Interviews | May 5, 2017

Black Hat USA Sponsor Interviews: Code42, StackPath, Tanium, and Webroot

John Durant

John Durant
Chief Technology Officer
Code42 Software Inc.


Q: What are companies doing wrong, or not enough of, when it comes to protecting data on endpoint devices?

John Durant: Organizations are still focusing too much on barriers as ways of protecting users, systems, and data. It is easy to understand why. The information security equivalents of an electrified fence surrounding a deep moat that encircles a high wall—these all convey a sense of confidence that the treasure in the castle is safe. But, they aren't enough. We've all heard "perimeter is dead," but we still see an overwhelming emphasis on the perimeter—electrified fences, higher walls, and deeper moats. The best solutions—the ones that the marketplace will ultimately allow to prosper because they actually keep assets safe—will be those that are smart and self-learning. This is the main thrust of our product development at Code42, and we are beginning to see other vendors in the security ecosystem strike a similar posture. Real security will not be achieved by thicker concrete, so to speak. It will be by more accurately predicting where and how the roving gang is going to attack the city.

Q: Besides ransomware, what are some of the other major drivers for services such as those offered by Code42?

Durant: Our customers have been emphatic about their concern relating to inside threats. Security-practitioners work very hard to stay on top of possible threats introduced, both inadvertently and intentionally, by people within their trusted network. The overwhelming majority of employees are trustworthy and committed to doing the right thing. But, there are some whose loyalties lie elsewhere, and they are often the source of serious data security problems. We help mitigate the risk these people introduce, including those unknowingly introduced by more well meaning people, by contributing to a better signals-to-noise ratio. Security professionals are not lacking for data. They have more than they could ever analyze or evaluate. At Code42, we are obsessed with focusing on data that matters—the small indicators of bigger and more likely problems.

Q: Code42 is a Platinum Sponsor at Black Hat USA 2017. What do you expect will be some of main themes at the conference and what is your own messaging at the event?

Durant: I expect that we will see at the event this year an even better balance between technical or somewhat esoteric concepts and the more practical side of things. Black Hat is exemplary in providing enriching and engaging experiences that expose attendees to research and other innovations. It's very exciting. But then attendees return to their real-life jobs, and they sometimes struggle to draw the lines of continuity between their daily problems and what they learned at the show. While I don't know what the session list looks like for this year, I think a strong emphasis on "practical" application of concepts and practices will be on order. Also, I think IoT is starting to sink in and become "real" in the marketplace. As a result, we will see more interesting things that actual companies are doing in this space and how they are approaching security. Finally, I believe the conference will have a consistent—even if not explicit—theme around telemetry and data analytics. This is an area of intense focus for Code42, because it is what our customers are telling us they value. We are passionate about providing tools that give InfoSec and IT teams the chance to more wisely prioritize what could be risks on their endpoints.

Lance Crosby

Lance Crosby
Chief Executive Officer
StackPath, LLC


Q: It's been less than a year since StackPath came out of stealth mode. What do you want enterprises to know about your company? What is its fundamental value proposition?

Lance Crosby: At StackPath, our mission is to make the Internet safe. We have a unique strategy for doing that.

Pretty soon, nearly all Internet traffic will pass through one sort of edge service or another, like a CDN. That's where security needs to start—at the cloud's edge. That's where we're building StackPath, a platform on which we can deliver a wide range of services that developers use to extend, expand, and improve anything they are building in the cloud. We're making each service on the platform frictionless, global, and inherently secure. That way, developers have security built into their solutions, and don't have to bolt it on after the fact.

We're excited about this vision. To bring it to life even faster we've integrated some exceptional companies, including MaxCDN, Highwinds, Fireblade, and Cloak. We're merging the technologies into a single platform with exceptional telemetry and machine learning so customers' solutions and our own services will grow smarter, more secure, and easier to use with every network transaction and threat detected.

Customers already can use our platform for content delivery, API delivery, file distribution and more, with WAF and DDoS protection built-in. And we can't wait to announce what's next.

Q: How will customers benefit from StackPath's recent acquisition of Highwinds?

