As summer comes to a close it’s a good time to reflect on “Security Summer Camp,” the affectionate name given to the triad of security events that happened in August in Las Vegas: BSides, Black Hat, and DEF CON.
Like so many other conferences this year, the focus was on being back together after the COVID pandemic. All three events sold out and were packed to the brim. BSides took over the second floor of the Tuscany, Black Hat filled the gigantic Mandalay Bay Convention Center to capacity, and DEF CON spilled out of the huge Caesars Forum and into two other hotels. Without question, people are excited to be back together.
There are lots of review posts about the shows, but I want to focus on just a few points that really stuck out to me.
To SIEM or not to SIEM, that’s the XDR question
Alert fatigue, burnout, and information overload are popular topics. With so many tools available today, the number of findings and alerts produced is completely overwhelming. Everyone knows it, but what can you do? There are two solutions we’re seeing out there.
The first solution is to decide that the vulnerabilities and problems in your infrastructure are inevitable. You’ll never stomp them out, so let’s rub some machine learning on the problem and look instead at new risks to at least keep the environment from getting worse.
A common case in point is the futility of anti-virus today. Do you care if a virus or malware is on a hard disk somewhere? Not really. You care about it being executed and spreading. By using a machine-learning-powered endpoint detect and response (EDR) solution, we can look at running processes and their behavior and stop them in their tracks—or at least examine and respond to them.
But that's only half the battle. The other is determining how the malware got into your environment in the first place. Email? Downloaded from the internet? Exploit? We need to correlate behavior between multiple systems to gain a complete picture.
On the Black Hat Business Hall floor, a three-sided battle raged between:
- Traditional SIEM providers
- New, alternative SIEMs at a lower cost or higher performance
- A class of solutions built on top of the EDR suites called extended detection and response (XDR)
The promise of XDR is to be able to trace a malware infection from its source in User 1’s email attachment to being stored on a Team Drive to execution on User 2’s laptop, all as a single chain of events.
I’m excited to see how the market evolves to integrate more and more data sources and correlates them. Regardless of what it’s called, XDR’s focus on management and response over simple detection is a step in the right direction, and we’ll be keeping a careful eye on this space.
Here a threat, there a threat, everywhere a threat threat
Perhaps the most anticipated and notorious part of these events is the exploits and “research” presented. The majority of the threats presented already are disclosed and have CVEs, but attention is drawn to the fact that most of the world is slow to install the necessary updates, making nearly all the presented exploits viable attacks.
One presentation at DEF CON that drew considerable attention was Patrick Wardle’s You’re <s>Muted</s> Rooted. Patrick found, and ethically disclosed, several vulnerabilities in the Zoom Mac package installer that permitted an escalation to root. These vulnerabilities became much more attractive when Zoom rolled out an automatic updater that could be stimulated by a non-privileged user.
At the end of his presentation, special for DEF CON, Patrick revealed an (at the time) undisclosed race condition that was an exploitable zero-day, to the delight of all in attendance.
The fact that such a ubiquitous software solution was vulnerable stole the headlines, but the real lesson is that packaging and other auxiliary components of your software are just as important. It wasn’t really Zoom, the software, that was vulnerable; it was the installer.
A presentation at Black Hat that caught my attention was In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot. Copilot is an incredible tool that will change the way developers code, and will open the door to many who ordinarily shy away from coding. The presenters demonstrated a number of experiments in which code output was biased based on several factors such as dependencies, word choice, and style, producing very different code based on context for the same problem.
In particular, they explored how often code produced by Copilot was inherently insecure. The takeaway was to avoid assuming that GitHub’s suggestions should be trusted because they aren’t GitHub’s. They are from a machine, and one trained on a lot of open source, which includes vulnerabilities and bad habits. As the presenters concluded by saying, it’s important that Copilot remain just that: a copilot, and not blindly trusted.
Some other notable presentations:
- DEF CON: All Roads leads to GKE's Host : 4+ Ways to Escape
- DEF CON: Trace me if you can: Bypassing Linux Syscall Tracing
- Black Hat: I Am Whoever I Say I Am: Infiltrating Identity Providers Using a 0Click Exploit
- Black Hat: Process Injection: Breaking All macOS Security Layers With a Single Vulnerability
- Black Hat: IAM The One Who Knocks
Where’s the love?
Three topics were underrepresented at all three conferences, both in talks and vendor representation:
- Supply chain security
- DevSecOps
- Kubernetes
Dude, where’s my supply chain security?
The Solarwinds breach has brought the need for supply chain security front and center but only a handful of vendors are yet playing in that space. Furthermore, most solutions don’t offer supply chain security per se; they are simply tools that can work in the supply chain, namely adaptations of traditional static application security testing (SAST) and dynamic application security testing (DAST).
DevSecOps? Anyone?
DevSecOps is a term gaining attention but is still foreign to the Black Hat and DEF CON crowds, which underlines the increasing need for DevOps practitioners to take the lead and reach out to Security teams to open the lines of communication.
Kubernetes schmubernetes
I counted only two booths in the whole Black Hat vendor area that explicitly mentioned Kubernetes. The majority of vendors today seem to view Kubernetes as simply another black-box deployment solution. I expect to see this change over the next two to three years.
At Mondoo we’re proud to offer a policy solution that extends throughout the entire application lifecycle, at every stage of the supply chain and in the deployed environment, and at each layer, from bare metal or cloud up to containers, registries, and beyond. Our easy-to-use query language allows Security and DevOps teams to translate policy into action, as code, and for continuous coverage.
We look forward to seeing you at BSides, Black Hat and DEF CON next year!
