Interviews | May 10, 2019

Organizations Often Underestimate Data Exposure Risks, Sponsors: CyberVista, Demisto, Digital Shadows, ObserveIT

Simone Petrella
Chief Cyberstrategy Officer

Q1. What are the biggest challenges that organizations face with respect to cybersecurity training for the workforce?

By far the biggest challenge organizations have is prioritizing training, and then taking action to appropriately identify and implement it. It is so difficult to find talent, and many employers have been struggling to fill critical job roles for six months or more. In this type of environment, the first reaction is to try and find a candidate with the experience and skills you need immediately. While it makes sense to invest in workforce and training initiatives as part of a longer-term solution - like identifying a pool of up-and-coming talent you can train into cybersecurity positions - the reality is that this type of strategy and execution ends up taking a back seat to anything perceived as a short-term solution.

The next biggest challenge is that once an organization commits to training their workforce, they often quickly realize it's impossible to appropriately target training without a comprehensive understanding of their actual cybersecurity job roles and functions. We've worked with so many companies that have taken the critical first step and are committed to a mid and long-term strategy that upskills their workforce, only to find out that they don't have a real understanding of their own needs—or the needs of their staff. Understanding the skills inherent (and learned) in each of their cyber roles is a good start. But more importantly, starting with a baseline that benchmarks staff already in these roles is necessary to efficiently and effectively target training curriculum and solutions. That is why we always advocate for, and build into all our programs, an assessment prior to accessing any and all training interventions. It makes sense with regard to the other challenges any organization is looking to balance: time, money, and results.

Q2. What are the hallmarks of an effective security-training program for employees and for executives?

I alluded to this above, but method and structure of training really matter whether you're an entry-level employee or a seasoned executive (or even board member!). Effective programs provide 1) some level of assessment that gives the learner a baseline of their knowledge and abilities from the onset; 2) engaging, interesting and accurate content that contains conceptual knowledge with real-world perspective; and 3) applied learning and opportunities to reinforce what's been learned whether through cyber ranges, case-studies, expert interviews, or practical exercises.

Q3. CyberVista announced new partnerships and a new product line at Black Hat last year. What can we expect from you this year?

We are extremely excited to build upon our learning recipe for success. We're rolling out skills-based cybersecurity training content and programs that are driven by the demand from the many employers we've worked with and cover the critical skills found most lacking through our analysis and assessments of various cybersecurity teams and functions. We dedicated the last year to developing a framework and NIST-mapped skills solution that can re-skill talent (say, from IT to security) and upskill current talent between job roles. Not only do we provide comprehensive content and innovative delivery in a flexible learning environment, but it is also affordable, coming in at half the cost of current training and bootcamp providers. Last but not least, we have invested in building a program that also has integrated talent analytics, including an extensive reporting package that helps career managers and cybersecurity executives track progress and measure a return on their workforce investments.

Rishi Bhargava

Slavik Markovich

Q1. Rishi, how will enterprise organizations benefit from Palo Alto Networks' recent purchase of Demisto?

Under the Palo Alto Networks umbrella, we plan to align the innovation and agility of our existing solution with the scale, go-to-market nous, and strong product base of Palo Alto Networks. Enterprise customers can leverage Demisto to standardize processes across their product stack and accelerate response times with automation. We have strong integrations with existing Palo Alto Networks products that we plan to further improve with time. That said, our open and extensible integration network has been a cornerstone of our success and we plan to redouble our efforts to increase integrations across the board (including non-Palo Alto Networks products).

Q2. Slavik, what trends are driving demand for SOAR technologies? How do you see SOAR capabilities evolving over the next few years?

SOAR drivers:
For us, the key drivers fall under two buckets. Firstly, security alerts are rising at a rate not compatible with accurate human review. This is a result of multiple security products reading overlapping data and throwing up alarms, often without cross-product correlation. Moreover, these products are understandably set to a high sensitivity, resulting in a large number of false positives that security teams need to wade through every day.

The second key driver is the scarce resources at the disposal of SOC Managers and CISOs today. Financial resources are scarce because top management is more discerning of security tool investment now, expecting CISOs to justify any purchases with quantifiable ROI. Human resources are scarce as well, with the well-documented cybersecurity skills gap slowing down both hiring and retention rates of security analysts.

Well implemented and thought out security automation can help mitigate both these challenges.

SOAR evolution:
As SOAR matures and customers get more familiar with harnessing its power, we see evolution along two fronts:

  • Use cases beyond the SOC: SOAR's general-purpose workflow automation can be used across a range of use cases, both security and operational. We've already seen deployments in cloud security, vulnerability management, and OT. We see SOAR evolving to cater better to these use cases and to unify processes across disparate teams.
  • Standardization of playbooks: Playbooks (or runbooks or workflows) are currently standardized within a product but not really shareable across ecosystems. We hope to see a 'common language' developing that enables sharing of enforceable processes across customers and products.

