Interviews | June 2, 2017

Black Hat USA Sponsor Interviews: Alien Vault, Carbon Black Inc., Digital Guardian, Palo Alto Networks, and Symantec

Jim Hansen

Jim Hansen
Vice President, Product Marketing

alien vault

Q: AlienVault launched USM Anywhere earlier this year. How does it build on your threat detection and management capabilities and what specific business need does it help address?

AlienVault pioneered its unified approach to threat detection by combining several essential security capabilities–asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM—into a single platform, Unified Security Management (USM). USM was designed to make threat detection, incident response, and compliance management more affordable, faster to deploy, and easier to manage for resource-constrained IT security organizations of all sizes.

Our USM Anywhere launch in February 2017 marks an important evolution for resource-constrained organizations, allowing them to extend their threat detection and incident response capabilities to the cloud.  USM Anywhere enables organizations to monitor their on-premises infrastructure, cloud infrastructure, and cloud services to identify threats that can lead to compromise.

USM Anywhere has a highly extensible modular framework that allows AlienVault and third parties to develop fully integrated applications that provide data collection, data analysis, and visualization, as well as security orchestration. Orchestration comes in the form of response actions, which are either executed directly within USM Anywhere or executed externally. USM Anywhere enables the seamless orchestration of a customer's security tools to support automated response, reducing the mean time from threat discovery to response.

As new threats are discovered that require new techniques or technologies, AlienVault is well positioned to extend the USM Anywhere platform to introduce new IT security capabilities that can help users keep up with the changing threat landscape. In addition to its essential security capabilities, USM Anywhere currently includes AlienApps that support orchestrated integration with Cisco Umbrella, McAfee ePO, Microsoft Office 365, Google G Suite, Carbon Black, Palo Alto Networks, and ServiceNow.  This enables AlienVault to deliver new threat detection and response capabilities as the threat landscape evolves.

Q: Tell us a little bit about AlienVault Open Threat Exchange. Why are efforts like this important for enterprises and the industry at large?

Threats evolve.  Attackers adapt.  Protective and defensive controls can become obsolete quickly as the threat landscape changes. Threat intelligence is an equalizer.  It provides guidance, context, and knowledge of the threat actor, their intentions, infrastructure, and tools.  It's imperative to enable security professionals to defend against the threats that can infiltrate and devastate organizations of all sizes.

Threat intelligence, however, has traditionally been very expensive, and seen as something reserved for the elite.  For organizations of all sizes that are resource-constrained, acquiring timely threat intelligence is a barrier that can be difficult to overcome.  This is where our Open Threat Exchange (OTX) comes in.  The AlienVault Open Threat Exchange is an open threat intelligence network that enables a global community of over 53,000 threat researchers and security professionals to actively discuss, research, validate, and share the latest threat data, trends, and techniques. Threat data is shared in the form of a "Pulse" that provides users with a summary of the threat, a view into the software targeted, and the related indicators of compromise (IoCs) that can be used to directly detect threats.  The OTX community shares over 10 million indicators of compromise daily.

These "pulses" are directly leveraged by security professionals to instrument their security tools using the STIX and TAXII-compatible DirectConnect APIs and SDKs.  It is also directly integrated with AlienVault's USM products.

So what's the catch?  Oh wait, there isn't one.  Access to and use of OTX and the threat data contained therein is free of charge to everyone, consistent with AlienVault's philosophy that threat sharing should be fostered among enterprises to proactively increase threat detection and reduce response times.

Welcome to the democratization of threat intelligence.  With OTX, it is available and free to everyone, not just a few elite organizations with lavish budgets.  This effort changes the threat detection landscape and allows the defender to keep up with the attackers.

Q: As a Platinum Plus sponsor of Black Hat USA 2017 what is your main focus at the event this year? What do you want attendees to know about AlienVault and its technologies?

IT security teams often find themselves trapped in a "threat cycle". As threats continue to evolve, they keep acquiring more and more point solutions to address the latest threat. With each new point solution brought on, the team may be able to address the specific risk from that specific threat, but the next threat that arises will require yet another point solution. They remain stuck in the threat cycle. They need a way out.

Point solutions, by their very nature, are disconnected from each other, each requiring separate orchestration and management capabilities. The integration of these point solutions takes time and resources that most organizations don't have. These organizations need help integrating their security tools to deliver better security outcomes -- namely, timely and effective threat detection and incident response.

AlienVault solves the problem of the threat cycle with the USM Anywhere platform, its AlienApps architecture, and Open Threat Exchange. Building on the Unified Security Management (USM) approach pioneered by AlienVault, the USM Anywhere platform expands the unified value proposition beyond the embedded five security controls by incorporating new IT and security technologies as they evolve.

AlienVault is highlighting USM Anywhere at Black Hat this year.  We encourage IT security personnel who identify themselves as under-resourced, under-funded, and in need of a unified security monitoring solution for their on-premises or cloud infrastructure to stop by and talk to us.  Take a good look at USM Anywhere to determine if it meets your needs and can you help reduce the cost and complexity of the alternative approaches.

Mike Viscuso

Mike Viscuso
Senior Vice President, Chief Technology Officer
Carbon Black Inc.

Carbon Black

Q: What exactly does Carbon Black mean by "zero-gap" protection? From an endpoint security technology standpoint what sort of capabilities are required to deliver zero-gap protection?

