Interviews | May 24, 2019

Automation Can Help Security Analysts Do More With Less: F5 Networks, Splunk, Trend Micro, Tripwire, Verizon

John Morgan
VP & GM Security

Sara Boddy

F5 Networks

Q1. John, what impact have trends like the growing adoption of cloud, hybrid, containers, serverless and on-demand models had on application security?

Many companies have a surgical focus on applications today. But with that, there needs to be a dedication to enhancing and innovating application usage, delivery, development and security. Digital transformation and application modernization are driving trends like multi-cloud migration, rapid application development and the move from capex to opex — all of which increase business velocity, create efficiencies, and reduce costs. But, there also needs to be a spotlight on empowering DevOps and AppDevs while allowing SecOps teams to stay ahead of the curve with security controls applied to the rapid pace of new application deployment.

App modernization enables organizations to empower users with the ability to connect from any device to any app, directly, at any time, with reduced or no latency. Yet, a single-minded purpose to secure the application is necessary, because it is the gateway to all data. There needs to be a continuous exploration for additional security insertion points for containers — for portable and elastic workloads that fit into multi-cloud environments; serverless — where application developers simply supply functions and are unaware as to which server or location the app will reside; and APIs, as application workloads are further distributed and application functions are decentralized.

Q2. Sara, what do organizations need to understand about the modern threat landscape and how it has evolved in recent years?

The global attack surface has changed from what used to be compromised servers or systems rented in bulletproof hosting centers, to IoT. Gartner estimates that there will be over 20 billion IoT devices deployed around the world by the end of next year, and our research indicates that 62% of them—12 billion—are vulnerable. That's because they're publicly accessible over commonly attacked ports, "protected" with vendor default credentials, or can be easily brute-forced, which means they can be compromised and used in bots to launch destructive attacks.

IoT devices pose a unique threat because most of them are deployed in residences, commercial buildings or networks that don't have security monitoring in place to detect infections, or anyone responsible for or capable of cleaning up device infections. This results in things like SOHO routers in homes, cellular modems in police cars, surveillance cameras on light posts, DVRs and high-powered digital displays getting infected with malware and launching attacks for years in a row. In the old days, you sent an abuse complaint to the registered network operator and systems got shut down or cleaned up. There is no globally scalable remediation process for IoT right now. There is also a large portion of IoT devices that [cannot be] secured. Developers of IoT products across all industries haven't been thinking, "What could happen if someone hacked this device and used it for nefarious purposes?" As a result, a lot of IoT devices don't support iptables or VPNs, or have the ability to take firmware updates. They have been designed for ease of remote access. And in some cases, IoT devices have built-in remote tech support backdoors (that are known to attackers) and you can't disable them.

What this means in the short term is that businesses getting hit by IoT bot attacks have to buckle up and defend themselves. And we have to change the way we defend as traditional IP block lists aren't scalable when the blacklisted IPs are the residences of your customers, whom you still want to be able to access your app.

Q3. Sara, you have recently written about Multi-Purpose Attack Thingbots posing a threat to Internet stability and to human life. What exactly are these things and why should we be concerned?

IoT devices are the termination point between the virtual world and the physical world. They provide virtual access to our bodies (inside and on), inside our homes, or within physical proximity of us once we step outside. Medical devices such as heart pacemakers and wearables have been remotely hacked, and the CIA admitted their agents are getting made through compromised wearables. Virtually every IoT device inside a home has been hacked.

In the case of vigilante efforts post-Mirai, security cameras, DVRs and home routers were destroyed through permanent denial of service (PDoS) attacks. Russia DDoS'd the country of Georgia offline before rolling in tanks, and it has twice launched PDoS attacks against electrical substations in Kiev, Ukraine that took out power to the city. Dams can be opened to flood downstream towns, bridges can be opened, etc. The potential for cyber-attacks impacting our physical lives has exponentially increased with the growth in Internet-enabled things to the point where warfare and terrorism efforts now include cyber plans. But what is most often occurring is that our smart homes and buildings are being weaponized and used to launch attacks against our businesses.