Q3. Rishi, what's your advice to organizations that want to automate the response process but are unsure where, or how, to begin? What do they need to understand about implementing a SOAR capability?

We've written an entire book about this, but I'll provide the gist here:

  • The maturity of your SOC will play a critical role in guiding your path to SOAR. Relatively less mature SOCs with little to no processes will utilize SOAR for case management capabilities. More mature SOCs that already have processes but are dealing with rising alerts will utilize SOAR for orchestration and automation capabilities.
  • To start your SOAR implementation, figure out which security products you have that will be relevant integrations into your SOAR solution. A good mix of integrations with detection products (like a SIEM), enrichment products (like threat intelligence), and enforcement/response products (like EDR and firewalls) will be ideal.
  • Pick 1-2 common use cases to pilot your SOAR implementation. These use cases will be alerts that have high volume, involve multiple products, and have many high-quantity actions that can be automated. We find phishing to be a good initial use case.
  • Decide the roles and privileges of people that will be using your SOAR solution. Decide levels of ownership for different teams, assign roles (such as playbook creator, tier-1 analyst, and so on), grant and restrict access according to roles, and so on.
  • Verify your deployment and pricing preferences against the vendor options available to you. Do you want the product on-premise or hosted on the cloud (or a mix of both)? Are you more comfortable with consumption-based or user-based pricing? These answers will vary from organization to organization.
  • Once your use cases have been implemented, ensure that the correct metrics are being measured to assess the performance of your SOAR solution. Is it reducing response times? Is it catching false positives? Which actions (that are currently manual) can be automated in the future?

Q4. Slavik, what do you plan on highlighting at Black Hat USA 2019? What do you want attendees to know about the newly merged entity?

We plan to highlight the latest version of Demisto with more out-of-the-box options for common use cases. We also plan to showcase some new and improved integrations with other Palo Alto Networks products.

Rick Holland
CISO, VP of Strategy
Digital Shadows

Q1. What are some of the most common misconceptions that organizations have when it comes to understanding data loss risk?

Organizations often believe that they have less exposure than they actually do. Digital Shadows' research discovered more than 1.5 billion files were exposed across online file stores, containing documents ranging in topic from employee payroll information to enterprise penetration tests. These points of data exposure are also not necessarily controlled by the organizations themselves, as third-party suppliers may handle large amounts of sensitive data including purchase orders or even email communications. Although S3 buckets have received high media attention, FTP databases, SMB file shares, and rsync servers still account for a much larger chunk of the overall pie when it comes to data exposure.

Another misconception is that the data exposed, whether it is employee PII or email communications, will be directly used for identity fraud or a Business Email Compromise attack. In our most recent report, A Tale of Epic Extortions, Digital Shadows noted that stolen data could often be used to directly extort a payment from the organization to which the data belongs. One of the more prolific threat actors responsible for this activity, thedarkoverlord, has repeatedly stolen sensitive data from organizations for the purposes of extortion attempts, and recently adopted a crowdfunding model to source payments in exchange for the release of documents and email communications between insurance providers and legal teams.

As organizations continue to digitally transform their business, data is continuing to expand outside the control of its owners. By taking a holistic approach to addressing the risks of data loss within the network perimeter, as well as monitoring beyond your organizational boundaries, companies can begin to get a more complete picture of their digital risk.

Q2. What are some of the trends driving the recent increase in cyber extortion attacks? What do organizations need to know about these attacks?

Extortion-style attacks increased in 2018 according to the FBI, rising 242% from 2017, resulting in a reported $83 million in losses. The majority of the complaints handled by the IC3 were related to the mass sextortion campaigns being distributed in the latter half of the year. Sextortion, mass email campaigns designed to scare victims by threatening to publish extremely sensitive details about the user's online browsing habits, was a trend Digital Shadows extensively tracked throughout 2018. Though these claims were not true, unsuspecting victims would understandably take the threat seriously as the emails contained the user's credential information for specific services. Going back to the exposed data question from before, this was a new way that public breach information was being used in cybercriminal schemes. From the 792,000 attempts of sextortion we witnessed, attackers gained more than $332,000, likely from regular everyday people. I acknowledge that this is not the entire sextortion picture, which is the most alarming part; thousands of other victims more than likely paid a sextortion demand because of the highly personal and emotional response these campaigns evoked in their recipients.

Ransomware attacks, which serve as another form of technical extortion, can cripple an organization. Any amount of downtime for an organization is potentially lost revenue, and the potential brand damage which can be associated with a poorly handled ransomware response can potentially be more harmful than the attack itself. Organizations should have clear guidelines and walkthroughs on how to approach ransomware attacks should they fall victim; the response should involve not only technical teams but public relations and legal departments as well.

