Interviews | May 12, 2017

Black Hat USA Sponsor Interviews: Darktrace, Optiv Security, Proofpoint, Inc., Rapid7, and Trend Micro

Nicole Eagan

Justin Fier
Director of Cyber Intelligence and Analysis


Q: Nicole, Darktrace announced last quarter that it had secured over $150 million in Total Contract Value. What's driving enterprise demand for your technology? What specific business issue is your technology helping enterprises address?

Nicole Eagan: With over 2,400 deployments across 64 countries, there's certainly been an unprecedented demand for Darktrace's AI technology and we believe that to be largely a result of the new cyber and business landscape. The breaches of the past year have made one thing clear: we've entered a new era of cyber warfare characterized by silent, stealthy, and advanced cyber-threats. These subtle threats can remain hidden in a network for an average of 146 days before being detected by traditional tools – and at that point, it's already too late.

Further, new attacks that require less human interaction are increasingly being launched, and they can wreak havoc on an entire network in a matter of minutes. Automated threats like these are far easier to detect and stop with automated defenses – machines will be fighting machines on the battleground of corporate networks. The key issue at hand is that threats have become extremely difficult to detect, a challenge compounded by a complex business landscape. The proliferation of non-conventional IT, like IoT devices and cloud and virtual environments, means that organizations are suffering from an underlying lack of visibility. You can't protect what you can't see.

Darktrace's ‘immune system' technology represents the first successful implementation of AI in cyber security. Powered by unsupervised machine learning, it is capable of learning ‘normal' for enterprise networks and identifying subtle deviations in real time, before they can become a crisis. It monitors every user and device across every type of network environment, and it detects and responds to threatening anomalies in real time. And not only does Darktrace's technology spot threats in their nascent stages, it automatically takes precise and proportionate action to neutralize threats, without disrupting normal business operations.

Q: Justin, how can AI and machine learning make security products smarter? What sets your technology apart from others?

Justin Fier: Traditionally, AI has been attempted through rigid programming designed to try and define what ‘bad' is in advance. Up until this point, the technology was supervised, fine-tuned, and trained. It struggled to scale, evolve, and work across every type of business environment, despite the fact that modern networks are incredibly complex entities, containing millions of constantly changing data points, where billions of events take place every day. Darktrace's technology differs in that it uses unsupervised machine learning and AI algorithms to learn the unique ‘pattern of life' for every network, device, and user on a corporate network.

Darktrace's AI detects the slightest, most subtle anomalies in networks of any size – from 12 to 400,000 users – and across every industry vertical. Manual threat hunting has become tedious and unreliable, but unsupervised machine learning has automated the process on a previously unimaginable scale. While humans will always have a vital role to play in cyber security, Darktrace's technology augments security teams with the first proven application of AI for the enterprise.

Our machine learning algorithms require no additional training or configuration. The technology deploys in less than an hour and immediately starts learning. It instantly provides a visual overview of the entire network, including cloud and SaaS applications and Industrial Control Systems. The technology grows with the network, constantly updating its understanding of normal and learning the most effective actions to take. And most importantly, it's the only technology capable of automatically fighting back against in-progress threats, taking precise, defensive actions to slow or stop threats at the earliest possible stage.

At the end of the day, Darktrace helps take the burden off the analysts, allowing them to focus on only the most important threats and work on innovative and proactive projects. We need to be working smarter, not harder.

Q: Nicole, tell us a little bit about Antigena and why you believe technologies like these are critical to enterprise cyber security efforts?

Nicole Eagan: In this threat landscape, we're seeing threats constantly evolve to become faster and more sophisticated. Automated attacks like ransomware spread in a matter of seconds. Employees may jeopardize security with just a few clicks, accidentally or otherwise. It has become impossible for security teams to keep up with the pace of threats amid dynamic enterprise environments.

