As an industry analyst and Forbes contributor who writes about digital transformation, I am always looking for stories of disruption. Attending last week’s massive RSA cybersecurity conference gave me the opportunity to speak with a few dozen of the most disruptive vendors among the thousands at the event.
Based upon these conversations, I uncovered four broad trends that represent deeply transformational aspects of the burgeoning enterprise cybersecurity marketplace. As with most disruptions, however, these four are but part of the story.
Disruption #1: Targeting the Links in the Cyber Kill Chain
Perhaps the broadest disruption: vendors are improving their ability to understand how bad actors behave, and can thus take steps to prevent, detect, or mitigate their malicious activities. In particular, today’s vendors understand the ‘Cyber Kill Chain’ – the steps a skilled, patient hacker (known in the biz as an advanced persistent threat, or APT) will take to achieve his or her nefarious goals.
The product of US Defense contractor , The Cyber Kill Chain contains seven links: reconnaissance, weaponization, delivery, exploitation, installation, establishing command and control, and actions on objectives.
Today’s more innovative vendors target one or more of these links, with the goal of preventing, discovering, or mitigating the attack. Five vendors at RSA stood out in this category.
Ziften offers an agent-based approach to tracking the behavior of users, devices, applications, and network elements, both in real-time as well as across historical data. In real-time, analysts use Ziften for threat identification and prevention, while they use the historical data to uncover steps in the kill chain for mitigation and forensic purposes.
ProtectWise also records up to a year or more of data, but at the network level. It can thus replay an attack, as well as offering visibility from the network to its endpoints. Think of it as a security camera that catches the entire Cyber Kill Chain.
Endgame offers an endpoint security platform that can hunt for threats by identifying and preventing zero-day threats, detect and respond to threats in real-time, and can even stop ‘fileless’ attacks that operate only in memory – one of the tricks hackers use for lateral movement during the ‘installation’ link in the chain in order to establish command and control.
LookingGlass offers several threat intelligence and mitigation services, including its Cyveillance Malware Total Lifecycle Protection, which provides pre-infection protection from malicious web pages, emails and phishing attacks, and prevents post-infection malware from reaching command and control servers, thus interfering with the installation phase as well.
Finally, the iboss Secure Web Gateway Platform can detect command and control callbacks, fingering attackers as they’re about to do the most damage. Its network anomaly detection can also contain data at the moment a bad actor attempts to hijack them during the ‘action on objectives’ link in the chain.
Disruption #2: Leveraging AI to Better Understand Human Behavior
Artificial intelligence (AI) was all the buzz at RSA, with much of the noise just that – noise. One area where vendors are successfully applying AI, however, is to tell the good guys from the bad guys, and furthermore, to tell the good guys from the bots, simply by analyzing their behavior.
Insider threats are among the most pernicious, especially when the insider has special privileges. ObserveIT identifies, investigates, and blocks insider threats by tracking the behavior of users and identifying when that behavior violates policy.
RedOwl uses AI-driven natural language processing to analyze data across human resources, physical equipment like security badges, and IT gear to identify insider threats and build a narrative of their behavior for forensic analysis.
CyKick Labs uses a combination of machine learning and natural language processing as well as more traditional rules to identify suspect behavior, including bot traffic. It enables cyber investigators to track cases based upon business actions.
Disruption #3: ‘Software Defined’ Cybersecurity
Cybersecurity has also joined the Software-Defined Everything (SDX) movement. If we can represent our entire cybersecurity deployment as a software-based model, the reasoning goes, then we have better control, visibility, and flexibility.
empow leverages software-defined techniques to implement an abstraction an orchestration layer on top of a range of disparate enterprise security tools.
SAM Seamless Network protects network equipment at the application level. For example, its software will enable ISPs to protect home routers by providing a security hub for devices in the home.
Disruption #4: Israel Becomes the Cyber Silicon Valley
The fourth trend is how Israeli cybersecurity startups have come to dominate the innovation in this space. We selected the vendors we interviewed by looking for disruption independent of geography, so we were quite surprised with the number of Israeli startups that made our list.
Of the 26 vendors we met with at the RSA Conference, we ended up speaking with no less than six Israeli firms: Cybellum, CyKick Labs, ObserveIT, SAM Seamless Network, Secbi, and Secret Double Octopus, who wins the award for the coolest company name at the conference.
We also chatted with folks from Blumberg Capital, a hot San Francisco VC firm with successes like , Hootsuite, and Nutanix. The firm has a Tel Aviv office and a particular interest in Israeli startups.
Silicon Valley may still have the edge generally, but Israel is gaining fast in the cyber arena – specifically with the right combination of talent, money, and chutzpah. Combined with innovations in threat prevention, detection, and defense like the ones in this article, the long-standing advantage that bad actors have enjoyed may finally be nearing its end.
Intellyx publishes the Agile Digital Transformation Roadmap poster, advises companies on their digital transformation initiatives, and helps vendors communicate their agility stories. As of the time of writing, none of the organizations mentioned in this article are Intellyx customers. Cyber Kill Chain is a registered trademark of Lockheed Martin. Image credit: Blue Coat Photos.