This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Interviews | May 19, 2017
Black Hat USA Sponsor Interviews: Cybereason, F5 Networks, iboss cybersecurity, Malwarebytes, and SentinelOne
Q: Lior, you have advocated the need for enterprise cyber security teams to take a more law-enforcement like approach to addressing security threats. Why is that necessary and how do your technologies help enable that approach?
When police officers investigate a crime, they assume that there was malicious intent behind the perpetrator's actions. Every action taken by the bad guy was intentional. Law enforcement also looks over every piece of evidence in an attempt to piece the crime together. One strand of hair can change an entire investigation, for example.
As information security emerged from IT, it was developed with an IT perspective. Unfortunately, that perspective hinders our ability to face security issues. By that I mean an IT perspective assumes bugs or machine failure by default, and doesn't necessarily include the belief that malicious intent is behind a security alert.
Security professionals are often too eager to remediate an incident. Instead of looking for evidence of a larger, more complex attack, they quickly try to close the ticket. Again, this is also how IT approaches security. In IT, success is measured on how quickly you close tickets. But in security, this approach can result in missing the entire attack. You may have discovered malware on a few machines and immediately wiped them. But the attackers could have wanted this. They know that each malicious event is treated as a singular incident. By not closing the ticket so fast and taking a deeper look, you could have discovered an APT that the attackers also planted in your environment.
Cybereason was built with the assumption that malicious adversaries will be able to compromise the network and will make an effort to hide their tracks. It specifically look for signs of attacker activity in the network and connects all these disparate points together to form a full attack picture. The technology monitors endpoints, collects data and queries that data to detect malicious activity. This lets the good guys really understand the entire threat and remediate it completely.
Q: Yonatan, what do organizations need to understand about the use of machine learning in cyber security? What are some of the biggest misconceptions that exist around it presently?
One of the biggest misconceptions around machine learning is that silicon will replace carbon. In other words, some fancy technology will make humans obsolete. Well, security analysts aren't going away anytime soon. Machine learning is meant to make people more effective by removing blind spots and enabling better decision making, not take their jobs.
We can't outsource security to machine learning since no algorithm can never fully understand human intention or decide between right and wrong. Remember, there are people behind every attack. The ransomware that locked your company out of its files didn't write itself. Someone had to compile that code. Machine learning can't compensate for how the attacker thinks, despite all the hype around the technology.
Deciphering the attacker's intention is the role of the analysts. Machine learning is a tool that allows them to make that translation. Machine learning technology excels at parsing and making sense of the reams of data companies collect faster than a human can. Humans can't cross-correlate, in real time, data from a huge corporate environment, see emerging patterns in that data and check to see if these are just abnormalities or a security incident. Machine learning closes this gap so that humans can use this information to decide the best course of action.
Another misconception is that machine learning will allow security teams to set and forget their procedures. They think security is done because machine learning will detect all bad activity. Security is never complete. The adversaries will always find new ways to get around your defenses. This ties into my earlier point that there's intention behind every attack. There may not always be a pattern for machine learning technology to use since the attacker will always change his tactics. Maybe he won't follow a predictable pattern that an algorithm can understand.
Q: Lior, Cybereason has attracted significant investor interest recently. What's it about your company and its offerings that, you believe, sets it apart from others in this space
We think like the enemy. Many of our employees worked for government agencies that conducted offensive cyber operations. We approach information security with that attitude that the bad guy needs just one small chance to successfully infiltrate a target. But this gives the good guys many opportunities to discover malicious activity since attackers aren't invisible. They always leave some clues.
We're not saying to build a higher or bigger wall, which has been the common message from security vendors. We're saying that the bad guy will get in, but you can use this to discover their activities and stop them from doing more damage.
From a technology perspective, there are a few differences. First, we don't look to harm IT environments, a rule that security companies are notorious for ignoring. We collect data with sensors that do not slow endpoint performance. Second, we truly monitor environments in real time. There's no delay from when the data is collected on the endpoint to when it's sent to our hunting engine.
We also automate a large portion of the threat hunting process by asking millions of questions about the data that's collected. The data doesn't require manual querying by an analyst. With other technologies, there tends to be threat hunting with an asterisk. Sure, the technology gathers the data but a person has to query it. What analyst really wants to query the tons of endpoint data that an organization collects?
Lastly, our technology looks at data from every point. Not one or a handful. This matters because what's happening on one machine could look minor when viewed just on that machine. But viewed in context of what's happening on other endpoints, the incident could show that a more advanced attack is occurring.
Q: Yonatan, Cyber threat hunting was a major focus area for Cybereason at Black Hat USA 2016. What is your focus this year and why?