Darktrace Antigena completes the functionality of the Enterprise Immune System by autonomously and surgically responding to these threats in real time. The technology works like a ‘digital antibody': it intelligently takes defensive action when a threatening anomaly arises. By selecting and executing the most effective response based on the specific context of the threat, its responses are surgical. For instance, Antigena can terminate anomalous connections that are indicative of ransomware without disrupting normal business operations. What makes the technology so powerful is its ability to automatically enforce the ‘pattern of life' for users and devices the moment they start to exhibit signs of threatening behavior.

The actions at Antigena's disposal are vast. When Antigena detects a sufficiently threatening anomaly, it can stop anomalous connections to foreign IPs, prevent devices from communicating with unauthorized users, slow down unusual data transfers, and isolate infected devices and suspicious users. At its core, Antigena's AI technology creates a dynamic boundary for users and devices. When they deviate from normal activity, Antigena is automatically triggered to remediate the situation – taking action that could prove crucial in preventing an anomaly from escalating to a crisis.

Q: Justin, how will Darktrace use its presence at Black Hat USA 2017 to drive home its product and services messaging? What are you hoping enterprises will learn about your company?

Justin Fier: We are excited to be at Blackhat USA this year to educate the market not only on the types of threats we see every day but the different types of machine learning available, and how the immune system approach is fighting back on behalf of enterprises.

Darktrace is the first company in security to successfully build a company around AI and genuine unsupervised machine learning. We look forward to explaining to attendees the difference between various types of AI, and how to break through the buzz to find technology that can scale, evolve, and truly learn ‘normal' for networks in real time.

Our technology has been deployed in networks of every size, across every industry, and in many different network designs. To date, it's detected over 30,000 serious cyber-incidents that other tools have consistently missed. We plan on walking through some of the most unique threats we've found: from malicious insiders running underground bitcoin mining operations to infiltrated internet-connected fish tanks.

At the end of the day, the technology speaks for itself. Darktrace's tried-and-tested AI technology will be on full display at Blackhat. Come by our booth (1548) for a demo of our Threat Visualizer, and watch our technology in action as it both detects and responds to emerging threats.

Stuart Solomon
Senior Vice President, Security Solutions and Operations
Optiv Security


Q: How will enterprises benefit from your recently launched Cyber Threat Intelligence-as-a-Service offering? What specific pain point is it designed to help address?

Stuart Solomon: Today most companies take a completely reactive approach to cyber security, but identifying when and how an organization may be attacked by a cyber threat requires a more proactive strategy. Cyber threat intelligence enables good decision-making and contextual understanding of the threat environment for analysts and machine-enabled interactions during the analytical as well as response and remediation phases of security operations.

Optiv's approach to cyber threat intelligence includes bringing together a combination of people, process and technology that helps clients assess their threat landscape and maturity level before implementing a cyber threat intelligence program that better detects, analyzes and remediates threats in real-time.

Optiv's technology-enabled cyber threat intelligence-as-a-service offering is powered by a cutting-edge technology platform from IntSights and delivered by Optiv's dedicated team of cyber threat intelligence and security experts. The combination of Optiv's extensive cyber security consulting expertise; the analytical and contextual approaches deployed by its global threat intelligence center within the Optiv managed security services division; and IntSights' technology helps organizations monitor for threats beyond the traditional network perimeter and provides them with focused, prioritized and actionable intelligence. As a result, companies can create informed, proactive security policies, more accurately define cyber risk and rapidly mitigate identified threats.

Q: What do organizations need to understand about building a strong incident response capability? How are your services geared towards helping them address the challenges involved in building a robust IR capability?

Solomon: Incident response (IR) is a critical aspect of any overall security strategy. However, a solid incident response program is something many organizations – large and small – either lack entirely or don't take seriously enough.

A robust IR program should be proactive instead of "event-driven." IR planning too often is viewed as a single project instead of an ongoing, constantly changing program. The plan has to be a living document that is constantly tested, reviewed and updated to account for lessons learned, changing industry conditions and/or environment upgrades and installs.

