Interviews | May 11, 2018

Black Hat USA Platinum Sponsor Interviews: iboss, Mimecast, SecureAuth + Core Security, Synack, and Vectra

Paul Martini
CEO, Co-Founder, and Chief Architect


Q1. iboss's 2018 Enterprise Cloud Trend survey suggests that many enterprises still do not fully grasp how the cloud works. What are the most common misconceptions that people have when it comes to cloud security and privacy concerns?

The most common misconception is that every cloud architecture requires you to put your data into a monolithic cloud that shares resources among all customers. While all clouds utilize multi-tenant platforms, there are options that enable customers to maintain control of data and performance. This naturally leads to concerns around data privacy, cost of maintenance and migration, compliance, and complicated infrastructure. Many of these concerns aren't unfounded, but they also aren't completely legitimate. There is an array of cloud types and delivery models that both laymen and tech pros aren't aware of that address many of the top concerns found in the 2018 Enterprise Cloud Trends Report head-on. This indicates that most people are only imagining the traditional "monolithic" cloud architecture that underpins some of the most popular SaaS offerings.

In truth, the cloud as we know it comes in an array of shapes and sizes. For instance, in traditional monolithic clouds that don't give customers unique gateway collections and control of where their data resides, high-demand tenants are going to usurp bandwidth and support from their neighbors in the data center, resulting in latency and other performance issues when there simply aren't resources or power to support optimal cloud access for all. Further to this, the cloud provider sets the schedule for data center updates and the associated downtime that will affect their servers. This takes away the ability for customers to schedule their own cloud downtime, meaning access might be restricted regardless of an individual customer's business needs during that period. While these drawbacks can make a cloud transition seem daunting for many businesses, there are clouds that operate with a multi-tenant platform but still enable customers to maintain control of their data.

Q2. How do your company's technologies help organizations address those concerns? How is your Distributed Gateway Platform different from other cloud security technologies and services?

The iboss Distributed Gateway Platform is a scalable comprehensive cloud network security solution that eliminates the need for data backhaul. Its elastic multi-tenant platform delivers web gateways that aren't shared among customers, providing better network performance and greater control. Because each customer gets their own, dedicated gateway collection, iboss is the only vendor that allows customers to control versioning and upgrade cycles. These features make iboss the ultimate security platform for teams that are adopting cloud solutions en masse, as the platform addresses the issues that most concern IT decision makers.

Using the iboss Distributed Gateway Platform, data privacy is a non-issue, since customer data is never mixed. iboss' multi-tenant platform dedicates cloud gateway collections for each user, rather than mixing customer data in a monolithic cloud environment. That means that each iboss customer has complete control of their cloud gateways, making each a secure environment for customer data. Dedicated cloud gateways can live in any of iboss' global data centers, or customers can install cloud-delivered physical gateways on-premises to meet regulatory standards. This flexibility eliminates many of the concerns around data protection regulations like GDPR.

Because the Distributed Gateway Platform is sold as a subscription, there is no additional cost of maintenance and the cost of migration is simplified, as companies don't need to rearchitect their networks for deployment. Users can also eliminate the need for expensive backhaul connections by moving their gateways to an all-cloud environment or leveraging physical cloud-delivered gateways to replace their legacy, on-prem appliances. And regardless of the configuration, all of a customer's network security can be managed through a single pane of glass with a holistic view of all network activity, alleviating the concerns regarding complicated network infrastructure by streamlining security operations from the top down.

Q3. What topics/trends do you expect will dominate the conversation at Black Hat USA 2018 and why?

Black Hat is the premier venue for new research on attack methods and hacks. The trends will naturally follow the most important research areas of any given year and 2018 will feature a lot of talks on advanced threats, IoT, and cloud security.

Advanced threats are always at the forefront of Black Hat, but this year will be particularly interesting given the political climate and the ongoing debate about cyberwar. These nation-state level attacks are more advanced than the everyday attacks most enterprises are dealing with on a day-to-day basis. However, it's important to remember that these are highly targeted, and most enterprises should focus more on protecting against those everyday threats.