One area we're focusing on is ransomware, which is a concern for everyone from enterprises to average users. Attackers have really taken an interest in using this threat vector since they can reap huge profits with minimal efforts and there's little risk of getting taught. The fact that criminals made at least $1 billion from ransomware attacks last year is astounding. The only way to stop ransomware is to make this these attacks unprofitable for the bad guys. To help achieve that goal, we developed a free anti-ransomware tool called RansomFree. We wanted to do something that would benefit everyone, not just major companies, and give back to the security community.
Our other area of focus for the year is this notion of deep security. We understand that adversaries are using a variety of tools, attack vectors and methodologies to achieve their goals, and we have to evolve to address them. This is why our technology not only covers malware-based attacks. It covers malware-free and fileless malware attacks. It looks at attacker behaviors that cannot be identified based on rigid rules, like signatures and hashes. And as the attack surface grows, we also grow our capabilities to address it. From endpoints, to servers, to IoT, we are looking to cover the entire computing power of the organization, since everything is hackable and everything is connected.
I still think organizations still take a siloed approach to security. They understand that defenses are needed but see them as being applied to one machine or one section of their company. There isn't a real effort to approach security holistically. We're hoping the concept of deep security will change that.
Q: How does F5's new Herculon security product line help address the evolving application security requirements of enterprises?
The F5 Herculon series of security products are built purposefully for the use of security professionals as opposed to [being] an add-on for other devices and software. There are two products in the line right now and they are the Herculon DDoS Hybrid Defender and the Herculon SSL Orchestrator.
DDoS Hybrid Defender is a managed service which combines the ability to simultaneous leverage our Silverline high-volume anti-DDoS service in the cloud with a presence on your local network. It allows our Silverline team tight control of all high-volume traffic headed to your network.
Herculon SSL Orchestrator allows our customers to quickly and securely decrypt traffic entering their network and feed it to a variety of devices and software to inspect it for malicious content. The "decrypt once and inspect with many" model decreases Total Cost of Ownership (TCO) by offloading the burden of decryption from other devices and hardware, reducing the load on them, speeding them up and extending their useful life. The decrypted traffic can then be fed to other devices and software such as an intrusion protection system through a "Service Chain" for inspection. Many services chains can be defined for each type of traffic.
Q: F5 has assembled a team of security industry experts, including you, to gather and analyze global threat intelligence and application threats. How will this benefit your customers and complement the capabilities of your products and services?
First, our team of security industry professionals will directly benefit current customers of our security products through specialized threat feeds and highly accurate threat analytics, and integrations with our many security partners to provide them the ability to automatically discover, block and mitigate attacks. This is an expanding business for us from both a product and service perspective. Second, we will publish and contribute our threat research findings to provide the greater security community our insights and foster more sharing of findings and strengthen the community itself.
Q: F5 organized a Cipher Challenge at Black Hat USA in 2016. It is a Platinum Sponsor at Black Hat USA 2017. What are your plans for the event? What is your main focus?
We are definitely going to come out with an even more challenging Cipher challenge to test your mettle, but I will not reveal the grand prize so that we can keep it a surprise! We will also have a number of interesting talks by our threat researchers from around the world about our latest research cued up for our in-booth theater. Additionally, we will have demos of our security products including an opportunity for some hands on keyboard for those interested. New to F5 this year is our participation in two Sponsored Workshops on Thursday July 27th [between] 11am -1pm. In these workshops our experts will discuss TLS – trends in encryption and IOT – the rise of death star sized botnets. Lastly, look for updates about how to join us Wednesday evening the 26th at Border Grill – we'll be there starting at 7pm for small bites, drinks and discussion.
Q: Tell us a little bit about your recently launched iboss Distributed Gateway Platform SaaS offering and how exactly enterprises will benefit from it. What do you see as its primary value-add in this space?
The iboss Distributed Gateway Platform is built for the cloud, so it can defend today's complex and distributed networks. It features an elastic, node-based architecture that easily stretches and scales without the need to ever buy and manage expensive on-premise appliances again.
Enabling greater deployment flexibility than any other solution, the iboss Distributed Gateway Platform uses cloud gateways to secure remote offices and mobile users without the cost and hassle of backhauling data, along with optional local gateways to secure data at headquarters without the need for network rearchitecture. By removing the need for backhaul appliances and expensive VPN and MPLS links, the Distributed Gateway Platform delivers immediate ROI and reduces future costs of increasing backhauled bandwidth.
The iboss Distributed Gateway Platform fundamentally redefines the way cybersecurity is delivered and managed. Its revolutionary architecture consists of nodes – self-contained, non-shared components that deliver cybersecurity functionality and link together to provide unified protection for your organization. Because all cloud and local gateways are non-shared, customers benefit from overall system security, including complete control over change management schedules.
