Interviews | March 5, 2015

Black Hat USA Sponsor Interviews: IBM Security Systems, Proofpoint, Tripwire, and ZeroFOX

Patrick Vandenberg
Chris Poulin

Patrick Vandenberg, program director, and Chris Poulin, research strategist/X-Force, at IBM Security Systems, talk about IBM's Threat Protection System, and whether the ubiquitous connectivity of the Internet of Things means less security.


Q: Patrick, I understand that IBM's Threat Protection System is capable of both detecting and preventing even unknown attacks, including those utilizing advanced malware. How does that function -- and what are its capabilities compared to competing systems?

Patrick Vandenberg: We know in today's advanced threat landscape that it is an incomplete strategy to rely on point solutions or focus on a single point in the attack chain. The continual stream of advanced attacks on enterprises requires a coordinated strategy to disrupt the lifecycle of these attacks. IBM's Threat Protection System is designed to do this across three critical areas: prevention, detection, and response, as follows:

  • Prevent even the most sophisticated attacks. Although many in the industry have redirected focus on detection, many have done so at the expense of prevention. But prevention remains crucial to effective enterprise security. Real-time prevention is essential to stop advanced attacks from penetrating the organization. This is no easy task. But with behavioral-based capabilities that can protect against unknown and zero-day attacks, the IBM Threat Protection System can block the initial phases of an attack at the endpoint and network. An innovative new product called Trusteer Apex disrupts exploits leading to advanced malware on users' computers, while IBM Security Network Protection (XGS) prevents attacks from reaching vulnerable hosts; they also work in tandem to block attackers from establishing external control channels. Complementing endpoint and network prevention is real-time policy enforcement of data access provided by IBM Guardium Data Activity Monitoring.
  • Detect stealthy threats across the entire infrastructure. Even the strongest immune system cannot prevent 100% of invaders from getting inside, making it essential to quickly detect active threats hiding across today's complex IT environments. We solve this problem with data. Working as the central nervous system of our approach, the IBM QRadar Security Intelligence Platform is able to combine massive amounts of data from network traffic, user behavior, security events, and numerous other sources to automatically identify unknown or previously undetected threats. Real-time analytics find stealthy attackers lurking within the enterprise, while pre-attack analytics predict and prioritize security weaknesses before someone else does. This is the meaning of Security Intelligence.
  • Respond continuously to security incidents. Finally, in the event of a successful security breach, it's important to quickly minimize its impact, understand exactly how the intrusion occurred, and learn from findings to prevent another similar incident. This rapid investigative capability is provided by IBM Security QRadar Incident Forensics, an offering that can scale investigative activity to security teams to quickly retrace breaches step-by-step, often in hours instead of days when time is most critical. This new solution, coupled with the expertise of our IBM Emergency Response Services and real-time incident response with automatic quarantine of non-compliant endpoints from IBM Endpoint Manager, helps organizations mount a strong and adaptive response to future occurrences of attack.

As previously mentioned, siloed security activity is an insufficient defense against today's cyber attacks, so the IBM Threat Protection System has prioritized integrations across the prevent, detect, and respond pillars to not only share and correlate information in a security analytics platform for security insights, but also act on these insights with integrations that can update security control policies for immediate protective response, such as the "right-click" integration from IBM Security QRadar to IBM Network Protection XGS. This integrated system of prevention, detection, and response provides a unique ecosystem across hundreds of vendor offerings for a greater disruption of cyber attack activity.

Q: Chris, in your most recent X-Force Threat Intelligence Quarterly, it talks about the Internet of Things and whether ubiquitous connectivity means less security. Can you give me some insight into that?

Chris Poulin: The IoT encompasses a broad range of devices, including smart home electronics and appliances, consumer wearables, connected vehicles, implantable medical devices (e.g., pacemakers and insulin pumps), manufacturing and energy and utility systems (e.g., assembly robots, pumps and gates), and a myriad of others. One problem is that not all devices operate the same and, while some may run on general operating systems -- such as Google Android, Apple iOS, Windows Embedded, Blackberry NGX, and various Linux-based distributions, such as Tizen and Ubuntu -- others run on real-time OSes. Some are controlled and monitored through Web portals and mobile apps, while others may not have a human interface at all. The problem is that the security community at large is treating the IoT as a monolithic entity with one silver bullet. The reality, though, is there is no reductionist, unified theory of security for the IoT. Rather, we need to divide devices into functional categories with a set of appropriate security controls. Those include:

  • Trusted firmware and rapid updates. Many IoT devices are cobbled from various parts, with the hardware, firmware, and software assembled who knows where and touched by who knows whom along the way. And when a vulnerability is discovered, it needs to be patched as soon as possible. This poses a few challenges because IoT devices aren't guaranteed to be connected to the Internet at any given time, and many tether over mobile channels as they travel with the consumer. IoT devices may be in the middle of performing a critical task and firmware updates may interrupt -- or worse, corrupt -- the operation of the device. Over the air and over the wire updates over untrusted networks create the risk of an attacker tainting the firmware or app. An integrity checking mechanism is imperative, and possibly a mechanism to revert back to a known good firmware version without interrupting the device's operation (e.g., a vehicle in transit).
  • Encryption for data and commands. Both at rest and in motion, data may contain private consumer data or metadata. IoT devices must preserve the privacy of consumer data, such as name and geolocation. IoT devices may even provide transitive access to consumer mobile devices and infrastructure -- e.g., an attacker breaks into a connected vehicle to which the driver has paired their mobile phone, or an attacker breaks into a connected toothbrush and uses that point of presence to attack the rest of their home network. Attackers can also inject commands onto the local network to induce a device to perform in a way it wasn't intended. Encryption and message integrity help solve these problems.
  • Device identification and authorization. Another method to stop bogus control commands, or even the connection of rogue hardware, is the ability to uniquely identify a device beyond simple IPv6 addresses. There must be a method for the device to register and identify itself without user intervention. For example, the electronic control units in a connected car must be authorized to coexist and send control commands on the controller area network bus.
  • User authentication where appropriate. On the user side, such as a mobile phone or Web portal, the authorized operator of the IoT device must be positively identified and authenticated. This is a standard security requirement, but worth mentioning if for no other reason than to draw the distinction between user interactive devices and those that intercommunicate without user intervention.
  • Policy enforcement. What is appropriate between IoT devices? Should the window control module be able to turn off the engine? The wheel speed may control the volume of the sound system, proof that inter-network communication is useful, but setting policies on what should be able to send which control messages to other devices is important, although complex in a broad IoT ecosystem. Policy enforcement is tied to device identification and, optionally, user authentication.
  • Behavior monitoring and intervention. Because of the complexity involved in designing interoperation policies, and given that some policies may be dependent on external, analog factors, such as human behavior, it makes sense to have monitoring devices profile behavior and identify anomalies against the baseline. For example, general policies can be set in a connected car (window control module should not be able to send control messages to the engine). However, different drivers will exhibit varying driving patterns. Some may drive with one foot on the gas and the other on the brake while others may be hyper-aware of traffic movement ahead and use the brake sparingly, preferring instead to let up on the gas in advance of slowdown or gear down in a manual transmission.

On the maker side, many come from the hardware world, where software is foreign. When seasoned software developers write code for IoT devices, they often are not experts on handling conditions where entropy in the real world intervenes. The consequences of vulnerabilities in traditional software are generally loss of money and time, exemplified by the huge number of retailer compromises in 2014; whereas, the consequences with IoT devices are often consumer safety. IoT products are being rushed to market by makers who may not be experts in both consumer safety and software security.
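As an added illustration of the first control above (an integrity check on incoming firmware plus a fallback to a known-good image), not code from the interview or from IBM: a Python sketch of an A/B-slot updater that keeps the running slot untouched, verifies what arrives over the untrusted network, and reverts if the new image fails its post-boot check. The vendor key, manifest format, slot names and health check are constructed assumptions, and HMAC-SHA256 stands in for a vendor signature only because the standard library has no asymmetric primitives.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a key provisioned at manufacture. A real device would
# hold the vendor's public key and verify a signature; HMAC is used here only
# because the standard library has no asymmetric primitives.
VENDOR_KEY = b"constructed-example-key-do-not-reuse"


def build_release(version: int, image: bytes) -> Tuple[bytes, bytes, bytes]:
    """Vendor side (constructed): image, canonical JSON manifest, manifest tag."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return image, body, hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()


@dataclass
class Slot:
    version: int
    image: bytes
    confirmed: bool  # booted and passed its health check at least once


class Device:
    """A/B-slot updater: the running slot is never overwritten, so a tampered,
    corrupt or misbehaving update falls back to the last confirmed image."""

    def __init__(self, factory_image: bytes) -> None:
        self.slots: Dict[str, Optional[Slot]] = {"A": Slot(1, factory_image, True), "B": None}
        self.active = "A"
        self.pending: Optional[str] = None
        self.log: List[str] = []

    def _inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def verify(self, image: bytes, body: bytes, tag: bytes) -> Optional[dict]:
        # 1. Authenticity: the manifest must carry a valid vendor tag.
        expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.log.append("reject: bad manifest tag")
            return None
        manifest = json.loads(body)
        # 2. Integrity: the image that crossed the network must match the signed digest.
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            self.log.append("reject: image digest mismatch")
            return None
        # 3. Anti-rollback: refuse anything not newer than the running image,
        #    otherwise a known-vulnerable release could be pushed back on.
        if manifest["version"] <= self.slots[self.active].version:
            self.log.append("reject: downgrade to v%d" % manifest["version"])
            return None
        return manifest

    def stage(self, image: bytes, body: bytes, tag: bytes) -> bool:
        """Write a verified image to the inactive slot while the device keeps running."""
        manifest = self.verify(image, body, tag)
        if manifest is None:
            return False
        self.pending = self._inactive()
        self.slots[self.pending] = Slot(manifest["version"], image, False)
        self.log.append("staged v%d in slot %s" % (manifest["version"], self.pending))
        return True

    def reboot(self, busy: bool, health_check: Callable[[bytes], bool]) -> int:
        """Switch to the staged slot only when idle; return the running version."""
        if self.pending is None or busy:
            return self.slots[self.active].version  # mid-task: defer the swap
        candidate = self.slots[self.pending]
        if health_check(candidate.image):
            candidate.confirmed = True
            self.active, self.pending = self.pending, None
            self.log.append("confirmed v%d" % candidate.version)
        else:
            # The old slot was never touched, so reverting is just discarding.
            self.slots[self.pending] = None
            self.pending = None
            self.log.append("rolled back to v%d" % self.slots[self.active].version)
        return self.slots[self.active].version


def run_scenario() -> dict:
    """Constructed scenario: tampered image, downgrade attempt, an update that
    fails its health check, then the same update accepted on a clean boot."""
    dev = Device(b"firmware-v1")
    img, body, tag = build_release(2, b"firmware-v2")
    out = {"tampered": dev.stage(img + b"\x00", body, tag)}  # altered in transit
    out["downgrade"] = dev.stage(*build_release(1, b"firmware-v1-rebuilt"))
    out["staged"] = dev.stage(img, body, tag)
    out["busy"] = dev.reboot(True, lambda _: True)
    out["failed_boot"] = dev.reboot(False, lambda _: False)
    out["restaged"] = dev.stage(img, body, tag)
    out["good_boot"] = dev.reboot(False, lambda _: True)
    out["log"] = dev.log
    return out
```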

Q: Chris, that same publication focuses on who the top offender for malware hosting is. For those who haven't read that article yet, how about giving us some bullet points on that. Who is the top offender?

Poulin: IBM X-Force researchers continuously track sites that contain malware and store the information in our IP reputation database. We analyze this data to establish a baseline of the sources of massively distributed malware: countries where malicious links are most often hosted, based on our research, as well as the geographic distribution of botnet command-and-control (C&C) servers. When it comes to the top countries hosting malware, the United States has historically topped the list by a large margin, followed by Germany and China, vying to place each year. For countries hosting botnet C&C servers, we find a similar pattern, with the United States in the lead, with the Russian Federation, Republic of Korea, China, Germany, and the United Kingdom with strong showings.

However, that's on a straight numbers basis. It's not surprising that the countries with the greater numbers of technology users and service providers figure higher in the rankings. Consequently, we decided to normalize the figures based on the ratio of IP addresses as a percentage of total IP-addressable systems in the corresponding country. The result is that the U.S. moves out of the top 20 countries for hosting malware -- down to number 25. Hong Kong, Lithuania, and Bulgaria now appear in the top three positions. When normalizing the data for C&C server contaminations, the U.S. moves out of the top 20 countries for C&C servers -- down to number 28. This time, the Russian Federation only moves from second to third. Lithuania comes in first by a large margin, and Belarus, Slovakia, Ukraine, Turkey, Thailand, Hong Kong, Hungary, the Czech Republic, and Poland all appear above the average, which is just slightly less than two contaminated systems per one million.

In short, Lithuania leads the pack in C&C server contamination and comes in second for malware contamination, while Hong Kong comes in first for malware contamination.

Kevin Epstein

Kevin Epstein, VP, advanced security & governance, Proofpoint, discusses the acquisition of NetCitadel, and Proofpoint's recent social media analysis which revealed how often Facebook and Twitter accounts claiming to represent Fortune 100 brands are unauthorized.


Q: Kevin, you've done quite a few acquisitions lately, the most recent being NetCitadel in the summer. What did they bring to the table and what are you now offering your customers as a result?

Kevin Epstein: The acquisition extends the reach and capabilities of Proofpoint's existing advanced threat solutions, adding additional threat verification and containment capabilities via an open platform that unifies products from Proofpoint and other vendors. The unification of disparate threat intelligence data combined with automated incident response enables security professionals to respond to threats faster, in a more scalable way, and with higher confidence and accuracy. This allows an enterprise to prioritize their efforts more effectively to prevent data breaches and data loss across their entire organization.

The facts are that loss of customer records and other sensitive information can begin within minutes of a system compromise, yet it typically takes organizations hours or days to respond to and contain an attack. By leveraging NetCitadel's cutting-edge technology, organizations can close this critical gap and dramatically reduce the risk of significant data loss. This technology is a natural complement to our cloud-based offerings and allows us to deliver a comprehensive advanced threat solution to all organizations, regardless of their existing IT security infrastructure.

The NetCitadel automated incident response platform confirms and prioritizes potential security incidents by unifying, correlating, and synthesizing security alerts from Proofpoint and other leading security vendors, such as HP ArcSight, Palo Alto Networks, and FireEye. Based on this confirmation and prioritization, impacted systems can be automatically quarantined and further communications to malicious sites can be blocked -- all within seconds or minutes of an initial alert.

The result is that not only do Proofpoint solutions help block known threats and detect previously unknown threats, Proofpoint solutions can also confirm and contain successful attacks in a fraction of the time and at a fraction of the cost of traditional incident response approaches.

Q: LinkedIn just selected your Nexgate Div. for its Certified Compliance Partner Program. What services does that division provide and what impact do you expect that will have on LinkedIn?

Epstein: Proofpoint's Nexgate division provides social media security and compliance products. The result of the partnership is that organizations of all sizes can now monitor branded LinkedIn accounts in real-time, stop hackers from defacing branded pages, remove malicious and inappropriate content, and prevent unauthorized publishing -- all transparently to end users. This protects all LinkedIn brand pages, employee profiles, groups, and activity in any configuration from any device or location, and proactively addresses compliance requirements.

By having Proofpoint's security and compliance solutions transparently protecting LinkedIn profiles, pages, and groups, brands can directly use LinkedIn without interruption from third-party marketing and sales tools. In conjunction with Proofpoint's archiving solutions, LinkedIn customers who use Proofpoint are now protected by the broadest set of security and compliance functionality on the market.

Q: Your recent Fortune 100 social media analysis revealed severe threats to corporations and consumers, saying that social media accounts are compromised every business day. What were some of the key findings from that analysis?

Epstein: Increasingly, the Fortune 100 are losing money, having their audiences attacked, and experiencing brand damage on their own social media presences. Company-affiliated social pages, profiles, and accounts are the next big attack surfaces for fraud, phishing, hacking, and data theft. Threats to corporate social media accounts and programs have not received the appropriate level of attention, and our recent study highlights this. Among other startling statistics, the research revealed that on average:

  • Two out of five (40%) Facebook accounts claiming to represent a Fortune 100 brand are unauthorized.
  • One out of five (20%) Twitter accounts claiming to represent a Fortune 100 brand are similarly unauthorized.
  • In aggregate, Fortune 100 brands are experiencing at least one compromise per business day on their social media channels.

Q: You are a Platinum Sponsor of Black Hat USA 2015. Why is that so important to your marketing efforts?

Epstein: Proofpoint has a long history with Black Hat and Black Hat attendees. We've had speakers featured, been exhibitors, and been sponsors -- all because our customers have told us they want to see us there. Black Hat attendees appreciate the technology and depth of advanced threat research that Proofpoint brings -- and we appreciate the opportunity to connect, on real issues, without the hype.

Dwayne Melancon

Dwayne Melancon, chief technology officer, Tripwire, details what Belden's purchase of Tripwire will mean to Tripwire customers, and why consumers lack confidence in third-party mobile payment providers such as Apple Pay and Google Wallet.


Q: Dwayne, in December, Belden Inc. announced it would be buying Tripwire for $710 million, a deal that's expected to close in the first quarter of 2015. How will that benefit current Tripwire clients? What new services will the purchase enable you to offer?

Dwayne Melancon: Current Tripwire clients will benefit from Tripwire being part of a multi-billion dollar, publicly traded company with a demonstrated commitment to investing in technology that benefits its customers. This acquisition substantially expands Belden's portfolio of cybersecurity solutions which not only help customers secure their infrastructure but position Belden as a leader in helping customers deploy and secure the Internet of Things.

Initially Tripwire will continue its focus on enterprise security and compliance software, and continue to run as a stand-alone entity. Tripwire and Belden are already working with critical infrastructure providers and manufacturing companies through a joint Cybersecurity Initiative, and the services offered through this initiative will continue to expand over time.

Perhaps the most interesting aspect of this partnership is the ability to expand Tripwire's adaptive threat protection to enterprises and industrial customers by leveraging the skills and relationships of both companies.

Q: You recently released the results of a consumer survey that said that only 1% of respondents believe using a third-party mobile payment provider -- such as Apple Pay or Google Wallet -- is a safe way to pay for in-store purchases. What needs to be done in order for consumers to be confident in that manner of payment? What suggestions is Tripwire offering?

Melancon: Education is a key missing link when it comes to the leading mobile payment services. Both services include a number of valuable features designed to protect payment card information as well as dramatically reduce the impact if a specific payment terminal or transaction is compromised. For example, these services create a unique payment ID that doesn't disclose the consumer's identity or card number, and provide mechanisms to establish single-use "tokens" that become invalid after one transaction. This has huge potential in reducing the appeal data breaches will have to a cybercriminal. In other words, these mobile payment services are a big improvement over traditional payment card approaches used in the U.S., but consumers have no idea that this is the case. Therefore, consumer education is probably the most effective action at this point.

Tripwire's focus is on the payment processors, card companies, and enterprises that use the payment systems for transactions. In all of these cases, it is critical that companies securely configure their systems and have the ability to detect when they've been compromised. Tripwire recommends several fundamental elements to achieve this:

  • Establish an accurate, continuous inventory of all of the devices and software on your network whether they are authorized or unauthorized.
  • Implement secure configurations for all the software and hardware you've found. Ideally, this should be anchored to a well-known set of security guidelines, such as the security hardening guidelines provided by the Center for Internet Security (CIS) or the Defense Information Systems Agency (DISA).
  • Assess your systems and software for vulnerabilities using automated vulnerability management software, and keep patches up to date.
  • Integrate all of the three activities above into an automated, continuous process so you can quickly identify any tampering or compromises in your environment.

Q: Tripwire is now offering what it calls "adaptive threat protection," an automated service that you say reduces the time required to detect, prioritize, and remediate cyber threats. What does your service offer that other automated services do not?

Melancon: Tripwire is unique in two key aspects. First, Tripwire provides Advanced Cybercrime Controls that are aware of the symptoms and indicators traditionally associated with cyberattacks. This awareness watches for such things as indications that attackers are dropping malicious payloads on systems, that criminals are covering their tracks or destroying forensic evidence, or that they are installing backdoors to enable access to critical systems at a later time.

Second, Tripwire provides real-time visibility into what is happening on endpoints (servers, workstations, etc.) and can immediately identify new executable files that appear on a system regardless of how they got there. Through integrations with threat intelligence providers and threat sandbox companies, Tripwire immediately analyzes unknown executables to determine whether they exhibit behavior associated with malware. If the executables act in a malicious manner, they can immediately be stopped and prevent cybercrime from occurring.

Q: As a Platinum Sponsor of Black Hat USA 2015, how will you be participating in the conference?

Melancon: As a Platinum Sponsor, we will demonstrate how Tripwire is a leading provider of advanced threat protection via security matter experts who will be present in our booth, our own experts who will demo our solutions, and an engaging staff who will invite attendees into the booth for a fun activity.

James Foster

James C. Foster, CEO and co-founder, ZeroFOX, talks about ways that social media can be leveraged to target and compromise organizations, and about the company that launched a social engineering campaign against its own security staff.


Q: James, I know that ZeroFOX monitors clients' social media assets for suspicious behavior and malicious activity. Give me some insight as to ways social media can be leveraged to target and compromise organizations.

James C. Foster: Attackers exploit the virality and trusted nature of social networks to launch low-cost, highly effective attacks, ranging from the technical to the behavioral, from phishing and malware to malicious impersonations. The major types of attacks to watch out for throughout 2015 will be:

  • Executive impersonations. Creating a fake account takes no more than 15 minutes and an Internet connection. A well-made fake account can run amok on the social world, sending phishing links and malware to associates, slandering the company, launching social engineering attacks, and scamming customers or employees.
  • Watering hole phishing and malware. Social media has become the source for breaking news and trends, and attackers have quickly learned that virality on this scale is the most effective way to amplify the scope of an attack. By planting malicious links where users are interacting, discussing, and sharing, attacks gain steam organically and touch a wide array of potential victims.
  • Account takeover. An organization's publicly facing accounts are the ultimate targets for attacks. Once in control of an account, an attacker can do serious damage, be it slander, malware, or phishing dissemination, cybervandalism – like what happened to CENTCOM already this year – or even stock manipulation. Organizations must protect their social accounts like any other high-value asset.
  • Customer scams. Social media is an ideal venue for organizations to interact with customers, clients, and prospects. Unfortunately, it's an ideal venue for attackers to do the same. Malicious actors target an organization's users by posing as customer support or offering fake discount codes.
  • Corporate impersonations. The adversary may have a variety of things up their sleeve when they create a corporate impersonation. They could be scamming customers, connecting with and phishing employees, slandering the brand, or building followers to "flip" the account.
  • Information leakage. "Social media" is a difficult term to fully define. Most people's immediate reaction is the big players – Twitter, Facebook, Pinterest, LinkedIn, and YouTube. But the Internet itself has gone social. Ben Solis' excellent infographic – the Conversation Prism – is a good glimpse into just how much falls under social media. But it goes beyond even that – hackers are buying and selling personal information on their own deep Web discussion boards and marketplaces.
  • Planning of an attack. Employees, customers, and marketers aren't the only ones using social media. Cyber criminals are conducting business on social media too, planning attacks – be it DDoS, physical protests, cyber defacement, or hacktivism – coordinating their members and even sharing the occasional cat video.

With one-third of all Internet users leveraging social media, this is a threat vector that security teams cannot overlook.

Q: You have said that the three pillars of social risk management are reconnaissance, asset protection, and attack monitoring. Explain that to me.

Foster: Organizations can comprehensively address the risks posed by social by taking a firm stance in three overarching areas.

  • Reconnaissance. Adversaries lurk in the shadows of social media, buying and selling stolen corporate information, planning coordinated cyber offensives, and even recruiting new compatriots for their illicit actions. The power of social media has changed the way the ordinary human communicates – it has done the same for the cyber criminals. Organizations must be proactive in their approach by fighting fire with fire and leveraging social media as an early warning system. Security teams can be on the lookout for sensitive data being bought and sold, or an attack in the planning stages. This proactive approach will give security teams the edge on the adversaries' activities.
  • Asset protection. Your social accounts are high-value assets, making them prime targets for the adversary. Whether the goal is political, ideological, or criminal, attacking your official social account with spam or offensive content gives the adversary direct access to your customers, employees, and partners. The ultimate prize? Compromising the account itself. As the mouthpiece of the organization, a compromised account is a costly and embarrassing breach for any organization, and security teams need to be especially careful to lock down their accounts and monitor for abnormal behavior.
  • Attack monitoring. The reach and trust inherent on social media has created a paradigm shift in security tactics. The adversaries' focus has changed from targeting systems to bypassing existing security technologies and attacking the person (employee, customer, or partner) directly. Social media has become the adversaries' playground with attacks ranging from impersonations and fraud to watering hole malware and phishing campaigns. Organizations must be monitoring their social footprint for suspicious activity and incoming attacks.

Q: Last year, ZeroFOX talked about a company launching a social engineering campaign against its own security staff. Talk to me about the results … about impersonators being leveraged to target employees. What did you learn from the results of that campaign?

Foster: The results reaffirmed what we already knew about social engineering campaigns -- they are shockingly easy to carry out and highly effective. Even more frightening, just about anyone with an Internet connection and 15 minutes of free time can do it. There is no hacking required – just the time taken to make the account look genuine and to connect with influencers in the target's network. Once this is in place, the opportunities are nearly endless for the attack – they can request data directly, harvest credentials, distribute malicious links, or use the target to dig deeper into the organization's system.

The story also indicates that just about anyone can be a target. Even the most adept security professionals who know the ins and outs of the industry can fall victim to a convincing profile on social media. If security teams themselves fall victim, how can we expect the average employee to protect themselves? Social engineering campaigns are difficult to spot for a host of reasons, the primary reason being they exist on social media and thus well outside of the security team's visibility. Behavioral indicators are often the only way to root out a social engineer in progress. The case of the company launching the attack on themselves only confirms this.

Q: Why did ZeroFOX decide to become a Sustaining Partner of Black Hat USA 2015? What do you hope to get out of your participation?

Foster: The security industry is changing and social media is the new battleground. Social media has exposed organizations to the biggest organizational security risk in decades. The new endpoints are not systems or networks but your people themselves. Because of this, we view education as a critical element of our mission. We strive to demonstrate the risks of social media and help our customers mitigate threats before it's too late.

Our partnership with Black Hat is rooted in this emphasis on education. Because Black Hat represents perhaps the biggest network of security professionals, we are excited to open the dialogue around social media and begin the conversation in the broader security industry. Our partnership opens the door for our work to become an important mainstream topic of conversation in the industry – a goal which we see as critical to addressing the risks posed by social media.
