Interviews | April 28, 2015

Black Hat USA Sponsor Interviews: Lockheed Martin, Raytheon, Palo Alto Networks, Webroot, and LogRhythm

Jim Connelly

Jim Connelly, VP and chief information security officer at Lockheed Martin, talks about the company's EXCITE cyber training courses meant to enhance the competency level of cyber intelligence analysts, and the current priorities of the Lockheed Martin Cyber Security Alliance.

Lockheed Martin

Q: Jim, I know that Lockheed Martin conducts cyber training courses, which you refer to as Experiential Cyber Immersion Training and Exercises (EXCITE). Who are those meant for and what can one hope to learn by signing up for the courses?

Jim Connelly: The EXCITE training courses were designed to enhance the competency level of cyber intelligence analysts and provide them with the skills required to detect, defend, analyze, and respond to cyberattacks using Lockheed Martin's Cyber Kill Chain methodology. The courses feature realistic, hands-on exercises in which participants are immersed in the reconstruction and mitigations of a full-attack scenario. The exercises, which are based on real-world threats, use concepts such as defendable architectures, incident response, and forensic analysis to mitigate threats. EXCITE encourages teamwork and collaboration in a challenging and fast-paced environment. Talented individuals are the foundation of a solid security posture, and EXCITE provides a pipeline for developing that talent.

Q: Radware just became the newest member of the Lockheed Martin Cyber Security Alliance. Tell me about that Alliance … what it's designed to achieve … and what are its current priorities?

Connelly: The Lockheed Martin Cyber Security Alliance was formed in 2009 to create an environment where leading technology providers can collaborate, combine strengths, and share best practices to address cyber security threats for our customers. The Alliance combines the strengths of 20 partners through sharing roadmaps, integrating tools, and ultimately providing early threat detection and protection to solve our customers' growing cybersecurity needs. We jointly engage in customer-focused scenarios, experiments, and pilot programs that enable us to provide improved, lower-risk, and tested services.

The Alliance's current priority is to increase collaboration and information sharing in an effort to develop even more customer-focused solutions and meet future challenges. We're always on the lookout for potential new members who are making big impacts in the security arena and are willing to collaborate.

Q: Marillyn Hewson, your president/CEO, revealed that Lockheed Martin was hit by 50 cyber-attacks during 2014 which is the most the company has ever seen. And she expects the number to only increase. What has the company learned by analyzing these attacks? What sort of trends have you uncovered?

Connelly: To clarify, Ms. Hewson was referring to adversary campaigns, which is different from cyber-attacks. We define a campaign as the identification of a specific actor group through intelligence analysis that focuses on tactics, techniques, and procedures an adversary leverages over a prolonged period of time. The Lockheed Martin Computer Incident Response Team has been tracking adversary campaigns for more than 10 years and is presently tracking more than 50 campaigns. Over that period of time, a great deal of intelligence was derived on the adversaries. This amount of intelligence has illustrated an increase in the number of actors and nation states, a diverse number of adversary capabilities, and advancing tactics from highly targeted malicious e-mails, use of social media, to longer strategic attempts to gain network access.  

The intelligence collected on the adversaries has also helped companies, such as ours, to better understand the motives of the attackers. In the security domain, there traditionally are three focus areas for network defenders: data confidentiality, data integrity, and data/system availability. Until recently, the primary concern for network defenders has been the loss of confidential data through exfiltration. Most nation state actors or Advanced Persistent Threats have focused on attempts to steal data in an attempt to gain intellectual property for economic or military advantage. Recent actors have had more aggressive motives violating data integrity and availability through the use of destructive malware. Carefully tracking campaigns and collaborating with industry and government partners to gain a wider view of adversary attacks allows network defenders to proactively address these changing motivations.

Q: What will Lockheed Martin's focus be at Black Hat USA 2015? Specifically what will attendees be able to learn from your participation?