For the last several years IoT and connected car hacks have made big news at Black Hat and this year will be no different. As consumers and enterprises continue to increase the number of devices they're connecting, this type of research is important because it forces people to think about the vulnerabilities of these connected devices. It also shows the lack of concern many device manufacturers have about security and cements the need for enterprises to focus on IoT security at the network level, rather than relying on baked in security.

All of this will be talked about under the cloud umbrella. Most large organizations have realized that the world is moving to the cloud and it's time to adapt whether they like it or not. Gone are the days that you could create a defined network perimeter to protect your most sensitive data and equipment. That's why iboss is focused not only on the latest attack trends and prevention techniques researchers publish at shows like Black Hat but how to deliver them directly to users and devices.

Marc French
Data Protection Officer

Janet Levesque
Senior Vice President, Systems, Risk and Security


Q1. Marc, Mimecast's recent Email Security Risk Assessment tests showed thousands of known malware and impersonation attacks easily getting past enterprise email security defenses. What's going on?

Our quarterly Email Security Risk Assessment (ESRA) provides insights on the effectiveness of incumbent email security systems. Interestingly, our latest quarter's assessment reports that these systems missed 11,653 emails containing known malware. This malware should be the easiest to identify, as it is detectable by commonly deployed endpoint-based anti-virus technologies. This tells us that organizations are still skipping out on the basics of good security hygiene and deploying a defense-only strategy. We believe a defense-only security strategy is not designed to protect against the level and volume of advanced attacks. Continuing to invest in disparate technologies and focusing on a defense-only security strategy will lead to consequences like intellectual property loss, unplanned downtime, decreased productivity and increased vulnerabilities. Organizations need to embrace cyber resilience for email, a strategy that empowers organizations to secure, preserve and continue the flow of information via email. Cyber Resilience for Email is Mimecast's framework to help prepare organizations for every stage of a cyberattack – before an attack happens, running during an attack or failure, and finally the ability to recover data and other corporate IP after an incident or attack occurs.

Q2. Janet, talk to us about Mimecast's API Developer Portal. What specific issue is it designed to address and how does it do that?

The API Developer Portal is designed to extend business and cyber resilience for email with a consistent, scalable and uniform API. The portal is a dedicated site for developers to easily access sample code, documentation and pre-built integration packs. APIs unlock valuable data and give organizations unprecedented flexibility in using Mimecast services. As cloud adoption continues to increase exponentially, companies need to break data silos and integrate solutions into existing processes. The Mimecast API already processes millions of requests per day and is a key enabler for many Mimecast services and applications. Now customers and partners can visit the portal to use the same API to take advantage of Mimecast security and archive data, integrate to existing applications and harness important email risk management services.

Q3. Marc, one of your immediate missions is to drive Mimecast's efforts to support GDPR. What exactly are the implications of GDPR from an email standpoint and what are you doing to help customers comply with the statute?

Mimecast is committed to GDPR compliance across our products and services when enforcement of the law comes into effect and will provide GDPR related assurances in our contracts.

We are dedicated to helping our customers comply with GDPR. We have closely analyzed the requirements of GDPR and are working to make enhancements to our products and documentation to help support our customers' GDPR compliance journey.

Q4. Janet, what are Mimecast's plans at Black Hat USA 2018? What is your main messaging at the event?

Email remains the number-one business application used by companies and is also the number-one threat vector used to execute cyberattacks. Our focus at Black Hat will be on sharing what we've learned over this last year. Everything from our latest Email Security Risk Assessment to the framework we call Cyber Resilience for Email, as well as demonstrating the latest attacks getting through today.

Chris Sullivan
SecureAuth + Core Security

Steve Laubenstein
GM, Pen Testing Solutions
SecureAuth + Core Security

Q1. Chris, what exactly is Adaptive Authentication? How does it work and what's driving the need for it?

