LAS VEGAS — Maybe it’s because of the AC/DC-inspired CASB socks at the Bitglass booth. Or maybe people are just becoming smarter about cloud security and realize the importance of cloud access security broker (CASB) technology.
Whatever the reason, more people than usual who approached the cloud security vendor at this year’s Black Hat knew what CASB is — and what it does, said Jacob Serpa, product marketing manager for Bitglass.
Compared with past security conferences, Serpa said, far more visitors to the Bitglass booth at last week’s Black Hat already knew what a CASB is. The burning question now is what makes the Bitglass CASB different from the others.
Serpa also found that people were ready to discuss the cloud security landscape and emerging cloud-native threats. One major new one, he said, is context-aware malware.
“We talk in the industry a lot about machine learning and advanced solutions to detect threats. But hackers and people who are creating this malware have the same game plan,” he said, citing the Rakhni Trojan, which recently added a new tactic that allows it to decide how to infect its victims — via ransomware or cryptomining malware.
“The Rakhni Trojan seems to be context aware,” Serpa said. “Malware is heading in this direction as are threats in general. You want to be able to address the threats of the present but always keep an eye on the future. That’s been a shortcoming throughout industries in recent years. They have been so preoccupied with historical threats that they haven’t been able to look at the future.”
The future, he said, is machine learning, on both the white hat and black hat sides.
“We’re really just at the beginning of this thing [machine learning],” he said. “There’s so much more room for sophistication and growth of the technology, and not just on the white hat side. The bad guys are trying to increase their offerings as well. As threats become more adaptive and advanced, you are going to need corresponding solutions that can detect and remediate in real-time as opposed to after the attack.”
Serpa circled back to what sets Bitglass apart in the cloud-security realm. “We want to be at the forefront of this machine-learning revolution,” he said. “Whether it’s through the things we’ve been doing a while, like our partnership with Cylance, or our new shadow IT zero-day discovery.”
How Bitglass Uses ML
Bitglass and endpoint security vendor Cylance first teamed up in 2016 to provide threat protection for cloud applications and bring-your-own-device (BYOD) deployments. A couple of months ago they extended the partnership to cover any cloud and mobile devices.
Also this year Bitglass added zero-day shadow IT discovery to its CASB, expanding its shadow IT index to more than 100,000 apps.
“In days gone by we would have shadow IT teams who would manually find apps and rank them on trustworthiness,” Serpa said. “It’s a very manual process and you’re going to play a game of catch-up.”
So the company automated the process. “We use machine learning to detect these apps on the fly,” he explained.
McAfee’s New Cloud Biz
Despite moving to the cloud, many companies are still looking for network-centric attacks instead of cloud-native ones, said Rajiv Gupta, SVP of McAfee’s Cloud business unit.
Gupta is the former Skyhigh Networks CEO. McAfee bought the CASB vendor late last year and brought its technology under a new cloud business unit.
“What cloud does is expose an entirely different set of security issues,” Gupta said.
Encryption and security protocols like SSL and TLS make network snooping less likely, he added. “Instead, there’s a new generation of cloud-native man-in-the-middle attacks we need to be worried about, where someone you haven’t approved is snooping into your cloud applications and accessing your cloud data without permission rather than trying to sit on the network,” Gupta said.
He’s talking about things like GhostWriter vulnerabilities — misconfigurations in which developers leave databases and stores like Amazon S3 buckets publicly readable and writable. “One of the top 10 most-read newspapers in the world left an S3 bucket writable,” he said. Such a misconfiguration could allow nation-state actors or other hackers to write articles that appear to come from a credible news source.
“You’re actually reading fake news,” he said. “You think you’re reading this highly-respected newspaper, but the content is coming from a third party.”
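The writable-bucket misconfiguration Gupta describes can be caught from the bucket policy alone. The following Python is an added example, not code from McAfee or Skyhigh: it parses an S3 bucket policy document and reports every Allow statement that grants a write action to an anonymous principal, with a weak policy and its corrected form as constructed inputs. The bucket name, the publisher role ARN and the account ID are placeholders, and the list of write actions is an assumption to extend for your own environment.

```python
import json
from fnmatch import fnmatch

# S3 actions that change bucket contents or bucket settings. Not exhaustive;
# this list is an assumption to extend for your own environment.
WRITE_ACTIONS = (
    "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
    "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:DeleteBucket",
)


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the statement applies to everyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_write(stmt):
    """True when an Allow statement covers at least one write action (wildcards included)."""
    if "NotAction" in stmt:
        # Allow + NotAction permits every action except those listed, which in
        # practice always includes some write action; treat it as a write grant.
        return True
    patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(fnmatch(action.lower(), pattern)
               for action in WRITE_ACTIONS for pattern in patterns)


def find_public_write_statements(policy_document):
    """Return the statements of an S3 bucket policy that let anyone write to the bucket."""
    policy = (json.loads(policy_document) if isinstance(policy_document, str)
              else policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not (_is_public_principal(stmt.get("Principal")) and _grants_write(stmt)):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{idx}"),
            "actions": _as_list(stmt.get("Action")) or ["NotAction"],
            # A Condition block (source VPC, IP range, ...) may narrow the grant;
            # it is flagged here and left for a human to review.
            "conditioned": "Condition" in stmt,
        })
    return findings


# Constructed samples: the bucket name and account ID are placeholders, not
# values from the article. OPEN_POLICY is the misconfiguration; FIXED_POLICY
# keeps public read of published assets but limits writes to a named role.
BUCKET_OBJECTS = "arn:aws:s3:::example-news-assets-placeholder/*"
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": BUCKET_OBJECTS},
    ],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
        {"Sid": "PublisherWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/publisher-placeholder"},
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": BUCKET_OBJECTS},
    ],
})

if __name__ == "__main__":
    print("open policy:", find_public_write_statements(OPEN_POLICY))
    print("fixed policy:", find_public_write_statements(FIXED_POLICY))
```

To run it against a real bucket, feed the `Policy` string returned by `aws s3api get-bucket-policy --bucket <name>` to `find_public_write_statements`. The check covers the bucket policy only; a bucket can also be opened up through its ACL, so review ACL grants and the account's Block Public Access settings separately.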
In another instance, McAfee discovered hackers trying to get into customers’ Office 365 service accounts — automated accounts used for email and similar functions, as opposed to accounts belonging to people. “So typically passwords don’t change very often, and they don’t have multi-factor authentication,” Gupta said. “We detected access coming in from 67 IP addresses trying to access these service accounts, trying to log in.”
The attackers found the service account names on the dark web and would try nine times to get into each account. “But not 10 times, because at 10 the account would automatically lock. If they didn’t get in after nine times they would move on to the next one,” he said. “That’s an example of a cloud-native attack that if you are still hung up at looking at network-centric attacks, you are missing.”
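The nine-tries-then-move-on pattern Gupta describes is built so that no single source ever reaches the lockout threshold, which means a detector has to aggregate failures per account across all sources rather than per source. The Python below is an added example, not McAfee code: it runs that aggregation over a constructed sign-in log in a simple comma-separated format (timestamp, account, source IP, result), not the real Office 365 audit format. The lockout threshold of 10 comes from the article; the minimum failure and distinct-IP counts are tuning assumptions, and the addresses are from the TEST-NET ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10   # per-source failure count at which the account locks (from the article)
MIN_TOTAL_FAILURES = 20  # tuning assumption: ignore accounts with fewer total failures
MIN_DISTINCT_IPS = 5     # tuning assumption: ignore accounts hit from fewer sources


def parse_line(line):
    """Parse one constructed log line: timestamp,account,source_ip,result."""
    ts, account, ip, result = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result


def find_distributed_guessing(lines, lockout=LOCKOUT_THRESHOLD,
                              min_failures=MIN_TOTAL_FAILURES,
                              min_ips=MIN_DISTINCT_IPS):
    """Flag accounts whose failed sign-ins are spread across many sources.

    Failures are counted per (account, source_ip). An account is reported when
    its total failures and distinct sources reach the thresholds; the finding
    also records whether every source stayed below the lockout count, which is
    exactly the case a per-source lockout rule can never catch.
    """
    failures = defaultdict(lambda: defaultdict(int))  # account -> ip -> failure count
    for line in lines:
        _ts, account, ip, result = parse_line(line)  # a production rule would also window by time
        if result == "Failure":
            failures[account][ip] += 1

    findings = []
    for account, by_ip in sorted(failures.items()):
        total = sum(by_ip.values())
        if total < min_failures or len(by_ip) < min_ips:
            continue
        max_per_ip = max(by_ip.values())
        findings.append({
            "account": account,
            "total_failures": total,
            "distinct_ips": len(by_ip),
            "max_per_ip": max_per_ip,
            "below_lockout": max_per_ip < lockout,
        })
    return findings


def build_sample_log():
    """Constructed sample log (not real data); TEST-NET addresses only."""
    start = datetime(2018, 8, 9, 3, 0, 0)
    lines = []
    # Pattern from the article: nine failed tries per source, then the next source.
    for n in range(12):
        ip = f"203.0.113.{n + 1}"
        for attempt in range(9):
            t = start + timedelta(minutes=15 * n, seconds=20 * attempt)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},svc-mailer@example.com,{ip},Failure")
    # A person mistyping a password a few times from one address, then succeeding.
    for attempt in range(3):
        t = start + timedelta(hours=5, seconds=30 * attempt)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},alice@example.com,198.51.100.7,Failure")
    t = start + timedelta(hours=5, minutes=2)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},alice@example.com,198.51.100.7,Success")
    return lines


if __name__ == "__main__":
    for finding in find_distributed_guessing(build_sample_log()):
        print(finding)
```

On the sample log the service account is reported with 108 failures from 12 sources and a per-source maximum of nine, so `below_lockout` is true; the person who mistyped a password is ignored. The same aggregation, keyed on account rather than source, is what makes a per-source lockout threshold irrelevant to the detection.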