Interviews | May 2, 2019

Brand Impersonation, Sextortion Attacks Are Increasing: Barracuda Networks, CyberSponse, EventTracker, Intsights

Asaf Cidon
VP, Email Protection

Barracuda Networks

Q1. Asaf, describe for us some of the latest tactics that threat actors are using in email attacks. How should enterprises be preparing for these attacks?

We're seeing more and more email attacks that take advantage of social engineering, with cybercriminals trying to use psychological leverage or a position of authority to get what they want. Three of the latest tactics that we've been tracking are brand impersonation, business email compromise, and sextortion.

Brand impersonation attacks, designed to impersonate well-known companies and commonly-used business applications, are by far the most popular because they are well designed as an entry point to harvest credentials and carry out account takeover.

Business email compromise, which involves scammers impersonating an executive in an email, requesting a wire transfer or personally identifiable information from employees with access to sensitive information, makes up only a small percentage of spear-phishing attacks, but it has caused more than $12.5 billion in losses since 2013, according to the FBI.

Sextortion is a newer threat that is growing quickly. We recently evaluated more than 360,000 spear-phishing emails in a three-month period and found that 1 in 10 phishing emails are blackmail or sextortion attacks. These attacks only started appearing a couple of months ago, and now they are a significant fraction of targeted attacks.

Preventing these types of email attacks requires security solutions that are flexible enough to detect social engineering, even if it is tailored to a specific employee. Traditional email security gateways rely on looking for malicious links or attachments. By leveraging AI, we can analyze the unique communication patterns within your organization, and automatically spot anomalies that may indicate an attack. It's also important to educate users about spear-phishing attacks by making it a part of security-awareness training. This ensures that staffers can recognize these attacks and know how to report them.

Q2. What are blackmail emails? Is this something that enterprise organizations need to be concerned about, or is it mostly a consumer threat?

In most blackmail scams, which include sextortion attacks, cybercriminals claim to have a compromising video, images, or other content allegedly recorded on the victim's computer, and threaten to share it with all their email contacts unless they pay up. These emails are hard to detect because they are tailored, and do not contain a malicious attachment or link. These attacks are effective because attackers often include an old compromised password within the body of the email to "prove" that they have been able to hack into the account.

Blackmail is certainly a threat that enterprise organizations need to be aware of and concerned about. With about 1 in 10 spear-phishing emails being a sextortion attack, employees are twice as likely to be the target of blackmail as of business email compromise. Employees are also less likely to report a blackmail threat due to the embarrassing nature of the email, which means it could be a more significant issue than IT teams initially believe.
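The traits described above (a quoted old password as "proof", a payment demand, and a threat to share content with the victim's contacts) are exactly what a content filter can key on when there is no link or attachment to inspect. The following is an added example written for this page, not Barracuda's code or product logic: it triages an inbound message by checking whether the body quotes a password already known to be exposed for the recipient (compared as keyed hashes, so the filter never stores plaintext passwords), whether it contains a Bitcoin address, and whether it uses extortion vocabulary. The recipient, the exposed password, the HMAC key, and the two sample messages are constructed for the example.

```python
"""Heuristic triage for blackmail / sextortion e-mails (added example)."""
import hashlib
import hmac
import re

# Hypothetical server-side key; in practice it would come from a secret store.
SERVER_KEY = b"example-hmac-key-rotate-me"


def fingerprint(password: str) -> str:
    """Keyed hash of a password so breach data can be matched without
    storing the plaintext value."""
    return hmac.new(SERVER_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed breach data: one recipient, one password exposed in an old leak.
EXPOSED = {
    "alice@example.com": {fingerprint("Summer2014!")},
}

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
THREAT_WORDS = ("webcam", "video", "contacts", "pay", "bitcoin", "48 hours", "embarrass")
# Candidate password tokens: 6-64 non-space characters, excluding obvious delimiters.
TOKEN_RE = re.compile(r"[^\s\"'<>:;,]{6,64}")


def candidates(tok: str) -> set:
    """A token plus the same token with trailing sentence punctuation removed,
    so 'Summer2014!.' still matches the password 'Summer2014!'."""
    out = {tok}
    while tok and tok[-1] in ".!?,;:)":
        tok = tok[:-1]
        out.add(tok)
    return out


def triage(recipient: str, body: str):
    """Return (score, reasons). Each reason is one independent indicator;
    a score of 2 or more is a strong blackmail signal."""
    reasons = []

    # 1. Does the body quote a credential from the recipient's breach history?
    known = EXPOSED.get(recipient, set())
    if known and any(
        fingerprint(c) in known
        for tok in set(TOKEN_RE.findall(body))
        for c in candidates(tok)
    ):
        reasons.append("quotes previously exposed password")

    # 2. Payment demand to a cryptocurrency address.
    if BTC_RE.search(body):
        reasons.append("bitcoin address present")

    # 3. Extortion vocabulary: require several hits to avoid flagging ordinary mail.
    hits = sum(w in body.lower() for w in THREAT_WORDS)
    if hits >= 3:
        reasons.append(f"{hits} extortion keywords")

    return len(reasons), reasons


# Constructed sample messages (not real mail).
SAMPLE_SEXTORTION = (
    "I know your password is Summer2014!. I installed malware and recorded "
    "you through your webcam. Pay 800 USD in bitcoin to "
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 within 48 hours or the video goes "
    "to all your contacts."
)
SAMPLE_BENIGN = "Hi Alice, can we move the 2pm sync to 3pm? Thanks."

if __name__ == "__main__":
    for msg in (SAMPLE_SEXTORTION, SAMPLE_BENIGN):
        print(triage("alice@example.com", msg))
```

The password check is the indicator that matters most for this attack class: a quoted credential that really was exposed for that user is almost never present in legitimate mail, while the address and keyword checks alone would also catch ordinary cryptocurrency newsletters. Feeding the flagged message into a one-click "report" workflow addresses the under-reporting problem mentioned above.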

Q3. What does Barracuda plan to focus on at Black Hat USA 2019? Why is it important to be there?

At Black Hat USA 2019, we're planning to focus on ways our innovations in artificial intelligence, machine learning, and automation can be leveraged to improve protection across threat vectors, from email to websites to clouds. We're excited to share our latest developments in cloud security, IoT defense, bot mitigation for web application firewalls, and total email protection with forensics and incident response. It's important for us to be at Black Hat USA 2019 so we can connect with IT professionals and show them that whatever the size of your business, whatever your journey, Barracuda is here to secure it.

Joseph Loomis


Q1. How have the role and the responsibilities of the Security Operations Center evolved in recent years? What have been the biggest changes?

The role of the Security Operations Center, or SOC, has changed dramatically over the past few years. Previously, only very large organizations would incorporate a SOC into their organization; but recently, even organizations with teams of five or fewer are adopting SOC processes, procedures, tools and playbooks that are comparable to those of more mature organizations. As a result, teams are now seeking more inter-organizational collaboration with other groups to help aid in alert management, workflow and best practices for incident and alert response.

Q2. What specific business issues can SOAR tools help enterprise organizations address?

Organizations value SOAR as a solution to address alert fatigue, repetitive workload, analyst burnout, employee turnover and insufficient playbooks incorporated within daily operations. SOCs increase the effectiveness of their operations through SOAR capabilities, out-of-the-box playbooks, easy-to-use response processes, and overall maintenance of security operations in a simple yet effective manner. Automation is the future of cybersecurity, and the more automated a SOC can become, the more effective and efficient the team within it can be.

Incorporating a SOAR platform allows SOC operators to have full visibility into their organization's entire security posture, through a "single pane of glass" allowing for all the numerous tools in the organization's stack to be orchestrated and automated within a single platform.

Q3. What do you want attendees at Black Hat USA 2019 to know about your company's products and roadmap over the next few years?

Over the next few years, best practices will center on automation security. CyberSponse continues to coalesce advanced playbooks, which incorporate machine learning and artificial intelligence, with the MITRE ATT&CK framework. As tools generate more alerts and detection methods improve, false positives decrease, while SOC operators' workloads continue to surge dramatically. Apart from this, CyberSponse will continue to better its multi-tenant product offering, the industry's first truly distributed model, which has proven to be very effective and lucrative for both MDRs and MSSPs alike.

A.N. Ananth


Q1. How can organizations benefit from integrating EDR with SIEM? What's driving the need for this?

Integrating SIEM and EDR technology is critical to winning the battle for the endpoint. There are many more endpoints than there are fortified servers in the data center, and they are staffed by non-technical users who present softer targets for today's attacker. Attacks are continuously sprayed at every endpoint and if any one of them is successful then lateral movement is next.

The traditional defense at the endpoint has been signature-based anti-virus which has proven inadequate in the current threat landscape. Aside from efficacy, there is also the problem of visibility, of detecting the kill chain, and of course the pervasive shortage of skilled staff required to administer such solutions. This leads to teams being reactive and resorting to re-imaging the endpoint as the first and only remediation.

Endpoint Detection and Response (EDR) technology was initially conceived to address the post-breach visibility requirement but has evolved to provide top quality prevention as well. But how does integration with SIEM solve this? The SOC analyst requires more advanced monitoring and analytics to gain visibility into complex and layered indicators of compromise. Netsurion's EventTracker EDR is designed to let the analyst quickly detect and efficiently respond to, and recover from, cyberattacks.

EventTracker EDR is much more effective when integrated with our EventTracker SIEM - enabling the business to index and aggregate systems and log data including data from endpoints. Once centralized, EventTracker EDR telemetry is used to correlate data and sharpen contextual visibility into attacks that span multiple endpoints and networks. Lastly, co-managed SIEM and SOC services are key to operationalizing EDR as organizations have discovered that self-managing a robust SIEM and bolt-on EDR platform is too expensive, arduous to maintain, and difficult to staff for constant monitoring.

We're excited about the Black Hat 2019 opportunity to showcase our integrated EventTracker SIEM + SOC + EDR solutions that are better together at reducing dwell time and the risk of lateral movement.

Q2. How have GDPR and other compliance requirements impacted the use of SIEM technologies? What, if anything, are organizations doing differently, or more of, with respect to SIEM?

Compliance frameworks like PCI DSS and HIPAA have long been the driver for SIEM adoption, and GDPR is no exception. GDPR compliance is relevant to organizations of all sizes and geographies if they have personally identifiable information (PII) on European Union citizens in their databases. [This] likely applies to almost every organization in all geographies, including US businesses. The General Data Protection Regulation sets a high bar for privacy, data protection, and breach disclosure and, with steep penalties for non-compliance, has been a catalyst for increased security maturity and risk mitigation since its release in May of 2018.

While GDPR encompasses several components, the criterion we see most often is the required expedited notification within 72 hours after a data breach. EventTracker SIEM and our 24/7 security operations center (SOC) work together with customers to analyze event data in real time through the collection, storage, investigation, and reporting for incident response, information governance, and regulatory compliance. EventTracker SIEM helps with GDPR by:

  • Providing 24/7 visibility and storage of forensic evidence, all in one location
  • Delivering a comprehensive audit trail that documents and traces any authorized and unauthorized access to confidential data
  • Enabling organizations to leverage EventTracker's SOC and expert analysts to correlate events and generate dashboards, alarms, and reports, providing real-time insights regarding who is doing what, when, and how with sensitive information
  • Protecting information across a myriad of third-parties
  • Detecting and alerting on sensitive data to help identify information requiring special handling such as adding extra descriptors and customized tooltip text

We also offer role-based access controls (RBAC) that limit access to SIEM dashboards containing sensitive information to reduce data disclosure risk. If your security posture is not where you'd like it to be, augment your IT and security team with network solutions and security expertise from Netsurion.

Q3. What are EventTracker's plans at Black Hat 2019? What can those attending the event expect from your company?

This year at Black Hat, we're focusing on pragmatic ways that security operations can enhance their efficiency and effectiveness. Many organizations face a shortage of qualified experts and yet face the same advanced threats as the largest organizations. We at Netsurion are showcasing our EventTracker portfolio including a co-managed SIEM service that combines the expert analysts of our SOC with robust, disciplined, and documented processes that overcome alert fatigue and pinpoint actual threats that deserve your time and attention. Whether you're a Fortune 1000 firm or a small and medium-sized business, EventTracker by Netsurion provides cybersecurity to resource-constrained organizations that is both outcome-based and affordable.

We look forward to conversations with customers and partners at Black Hat USA to understand the security challenges that keep you awake at night. We'll be demonstrating our managed SIEM + SOC + EDR solutions to enhance your security and compliance outcomes. With a laser-beam focus on delivering security that is simple yet flexible, it's easy to see why we've been recognized in the Gartner SIEM Magic Quadrant for over 11 years. Take a guided tour of EventTracker at booth #130 to see how our comprehensive solution meets your specific business requirements. Security is complex. We make it simpler.

Guy Nizan

Nick Hayes
VP of Strategy


Q1. Guy, how is the use of threat intelligence evolving and maturing within enterprises? What types of organizations are using it these days and why?

First, I'm happy to be able to say that the market is maturing. It was only a few years ago when threat intelligence as a topic in security conversations was all lumped into one generic category focused on security feeds, IOC data, and event management. Today, cybersecurity practitioners are more practical with their use of threat intelligence. They're scenario-driven today, meaning they look to integrate threat intelligence capabilities to augment or fully achieve specific security initiatives (e.g., phishing monitoring, retail fraud, or VIP or executive protection).

The companies that are most successful take an integrated approach to threat intelligence; they operationalize intelligence by embedding data and process automation into existing security systems and workflows. For instance, we can agree that all security teams have a mandate to protect their organizations from phishing attacks, but most focus on protection within their network perimeter. The mature, successful security programs that we see don't stop there; they look to extend security beyond the perimeter and establish proactive mitigation measures that prevent the phishing attack before it even starts. This is, of course, where threat intelligence comes in: neutralizing threats outside the wire.

To get the most out of threat intelligence, it's important that security leaders clearly define the ways in which it will support meaningful security objectives, tied to quantifiable metrics. This degree of specificity, however, is only possible if the threat intelligence itself is tuned to the company itself. We refer to this curated approach as "tailored" threat intelligence. We bring in business context to narrow our monitoring to key digital business assets and exposures, including associated strategic and sensitive data, assets, points of presence, and people.

We've seen most Fortune 1000 companies using threat intelligence this way, but more specifically, have seen strong adoption in the financial services, retail and healthcare verticals. Again, these organizations are using threat intelligence to identify threats as early as possible and augment existing security operations and defense strategies.

Q2. Nick, what's driving IntSights' strategy to deliver a tailored intelligence offering? What exactly are you customizing?

The easy answer is that our tailored intelligence provides wider visibility and drives faster response for our customers to more effectively detect and mitigate external threats and exposures. And while that's true, when you dive deeper into the real challenges of our customers and the variety of use-cases that our threat intelligence supports, the value we're delivering to our customers is even more fundamental than that.

At the core, IntSights equips cybersecurity and threat teams with the tools and capabilities they need to enhance and extend their existing SecOps functions beyond the firewall. Tailored intelligence equips security and threat teams with the knowledge and functionality they need to automatically and rapidly assess, prioritize, and take swift action against every external threat.

This approach to threat mitigation, however, requires a major shift in today's security mindset, primarily that: Threat detection and remediation now supersede prevention. We posit that security teams spend far too much time focused on one of the two primary ways to mitigate risk, reducing the chances of an attack rather than minimizing the impact if it does occur. Security leaders are starting to recognize the effectiveness of this strategy when it comes to major events and breaches, but rarely apply it to more common cyberevents like phishing, data leakage, or retail or financial fraud.

When "detect" and "remediate" are the default actions for security and threat teams, external threats are defanged early in the cyber kill chain, well before the exploit activates or weaponization can even be completed. This approach is effective because the tailoring component applies both to the analysis and the remediation of our threat intelligence. Swift remediation is possible because we've already mapped to the customers' existing internal security applications to automate blocking and blacklist updates, as well as to their external social, mobile, and web infrastructure that every digital business relies on.

Q3. Nick, what role do you see for AI and ML in the threat intelligence space over the next few years?

Over the next few years, I expect the cyber-arms race to continue on a fast and accelerating trajectory, driven by security technology vendors and the threat actors themselves. Starting with the latter, I expect to see attackers use AI for evil, to coordinate bot attacks at unforeseen scale, and to increasingly target corporate brands for both geopolitical motives and financial gain. To effectively exploit these new corporate victims, I also expect attackers will develop more advanced influence operations and social engineering techniques to seed customer and public distrust.

In turn, I expect cybersecurity providers to finally make good on the promise of AI and machine learning. We've faced years of failed marketing promises with far more fiction than fact when it comes to meaningful security results and outcomes. Dub me an optimist, but I see too much untapped potential and continued computing performance improvements in line with Moore's law for me to dismiss them.

I believe we'll see real security innovation with AI and ML as developers retool and narrow the scope of training models to address more concentrated tasks based on clear, well-defined parameters. For example, IntSights already has robust analytics as part of our brand security solution, but we're at a point in our product development where we can start to push the boundaries further with our AI, beginning to develop real computer vision techniques. As computer vision capabilities manifest in our products, we will be able to help our customer organizations identify and remediate brand attacks, impersonations, and stolen and counterfeit sales at efficiency rates that are orders of magnitude higher.

Q4. Guy, what do you want attendees at Black Hat USA 2019 to know about IntSights, its near-term product/service strategy and its long-term vision?

Our mission is to help organizations detect and mitigate threats externally. Threat intelligence can be incredibly useful, but it can also be incredibly overwhelming. We are helping organizations not just gain visibility into new, potential threats, but helping them understand how they are impacted and enabling them to integrate and orchestrate the mitigation process.

Throughout the year, we've significantly bolstered our phishing detection and brand protection capabilities by developing new sources, increasing automation, and incorporating additional machine-learning functionality. We're also extending intelligence to new areas of our customers' digital footprint, like new industry-specific assets and third-party organizations. Long term, we expect our external threat intelligence and protection platform to become even more extensible and interoperable, both between our internal solution offerings and within our customers' security systems and cloud infrastructure.
