Interviews | May 20, 2016

Black Hat USA Sponsor Interviews: Cisco, CrowdStrike, Fortinet, and Webroot

Craig Williams
Senior Manager, Global Outreach
Cisco's Talos Group


Q: Why is industry collaboration so critical to dealing with modern cybersecurity threats? Could you tell us a little bit about Cisco's own Project Aspis in this regard?

Craig Williams: Industry collaboration is critical because of the need to combat advanced threats as they evolve. Individually, we can develop ways of detecting and mitigating threats, but that alone is not enough to force adversaries to change their behavior. The industry needs to collaborate to not just block threats, but to also take down malicious infrastructure and force our adversaries to change their business models, similar to what we achieved with SSHPsychos last year. By working with the security community and like-minded groups, we can achieve quicker, more effective, and longer lasting interdiction against our adversaries.

Q: What do enterprises need to know about the changing nature of the threat environment these days?

Williams: The threat environment is evolving every single day. The monetization of malware has been a major driving force in how adversaries generate revenue. As adversaries find more efficient and effective ways of making money, they will reinvest that money to create more advanced and evasive malware. All of this reinforces two major tenets in information security: companies need to ensure they have an integrated threat defense to cope with rapid change in the threat landscape, and the security industry must remain vigilant and provide constant threat interdiction.

Q: You spoke about malware prospecting at Black Hat USA last year. What would be different, if you were to give the same talk this year? What has changed on the threat-hunting front over the past year?

Williams: This year we continue to see threats like ransomware evolve. Previously ransomware required some form of human interaction to spread. In the past couple of years, infection vectors have been focused on the client side, such as someone opening an email or visiting a site hosting a malvertisement. Unfortunately many people have forgotten that server side vulnerabilities can be just as critical. Samsam was the first time an actor used a network-based vulnerability to spread ransomware. By removing the user from the attack chain, ransomware is capable of spreading much more quickly. This changed the way we hunt for ransomware. Now we have entire new threat vectors to consider. The number of potential vectors skyrocketed.

Dmitri Alperovitch
Co-founder and CTO


Q: CrowdStrike has been advocating the use of machine learning in the cybersecurity context for some time. How exactly does machine learning help bolster security? What issue or issues does it really help solve?

Dmitri Alperovitch: In the early days of security, all there was to keeping a system safe was to compare the content of executable files against a list of known malicious signatures. Updates to these signatures were infrequent and were distributed on floppy disks. Today, threats are spreading in seconds. Looking purely at files is no longer sufficient in a networked environment, and looking only at a single system at a time makes it easy for threats to stay below the radar.

In today's world, security is becoming a data-driven endeavor. The more data sources a solution can tap into, the better vantage point it has. Only looking at files leaves one vulnerable to malware-free intrusions—which account for 60% of breaches according to a recent industry study. Attempting to solve all analysis in the milliseconds before execution means going against an adversary who had months to prepare an attack. Instead, the key is to widen the aperture and look at various sources of data concurrently, not just from a single host or a single deployment but across a large population. This is CrowdStrike's approach.

At CrowdStrike, we observe billions of execution and network behaviors in real-time based on our widely deployed endpoint technology and correlate this data with a deep analysis of file traits. This allows us to take action not just based on what's in a file, but based on what it does.

Machine learning is the tool we use to extract knowledge out of this vast pool of data. CrowdStrike's team has been pioneering the application of machine learning technologies to security long before it was popular. Our Chief Scientist, Dr. Sven Krasser, was one of the first in the industry to apply an algorithmic collaborative cloud-based approach to spam detection in the early 2000s, and later extended it to web security and ultimately malware detection.

Q: How has the nature of endpoint security threats changed over the last few years? What is it about the changed environment that requires organizations to take a fundamentally new approach to endpoint security?

Alperovitch: Today's distributed workforce has finally put a final nail in the coffin of the idea that you can build a wall around the perimeter of your network. The post-Snowden moves by application providers to encrypt all network communications to evade bulk government surveillance have also severely impacted the efficacy of network security tools. If the majority of the network traffic is encrypted in a way that can't be man-in-the-middled, there is little chance to analyze it for malicious threats. These trends have made next-generation endpoint protection technologies one of the hottest segments in the cybersecurity industry. CrowdStrike provides the only pure fully cloud-delivered and managed endpoint security solution on the market, which allows our customers to receive the same level of protection on and off the network. It also enables them to get the full benefit of crowdsourcing of threat intelligence from the vast global network of endpoint sensors that are connecting to the CrowdStrike Threat Graph.

Q: What do you want attendees at Black Hat USA this year to know about CrowdStrike's approach to adversary hunting and incident response?

Alperovitch: At CrowdStrike, we believe the most critical problem organizations face today is their inability to stop a breach, regardless of whether the attack method is malware or exploit-based or neither. This requires a combination of next-gen AV capabilities that leverage machine learning and behavioral-based Indicators of Attack (IOA) prevention features. It also entails having full visibility and real-time search capability provided by an endpoint detection and response (EDR) module. Lastly, it is critical to augment technology with intelligence and people. CrowdStrike provides [that] through the dedicated 24/7/365 elite managed hunting Falcon Overwatch team that is there to stop the mega breach and advise the customer on their response options.

