Interviews | May 26, 2017

Black Hat USA Sponsor Interviews: Arbor Networks, ESET North America, Fidelis Cybersecurity, Fortinet, and IBM

Darren Anstee
Chief Technology Officer
Arbor Networks


Q: DDoS attacks are well understood and have been going on for a long time. Yet, they continue to be very effective. What is it that organizations need to know about the nature and scope of DDoS attacks these days?

There are a few key things that need to be understood, some obvious and some not so obvious. First and foremost, organisations need to understand that not all DDoS attacks target infrastructure in the same way. We all tend to focus on the volumetric attacks that we see in the media, which are all about saturating Internet connectivity. But these are just one aspect of the DDoS threat. We also have to be aware of TCP state-exhaustion attacks, which target firewalls, load-balancers et al, and application layer attacks which target our web services, APIs etc. directly.

The second thing they need to be aware of is the way in which attacks have changed over the last 18-24 months. The weaponization of DDoS services—both IoT based and otherwise—has led to a proliferation of both very large volumetric and very complex multi-vector attacks. Arbor's ATLAS saw over 500 attacks above 100Gbps last year, more than double the number we saw in 2015, and our World-Wide Infrastructure Security Report (WISR) data shows that more than two-thirds of service providers saw multi-vector attacks on their networks. Running these kinds of attacks a few years ago required technical know-how, now a button click and some bitcoins is all that is required.

And last but not least, in parallel to the above, from a time-frame perspective, many organizations have become increasingly dependent on Internet services as they have adopted mobility, public / hybrid cloud, SaaS offerings etc., and understanding this level of dependence – and the impact a successful attack could have from a business continuity perspective – is possibly the most important thing that businesses need today.
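The three attack classes described in the answer above leave different footprints in flow telemetry: volumetric attacks show up as bits per second toward a target, state-exhaustion attacks as a high share of TCP flows that never complete the handshake, and application-layer attacks as request rates from individual sources. The following is an added illustration, not Arbor code, that classifies one observation window of constructed NetFlow-style records along those lines; the record layout, the thresholds and the sample traffic are all assumptions chosen for the example.

```python
"""Classify a window of flow records by DDoS attack class.

Added example, not part of the original interview or any Arbor product.
Record layout, thresholds and sample traffic are assumptions for illustration.
"""
from collections import defaultdict

# Illustrative thresholds (assumptions; tune for a real network).
VOLUMETRIC_BPS = 1_000_000_000   # sustained 1 Gbps toward a single destination
SYN_ONLY_RATIO = 0.8             # share of TCP flows that never completed the handshake
SYN_ONLY_MIN_FLOWS = 1000        # ignore the ratio below this many TCP flows
APP_RPS_PER_SRC = 200            # HTTP requests per second from one source to one target


def classify(flows, window_s):
    """Return {dst: [attack classes]} for one observation window of `window_s` seconds.

    Each flow is a dict with keys src, dst, proto, dport, bytes, pkts, tcp_flags
    (string of flag letters seen in the flow) and optionally requests (HTTP requests).
    """
    bytes_per_dst = defaultdict(int)
    tcp_per_dst = defaultdict(lambda: [0, 0])      # dst -> [tcp flows, SYN-only flows]
    requests_per_pair = defaultdict(int)           # (src, dst) -> HTTP requests
    for f in flows:
        bytes_per_dst[f["dst"]] += f["bytes"]
        if f["proto"] == "tcp":
            counters = tcp_per_dst[f["dst"]]
            counters[0] += 1
            if f.get("tcp_flags") == "S":          # SYN seen, nothing else: half-open
                counters[1] += 1
            if f.get("dport") in (80, 443):
                requests_per_pair[(f["src"], f["dst"])] += f.get("requests", 0)

    findings = defaultdict(set)
    for dst, total_bytes in bytes_per_dst.items():
        if total_bytes * 8 / window_s >= VOLUMETRIC_BPS:
            findings[dst].add("volumetric")
    for dst, (total, syn_only) in tcp_per_dst.items():
        if total >= SYN_ONLY_MIN_FLOWS and syn_only / total >= SYN_ONLY_RATIO:
            findings[dst].add("state-exhaustion")
    for (_src, dst), n in requests_per_pair.items():
        if n / window_s >= APP_RPS_PER_SRC:
            findings[dst].add("application-layer")
    return {dst: sorted(classes) for dst, classes in findings.items()}


def is_multi_vector(classes):
    """True when more than one attack class hits the same target in the window."""
    return len(classes) >= 2


def sample_flows():
    """Constructed 10-second window (not real traffic) with three targets."""
    flows = []
    # UDP/53 amplification replies toward .10: 2,000 flows of 1.4 MB each.
    for i in range(2000):
        flows.append({"src": f"198.51.100.{i % 250 + 1}", "dst": "203.0.113.10",
                      "proto": "udp", "dport": 40000 + i % 1000, "bytes": 1_400_000,
                      "pkts": 1000, "tcp_flags": ""})
    # SYN flood toward .10: 2,000 half-open connections from spoofed sources.
    for i in range(2000):
        flows.append({"src": f"192.0.2.{i % 250 + 1}", "dst": "203.0.113.10",
                      "proto": "tcp", "dport": 443, "bytes": 60, "pkts": 1, "tcp_flags": "S"})
    # HTTP flood toward .20: one source, 5,000 requests over the window.
    flows.append({"src": "198.51.100.7", "dst": "203.0.113.20", "proto": "tcp",
                  "dport": 80, "bytes": 2_500_000, "pkts": 6000, "tcp_flags": "SAF",
                  "requests": 5000})
    # Benign HTTPS sessions toward .30.
    for i in range(50):
        flows.append({"src": f"192.0.2.{i + 1}", "dst": "203.0.113.30", "proto": "tcp",
                      "dport": 443, "bytes": 20_000, "pkts": 30, "tcp_flags": "SAF",
                      "requests": 5})
    return flows


if __name__ == "__main__":
    for dst, classes in classify(sample_flows(), window_s=10).items():
        tag = " (multi-vector)" if is_multi_vector(classes) else ""
        print(f"{dst}: {', '.join(classes)}{tag}")
```

The point of separating the three signals is that they call for different mitigations: the volumetric class is what upstream filtering handles, while the half-open and per-source request signals are what on-premise devices in front of the firewall and the web tier are there to see.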

Q: How has Arbor had to evolve its DDoS mitigation service over the years to deal with the evolving nature of the threat? What, if anything, are you doing differently today compared to a few years ago?

The first thing we have had to do is help our customers adapt to the scale of the DDoS attacks that are out there today. With peak attacks getting close to 1Tbps, network operators need to be able to leverage their network infrastructure to filter attack traffic. This is why our TMS platform, Arbor's intelligent DDoS mitigation system, can now offload its dynamic blacklist to network infrastructure using flowspec – so that network operators can leverage their existing infrastructure's capabilities to deal with very large attacks.

We've also seen a big change in the scale of organisations looking for sophisticated defences. A few years ago we would only have seen interest in multi-layer / hybrid DDoS defences from financial, government and large retail organisations – now it's a much broader range of businesses. This has led us to change our product portfolio, to offer a wider range of appliance and virtual options, scaling both up and down, and to start offering new licensing models to MSSPs so that they can service a broader market.

And, in the same vein, another key change for us is our fully managed DDoS protection services, where we take control of both the on-premise and cloud portions of our solutions. This has come about, again, because of demand from a wider range of customers who want the advantages of multi-layer protection without the need to maintain and manage the technology [internally].

Q: Arbor is a Platinum Plus sponsor of Black Hat USA 2017. What is your main theme going to be at the event?

We're looking forward to Black Hat this year. We understand that this is where our key audience will be. We want to demonstrate our capabilities and understanding of the threat landscape, but we also recognize it's a huge, exciting show and we're in Las Vegas. We're surrounding the show with some invite-only CISO events, whiskey tastings, things like that. We're going to work hard and play hard.

Juraj Malcho
Chief Technology Officer
ESET North America

Ignacio Sbampato
Chief Business Officer
ESET North America


Q: Juraj, what exactly is different about the nature of endpoint security threats these days and how do your technologies help address them?

If we want to talk about differences in security threats then we first need to define the timeframe. Threats are evolving gradually and there is no massive year-on-year change in their functionality. However, following the cyber security cat and mouse game, the attackers are always looking for weak defense points and maximizing their return on investment. The situation was surely different 15 years ago; however, it hasn't changed dramatically in the past few years – it's just that the focus of attackers shifts once in a while.

In recent years attackers have tried a number of ways to evade detection, by generating vast quantities of malware variants, using code obfuscation, using exploits and automated exploit packs for distribution, hiding in the memory or system Registry (file-less attacks) and so on. The more targeted the threats are, the more we're seeing a combination of all of these techniques. To achieve the best protection a multilayered approach needs to be used in order to make the bypassing of security software as difficult as it gets.

Keeping up with trends in attacks, ESET gradually implemented various security layers as new types of infection started to appear. They work hand in hand, one layer helping another, starting with scanning network communication for anomalies and known malicious protocols, through file scanning using behavioral DNA detection, and preventing suspicious process execution by Exploit Blocker. If none of these layers is able to block the threat, its behavior is constantly monitored and the code scanned in memory, as well as automatically sandboxed and analyzed in our cloud backend called LiveGrid. The backend systems also make use of collected suspicious samples and metadata to automatically classify them by machine learning algorithms, with the updated models directly applied in our endpoint detection mechanisms. Simply put – strike wherever you can.

Applying this approach means that, for example, in the case of WannaCry ransomware only a minority of our customers actually saw detection of the malware payload itself, as the attack was already stopped on the network level during the exploit phase.

Q: Ignacio, what do you see as some of the biggest security trends shaping demand for your products over the next one year?

The main trend we see in the market is the need from enterprises to have more visibility over what's happening – or could happen - in their networks. This creates a stronger need for EDR tools, Threat Intelligence Services, and better ways to prioritize and classify incidents in a meaningful and actionable way.

Q: Juraj, why has cybersecurity training in the workplace become so important especially for smaller and medium businesses?

Every computer or device in a network and every employee is a potential entry point for malware. As large businesses and enterprises boost their defenses and establish dedicated security teams with security programs, smaller businesses are becoming low-hanging fruit for mass attacks. To prevent those attacks it is equally important to deploy fundamental security software protection and a patching policy as well as to keep staff up to date with the latest social engineering tricks, which evolve all the time.

BYOD also opens up another attack opportunity with people using the devices not only at work but also at home, where technical security measures are limited compared to business standards. Every household has a number of connected devices today with varying states of security. Therefore it is necessary to educate employees to keep their home infrastructure up to date and prevent a breach originating from home.

Q: Ignacio, ESET is a Platinum Plus sponsor of Black Hat USA 2017. Why is it important for your company to be at the event? What do you want attendees to learn from your presence at the event this year?

ESET is a TOP 5 Endpoint Security vendor, with a very strong presence in Europe, Asia and Latin America. We want to increase our presence in North America and we believe Black Hat USA is definitely the place to showcase our newest products, services and technologies and show the attendees how ESET can provide the best endpoint security in the market.

Hardik Modi
Vice President, Threat Research
Fidelis Cybersecurity


Q: There's been a push to encrypt everything on the Internet in recent years. How are threat actors exploiting the trend and what security capabilities are needed to stop them?

It's certainly true that the use of network encryption has risen rapidly over the past few years on the Internet at large. A very broad range of threat actors have taken advantage of the wide and easy availability of signed certificates from trusted certificate authorities (CAs) to deceive users by purporting to be widely used sites like PayPal and to encrypt the delivery of malware and subsequent command-and-control communications. As the barriers to acquiring a trusted certificate have lowered over the years, there's been a transition away from self-signed certificates, which were trivial to spot and act on, to the use of trusted certificates.

In terms of capabilities, I have long believed that enterprises need to actively manage encrypted traffic, preferably decrypting for analysis at trust boundaries. Now this needs to be done in a safe manner, and vendors and users of such products need to be aware of the significant responsibility that comes with such decryption, but it's my opinion that enterprises should absolutely use their right to inspect traffic on their networks with the goal of protecting the environment.

Whether or not you decrypt, you also need to manage certificate use within the environment. The CA breaches of 2011 should have taught us that even certificates deemed trusted at a given moment are potentially masking malicious activity. So broad and pervasive, and preferably historical, visibility into all manner of certificates used in the environment is hugely valuable, including network traffic but also executables and popular applications. Such data is valuable in an incident response scenario, but from an active protection standpoint you'll want the ability to apply threat intelligence to such certificates, especially since researchers are often publishing known malicious certificate details.
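The two answers above describe three things a certificate-visibility capability should do even when traffic is not decrypted: match observed certificates against published malicious indicators, keep a historical first-seen record so that a later revelation can be traced back, and notice certificates that impersonate a well-known brand whether they are self-signed or issued by a trusted CA. The following is an added illustration, not Fidelis code, that triages a constructed log of passively observed TLS server certificates along those lines. The fingerprints in the intel set, the brand list, the legitimate-domain allowlist and the observation records are all placeholders chosen for the example.

```python
"""Triage passively observed TLS server certificates against threat intelligence.

Added example, not part of the original interview or any Fidelis product.
Intel fingerprints, brand list, allowlist and observations are constructed
placeholders, not real indicators.
"""
import re

# Hypothetical intel feed: SHA-256 certificate fingerprint -> indicator name.
KNOWN_BAD_FINGERPRINTS = {
    "cc" * 32: "hypothetical-rat-c2",      # placeholder, not a real indicator
}
# Brands whose name a lookalike certificate might borrow, and the domains
# under which that brand's certificates are legitimately issued (assumptions).
PROTECTED_BRANDS = ("paypal",)
BRAND_DOMAINS = {"paypal": ("paypal.com",)}
# Common digit-for-letter substitutions seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_cn(cn):
    """Lowercase, undo digit-for-letter swaps and drop separators for brand matching."""
    return re.sub(r"[^a-z]", "", cn.lower().translate(HOMOGLYPHS))


def is_legitimate_host(cn, brand, brand_domains):
    """True when the common name sits under one of the brand's own domains."""
    return any(cn == d or cn.endswith("." + d) for d in brand_domains.get(brand, ()))


def triage(observations, intel=KNOWN_BAD_FINGERPRINTS,
           brands=PROTECTED_BRANDS, brand_domains=BRAND_DOMAINS):
    """Return findings for observations that match intel, are self-signed,
    or carry a brand lookalike common name. Processes records in time order
    so that each finding carries the fingerprint's first-seen timestamp."""
    first_seen = {}
    findings = []
    for obs in sorted(observations, key=lambda o: o["ts"]):
        fp = obs["sha256"].replace(":", "").lower()     # normalize fingerprint formats
        first_seen.setdefault(fp, obs["ts"])            # historical record per fingerprint
        reasons = []
        if fp in intel:
            reasons.append("intel:" + intel[fp])
        if obs["subject"] == obs["issuer"]:             # self-signed: issuer is the subject
            reasons.append("self-signed")
        cn = obs["subject_cn"].lower()
        for brand in brands:
            if brand in normalize_cn(cn) and not is_legitimate_host(cn, brand, brand_domains):
                reasons.append("brand-lookalike:" + brand)
        if reasons:
            findings.append({"ts": obs["ts"], "src": obs["src"], "sha256": fp,
                             "first_seen": first_seen[fp], "reasons": reasons})
    return findings


def sample_observations():
    """Constructed passive-TLS log (not real data): ts, client, cert fields."""
    return [
        {"ts": 1, "src": "10.0.0.5", "subject_cn": "www.paypal.com",
         "subject": "CN=www.paypal.com", "issuer": "CN=Example Public CA",
         "sha256": "aa" * 32},
        {"ts": 2, "src": "10.0.0.9", "subject_cn": "secure-paypa1-login.example",
         "subject": "CN=secure-paypa1-login.example", "issuer": "CN=Example Free CA",
         "sha256": "bb" * 32},
        {"ts": 3, "src": "10.0.0.12", "subject_cn": "c2.internal",
         "subject": "CN=c2.internal", "issuer": "CN=c2.internal",
         "sha256": "cc" * 32},
        {"ts": 5, "src": "10.0.0.12", "subject_cn": "c2.internal",
         "subject": "CN=c2.internal", "issuer": "CN=c2.internal",
         "sha256": ":".join(["CC"] * 32)},               # same cert, colon-separated upper-case
    ]


if __name__ == "__main__":
    for f in triage(sample_observations()):
        print(f"t={f['ts']} {f['src']} {f['sha256'][:16]}... first_seen={f['first_seen']} "
              f"{', '.join(f['reasons'])}")
```

The second record shows why a trusted issuer is not enough on its own: the lookalike certificate is CA-issued and would pass browser validation, and only the brand check catches it. The last two records show the value of the historical record: the intel match at t=5 carries first_seen=3, which is where an incident responder would start looking.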

Q: Organizations are under increasing pressure to improve incident detection and to reduce dwell-times. What are the biggest challenges they face in implementing these capabilities?

Yes, there is vastly increased emphasis on monitoring and incident response as disciplines and the single biggest challenge to this endeavor is the talent shortage, starting from the first-line analysts to specialized roles such as reverse engineers and hunters. There has been an exponential growth in the need for personnel to conduct these functions and it's impossible to scale the talent pipeline needed to address the issue globally. Even where organizations are satisfied with the teams they've built, processes usually haven't evolved to the point where they can withstand the loss of key personnel as they look for new opportunities. Throw into this mix the broad range of, sometimes incompatible, security technologies that the organization is expected to deploy and manage and then you understand why cybersecurity remains a subject of great anxiety for the enterprise. It's my opinion that we'll have to invest in human capital through training but there will need to be superior technology to drive productivity.

As security categories emerge and mature, they will have to be measured on how much the organization benefits through superior workflow and acceleration of response, beyond classic measures such as prevention capabilities. The solution that enables the full flow of detection to response, with as much automation and knowledge-enrichment as possible, will ultimately [let] us raise our game. Further, as a community, we have to get to where Incident Response is a mature discipline and we're not reinventing the wheel in each organization. As much as it hurts to lose talent, we have to prepare for when that happens and look for ways to reduce friction and the learning curve when new people join the team, empowering them with mature technology and process.

Q: At Black Hat USA last year, Fidelis debuted several freeware tools and resources including your Barncat Intelligence Database and Threat Scanner. What are your plans for this year? What can attendees expect from your presence there as a Platinum Plus sponsor?

At Fidelis Cybersecurity we take our role as contributors to the broader security community very seriously. To this end, we're constantly publishing and presenting new research and making tools and information available to the community. Black Hat USA 2016 was extra special since we unveiled a whole series of freely available tools and services, including Fidelis Barncat, a malware configuration database.

We've spent the past year maturing Barncat and our intention at Black Hat this year is to highlight the many improvements we've made to the toolchain that builds the dataset. Our original focus was on various Remote Access Trojan (RAT) families – hence the name 'Barncat' – but we've done a lot of work expanding it to where we're capturing key configuration data from other malware types, including Ransomware, Exploit Data and Banking Trojans.

These are very nice complements to the research we publish on our blog at Fidelis ThreatGeek. Further, one of the reasons we made the large dataset available was to encourage others to conduct analysis and we've seen a number of research projects spawn from this data. One example is graph analysis to explore more relationships between the use of malware families by threat actors. Our plan is to shine a light on these innovative projects that have come about from the broader security community.

Of course, we'll have a considerable presence on the show floor with our booth and we encourage all attendees to come and get a sense of the Fidelis Cybersecurity solution through our demo stations and by directly engaging with us, whether your interest is in our products, services or research.

Phil Quade
Chief Information Security Officer
Fortinet


Q: You joined Fortinet recently after three decades in cybersecurity roles in government, including most recently the NSA. What has that experience taught you about the nature and scope of the threats that organizations face these days?

Some people say that street cops and detectives see an especially negative view of humanity, because, more often than not, they are called to assist with an unlawful or sad situation. Similarly, coming from the foreign intelligence business, you get a first-hand view of what foreign adversaries aspire to do, and how they do it. It is indeed sobering. In fact, that's one of the reasons why NSA conducts both a foreign intelligence mission and an information assurance mission, so that the insights on the foreign threat help to set the bar for how much rigor is needed to protect the nation's most sensitive secrets.

As the former head of the NSA's cyber task force, I worked closely with the highest levels of the White House and Congress and spent years on the front lines of developing cybersecurity strategies to help protect our nation's most critical assets. At Fortinet, I apply my experience managing diverse and complex cyber strategies with a variety of partners to ensure that both Fortinet and its global customers have the most effective, broad security postures.

The gallows-humor quip that those in cybersecurity have job security is an unfortunate truth. But customers can't just buy their way out of cybersecurity threats. It takes strategic choices. For example, to take on the cybersecurity problems of speed and scale, you need to embrace the solutions of integration and automation.

The private sector has much to offer in these areas, and that is what Fortinet specializes in with its Security Fabric architecture. Another key strategy is to make sure you're looking at all dimensions of risk [and] not mitigating just threats and vulnerabilities, but mitigating bad consequences out of the risk equation by engineering them out by design. We call that 'Consequence-based Engineering'.

Q: You are in charge of expanding Fortinet's Federal and Critical Infrastructure business. How similar—or different—are the security challenges that organizations in these sectors face, compared to other organizations?

Our country's economic competitiveness, national security, and general well-being are highly dependent on the cybersecurity of the government, critical infrastructures, and private institutions. Federal agencies have unique security needs for a number of reasons. In addition to being a favorite target of hacktivists, for-profit blackhats, and hostile foreign governments, they often have strict compliance regulations, need solutions for combat and have more critical data and lower budgets. Federal cybersecurity solutions often need to be specifically tailored, and even validated, to protect agencies within the intelligence community and the Department of Defense, as well as civilian agencies.

The scope and scale of the Critical Infrastructure security challenge has mostly frozen ambitions to take on the problem holistically. No one owns and operates all critical infrastructure anywhere. There are different infrastructures. Various companies own it. The industry needs to look at this as a problem that can only be solved over time. We need to establish a multi-year planning and action horizon and steadily march toward it. Rushing into this and trying to solve it overnight will just lead to more problems.

By creating automated information-sharing standards and mechanisms, we can better help identify and mitigate the risks due to the dependencies among infrastructures. The establishment and practice of private-public partnerships is key for innovative solutions to be shared and for muscle-memory (e.g., relationships, procedures) to be established during normal conditions that can be flexed during times of crisis.

The Federal and Critical Infrastructure markets share the unfortunate distinction of having especially big targets on their backs. Adversaries seek to project influence or gain attention by affecting them.

Q: As a Platinum Plus Sponsor of Black Hat USA 2017 what is Fortinet's biggest focus going to be at the event? What is your main messaging there?

Black Hat is a very important event for the industry, so we will have lots to talk about. In particular, we will be emphasizing actionable threat intelligence. With the data deluge of threat information today, security professionals need customized insight to help determine how to prioritize resources to best protect against threats to their organizations. We use big data analytics to help IT decision makers understand those threats in context with timely threat intelligence, trends among other organizations, and statistical analysis of potential risks.

Now more than ever, security controls need to be able to automatically trust and digest threat intelligence at speed and scale. The challenge is that today's security teams monitor an average of 14 separate security consoles to try and manage, assess, and secure the expanding array of devices and technologies deployed across their hybrid and distributed networks. Many times, they end up having to compare log files, hand correlate data, and manually change policies between devices in order to address threats. It means that far too many threats go undetected, and for the ones that are, response times are too slow for attacks that operate at machine speeds. This is essentially a growing big data problem for cybersecurity today.

We will be demonstrating the latest in actionable threat intelligence. Fortinet's Security Fabric is powered by the security services deployed by our FortiGuard Labs Global Threat Research team, which consists of more than 200 expert researchers and analysts around the world who discover and analyze breaking threats and automatically feed the intelligence to our more than 3 million sensors around the globe. Our threat research team has dedicated experts studying every critical area including malware, botnets, mobile, and zero-day vulnerabilities to protect more than 310,000 customers every day.

Charles Henderson
Global Head of X-Force Red
IBM


Q: What has your experience leading IBM's penetration testing services revealed about enterprise preparedness to deal with modern cyber threats? What are the most common vulnerabilities and security gaps that you uncover when conducting these tests?

The security postures of enterprise companies are all over the place. Some have sophisticated security programs with excellent monitoring and testing; others are still struggling to just manage their antivirus software. The common element they share is a need for help.

The most frequent vulnerability varies by target, and largely depends on the technology stack that's being used. One class of vulnerability that we're seeing more often is flaws related to third-party libraries. Modern applications are using increasingly large and complicated frameworks for everything from data persistence to presentation. This can significantly reduce development cost, but the larger net code base inevitably has an increased attack surface.

The most common gap, in my opinion, is related to how the scope of security is defined. It's very easy for a CISO to focus on the security of key targets—often those with compliance mandates—but ignore what are perceived as less critical areas. In reality, unless a network is air-gapped, you have to look at the entire environment. For example, with the proliferation of IoT in the enterprise, there are many devices in low-security network segments that attackers can compromise and use as a pivot point to attack more critical targets.

Q: Tell us a little bit about IBM X-Force Red. What is the specific value add that your group brings to the security testing space?

IBM X-Force Red is an elite security testing and research group. It is our mission to provide a flexible, customizable security testing program that provides rapid test scheduling, leverages an industry-leading ability to test virtually any target, and combines economic tool-based testing with essential manual testing by global security specialists. IBM X-Force Red gives organizations a more powerful security approach and more control over their security test spending, providing an agile testing methodology to complement today's agile development environments.

We organize our targets of testing into four pillars:

  • Applications – including web, mobile, terminal, thick-client, middleware, and mainframe
  • Networks – including external, internal, wireless, and SCADA
  • Humans – including phishing, social engineering, and physical engagements
  • Hardware and Device – including automotive, IoT, wearables, point of sale, ATMs, aircraft entertainment systems, and kiosks

Q: IBM has a broad portfolio of security technologies and capabilities. What do you expect will be your main focus at Black Hat USA 2017?

IBM X-Force Red will be focusing on the importance of sophisticated testing strategies and elite manual testing for all targets – not just web applications and networks. Automated tools and scanners are important, but can at times lull organizations into a false sense of security. It is important to remember automated testing and defense tools are best suited to defend against automated attack and exploitation. There are only so many ways a machine can fight a machine.

Criminals can use automated tools too, but they are becoming more sophisticated all the time and often employ manual methods to achieve their goals. As a counter to manual attacks, elite human testers can learn how a system works and discover flaws that are unique to a particular environment.

In the end, both automated and manual testing make sense. When we build a security-testing program, it is important to utilize the entire testing arsenal rather than look for a silver bullet in a tool or toolset. IBM X-Force Red's managed testing service helps clients to identify a proper balance of testing techniques against a prioritized list of targets.