Crosby: Customers will benefit from Highwinds merging with StackPath by getting the full power and capabilities of our mission sooner. Our two companies shared the opinion that the services we've come to know as Content Delivery Networks are actually fundamental building blocks for more than content delivery, but that these businesses and their infrastructures need to evolve for the next era of cloud.

Merging Highwinds and StackPath technologies and teams gives us the scale, scope, and experience to accelerate that evolution, bringing customers an integrated, next-generation platform with unprecedented security advantages even more quickly.

We've already integrated StackPath and Highwinds technologies into one platform with the advantages and features both companies already offered. The enterprise-class performance and capabilities that were hallmarks of Highwinds are now paired with the frictionless account creation, simplified content delivery management, and WAF and DDoS features that distinguish StackPath.

Q: This is the first Black Hat for StackPath. What do you want attendees at Black Hat USA 2017 to know about your company?

Crosby: It's time for a new era in Internet security, and we're all in.

Probably everyone who goes to Black Hat would agree that, at the current rate and trajectory of Internet threats, we could easily reach a point where the risk of being online outweighs the benefits. But slowing and reversing that trend really will take some fundamental shifts and industry-wide changes. It's going to take new thinking, new infrastructure models, new approaches to security and an aggressive investment in the cloud's aging infrastructure. Likewise, it's going to require new approaches to developing solutions in the cloud, regardless of the underlying infrastructure.

That's what we're thinking about at StackPath. We're excited to be a part of Black Hat 2017 for the chance to speak with others at the show about the challenges and opportunities we are facing and what we can

Ryan Kazanciyan

Ryan Kazanciyan
Chief Security Architect
Tanium Inc.


Q: What is it that enterprises need to know and understand about endpoint security and management technologies such as those from Tanium? What specific security issues do such products help address?

Ryan Kazanciyan: We see Endpoint Detection and Response (EDR) and Endpoint Protection Platforms (EPP) as critical capabilities, which must be complemented by innovations in patching, configuration control, vulnerability management, integrity monitoring, and the like. It turns out if you can do all those things effectively, and with the requisite speed and scale to keep pace with modern enterprises, you can direct your resources on EDR and EPP against a much more focused set of remaining threats. In our experience, well-managed and secured environments have a lower "noise floor" than others, and have built in resiliency which keeps singular compromises from leading to catastrophic enterprise-wide failure.

There are tons of point solutions in this space jostling to differentiate. It's important to note that enterprises, which focus only on getting better at EDR and EPP—without addressing the broader security ecosystem—won't resolve their underlying security weaknesses. Organizations that invest in security hygiene can break the re-compromise cycle, rather than just improve their ability to detect and respond.

We're committed to delivering a platform, which delivers on the vision - and underlying need - for a unified approach to security and systems management.

Q: You recently talked about the need for organizations to look inwards for the best threat intelligence. Why is that the case? How can internal data help organizations enable better threat intelligence?

Kazanciyan: Threat intelligence services can help automate detection workflows, and provide context to help prioritize response efforts. However, attackers have grown increasingly adept at adopting techniques, which are less conducive to the common means of threat data sharing. In the past, we've seen antivirus signatures and host-based IDS evolve into helpful controls rather than all-encompassing silver bullets. Similarly, we're now seeing Indicators of Compromise and so-called "pattern of attack" detection emerging as important complementary controls which, taken alone, cannot address all your security challenges.

A commercial "one-size-fits-all" feed can never tell you what's anomalous in your own environment. Knowing which applications should be running, which users should be accessing which resources, where data should reside and which processes should interact with it, what devices should be connecting to one another, and so on, is essential before you can begin to spot anomalies. You can't detect a new, novel attack campaign or spot the malevolent actions of a disgruntled insider without deriving your own intelligence from automated, real-time awareness of what's "normal" for your organization.

Q: Tanium is a Platinum Sponsor of Black Hat USA 2017. What do you want attendees to take away from your presence at the event?

Kazanciyan: This is Tanium's first time exhibiting at Black Hat. We've been helping our customers manage and secure millions of systems for 10 years. We're excited to showcase why our platform is fully deployed across the largest banks, government agencies, retailers, healthcare providers, and other businesses around the world. We'll have content and experts ready to engage with visitors and share the full spectrum of our capabilities, from EDR and endpoint protection to automating security workflows and delivering compliance and systems management with unrivaled speed, scalability, and simplicity.