Derek Manky
Global Security Strategist


Q: Fortinet released its Security Fabric architecture for enterprises in April. What is it about? What specific challenges is Fortinet helping organizations address with the Security Fabric?

Derek Manky: Networks are currently undergoing dramatic change. Organizations are simultaneously wrestling with issues such as BYOD, IoT, virtualization, SDN, cloud and fog computing, along with the continued proliferation of devices and applications. To do this, networks don't just need to be bigger and faster. They need to be dynamic, fluid, and intuitive. And they are going to become part of a larger, global meshed Internet, where data and intelligence are shared dynamically between traditionally isolated users, devices, and organizations.

Current security strategies and solutions simply can't keep up. Security managers are already monitoring an average of 14 dashboards, and still have to hand-correlate events, alerts, and data. This is simply not sustainable, especially as the attack surface of the network continues to expand, the volume of data needing inspection grows exponentially, and the time to respond to advanced threats gets shorter.

The Fortinet Security Fabric is an integrated architecture designed to enable autonomous communication and centralized orchestration between individual security components that have traditionally operated in their own silos. This allows them to create and share local threat intelligence and consume global threat data in near real-time, and then use that information to collaboratively respond to threat events anywhere across the network.

Q: You recently blogged about the growing use of sophisticated obfuscation tools by cyber criminals. What do your customers need to know about the trend and its implications for them?

Manky: As criminal justice agencies and governments everywhere have doubled down on investigation, attribution, and prosecution of cybercrimes, cyber criminals have responded with more advanced strategies and ways to hide their activity. We've previously predicted the rise of new obfuscation methods and constantly track existing tools as they expand their scope to multiple vectors for infection. It will continue to be very difficult to identify, monitor, and protect against these types of threats.

What customers need to understand is that while these threats are difficult to defend against, it's not at all impossible. Continued investments in threat research, the sharing of threat intelligence, and the expanded capability to see deeper into traffic and wider across the distributed network provide the visibility needed to reveal these new methods as they arise. Customers should ensure that they work with security vendors with the global visibility to identify new and existing strategies, and technologies that can coordinate this threat intelligence and collaborate to respond with the appropriate tools as close to the threat as possible.

At Fortinet, the threat intelligence generated by FortiGuard Labs dynamically generates new defensive signatures and protections that are automatically transmitted to the relevant security solutions at every point in the attack chain. We then connect this to our unified Security Fabric approach to truly defend against increasingly advanced threats seen in the wild.

Q: Why is being at Black Hat USA important for Fortinet? What topics do you expect will dominate the conversation at the event this year?

Manky: Black Hat attracts the best and brightest minds in the security industry, providing an indispensable venue for individuals and organizations to connect and drive continued innovation as an industry. Fortinet has long been committed to this sort of industry-wide collaboration and we strongly believe that working together is the best way to stay ahead in the cybersecurity arms race.

I would expect topics like the Internet of Things will continue to dominate many of the conversations at Black Hat this year, and hope to see some new cutting-edge research and demonstrations at the show. I also expect that threat intelligence sharing will be a major topic at the event, and I'm sure there will be many conversations about specific strategies like the impacts of ransomware, and how to defend against these types of threats.

Hal Lonas
Chief Technology Officer


Q: Why has threat intelligence become such a critical component of enterprise endpoint security? Is it about getting better at blocking threats or about detecting and responding to incidents faster?

Hal Lonas: Threat intelligence offers the ability to improve on both fronts. From an upfront blocking perspective, TI improves the speed to detection by correlating real-world threat encounter data into real-time awareness of threats as they emerge. The result is improved blocking of threats as the time to live before discovery is greatly reduced. Detection aside, TI also improves the ability to respond to a compromise by providing specific details about an incident. By assisting with forensic information, less time is spent researching a threat, thus leading to a shorter time to recovery.

Q: What does Webroot's recent integration with Citrix mean for enterprise customers? How do they benefit from it?

Lonas: The recent integration of Webroot's BrightCloud IP reputation with Citrix's NetScaler ADC platform means better security for enterprises using Citrix solutions. The IP reputation system provided by BrightCloud is capable of identifying and tracking millions of malicious IPs with up-to-the-minute accuracy. This integration into NetScaler will enable enterprises to rapidly identify malicious IP traffic and is also capable of delivering detailed contextual information about the history of a suspect IP address.

Q: If Webroot had one overarching message for attendees at Black Hat USA this year, what would it be? What do businesses need to know about the nature of the cybersecurity challenges they face these days?

Lonas: Changes in the cybercrime ecosystem continue to increase to outpace the security industry's ability to keep up. Ninety-seven percent of threats detected by Webroot's BrightCloud threat intelligence network are unique to the endpoint [that] reports the infection. At the same time, over 100,000 new, never-before-compromised IP addresses are observed participating in malicious activity on a daily basis. Numbers like this are proof that cybercriminals have mastered defeating traditional security solutions. To compete today, you need visibility at the endpoint, a global perspective, and the ability to crunch real-world data in real-time with automated classification driven by advanced machine learning to provide instant protection that is always up to date.