The attack potential is enormous and potentially devastating—and we haven't even gotten into 5G yet. DDoS attacks launched from things are cheap and common now. The JenX IoT botnet offers 300 Gbps DDoS attacks for $20. Reaper has the potential to launch a lights-out 12 Tbps DDoS attack. And kids—13-year-olds without the emotional maturity to understand the impact of their actions—are building IoT bots. I'm not sure what's worse, global nation-state surveillance or 13-year-olds with their fingers on the cyber trigger.

Q4. John, what do you want attendees at Black Hat USA 2019 to know about F5's security strategy and product roadmap over the next few years?

Digital transformation demands greater automation. Security must be multi-cloud, and elastic as delivery models and workloads change. F5's security strategy — helping tackle the application security challenges of digital transformation — addresses the four primary application risk areas organizations face today and in the future:

  • Application layer security: Increases in insertion points, centralization, and ease of use will transform the traditional Web application firewall and Bot market. As we continue driving our proxy-based technology hardware, software and service-based solutions, we will offer centralized services and a security view across an organization's app portfolio. We will defend against sophisticated attacks using the latest machine learning and analytics. Attack information from one application environment will protect apps running in another environment. Attacker information learned through behavioral analytics will be used to stop that attacker immediately, even in another cloud or app.
  • Trusted application access: A secure, seamless software-defined perimeter solution, independent of user location, with continuous dynamic authentication, continuous endpoint security posture monitoring, that leverages F5's application-layer security capabilities to identify risky behavior and take appropriate actions aligning application access to risk-based identity strategies.
  • Application infrastructure security: To protect the traditional network infrastructure that applications depend on, we focus not only on high performance, but also lightweight, concise software footprints, container-based solutions, and models aligned with consumption based pricing, empowering security-as-a-service offerings.
  • Intelligent threat services: Centralized holistic views that manage risk across multiple clouds. Consuming community input to improve statistics, and analytics to more efficiently determine behavior, including attacker from non-attacker across use cases.

Haiyan Song
SVP and General Manager, Security Markets

Oliver Friedrichs
VP, Security Automation and Orchestration

Splunk

Q1. Haiyan, describe for us your vision of the SOC five years from now. What would the biggest change be and what, if anything, would likely be the same?

The security industry is going through a transformation unlike anything we've ever seen before. As categories like SIEM and UBA continue to get redefined, security analysts are looking for solutions that can help them not only investigate and respond to threats, but take action on them as well. After spending a year on the road listening to our security customers, we've built out a vision at Splunk that we call SOC2020, which details how the SOC should look in 2020 and beyond. New solutions that can help automate and orchestrate security action, predict threats and improve collaboration across the business are readily available and paramount for organizations that are seeking to modernize their SOC. Our vision of SOC2020 helps guide the cyber community across that process, no matter where they are in their security journey.

Furthermore, as cybercrime becomes increasingly sophisticated, the SOC must deftly adjust and adapt to these changes in order to protect valuable data. The biggest change I anticipate when looking ahead at the future of the SOC is the widespread implementation of AI and machine learning to automate data and security analytics. Hackers are already embracing AI and machine learning to steal money and data, but by and large, the broader cybersecurity industry hasn't adopted these technologies at the same rate.

As far as what will remain the same, data will continue to be the SOC's most valuable resource. The organizations that manage to automate the security analytics process will see the most success when fighting cyber crime. There's no simple solution or silver bullet for cyber threats, but by weaving together the power of data and automation, SOCs can evolve.

Q2. Oliver, what are some primary use cases for SOAR in mitigating cyberthreats? Where can organizations gain the quickest wins from using the technology?

Security Orchestration, Automation and Response (SOAR) primarily functions to help security teams orchestrate and automate workflows, as well as integrate teams, processes, and existing tools to better support SOC functions. The big promise of SOAR is of course the ability for an organization to punch above their weight class and easily scale their security operations.

With the help of a SOAR platform like Splunk Phantom, security teams that are already strapped for resources can work smarter by executing a series of actions — from detonating files to quarantining devices — across security infrastructure in seconds, versus hours or more if performed manually. This level of automation helps teams detect, investigate and — most importantly — respond to threats faster and more effectively.

