Interviews | February 12, 2015

Black Hat Sustaining Partner Interviews

Bill Taylor

Bill Taylor, VP and GM of LogRhythm APJ, talks about what he perceives as the most significant data security threats that companies could face in the coming 12 months, what LogRhythm is doing to help companies address compromised credentials and fraud detection, and why being a Platinum Sponsor of Black Hat Asia is important to his marketing strategy.


Q: Bill, what do you feel are the most significant data security threats that companies and individuals could face in the coming 12 months?

Bill Taylor: LogRhythm believes we will see more vulnerabilities like Heartbleed and Shellshock aimed at protocols meant to improve security.

It isn't just hacking systems anymore, but hacking the server infrastructure itself. Heartbleed and Shellshock were just the start and it is likely that more will happen. This is more about detecting vulnerabilities in established protocols than attacks; the attacks that exploit them will follow.

Q: Tell us about compromised credentials and fraud detection. What is LogRhythm doing to help companies address those issues?

Taylor: Detecting compromised accounts, insider threats, and fraud requires user behavioral analytics. LogRhythm Security Intelligence Platform's ability to not only collect from a variety of data sources -- including user domain activity, network activity, and application usage -- but also to perform a broad set of analytical techniques on incoming data allows for the ability to model user activity across a number of different behaviors, such as from where a user accesses the network, what systems do they access, what files do they interact with, and what network application traffic do they generate.

LogRhythm Security Intelligence Platform collaborates multiple anomalies stemming from the same user to reduce false positives and surface activities that truly represent behaviors of a compromised account or fraud activities.

Q: The latest release of your security intelligence platform includes new case management, search, and analysis features to expedite the detection and qualification of high-impact threats. What can your customers expect from those features and how do they work?

Taylor: LogRhythm's 6.3 release includes capabilities that provide end-to-end Threat Lifecycle Management for creating more efficiencies in an organization's ability to detect and respond to threats. An analyst's ability to perform more targeted searches leveraging LogRhythm's data conditioned for analysis saves both time and effort for both creating a search and in analysis by delivering the targeted set of intended data without additional post analysis filtering. Search pivoting allows quick jump-points that allow analysts to fluidly continue investigations.

Case Management provides the perfect repository for all data related to an investigation, facilitating team collaboration and escalation to more efficiently allow for incident recognition and scope identification, reducing the overall time to detect, qualify, and mitigate threats discovered in the environment.

Q: I read a report that says that of the 27 largest U.S. companies that reported cyber attacks to the SEC, all of them stated they suffered no major financial losses from the intrusions. Does that surprise you? What is your take on that?

Taylor: Unfortunately, this does not surprise us here at LogRhythm. For a few years, LogRhythm has believed that it is no longer a question of "if," but "when" an organization will be breached. The over-reliance on preventative technologies has opened many organizations -- even those with sophisticated layered security strategies and skilled personnel -- to attacks that, without being detected, are free to laterally move throughout the organization.

Unfortunately for these organizations, the fingerprints and evidence of compromise were available, but often buried in an unmanageable number of security events and alarms. Organizations need to rebalance their security strategy with a focus on threat detection, requiring a technology that can identify and surface those activities that represent true threat and harm to the organization from the noise.

Q: You are a Platinum Sponsor of Black Hat Asia which takes place March 24-27 in Singapore. Why is that important to you?

Taylor: As one of the most important security conferences in Singapore, being in Black Hat Asia is absolutely critical for LogRhythm.

The core of what we do at LogRhythm is to serve the information security community with the necessary tools to help them reduce their mean time to detect security breaches and data loss incidents, and allow them to respond and remediate threats in a timely fashion. At Black Hat Asia, we will be able to share how our customers around the globe are using our Security Intelligence Platform to isolate the activities which are true threats from the noise – that is finding a needle in a stack of needles.

Jason Wright

Jason Wright, senior manager, global field product management, Cisco Security, discusses the advantages of the continuous approach to monitoring vs. the point-in-time approach, and why being a Diamond Sponsor of Black Hat Asia is such an important part of Cisco's marketing strategy.


Q: Jason, a whitepaper from Cisco's Sourcefire group focuses on advanced malware protection and the advantages of the "continuous approach" to monitoring versus the point-in-time model. In a nutshell, give me some bullet points on why you recommend that "continuous approach."