Passwords are ineffective. 2FA is not enough—every form has been beaten. Typical solutions are "one size fits all", whereby every person is required to use a second factor for authentication whenever they try to access. This slows business down. What is needed is a more intelligent approach that incorporates "situational awareness of risk" into the authentication process – and for the first time allows companies to have both high levels of security while at the same time reducing friction in the process. Adaptive authentication evaluates numerous risk factors in a fraction of a second immediately prior to logging on. Things like geo-fencing/geo-velocity, threat feeds, malicious IP, fraudulent device/recently ported device are used to determine contextually whether or not someone trying to gain access should be stepped up – or down as the case may be – as they authenticate.

Adaptive authentication makes passwords obsolete and adds the necessary intelligence to multi-factor authentication to make it efficient and effective in preventing the misuse of credentials. Any 2FA can be beat, but can you beat 10 at once? And if you have 10, does the password even need to be one of them?

Q2. Steve, how does the latest version of the Core Impact penetration-testing tool build on previous versions? What are some of the new capabilities in it?

Impact is a comprehensive penetration-testing platform that we are continually improving to make pen testers more effective and efficient. For example, we recently expanded Impact's phishing capabilities. Pen testers can now clone websites in real time, making it easier to launch phishing campaigns and improve the effectiveness of their efforts. We are about to release newly expanded web application pen testing capabilities in Impact that have been driven by requests from our customers. We are constantly releasing new commercial-grade exploits, which are filterable, so you know potential consequences before running them. We are committed to enhancing the capabilities of Impact and have some exciting things coming.

Q3. Chris, what are some of the trends shaping the identity and authentication space? How is SecureAuth+Core Security responding to those changes?

For too long, Identity and authentication have been kept separate and siloed from security operations and governance. Yet more than 80% of breaches involve some misuse of credentials – either valid or stolen; it comes back to the human element. Companies are finally realizing that you can't deter, detect and remediate cyber risk without considering access. For instance, using a visual approach to replace endless spreadsheets to accurately and easily understand who in an organization has access to what rapidly helps a company identify who is over-provisioned or where Segregation of Duty violations may exist. Adding where they have accessed from or how often they are locked out significantly enhances audit and governance. Knowing which employees are the biggest risks when it comes to phishing attacks is essential to stepping up security appropriately as opposed to universally. And being able to augment incidents with full identity context and attack paths automatically allows companies to detect and stop breaches in minutes instead of months, or prevent them altogether. The convergence of Identity and Authentication as equal partners in the cybersecurity equation will create a force multiplier for the SOC and keep enterprises safer than ever before possible.

Q4. Steve, what do you want attendees at Black Hat USA 2018 to know about your company and its products/services?

Silos of security within a company are not working. Being that the vast majority of breaches are credential-related, SecureAuth + Core Security have developed Identity Security Automation – a new approach that integrates the missing link of Identity to strengthen an enterprise's overall cybersecurity position. ISA tears down barriers by creating intelligent intersections between network, endpoint and Identity to help companies become more effective and efficient in preventing, detecting and rapidly responding to threats. At the heart of ISA is Security Risk Analytics, which uses machine learning to assess vulnerabilities and anomalous activity and automatically respond to it. From identifying attempted logins from compromised devices to recognizing over-provisioned employees to understanding individual employees' susceptibility to phishing attacks, ISA has the capacity to situationally address risk in real-time and step-up or block access altogether. Identity Security Automation connects the dots across the entire threat surface to make individuals, enterprises, and governments safer and security teams more effective.

Jay Kaplan
Founder, CEO


Q1. Why is crowdsourcing cybersecurity a good idea? How do enterprises benefit from it?

The security industry's talent shortage is growing faster than any other industry and it's also one of the only industries where computers simply can't replace the creativity of a human. Would you trust Siri with your security? Most industries and governments are under constant fear of attack, and crowdsourcing ethical hackers as part of an offensive security solution gives organizations access to hundreds of trusted and highly-skilled cybersecurity experts who approach security problems like the adversary sees them.