Key capabilities for an incident management program should include:

  • Verify that a security incident has occurred (and prioritize based on potential impact to the business)
  • Collect and investigate the incident (log capture and analysis)
  • Orchestrate response and remediation efforts across the organization (including third parties and cloud vendors)
  • Remediate or mitigate the incident
  • Report for regulatory and legal evidentiary requirements

Optiv helps clients discover and respond to cyber security incidents and events of all kinds. Our services include securing the scene, defining the scope of the compromise, collecting and analyzing data related to the event, and issuing a report documenting the findings. We also focus our expertise to help clients proactively plan for potential incident response and more holistic crisis management scenarios. Additionally, we offer technically enabled and cyber threat intelligence informed proactive services to assess breach potential within client environments, and to enable proactive monitoring services.

Q: Optiv has a pretty broad portfolio of security products, services and solutions. Which of them do you plan on focusing on at Black Hat USA 2017 and why?

Solomon: Optiv is proud to be a market-leading provider of end-to-end cyber security solutions. We have extensive capabilities and proven expertise in cyber security strategy, managed security services, incident response, risk and compliance, security consulting, training and support, integration and architecture services, and security technology. We are excited to showcase these capabilities to Black Hat USA's broad audience of technical and senior-level security professionals and business executives in the industry. We will participate in the Business Hall (#1008) and are planning various other activities for that week to take full advantage of this great opportunity.

Ryan Kalember
Senior Vice President, Product Marketing
Proofpoint, Inc.


Q: Business email compromise (BEC) attacks have grown sharply in recent months and the FBI has estimated that such scams have cost businesses some $3 billion worldwide so far. What can organizations do better, or more of, to mitigate the issue?

Ryan Kalember: Organizations need to incorporate two forms of BEC into their threat models, each of which can be mitigated in a different way. The most well known variant of BEC is the inbound spoofed email, which claims to be from an executive, a vendor, or anyone else with whom the organization conducts business via email. These are pure social engineering attacks, and typically don't contain a malware payload. However, well-configured email gateways leveraging machine learning can detect many of the techniques these attackers use, including display-name spoofing and reply-to spoofing.

The second category of BEC includes attacks that never hit the email gateway at all. Third parties, such as supply chain partners and vendors, are often the targets of these attacks, which can affect any transaction or business process that is conducted or changed via email.

Q: Tell us a little bit about Proofpoint's recently launched unified fraud and phishing detection and protection technology for social, mobile, web, and email. How does it move the needle forward in helping enterprises address email and phishing scams?

Kalember: Attackers now clearly target people and not infrastructure, and understanding those threats requires looking well beyond the traditional perimeter. In addition to the wave of BEC, 2016 was a record year for both enterprise and consumer phishing. Cyber criminals continued to expand their efforts to target people via social media and mobile apps, in addition to email. Our digital risk services are designed to help organizations understand who is impersonating them via fraudulent emails, social media accounts, mobile apps, and web domains, all presented in an integrated interface with full workflow to remedy the identified risks.

Q: Proofpoint is a Platinum Sponsor of Black Hat USA 2017. What is your main theme at the event and why?

Kalember: Our main theme is visibility beyond the network, which in our view is at the nexus of three major trends. First, attacks are targeting people via social engineering – it's harder and harder to find vulnerabilities and exploit them, but it's still viable to trick someone into running your code, giving you their credentials, or even sending you sensitive information or money. These attacks are difficult to detect via traditional forms of security visibility, such as logs, endpoint alerts, or network alerts. Second, key workloads such as email and collaboration are moving to the cloud, and sensitive data is moving with them. Third, the consumerization of IT has changed the attack surface for the typical organization, with SaaS applications, BYOD devices, mobile apps, and social media all serving as vectors to target users and the data they have access to.

We're devoting ourselves to giving our customers visibility into these types of threats. First, you need to be where the threats are: cloud email, SaaS applications, social networks, and mobile app stores. Second, you need to detect them, even when they don't contain malware, as is the case with spoofing attacks, credential phishing, and even malicious mobile apps. Third, you need to put the threats in context. This means understanding the risk to the organization in terms of sensitive data exposed by the attack, as well as understanding how targeted or widespread the attack is, and what motivates the threat actor involved.