Q3. What are Digital Shadows' plans at Black Hat USA 2019? What do you plan on highlighting at the event?

Security and threat intelligence teams are increasing their understanding of threats and issues from outside their perimeter. Unfortunately, this is often a massive time suck. When trying to cover new sources of intelligence, it's easy to be quickly overwhelmed by false positives, as teams often lack the time to go and wade through all these alerts. Worse still, even if this is all achieved, the information is rarely actionable. With growing regulatory and compliance pressures, this is not sustainable.

As the market leaders in Digital Risk Protection, Digital Shadows will be showcasing how to quickly triage and remediate phishing, fraud, data loss, and account takeover risks. This includes taking down domains before they're used in phishing campaigns, validating DLP controls and removing exposed data, and detecting exposed employee credentials.

Mike McKee
CEO & Founder

Q1. Why do most organizations have such a hard time identifying and mitigating insider threats? What are some key requirements for effective insider threat management?

Managing the threat from the inside can be an incredibly challenging task for cybersecurity teams because users need access to critical systems and data in order to perform their jobs, so it is possible, even likely, for nefarious actions to be disguised as employees, contractors or third parties doing their respective jobs. Organizations that treat insider threat management more holistically than as "just" a cybersecurity problem are set up for greater success in identifying and eliminating insider threats. The requirements for managing insider threats include:


  • Insider threat management should be a team sport that includes, at least, cybersecurity, HR and legal. Depending on your organization, worker councils, privacy, compliance and individual business units may be appropriate partners. Build a governance council with leaders from [these] key groups to sponsor the program
  • The insider threat risk vector comes in both accidental and malicious forms. To tackle the accidental form, all users need both positive reinforcement of following good security hygiene and real-time training when they violate company and security policies. Use this opportunity to improve the perception of cybersecurity by providing alternative paths or technologies to users when users violate security policies


  • Elect a champion within your insider threat governance council
  • Ensure the organization has security policies around data security and user behavior within critical systems and with sensitive data
  • Update the existing or create an Incident Response playbook to triage alerts and investigate potential incidents involving employees, contractors and third parties
  • Create a process for capturing feedback to improve the process


    Look for solutions that provide or enable:
  • Comprehensive visibility into user and data activity at the endpoint, application and network layer across the enterprise
  • Easy-to-understand context when triaging alerts and investigating security incidents
  • Proactive detection of unauthorized access and activity, accidental or negligent behavior, data exfiltration and nation-state sponsored threat actors
  • Rapid response capabilities

Q2. How exactly are data analytics tools, methods and techniques helping improve insider threat detection and management?

There are four categories of risky behavior that we need to detect in order to manage insider threats comprehensively:

  • Unauthorized access or activity
  • Accidental/negligent behavior
  • Data exfiltration
  • Nation-state sponsored threat actors and other sophisticated hacking

The common thread is that these are wrought by users with knowledge about your systems and data. In the recent past, detection engines have improved to monitor and analyze user behavior across data, applications, endpoints and networks they interact with. No single statistical technique – be it machine learning (ML), deep learning or simple correlation – can detect all the individual threat vectors. Hence, companies are using multiple detection engines to detect the variety of threat vectors employed by potential insider threats.

The more successful proactive threat intelligence techniques have been in finding patterns of behavior similar to known examples of past insider threats. This is where ObserveIT has focused its attention. Based on Carnegie Mellon's CERT Institute and customer research of past incidents, we compile a regularly updated insider threat library of the most common technical risk indicators. Today, that stands at 320+ risk indicators based on past incidents. Our customers use these as templates to proactively detect early signs of insiders on the track to causing harm to the organization, their customers or their employees.

Q3. Why is it important for ObserveIT to be at Black Hat? What can attendees at the event expect to see and hear from your company?

Black Hat brings together the best technical cybersecurity professionals from companies of all sizes, across all industries and from all around the world. At the event, we have the opportunity to learn from attendees how they are thinking about protecting themselves from insider threats, where they are in the steps of building out an insider threat program to include the optimal people, processes and technology. Our team enjoys sharing with conference attendees our experience in helping our 1,900+ customers as they identify and eliminate insider threats within their organizations.

This year, we're excited to show how ObserveIT's Insider Threat Management platform helps organizations expedite investigations (by as much as 90% according to the CISO at an insurance technology firm) through gaining rich context and deep visibility into insider threat scenarios such as data exfiltration, privilege abuse, unauthorized activity and accidentally insecure behavior. We'll be having some fun throughout the event. Stop by the ObserveIT Sponsored Workshop on Wednesday August 7th to hear our Head of Security, Chris Bush, speak about insider threats, investigations and the importance of context. Don't forget to come say hi at our Booth 1000 and learn more about ObserveIT, the leader in insider threat management.