Enterprises benefit from crowdsourcing cybersecurity by going beyond compliance standards to find exploitable vulnerabilities that often remain undetected by other solutions. However, if a CISO or a security team leader committed to merely take a "crowdsourced" approach to testing, they would be missing some key benefits. With Synack, it's not just "crowdsourced testing", but it's "managed, controlled, and data-driven crowdsourced testing".

Synack's crowdsourced security testing helps our customers triage, patch, and manage vulnerabilities found by our crowd of ethical hackers. We provide our customers with Coverage Analytics so that security teams can see the number of researchers on the project, hours spent testing, and number and type of attack attempts to help them better understand the thoroughness of the testing. Our customers also receive an Attacker Resistance score, which shows them how strongly their assets stand up to attack, helping them benchmark against the industry average, prioritize resources, and manage their risk.

Q2. What has your experience as a penetration tester taught you about enterprise readiness to deal with existing and emergent cyber threats? Where do the biggest gaps exist?

During my time as a member of the DoD's Incident Response and Red Team and as a Senior Computer Network Exploitation and Vulnerability Analyst at the NSA, I saw firsthand that adversaries were swimming through networks with relative ease. Often they used known vulnerabilities as points of entry, but in others, they leveraged common vulnerabilities that should have been discovered (but weren't) by a testing team. Traditional solutions were leaving exploitable vulnerabilities unknown and undiscovered.

There are a lot of gaps left by traditional pen testing. I see those as: delayed start-up times; point-in-time testing on a semi-annual or annual basis; limited testers with variable skill sets; a system based on billable hours instead of incentives; and limited support following the final deliverables.

The fact of the matter is, cyber adversaries are persistent, creative, and evolving. The incoming threats to an organization are constant. Not only are the threats constant, but an organization's digital systems change often with new software releases, code changes, network configuration updates, etc., meaning their attack surface is constantly changing as well. A pen test will help the organization achieve compliance, but, realistically, it won't protect them from a breach. If you aren't testing regularly, you're leaving vulnerabilities open for an adversary to exploit.

It's important for security teams to cover those gaps in order to effectively defend against and even outpace the adversary. Organizations need to look for solutions that are on-demand, scalable and flexible, continuous, utilize trusted experts, incentivize based on findings, controlled, data-driven, and able to effectively mitigate their cyber risk.

Q3. Why is it important for Synack to be at Black Hat USA 2018? What do you want attendees to know about the company?

Corporate security teams, undoubtedly, are feeling the burden of trying to manage a myriad of vendors, recruit and retain scarce talent, and stay on top of a constantly changing digital landscape. Synack comes to Black Hat as not just a bug bounty platform or a pen-testing provider, but as a true partner to current and future customers.

Bug bounties have been gaining traction in the past year, which is good for the industry, because they are proving to be more effective than traditional testing at finding unknown vulnerabilities. However, it's no small task scoping assets for testing, recruiting and vetting hackers, reviewing vulnerability submissions, paying hackers for their findings in a timely fashion, remediating valid vulnerabilities, and extracting testing metrics to review results. A CISO needs more than a platform to take on these tasks without further burdening the security team.

Synack's managed and controlled approach to crowdsourced testing utilizes the power of technology alongside the creativity of humans. This technology empowers our crowd of hackers to find more critical vulnerabilities and it also allows our customers to view and track all testing traffic on their assets.

When resources or budgets get tight, people tend to make compromises. Synack is at Black Hat this year because we stand for zero compromise. That means zero compromise in trust, consistency, talent, incentives, reputation, ethics, efficiency, and results. Without any form of compromise, we stand behind both our crowd of ethical hackers and our growing base of customers, with total respect for the work done by our hacker crowd and with high regard for the security teams trying to protect their organizations under a lot of scrutiny and pressure.

Chris Morales
Head of Security Analytics

Oliver Tavakoli


Q1. Chris, why has AI become so critical to detecting and responding to cyber attacks these days? How do you see the use of AI evolving over the next few years in the cybersecurity context?