Connelly: Our primary focus during Black Hat USA 2015 is to showcase the cybersecurity solutions we've developed and are implementing for our customers in various industries, such as oil and gas, utilities, financial services, chemical, healthcare, and pharmaceutical. Black Hat USA 2015 attendees will learn about the significant investments we've made in countering cyber threats and how the same techniques we're using to protect our own networks are also used to protect the networks of our customers.

Ed Hammersla

Ed Hammersla, president/CEO at Raytheon Cyber Products, discusses the results of the company's most recent Cyber Mega Trends Survey, and also why he believes it's so important for Raytheon to be a Platinum-Plus Sponsor of Black Hat USA 2015.


Q: Ed, your Cyber MegaTrends Survey came up with some really interesting results, like cyber experts saying that their senior leaders view cybersecurity efforts as a cost that cuts into profits, and a large majority revealing that their boards of directors haven't been briefed on their organization's cybersecurity strategy in the last 12 months. What do you make of those findings?

Ed Hammersla: This cybersecurity environment is changing fast. Recent high-profile breaches have put security front and center and it is quickly becoming a serious topic in boardroom discussions. Overall, the Mega Trends Survey points to this trend -- close to 60% said that they believe their organization's cyber security posture will improve. The major success factors that would drive improvements in security posture are personnel and technologies.

What we also see is that security professionals need to be able to translate "security and technology speak" so senior executives can understand the challenges and risk posture in terms of their business initiatives.

Q: I'm told that Raytheon's approach to cyberspace is that trying to stop all forms of cyber attacks is no longer realistic. And, instead, organizations now seek ways to withstand attacks while continuing to operate effectively – in other words, moving from prevention to resiliency. Why is that a more realistic approach?

Hammersla: If you review the breaches that have been reported in the last couple of years, it is quite apparent that these large organizations had best-of-breed technologies in place. The challenge is that the security teams are chasing the myriad of alerts sent out by these disparate technologies and lack the visibility and context to put together a quick and coordinated mitigation and remediation approach.

Additionally, the new threat landscape includes professional cyber criminals and nation states with more sinister aims, better funding, and more advanced skills. Their attacks are low, slow, and stealthy, and as we have seen, easily circumvent current signature-based and even some non-signature-based technologies. Their modus operandi is to be persistent, get inside, and then stay there as long as they can to extract data. Before you can prevent an attack, you need to know that an attack is happening -- or at least has happened. What we have learned from recent events is that prevention is not enough anymore. Organizations need to operate under the assumption of compromise -- it is a matter of "when" not "if."

In today's environment, resiliency is just as important, if not more so, than prevention -- the ability to operate our networks as a "conflicted space" environment. Organizations need something different, something that works -- a way to detect the threat, control it, and contain damage.

Our approach to detect, control, and contain threats is continuous monitoring of end points, user activity, and other key assets. This information, when combined with threat intelligence and analytics, can result in contextual understanding of the breach that enables security professionals to quickly draw insights and take confident and decisive action.

Q: What will be your focus at Black Hat USA 2015? If someone from Raytheon Cyber Products will be speaking, what can attendees expect to hear?

Hammersla: Our focus at Black Hat will be our new approach to cybersecurity which has already garnered widespread support and affirmation. Attendees will hear about how our solutions can operate independently but also seamlessly integrate to extend unmatched visibility into the security posture of an enterprise, enabling a level of risk management that allows organizations to be resilient in today's persistent threat environment. We will also focus on how Raytheon -- with over two decades of cybersecurity experience and expertise -- is well-positioned to deliver cybersecurity solutions that are scalable, secure, architecturally superior, and cost-effective.

Q: Why is Raytheon a Platinum-Plus Sponsor of the conference? What are some of the advantages?

Hammersla: First of all, we believe in and promote the open discussion of cyber security issues. We are showcasing our SureView product suite which requires a lot of real estate which the Platinum-Plus Sponsorship provides.