Hal Lonas

Hal Lonas
Chief Technology Officer
Webroot, Inc.

Webroot, Inc.

Q: Why is machine learning so critical to addressing modern threats? How exactly is Webroot using machine learning to make its products smarter?

Hal Lonas: Humans just can't keep up with the rapid evolution of modern threats. The speed, volume, and volatile nature of today's cyberattacks are forcing people to take a backseat in day-to-day prevention and threat tracking. The only way to beat the bad guys is to leverage human knowledge and productivity a-million-fold using machine learning and artificial intelligence. While human experts are essential to this process, we need to look to models that can magnify their capabilities. Machine learning enables threat researchers to shift mundane tasks to computers so they can tackle the problems that require more creativity and critical thinking.

Webroot has been using machine learning for 10 years. We pioneered this technology to analyze large volumes of threat data and turn it into actionable intelligence. Our analysis and findings come from — and feed into — all of our products. Our machine learning models spot malicious traffic, label it accordingly, and then alert all other Webroot products of the threat dynamically and in real time. As we continue to run our models and experience more and more samples, our products get smarter and smarter.

Q: Webroot describes itself as a vendor of next generation endpoint technologies. How exactly do such products build on the capabilities of previous generation endpoint tools?

Lonas: Next-generation protection accounts for the evolving nature of threats. Ransomware is, without a doubt, one of the biggest threats facing organizations today. According to our own research, 97 percent of malware is polymorphic and unique to the specific endpoint it infects. Part of the problem is the rate at which polymorphic malware is developing, resulting in thousands of new strains each month. Traditional endpoint technologies use a signature-based detection, which keeps a stagnant list of "good" and "bad" files and websites. This list, and the power to process it, must live on your device, taking up valuable hard drive space. And, these lists also are only as good as their latest update. When faced with the overwhelming amount of polymorphic malware in the threat landscape today, a static list of signatures can't keep up.

I wish we had been able to build more on previous generations of endpoint security tools – in reality we had to start with a clean sheet design in many ways. Webroot developed a dynamic, cloud-based, multi-tenant solution. The less-than-1-megabyte software agent installs on your machine in less than a minute and quickly checks URLs, websites, files, and applications against our constantly evolving list of behaviors and Internet objects and their threat reputations. This allows our SecureAnywhere products to flag objects that haven't previously been identified as malicious, but are now displaying suspicious or malicious behaviors. That means we catch Internet objects that wouldn't yet be on any signature-based list.

Q: At Black Hat USA 2016, Webroot hosted several live booth presentations on the threat landscape and the importance of contextual analysis in detecting and mitigating threats. As a Platinum Sponsor, what is your main focus at the show this year?

Lonas: We will continue to focus on the threat landscape and how we use machine learning and artificial intelligence to stay ahead of the threats. However, we also launched some new capabilities and services earlier this year and plan to showcase them. One I'm particularly excited to share with attendees is our new Webroot SecureAnywhere DNS Protection solution. Leveraging the Webroot BrightCloud Web Classification, Web Reputation, and IP Reputation Services, SecureAnywhere DNS Protection defends devices at the most basic level of internet communication, the Domain Name System (DNS). Tightly integrated with Webroot SecureAnywhere endpoint security, SecureAnywhere DNS Protection deploys in minutes to reduce web threats by up to 90 percent, enforce web access policies across 82 URL categories, and lower liabilities and costs. These benefits are especially important because more than 85 percent of infections are generated through web browsing.

We also developed BrightCloud Streaming Malware Detection to further address the challenges of unknown polymorphic malware, as well as targeted malware in general. This new tool enables organizations to detect malicious files in transit at the network edge in real time. It places advanced machine learning models directly on perimeter security appliances to make extremely fast and accurate determinations about incoming files without needing to download them in their entirety. The technology makes determinations on files at a rate of over 5,700 files per minute—over 500 times faster than network sandboxing. Users determine the threshold at which files are blocked or routed for further investigation, helping to focus limited resources on the most pressing threats.

Sustaining Partners