Interviews | March 2, 2018

Black Hat Global Partner Interviews: Darktrace, ISACA, Qualys, and ServiceNow

Sanjay Aurora
APAC Managing Director

Max Heinemeyer
Director of Threat Hunting

Q: Sanjay, how exactly is unsupervised machine learning and AI helping make security systems smarter and more effective?

Today's cyber attackers are faster and more unpredictable than ever. Machine-speed ransomware, insider threat, and novel, silent attacks that lurk in networks pose new challenges for defenders as they try to protect their data, operations and corporate reputation. In addition, digital environments are becoming increasingly complex with distributed infrastructures and non-traditional IT, such as printers and smart coffee machines, exposing organizations to unforeseen risks.

Given this new normal, organizations can no longer handle the threat on their own – AI technology will be essential in fighting back against the new era of threat. Darktrace's technology uses machine learning and AI algorithms that autonomously learn the 'pattern of life' for every user and device to build a sense of what constitutes 'self' for the network and what represents 'other' or anomalous. Modelled on the principles of the human immune system, this technology can not only detect the earliest signs of emerging threats and fend off attacks in real time, but it can also understand if a foreign presence is already in operation on your network.

Traditional security tools are inherently retrospective and can only offer a basic level of protection. Based on rules and signatures of past attacks, legacy systems are designed to define what 'bad' looks like and prevent it from entering the network. However, new, previously unclassified threats are able to bypass these controls and slip into the network unnoticed. The battle at the border is over and organizations need to identify the threats within if they are to get smart about their security. 

Unsupervised machine learning is automating cyber-threat detection and response on an unprecedented scale. Our machine learning algorithms require no human training. They deploy in less than an hour and immediately start learning. The technology grows with the network, constantly updating its understanding of 'self' for the organization and learning the most effective actions to take in response to emerging threats.

Q: Max, what has your experience in pen testing and red teaming taught you about threat hunting? What are some of the emerging best practices and trends around threat hunting?

My background in offensive security has formed the foundation for my threat hunting skills with Darktrace. My experience has taught me that attackers will always find smart new ways to bypass security controls - chasing after yesterday's attacks in an attempt to stop those of tomorrow is futile. This was an important realization, as it made me approach my hunts objectively and dismiss prior assumptions about historical attacks. Instead of hunting for 'known-bad', I shifted my focus to unusual activity in general. Knowing how a hacker thinks is an advantage when investigating potential breaches, i.e. why is this device beaconing to an unusual domain on the Internet? What would an attacker gain from this? Might this be a covert Command and Control channel?

A key success factor for every hunt is the ability to quickly and flexibly pivot around and drill into data. An unusual file download was observed on a laptop - what other rare websites did the user visit around the same time? Gaining situational awareness by pivoting around data is critical in order to judge whether behavior is merely interesting, or actually malicious.

Filtering through line after line of log data is time-consuming and often unreliable in the hunt for genuine threats. Instead, comprehensive, real-time visualizations of the network offer huge benefits for security officers. For example, graphs and color-coding can help a hunter rapidly visualize unusual behavior otherwise hidden among the day-to-day network noise.

The most successful hunts are aided by AI technology which autonomously spots abnormal behavior. With the machines doing the heavy lifting and prioritizing the most suspicious activities, the hunters can spend their time more strategically and efficiently than ever before.
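The pivot described above (an unusual file download is flagged, then the hunter asks what other rare sites the same user visited around the same time) as an added worked example in Python. This is not Darktrace code and is not from the interview; the proxy log format, the "rare" threshold (a domain contacted by at most one user in the whole log) and the 30-minute window are assumptions, and the log lines are constructed.

```python
"""Pivot from one unusual download to the rare domains the same user
visited around the same time (added example, not Darktrace code).
Assumed log layout: timestamp user domain bytes action."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log for the example; no real hosts or users.
PROXY_LOG = """\
2018-03-01T09:02:11 alice  mail.example.com        4120  GET
2018-03-01T09:05:43 bob    mail.example.com        3980  GET
2018-03-01T09:06:02 alice  intranet.example.com    2210  GET
2018-03-01T09:14:55 alice  cdn-upd8.example.net  912000  DOWNLOAD
2018-03-01T09:16:30 alice  stat.example.org         410  GET
2018-03-01T09:18:07 alice  intranet.example.com    1900  GET
2018-03-01T10:40:00 alice  news.example.com        7700  GET
2018-03-01T09:20:10 carol  mail.example.com        4001  GET
2018-03-01T09:21:45 bob    intranet.example.com    2300  GET
2018-03-01T09:31:18 carol  news.example.com        8100  GET
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, domain, size, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "domain": domain, "bytes": int(size), "action": action})
    return events


def domain_popularity(events):
    """Org-wide baseline: how many distinct users contacted each domain."""
    users = defaultdict(set)
    for e in events:
        users[e["domain"]].add(e["user"])
    return {d: len(u) for d, u in users.items()}


def unusual_downloads(events, max_users=1):
    """Downloads from domains that only `max_users` or fewer users ever visit.
    Rarity relative to the organisation, not a blocklist, is the signal."""
    pop = domain_popularity(events)
    return [e for e in events
            if e["action"] == "DOWNLOAD" and pop[e["domain"]] <= max_users]


def pivot_rare_domains(events, anchor, window_minutes=30, max_users=1):
    """Given one anchor event, list the other rare domains the same user
    contacted within +/- window_minutes of it, sorted for stable output."""
    pop = domain_popularity(events)
    lo = anchor["ts"] - timedelta(minutes=window_minutes)
    hi = anchor["ts"] + timedelta(minutes=window_minutes)
    found = set()
    for e in events:
        if e is anchor or e["user"] != anchor["user"]:
            continue
        if not (lo <= e["ts"] <= hi):
            continue
        if pop[e["domain"]] <= max_users:
            found.add(e["domain"])
    return sorted(found)


def hunt(text):
    """Full pass: every unusual download together with its pivot results."""
    events = parse_log(text)
    return [(a["user"], a["domain"], pivot_rare_domains(events, a))
            for a in unusual_downloads(events)]


if __name__ == "__main__":
    for user, domain, related in hunt(PROXY_LOG):
        print(f"{user}: rare download from {domain}; "
              f"other rare domains in window: {related}")
```

On the constructed log the only flagged download is alice's fetch from cdn-upd8.example.net, and the pivot surfaces stat.example.org, which no one else in the organisation visits, while the popular intranet and mail hosts fall away as noise. The same shape works over DNS or firewall logs once the parser is adapted; the point is that rarity is computed against the organisation's own baseline rather than a fixed list of bad indicators.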

Q: Sanjay, you have previously talked about 'trust attacks' as an emergent threat. What exactly are trust attacks? What challenges do such attacks present from a detection and mitigation standpoint?

In today's world, cyber-threats are no longer restricted to stealing monetizable data and defacing websites. Cyber-crime has evolved to now also include savvy attackers subtly changing data to erode our confidence in organizations. Imagine an attacker moving one decimal point across millions of bank statements, or changing patients' blood types in a laboratory results database. Once our trust in the integrity of data is gone, our trust in these institutions is completely undermined.

The alteration of sensitive information, such as financial or government records, may well have harmful reputational consequences, but these turn potentially life threatening when medical records are implicated. Such attacks can also cause host organizations to doubt the veracity of their own data.

Unlike noisy attacks such as ransomware, trust attacks are often silent and can lurk in networks undetected for months, or sometimes years.  For example, polymorphic malware is able to rapidly change its code at the network border, enabling it to penetrate the network under a cloak of invisibility. Once inside, 'low and slow' attacks can make calculated lateral movements under the radar, in pursuit of the 'crown jewels'. Without the ability to detect such threats in their nascent stages, the window for mitigation is extremely small and security teams often do not realize they have been compromised until it is too late.

Q: Max, if there is one thing you would like people at Black Hat Asia 2018 to know about Darktrace, what would it be and why?

The cyber security landscape is intensifying as networks explode in digital complexity and span not just the physical, on-premise network, but also cloud and virtualized environments, non-traditional IT (IoT), and the supply chain. Security teams cannot keep up with a threat landscape that is evolving 24/7, and which includes automated attacks that can cause an organization to virtually grind to a halt within minutes.

The future of cyber defense belongs to autonomous response technology that can fight back against threats before humans have even had a chance to notice. Darktrace is at the forefront of this revolution – its autonomous response technology, Darktrace Antigena, is already used by organizations around the globe to defend their networks against advanced and fast-moving threats.  The technology works by creating 'digital antibodies'; it intelligently takes defensive action when a threatening anomaly arises without disruption to organizations' day-to-day business activity.

Darktrace Antigena's innate understanding of what represents 'self' for the organization enables it to generate very precise and targeted actions in response to emerging threats. For example, it can stop anomalous connections to foreign IPs, prevent devices from communicating with unauthorized users, slow down unusual data transfers, and isolate infected devices and suspicious users. At its core, Antigena's AI technology creates a dynamic boundary for users and devices. When they deviate from normal activity, Antigena is automatically triggered to reinforce the organization's 'pattern of life'.

Matt Loeb

Ken Kujundjic
SVP, Enterprise Business Development and Sales

Q: Matt, how are organizations like ISACA helping alleviate the crisis caused by the severe shortage in cybersecurity skills?

ISACA is narrowing the cybersecurity skills gap with a comprehensive portfolio of knowledge, tools, learning, credentials, networks and conferences designed to help build a cyber-ready workforce in Asia and around the globe. As an objective, vendor-neutral, professional community, we rapidly respond to problems and opportunities at their roots, whether that means changing our CSX certification to require proof of capability and hands-on skills; delivering continually adapted, lab-based training with our CSX Platform offers; or providing tools for management or HR to effectively assess the cyber skills of job candidates, also through the CSX Platform.

Q: Ken, what do you see as some of the hottest cybersecurity skills? What's driving interest in these skills?

A holistic cybersecurity professional who can speak to each of the five domains of cybersecurity (identify, protect, detect, respond, and recover) is the most prized professional in today's cybersecurity environment. Too often individuals specialize before generalizing, which can lead to lopsided skill sets. Professionals who understand the importance of a strong foundation before specialization demonstrate wisdom and create value. We also see the need to continually hone skills, through access to labs that have real world threats-in-action and mitigation. The pace of change, the known skills gap, and career growth opportunities are the accelerators of interest.

Q: Matt, why did ISACA recently revamp the CSX Practitioner Certification (CSXP)? How is it different now?

ISACA revamped the CSX Practitioner Certification because we understand cybersecurity is a constantly evolving field requiring continually expanded and improved skills. In the last two years, we have seen threats and attacks change drastically. The volume and sophistication of ransomware, for instance, has changed how the world—businesses and consumers—responds. Spectre and Meltdown changed how professionals consider hardware implementations. We must continually confront new problems no one could foresee. As a result, it's important that we update the CSX-P certification on a more regular basis than other professional certifications. In doing this, ISACA ensures that cybersecurity professionals are familiar with the most current threats and skilled in applying the most relevant protection mechanisms. This new version of CSX-P addresses the most relevant approaches to today's hostile cyber battlefield.

More than three dozen cybersecurity professionals from around the globe, from different industries, and at differing career stages, created the new test scenarios. These scenarios are devised in a performance-based test, and reflect the current and evolving threat landscape, defense as well as offense postures, and mitigation techniques. To respond to worldwide demand, ISACA designed the new certification exam to be a remotely proctored exam. It can be taken at work or at home, which improves scheduling options, accessibility and availability.

Q: What is ISACA's messaging at Black Hat Asia 2018? Why is it important for ISACA to be at the event?

ISACA partners with individuals and organizations to grow the world's situation-ready information and cybersecurity workforce.  We see what's next, now--to better plan, train and respond. Within ISACA's Cybersecurity Nexus portfolio, the CSX Training Platform manages skills assessments, training, and always-evolving, lab-performance-based development, for teams and individuals. The forthcoming CMMI Cybermaturity Platform will set the standard for organization-wide cyber capability and risk assessment.  It's a first-of-a-kind assessment that provides program, priority and investment roadmaps, to achieve a more secure, cyber-resilient enterprise and cyber-informed stakeholders among senior leaders and board directors.

ISACA is adding to its annual presence at Black Hat in the US through our participation here in Asia because our professional community in the region is growing and demand is increasing for our learning solutions and credentials. We have engaged, growing chapters in Singapore and Malaysia and elsewhere in the region, with a total 217 chapters worldwide. Last year we announced our partnerships with the Cybersecurity Agency of Singapore during Singapore International Cybersecurity Week and with Malaysia Digital Economic Corporation. Through our offices in China, our leaders across the region, and our CMMI Institute subsidiary, we continue to anticipate opportunities across Asia and the Pacific regions.

Doug Browne
Managing Director, APAC

Q: GDPR goes into effect this May. How will it change things for organizations in the APAC area? What is your assessment of their compliance readiness?

General Data Protection Regulation (GDPR) is a groundbreaking initiative undertaken by the EU and underlines the importance of privacy and privacy data of EU residents. Anything that can personally identify someone will be covered by the regulation, and any organisation that touches on the data of EU residents will be required to comply with GDPR. That includes APAC. So GDPR will require more stringent controls around how that data is accessed, stored and secured.

The APAC market is not as mature as the EU in this regard, and whilst GDPR compliance is a challenge, it also poses a huge opportunity to use GDPR as a driver of organizational maturity with regards to handling all personally identifiable data rather than purely for EU based data. Since it is likely that other regions will follow suit with their own versions of GDPR, it will pay to be prepared.

The important thing to note is that GDPR compliance is not just an IT issue. There is a belief that GDPR focuses on data and technology, and thus is an IT issue. The reality is that it demands that all processes be reviewed, not just technology. As data privacy issues move across borders there will be further legal obligations. For example, under GDPR, a business will remain responsible for its customer data even when a third party stores it, so working with your suppliers to evaluate and understand their security procedures is therefore necessary.

Many APAC organizations may not have considered the level of preparation required, nor the resources needed to implement the correct procedures around GDPR. While many have put together their budgets for the next year, how many have considered GDPR? As the sheer scale and impact of GDPR becomes known, companies will need to increase the amount of resources they devote to compliance. It will require buy-in and effort from the entire organisation to ensure a success.

Q: What did Meltdown and Spectre teach us about the state of security today? What should we be taking away from the disclosure of the two vulnerabilities and the response to it by industry and by enterprises?

The Meltdown and Spectre vulnerabilities confirm what we have always accepted as the state of security: that the only constant is change. The severity and complexity of these vulnerabilities certainly places them amongst the most widespread and unique ever. If exploited, these vulnerabilities can give hackers unprecedented access to compromised systems and widespread liberty to steal a broad variety of confidential and sensitive data. Also, dealing with them is a moving target, as new, relevant information emerges that must be factored into ongoing mitigation efforts.

The industry may be dealing with these vulnerabilities for years. Since they're hardware flaws, the patches and updates being released do mitigate the danger, but don't fully erase the attack surface. That could only be done by physically replacing the affected CPUs. Also unique is the massive scope of impacted IT assets. Most Intel CPUs released in the past 20 years are affected. Compounding matters is that real operational risks exist when patching these vulnerabilities in certain systems, including degraded performance and complete malfunction. And of course, the risks are colossal. Both vendors and IT departments must now modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk by staying on top of the latest information, and analyzing the vulnerabilities' impact in their IT environments, in order to stay as safe as possible.

For Intel and the other CPU manufacturers it is clear that these types of exploits are going to need to be part of their design considerations moving forward to negate this happening again. Before releasing emergency patches for use by the wider industry, there needs to be far more stringent testing and not just a knee-jerk rush to release a patch, which has seemed in a number of cases to have further exacerbated the situation. When there is no indication that an exploit is readily available, caution could be exercised both with patching and the need to release a patch.

Q: What topic or topics do you think will dominate the security conversation at Black Hat Asia 2018 and why?

As we see more and more organizations forced to go through digital transformation, one of the biggest challenges has remained how to do so securely. This transformation is an opportunity for organizations to implement security as an integral part of their future business, and not something to be handled as an afterthought.

DevSecOps will be a key focus particularly at Black Hat Asia. One of the underpinning requirements of digital transformation is the ability to have a CI/CD process. How to include security in this is more than just inserting security between the two words "Dev" and "Ops". It is the ability to make security an integral part of the process and enabling it with speed and efficacy. It is about the ability to automate and orchestrate. The reason this is so important is that the speed at which businesses are starting to move requires us to think more flexibly in order to improve time to market, by bringing security into the process earlier and ensuring you are using the right tools to get this done properly.

Cloud, as always, will be one of the dominant topics. In Asia, this is a growing area in almost every business. The infrastructure and security teams in these businesses again have a huge opportunity to secure these environments and do so in such a way that the end user and organisation embrace the implemented controls. Cloud offers some huge advantages that cannot and should not be avoided so I expect that to be a topic in a number of our conversations.

Piero DePaoli
Sr. Director, Security Product Marketing

Q: What are some of the biggest challenges organizations face when it comes to increasing security response times and efficiency?

Responding quickly to security incidents is challenging for nearly every organization.  Most have security runbooks for how to work through specific security issues after sorting through alerts from dozens of different security tools.  But they typically are made up of manual processes including use of spreadsheets for tracking and email for communication between team members.

The first challenge is that security analysts are simply overwhelmed with alerts that are missing context. More senior analysts may recognize a specific server or IP address associated with an alert as being important or not important, but most alerts are simply categorized by time stamp and the potential severity of the problem. What's missing here is for the analyst to easily understand which security incidents are most important to his or her organization. It's missing business context on top of the potential severity of the security alert.

Typically, when critical teams have too much work, organizations solve this by hiring or assigning more staff.  But there is a scarcity of security talent available to hire.  We have negative unemployment in the security industry and teams can't hire enough people and can struggle to retain them.  I can't tell you the number of times I've talked to my peers and heard stories about it taking six months for a junior analyst to become productive only to have that analyst leave for another higher paying role within a year of their start date.

Another challenge is collaboration with IT. Most security and IT teams use different tools to manage their work, yet the work to remediate many security issues is actually performed by the IT team. Inefficient handoffs between the two teams can significantly increase the time it takes to solve a security incident.

Q: How do you see the use of AI and machine learning in security operations evolving over the next few years? Where do you see the most opportunities for applying AI and ML in the security context?

Over the next few years, security teams will be leveraging automation as an important part of their security response process. Machines will help teams accomplish, in seconds, tasks that used to take hours or days to finish. Machine learning and artificial intelligence will become a meaningful way to accomplish important response tasks including quickly identifying anomalies, recognizing potentially malicious behavior and confirming the validity of an alert.

Most importantly, automation, machine learning and artificial intelligence will not devalue a security analyst.  It will actually have the opposite effect.  Security analysts will have more value, as they will be able to make faster decisions after analyzing the output from automated tasks.  It will also significantly reduce the boring, repetitive and even mundane part of their job allowing them to focus on higher value and more strategic work.

Lastly, the organizations leveraging these technologies may achieve a competitive advantage in hiring and retaining security talent as the security work will be more interesting than at firms who are not automating.

Q: Why is it important for ServiceNow to be at Black Hat Asia 2018? What is your main focus going to be at the event?

Black Hat Asia is the premier event for ServiceNow to have an interactive dialog with security professionals in the region.  While ServiceNow is widely known for providing IT Service Management, we expanded our platform capabilities several years ago to extend workflow, automation and orchestration into security runbooks to enable security operations professionals with security incident and vulnerability response.  Our focus at the event is for attendees to experience how ServiceNow can help organizations improve their security response program.  The security orchestration, automation and response market is just beginning. I would like to invite all Black Hat Asia attendees to come and see us at B09 and attend our breakout session on How Threat Intelligence Sharing, Automation & Orchestration wins the war against attackers on March 22 at 14:15 to 14:40 in the Business Hall Theater.
