Judicious use of sarcasm and humor
I’m not laughing at you.
I’m not poking fun at your InfoSec program.
I’ve been there.
I’m cringing right along with you.
4. What does an analyst do?
In short: We’re the FAQ or missing manual to clients for our respective markets.
Who are our (451’s) subscribers?
2. End users (enterprises, practitioners)
3. Investors (VCs, PE firms, Investment bankers, etc)
10. The pace of the security industry… is staggering.
• 9 new security startups… every month
• 5 new security categories... every six months
• 1223 enterprise security companies in our vendor database as of 11/2/15
• 102 security M&A deals so far in 2015…
• …worth over $8.3 billion…
• …with a median value of $69 million.
• Perspective: We estimate security product revenue to be at $18 billion
11. Eight $&%^#* BILLION? What? How?
• 15 of these deals were worth $100m or more
• The top 15% of the deals account for 90% of the value
1. Bain bought Blue Coat ($2.4bn)
2. Raytheon bought Websense ($1.3bn)
3. Cisco bought OpenDNS ($635m)
4. Beijing Jinxing Rongda bought FL Mobile (?!?) ($626m)
5. Cisco bought Lancope ($452m)
6. Thales bought Vormetric ($400m)
7. Trend Micro bought TippingPoint from HP ($300m)
8. Microsoft bought Adallom ($250m)
12. I mentioned 5 new categories every 6 months…
...and promised 10 categories you’ve never heard of...
BS? Let’s find out.
13. #1 – How do you secure infrastructure in the cloud?
1. Exactly the same way I do in the traditional datacenter!
2. I… thought it was secure because it was in the cloud. It is, isn’t it?
14. #1 – Cloud Infrastructure Security
The idea: Workloads in the cloud don’t work with traditional security products and need their own purpose-built
The customer: Anyone running production workloads in the cloud
How does it work? Half the market uses tiny agents and VMs that can be automatically provisioned – the other half are agentless (API-only).
• Alert Logic
• Splunk (app for AWS)
15. #2 – How do you handle data in the cloud?
1. I have data in the cloud?
2. I block the cloud
3. I find a private place to curl into a ball and weep
16. #2 – Cloud App Control (aka ‘CASB’)
The idea: NGFWs gave us the ability to allow/deny use of SaaS apps, but we still need visibility into what users are doing in those apps.
The customer: Anyone that has SaaS app use within an organization and is concerned about security (pretty much
How does it work? Kinda like a firewall for SaaS app features, but much, much more than that.
• Adallom (MSFT)
• Skyfence (Imperva)
• Managed Methods
• IBM CSE
• Palo Alto (Aperture)
17. #3 – How do you stop browser infections?
1. Block all plugins?
2. Force all users to use Opera or some browser attackers don’t care about?
3. Patch things VERY, VERY QUICKLY
4. Secure web gateway, known-bad blacklisting
18. #3 – Browser Isolation
The idea: Most malware infections come in through the web browser – if we move browsing sessions off the endpoint, we remove a ton of risk.
The customer: Any vertical without strict browser requirements looking for a low-maintenance way to cut down on infections.
How does it work? The browser session lives on a highly locked-down server on premise or in the cloud. Only a stream of the session reaches the endpoint (think publishing an app using Citrix
• Spikes Security
• Light Point Security
• Menlo Security
• Armor5 (Digital Guardian)
19. #4 – What can we do about WAF evasions?
1. Keep tabs on all known evasions and update/configure WAF to deal with
every single one. It works for IDS/IPS, right?
2. Start drinking
3. Fetal position; weep
20. #4 – Endpoint Security for Web Apps (RAST)
The idea: Network security is always easier to evade, so the ideal is to put the security control as close to the target of the threat as possible. Think ‘web app HIPS’.
The customer: Enterprises that feel their network WAF isn’t doing a good enough job, or requires too much work to maintain.
How does it work? The agent/engine lives on the same host as the web app and inspects requests. Unlike traditional IDS/IPS, most of these build behavioral models and look for anomalies.
• Shape Security
• HP App Defender
• Contrast Security
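A minimal version of the host-resident, behaviour-learning agent described above, written as an added example for this page (it is not code from the deck or from any vendor named on it). It learns per-endpoint parameter names, maximum lengths and character classes from a constructed sample of normal traffic, then reports how a later request deviates from that baseline; the endpoints, parameter names and traffic are all assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs

class RequestProfiler:
    """Learns what normal parameters look like per endpoint, then flags deviations."""
    def __init__(self, slack=2.0):
        self.slack = slack                 # tolerated growth over the learned max length
        self.profiles = defaultdict(dict)  # (method, path) -> param -> baseline
    @staticmethod
    def char_classes(value):
        # alnum / benign punctuation / other (quotes, brackets, semicolons, ...)
        return {"alnum" if c.isalnum() else "benign_punct" if c in " -_.@" else "other" for c in value}

    def observe(self, method, path, query):
        """Learning phase: record parameter names, max lengths and character classes."""
        profile = self.profiles[(method, path)]
        for name, values in parse_qs(query, keep_blank_values=True).items():
            entry = profile.setdefault(name, {"max_len": 0, "classes": set()})
            for v in values:
                entry["max_len"] = max(entry["max_len"], len(v))
                entry["classes"] |= self.char_classes(v)

    def inspect(self, method, path, query):
        """Enforcement phase: list the ways a request deviates from the learned baseline."""
        profile = self.profiles.get((method, path))
        if profile is None:
            return ["unknown endpoint"]
        reasons = []
        for name, values in parse_qs(query, keep_blank_values=True).items():
            entry = profile.get(name)
            if entry is None:
                reasons.append(f"unexpected parameter {name!r}")
                continue
            for v in values:
                if len(v) > entry["max_len"] * self.slack:
                    reasons.append(f"{name!r} length {len(v)} exceeds baseline {entry['max_len']}")
                new = self.char_classes(v) - entry["classes"]
                if new:
                    reasons.append(f"{name!r} contains unseen character classes {sorted(new)}")
        return reasons

# Constructed sample of normal traffic (not real logs) used to learn the baseline.
TRAINING = [("GET", "/search", "q=laptop+bag&page=1"),
            ("GET", "/search", "q=usb-c+cable&page=2"),
            ("GET", "/login", "user=alice&pw=hunter2")]

def build_detector():
    det = RequestProfiler()
    for method, path, query in TRAINING:
        det.observe(method, path, query)
    return det
```

A real product keeps learning after deployment and weights its scores; this toy switches from learning to enforcement the moment `inspect` is called.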
21. #5 – The Internet and users are HUGE THREATS
How can we deal with problems this big?
1. Get rid of the users
2. Take away all users’ access to everything
3. Let someone else run our websites and applications – liability shift
22. #5 – Software-Defined Perimeter (SDP)
The idea: Manage users like any other host coming from an untrusted network (like the Internet). Have little to no Internet attack surface.
The customer: Anyone that feels like they’re fighting a losing battle keeping endpoints secured and under control.
How does it work? Like the idea of NAC, users have no access by default. Access is granted to apps from anywhere and any device through an authentication gateway. Successful authentication creates an IPsec tunnel or reverse proxy to the app.
• Unisys Stealth
24. #6 – The attacker got in. What now?
1. Call an IR/Forensics team to clean up
2. Take everything offline, kill the Internet egress and start rebuilding
3. To the SIEM! (80 hours of querying later, go to #1)
4. Game over, man!
25. #6 – Detection through Deception (D&D)
The idea: Seed fake hosts, credentials and/or data throughout your network to discover attacks.
The customer: Anyone looking for ways to discover attacks that don’t use malware or evade typical detection (especially insider threats).
How does it work? This ‘fake’ infrastructure (think honeypots/honeynets) never has any valid reason to be touched or used. 100% of alerts coming from this infrastructure should indicate a true threat (as long as you are aware of all authorized pentest activity).
• Attivo Networks
• Shadow Networks
• Illusive Networks
• Thinkst Canary
• Perception Point
26. #6 – Detection through Deception (D&D)
Stolen from https://canary.tools/#how-it-works
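An added example (not from the deck or from any vendor listed on it) of the triage rule the slide states: any touch of decoy infrastructure is a true-positive alert, with the single exception of authorized pentest activity. The decoy addresses and account names, the pentest source and window, and the log lines are all constructed.

```python
import re
from datetime import datetime, timezone

# Constructed decoy inventory (hypothetical addresses and account names, not from the deck).
DECOY_HOSTS = {"10.0.9.200", "10.0.9.201"}
DECOY_ACCOUNTS = {"svc_backup_old", "finance-share"}
# The one legitimate reason to touch a decoy: an authorized pentest from known sources in an approved window.
AUTHORIZED_PENTEST = {"sources": {"10.0.77.5"},
                      "window": (datetime(2015, 11, 2, 9, 0, tzinfo=timezone.utc),
                                 datetime(2015, 11, 2, 18, 0, tzinfo=timezone.utc))}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

def parse_line(line):
    # 'TIMESTAMP key=value key=value ...' -> dict; None for anything unparseable
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return fields

def is_authorized(fields):
    start, end = AUTHORIZED_PENTEST["window"]
    return fields.get("src") in AUTHORIZED_PENTEST["sources"] and start <= fields["ts"] <= end

def triage(lines):
    """Return (alerts, suppressed): every decoy touch is an alert unless it is the approved pentest."""
    alerts, suppressed = [], []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f.get("dst") in DECOY_HOSTS:
            hit = f"decoy host {f['dst']} contacted from {f.get('src')} on port {f.get('dport')}"
        elif f.get("user") in DECOY_ACCOUNTS:
            hit = f"decoy account {f['user']} used from {f.get('src')}"
        else:
            continue  # real infrastructure: not this detector's job
        (suppressed if is_authorized(f) else alerts).append(hit)
    return alerts, suppressed

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2015-11-02T14:03:11Z src=10.0.4.17 dst=10.0.9.200 dport=445",  # decoy host touched: alert
    "2015-11-02T14:05:00Z src=10.0.77.5 dst=10.0.9.201 dport=22",  # pentester inside the window: suppressed
    "2015-11-02T22:10:00Z src=10.0.77.5 dst=10.0.9.201 dport=22",  # same source, outside the window: alert
    "2015-11-02T14:07:30Z src=10.0.4.17 dst=10.0.1.10 dport=443",  # real host: ignored
    "2015-11-02T14:09:02Z src=10.0.4.17 user=svc_backup_old result=fail",  # decoy credential: alert
]
```

Suppressed hits are still worth keeping for the pentest debrief: they show which decoys the testers found and which they never touched.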
27. #7 – Incident response work is eating up all resources/time
1. Hire more people?
3. Buy more/better forensic tools?
28. #7 – Incident Response Automation
The idea: Incident response doesn’t have to be an entirely manual affair, especially with incidents that are false alarms or routine infections that must be dealt with, but aren’t real threats.
The customer: Companies that spend an inordinate amount of time in “IR
How does it work? Network and endpoint agents that integrate with other products to automate remediation
• CSG Invotas
• Resilient Systems
• Phantom Cyber
• Dell SW ECIR
• Proofpoint Netcitidel
29. #8 – Attackers know how to recon. What can we do?
1. Brace for impact!
2. Do more preparation
3. Buy more prevention
4. Practice IR skills/plans
30. #8 – Automated Public (OSINT) Threat Assessments
The idea: Discovering, quantifying and prioritizing threats to your business that are outside your network and control.
The customer: Anyone with brand reputation concerns or issues. Anyone that stands to lose big if a breach occurs.
How does it work? Largely using OSINT data and sources, determine if the brand is being abused or used for fraud. Hash sensitive corporate data and determine if it has been leaked to known dark/deep web sites, forums, paste sites or other likely places for stolen data to turn up. Some vendors also offer anti-phishing takedown assistance.
• Area 1 Security
• Palantir (Kinda)
• Maltego (manual)
• Recorded Future
• Digital Shadows
• Terbium Labs
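The hashed-data leak check from the slide, as an added example that is not part of the deck or of any listed vendor’s product: the company hands over keyed hashes of its sensitive records, the scanning side hashes every candidate identifier it pulls out of a dump and intersects the two sets, so plaintext never crosses the boundary. The key, the corporate records and the dump are constructed.

```python
import hashlib
import hmac
import re

# Constructed per-engagement key (hypothetical), shared only with the scanning service: an unkeyed
# hash of a low-entropy value such as an e-mail address can be reversed by enumeration, a keyed one cannot.
ENGAGEMENT_KEY = b"example-engagement-key-not-for-production"
# Candidate identifiers pulled out of a dump: e-mail addresses and long numeric IDs.
TOKEN_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\b\d{6,}\b")

def normalize(token):
    """Same canonical form on both sides, or 'Alice.Smith@Example.com' never matches 'alice.smith@example.com'."""
    return token.strip().lower()

def fingerprint(token):
    return hmac.new(ENGAGEMENT_KEY, normalize(token).encode("utf-8"), hashlib.sha256).hexdigest()

def fingerprint_records(records):
    """What the company hands over: keyed hashes of its sensitive records, never the plaintext."""
    return {fingerprint(r) for r in records}

def scan_dump(text, fingerprints):
    """What the scanning side does with a paste or dump: hash every candidate token and intersect."""
    return {fingerprint(t) for t in TOKEN_RE.findall(text)} & fingerprints

# Constructed corporate records and a constructed dump (no real data).
CORPORATE_RECORDS = ["Alice.Smith@example.com", "bob@example.com", "100234567"]
SAMPLE_DUMP = """fresh leak lol
alice.smith@example.com:Pa55w0rd
carol@other.example:letmein
acct 100234567 balance 1200
"""

def leaked_count():
    """Number of corporate records that turn up in the sample dump."""
    return len(scan_dump(SAMPLE_DUMP, fingerprint_records(CORPORATE_RECORDS)))
```

The match set only tells you which hashes hit; mapping them back to records happens on the company’s side, which already holds the plaintext.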
31. #9 – How do you know your defenses work?
You bought all the things and plugged them all in. Do they work?
2. Watch for China?
32. #9 – Incident Response Testing
The idea: In theory, our annual pentests should be the key opportunity to determine how good we are at detecting attacks. Once a year isn’t enough for training and continuous improvement.
The customer: Anyone serious about really getting good at incident response.
How does it work? These products simulate real attacks, allowing your IR team to practice responding; fix gaps in awareness, monitoring, alerting; do more effective proof-of-concept testing on new products; verify products are working correctly; etc.
• Stratum Security
More exploit or anti-
33. #10 – MDM/EMM/BYOD is hard.
The employees own the devices, but have corporate data on it.
Head, meet wall.
1. Wipe it?
2. Partial wipe?
3. Lock it down?
4. Issue corporate phones, forcing them to carry two smartphones at all times?
34. #10 – Virtual Mobile Infrastructure
The idea: Separating work and personal on a mobile device is still a challenge. Two phones fixes this, but is physically inconvenient. Why not virtualize your work
The customer: Companies that don’t like existing MDM/container options or have had little success with
How does it work? Like with browser isolation, a virtualized Android instance houses all your work stuff, and you stream it remotely to your personal
• Remotium (Avast)
• Trend Micro
35. #10 – Virtual Mobile Infrastructure
Lifted from https://nubosoftware.com/vmi.html
36. Crazy one-off bonus round: Power Fingerprinting
1. “You can’t put software on those systems”
2. “You can’t put anything on the network, either”
37. Crazy one-off bonus round: PrivateCore
1. Service providers encrypt our data when stored.
2. What if someone dumped RAM in a multi-tenant environment?