Is It GAME OVER?

Targeted attacks take many forms, though there is one common tactic most of them share: exploitation. To achieve their goal, the attackers need to penetrate different systems on the go, and the way this is done is by exploiting unpatched or unknown vulnerabilities. The more common forms of exploitation happen via a malicious document which exploits vulnerabilities in Adobe Reader, or a malicious URL which exploits the browser, in order to gain a foothold inside the endpoint computer. Zero Day is the buzzword of the day in the security industry, and everyone uses it without necessarily understanding what it really means. It hides a complex world of software architectures, vulnerabilities, and exploits that only a few thoroughly understand. Someone asked me to explain the topic, again, and when I really delved deep into the explanation I realized something quite surprising. Please bear with me, this is going to be a long post 🙂

Overview

I will begin with some definitions of the different terms in the area. These are my own personal interpretations of them…they are not taken from Wikipedia.

Vulnerabilities

This term usually refers to problems in software products – bugs, bad programming style or logical problems in the implementation of software. Software is not perfect, and one could argue that it can’t be. Furthermore, the people who build the software are even less perfect, so it is safe to assume such problems will always exist in software products. Vulnerabilities exist in operating systems, in runtime environments such as Java and .Net, and in specific applications, whether they are written in high-level languages or native code. Vulnerabilities also exist in hardware products, but for the sake of this post I will focus on software, as the topic is broad enough even with this focus. One of the main contributors to the existence and growth in the number of vulnerabilities is the ever-growing complexity of software products: it simply increases the odds of creating new bugs, which are then difficult to spot because of that same complexity. Vulnerabilities always relate to a specific version of a software product, which is basically a static snapshot of the code used to build the product at a specific point in time. Time plays a major role in the business of vulnerabilities, maybe the most important one.

Assuming vulnerabilities exist in all software products, we can categorize them into three groups based on the level of awareness of these vulnerabilities:

  • Unknown Vulnerability – A vulnerability which exists in a specific piece of software and of which no one is aware. There is no proof that such a vulnerability exists, but experience teaches us that it does and is just waiting to be discovered.
  • Zero Day – A vulnerability which has been discovered by a certain group of people or a single person, where the vendor of the software is not aware of it, so it is left open without a fix or any awareness of its presence.
  • Known Vulnerabilities – Vulnerabilities which have been brought to the awareness of the vendor and of customers, either in private or as public knowledge. Such vulnerabilities are usually identified by a CVE number. During the first period following discovery the vendor works on a fix, or a patch, which will become available to customers. Until customers update the software with the fix, the vulnerability remains open to attack. So in this category, each respective installation of the software can have patched or unpatched known vulnerabilities. In a way, the patch always comes as a new software version, so a specific product version either contains a given vulnerability or it doesn’t – there is no such thing as a patched vulnerability, there are only new versions with fixes.

There are other ways to categorize vulnerabilities: based on the exploitation technique, such as buffer overflow or heap spraying, or based on the type of bug which led to the vulnerability, such as a logical flaw in the design or a wrong implementation.

Exploits

A piece of code which abuses a specific vulnerability in order to cause something unexpected to occur in the attacked software. This means either gaining control of the execution path inside the running software, so the exploit can run its own code, or just achieving a side effect such as crashing the software or causing it to do something unintended by its original design. Exploits are usually strongly associated with malicious intentions, although from a technical point of view an exploit is just a mechanism to interact with a specific piece of software via an open vulnerability – I once heard someone refer to it as an “undocumented API” :).

This picture from Infosec Institute describes a vulnerability/exploits life cycle in an illustrative manner:


The time span colored in red represents the period in which a discovered vulnerability is considered a Zero Day, and the time colored in green is where the state of the vulnerability turns to unpatched. The post-disclosure risk is always dramatically higher, as the vulnerability becomes public knowledge. Also, the bad guys can and do exploit it at a higher frequency than in the earlier stage. Closing the gap on the patching period is the only step which can be taken toward reducing this risk.

The Math Behind Targeted Attacks

Most targeted attacks today use the exploitation of vulnerabilities to achieve three goals:

  • Penetrate an employee endpoint computer by different techniques, such as malicious documents sent by email or malicious URLs. Those malicious documents/URLs contain malicious code which seeks specific vulnerabilities in the host programs, such as the browser or the document reader. And so, during a rather naïve reading experience, the malicious code is able to sneak into the host program, which serves as the penetration point.
  • Gain higher privilege once malicious code already resides on a computer. Many times the attacks which were able to sneak into the host application don’t have enough privilege to continue their attack on the organization, so the malicious code exploits vulnerabilities in the runtime environment of the application, which can be the operating system or the JVM for example – vulnerabilities which can help the malicious code gain elevated privileges.
  • Lateral movement – once the attack enters the organization and wants to reach other areas in the network to achieve its goals, many times it exploits vulnerabilities in other systems which reside on its path.

So, from the point of view of the attack itself, we can definitely identify three main stages:

  • An attack at Transit Pre-Breach – This state means an attack is moving around on its way to the target and in the target prior to exploitation of the vulnerability.
  • An attack at Penetration – This state means an attack is exploiting a vulnerability successfully to get inside.
  • An attack at Transit Post Breach – This state means an attack has started running inside its target and within the organization.

The following diagram quantifies the complexity inherent in each attack stage both from the attacker and defender sides and below the diagram there are descriptions for each area and the concluding part:

Ability to Detect an Attack at Transit Pre-Breach

Those are the red areas in the diagram. Here an attack is on its way prior to exploitation, and “on its way” means the enterprise can scan the binary artifacts of the attack, whether in the form of network packets, a visited website or a specific document which is traveling via the email servers or arriving at the target computer, for example. This approach is called static scanning. The enterprise can also emulate the expected behavior with the artifact (opening a document in a sandboxed environment) in a controlled environment and try to identify patterns in the behavior of the sandbox environment which resemble a known attack pattern – this is called behavioral scanning.

Attacks pose three challenges to security systems at this stage:

  • Infinite Signature Mutations – Static scanners look for specific binary patterns in a file which should match a malicious code sample in their database. Attackers have long since outsmarted these tools: they have automation tools for changing those signatures in a random manner, with the ability to create an infinite number of static mutations. So a single attack can have an infinite number of forms in its packaging.
  • Infinite Behavioural Mutations – The evolution in the security industry from static scanners was towards behavioral scanners, where the “signature” of a behavior eliminates the problems induced by static mutations and the sample base of behaviors is dramatically smaller. A single behavior can be decorated with many static mutations, and behavioral scanners reduce this noise. The challenges posed by the attackers make behavioral mutations infinite in nature as well, and they are two-fold:
    • Infinite number of mutations in behaviour – In the same way that attackers outsmart the static scanners by creating an infinite number of static decorations on the attack, here too the attackers can add dummy steps or reshuffle the attack steps so that they eventually produce the same result but, from a behavioral pattern point of view, present a different behavior. The spectrum of behavioral mutations seemed at first narrower than that of static mutations, but with the advancement of attack generators even that has been achieved.
    • Sandbox evasion – Attacks which are scanned for bad behavior in a sandboxed environment have developed advanced capabilities to detect whether they are running in an artificial environment, and if so they pretend to be benign, which implies no exploitation. This is currently an ongoing race between behavioral scanners and attackers, and the attackers seem to have the upper hand in the game.
  • Infinite Obfuscation – This technique has been adopted by attackers in a way that connects to the infinite static mutations factor but requires specific attention. In order to deceive the static scanners, attackers hide the malicious code itself by running some transformation on it, such as encryption, and ship a small piece of code which is responsible for decrypting it on the target prior to exploitation. Again, the range of options for obfuscating code is infinite, which makes the static scanners’ work more difficult.

This makes the challenge of capturing an attack prior to penetration very difficult, if not impossible, and the difficulty definitely increases with time. I am not by any means implying such security measures don’t serve an important role; today they are the main safeguards against turning the enterprise into a zoo. I am just saying it is a very difficult problem to solve and that there are other areas, in terms of ROI (if such a thing as security ROI exists), in which a CISO would do better to invest.

Ability to Stop an Attack at Transit Post Breach

Those are the black areas in the diagram. An attack which has already gained access to the network can take an infinite number of possible attack paths to achieve its goals. Once an attack is inside the network, the relevant security products try to identify it. Such technologies revolve around big data/analytics, which tries to identify activities in the network that imply malicious activity, or again network monitors, which listen to the traffic and try to identify artifacts or static behavioral patterns of an attack. Those tools rely on different informational signals which serve as attack signals.

Attacks pose multiple challenges to security products at this stage:

  • Infinite Signature Mutations, Infinite Behavioural Mutations, Infinite Obfuscation – these are the same challenges as described before since the attack within the network can have the same characteristics as the ones before entering the network.
  • Limited Visibility on Lateral Movement – Once an attack is inside, its next steps are usually to get a stronghold in different areas of the network, and such movement is hardly visible as it eventually consists of legitimate actions – once an attacker gains higher privilege it conducts actions which are considered legitimate, only of high privilege, and it is very difficult for a machine to tell the good ones from the bad ones. Add to that the fact that persistent attacks usually use technologies which enable them to remain stealthy and invisible.
  • Infinite Attack Paths – The path an attack can take inside the network has infinite options, especially considering that in a targeted attack the attack and its goals are unknown to the enterprise.

This makes the ability to deduce that there is an attack, and its boundaries and goals, from specific signals coming from different sensors in the network very limited. Sensors deployed on the network never provide true visibility into what’s really happening in the network, so the picture is always partial. Add to that deception techniques about the path of the attack and you stumble into a very difficult problem. Again, I am not arguing that all security analytics products which focus on post-breach are not important; on the contrary, they are very important. I am just saying it is only the beginning of a very long path towards real effectiveness in that area. Machine learning is already playing a serious role, and AI will definitely be an ingredient in a future solution.

Ability to Stop an Attack at Penetration Pre-Breach and on Lateral Movement

Those are the dark blue areas in the diagram. Here the challenge is reversed towards the attacker, since there is only a limited number of entry points into the system – entry points a.k.a. vulnerabilities. Those are:

  • Unpatched Vulnerabilities – These are open “windows” which have not been covered yet. The main challenge here for the IT industry is about automation, dynamic updating capabilities, and prioritization. It is definitely an open gap which can be narrowed down potentially to become insignificant.
  • Zero Days – This is an unsolved problem. There are many approaches towards it, such as ASLR and DEP on Windows, but still there is no bulletproof solution for it. In the startup scene, I am aware that quite a few are working very hard on a solution. Attackers identified this soft belly a long time ago and it is the main weapon of choice for targeted attacks, which can potentially yield serious gains for the attacker.

This area presents a definite problem, but in a way it seems the most likely one to be solved earlier than the other areas, mainly because the attacker in this stage is at its greatest disadvantage – right before it gets into the network it has infinite options to disguise itself, and after it gets into the network the action paths it can take are infinite, but here the attacker needs to go through a specific window, and there aren’t too many of those left unprotected.

Players in the Area of Penetration Prevention

There are multiple companies/startups which are brave enough to tackle the toughest challenge in the targeted attacks game – preventing infiltration – I call it facing the enemy at the gate. In this ad-hoc list I have included only technologies which aim to block attacks in real time – there are many other startups which approach static or behavioral scanning in a unique and disruptive way, such as Cylance and Cybereason or Bit9 + Carbon Black (list from @RickHolland), which were excluded for the sake of brevity and focus.

Containment Solutions

Technologies which isolate the user applications within a virtualized environment. The philosophy behind it is that even if there was an exploitation in the application, it still won’t propagate to the computer environment and the attack will be contained. From an engineering point of view, I think these guys have the most challenging task, since isolation and usability are inversely correlated when it comes to productivity, and it all involves virtualization on an endpoint, which is a difficult task on its own. Leading players are Bromium and Invincea, well-established startups with very good traction in the market.

Exploitation Detection & Prevention

Technologies which aim to detect and prevent the actual act of exploitation. These range from companies like Cyvera (now the Palo Alto Networks Traps product line), which aim to identify patterns of exploitation, through technologies such as ASLR/DEP and EMET, which aim at breaking the assumptions of exploits by modifying the inner structures of programs and setting traps at “hot” places which are susceptible to attacks, up to startups like Morphisec, which employs a unique moving target concept to deceive and capture the attacks in real time. Another long-time player, and maybe the most veteran in the anti-exploitation field, is Malwarebytes. They have a comprehensive anti-exploitation offering with capabilities ranging from in-memory deception and trapping techniques up to real-time sandboxing.

At the moment the endpoint market is still controlled by the marketing money poured in by the major players, while their solutions are growing ineffective at an accelerating pace. I believe it is a transition period, and you can already hear voices saying the endpoint market needs a shakeup. In the future the anchor of endpoint protection will be real-time attack prevention, and static and behavioral scanning extensions will play a minor, feature-completion role. So pay careful attention to the technologies mentioned above, as one of them (or maybe a combination:) will bring the “force” back into balance:)

Advice for the CISO

Invest in closing the gap posed by vulnerabilities. Starting from patch automation and prioritized vulnerability scanning up to security code analysis for in-house applications – it is all worth it. Furthermore, seek out solutions which deal directly with the problem of zero days; there are several startups in this area, and their contribution can have a much higher magnitude than any other security investment in the post- or pre-breach phases.

Exploit in the Wild, Caught Red-Handed

Imagine a futuristic security technology that can stop any exploit at the exact moment of exploitation—regardless of the way the exploit was built, its evasion techniques or any mutation it might have or was possibly imagined to have. This technology is truly agnostic for any form of attack. An attack prevented with its attacker captured and caught red-handed at the exact point in time of the exploit…Sounds dreamy, no? For the guys at the stealth startup Morphisec it’s a daily reality. So, I decided to convince the team in the malware analysis lab to share some of their findings from today, and I have to brag about it a bit:)


Exploit Analysis

The target software is Adobe Flash and the vulnerability is CVE-2015-0359 (Flash up to 17.0.0.134). Today, the team got a fresh sample which was uploaded to VirusTotal 21 hours ago! At the moment we received it from VirusTotal, the scan results showed that no security tool in the market detects it except for McAfee GW Edition, which generally identified its malicious activity.

The guys at Morphisec love samples like these because they allow them to test their product against what is considered to be a zero-day, or at least an unknown attack. Within an hour, the CVE/vulnerability exploited by the attack and the method of exploitation were already identified.

Technical Analysis

Morphisec prevents the attack when it starts to look for the Flash module address (which later would be used to find gadgets). The vulnerability allows the attacker to modify the size of a single array (out of many sequentially allocated arrays of size 0x3fe).

The size of one array of size 0x3fe (index [401]) is modified to 0x40000001, so that it covers the entire memory. The first double word in this array points to a read-only section inside the Flash module. The attacker uses this address as the starting address of an iteration dedicated to searching for the MZ header (which indicates the start of the library); each search step is 64k long (after the leaked read-only pointer is aligned to a 64k boundary).

After the attacker finds the MZ header, it validates the NT signature of the module, gets the code base pointer and size, and from that point the attack searches for gadgets in the code of the Flash module.


Morphisec’s technology not only stopped it on the first step of exploitation, it also identified the targeted vulnerability and the method of exploitation as part of its amazing real-time forensic capability. All of this was done instantly in memory on the binary level without any decompilation!

I imagine that pretty soon the other security products will add the signature of this sample to their database so it can properly be detected. Nevertheless, the situation remains that each new mutation of the same attack makes the common security arsenal “blind” to it—which is not very efficient. Gladly, Morphisec is changing this reality! I know that when a startup is still in stealth mode and there is no public information about such comparisons… it’s a bit “unfair” to the other technologies on the market, but still… I just had to mention it:)


P.S. Pretty soon we will start sharing more details about Morphisec technology – so stay tuned. Follow us on Twitter @morphisec for more updates.

Time to Re-think Vulnerabilities Disclosure

Public disclosure of vulnerabilities has always bothered me, and I wasn’t able to put a finger on the reason until now. As a person who has been personally involved in vulnerability disclosure, I highly appreciate the contribution of security researchers to awareness, and it is very hard to imagine what the world would be like without disclosures. Still, the way attacks are being crafted today and their links to such disclosures got me thinking whether we are doing it in the best way possible. So I tweeted this and got a lot of “constructive feedback”:) from the team in the cyber labs at Ben-Gurion on how I dared.

So I decided to build my argument right.

Vulnerabilities

The basic fact is that software has vulnerabilities. Software gets more and more complex over time, and this complexity usually invites errors. Some of those errors can be abused by attackers in order to exploit the systems such software is running on. Vulnerabilities split into two groups: the ones which the vendor is aware of and the ones which are unknown. And it is unknown how many unknowns there are inside each piece of code.

Disclosure

There are many companies, individuals, and organizations which search for vulnerabilities in software, and once they find one they disclose their findings. They disclose at least the mere existence of the vulnerability to the public and the vendor, and many times they even publish proof-of-concept code which can be used to exploit the found vulnerability. Such disclosure serves two purposes:

  • Making users of the software aware of the problem as soon as possible
  • Making the vendor aware of the problem so it can create and send a fix to their users

After the vendor is aware of the problem then it is their responsibility to notify the users formally and then to create an update for the software which fixes the bug.

Timelines

Past to Time of Disclosure – The unknown vulnerability waiting silently and eager to be discovered.

Time of Disclosure to Patch is Ready – Everyone knows about the vulnerability, the good and the bad guys, and it is now on production systems waiting to be exploited by attackers.

Patch Ready to System is Fixed – Also during this time period, the vulnerability is still there waiting to get exploited.

The following diagram demonstrates those timelines in relation to the ShellShock bug:


Image is taken from http://www.slideshare.net/ibmsecurity/7-ways-to-stay-7-years-ahead-of-the-threat


Summary

So indeed the disclosure process eventually ends with a fixed system but there is a long period of time where systems are vulnerable and attackers don’t need to work hard on uncovering new vulnerabilities since they have the disclosed one waiting for them.

I got thinking about this after I saw these stats via Tripwire:

“About half of the CVEs exploited in 2014 went from publishing to pwn in less than a month” (DBIR, pg. 18).

This stat means that half of the exploits identified during 2014 were based on published CVEs (CVE is a public vulnerability database), and although some may argue that the attackers could have had the same knowledge of those vulnerabilities before they were published, I say it is far-fetched. If I were an attacker, what would be easier for me than going over the recently published vulnerabilities, finding one that is suitable for my target and later on building an attack around it? Needless to say, there are tools which also provide examples for that, such as Metasploit. Of course, the time window to operate is not infinite, as in the case of an unknown vulnerability which no one knows about, but still, a month or more is enough to get the job done.
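The three awareness categories from the Vulnerabilities section, the three windows from Timelines and the “publishing to pwn” figure discussed above, as an added Python example that is not part of the original post: it classifies a vulnerability for one installation on a given day, measures how long each post-disclosure window has stayed open, and computes the share of exploited vulnerabilities hit within a month of publication. The vulnerability names and all dates are constructed, not real CVE data.

```python
"""Exposure-window bookkeeping for one installation of a product.

The dates and vulnerability names below are constructed for illustration;
they are not real CVE data. Requires Python 3.7+ (date.fromisoformat).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Union

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class VulnRecord:
    name: str
    disclosed: date                   # vendor and public become aware
    patch_released: Optional[date]    # None: vendor has no fix yet
    patch_applied: Optional[date]     # None: this installation not updated
    first_exploited: Optional[date]   # None: no in-the-wild use observed


def state_on(rec: VulnRecord, day: DateLike) -> str:
    """Classify the vulnerability for this installation on a given day.

    Before disclosure a defender cannot tell an unknown vulnerability from a
    zero-day held by someone else, so both collapse into "undisclosed".
    After disclosure the installation stays open until the vendor ships a
    fix and, separately, until that fix is actually applied.
    """
    day = _as_date(day)
    if day < rec.disclosed:
        return "undisclosed"
    if rec.patch_released is None or day < rec.patch_released:
        return "disclosed, no patch"
    if rec.patch_applied is None or day < rec.patch_applied:
        return "patch available, not applied"
    return "fixed"


def exposure_windows(rec: VulnRecord, today: DateLike) -> Dict[str, int]:
    """Days spent in each post-disclosure window, measured up to `today`.

    A window that is still open (no patch yet, or patch not yet applied)
    is counted up to `today`, so the numbers grow while nothing is done.
    """
    today = _as_date(today)
    patch = min(rec.patch_released or today, today)
    applied = min(max(rec.patch_applied or today, patch), today)
    return {
        "disclosed_to_patch": (patch - rec.disclosed).days,
        "patch_to_applied": (applied - patch).days,
        "total_open": (applied - rec.disclosed).days,
    }


def time_to_exploit(rec: VulnRecord) -> Optional[int]:
    """Days from publication to first observed exploitation, or None."""
    if rec.first_exploited is None:
        return None
    return (rec.first_exploited - rec.disclosed).days


def share_exploited_within(records: Iterable[VulnRecord], days: int = 30) -> float:
    """Fraction of the exploited records whose first observed exploitation
    came within `days` of publication (the DBIR-style "publish to pwn" figure).
    Records never seen exploited are left out of the denominator."""
    deltas: List[int] = [t for t in map(time_to_exploit, records) if t is not None]
    if not deltas:
        return 0.0
    return sum(1 for t in deltas if 0 <= t < days) / len(deltas)


def report(records: Iterable[VulnRecord], today: DateLike) -> Dict[str, dict]:
    """Per-vulnerability state and exposure windows for one installation."""
    return {
        r.name: {"state": state_on(r, today), **exposure_windows(r, today)}
        for r in records
    }


# Constructed sample: one installation tracked against four vulnerabilities.
TODAY = date(2015, 4, 28)
SAMPLE: List[VulnRecord] = [
    # fixed by the vendor in a day, but this installation lagged 25 days
    VulnRecord("vuln-A", date(2014, 9, 24), date(2014, 9, 25), date(2014, 10, 20), date(2014, 9, 25)),
    # patch exists since December, never applied here; exploited 90 days after publication
    VulnRecord("vuln-B", date(2014, 11, 3), date(2014, 12, 9), None, date(2015, 2, 1)),
    # disclosed, vendor still has no fix, no exploitation seen yet
    VulnRecord("vuln-C", date(2015, 1, 12), None, None, None),
    # the ideal case: patched within days, exploited only after the fix
    VulnRecord("vuln-D", date(2014, 6, 1), date(2014, 6, 10), date(2014, 6, 12), date(2014, 6, 20)),
]

if __name__ == "__main__":
    for name, row in report(SAMPLE, TODAY).items():
        print(f"{name}: {row}")
    print(f"exploited within 30 days of publication: "
          f"{share_exploited_within(SAMPLE):.0%}")
```

The open windows for vuln-B and vuln-C keep growing with every day `TODAY` advances, which is the point the Timelines section makes in prose.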

Last Words

A new process of disclosure should be devised where the risk level during the time of disclosure up to the time a patch is ready and applied should be reduced. Otherwise, we are all just helping the attackers while trying to save the world.

Most cyber attacks start with an exploit – I know how to make them go away

Yet another new ransomware with a new sophisticated approach: http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/

Pay attention that the key section in the description on the way it operates is “The malware arrives to affected systems via an email attachment. When users execute the attached malicious JavaScript file, it will download four files from its C&C server:”

When users execute the JavaScript file, it means the JavaScript was loaded into the browser application and exploited the browser in order to get in and then start all the heavy lifting. The browser is vulnerable, software is vulnerable; it’s a given fact of an imperfect world.

I know a startup company called Morphisec which is eliminating those exploits in a very surprising and efficient way.

In general vulnerabilities are considered to be a chronic disease and this does not have to be this way. Some smart guys and girls are working on a cure:)

Remember, it all starts with the exploit.

No One is Liable for My Stolen Personal Information

The main victims of any data breach are actually the people, the customers whose personal information has been stolen, and oddly they don’t get the attention they deserve. Questions like what the impact of the theft was on me as a customer, what I can do about it and whether I deserve some compensation are rarely dealt with publicly.

Customers face several key problems when their data is stolen, questions such as:

  • Was their data stolen at all? Even if there was a breach it is not clear whether my specific data has been stolen. Also, the multitude of places where my personal information resides makes it impossible to track whether and where my data has been stolen from.
  • What pieces of information about me were stolen and by whom? I deserve to know who has done that more than anyone else. Mainly due to the next bullet.
  • What are the risks I am facing now after the breach? In the case of a stolen password that is used in other services I can go manually and change it but when my social security number was stolen, what does it mean for me?
  • Whom can I contact in the breached company to answer such questions?
  • And most important, was my data protected properly?

The main point here is the fact that companies are not obligated, either legally or socially, to be transparent about how they protect their customers’ data. The lack of transparency and of standards as to how to protect data creates an automatic lack of liability and serious confusion for customers. In other areas, such as preserving customer privacy and terms of service, the protocol between a company and its customers is quite standardized, and although not enforced by regulation it still has substance to it. Companies publish their terms of service (TOS) and privacy policy (PP) and both sides rely on these statements. The recent breaches of Slack and JPMorgan are great examples of the poor state of customer data protection – in one case they decided to implement two-factor authentication, and I am not sure why they didn’t do it before, and in the second case the two-factor authentication was missing in action. Again, these are just two examples which present the norm across most of the companies in the world.

And what if each company adopted a customer data protection policy (CDPP), an open one, where such a document would specify clearly on the company website what kind of data it collects and stores and what security measures it applies to protect it? From a security point of view such information cannot really cause harm, since attackers have better ways to learn about the internals of the network, and from a customer relationship point of view it is a must.

Such a CDPP statement can include:

  • The customer data elements collected and stored
  • How it is protected against malicious employees
  • How it is protected from third parties which may have access to the data
  • How it is protected when it is stored and when it is moving inside the wires
  • How the company is expected to communicate with the customers when a breach happens – who is the contact person?
  • To what extent the company is liable for stolen data

Such a document can dramatically increase the confidence level for us, the customers, prior to selecting to work with a specific company, and can serve as a basis for innovation in tools which can aggregate and manage such information.

Cyber Tech 2015 – It’s a Wrap

It has been a crazy two days at Israel’s Cyber Tech 2015…in a good way! The exhibition hall was split into three sections: the booths of the established companies, the startups pavilion and the Cyber Spark arena. It was like examining an x-ray of the emerging cyber industry in Israel, where on one hand you have the grown-ups, who are the established players, the startups/sprouts seeking opportunities for growth, and an engine which generates such sprouts—the Cyber Spark. I am lucky enough to be part of the Cyber Spark growth engine, which is made up of the most innovative contributors to the cyber industry in Israel—giants like EMC and Deutsche Telekom, alongside Ben-Gurion University and JVP Cyber Labs. The Cyber Spark is a place where you see how ideas formed in the minds of bright scientists and entrepreneurs flourish into new companies.

It all started two days ago, twelve hours before the event hall opened its doors, with great coverage by Kim Zetter from Wired on the BitWhisper heat based air-gap breach, a splendid opening which gauged tremendous interest across the worldwide media on the rolling story of air-gap security investigated at Ben-Gurion university Cyber Research center. This story made the time in our booth quite hectic with many visitors interested in the details, or just dropping by to compliment us on our hard work.


Startups

I had enough time to go and visit the startups presenting at the exhibition which were the real deal—as someone living in the future—and I wanted to share some thoughts and insights on what I saw. Although each startup is unique and has its own story and unique team, there are genres of solutions and technologies:

Security Analytics

Going under the name of analytics, big data or BI, there were a handful of startups trying to solve the problem of security information overload. And it is a real problem; today security and IT systems generate hundreds of reports every second, and it is impossible to prioritize what to handle first and to distinguish between what is important and what is less important. The problem is divided into two parts: the ongoing monitoring and maintenance of the network, and handling the special occasions of a post-breach situation—the decisions and actions taken post-breach are critical, since time is pressing and the consequences of wrong actions can damage the investigation. Each startup takes its own angle on this task, with unique advantages and disadvantages, and it is fairly safe to say that the security big data topic is finally getting proper treatment from the innovation world. Under the category of analytics, I also group all the startups which help visualise and understand the enterprise IT assets, addressing the same problem of security information overload in their own way.

Mobile Security

Security of mobile devices—laptops, tablets and phones—is a vast topic, including on-device security measures, secure operating systems, integration of mobile workers into the enterprise IT and risk management of mobile workers. This is a topic that has been addressed by Israeli startups for several years now, and finally this year it seems that enterprises are ready to absorb such solutions. These solutions help mitigate the awful risk inherent in the new model of enterprise computing, which is no longer behind the closed doors of the office—the enterprise is now distributed globally and always moving, where part of it can be on the train or at home.

Authentication

We all know passwords are bad. They are hard to remember and, most of all, insecure, and the world is definitely working toward reinventing the ways we can authenticate digitally without passwords. From an innovation point of view, authentication startups are the most fascinating, as each one comes from a completely different discipline and aims to solve the same problem. Some base their technology on the human body, i.e., biometrics, and some come from the cryptographic world with all kinds of neat tricks such as zero-knowledge proofs. From an investor point of view, these startups are the riskiest ones, since they all eventually depend on consumer adoption, and usually only one or two get to win, and win big, while the rest are left deserted.

Security Consulting

Although it is weird to see consulting companies in the startups pavilion, in the world of security it makes a lot of sense. There is a huge shortage of security professionals globally, and this demand serves as the basis for new consulting powerhouses that provide services such as penetration testing, risk assessment and solution evaluation – the Israelis are well-known for their hands-on expertise, which is appreciated by many organizations across the world.

Security in the Cloud

The cloud movement is happening now, with security being both a large part of it and an enabler of it—and startups of course do not miss out on that opportunity either. Cloud security is basically the full range of technologies and products aimed at defending cloud operations and data. In a way, it is a replica of the legacy data center security inventory, simply taking a different shape to adapt better to the new dynamic environment of cloud computing. This is a very promising sector, as the demand curve for it is steep.

Security Hardware

This was a refreshing thing to see, since Israeli startups have tended to focus mostly on software in recent years. There was a range of cool devices, from sniffers to backup units and wifi blockers. I wonder how it will play out for them, as the playbook for hardware is definitely different from software.

SCADA Security

SCADA always ignites the imagination, bringing to mind critical infrastructure and sensitive nuclear plants—a fact which has definitely grabbed the attention of many entrepreneurs looking to start a venture aimed at solving these important issues: problems such as the inability to update those critical systems, the lack of visibility with regard to attacks on disconnected devices, and the ability to control the assets in real time in the case of an attack. The real problem with SCADA systems is the risk associated with an attack, which anyone would try to avoid at all costs, while the challenge for startups is the integration into this diverse world.

IOT Security

IOT security is a popular buzzword now, and behind it hides a very complicated world of many devices and infrastructures in which there is no one-size-fits-all solution. Although there are startups which claim to be solving IOT security, I project that with time each one of them will find its own niche—which is sufficient, as it is a vast world with endless opportunity. A branch of IOT that was prominent in the exhibition was car security, with some very interesting innovations.

Data Leakage Protection

As part of the post-breach challenge, there are quite a few startups focusing on how to prevent data exfiltration. From a scientific point of view, it is a great challenge consisting of conflicting factors—the tighter the control is on data, the less convenient it is to use the data on normal days.

Web Services Security

The growing trend of attacks on websites in recent years, and the tremendous impact this has on consumer confidence, i.e., when your website gets defaced or is serving malware, has grabbed the Israeli startups’ attention. Here we can find a versatile portfolio of active protection tools which prevent and deflect attacks, scanning services which scan websites, and tools for DDOS prevention. DDOS has been in the limelight recently, and with all the botnets out there, it is a real threat.

Insider Threats

Insider threats are one of the biggest concerns today for CISOs, with two main attack vectors: the clueless employee and the malicious employee. This threat is addressed from many directions, starting with profiling the behaviour of employees, profiling the usage of data assets and protecting central assets like Active Directory. This is definitely going to be a source of innovation in the upcoming years, as the problem is diverse and difficult to solve, in that it involves the human factor.

Eliminating Vulnerabilities

Software vulnerabilities were, are and will remain an unsolved problem, and the industry tackles it in many different ways, ranging from code analysis and code development best practices, through vulnerability scanning tools and services, to active protections against exploitation. Vulnerabilities are the mirror reflection of APTs, and here again there are many unique approaches to detect and stop these attacks, such as endpoint protection tools, network detection tools, host-based protection systems, botnet detection and honeypots aiming to lure the attacks and contain them.

What I did Not See

Among the things I did not see there: tools which attack the attackers, developments in cryptography, container security, security & AI, and social engineering related tools.


I regret that I did not have much time to listen to the speakers…I heard that some of the presentations were very good. Maybe next year at Cyber Tech 2016.