any cloud service provider.

More Security Coverage Coming out of NetEvents in May

Following the important news coming out of the RSA Conference, the next major event for the security industry is the NetEvents Global Press and Analyst Summit, coming to Silicon Valley from 24-25 April.

While it’s too soon to predict the news announcements, here is one session at NetEvents that’s certain to make headlines:

Can AI Solve the Internet Cybersecurity Epidemic? Nobody Knows for Certain

Introduced & chaired by Dr. Ronald Layton, Deputy Assistant Director, US Secret Service

Cyberattacks from criminals, insiders, state-sponsored actors, fanatical hacktivists, ransomware taking down hospitals, malware invading Android phones – it simply never stops. Vendors develop countermeasures, patches, and fixes – and customers don’t install them, but soon enough there are new attacks anyway. Can artificial intelligence make a difference? Some security experts believe that AI can do better at detecting zero-day malware, protecting against rogue users, and discerning the behavior of intruders, while machine learning can learn how to find anomalies in network traffic and log files. On the other hand, other experts say that AI/ML are overhyped – and could be just as dangerous in the hands of hackers.