Interviews | May 4, 2018

Black Hat USA Platinum Sponsor Interviews: CyberVista, Cyxtera Technologies, Lastline, and SecurityScorecard


Amjed Saffarini
Chief Executive Officer
CyberVista

Simone Petrella
Chief Cybersecurity Officer
CyberVista

CyberVista

Q1. Amjed, where do the biggest skills gaps in cybersecurity exist today? How is your company helping organizations address the issue?

Today's cybersecurity skills gap is a two-fold problem comprised of a talent shortage among cybersecurity practitioners, as well as general professionals. Not only do employers commonly face issues filling open full-time roles with adequately trained and experienced candidates, there's also a widening gap between what general professionals - lawyers, doctors and executives - need to know about cybersecurity, and what they actually know.

On the practitioner side, the skills gap is glaring when it comes to general workplace effectiveness skills like critical thinking, business communications, structuring business cases, project management, etc., and how security risk relates back to the business. These skills shortages are similar to other modern industries that rely on human capital to power their businesses. On the professional cybersecurity competencies, we find that companies continue to seek talent that has a wide foundational base of cybersecurity knowledge, but are increasingly interested in how that knowledge is curated in learning paths that can be used to help employees specialize and advance.

At CyberVista we solve the human problems within cybersecurity with human solutions. Our programs work with both cyber practitioners, as well as all employees of the workforce to train them on exactly what they need to know to be cyber resilient individuals. A common thread within those programs is the level of personalization we provide by assessing prior knowledge of individuals coming into our programs and tailoring their programs so that they have the most efficient and effective learning journey possible.

Q2. Simone, how exactly does CyberVista personalize cybersecurity training and workforce development for organizations? It would be great to have an example or two of how you personalize training.

We firmly believe that one way to close the growing skills gap is to approach training and workforce development from an employer-driven perspective, which leads to a number of opportunities for personalization. We've started by looking at common security job roles from sources like the NIST Cybersecurity workforce framework, and then worked with actual employers to understand their unique security job roles within their organization. From here we've reviewed the kind of competencies they need staff to be able to perform to be successful in their roles, including both the specialist and managerial career tracks. Tying skills and competencies to roles is of the utmost importance, as one of the most common points of feedback we receive is that despite credentials and degrees, most newly hired staff are not ready to perform critical security job functions on the job.

By breaking down a role into its component skills, we are able to not only create a tailorable and navigable cybersecurity career path for both employers and employees to follow, but we are also able to then develop actual training in modular and bite-size chunks, making the material approachable and retainable. This approach to training allows people to access content at their convenience and reduce operational down-time that often occurs when someone needs to take time off work to attend a traditional training class.

From there, we further personalize all of our cybersecurity training by starting with the basic principle of a self-assessment (or diagnostic). By having a baseline starting point of one's own strengths and weaknesses, whether through knowledge-based or practical cybersecurity skills, both individuals and their organizations can then customize valuable time training to the skills that need to be acquired for a particular individual in his or her specific job role.

Q3. Amjed, talk to us about CyberVista's programs for corporate board members and executives. How does your program help further their understanding of enterprise cyber risks?

In today's world, cybersecurity is not just an IT problem. We developed our Resolve program to help fill the cyber competency gap in the boardroom and the executive suite. Built on well accepted cybersecurity governance standards - including NIST Cybersecurity Framework and ISO 27001 - CyberVista simplifies cybersecurity and cyber risk with our Cyber Governance Framework, which uses three areas of focus: Prepare, Monitor, and React. Furthermore, we have aligned our program with the Factor Analysis of Information Risk (FAIR) methodology to help quantify cybersecurity risk.

We understand that each organization is different, with unique and specific needs. The modular design of our course encompasses the most important and comprehensive aspects of cyber risk allowing companies to select topics most relevant to their organization. Our goal is to provide senior leadership with the foundational elements needed to measure, manage, and report on cyber risk from a business perspective.

Q4. What do you want attendees at Black Hat USA 2018 to know about your company and its services?

The best way to think about CyberVista is as the human solution to cybersecurity's thorniest problems. We evolved from Kaplan - one of the biggest education providers in the world with over 1 million students per year. That intense focus on cybersecurity has allowed us to cover the gamut of training - whether in security awareness training of the most junior employee, to board and executive training for senior leaders, to the initial skilling and upskilling of cybersecurity professionals.

The talent shortage is real in cybersecurity and that means in order to begin to make even a dent, we need to tackle the problem in a way that goes beyond just increasing the pipeline of new entrants into the space. Our approach and workforce development initiatives embrace the multidisciplinary nature of the industry. By specifically targeting the roles and associated competencies most needed at companies, we hope to allow them to start to identify alternative sources of talent (sometimes even within their own organizations) and think about how to transition talent between adjacent security job roles.


