Impressions of the RSA Conference 2018 part II – On the expo floor

Like last year, the main expo filled two complete buildings with more than 550 vendors. The floors were dominated by all kinds of machine-learning-related products (including malware detection, identification of suspicious user behavior and classification of sensitive information). Companies claiming to leverage Artificial Intelligence in the narrower sense (deep learning with automated feature extraction using neural networks), however, were relatively sparse.

Furthermore, identity-focused solutions kept gaining ground as the traditional perimeter disappears. Orchestration and automation, big data analytics of all kinds, software-defined networking and vulnerability management were other prominent topics. Still, given the sheer number of products and exhibitors, it is impossible to list them comprehensively. One major surprise was the low number of companies advertising blockchain-based solutions, even though the cyber-industry rarely shies away from a technology hype to gain an edge, even if only marketing-wise.

As the major hot topics of RSA are already covered by a number of available resources, we would like to shine some light on something that currently looks more like a niche, but one with potential: attack simulation as part of overall vulnerability management.

The basic idea is to deploy a number of sensors within your network that resemble common components such as Windows endpoints, web servers and others. Controlled by a central management backend, the system runs common attack vectors using those sensors as starting points, e.g. simulating a successful phishing attack against one of the Windows endpoints. The objective is then to evaluate what the impact of such a breach might be and how effectively the already existing security measures detect or protect against those types of attacks.


Several vendors are active in this area (such as SafeBreach, a former ISBC contestant, Turkey-based Picus Security, as well as Cymulate, Verodin and AttackIQ, to list a few), with minor differences in approach and main objective: while SafeBreach runs a large number of automated attack vectors once per defined time interval, Picus follows a continuous approach. What both have in common is one challenge: choosing both the sensor configuration and its placement is key to getting relevant results. In a heterogeneous environment, security controls might differ from segment to segment, and one needs to make sure that the sensor is actually subject to the appropriate ones. The same is true for the location of the sensor; otherwise the results might create a false sense of security.

Another differentiator between attack simulation tools is the expected outcome: while some rely on the blue team's ability to derive actions from detections (or failed detections), others provide configuration recommendations (such as firewall changes) for the tools of vendors they partner with. Obviously, the quality of the respective research teams and of the resulting attacks included in the simulations (including their timeliness) is another criterion to consider. One probably wants to run a simulation within a couple of hours when the next NotPetya hits the globe, not weeks afterwards. Unsurprisingly, all vendors claim to have such simulations available with a short lead time after a critical vulnerability is disclosed.

It remains to be seen whether this approach, given the effort in setup and maintenance, develops into a major part of a company's approach to identifying and addressing gaps in its security architecture. Furthermore, the trust required to allow external parties to tunnel into an enterprise's most sensitive network areas needs to be considered. If done right, sensor-based attack simulation has the potential to reveal serious gaps and misconfigurations without significantly adding to the workload of red and blue teams within organizations.

Who we are

The "Technology Scouting & Evaluation" (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.