Time is the most important factor in detecting network breaches. There is a significant amount of time it takes an attacker from initial infection of a system inside the network until the point that the attacker can find and steal data. In the Equifax breach, it took 60 days from the time attackers first exploited external facing web servers until they could compromise internal databases. Unfortunately for Equifax, it took their security team 78 days to first notice the compromise. Reducing the time to detect and time to contain an incident can significantly mitigate the cost of a breach, and possibly prevent it.

To achieve efficient incident handling, security operations needs to avoid bottlenecks in their process. Bottlenecks can occur due to too much "white noise," alerts of little consequence or false-positives that lead to analyst "alert fatigue." This is where human judgment alone of what is an incident becomes a problem. Humans simply cannot operate at the necessary scale to make decisions at the needed speed.

We have three choices here. Hire lots of highly skilled people – a good SOC team needs at least 10 analysts; augment existing analysts and junior staff using AI to create repeatable process and the ability to manage large volumes of data at scale; or give up. I clearly believe the correct and most achievable option is number two.

There are many things we have already done with AI around automation of the detection and response process. Over the next few years I think we will see the further application of AI to those repetitive and tedious tasks that slow down human analysts which are perfectly suited to machine learning techniques.

Q2. Oliver, you are a proponent of conducting red team exercises for assessing a blue-team's readiness to face or stop an advanced attack. What do security managers need to know about conducting an effective red team exercise?

The test of an effective red team exercise is whether it reasonably approximates what an attacker would need to do to carry out a realistic threat scenario.

Organizations need to start by setting a reasonable goal for the red team—for example, stealing intellectual property from servers deep in your data center—and allowing the team a reasonable amount of time to accomplish the goal. Goals that are too easy don't stress test the organization's defensive capabilities. Goals that are nearly impossible to accomplish don't progress far and also don't reveal much about the organization's blue team capabilities. And if the time limit for the red team to accomplish its goal is too short, it will either cause the team to rush—and be discovered due to carelessness—or prematurely end what would have been a successful attack.

If the red team is intended to mimic an outside attack, the constraints that an outside attacker would have should be imposed on the red team as well. This means no foreknowledge of the target network and which assets contain the crown jewels. It means controlling a compromised asset from the outside rather than sitting on-premise pretending to do so.

Finally – make sure the red team keeps a good record of exactly what they did and when. This is critical as it enables security managers to analyze exactly what the blue team missed and how improvements in tools and techniques can help close the gaps.

Q3. Chris, do you see AI eventually eliminating the need for security analysts? Or, is there always going to be a need for human involvement in threat investigations and analytics?

Human beings alone, no matter how skilled, won't have the bandwidth to handle the tsunami of security data, cacophony of alerts, and plethora of security tools. With hyper growth in the attack surface and threat landscape – and constrained by limited security analyst resources and capabilities – enterprises need to augment their teams with artificial intelligence to automate the detection of threats and response to security incidents. But we still need security analysts. I would not trust a machine to make decisions alone.

What security needs is the combination of both man and machine. Machines are good at tedious, repetitive tasks, such as detection, triage, and prioritization of real time alerts. Security analysts are good at providing unique human insight and capabilities to the information presented by artificial intelligence. Machines then apply automation of tasks to the response actions needed to contain an attack. In this way, you end up with a process combining the best of both man and machine to reduce the time to detect attacks.

Q4. Oliver, why is it important for Vectra to be at Black Hat? What are you hoping attendees will take away from Vectra's presence at the event?

Black Hat is unique in that it brings us in contact with a healthy mix of hands-on security practitioners as well as CISOs and SOC managers. As one of the premier events on every security professional's calendar, Black Hat represents an opportunity for Vectra to reconnect with a huge number of customers and prospects and to inform them on the progress we've made in our journey. And given the rapid pace we're innovating at, the pace of change after a few months can actually be transformative.

We hope all attendees come away from Black Hat realizing that the confluence of ML and AI and cybersecurity is yielding significant benefits today—and [that] it will continue to get better.
