Wednesday, August 10th, 2016

Black Hat 2016 – Talking Points

Black Hat is the marquee cybersecurity expo for companies to showcase new tools and evolving technologies that will help defend against cyber threats. But the massive developments in the cyber security arena mean you can easily get overwhelmed and struggle to see the wood for the trees.

The Smarttech team has consolidated the hot topics at Black Hat 2016 into four themes; here is our pick.

  • Behavior Baselining

The concept of behavioural baselining is understanding the normal behaviour within a network and then utilising tools that can identify deviations from this normal activity in real time. In my experience this is without doubt critical in this day and age.

The best way to detect advanced malware is to differentiate between normal and abnormal activities. Network Behaviour Anomaly Detection (NBAD), or behaviour baselining, builds a database of network characteristics and generates an offence when a deviation from normal is detected. Time and time again we see malware sitting inside customer networks for months on end without detection.
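To make the baselining idea concrete, here is an added example (not Smarttech's code, nor any particular NBAD product's) that learns per-host averages for two network characteristics over a seven-day window and raises an offence when today's value is more than three standard deviations away. The hosts, byte counts and destination counts are constructed sample data, and the three-sigma threshold is an assumed tuning value.

```python
"""Behaviour baselining over constructed per-host daily flow summaries (added example)."""
from statistics import mean, pstdev

# Constructed learning window: for each host, seven days of
# (outbound bytes, distinct external destinations).
HISTORY = {
    "10.0.1.20": [(5.1e6, 14), (4.8e6, 13), (5.3e6, 15), (4.9e6, 12),
                  (5.0e6, 14), (5.2e6, 13), (4.7e6, 14)],
    "10.0.1.21": [(1.2e6, 8), (1.1e6, 9), (1.3e6, 8), (1.0e6, 7),
                  (1.2e6, 8), (1.1e6, 9), (1.2e6, 8)],
}

# Constructed values for the day being evaluated.
TODAY = {
    "10.0.1.20": (5.0e6, 14),   # looks like every other day
    "10.0.1.21": (9.5e6, 61),   # sudden large upload to many new destinations
}


def build_baseline(history):
    """Return {host: {metric: (mean, stddev)}} learned from the history window."""
    baseline = {}
    for host, rows in history.items():
        bytes_out, dest_count = zip(*rows)   # split rows into one tuple per metric
        baseline[host] = {
            "bytes_out": (mean(bytes_out), pstdev(bytes_out)),
            "dest_count": (mean(dest_count), pstdev(dest_count)),
        }
    return baseline


def score_day(baseline, today, threshold=3.0):
    """Return (host, metric, z-score) for every metric deviating beyond `threshold` sigmas."""
    offences = []
    for host, (bytes_out, dest_count) in today.items():
        for metric, value in (("bytes_out", bytes_out), ("dest_count", dest_count)):
            mu, sigma = baseline[host][metric]
            sigma = sigma or 1.0          # a perfectly flat baseline must not divide by zero
            z = (value - mu) / sigma
            if abs(z) > threshold:
                offences.append((host, metric, round(z, 1)))
    return offences


if __name__ == "__main__":
    for offence in score_day(build_baseline(HISTORY), TODAY):
        print("offence:", offence)
```

Only the second host is reported, on both metrics; the first host's day sits squarely inside its learned range. In practice the window would be longer, metrics would be per hour rather than per day, and the baseline would be refreshed so that a slow drift does not become "normal" unnoticed.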

  • Active Response

Organisations are investing in better security technologies and, as a result, the number of threats being discovered increases dramatically. But with new technologies there will also be a battle between false positives and true positives (the firewall says there is a breach while the AV says it was contained). This often causes what security operations centre (SOC) managers call alert fatigue: far too many alerts, but not enough time to investigate them properly or even respond to them. The analogy that is often used is knowing about all the wildfires in a region but not being able to prioritise or address them due to a lack of resources.

Active response is the ability to respond to an attack as soon as it is detected within the environment. This is usually dealt with internally in the company's own SOC or in an outsourced capacity by a SOC service provider. Active response is where either an automated system or a live analyst takes ownership of an issue and prioritises it based on a set of metrics and data correlation. The following steps include issuing instructions such as blocking at firewall level and segregating assets within the network. The ultimate goal of active response is to deal with the fire, either through automation or a live analyst.
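The correlation and prioritisation step described above, as an added example that is not part of the original post or of any SOC platform: alerts from a firewall and an AV agent are grouped per host, duplicates are dropped, each incident is scored from severity and asset value (with the score halved when the AV reports containment, the "firewall says breach / AV says contained" case), and a response action is chosen. Host names, asset values and the scoring weights are constructed assumptions.

```python
"""Alert correlation and prioritisation feeding an active-response decision (added example)."""
from collections import defaultdict

# Constructed alerts. Severity is 1-10; asset_value is 1-5 (5 = crown jewels).
ALERTS = [
    {"src": "firewall", "host": "ws-014", "asset_value": 2,
     "event": "outbound to known bad IP", "severity": 7},
    {"src": "av", "host": "ws-014", "asset_value": 2,
     "event": "malware quarantined", "severity": 5, "contained": True},
    {"src": "firewall", "host": "db-01", "asset_value": 5,
     "event": "outbound to known bad IP", "severity": 7},
    {"src": "firewall", "host": "db-01", "asset_value": 5,
     "event": "outbound to known bad IP", "severity": 7},   # repeat of the line above
    {"src": "av", "host": "ws-022", "asset_value": 1,
     "event": "PUP detected", "severity": 2, "contained": True},
]


def correlate(alerts):
    """Group alerts by host, drop exact repeats, and produce one scored incident per host."""
    by_host = defaultdict(list)
    for alert in alerts:
        seen = {(a["src"], a["event"]) for a in by_host[alert["host"]]}
        if (alert["src"], alert["event"]) not in seen:
            by_host[alert["host"]].append(alert)

    incidents = []
    for host, group in by_host.items():
        max_sev = max(a["severity"] for a in group)
        asset = group[0]["asset_value"]
        contained = any(a.get("contained", False) for a in group)
        network_hit = any(a["src"] == "firewall" for a in group)
        # Severity weighted by asset value; halved when the AV reports containment,
        # since the firewall evidence may predate the quarantine.
        score = max_sev * asset * (0.5 if contained else 1.0)
        incidents.append({
            "host": host, "score": score, "contained": contained,
            "network_hit": network_hit, "sources": sorted({a["src"] for a in group}),
        })
    # Highest score first: this is the order an analyst (or playbook) works through.
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def recommend(incident):
    """Map an incident to a response action (constructed playbook wording)."""
    if incident["network_hit"] and not incident["contained"]:
        return "isolate host and block destination at firewall"
    if incident["network_hit"] and incident["contained"]:
        return "verify quarantine, confirm no further outbound traffic"
    return "ticket for routine analyst review"


if __name__ == "__main__":
    for incident in correlate(ALERTS):
        print(incident["host"], incident["score"], "->", recommend(incident))
```

The database server, with a network indicator and no containment, lands at the top of the queue and gets the blocking action; the workstation whose AV already quarantined the file is verified rather than isolated; the PUP alert is left for routine review. The weights are deliberately simple so the ranking logic is visible; a real SOC would feed in threat-intel confidence and asset criticality from the CMDB.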

  • Security Analytics

Analytics is on everyone's radar because it is now easier than ever before to extend analytics capabilities throughout the organisation, pushing deep into the heart of the business. With cybersecurity becoming increasingly complex, analytics will provide enterprises with important capabilities to derive insights from data. This will help enterprises to make more effective and timely decisions and allow them to create a competitive edge for themselves.

Identifying patterns in order to stop malware will be the new normal. Security analytics will be applied to millions of events across multiple data sources and then cross-referenced with threat intelligence. This will be delivered using SIEM technology such as IBM QRadar. The purpose of security analytics is to provide actionable knowledge to security analysts and security managers.

Malware is regularly designed to target and exploit unpatched systems. An example of security analytics in this case is the use of continuous vulnerability scanning to identify the number of systems that are vulnerable and accessible from the internet. This analysis and reporting allows the security team to prioritise remediation.
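The two preceding paragraphs describe cross-referencing events with threat intelligence and using scan results to count internet-accessible vulnerable systems. The following added example (our own illustration, not QRadar's logic or any vendor's) does both over constructed data: it summarises exposure per vulnerability and ranks hosts for remediation, boosting those whose vulnerability is reported as exploited in the wild, that are internet-facing, or that have been seen talking to a known-bad address. The CVE identifiers, IP addresses and weights are placeholders, not real findings.

```python
"""Security analytics: scan results cross-referenced with threat intelligence (added example)."""

# Constructed vulnerability scan output, one row per (host, finding).
# The CVE ids are placeholders and do not refer to real vulnerabilities.
SCAN = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "internet_facing": True},
    {"host": "web-02", "cve": "CVE-0000-0001", "cvss": 9.8, "internet_facing": True},
    {"host": "app-07", "cve": "CVE-0000-0001", "cvss": 9.8, "internet_facing": False},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3, "internet_facing": True},
    {"host": "fs-03",  "cve": "CVE-0000-0003", "cvss": 7.5, "internet_facing": False},
]

# Constructed threat-intelligence feeds.
INTEL_EXPLOITED = {"CVE-0000-0001"}        # vulnerabilities seen used by malware in the wild
INTEL_BAD_IPS = {"203.0.113.9"}            # known command-and-control infrastructure

# Constructed SIEM events: outbound connections observed from internal hosts.
EVENTS = [
    {"host": "fs-03", "dst": "203.0.113.9"},
    {"host": "web-02", "dst": "198.51.100.4"},
]

# Assumed weights added on top of the CVSS base score.
W_EXPLOITED, W_INTERNET, W_BAD_TALKER = 10, 5, 20


def exposure_summary(scan):
    """Per CVE: number of vulnerable hosts and how many of them are internet-accessible."""
    summary = {}
    for row in scan:
        entry = summary.setdefault(row["cve"], {"hosts": 0, "internet_facing": 0})
        entry["hosts"] += 1
        entry["internet_facing"] += int(row["internet_facing"])
    return summary


def prioritise(scan, events):
    """Rank hosts for remediation, highest priority first, as (host, score) pairs."""
    bad_talkers = {e["host"] for e in events if e["dst"] in INTEL_BAD_IPS}
    scores = {}
    for row in scan:
        score = row["cvss"]
        if row["cve"] in INTEL_EXPLOITED:
            score += W_EXPLOITED
        if row["internet_facing"]:
            score += W_INTERNET
        if row["host"] in bad_talkers:
            score += W_BAD_TALKER
        # A host is only as safe as its worst finding.
        scores[row["host"]] = max(scores.get(row["host"], 0), score)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for cve, entry in exposure_summary(SCAN).items():
        print(cve, entry)
    for host, score in prioritise(SCAN, EVENTS):
        print(host, score)
```

The file server jumps to the top despite the lowest CVSS of the three findings because it is already talking to known-bad infrastructure, which is exactly the kind of conclusion that only appears when scan data and events are correlated rather than read separately. The exposure summary gives managers the headline number the paragraph mentions: three hosts carry the exploited vulnerability, two of them reachable from the internet.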

  • Ransomware / Public Key Cryptography

The ransomware epidemic of the last 12 months is set to increase throughout the rest of the year and into 2017. As more applications use encryption for communication, malware developers are adopting the same techniques. Also, zero-day vulnerabilities like Heartbleed in OpenSSL shake the foundations of secure communication over the internet.

It is now critically important for all organisations to understand the implications of cryptography for their business, both good and bad. Critical applications that use cryptography need to be documented and the management of keys needs to be secure. Also, how can your organisation distinguish between standard application SSL communications and malware communications from internal hosts to command-and-control (C&C) servers?
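One defensive answer to the closing question, without decrypting anything, is to look at connection timing and TLS metadata: application traffic is bursty and carries a server name and a CA-issued certificate, whereas a beacon to C&C tends to fire on a fixed interval with little jitter and often presents no SNI or a self-signed certificate. The added example below (our illustration, not code from the original post or any product) computes the coefficient of variation of inter-connection gaps per source/destination pair over a constructed TLS connection log and flags pairs that are both periodic and weak on TLS hygiene. The addresses, timings and the 0.2 threshold are constructed assumptions.

```python
"""Separating routine TLS traffic from beacon-like C&C traffic by timing and metadata (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed TLS connection log:
# (timestamp seconds, src, dst, server name indication, certificate self-signed?)
CONNECTIONS = [
    # Browser-style traffic: bursty, real SNI, CA-signed certificate.
    (0,   "10.0.2.5", "93.184.216.34", "example.com", False),
    (3,   "10.0.2.5", "93.184.216.34", "example.com", False),
    (4,   "10.0.2.5", "93.184.216.34", "example.com", False),
    (250, "10.0.2.5", "93.184.216.34", "example.com", False),
    (251, "10.0.2.5", "93.184.216.34", "example.com", False),
    (900, "10.0.2.5", "93.184.216.34", "example.com", False),
] + [
    # Beacon-style traffic: roughly every 60 s with small jitter, no SNI, self-signed cert.
    (t, "10.0.2.9", "203.0.113.77", "", True)
    for t in (0, 61, 119, 181, 240, 302, 359, 420)
]


def beacon_score(conns, min_sessions=6):
    """Per (src, dst) pair: timing regularity (coefficient of variation) plus TLS metadata flags."""
    by_pair = defaultdict(list)
    for ts, src, dst, sni, self_signed in conns:
        by_pair[(src, dst)].append((ts, sni, self_signed))

    results = {}
    for pair, rows in by_pair.items():
        if len(rows) < min_sessions:
            continue                      # too few sessions to judge periodicity
        times = sorted(r[0] for r in rows)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)    # near 0 means evenly spaced connections
        results[pair] = {
            "cv": round(cv, 2),
            "no_sni": all(r[1] == "" for r in rows),
            "self_signed": any(r[2] for r in rows),
        }
    return results


def suspicious(results, cv_threshold=0.2):
    """Pairs that are periodic and show at least one weak-TLS indicator."""
    return [pair for pair, r in results.items()
            if r["cv"] < cv_threshold and (r["no_sni"] or r["self_signed"])]


if __name__ == "__main__":
    scores = beacon_score(CONNECTIONS)
    for pair, r in scores.items():
        print(pair, r)
    print("suspicious:", suspicious(scores))
```

The browser pair scores a coefficient of variation well above 1 and is left alone; the beacon pair scores close to 0 with both metadata flags set and is reported. Timing alone would also flag legitimate periodic jobs such as update checks, which is why the metadata indicators (and, in a SIEM, a threat-intel lookup on the destination) are combined with it rather than used on their own.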

The Bottom Line

Cyber Security is complex and the growth in sophisticated malware is unprecedented. Because of its rapidly shifting nature, cybersecurity is a moving target. It’s unreasonable to expect everyone in your organization and external parties, like partners and customers, to be experts, but making the risks easier to understand can go a long way toward improving security hygiene.

The organisations who are successfully winning the cyber security battle accomplish this by employing technologies that utilise analytics and automation to determine what is normal and where there is deviation from it. This is combined with incident response professionals, either internal or external.
