Q: More than 80 percent of the respondents in F5's recent ‘State of Application Delivery' survey said they are moving to a hybrid cloud environment to take advantage of the increased flexibility and cost advantages. What are the security implications of this trend for enterprises?
Mike Convertino: The security implications can be very significant and center on the loss of visibility into application behavior, logging, and control. Most IaaS providers don't provide a sufficient level of visibility into the SDN structure that services your applications, nor do they provide the same level of auditability expected out of typical datacenter security components. Some don't even have parity with industry best practices in the logging from virtual firewalls that they provide. IaaS providers pass the responsibility for security down to the customer to carry out at the instance level.
It gets even worse when you make the move to SaaS solutions. SaaS providers often provide even less visibility to how security controls are enforced and provide even less visibility to monitoring tools. The net result is a markedly decreased security level.
Our focus is on restoring visibility into the behavior of your cloud apps by providing a high performance view into all application traffic, allowing organizations to dynamically add additional layers of intelligence to their security portfolio. The F5 security platform is designed to enable organizations to mitigate confidentiality risks by authenticating and authorizing the right people to the right information, while providing data integrity and availability by effectively countering application attacks.
Q: How can DevOps help improve application security?
Convertino: I've heard that sometimes security people think of DevOps as an ungovernable group of cowboys that thumbs its nose at any restriction – including security restrictions. The truth is that DevOps needs security and security needs DevOps. With the increasing number and the rise in effectiveness of attacks versus applications today, DevOps already recognizes that it needs security embedded in its core development and testing elements from the start. It must, in order to ensure the survival of the business and its reputation.
Developing both feature verification and security tests at the beginning of the development process ensures that that previously released features don't regress and new vulnerabilities are not opened. Speed does not have to be the enemy of security; proper orchestration and automation can be the key to quickly identify security flaws and accelerate the release schedule.
DevOps done right is the very future of security. We view our solutions as an important part of an application's infrastructure, offering the ability to rapidly enforce protection against issues exposed in orchestrated testing, while keeping the speed and flexibility of the DevOps agile model intact.
Q: What do you want attendees at Black Hat USA to know about the trends that are driving the need for technologies such as those from F5?
Convertino: Consumer-led work styles and mobile-first approaches have paved the way for "anytime, anywhere" access to data. There's an app for everything: organizations now offer a variety of apps to both employees and consumers to drive greater productivity, meet business demands, and ultimately achieve a superior competitive advantage. But, as organizations deliver a higher volume of sensitive data through applications, they introduce a higher level of risk.
It's a given that today's users are everywhere, and the apps they rely on can be anywhere—from private datacenters to the public cloud.
Technology is clearly trading convenience for visibility. Cybercriminals are taking advantage of this, targeting the identities used to access data and apps themselves – knowing that attacking these far-flung resources is far less likely to be noticed than storming the front gates of an organization's own datacenter. It takes a fully integrated set of security solutions that restore enterprise app visibility, but it doesn't stop there. The same solution must protect privacy, simplify and integrate identity and authentication, protect them from intrusions, and halt volumetric and computational denial of service threats in any environment.
Q: Core Security's recently introduced Core Insight 5.0 adds attack intelligence capabilities to vulnerability management. What exactly does attack intelligence mean in this context and how does it help improve vulnerability management programs?
Chris Sullivan: In the world we live in, virtually all of the major breaches have been at companies and agencies that regularly scan for vulnerability. Even though they regularly scanned and patched what they thought were dangerous exploits, 99 percent of the time, the breaches were due to an exploit that had patches available for more than a year. Seems counter intuitive but the problem is that scanners overwhelm security teams with too many things to fix and some of these fixes can be hard or you simply don't know which ones are more dangerous than the others.
Core Insight already uses more than 60 parameters to personalize what these vulnerabilities mean to your enterprise. This is done to help you understand which vulnerabilities really need to be fixed so that you, and your colleagues across the company, can focus on a smaller set of real issues. Attack Intelligence takes this to another level. It uses a property graph to analyze vulnerabilities across complex network paths and considers how an attacker might pivot through your defenses. By thinking like an attacker, we can truly understand things like potential access to credit card data or PHI. Path A might use all high risk vulnerability but require 20 exploits. Path B might use all medium levels but if it also requires 80 exploits—which path is more vulnerable?
Q: Courion and Core Security are working together on new products that combine vulnerability management with access risk management capabilities. What's the benefit here for enterprises?
Sullivan: When we consider merging the two companies, we did so because we knew that the universal answer to "What's the fastest path to admin rights, or root, or intellectual property or card data, or those process that control the nuke plant?" was that nobody knows. Well, our adversaries know, but the security world is fragmented and our adversaries hide in the cracks. The classic access governance world looks at people and accounts and their rights. The classic vulnerability management world looks at infrastructure access. No one could see across both of them until now. Now we can see which vulnerabilities are the most threatening and then ask "If this machine was compromised, what access would that expose? Which people and accounts? What do they have access to? Are they privileged, orphan and/or abandoned?" This provides over-burdened vulnerability managers a much better answer about what needs to be fixed first.
At the same time, access managers worry about what the most scary accounts are and if controls are commensurate with their risk? How can you answer that without knowing if the infrastructure you use is vulnerable? We are investing across all products because we do not envision these worlds merging, but each one is better with context from the other.
Q: What do you want the audience at Black Hat USA 2016 to know about evolving identity, governance and management and vulnerability management requirements?