The other thing that attracted Raytheon Cyber Products to the Platinum-Plus level was the speaking opportunity in the business hall theater. This 45-minute slot gives us an excellent opportunity to present our integrated SureView portfolio to an audience that we might not otherwise reach via booth traffic. We have a very robust digital and social media strategy that we aggressively engage for all tradeshows, so the pre-event social media marketing was also very important to us. The full-conference briefing passes are significant to us as we send a number of our engineering team to Black Hat for educational purposes. There is no other event where they can gain the kind of current cybersecurity knowledge that they can get from Black Hat.

Scott Gainey

Scott Gainey, head of product marketing & programs at Palo Alto Networks, chats about the latest research from the company's Unit 42 Threat Intelligence experts, and the advantages of becoming a member of the new Fuel User Group which is designed to "shape the future of cybersecurity."

Palo Alto Networks

Q: Scott, we're seeing the brands of many retailers – brick-and-mortar as well as online – being tarnished by cyber attacks. Tell me about your recent white paper which explains how your enterprise security platform helps retailers protect their highly distributed environment. What does the platform do that competing platforms don't?

Scott Gainey: The Palo Alto Networks enterprise security platform is designed with safe application enablement and prevention of known and unknown threats in mind. Our platform, which includes the Palo Alto Networks Next-Generation Firewall, Threat Intelligence Cloud, and Advanced Endpoint Protection, allows retailers to deploy security consistently across their organization -- from endpoints to the data center and supply and distribution networks. This natively integrated platform approach with a central management console eliminates many of the complexities involved with deploying an assortment of individual point products, eliminates the need for expensive manual processes, and improves retailers' ability to quickly respond to new global threats.

Q: I understand that your Unit 42 Threat Intelligence experts are taking their new research on the road. What "new research" are they focusing? Can you give me a few takeaways?

Gainey: Unit 42, the Palo Alto Networks threat intelligence team, is focused on understanding how attacks evolve over time, providing detailed research to our customers, partners, and the broader security community. Unit 42 goes beyond simply sharing security data, ensuring organizations understand the wider implications of advanced attacks, with full context, including:

  • The tactics, tools, and procedures used by a variety of adversary groups tracked by Unit 42, which you can use to prevent future attacks.
  • New attack campaigns and how they could impact your business across highly targeted verticals.
  • An update on the latest Point-of-Sale (POS)-based malware.

Q: Palo Alto Networks recently launched what you're calling the Global Fuel User Group whose goal is to "shape the future of cybersecurity." Tell me what that means and why other cyber professionals should be interested.

Gainey: Having timely, unfiltered, and trusted access to practical cybersecurity minds is key to winning against today's cyber criminals and threats. The battle can't be won alone, so they are turning to others in their field for collaboration. We see this happening through communities like Fuel and consortiums like the Cyber Threat Alliance (CTA).

The Fuel User Group is a growing global community of expert Palo Alto Networks users. Fuel provides the power to share collectively, educate others, challenge the status quo of security best practices, and ultimately shape how cybersecurity is implemented in the future.

Hear from Lee Klarich, our senior VP of product management, on how Palo Alto Networks will interact with Fuel here, and become a member at

Q: You are a Platinum-Plus Sponsor of Black Hat USA 2015. Why did you make that investment and how why is it important to your marketing strategy?

Gainey: Black Hat is a premier industry event where cybersecurity professionals gather for continued education and networking. As a leader in enterprise security and advocate of threat intelligence sharing and collaboration, we believe that participating in this event can help advance the cybersecurity industry efforts as a whole in the battle against cyber criminals and threats.

Patrick Kennedy

Patrick Kennedy, VP of enterprise marketing & analyst relations at Webroot, talks about the company's partnerships with Palo Alto Networks and with Allied Bank, why only 45% of mobile banking apps are "truly trustworthy or benign," and what will be the takeaways at Webroot's Black Hat presentation.


Q: Patrick, Webroot just expanded its partnership with Palo Alto Networks which, I'm told, will enable the company to deliver smarter security with your BrightCloud Threat Intelligence. How does this deal specifically benefit Palo Alto Networks – and, of course, its clients?

