Last week’s Black Hat USA 2022 conference squarely framed the cybersecurity issues IT and network managers are facing. From the keynotes to the conference sessions, the message was clear: security challenges are increasing, and the complexity of modern applications and infrastructures makes networks all the harder to secure and attacks all the harder to defend against.
Some areas are outside the control of network managers, yet they must still be prepared to deal with the consequences. A prime example is the rise in geopolitical risk over the last year.
That was a major theme in a keynote delivered by Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA), who is now with the Krebs Stamos Group consultancy. He noted that there is an unprecedented collision between geopolitical risks and technology risks.
One example is the war in Ukraine. He also cautioned that Taiwan is a hotspot to watch. As Dark Reading reported: a Chinese invasion of Taiwan has the potential to affect organizations across the board, especially the technology supply chain, competition and markets, and IT operations.
Industry trends increase risks and challenges
Throughout the conference, speakers noted the increased risk from digital transformation and the move to the cloud, both of which accelerated during Covid.
With regard to digital transformation, author and journalist Kim Zetter focused her keynote on the vulnerabilities of critical infrastructure. She noted that this is not a new issue, citing the awareness generated when Stuxnet was discovered in 2010. At that point the security community, which had been focused on IT networks, realized the importance of protecting the operational networks and industrial control systems that manage pipelines, railways, the electric grid, water treatment plants, manufacturing, and more. Yet even with this awareness, she noted, Colonial Pipeline was blindsided by a ransomware attack last year.
Digital transformation has made problems in this area even more troublesome. In the past, operational technology (OT) and industrial control systems were typically not connected to other enterprise systems, and certainly not to the internet or the cloud. That isolation provided two benefits: it was harder to compromise a device (such as a sensor) that was part of an OT system, and if a device was compromised, the damage was confined to the OT environment. (Isolation was never absolute; Stuxnet itself crossed an air gap on removable media.)
Now that these systems are connected to IT systems and to the cloud, they are far more exposed to attack. That point was made clear earlier this year when security researchers disclosed 56 vulnerabilities in OT products. As we reported then, “The bugs included high-severity vulnerabilities in 10 vendors' products, spanning programmable logic controllers, SCADA HMI systems, and software development kits. Many of the systems are widely used in oil and gas, chemical, nuclear, power generation, and distribution, manufacturing, water treatment and distribution, mining, and building automation.”
Complexity is the enemy
Networking infrastructures typically comprise on-premises and multiple cloud elements. That alone makes management and security challenging. Worse, applications are now often composites of smaller components (including third-party elements) that run on a variety of platforms over which IT has no control.
As a result, IT managers and security teams use many disparate tools to monitor conditions. Unfortunately, many of those tools are siloed and generate vast volumes of logs, traces, and alerts. IT and security teams have to correlate and unify data across multiple products from different vendors, many of which use proprietary formats. So instead of focusing primarily on detecting and responding to events, teams spend their time normalizing that data before they can even begin to understand and respond to incidents.
The industry is under pressure to remedy the situation, and a major effort to address it was announced at the conference: 18 systems and security vendors announced the Open Cybersecurity Schema Framework (OCSF).
The effort, led by Amazon Web Services and Splunk, includes Broadcom, Salesforce, Rapid7, Tanium, Cloudflare, Palo Alto Networks, DTEX, CrowdStrike, IBM Security, JupiterOne, Zscaler, Sumo Logic, IronNet, Securonix, and Trend Micro.
The project aims to provide an extensible, vendor-neutral framework for an interoperable core security schema. It includes an open specification for normalizing security telemetry across a wide range of security products and services, as well as open-source tools that support and accelerate adoption of the OCSF schema.
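To make the normalization problem concrete, here is an added example (not code from the article, the OCSF project, or any of the vendors named above). Two hypothetical tools, "VendorA" and "VendorB", emit logon telemetry in their own formats: one as syslog-style sshd lines, the other as JSON records. Each gets its own parser, both emit the same OCSF-style Authentication event, and a single detection then runs over the unified stream. The log lines are constructed for this example; the OCSF field names and numeric identifiers (class_uid 3002 for Authentication, category_uid 3, status_id 1/2) are written from memory and should be checked against the published schema before reuse.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample telemetry from two hypothetical tools, each in its own format.
# Vendor A: syslog-style sshd lines. Vendor B: one JSON logon record per line.
VENDOR_A_LOG = """\
2022-08-12T14:03:11Z host1 sshd[4011]: Failed password for alice from 203.0.113.7 port 51022 ssh2
2022-08-12T14:03:15Z host1 sshd[4011]: Failed password for alice from 203.0.113.7 port 51030 ssh2
2022-08-12T14:03:40Z host1 sshd[4020]: Accepted password for bob from 198.51.100.9 port 40010 ssh2
"""

VENDOR_B_LOG = """\
{"ts": 1660313000, "evt": "LOGON_FAIL", "user": "alice", "src": "203.0.113.7", "box": "dc01"}
{"ts": 1660313005, "evt": "LOGON_FAIL", "user": "alice", "src": "203.0.113.7", "box": "dc01"}
{"ts": 1660313100, "evt": "LOGON_OK", "user": "carol", "src": "10.0.0.5", "box": "dc01"}
"""

# OCSF identifiers as recalled from the published schema (assumption: verify against schema.ocsf.io).
CLASS_AUTHENTICATION = 3002   # class_uid of the Authentication event class
CATEGORY_IAM = 3              # category_uid of Identity & Access Management
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def normalize_event(vendor, product, time_ms, host, user, src_ip, success, raw):
    """Build one OCSF-style Authentication event. Field names follow OCSF as assumed above;
    the raw line is kept in metadata so analysts can always get back to the source record."""
    return {
        "class_uid": CLASS_AUTHENTICATION,
        "category_uid": CATEGORY_IAM,
        "activity_id": ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "time": time_ms,
        "metadata": {"product": {"vendor_name": vendor, "name": product}, "original_event": raw},
        "device": {"hostname": host},
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": src_ip},
    }


def parse_vendor_a(text):
    """Vendor-specific parser for the syslog-style format; unknown lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(normalize_event("VendorA", "sshd-forwarder", int(ts.timestamp() * 1000),
                                      m["host"], m["user"], m["ip"],
                                      m["result"] == "Accepted", line))
    return events


def parse_vendor_b(text):
    """Vendor-specific parser for the JSON-per-line format; epoch seconds become epoch milliseconds."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(normalize_event("VendorB", "logon-agent", rec["ts"] * 1000,
                                      rec["box"], rec["user"], rec["src"],
                                      rec["evt"] == "LOGON_OK", line))
    return events


def failed_logons_by_user(events):
    """Count failed logons per user over the unified stream, regardless of which tool produced each event."""
    return Counter(e["actor"]["user"]["name"] for e in events
                   if e["class_uid"] == CLASS_AUTHENTICATION and e["status_id"] == STATUS_FAILURE)


def brute_force_suspects(events, threshold=4):
    """Users whose failed-logon count across all sources reaches the threshold."""
    return sorted(u for u, n in failed_logons_by_user(events).items() if n >= threshold)


if __name__ == "__main__":
    unified = parse_vendor_a(VENDOR_A_LOG) + parse_vendor_b(VENDOR_B_LOG)
    print(json.dumps(unified[0], indent=2))
    print("suspects:", brute_force_suspects(unified))
```

The point of the example is the last two functions: once both feeds share one schema, the detection is written once and never has to know which vendor produced a record. In the constructed data, alice has only two failures in each source, below the threshold of four, so neither tool would flag her on its own; the unified stream does. Any vendor-specific quirk (timestamp format, success/failure vocabulary, field names) stays inside that vendor's parser.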