Christopher Day
Chief Cybersecurity Officer and GM
Cyxtera Technologies

Ricardo Villadiego
GM, Security & Fraud
Cyxtera Technologies

Cyxtera Technologies

Q1. Christopher, why did Cyxtera buy Immunity Inc.? How will the acquisition benefit enterprise customers?

Immunity offers the best offense-oriented security solutions in the industry; the decision to acquire them was an easy one. Their expertise is a perfect complement to Cyxtera's existing defense-oriented capabilities. Customers will benefit in several ways, including greater visibility into cyber security risks, the ability to address the complete cyber-attack lifecycle, and automated penetration testing combined with advanced adversary simulation.

Q2. Ricardo, what specific security issue is Cyxtera's recently released AppGate SDP 4.0 designed to address? What is the value add it offers over competing products?

AppGate SDP addresses a chronic security flaw that is found in traditional solutions: over-privileged access. Security tools like VPN, NAC and firewalls allow access to nearly everything on the network once the user authenticates. If credentials are compromised, the adversary can move unimpeded across the network. AppGate SDP is different. It creates encrypted, one-to-one connections between users and resources. Authenticated users only get access to resources they are authorized to use, when and where they are authorized to use them. For customers, the value includes a reduction in the costs associated with maintaining and managing VPNs, NACs and firewalls; a greater ability to meet compliance requirements; and, a dramatic reduction of the attack surface.

Q3. Christopher, why is threat analytics becoming so crucial for enterprises? What's driving the trend?

Threat analytics are a necessity for enterprises dealing with savvy hackers who are patient, persistent and motivated. Their tradecraft may be technical in nature, but at the end of the day a human being is behind every attack. That's why enterprises need threat analytics. It gives you a way to dig into the mindset of adversaries. As attacks get more complicated and difficult to detect, threat analytics will play a greater part in helping organizations defend against the people behind them.

Q4. Ricardo, what are Cyxtera's plans at Black Hat USA 2018? What is your main messaging going to be at the event?

Cyxtera will be talking about identity-centric security. We believe that a user connecting to your network isn't just an IP address; it's a person with intent. It's up to us, as security professionals, to determine if a user's intent is benign or not before granting them the keys to the digital kingdom. We must have a deep understanding of who is accessing the network, how and why. There are a number of ways Cyxtera solves this equation. For example, our recently announced acquisition of Immunity gives us a wealth of offense-oriented tools to meet adversaries head-on. Immunity is well known for their aggressive, real-world approach to understanding the attack lifecycle and how hackers penetrate networks. Their expertise is a perfect complement to Cyxtera's defense-oriented network access security software and threat analytic services. We can provide security leaders with visibility into the holistic, unique threats they face so they can lower their cyber risk.


Engin Kirda
Co-Founder and Chief Architect
Lastline

Giovanni Vigna
Co-Founder and CTO
Lastline

Lastline

Q1. Engin, why are enterprises taking so long to detect data breaches these days? What is Lastline's approach to helping organizations decrease time to detection?

Detecting breaches is still a challenge today if you do not have the right solutions in place. Malware has become more sophisticated, and attackers are often able to stay under the radar if traditional defense technologies are used. Lastline uses advanced analysis techniques that allow us to monitor in great detail what unknown artifacts in an organization, such as executable code, are doing. We then correlate these behaviors with other actions and behaviors we are observing in a network, such as domain names, and are able to quickly detect breach attempts.

Q2. Giovanni, Lastline claims its Deep Content Inspection technology is superior to other methods of malware analysis like OS emulation and virtualization. How exactly is that the case?

OS emulation and virtualization provide visibility only at the library/system call interface. Even though these are the points in which some security-critical operations are carried out, there are many situations in which one has to have instruction-level visibility—especially when analyzing evasive behavior. This is one of the advantages of Lastline's technology. It allows for fine-grained visibility into the actions of a program and is not limited to library and system call interaction. In addition, by using full-system emulation—and 'full-system' is the important keyword—Lastline's approach does not leave in the operating system evidence of instrumentation or other modifications that can be used by malware to identify the sandbox as an analysis environment.

Q3. Engin, tell us a little bit about your new malware sequencing system. What exactly does it do, and how?

Our analysis system is able to dynamically analyze the malware, defeating anti-analysis protections like packing and environmental fingerprinting. We then look at the malware's code and abstract away its functionality, building a library of 'genes' that we can associate to specific behaviors. By doing this, we can cluster together malware that has similar functionality, and, in addition, highlight potential malicious behavior that has not been directly observed during the analysis.

Q4. Giovanni, what do you expect will be some of the major themes at Black Hat USA 2018?

I think that people are starting to look at the implementations of crypto-currencies—while most people have focused on the crypto itself so far. I anticipate a few "Hi I broke crypto currency/wallet/blockchain implementation XYZ..." presentations.