Patrick Kennedy: Webroot provides Collective Threat Intelligence to deliver the most up-to-date enterprise-class protection for endpoints, firewalls, and SIEMs. Webroot has attained partner certification with Palo Alto Networks, and is helping their customers to reduce the number of malicious IPs infiltrating their network infrastructure and creating incidents for their info security teams to respond to. To accomplish this, they are augmenting their existing Palo Alto Networks next-generation firewall (NGFW) devices with an additional layer of protection against malicious IPs via Webroot's BrightCloud IP Reputation Service for Palo Alto Networks.

Webroot's BrightCloud IP Reputation for Palo Alto Networks enables enterprises to enhance the effectiveness of their Palo Alto Networks NGFW by integrating highly accurate IP reputation data into their Palo Alto Networks firewall to block malicious incoming IPs. This solution analyzes inbound IP addresses from each Palo Alto Networks NGFW appliance in the customer environment and customizes the threat intelligence for each NGFW device to include malicious IPs that have attacked that device in the past and other malicious IPs that are likely to attack in the future.

Q: Similarly, Allied Bank has also partnered with Webroot. What does that partnership mean for Allied Bank and its customers?

Kennedy: Ally Bank is offering their customers, who are active online banking users, the opportunity to download a complimentary copy of Webroot SecureAnywhere to protect their online transactions, financial information and assets, and identity. The Webroot software has dramatically reduced Ally Bank's rate of fraud and contributed to being awarded "top five most secure online banking" status, according to financial analysts Javelin Group.

Webroot SecureAnywhere AntiVirus for Financial Institutions provides Ally Bank's customers real-time detection and remediation for PCs and Macs against today's advanced threats. With 99.7% efficacy against even brand-new, zero-day attacks, Webroot blocks financially targeted malware, viruses, Trojans, backdoors, spyware, worms, and rootkits, among others. The cloud-based solution of Webroot secures customers' online identity and financial information without the need to download signature updates.

Webroot protects Ally Bank's interests and reduces instances of online fraud by working silently in the background to protect usernames, account numbers, security codes, and other personal information from theft -- even if malicious applications are present on a user's device.

Q: In your report on mobile banking apps, your Mobile Threat Research Team revealed that they found that only 45% of the apps were "truly trustworthy or benign." Fill me in on what problems they discovered, and what do you recommend to banks and their clients to avoid hacker attacks?

Kennedy: According to BI Intelligence, as of August of 2014, over one quarter of all Internet traffic is mobile. The average user has over 100 apps on their device, and users in the U.S. have indicated that if a mobile wallet were available, they would trust their current bank by an almost 2-to-1 margin over anyone else as the wallet to use. However, mobile threats are growing fast with over 27% of apps either malicious or unwanted as of August 2014. Mobile threats include scams, phishing, spam, and malicious apps themselves.

Part of the issue is customer mobile usage patterns -- mobile device usage behaviors heighten security issues. For example, users download apps from third parties, connect to insecure public Wi-Fi, lose their mobile devices, root and jail break their own devices, and disable their device security. This leaves users vulnerable to spyware, Trojans, PUAs, system monitors, adware, worms, and rootkits which conspire to steal user information.

Overall, the number of malicious apps have increased over 6,200% from just 203 in 2011 to 1.3M in 2014, and the main threat vectors for mobile devices are rooted or jail-broken devices, malicious or suspicious apps on the device, and malware on the device.

Q: As the amount of data at risk expands, many organizations are increasing their consumption of intelligence data. In your report on enterprise security, why do respondents believe threat intelligence is essential for a well-rounded cybersecurity defense and how is it effective in stopping cyber threats?

Kennedy: We see organizations increasing their consumption of threat intelligence for two primary reasons: first, they are continuing to experience breaches with their current technology and are looking to integrate threat intelligence into their security environment to reduce the volume of security incidents; second, integrating threat intelligence can help then to automate certain security operations and remediation activities, such as updating firewall blocks lists and prioritizing alerts.