Lee Weiner
Chief Product Officer
Rapid7


Q: Rapid7 recently announced some enhancements to the Rapid7 Insight platform. What exactly are they and how will your customers benefit from the additional capabilities?

Lee Weiner: Rapid7 Insight is a next generation analytics platform for security & IT professionals. The Insight platform collects a very broad set of security & IT data from the endpoint – to the cloud – and then delivers pre-packaged analytics that are utilized in purpose-built applications built on top of our platform. The cloud-based platform makes it possible for security and IT professionals to share data, research findings, and analytic-processing resources. It significantly reduces the overall total cost of ownership inherent with on-premise, analytics-driven solutions, and automatically scales to meet the needs of users, helping to solve challenges presented by rapid data growth for both security and IT.

Recently we announced two new applications delivered on our platform, InsightVM and InsightAppSec. InsightVM builds on Rapid7's vulnerability management solution, Nexpose, and now leverages the power of the Insight platform to provide live answers to security professionals' most critical questions. InsightVM gathers continuous data, whether via agents or agentless, to provide security professionals with increased visibility into the risk posed by their entire network footprint, including cloud, virtual, and endpoints. InsightAppSec is designed to provide security professionals with an ability to assess modern web applications, easily finding flaws found in web applications and helping developers remediate those flaws. Enabled by the Rapid7 Insight platform, InsightAppSec streamlines results to provide more comprehensive visibility, instantaneously.

Q: One of Rapid7's main value propositions is that it helps make it easier for organizations to unify and analyze operational data from across systems. Why has this become such a critical need from a security standpoint?

Weiner: As businesses evolve and increase their use of technology to drive employee productivity and deliver better customer experiences, resulting in business growth, the need to gain visibility, manage risk and improve operations is critical for businesses to succeed. Without the right information at the right time, it's impossible to accurately understand what's happening or act quickly to take control of the outcome. Security & IT teams today are forced to rely on a plethora of point solutions, and they are drowning in fragmented data, with little to no insight. This results in a lack of confidence that security and IT professionals are taking the right action at the right time, creating risk and uncertainty for organizations. Our solutions and expertise harness the critical information essential to advance and protect an organization's best interests. We make it simple to unify operational data across systems, and our advanced analytics unlock the information required to securely develop, operate, and manage today's sophisticated applications and services.

  • Rapid7 shines a light on blind spots to uncover hidden network and application vulnerabilities, risky user behavior, asset misconfiguration, cloud service usage, IT operations issues, and more.
  • The company delivers the advanced analytics that allow security, IT, and operations to collaborate effectively to analyze risk, detect attacks, prioritize remediation, measure the impact of their actions, and respond at the moment of impact.
  • With automation and a maniacal focus on simplifying, we eliminate data drudgery and liberate technology professionals from the burden of manual busy-work so you are free to focus on more strategic, high-impact projects.
  • Armed with the right insight, at the right time, making the right impact — our customers finally have the clarity, control, and confidence they need to move their organizations forward.

Q: Rapid7 is a Platinum Sponsor at Black Hat USA 2017. What do you expect will be some of the major themes at the event this year?

Weiner: Rapid7 has a long history of participating at BlackHat and engaging with the security community. It really is an opportunity for us to share our research and demonstrate our commitment to the community. The last year has demonstrated that we continue to see a high amount of activity in the threat landscape, and it will be interesting to see how different verticals and businesses are managing this dynamic. As an example, a lot of research coming out of the connected device world (things, cars, homes) is really showing us that we have a lot of work to do to ensure the safety of the future connected world that we are living in.

Justin Foster
VP, Hybrid Cloud Security
Trend Micro

Q: What are some of the unique security challenges that enterprises face in implementing and managing a hybrid-cloud environment?