Sullivan: Attendees have a lot to think about, it's a challenging world. Everyone attending wants to deter inappropriate access to information and processes. In case that fails, they need to detect issues and then need to remediate them quickly. There's a lot of appropriate ways to do this but if all comes down to access. With a continuous, comprehensive, current and historic view of the attack paths, you can really understand the risks, you can manage down the high ones and you can think about where IoCs (indicators of compromise) can or did pivot to very quickly. Most importantly, you can remediate the issues efficiently, effectively and in a time scale that matters.
Q: How have endpoint security requirements changed in recent years?
Stuart Solomon: Endpoint security requirements have changed as threats have changed. For many years security products, that included an endpoint agent were shunned by clients due to their potential impact to performance and user experience. Today, IT operations and security operations teams have been inundated with malware incidents of all types. Too many of these incidences [involve] very sophisticated software, which may require the system [to] be completely re-imaged.
All of this has led to a desperate situation where the victims are forced to search for supplemental or alternative solutions to their more traditional endpoint defenses. The industry has responded by creating new endpoint defense software. This generation of software goes by many names and use new methods for prevention, detection and response including machine learning techniques, kernel level system activity recording, and Big Data storage and data mining technologies, to name a few.
Endpoint defense software providers are responding to new threats by aggressively adding new capabilities every day. A few of the most valuable features are making their way into the industry nomenclature becoming new endpoint security requirements in the eyes of potential buyers.
With these "next-gen" technologies, the endpoint segment of the market is not a homogeneous one anymore. It now involves signature-based antivirus, next-gen antivirus, endpoint monitoring and DLP capabilities, as well as endpoint management. It also includes segments of the user behavioral analytics market.
Q: How exactly do Optiv's clients benefit from the recent acquisition of Advancive LLC?
Solomon: With the identity market continuing to grow and evolve quickly, coupled with the involvement of identity and access management (IAM) in addressing the root causes of data breaches and insider threat, the need for identity solutions is greater than ever. Optiv's acquisition of Advancive brings together two leading IAM organizations to solve client identity problems in new and innovative ways. With this move, we provide global organizations with a single source for all their identity-related needs. Our company will offer expanded identity and access expertise and offerings, create new IAM services and solutions, and have global capabilities to better help clients plan, build and run holistic IAM programs that meet business objectives.
More specifically, the acquisition provides Optiv clients with greater benefits through improved access to resources, capabilities and solutions, including:
Q: Accuvant and FishNet Security merged and launched the Optiv brand at Black Hat USA 2015. In the nearly one year since then how has the merged company evolved? What do you want attendees at this year's Black Hat to know about Optiv?
Solomon: Optiv has done remarkable things in a very short amount of time. Our clients have made us the market-leading provider of comprehensive cyber security solutions, with $2B in sales in 2015. We have more than 1,200 cyber security experts dedicated to help clients plan, build and run successful security programs. From the most strategic to the most tactical and technical, we partner with our clients to work on projects, solve problems or build programs. As we look to the future, we are committed to innovating, researching and developing new solutions that meet the evolving needs of business.
Q: Studies have shown that 95 percent of state-sponsored attacks rely on phishing, spearphishing and other email-based techniques. What does it take to stop these attacks considering that a lot of them depend on some kind of human interaction to succeed?
Ryan Kalember: Most truly serious attacks are extremely targeted, and involve new attacker tradecraft. Stopping state-sponsored attacks requires a security ecosystem that discovers and blocks email-based threats before they reach the people they target. Email security systems need to assume social engineering and anticipate users will try to click on malicious emails, open infected attachments and dangerously send/store confidential information.
Supplementing legacy email gateways with targeted attack protection and automated threat response, while securing confidential data, are all crucial aspects of stopping state-sponsored attacks. Effective email security needs to use dynamic and static techniques to analyze behavior and code of both URLs and files. Most advanced threat solutions only look for malware executables, system anomalies or scan data, but attacks like credential phishing do not necessarily start with malware.
Solutions need to be built on threat intelligence that finds connections between attacker traits, and is adaptable. The tactics used to defend against attackers rapidly become obsolete. The ability to defend against a specific known attack is less important than the ability to adapt on a consistent basis—and stop the previously unseen attack attempt.
Q: Business email compromise (BEC) has emerged as a major threat to enterprises over the past year. What's driving the trend? What can organizations and consumers do to protect themselves?
Kalember: The recent surge in BEC emails is part of a larger cybercrime trend—fooling humans into becoming unwitting accomplices in the quest to steal information and money. Attackers are moving away from technical exploits and are exploiting human curiosity and trust. Because these threats do not use malicious attachments or URLs, they can evade security solutions that look for only malicious content and behavior. Stopping BEC emails requires a solution that can dynamically analyze the attributes of all email as it arrives and detect anomalies that reveal the threat.
Employees should be suspicious if they receive a request for unusual information or a wire transfer via email, even if it appears to come from a high-level executive. Check the reply-to email address and always call to confirm. If a vendor changes their wiring instructions over email, call them to confirm. If the CEO requests a significant transfer that is unusual, call to confirm it. If the email header has a warning from your email security system, such as a subject like [BULK] or [SUSPICIOUS], then contact the vendor directly on the phone, do not enter the invoice for payment.
Q: Do you see email security being a topic of high interest at Black Hat USA this year considering the concerns around BCE? What are you hoping attendees will be able to take way from Proofpoint's presence at the show?
Kalember: Yes, email is the top channel for targeted attacks and is a top concern. We hope attendees walk away with concrete ways to protect their people, data and brand from advanced threats that attempt to exploit their email channel, mobile apps and social media properties.
Employees need to be able to use email, social media platforms and mobile devices safely—from any location. An effective security infrastructure needs to take these varying communication channels into consideration or it will be outpaced by cybercriminals who are constantly evolving their techniques.