Q: What will your focus be at Black Hat USA 2015? If you'll be giving a talk, what will the takeaways be?

Kennedy: At Black Hat, we want attendees to see that smarter companies are using collective threat intelligence to combat today's threats -- and that you can apply that same real-time threat analysis to endpoints in order to provide a level of protection and response not possible with traditional endpoint solutions. Timur Kovalev, our senior director of client technology and threat intelligence, will be speaking about mobile application security and, specifically, which Android applications are easy to disassemble/reverse engineer, and code hardening solutions. He'll include demonstrations on how to re-package apps with malicious code, how hackers are accessing server-side endpoints today, and how vulnerabilities expose intellectual property. He'll also show the security methods that combat these modern threats.

Mike Reagan

Mike Reagan, chief marketing officer at LogRhythm, discusses one of the most common ways malware makes it into the organization, what LogRhythm is recommending to health care providers to thwart attackers, and why his company is a Platinum-Plus Sponsor of Black Hat USA 2015.


Q: Mike, in a recent LogRhythm blog, readers are cautioned that using their work laptops at home and outside of the company network is one of the most common ways malware makes it into the organization. I believe that point is rarely made and I wonder whether security people at the enterprises stress that enough. What are your recommendations here?

Mike Reagan: When users take their laptops home with them, they are often no longer protected by the security controls that the organization has in place to defend against drive-by downloads and similar Web-based attacks. This is normally done via a content-filtering proxy solution that screens all Web-browsing traffic. This technology is useful for security but also assures that users remain compliant with the organization's acceptable use policy.

The problem arises when taking a computer outside of the internal network -- the system's traffic no longer traverses through the proxy, so it is up to the user to remain vigilant. There are many things that users can do, such as use browser add-ons to filter advertisements, disable JavaScript and similar client-side content, and avoid potentially dangerous Web sites. Unfortunately, most users are not security professionals, so this is not necessarily a feasible resolution.

Providentially, there are commercial solutions available that can configure work systems to pass their traffic through the organization's proxy even while they are not in the office. This is a critical security control, especially for organizations that have disparate employees who work outside the office. In fact, LogRhythm works closely with these vendors to deliver monitoring of these solutions within the SIEM, providing SOC analysts with the proper data, so that they can act quickly when anomalies are observed both inside and outside of the network.

Q: Chris Petersen, your CTO, recently cautioned health care providers after hackers infiltrated health insurer Anthem's network. He said that that such data "can be valuable for identity thefts as well as valuable for extortion." What is LogRhythm recommending to such enterprises to thwart attackers?

Reagan: Organizations need to operate with a mindset that attackers will get in, that they will penetrate the environment, and compromise systems and accounts. However, data breaches take time and can be avoided if the initial compromise is detected early. Healthcare providers need to focus on early detection and fast response alongside preventive measures.

Q: Nancy Reynolds, your VP of Americas channels, recently was named a 2015 CRN Channel Chief. That's quite an honor. Fill me in on what you think she – and LogRhythm – did to deserve that designation.

Reagan: Team work. We believe Nancy's recognition was based on her formula for success: 20 years of experience (successfully building channel plans) plus months of collaboration and a healthy dose of perseverance led to the development of a compelling business model that met the needs of LogRhythm and the partner community.

Q: LogRhythm was a Platinum Sponsor of Black Hat Asia and is now a Platinum-Plus Sponsor of Black Hat USA 2015. Why do you believe it's important for you to make those investments each year?

Reagan: Black Hat events have become critical training grounds for IT security professionals around the globe. The training classes are intense and designed to substantially bolster the cyber security skills for those responsible for protecting businesses and government entities amidst a rapidly shifting cyber threat landscape. Attendees also leverage Black Hat to see the latest innovations in cyber security through the vendor exhibition. LogRhythm continues to be a Black Hat Platinum Sponsor because the need for our award-winning Security Intelligence and Analytics platform has never been greater and Black Hat is the ideal environment to engage with the IT security professionals responsible for improving their organizations' security intelligence posture.

Sustaining Partners