This unique architecture allows for the drop-in replacement of legacy SWG appliances with no disruption to the existing network topology, configuration, or processes, which shortens implementation time and reduces costs. Additionally, it provides on-demand scalability, enabling customers to easily add target capacity and capabilities to support organizational growth, increased bandwidth, and evolving requirements for device support. And regardless of whether gateways are deployed locally or in the cloud, all features, functions, policies, and security services are consistent across the distributed enterprise, regardless of device or location.
The iboss Distributed Gateway Platform is offered as a one hundred percent software as a service (SaaS) subscription. This industry-first pricing and packaging approach completely eliminates the need to purchase hardware and makes managing future growth predictable.
Q: iboss prides itself on challenging the status quo with its technologies and its delivery models. What specific shortcomings in legacy, hybrid, and all-cloud SWG options are you helping to address with your distributed model?
Traditional on-premise, hybrid, and cloud-only SWG appliances simply don't meet the needs of modern, distributed businesses. Legacy solutions either attempt to bolt on cloud capabilities to old-school appliances, or force a move entirely into the cloud.
With more mobile and remote workers using cloud-based applications, legacy SWG appliances are obsolete. These workers generate more data, requiring costly data backhaul bandwidth and additional SWG appliances. SWG vendors have approached this problem in one of two ways: hybrid or cloud-only solutions.
With hybrid solutions, legacy appliances process traffic at headquarters. A separate, cloud-based SWG manages remote and mobile traffic. This means administrators need to manage two separate systems -- a time-consuming exercise. From the user perspective, the two systems often lack feature parity, creating operational issues and weakened security.
Cloud-only SWG services require expensive network overhauls to run security in the cloud. This is costly both in terms of budget and resources. In regulated industries, cloud-only SWG solutions create compliance issues where organizations cannot guarantee the location of their data. Additionally, the multi-tenant infrastructure of cloud-only SWG solutions reduces change management control, resulting in poorly timed system updates.
The iboss Distributed Gateway Platform meets the needs of distributed organizations by addressing these challenges. Its elastic, node-based architecture eliminates the need for backhaul bandwidth appliances and expensive VPN and MPLS links. With the ability to replace legacy SWG appliances with no disruption to the existing network, implementation is fast and affordable.
iboss customers can scale seamlessly through a 100% SaaS subscription model. iboss also gives control back to its customers with non-shared cloud and local gateways that give the customer the ability to manage update schedules.
And most importantly, the iboss Distributed Gateway Platform is delivered with uniform policies, capabilities, and system management across the entire enterprise, improving overall security while reducing complexity.
Q: Why is it important for iboss to be at Black Hat USA 2017? What is your key messaging at the event this year?
Organizations are constantly faced with competitive pressures that force them to adapt their business. While an organization's technology strategies and resources should keep pace with these changes, the reality is they often lag behind. This creates a gap between how people work and how the IT infrastructure supports them. When the gap becomes too big, many problems arise, including security risks, operational disruption, compliance violations, skyrocketing costs, and poor user experience. Organizations using legacy secure web gateways lack a clear solution to these challenges, leading to escalating costs and user dissatisfaction.
At Black Hat we will be talking about how most organizations have shifted from centralized to distributed operations, and what that change means from a cybersecurity perspective. They can't continue to backhaul the skyrocketing amount of bandwidth as legacy secure web gateways require. By leveraging its system of distributed gateways iboss eliminates this challenge while simultaneously providing advanced security for all users, regardless of location.
For many organizations, compliance is one of the biggest challenges they face. In addition to defending against advanced threats, they need to ensure they are complying with regulations like HIPAA, GDPR, CIPA or PCI all while fighting against budget constraints. They need a security system that can pair advanced defense with the quality audit trails and reporting required by most compliance programs.
Black Hat is where security industry gathers to discuss how we can defend against the advanced threats facing organizations around the world. It is our responsibility to provide solutions that can keep businesses safe without hindering their operations or growth. We're looking forward to discussing how iboss is helping achieve that goal with our peers and how the Distributed Gateway Platform is revolutionizing the Secure Web Gateway space.
Q: Malwarebytes' Global State of Malware Report earlier this year described 2016 as the year when cyber threat reality finally caught up to threat hype. In what way did that happen and what are the implications for enterprises?
Globally, sophisticated threats became accessible with the advent of ransomware kits, known as "ransomware as a service." Tools such as these enabled script kiddies—mal-intent individuals with minimal technical skill—to join the threat landscape, creating the largest volume of attacks that we'd ever seen.
As these tools proliferated, so did the number of cybercriminals and consequently the targets became more widespread and indiscriminant. People no longer needed to be a "high value target." Individuals attacked would generally face ransoms in the hundreds of dollars. Enterprising cybercriminals, though, set their sights on corporations with ransoms in the tens of thousands of dollars. Now businesses that previously felt safe from targeted attacks were suddenly vulnerable. The number of ransomware attacks exploded and nabbed upwards of one billion dollars in 2016.
