Application Security Goes Hollywood

Conceal rolls out the red carpet for black-hat drama

David Braue

Melbourne, Australia – Jun. 22, 2022

Assertions that companies must bake security into their application development are hardly a surprise to any company working in the cloud era — but with many still favoring fast delivery over secure delivery and most CISOs worried that vulnerabilities are being missed, how can security providers get their message across?

For security obfuscation company Conceal — until recently known as NetAbstraction — the answer has been to try something completely new: a five-part miniseries, called Ransom, that brings the risks of application vulnerabilities to life through an engaging dramatic approach that is miles away from conventional marketing.

“We’re transforming and disrupting cybersecurity marketing by developing story arcs and weaving cybersecurity product into the story,” Alissa Valentina Knight, a cybersecurity specialist and Conceal board member who is consulting and co-writing the “very technically accurate” new series, recently told Cybercrime Magazine.

Knight, a career hacker and storyteller whose many roles include principal analyst at Alissa Knight & Associates, is working with Conceal to finalize the series — due to debut during the upcoming Blackhat 2022 conference in August — that she calls “Black Mirror meets Mr Robot.”

“People don’t buy what you do,” a “super excited” Knight explained. “They buy why you do it — so we’re making sure we can maintain that technical accuracy in demonstrating these attacks on these businesses, what they’re going through from a blue-team perspective, and also what the antagonists are going through from the adversary’s perspective.”

The commitment to realism — something that has varied widely in Hollywood’s past feints at hacker-themed movies — is a nod to a new generation of cybersecurity buyer that, Knight said, “really don’t want to be advertised and marketed to anymore.”

“We’re dealing with a completely different generation of buyer that wants video,” she explained. “Salespeople don’t need to call around and educate them anymore; they already know what they need and what they want. It’s really just about affecting that buyer at a visceral level, and making the Conceal brand part of their life through the series.”

Spoiler alert: Cybercrime is bad

By using engaging narrative devices to spread the word about the importance of application security, Conceal’s investment in the series is intended to bolster the perception that the newly-renamed company offers proactive security tools that can help CISOs stay ahead of the threats that plague them.

Those threats are keeping many CISOs up at night, according to recent research that found 75 percent of CISOs are worried that too many application vulnerabilities are leaking into production despite their efforts to implement a multi-layered security approach.

Multi-layered security is one thing, but the multi-layered design of today’s cloud-based application environments “definitely poses complications,” said Knight, who notes that the proliferation of development environments often forces application shops to compromise designs or adopt different products just to maintain consistency.

“Runtime application security is wholly dependent on the language that the application is written in,” she explained, “and it definitely complicates things having multi-stack environments because building controls around them at the application layer is going to be wholly dependent on the language.”

Solving this issue is close to the heart of Conceal CEO Gordon Lawson, who believes in the importance of both observability — providing visibility into the application architecture as it spreads across multiple, distributed cloud environments — and being able to obfuscate that visibility, disarming attackers that seek to exploit the complexity of modern application environments for their own purposes.

“We’re now seeing that the crown jewels usually aren’t in one public cloud provider but spread out,” he explained. “Being able to understand how those architectures are set up, and being able to communicate amongst different cloud instances and really secure your critical assets very effectively in those environments, is key.”

That means providing CISOs with access to capabilities, he said, such as “really clear cloud obfuscation to make sure that a threat actor can’t be performing C2 on your cloud infrastructure. … That’s an important piece of hygiene that needs to be talked about to make sure there are strong defenses as more data moves to the cloud.”

Building those defenses requires intelligence-driven automation capabilities “that understand what ‘unknown’ looks like,” Lawson said. “We know known-bad and we know known-good — but the unknowns are where zero-days and the really catastrophic stuff can occur. And we’ve got to change our approach here, because just locking down an entire network … is impossible.”

Controlling the narrative

As well as identifying tools that can most effectively support efforts to provide this level of security, companies need to develop strategies for ongoing security assurance including application penetration testing, which can identify and trace data flows to monitor the interactions between the many components of evolving cloud systems.

“Now that we’re in an API-first world, we’ve moved away from monolithic applications to microservices and you’ve got applications broken up across multiple cloud environments and multiple locations,” said Knight, “so understanding where those applications are and what they’re vulnerable to … is absolutely huge.”

If that sounds like a teaser for the upcoming series, you’re probably right in Conceal’s target market — so keep your eyes out as the first episode in the series, called Eyes Wide Open, premieres at AMC Theatres across the country.

Timed to coincide with Blackhat 2022 in Las Vegas, the debut in that city will be held at AMC Town Square and will, in true Hollywood style, also include the chance to meet the actors, Knight and her production team.

As advisor, director and creator of the series, Knight “hit the nail on the head,” Lawson said, “that our customer base and potential client base want to consume content in a different way.”

“These productions are entertaining and a bit edgy,” he continued. “It’s just different than the traditional bland marketing that you see out there. No one wants to watch a product video — but if you can weave a great product into a really compelling story, I think that’s a game-changer.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

About Conceal

Conceal provides a capability that protects people and critical assets against the most advanced threat actors in the world. We are fundamentally changing the approach to cybersecurity by creating a platform where security practitioners can see the latest threat vectors and implement enterprise-wide solutions that comprehensively protect their organization.

With our Conceal platform, we take those core capabilities and evolve them into a commercially available product that incorporates intelligence-grade, Zero Trust technology to protect global companies — of all sizes — from malware and ransomware.

Conceal is leading the fight to protect enterprises from cyber threats — if there is malware, we detect, defend and isolate it from users and the network.