Alex Yampolskiy
CEO & Co-Founder
SecurityScorecard

Sam Kassoumeh
COO & Co-Founder
SecurityScorecard

SecurityScorecard

Q1. Alex, what is it that enterprises need to understand about third-party risks and how to manage them?

First, mitigating third-party risk relies on all members of an organization, and consequently, an effective cybersecurity program mandates a common security language. The CISO, CSO, and CTO need to present information in a language that explains security concepts in business terms. Often technical staff members focus on a vendor's encryption methodologies and other granularities about the vendor's approach to security. The reality is boards, investors, CISOs and other business leaders need access to all the important technical details, but they also need a simple and clear language to be able to easily communicate how a company and its third parties manage their security.

The SecurityScorecard platform provides this by distilling a company's overall health to a letter grade: something easy to understand whether the consumer is technical or not. Second, information security professionals must educate the C-level on risk mitigation strategies and how to create a resilient organization by monitoring vendor activities. Attack landscapes and vectors constantly evolve, and most information security professionals understand fully locking down an ecosystem is an impossible task. Working off the assumption that an organization will be hacked puts information security teams in a better position to develop controls that will ensure business continuity.

Third, organizations need to not only map assets but also ensure appropriate control levels. Third parties should only access the information they need. Organizations need to create thoughtful control mechanisms that secure sensitive data and provide limited access to it. Moreover, they need to focus on maintaining relationships only with vendors whose risk tolerances match theirs in both words and action. Thus, continuous monitoring becomes more valuable long-term.

Q2. Sam, describe the process by which SecurityScorecard assigns risk scores/ratings to vendors. How should enterprises use the scores/ratings in managing third-party risk?

SecurityScorecard grades the cybersecurity health of organizations based on the information collected by ThreatMarket, our proprietary data engine, as well as our own internal collection activities. ThreatMarket collects information from several sources like data feeds, sensors, honeypots, and sinkholes. Both methods collect data that is externally accessible and public, meaning no intrusive techniques are used to gather the information. Once assembled, ThreatMarket mathematically weighs riskier issues more heavily using industry-accepted standards. This means each company can look at a carefully measured, holistic, and statistically relevant view of the cybersecurity risk associated with its IP footprint and that of its vendors.

Ultimately, the SecurityScorecard platform reports on whether a company's behaviors contribute to or mitigate cybersecurity risk over time and provides the user with clear identification of vulnerabilities or gaps in a company's systems. This enables organizations to monitor their vendors continuously in a streamlined way and to engage with their ecosystem to reduce risk.

Q3. Alex, SecurityScorecard's 2018 Government Cybersecurity Report painted a pretty dismal picture about the readiness of government entities to deal with cyber threats. Why is security such a struggle for government given all the money that is being poured into the effort over the past few years?

On the federal level, increased spending should lead to stronger infrastructures, but even the Department of Homeland Security failed its annual IT audit by running outdated software and leaving critical vulnerabilities unpatched. For example, DHS missed patches on Windows 2008 and 2012 systems, including security updates released in 2013. When even the agency tasked with protecting U.S. cybersecurity fails its IT audit, the security industry, as a whole, needs to make strategic interventions.

In part, new infrastructure costs outpace the funding allocated thus leaving legacy systems in place. A single new device costs anywhere between $200 and $400. Multiply that by the number of federal government users accessing data, and the amount cripples the budget. Apply that to state and local governments trying to manage decreased educational funding, and, again, the costs cripple those taxpayers. Outdated systems accessing the organization/agency network lead to endpoints running outdated and insecure browsers, vulnerable operating systems, and insufficient malware protection software. Moreover, the cybersecurity skills gap and national hiring freezes due to budgetary restrictions create overworked and undereducated IT departments. Eighty percent of cyberattacks exploit CVEs. Overworked departments have difficulty tracking assets to updates. Undereducated departments cannot triage risks appropriately.

A look at the 2018 report shows that governmental organizations/agencies do well with application security. They do far worse with endpoint security and patching cadence. By focusing more on high-need areas, government agencies can more effectively combat risk.

Q4. Sam, what do you expect will be some of the hot topics at Black Hat USA 2018 and why?

A consistently hot topic has been monitoring ecosystem risk: we know point-in-time reporting and assessments only show a limited picture of the cybersecurity posture of an ecosystem. And we know a large percentage of breaches emanate from third parties. This year, expect more discussions regarding ecosystem risks and how to test vendors. Increasingly attackers now find a single exploit and review entire ecosystems just for that vulnerability. What those attack vectors are and finding effective ways to foresee and respond to systemic risks are both likely topics this year. Lastly, in the last few years, as IoT devices flooded the tech market, IoT discussions focused on proof of concept for hacking the devices. 2018 is the year we expect to hear more about enterprise IoT device controls and tools to protect against IoT hacks in an automated way.