Organizations can get the quickest wins by integrating SOAR into the daily process of security teams. SOAR platforms make valuable data available to SOC managers and even C-level executives so they can easily monitor the health of the organization's security practice. From my perspective, there are three numbers you should pay attention to in SOC2020: 90/50/1. By using a SOAR platform, teams can reduce 90 percent of Tier-1 alerts through automation, freeing up over 50% of their analysts' time to focus on higher order activities such as tuning detection and response logic. This allows SOC teams to run data analysis in one single nerve center, parsing signal from noise and making faster decisions to protect their networks. Data is digital gold for every security team, but if you really want to lead with an analytics-driven approach to security, it's essential that you can take action on the data you are ingesting.

Q3. Haiyan, can you give any specific examples on how data analytics are impacting today's SOC?

There are a few key components of a data-fueled SOC. One is the operational element, which is about giving analysts better tools and data to be more effective in their jobs. The other element is truly analytics-based, allowing teams to learn from new attacks and techniques, and then apply their learning in the organization's automated security defenses.

Getting access to the data, leveraging the data and using human intelligence to discover the relationships among dynamic data sources and activities can have clear and immediate ROI. For example, Splunk customer Aflac previously faced a huge increase in the number of security threats targeting its network. The company implemented Splunk as the core of their custom-built Threat Intelligence Center (TIS), which allowed security analysts to compile and analyze data across 20 different threat intelligence platforms. Since implementing Splunk, Aflac has blocked over two million security threats, orchestrated threat intelligence across 20 security technologies sitting within TIS and given security analysts more than 30 hours a month back to focus on proactive security, instead of manual data collection and reporting.

Another key example: data analytics allowed Heartland Jiffy Lube, or HJL, to develop a proactive approach to security, versus playing a reactive game of whack-a-mole. HJL now uses Splunk Enterprise Security (ES) and Splunk User Behavior Analytics (UBA) to protect valuable customer data for over 5 million customers each year. By using data science that produces actionable results with risk ratings and supporting evidence, HJL was able to reduce the risk of insider threats, eliminate the manual processes that often slow response time and improve mean-time-to-resolution of security incidents by over 60 percent.

It's well known that automation can help security analysts do more with less, but in order to fully realize that value and immediately respond and begin investigations, organizations need a solid understanding of their data.

Q4. Oliver, what is Splunk's main messaging and focus going to be at Black Hat USA 2019?

We're excited to be back in Las Vegas for Black Hat, which is one of the biggest events of the year for Splunk. We'll have more than 100 Splunkers and even more customers on-site. One of our own, Ryan Kovar, will be speaking. Make sure to check out his talk with MITRE, which will detail how security pros can implement MITRE ATT&CK in their own security environment.

As for our biggest focus at Black Hat this year, we're looking forward to unveiling the latest updates to Splunk's Security Operations Suite, which combines the power of our security platform: Splunk ES, Splunk UBA and Splunk Phantom. While our customers have used Splunk ES for years to monitor and detect, this trinity of technologies provides the unmatched ability to detect, predict, and also to respond to cyber threats, all at machine speed. This is best demonstrated by a real-world use case on how customers can benefit from the delivery of protection and response content as a single package across these three technologies—versus the disparate content packs that we normally provide. Not only can we deliver correlation rules and detection content, but also a response playbook to take action.

Lastly, we're excited to show off some of the work we're continuing to do with Splunk ES Content Updates. A lot of security vendors at Black Hat will be there to talk about research, which is hugely important for organizations to leverage as they defend their systems from nation states, rogue hacking groups and more. We look at research a bit differently at Splunk, with a firm belief that research must be actionable to make a difference within the SOC. ES Content Update provides pre-packaged security research directly to our customers, allowing them to identify immediately whether or not they are at risk to the latest security threats, with data that's already at their fingertips.

Steve Quane
Executive Vice President of Network Defense & Hybrid Cloud Security

Trend Micro

Q1. What are some of the requirements for effective endpoint security these days? What's driving the need for those requirements?