Jason Wright: In a nutshell, it's as simple as this -- a point-in-time technology has only one chance to make a correct decision as the traffic flows through the device. According to studies by Cisco, 75% of all attacks take only minutes to begin data exfiltration but take much longer to detect. More than 50% of all attacks manage to persist without detection for months or even years before they are discovered and, once discovered, several weeks before full containment and remediation are achieved.

Traditional point-in-time technologies only scan once and they infiltrate the extended network where they are difficult to locate, let alone eradicate. What's needed is pervasive protection across the full attack continuum -- before, during, and after an attack.

To elaborate further, continuous analysis gives Cisco technologies the ability to change their mind. This is the way that the human mind works in everyday situations. Why do people change their minds about anything? The answer is because new information presents itself that causes us to reevaluate a previous decision. People do this every day and Cisco is endeavoring to mimic that human intelligence in technologies. So the first time we see a new file, we may know very little about its behavior even after a thorough analysis of file metadata. Regardless of whether we think a file is good or bad, we will continue to track and analyze that file's behaviors, processes, connections, activities, movements, relationships to other files, and so on. If we later decide to change our mind -- that a file is actually bad, for example -- we can go back and quarantine that file, change a security policy, limit the access rights of an infected system, or notify administrators of a problem. With an infrastructure that can continuously gather and analyze data to create security intelligence, security professionals can -- through automation -- identify IoCs, detect malware that is sophisticated enough to alter its behavior to avoid detection, and evaluate full packet capture in order to successfully remediate. A threat-centric model and operational approach to security lets defenders respond at any time, all the time. Continuous monitoring, automated analysis, control automation, and retrospective security exist already. They are integrated. They are pervasive. And they work together, in continuous fashion, to secure networks, endpoints, virtual, data centers, the cloud, and mobile across the full continuum -- before, during, and after the attack.

Q: In a recent Cisco blog, the author says that if he were an IT security manager looking for a security product to defend his organization -- and a security vendor claimed to provide "continuous protection" -- he would ask several "show me" questions of that vendor. What are the most important questions to ask?

Wright: That blog concludes with some of the important questions to ask and links to videos illustrating how Cisco can show customers what we can do:

Like a metropolis, the black market is a collection of skilled and unskilled suppliers, vendors, potential buyers, and intermediaries for goods or services surrounding digitally based crimes. Specifically:

Q: Cisco recently unveiled an analytics strategy to help customers access, analyze, and act on data – from the cloud to the data center and so on. Why should organizations be interested in accessing this new family of pre-packaged analytics software?

Wright: This announcement related to the Cisco strategy on IOE, and specifically our ability to offer analytics at the edge of the network as more sensors are delivered to more devices. Speaking strictly from a security perspective, the analytics strategy mentioned refers to our Cognitive Threat Analytics technology. This is not a software package but technology that is built into our Cloud Web Services (CWS) offering which routes an organization's Web traffic through our cloud-based inspection mechanisms. This is part of the movement beyond traditional signature-based technologies that require foreknowledge of a threat. Because of the high number and sophistication of new threats, one part of our security strategy is to use statistical modeling, machine learning, big data analytics, and behavioral analysis to identify threats we've never seen before. This is also part of the answer to the first question regarding continuous analysis, which we also use in the CWS solution to always be watching, never forget, and turn back time on threats.

In addition, a significant amount of threat data analytics comes from our Cisco Talos Security Intelligence and Research Group. Talos' renowned security experts are a combined team from Sourcefire's Vulnerability Research Team, Cisco's Threat Research and Communications, and Cisco Security Applications group. The team's expertise spans software development, reverse engineering, vulnerability triage, malware investigation, and intelligence gathering. Talos researchers create threat intelligence for Cisco products to protect customers from both known and emerging threats. Talos is backed by sophisticated infrastructure and systems that provide exceptional visibility from the aggregation and analysis of unrivaled telemetry data at Cisco, encompassing:

  • Billions of Web requests and emails
  • Millions of malware samples
  • Open source data sets
  • Millions of network intrusions

The result is a security intelligence cloud producing "big intelligence" and reputation analysis that track threats across networks, endpoints, mobile devices, virtual systems, Web, and email. This provides a holistic understanding of threats, their root causes, and scopes of outbreaks, translating into leading security effectiveness for Cisco security solutions.

Q: Cisco is a Diamond Sponsor of Black Hat Asia from March 24-27. Why is that an important part of your marketing strategy?