Justin Foster: When adopting a hybrid-cloud strategy, the first challenge for an enterprise is inevitably tooling. Organizations have always been used to hardware compensating controls, like firewall and IPS, at the perimeter of their datacenter. Even some software-based security can be challenged by the diversity and pace of change in the cloud. Tools often don't account for the diversity and rapid update of Linux-based operating systems, or agile features like auto scaling.

Once they overcome this challenge and adopt cloud friendly tools, the perennial issue of security skills shortage still stands in the way. There are often too many tools, too few skilled resources and not enough budgets to meet the complex compliance, identity, and data protection requirements that come from adopting a hybrid environment.

The other challenge comes from a rather unexpected place—procurement. Organizations move to the cloud partially for the agility and shift to an OpEx model. Too often, security is still stuck in the past, failing to provide options that fit the swift movements of a modern cloud environment. Today's savvy security buyer expects per-hour, zero-commitment options that allow them to burst and vary the number of workloads every hour.

Ultimately adopting a hybrid environment can mean reevaluating organizational structures, policies, procedures and how security is integrated into the fabric of a deployment. This challenge presents an incredible opportunity to innovate, streamline and reduce the overall cost of securing modern hybrid environments.

Q: How does Trend Micro help address some of these challenges? What do you see as the fundamental value add that Trend Micro brings in this space?

Foster: Trend Micro has always been at the forefront of technology and infrastructure change. We saw the rise of virtualization and were the first to offer agentless security for virtual environments. We anticipated the development of the cloud and invested heavily very early in the birth of public cloud.

Now hybrid environments are the new normal. Most organizations have not just one cloud provider, but a set of trusted cloud providers in addition to on premise resources that form an overall cloud of clouds. This unified cloud needs a unified approach to security in order to reap its true benefits.

Trend Micro offers tools designed to meet the complex security and compliance requirements of these environments and treat a diverse hybrid environment as a single entity. This means a consistent policy and unilateral visibility across the hybrid cloud, from a tool designed to fit platforms like a glove.

What we uniquely offer this space is a single security control with a cross-generational blend of threat defense techniques. Our solutions, powered by XGen security, apply the right security controls based on the context of the environment. Most importantly, we ensure the tools fit cloud environments by offering per-hour pricing with no commitment, full automation and the broadest coverage for cloud environments.

We recognize the industry-wide shortage of skills and have designed our solutions to operate with minimal time spent configuring and monitoring. Automation is critical to overcoming the challenges of the skills shortage and putting the focus back on proactive security. After all, a customer once told me, "I don't want to be told when I have been breached, I never want to be breached in the first place!"

Q: Trend Micro has often used Black Hat as a platform for highlighting trends, discussing new threats or demonstrating various things. As a Platinum Sponsor at Black Hat USA 2017, what do you expect your main focus to be at the event?

Foster: The information security field is fast paced. Our research has shown that there are now 500,000 new unique threats that are created every day to get at valuable information. What may be surprising is that 90% of malware variants only impact a single device. There are more network-facing vulnerabilities than ever and attacks, like the recent Struts 2 flaw, cause a high impact on servers worldwide. Unfortunately, the user is often the weakest point in any organization with 74% of attacks beginning with a simple phishing email.

When it comes to emerging threats, our international team of researchers predicts an increase in challenges with APIs being compromised for command and control, and a growing trend in threats to IoT and ICS/SCADA. No matter if it is smart homes, smart factories, smart cities or smart vehicles, as more devices are connected, security becomes more critical to organizational success than ever. With a strategy that is all about anticipating and adapting to the evolving IT and threat landscape, Trend Micro is in a unique position to protect against these threats before they reach your business.

At the show, our focus will be on our XGen security, a new class of security software that addresses the full range of ever-changing threats—now and in the future. We believe that there is no silver bullet when it comes to protecting your organization, so XGen security delivers a cross-generational blend of threat defense techniques that includes high fidelity machine learning, app control, behavioral analysis and custom sandboxing, and intelligently applies the right technique at the right time.

Our show theme this year is out of this world, literally. We take our visitors on a trip through deep space, using metaphors to show how a blend of security controls is the answer to creating a strong information security practice.
