Interviews | May 30, 2019

Zero Trust "A Genuinely Critical Way to Move Past Legacy Security Models": ExtraHop, Juniper, McAfee, Proofpoint, SecurityScorecard

Jesse Rothstein
CTO and co-founder
ExtraHop

Q1. What are some key requirements for detecting lateral movement on enterprise networks these days and why do you need them?

Key requirements for detecting lateral movement include accuracy, scale, and speed. Network Intrusion Detection Systems (NIDS) have been around for decades, but are widely regarded as noisy due to the fundamental nature of rules and signatures. Today, human analysts are overwhelmed by false positives. According to Cisco's 2019 CISO Benchmark survey, respondents were only able to investigate 51% of the alerts they received. The same report found that only 24% of those alerts were legitimate. I recently heard this firsthand when one CISO told me, "I already have a dozen tools and they're all alert cannons. I don't need more alerts."

Recent advancements in technology for detecting threats on the network are game-changing, and ExtraHop is at the forefront. Gains in processing power and storage capacity provide orders of magnitude more data features to analyze. Protocol fluency allows defenders to focus on the conversations involving critical assets, such as domain controllers. Finally, machine learning enables detection of suspicious behavior and potential threats with accuracy that approaches or exceeds human analysts and performs at a scale that was previously infeasible.

Scalability is important because environments continue to grow in terms of data rates and endpoints. Most network security products focus on the internet gateway, since this North-South traffic travels at modest rates compared to the internal East-West corridor where lateral movement occurs. The lateral movement signal must be disentangled from the background noise of tens or hundreds of gigabits per second, and it must be detected rapidly. The average dwell time of an attacker after the initial compromise is measured in months, and several recent high-profile breaches involved persistent attacks lasting years. With the ability to monitor all of the network traffic in real time, ExtraHop enables defenders to detect, investigate, and respond to incidents at almost any scale with accuracy and speed.
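To make the lateral-movement detection problem described in this answer concrete, here is an added example (written for this page, not ExtraHop's product logic and not part of the interview) that runs two protocol-aware heuristics over East-West flow records: a fan-out rule that flags a host reaching many distinct internal peers on remote-execution and file-sharing ports within a short window, and a critical-asset rule that flags interactive sessions (RDP, WinRM, SSH) to a domain controller from anything other than an approved jump host. The flow records, the IP addresses, the domain controller and jump-host lists, and the port-to-service table are all constructed assumptions for the example, not captured data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of East-West flow records (not captured data).
# One flow per line: timestamp src dst dport proto
SAMPLE_FLOWS = """\
2019-05-30T09:00:05 10.1.20.16 10.1.0.10 88 tcp
2019-05-30T09:00:06 10.1.20.16 10.1.0.10 389 tcp
2019-05-30T09:00:09 10.1.20.16 10.1.30.7 445 tcp
2019-05-30T09:01:00 10.1.20.15 10.1.20.21 445 tcp
2019-05-30T09:01:04 10.1.20.15 10.1.20.22 445 tcp
2019-05-30T09:01:09 10.1.20.15 10.1.20.23 445 tcp
2019-05-30T09:01:15 10.1.20.15 10.1.20.24 445 tcp
2019-05-30T09:01:22 10.1.20.15 10.1.20.25 445 tcp
2019-05-30T09:01:30 10.1.20.15 10.1.20.26 445 tcp
2019-05-30T09:02:10 10.1.20.15 203.0.113.5 443 tcp
2019-05-30T09:07:00 10.1.20.15 10.1.0.10 3389 tcp
2019-05-30T09:07:30 10.1.5.2 10.1.0.10 3389 tcp
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Ports commonly used for remote execution and file access during lateral movement.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS", 22: "SSH"}
INTERACTIVE_PORTS = {3389, 5985, 5986, 22}
# Hypothetical critical assets and the only hosts allowed to administer them interactively.
DOMAIN_CONTROLLERS = {ip_address("10.1.0.10")}
ADMIN_JUMP_HOSTS = {ip_address("10.1.5.2")}


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": ip_address(src),
                      "dst": ip_address(dst), "dport": int(dport), "proto": proto})
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def detect_fan_out(flows, window=timedelta(minutes=5), threshold=5):
    """Flag a source that reaches >= threshold distinct internal hosts on admin ports within window.

    Outbound traffic to non-internal addresses is ignored so that normal internet use
    does not contribute to the count. One finding per source, reporting its busiest window.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in ADMIN_PORTS and is_internal(f["dst"]) and f["src"] != f["dst"]:
            by_src[f["src"]].append((f["ts"], f["dst"], f["dport"]))
    findings = []
    for src, events in by_src.items():
        events.sort()
        best = None
        for i, (start, _, _) in enumerate(events):
            in_window = [(d, p) for ts, d, p in events[i:] if ts - start <= window]
            peers = {d for d, _ in in_window}
            if len(peers) >= threshold and (best is None or len(peers) > best["distinct_hosts"]):
                best = {"src": str(src), "window_start": start.isoformat(),
                        "distinct_hosts": len(peers), "ports": sorted({p for _, p in in_window})}
        if best:
            findings.append(best)
    return findings


def detect_dc_interactive(flows):
    """Flag interactive admin sessions to a domain controller from anything but an approved jump host."""
    return [{"src": str(f["src"]), "dst": str(f["dst"]),
             "service": ADMIN_PORTS.get(f["dport"], str(f["dport"]))}
            for f in flows
            if f["dst"] in DOMAIN_CONTROLLERS and f["dport"] in INTERACTIVE_PORTS
            and f["src"] not in ADMIN_JUMP_HOSTS]


def run(text=SAMPLE_FLOWS):
    flows = parse_flows(text)
    return {"fan_out": detect_fan_out(flows), "dc_interactive": detect_dc_interactive(flows)}


if __name__ == "__main__":
    for kind, items in run().items():
        for item in items:
            print(kind, item)
```

On the constructed sample, the workstation 10.1.20.15 is reported once for touching six internal hosts over SMB in under a minute, and again for opening RDP to the domain controller; the ordinary Kerberos and LDAP traffic from 10.1.20.16 to the same controller, and the RDP session from the jump host, produce nothing. The sliding window is quadratic per source, which is fine for a demonstration but would need a streaming counter at the data rates the answer describes.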

Q2. Describe for us what exactly guided investigation and response means. How does it help with remediation workflows and playbooks?

Writing custom queries in a SIEM should be a last resort during an investigation, similar to downloading and analyzing a packet capture. Unfortunately, many investigations start with this workflow, severely limiting how many alerts a security analyst can process per day. At ExtraHop, we believe such time-intensive tasks should be the last stop, not the first one.

Guided investigation and response means collating and correlating the data needed for an investigation so that the analyst can answer the most important questions in one or two clicks: questions such as "Why was this detected?", "Which endpoints were involved?" or "Which files or database tables were accessed?"

ExtraHop Reveal(x) is based on a mature analytics platform and collects an immense amount of data. We built expertise into the system to arrange this data so that the next steps in the investigative workflow are at the analyst's fingertips: protocols involved, details such as DNS queries used, files accessed, devices scanned, data exfiltrated, threat intelligence matched, associated user accounts, and more. All this context is included along with a detection so that the analyst can quickly determine whether an anomaly is benign or malicious and assess the potential scope of an incident.

When it comes to response, some attacks are low and slow and can be dealt with in a semi-automated fashion where a human decides what action to take. Other attacks are fast and destructive, causing incredible damage in a short amount of time and exceeding human ability to respond. The NotPetya malware, for example, spread across the globe and caused billions of dollars in damage in a matter of hours. Reveal(x) works with existing firewall, endpoint, and SOAR products to enable fully automated actions for these types of fast attacks by blocking traffic and quarantining devices.

Q3. What do you expect people in SecOps will want to learn most about from ExtraHop at Black Hat USA 2019?

Over the past decade, cybersecurity has largely focused on protection and preventative measures, with large investments in endpoint and perimeter defenses to keep attackers out of the environment. Unfortunately, security incidents and data breaches continue to occur. As a result, the pendulum is currently swinging the other way towards detection and response, and I expect that people at Black Hat this year will be interested in learning whether products that claim advanced detection capabilities actually work in real-world environments and solve problems that their current tools can't solve.

Network traffic, or wire data, is the best place to start in order to detect threats inside your environment. Attackers must use the network to accomplish their goals, and they cannot tamper with or turn off the network as they can with endpoint or logging solutions. Consequently, network traffic provides the ground truth for understanding an attack. The opportunity today is to apply machine learning to this wire data to detect threats that have successfully bypassed perimeter defenses and are now trying to reconnoiter the environment and move laterally.

A challenge for Black Hat attendees (and security professionals in general) is that the cybersecurity market is so noisy, with many vendors making claims about machine learning, artificial intelligence, and other buzzwords. When someone visits a vendor booth, they need to understand how that product fits into their comprehensive defense-in-depth strategy, what the product claims to do versus what it actually delivers, and how it solves a problem they have. We invite these justly skeptical attendees to stop by our booth to see a demo and try ExtraHop out in their environment with a proof-of-concept.

Oliver Schuermann
Sr. Director, Enterprise Product Marketing

Samantha Madrid
VP, Product Management

Juniper Networks

Q1. Oliver, what are some of the trends driving demand for Juniper Connected Security? What combined functions and security capabilities do these platforms typically have these days?

The biggest thing we see driving demand for Juniper Connected Security is the fact that customers have an average of eight to twelve security products in their network. This has made their overall security posture more complex to manage, created blind spots as multiple teams manage these products, and driven up operational costs.

The premise of Juniper Connected Security is that we protect users, applications and infrastructure by connecting multiple technologies, and bringing threat intelligence to networking infrastructure. Information security simply must be more than a firewall. Regardless of where you deploy your firewall, you will always have limited visibility into threats. Routers, switches and even wireless access points need to be more intelligent, and need to participate in network security if organizations are to counter today's threats.

This applies to our alliance partners as well as third parties. With Juniper Connected Security, our business partners and customers can use our rich set of APIs or our custom threat feeds to create highly capable, easy-to-manage, multi-vendor defense in depth, and we use this same connectivity to make integrating security products as simple as possible.

Consider, for example, the problem of isolating a compromised device. By combining detection, monitoring, and network infrastructure together with automation, Juniper Connected Security offers defenders the ability to act on threats deep inside their perimeter, including blocking threats at the access port level with — or without — an endpoint agent.

Complicating the security landscape is the explosion of IoT devices, most of which were not designed with security as their first priority. Successfully securing an organization today means having visibility everywhere, across every infrastructure that organization uses, being able to identify a threat quickly, and take action with pinpoint accuracy. In other words — See, Automate, Protect.

Juniper Connected Security allows organizations to defend their networks from endpoint to edge, and through every cloud in between. Juniper Connected Security provides the ability to ensure that your security posture and policies stay consistent. This is increasingly important for organizations of all sizes, as both users and workloads are now mobile, and regularly change which infrastructures they make use of.

Q2. Samantha, what new security challenges do multi-cloud environments present and what strategy should organizations take to address those challenges?

Information security is about gaining visibility of potential threats, and preventing the propagation of malicious activity when it occurs. In a multi-cloud environment, it is easy to lose visibility because you do not control the underlying infrastructure. It is also difficult to maintain consistent security policies across multiple infrastructures, something that is critical for preventing the propagation of malicious activity.

There is a lot of discussion about "Zero Trust" in the security industry, but the only way you can truly achieve zero trust is through a Connected Security strategy. A Zero-Trust architecture can't be just a firewall with endpoint software — that's broken. Regardless of where you deploy the firewall, your line of sight will always be limited, so how can you truly have a "zero trust" architecture when all you're using is a firewall?

Juniper Connected Security allows organizations to increase visibility, making it easier to safeguard users, applications and infrastructure. This is accomplished by leveraging that infrastructure to proactively secure your network via automation and orchestration.

Juniper Connected Security interoperates with our own products, those of our partners, and even those of our competitors to help our customers ensure consistent policy across multiple infrastructures. Combined with our automation and orchestration capabilities, this dramatically reduces the risks and the management overhead associated with the inevitable adoption of multi-cloud.

Q3. Oliver, what attributes should enterprises be looking for when shopping for a Connected Security Solution?

Modern enterprise IT cannot be done without automation. Security is a fundamental consideration for all aspects of IT. As a result, the interoperability of security products should be the primary concern of any organization.

If the security product you pick today is proprietary or inflexible, there is a strong chance that you'll have to replace it in five years with something completely different. That's a potentially large problem when you consider how integrated into automation security products will be, or in many cases already are. Customers need to move away from a closed vendor ecosystem, often referred to as a "platform".

Open standards compliance is a must-have. Organizations should be looking not only at the standards support of individual products, but at the reputation of the vendors selling these products. Is the vendor a champion of open standards? Can you reasonably expect that, five years on, that product—or its immediate successor—will still be interoperable and flexible enough to be in such a critical position within your then highly automated IT infrastructure? Or is the openness of that product an artifact of its history, and will that go away as part of the digestion of that product by the parent company?

Security products can no longer be considered point solutions that meet some immediate need and are then largely forgotten about. They are strategic investments whose total life cycle through multiple iterations must be carefully considered. Organizations can no longer afford to rip and replace every cycle; they must connect and integrate with their existing investments, and be confident that their ability to do so will still exist in the future.

Q4. Samantha, what are Juniper's plans at Black Hat USA 2019? What do you plan to highlight at the event?

We're very excited to participate at Black Hat USA this year, but we're going to keep you in a bit of suspense. But I will say we are highlighting ways to solve security challenges that arise as more and more traffic becomes encrypted. Our goal is to partner with our customers to help them achieve their organizational initiatives, like developing a Zero-Trust architecture or adopting a multi-cloud strategy, through Juniper Connected Security.

Christiaan Beek
Lead Scientist and Senior Principal Engineer
McAfee

Q1. What do enterprise organizations need to understand about the threat posed by nation-state actors? How is protecting against nation-state actors different from protecting against other cyber threats?

The biggest difference in attacks executed by groups tied to nation-states is the incentive to gain persistence. Cybercriminals are motivated to cash out quickly, while nation-states are generally focused on long-term intelligence gathering. That said, the previously held belief that nation-states have a higher degree of capabilities no longer holds true; we have seen cybercriminal groups execute attacks with significant capabilities. If an organization has been compromised, their focus should be on restoring operations, evaluating lessons learned, adapting their security posture, and reducing any impact to key stakeholders.

Q2. What role can, or should, governments play in cybersecurity and in the protection, especially of critical infrastructure, against cyber-enabled threats?

National governments have a legitimate interest in securing critical infrastructure, which is largely owned by the private sector. As such, the private sector should take the lead role in protecting it.

Government should allow industry to continue to innovate voluntarily in critical infrastructure protection. Regulations and mandates will be counterproductive to the goal of ensuring the protection of our critical infrastructure. For example, if regulations were to force manufacturers to guard against today's threats, tomorrow's may very well slip through the cracks.

To this end, public-private partnerships where knowledge is exchanged actively are critical. A great example is the NoMoreRansom organization, where the public and private sector work together to fight back against ransomware with free tools that have prevented tens of millions of dollars from going into criminal hands.

Q3. What topics do you expect will dominate the conversation at Black Hat USA 2019? What does McAfee plan to highlight at the event?

I expect CPU and IoT related research to be front and center, as well as new strategies on how to use artificial intelligence and machine learning to tackle challenges facing the industry. McAfee will have some exciting news to share with the industry; don't miss it!

Ryan Kalember
EVP, Cybersecurity Strategy
Proofpoint

Q1. What's driving the need for a zero-trust approach to network and application access?

Zero trust has unfortunately been overused as a buzzword lately but is a genuinely critical way to move past legacy security models that never worked in the first place. The simplest way to describe zero trust is that the perimeter is not your internal network – it's everywhere you make an access control decision.

As people, not infrastructure components, have become the primary targets for attackers, limiting access to only what each individual needs has never been more critical to prevent the compromise of a single user from turning into a much bigger breach. In addition, as users need to access resources across on premises and cloud systems, zero trust becomes an essential way to limit the attack surface for both the corporate network and cloud-hosted systems.

Q2. Describe for us Proofpoint's strategy for helping organizations implement a zero-trust model.

Zero trust is a difficult model to move toward overnight, so we believe in identifying the greatest areas of risk and mitigating those first. For example, limiting third party and contractor access to only authorized resources, rather than the entire corporate network, is a critical control to reduce enterprise risk and a great first step in zero trust. In addition, we already help organizations identify which users receive the most targeted and sophisticated attacks across vectors like email and cloud.

We call these users Very Attacked People, or VAPs for short. Making sure VAPs can only access the resources they need can be the difference between a click on something malicious turning into an incident that can be remediated versus a full-blown breach. In sum, we're focused on helping organizations implement these high-value use cases that show immediate impact.

Q3. What can people expect to see from Proofpoint at Black Hat USA 2019?

You can expect insights into both our unique view of the threat landscape and updates on our people-centric portfolio of security products. We continue to believe that the best way for most organizations to understand their risk is through the lens of their people — the vast majority of breaches still happen through email and via compromised credentials — and we're always happy to share the strategies for understanding and mitigating risk that have helped our customers, including over half of the Fortune 1000, better secure what matters.

Jasson Casey

Alex Heid

SecurityScorecard

Q1. What are the top attributes of a good cyber security ratings platform? How do you ensure that a cyber risk score provides an accurate representation of an organization's cybersecurity posture?

The necessary attributes of a high quality cybersecurity ratings platform are fairly straightforward.

  • Access. Legal entities must be able to access their score without having to pay a fee.
  • Transparency. The data driving a score must be clear and obvious. The process and timing of changing the scoring model must be obvious and clearly communicated.
  • Feedback. It must be possible for a legal entity to provide immediate feedback on data driving a score to help indicate a finding is in error, provide additional context around a finding (compensating controls) and indicate when a finding has been remediated for rescoring.
  • Efficacy. Finally, a score must have some statistical significance for future security outcomes. Entities which score poorly should experience security events at a higher rate than entities with good scores.

Q2. How will tools and processes for assessing cyber risk evolve over the next few years? Where do you see the opportunity for greatest improvement?

Cybersecurity risk ratings are going to leverage more behavioral signals in the future. Today, most data that drives a risk score is comprised of information about cybersecurity hygiene. However, there is a small but growing category of signals which attempt to map and measure an organization's behavior. Specifically, metrics measuring an organization's effectiveness at protection, detection and response are more impactful indicators of future performance during a security event than singular measures of hygiene. High-performance teams introduce fewer hygiene issues and fare better during security incidents than low-performance teams. SecurityScorecard recently introduced these types of behavioral metrics around endpoint management. Moving forward, SecurityScorecard will expand this type of analysis to more management domains (network management, endpoint management, software development/operations and IT services) as well as increase coverage to smaller organizations.

Q3. How are organizations currently using security ratings? What are some future use cases for it?

Organizations currently use risk ratings in their third-party risk management programs. A rating is used to help focus security resources on the highest-risk suppliers and enable a more efficient conversation around security program intent versus externally observed performance. One of the most exciting evolving use cases pertains to cyber insurance. Cyber insurers can use ratings to assist the diligence process for large enterprises. These insurers also use ratings to understand specific company and portfolio risk for small and medium business cyber policies. Portfolio analysis can help carriers understand systemic risk across their book of business as well as estimate performance of the book against expected claims. Additionally, portfolios can be diversified given the specific risk associated with individual policyholders, helping manage loss.

Q4. What do you want attendees at Black Hat USA 2019 to take away from your company's presence at the event?

Cybersecurity risk ratings are an integral tool in the third-party risk management process. Companies that engage their suppliers through SecurityScorecard's cybersecurity risk ratings platform see an average 5% improvement in the risk score of their portfolio within the first 90 days of engagement. SecurityScorecard offers all legal entities free access to their scorecards and access to technical support resources.