The sheer volume of attacks further created issues for the enterprise beyond just the infection. As high volumes of alerts triggered across the enterprise, security teams, who were already resource constrained, struggled to prioritize and respond, particularly when they lacked tools for automation.
Q: How have endpoint security requirements evolved over the years and how are products such as those from Malwarebytes positioned to address those requirements?
The broad consensus is traditional endpoint security is failing tremendously, especially when it comes to addressing modern threats. As the worldwide standard for endpoint remediation, people turn to Malwarebytes when their security systems fail. We have over half-million new daily downloads of our tools and process over three million remediation events every day. We routinely hear from businesses [that have] tried to improve their defensive posture by adding so called next-generation tools, which promised unbelievable levels of effectiveness but failed to deliver on that promise.
At the core of Malwarebytes is the world's best-informed telemetry. As the trusted company for providing complete and thorough remediation solutions, we have the unique insight into the threats that are succeeding in the wild—the attacks that are evading defenses and infecting machines. These insights uniquely position us to protect our customers with our layered defense strategy.
Malwarebytes solutions leverage multiple techniques to identify and defend against attacks at all stages of the attack chain using a highly effective mix of signature-less and signature-based layers. This provides superior protection to businesses even if they combined both a next-generation approach with their traditional AV solution.
Q: What do you expect will be the biggest security themes at Black Hat USA 2017 and why?
Given the constant failure in traditional endpoint antivirus, we will see detection and response tools continue to be a trend as organizations continue to be compromised. Automation will certainly be a key theme as security teams with stretched resources battle the onslaught of daily alerts. At Malwarebytes, we absolutely believe in the importance of automation and response tools. Our best-in-class remediation tools, which include Malwarebytes Incident Response, provide the automated remediation capabilities our customers require.
But as the saying goes, an ounce of prevention is worth a pound of cure. Malwarebytes will focus on the primary issue that customers face today: failing prevention. Malwarebytes Endpoint Security provides superior protection capabilities on the endpoint by leveraging seven layers of both signature-less and signature-based techniques.
Our main thrust at Black Hat USA 2017 will be [on] educating customers [about] the importance of a layered approach on the endpoint. We will highlight how customers are responding to modern threats by replacing their failing traditional and next-gen endpoint antivirus products with a single-unified solution.
Q: How has the emergence of memory-based malware changed end-point security requirements? What do organizations need to understand about the challenges of file less malware?
Endpoint security was traditionally very file-centric. Signatures are applicable to files, and most AV heuristics—what people sometimes confuse with "behavioral analysis"—are often just simple rule-sets to track file and other static IOC manipulation. Memory- based attacks are stealthy, and are incredibly good at evading these controls by naturally not leaving or showing any "sign-able" trace. That means that most endpoint products on the market today, including the new ones, are left with very little to do against memory-based attacks. It requires a full, real-time monitoring of memory, alongside a full machine-learning driven behavioral context to detect with accuracy in-memory anomalies, and block these types of attacks. Most organizations that get hit with those types of attacks today, will unfortunately not learn about them until it is too late, or the attack has ended.
Q: Gartner positioned SentinelOne as a 'Visionary' in its 2017 Magic Quadrant for Endpoint Protection Platforms (EPP). What, in your opinion, is the value-add that SentinelOne delivers in the endpoint protection space?
First and foremost- we offer unparalleled protection. Our ability to provide meaningful and accurate protection for every attack vector, in a complete autonomous manner by leveraging true AI, applied on the lowest level kernel operations, not just files, is a breakthrough in detection technologies and a whole new concept. No one is doing that today, nonetheless in real-time and without a need for an online connection to the cloud. On top of that, we deliver unparalleled visibility intro endpoint operations in real-time, and allow deep introspection as well as dynamic remediation for any type of attack. Couple these abilities with the fact that we offer full platform coverage—Windows, Mac, Linux—from the endpoint to the datacenter - and you get a powerful suite that can protect any asset you have, physical or virtual.
Q: SentinelOne is a Platinum Sponsor of Black Hat USA 2017. What do you want attendees at the event to know about your company and the value-add it brings to the end-point protection space?
Our breakthrough endpoint protection platform is certified as an antivirus replacement, recognized by Gartner and NSS Labs for its disruption, and trusted by the world's most forward-thinking companies to protect their business. We allow businesses to deploy rapidly without disruption, and to manage easily no matter the size of the environment. Upon detection of malicious behavior, SentinelOne will mitigate and remediate at machine speed to minimize the vulnerability.
We give your business complete confidence that your sensitive data is prevented against ransomware and other sophisticated attacks—without the need for additional cyber insurance coverage, and we offer an industry-leading guarantee that no ransomware attack will go undetected and cause irreparable damage.