Wright: Cisco has taken several actions that illustrate our commitment to becoming the world's foremost security solution provider, including:

  • The acquisition of Sourcefire
  • The acquisition of Cognitive Analytics
  • The acquisition of ThreatGRID
  • Integration of Cognitive Analytics into CWS
  • Integration of Sourcefire Advanced Malware Protection (AMP) technologies into content security products and services within four months of the close of acquisition
  • Integration of Sourcefire IPS and AMP technologies into the ASA Firewall platform, and Content Security solutions within one year of acquisition close
  • The acquisition of Neohapsis, a trusted provider of mobile and cloud security services

Because the Black Hat conference series is such a high-visibility event, we want to be a part of it. Expect to start seeing Cisco a lot more in security events as we prove to the world that we are not only thoroughly committed to the security industry, but thoroughly committed to leading it.

Jonathan Trull

Jonathan Trull, CISO for Qualys, talks about a next-generation service that gives clients the ability to identify threats and unexpected changes in their Internet perimeter before they turn into breaches, and the advantages of being a Diamond Sponsor of Black Hat Asia.


Q: Jonathan, Qualys always seems to be at the forefront of defending against the latest attacks. According to your most recent SSL Pulse scan, about 10% of the servers are vulnerable to the POODLE attack against TLS. Is that what should be one of today's top concerns – and what advice would you give clients?

Jonathan Trull: POODLE is a fairly serious vulnerability. The initial POODLE vulnerability, announced in October 2014, only impacted the SSLv3 protocol. Specifically, the attack targeted a flaw in the CBC encryption scheme. In December 2014, the attack was repurposed to attack certain vendors' TLS implementations. The main target continues to be the Web browser, as the attacker must inject malicious JavaScript to initiate the attack. Qualys can scan for and detect both POODLE vulnerabilities and has created a POODLE filter into our Certificate Dashboard to help organizations look at their exposure in a natural, real-time way. For POODLE impacting SSLv3, the easiest way to deal with the vulnerability is to disable SSLv3, both at the server and client, i.e. your browsers. If your Website is vulnerable to the POODLE attack against TLS, then you will need to apply the appropriate vendor's patch. In many cases, Web application firewalls and network logs can be used as indicators if an attack is underway and should be monitored accordingly.

Q: I've read that in this era of continuous compromise, enterprises need to shift from a mindset of "incident response" to a mindset of "continuous response." What is Qualys' take on that?

Trull: Given the number of high-profile breaches we saw in 2014 -- including Home Depot, Sony, and critical vulnerabilities in open-source software like Heartbleed and Shellshock -- organizations can no longer afford to take an event-driven approach to managing their security (i.e. wait for a major breach to happen). The stakes are way too high when it comes to protecting data and assets that are critical to the business, and we believe that organizations need to shift their mindset to take a continuous, "always-on" approach to security. This means that networks, Web applications, and other assets are continuously being scanned and monitored in order to quickly and more proactively address potential threats before they impact the business.

Q: Qualys Continuous Monitoring is a new, next-generation service of yours that gives clients the ability to identify threats and unexpected changes in their Internet perimeter before they turn into breaches. How does that work?

Trull: Our Qualys Continuous Monitoring (CM) solution brings a new approach to vulnerability management and network security enabling organizations to immediately identify and proactively address potential problems such as unexpected hosts and OSes, open ports, expired SSL certificates, and unwanted software. Additionally, Qualys CM includes automated alerts that let you know when there's been a change in perimeter IP addresses which can be integrated into incident response systems and SIEMs such as Splunk and HP ArcSight. This not only provides organizations with the most comprehensive view of their security perimeters, but also notifies the IT staff responsible for the affected assets so they can take appropriate action. Essentially we are providing our customers with a hackers-eye view of their perimeter from the Internet, making it easier and quicker to detect changes in the perimeter that could be exploited, and direct the information to the hands of first responders so they can immediately address and mitigate risk.

Q: You are a Platinum Sponsor of Black Hat Asia March 24-27 in Singapore. Why is that important to you and to your marketing strategy?

Trull: Black Hat has long attracted the brightest security professionals across the globe. For Qualys, Black Hat Asia is a great opportunity for us to not only connect with our customers in the Asia Pacific region, but also keep our fingers on the pulse of emerging threats that are impacting the region and how those threats are being countered. Black Hat Asia is also an excellent opportunity for our staff to enhance their skills and connect with other professionals. We find that our staff returns with new ideas that help us drive innovation and enhance our own internal security.