There are several challenges driving today's endpoint security requirements. These include a broadening attack surface with remote employees and more endpoints being continuously added to a network, as well as the persistent and ever-evolving threat landscape.

To mitigate the risks brought on by these changes, endpoint security needs to prevent, detect, investigate and respond automatically to threats. An endpoint solution should be a single pane of glass to see a holistic and detailed look at an enterprise's security posture. Prevention is still a critical component of an overall protection strategy because prevention leaves fewer attacks and less noise from false positives. Likewise, automated detection and response of threats leaves less to be investigated, which is important given resource and skill constraints. We're hearing a lot about EDR these days, but we believe that the best protection brings automated endpoint protection together with investigation for complete protection augmented with automated response. We also fundamentally believe that the capabilities needed to protect and investigate servers, particularly Linux servers, are significantly different than laptops and mobile device protection and therefore need specialized focus, technologies, and process.

Q2. What risks do organizations face in excluding IT security teams from IoT projects? What should security teams be doing to ensure they are involved from the outset?

Overall, the risk is that organizations are exposed to severe security threats due to unprotected or ill-protected IoT devices and implementations. The organization is exposed in an area where there is exponentially growing adoption, thus making it ripe for cybercriminal attention. In a recent survey conducted by Trend Micro we found that 32% of respondents were unable to define who was even responsible for IoT security within their organization.

In addition to understanding that IoT device manufacturers do not place security on the top of their list of priorities when designing and manufacturing their systems, security teams must also educate all levels of their business about the critical risks introduced by IoT. The focus should not only be on the corporate IoT platforms, devices and projects, but the risk that IoT in general can bring to the organization. For example, with the increasing number of IoT devices finding their way into people's homes, cybercriminals can consider these gadgets (and the smart home networks they belong to) lucrative attack vectors. Once inside a smart home network, cybercriminals can potentially launch targeted attacks into a corporate network that may be connected as a result of employees working from their homes and/or using personal connected devices.

Q3. What do you want people attending Black Hat USA 2019 to know about the nature of modern endpoint security threats and your company's strategy for helping them address these threats?

Given the nature of the endpoint market dynamics, including a broadening attack surface, persistent and ever-evolving threats, and resource and skill set constraints, Trend Micro's endpoint security is automated, insightful and offered as an all-in-one solution, which maximizes protection effectiveness and efficiency for our customers.

The key points on our strategy include:

  • Automated detection and response means manual intervention is kept to a minimum. The automated detection uses a broad blend of threat detection techniques leveraging Trend's XGen capabilities without the need for specialized intervention by skilled security professionals.
  • Insightful management and EDR investigation tools integrated with and leveraging the endpoint workflow for optimal visibility and control. We also offer optional Managed Detection and Response for 24/7 detection, investigation and threat hunting, which can also extend beyond the endpoint to correlate and investigate across network, server and email telemetry.
  • Server protection and investigation is vastly different than endpoint protection, particularly in the increasingly prevalent Linux distribution across cloud servers. As the global server security leader according to IDC, Trend Micro has unprecedented expertise and technology to protect server infrastructure.
  • An all-in-one, single agent, single server, single console for a complete solution that includes endpoint protection, EDR and data protection in an equivalent choice of SaaS and on-premise deployment options.

David Meltzer

Tripwire

Q1. What strategy should enterprise organizations adopt to address the challenges posed by the cybersecurity skills shortage?

Organizations everywhere are struggling with the cybersecurity skills shortage. It is impossible to find enough qualified candidates to fill all the open positions, so organizations have to look for other options when staffing and running their security programs. Enterprises are at the point where they cannot do everything themselves and need to employ some help from trusted security advisors. Using outsourcers and contractors has been a popular option, but many of these companies across the globe are also fighting for the same resources. Sustainable long-term options are for organizations to use Security as a Service (SaaS) and managed services to deliver or supplement their programs.

Managed services are the easy button for enterprises, allowing organizations to extend their teams with a 24x7 Security Operations Center (SOC) that will deliver actionable information in a timely manner. The engineers staffing the SOCs are experts in the products and processes so this is like adding an expert quick response team. A good managed service will also take a holistic view of your security program and understand the specific requirements of how to integrate assets with the latest patches, configuration changes, and security policy changes.

