August 2017 Newsletter

A month of adventures

Kyle’s bike in repose — a rare moment when it isn’t conspiring with the terrain to murder him.

Savage Security News

This past month, we attended Black Hat; explored the Trans America Trail; analyzed a thinly veiled attack piece; presented on ransomware at a local DEF CON group and a remote OWASP group (simultaneously); signed up several new subscription customers and started planning our first buyer’s guide.

Yeah, it was a busy month.

Words have meanings

The level of hyperbole in a piece by Digital Defense was too much to ignore, especially when the post singled out Carbon Black for something that’s common throughout the industry, off by default and shipped with more than adequate disclaimers. Pieces like this only serve to confuse and distract our industry from what’s really important — like the fact that, what’s often referred to as ‘the basics’ are neither basic nor easy.

Worrying about one product in the industry uploading proprietary code to VirusTotal when an optional feature is enabled is far from a top priority for most enterprises. It’s tempting and easy to get lured away from practical improvements for the more exciting scenarios presented at security conferences, which brings us to…

Black Hat

Adrian went to Black Hat to officially announce and launch our market services. We’re introducing some new sections to the newsletter to support those services, sharing new and interesting companies or market trends we’ve come across.

Black Hat, where it’s totally normal to see giant checks for $1000 in the trash.

Black Hat was largely an uneventful affair aside from the annual legal threat/corporate action against hackers regarding controversial research. This year’s case was over the release of a tool called… well, let’s just say that the innuendo-heavy name fits in well at DEF CON. You can read all about it here. The researchers were fired by Salesforce for refusing to cancel their talk.

The main keynote (starts about 46m in) was delivered by Facebook’s CISO, Alex Stamos. It was refreshingly passionate, forward-thinking and everything else the aforementioned Digital Defense hit piece was not.

Overall, the tone of Black Hat matched what we’re seeing in the startup world — a call to go back to basics. The average asset discovery tool can’t tell the difference between Linux on a router, Linux on a Laptop and Linux on an Amazon Echo, and that’s a problem in 2017. IoT devices are flooding both home and business networks, making network security, visibility and management an even more difficult affair.

Market Research and Services

We’re currently accepting commissioned research projects, due diligence projects and other go-to-market services listed on our website. Additionally, we’ll be announcing our own internal research projects that are already underway — there will be opportunities to sponsor these. Sponsoring will help speed up the work, give sponsors exclusive access to research results and license to publish the results.

Subscription Services

We’re finding a subscription approach is really making sense for a lot of our clients. It’s rare that we run across an organization that just needs “a penetration test, thanks, see you later”. More often, clients are looking for someone to bounce ideas off of, to help with strategies, defensive tactics and even product selection. With a monthly pool of hours to pull from, clients can call us when the next Heartbleed or WannaCry occurs to help quickly build a strategy.

If we can help make healthy, non-judgmental security conversations become more than a one-year affair in a few organizations, we’ll count Savage Security a success.

Ransomware Talks

Kyle talked about some ransomware we reverse-engineered a few months ago, Nemucod-AES, at the local DEF CON group (DC865).

Adrian participated in a virtual conference, Preparing for the Ransomware Reality, for the Brooklyn OWASP chapter. This happened to be on the same day, at the same time (6pm). Good thing there’s two of us…

The Trans America Trail

Kyle went on a heck of an adventure 5 years in the making. He’s got a whole separate blog dedicated to it.

Market News

This is a new section where we’ll talk about some new stuff we’ve seen, but haven’t explored too deeply yet. We’ll also share our opinions on things we might have regretted exploring so deeply.

New and Interesting Companies

We talked to Awake Security at Black Hat, and were excited to find that they weren’t just another ‘SIEM for your SIEM’ vendor. Rather, Awake seems to be taking a rational approach to asset discovery and combining it with user and environment context in a package that looks fairly simple. It sounds like a network tap and some credentials are all the system needs. We only know the barest of details right now, but are exited to see a demo in the near future.

We’re big fans of the software-defined perimeter (SDP) concept, often associated with Google’s BeyondCorp concept. When we heard SaferVPN was moving in that direction we were interested to hear more. We ran into each other at Black Hat (unexpected meetings are one of my favorite parts of the conference experience) and we’re looking forward to a full briefing.

We briefed with Security Compass, which isn’t a new company, but was new to us. The company approaches AppSec from the design phase — something we haven’t seen before, but is more important than ever these days with companies producing more and more code and software than ever before.

One of our research projects is an attempt to improve and simplify the management, storage and handling of customer-sensitive data. Ideally, we want our customers to control as close to 100% of their data as possible, at all times throughout an engagement. We spoke with Ironcore Labs, who provides an intriguing key management API that might help us achieve that goal.

Just for Fun

It seems like ticket prices for the McGregor vs Mayweather fight attracted some impressive social engineering. Just remember, this is illegal and definitely not advisable when you’re breaking into an arena full of people that punch other people in the face for a living.

Wrapping up

Believe it or not, we’ve still got some surprises we’re holding back for next month. Also keep an eye out for some interesting blog posts between now and next month!

Upcoming Events

September 14th — Adrian will be joining the venerable Dan Raywood for another interesting webinar titled, Be Less Man vs Machine, More Man and Machine.

September 22nd — 24th — Adrian and Kyle will be at DerbyCon 7.0. Thanks to Kyle’s quick reflexes, we scored some tickets. Let us know if you want to meet up there, or feel free to say hello!

September 25th — Immediately after DerbyCon, Kyle is giving his Building a Security Program with Zero Budget talk at the 63rd annual ASIS conference in Dallas. ISSA and (ISC)2 often partner with ASIS conferences (more focused on physical security, hence the old age of the conference), and at this one, Kyle’s talk will be part of the ISSA program.

Savage Services

Interested in any of our consulting, market or subscription services? Drop us an email (info at SavageSec dot com) or go old school and give us a call at (844) 572–8243.

Our website and brochures go into more detail on how Savage Security can help you with your security needs or research project.

Consulting Services Brochure

Market Services Brochure

Subscription Services Brochure

August 2017 Newsletter was originally published in Savage Security Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

This is a Security Bloggers Network syndicated blog post authored by Kyle Bubp. Read the original post at: Savage Security Blog - Medium