Using a SaaS is the next best option. SaaS can save a lot of time, money and resources since it's already set up in the cloud and just needs to be configured for your environment. SaaS offerings reside in large cloud environments that are scalable, offer redundancy and backup, and have integration with other SaaS offerings. SaaS solutions also quickly deliver the latest features and fixes to the solution without the need for change control windows.

Q2. Why do organizations have such a hard time integrating security into DevOps? What's the most common mistake that organizations make when approaching the issue?

DevOps has been a big shift for almost every company. Engineers have adopted DevOps practices and new technologies to develop at an astounding speed. With so many tools available, and many of them free or low-cost, the engineers have been quick to adopt. This creates two major challenges for organizations. First, instead of the new technologies being vetted and purchased by IT, the engineers bring them into the organization themselves and go straight to using them. Second, DevOps is speeding up the delivery of new products, features, and services in a way that just doesn't work with a standard waterfall release process. This causes great frustration for all the teams involved.

To solve the issues, we need to break down the traditional team dynamics and create hybrid teams that drive this new shift in the organizations. The teams should be comprised of representatives from the various security, IT, program management, and engineering teams to act as representatives who define the adoption of the new tools and processes. The representatives from this team make sure they have a business process that works for everyone and champion these when back on their own teams. The goal should be development speed, security, and time to market. If you create a complicated process or too many gates, it will slow down innovation and people will find ways around the process.

Q3. What is Tripwire's main focus and messaging going to be at Black Hat USA 2019?

Technology environments are complex, and are becoming more complex at an increasingly fast pace. Tripwire will help you make sure you have critical security controls deployed as your attack surface expands. Whether your organization is moving more to the cloud, adopting DevOps, or increasing connectivity in your industrial environments – Tripwire will be there to lay down a strong cybersecurity foundation.

Tripwire is the trusted leader for a strong cybersecurity foundation. Partnering with Fortune 500 enterprises, industrial organizations and government agencies, Tripwire protects the integrity of mission-critical systems spanning physical, virtual, cloud and industrial environments. Tripwire's award-winning portfolio delivers top critical security controls, including asset discovery, secure configuration management, vulnerability management and log management.

As organizations evolve and expand their environments, it's critical to maintain breadth of foundational security practices. With so many moving pieces, it can be extremely difficult to maintain proper visibility across the different environments, and quite easy to inadvertently leave data exposed. Several cloud-related breaches have shown that simple misconfiguration issues could go overlooked and cause big problems as environments expand.

Similarly, vulnerabilities could slip through the cracks as organizations adopt DevOps practices and containerization. Recent Tripwire research has shown that last year, 60% of organizations suffered a container security incident. Nearly half (47 percent) of IT security professionals surveyed knew they had vulnerable containers in production, and almost the entire other half (46 percent) said they didn't even know if any vulnerabilities were present. Tripwire is giving visibility into containers and embedding security into the rapid DevOps practices.

Tripwire has a rich 20-plus year history in cybersecurity, delivering technology and services that are critical for establishing and maintaining a strong foundation of security and expanding that foundation across new and complex environments.

Alex Schlager
Executive Director, Security Services, for Global Products and Solutions

Bryan Sartin
Executive Director of Security for Digital Transformation and other Technological Professional Services

Verizon

Q1. Alex, why do many organizations have a hard time quantifying cyber risk? What are they doing wrong?

Enterprises are increasingly using edge-based applications to deliver credible insights and experience. But often security strategies are not updated at the same speed as new technologies and applications are embraced.

We recently highlighted in our 2019 Data Breach Investigations Report (DBIR) that C-level executives — who have access to a company's most sensitive information — are now the major focus for social engineering attacks, being 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches than in previous years. We also saw 71% of breaches were financially motivated with 25% of breaches motivated by the gain of strategic advantage—espionage.

We must remember that the ultimate aim of cybercrime is not random; security controls shouldn't be random either. Security strategies have historically been focused on static defenses but in today's fast-evolving security landscape, to be truly effective they need to be dynamic, proactive and adaptable. Cybersecurity tools are available that utilize cyber intelligence for greater proactive threat hunting and security awareness within the business, increasing detection speeds and response for more timely containment of threats.

More importantly, CIOs making a business or purchasing decision can now access a dynamic snapshot of their risk profile that is relevant to their industry. This is fused with company-specific dark and deep web intelligence and utilizes a company risk scoring toolset enabling businesses to make data-driven security decisions based on their risk, and efficiently adapt their security posture in real time to address any gaps that are identified in their profile.

With so much at stake if a breach is incurred — loss of customer data, intellectual property, brand reputation and more — companies need to adopt a risk-based approach to invest wisely and prioritize how they allocate their budgets. They need to think about the holistic end-to-end purpose of their security operating model to counter this risk and spend their money wisely and to greatest effect.

Q2. Bryan, Verizon's recent insider threats report showed insiders are responsible for a relatively high percentage of data breaches and cybersecurity incidents. Why do organizations have such a hard time addressing the threat?

The Verizon 2019 Data Breach Investigations Report flagged that insiders still account for 34% of breaches. For far too long, data breaches and cybersecurity incidents caused by insiders have been pushed aside and not taken seriously. Often they are treated as an embarrassment or just an issue for Human Resource departments. This has to change. Cyber threats do not just originate from external sources, and to fight cybercrime in its entirety we also need to focus on the threats that lie within an organization's walls.

Detecting and mitigating insider threats requires a different approach compared to hunting for external threats. Verizon's aim is to provide a framework that enables companies to be more proactive in this process and to slice through the fear, uncertainty and embarrassment that surround this form of insider cybercrime.

Our Insider Threat Report provides practical advice and countermeasures to help organizations deploy a comprehensive Insider Threat Program, which should involve close co-ordination across all departments from IT Security, legal, HR, to incident response and digital forensics investigators. These 11 countermeasures can help reduce risks and enhance incident response efforts. They include: integrating security strategies and policies; conducting threat hunting activities; performing vulnerability scanning and penetration testing; implementing personnel security measures and network security solutions as well as employing physical security measures and endpoint security solutions; applying data security measures; employing identity and access management measures; establishing incident management capabilities; and, most importantly, retaining the services of a digital forensics company.

Verizon sits between the sources and victims of cybercrime on a daily basis, and by sharing real scenarios from our caseload within this report, we hope that organizations can learn and adopt the countermeasures we recommend to implement their own programs.

Q3. Alex, how has Verizon's purchase of Niddel last year benefited customers? What business issue or security issue is Niddel's technology helping enterprise organizations address?

Niddel's automated threat hunting technology has been effectively integrated into the already robust set of managed security services offered by Verizon.

Not every business has the budget or opportunity to engage professional security personnel to help review cyber intelligence to determine what security solution is required. However, now Verizon can offer tools that optimize data organizations already have. They perform much of the identification, investigation, analysis and decision-making of security professionals, but with computer-driven precision, speed and scale.

Q4. Bryan, what does Verizon's Enterprise Solutions Group plan on highlighting at Black Hat USA 2019, and why?

Last year was a year of digital acceleration, as new technologies such as 5G, artificial intelligence and next-gen cloud moved into the realm of reality and started to radically transform how business operations work. In particular, these technologies enable real-time insights that are changing business behaviours. Organizations want to build a 'Real-Time Enterprise', where they can make business decisions based on what is happening right now, rather than what happened last week, or last month — and this is particularly the case when it comes to security strategies.

At Black Hat 2019, we'll be profiling the latest security solutions that can help companies proactively tackle cybercrime head-on, and our experts will be available to discuss the cyber-attack trends we are witnessing through our Verizon Data Breach Report research, with a focus on the world of Insider Threats. Most importantly, attendees will see how information from the Verizon Risk Report can be integrated into their own security intelligence, helping them demonstrate a tangible return on investment (ROI) on security spend and guide strategies, to effectively target security breaches before they begin.

Visit Verizon at Black Hat 2019, Booth #138.