Zero-gap protection is the consolidation of detection, prevention and response, powered by comprehensive visibility into all endpoint activity. This comprehensive visibility, coined "Continuous and Centralized Recording" or CCR for short, is at the core of our "zero gap" protection. With CCR, our customers don't have to worry about missing security relevant events because we have the ability to collect all endpoint activity. It's this capability that fuels our superior detection, prevention, and response.

From a detection point of view, because we've collected all endpoint activity, we can identify the unknown threats never seen before, as well as insider activity that is specific to an organization.

For prevention, a zero-gap solution protects against malware and non-malware attacks.

And, for response, the solution should provide quick and conclusive answers to the four questions every person has when under attack: How did the attack start; what did they attacker do; how many machines and/or users are compromised; what do I need to do about it?

The solution should be able to take immediate corrective actions, regardless what those actions are or where they should take place.

Q: Nearly 75% of respondents in a recent Carbon Black survey expressed dissatisfaction with machine learning driven cybersecurity tools. What is the problem with ML-based tools? What needs to improve?

The problem with ML-based tools is that they are still in their nascent stages and cannot match the creativity of a human being who is craftily trying to evade detection. Machine-learning-based technologies are adept at sifting through large amounts of data to recognize abnormalities and similarities, but are prone to high false positives. These high false positives often require a human user to validate and triage them.

Researchers have found that ML-based security technologies are just as easily evaded as traditional, signature-based antivirus. While machine-learning and AI certainly has its place, there is still a significant amount of development needed to be done before seasoned security professionals are willing to trust ML and AI with cybersecurity. ML and AI can be great tools to help augment human decision-making but they are not ready to replace humans in cybersecurity just yet. Security is still very much a human vs. human game.

Q: Carbon Black is a Platinum Plus sponsor of Black Hat USA 2017. What can attendees expect from your presence at the show? What cybersecurity topics will likely dominate the event in your opinion?

It's an honor to once again be such a big part of the Black Hat USA conference, which I've seen grow dramatically in a short time. It's likely we'll see a few topics dominate the conversation at this year's conference. My bet is that ransomware, machine-learning, and non-malware attacks will be top of mind for most attendees and comprise a big part of the conversations on the expo floor. As we do with many major conferences, Carbon Black will have a large presence at this year's Black Hat, where we'll focus on how traditional defenses are continuing to wane in efficacy. We'll also provide guidance on how organizations can strengthen their security postures and defend against the most advanced cyberattacks, including ransomware and non-malware attacks.

Ken Levine

Ken Levine
President and Chief Executive Officer
Digital Guardian

digital guardian

Q: How have requirements for enterprise data loss prevention changed or evolved over the years? How has Digital Guardian had to evolve its products and services to meet these changing requirements?

The data loss prevention category grew out of the need to meet regulatory compliance requirements. For example, safeguarding credit card numbers while they were in use or stored in a database, as required by PCI-DSS. And the DLP protections were designed to avoid inadvertent disclosure by well-meaning employees. To say that these requirements have "evolved" over the years would be an understatement – they have nearly been revolutionized.

Data loss prevention requirements today have to accomplish more than checking a compliance box. The threat landscape is changing quickly with sensitive data now under threat from malicious insiders, outside hackers and cyber-criminals as well as still from the well-meaning employee. Not only have the threat vectors increased exponentially, the amount and types of sensitive data requiring protection has exploded. Most all organizations now consider their sensitive data part of their intellectual property, from client lists to executive emails to trade secrets to medical records, we need to protect it all.

Digital Guardian has been at the forefront of this revolution in DLP. In 2014 we launched a new Threat-Aware Data Protection Platform that protects all data types from all threat types. Leveraging the DG Platform companies can discover where their sensitive data resides, classify that data, create protection policies based on that classification and, most importantly enforce, those policies. This means data is protected against everything form an insider trying to steal IP or a hacker who has command and control of a laptop and attempts nefariously to encrypt files – DG stops those actions.

Q: Digital Guardian has consistently been placed among the leaders in the DLP space in Gartner's Magic Quadrant for some time now. What is it about your technology that you believe has helped Digital Guardian win that recognition?

At the end of the day our technology is about deep data visibility. We see everything, without any blind spots. This is the key differentiator for DLP and even among all the other endpoint vendors. We look into every application, the content and context of every piece of data, every executable, and monitor every possible data egress point. Our customers will say that we see things no one else does. So this forms the foundation of why we have been recognized as a Leader for many years.

From there, we are also recognized for having support across Windows, Mac OS X and Linux, having network and cloud DLP integrated, the most granular rules and policies, and a next generation analytics and reporting platform.

Q: Digital Guardian is a Platinum Plus sponsor of Black Hat USA 2017. Why is it important for your organization to be at the event?

Black Hat provides an ideal platform to showcase our new technologies and offerings, meet with customers, prospects, analysts and press while engaging with reseller partners. But most importantly, we find Black Hat to be the #1 show to interact with the actual users of cyber-security technologies. They are the SOC analysts and the threat hunters and, as the only DLP solution that protects data from external attacks, with the ability to detect and contain malware, ransomware and other advanced threats, the Black Hat audience is an important one for us.

Rick Howard

Rick Howard
Chief Security Officer
Palo Alto Networks

Lucas Moody

Lucas Moody
Vice President, Chief Information Security Officer
Palo Alto Networks

Palo Alto Networks

Q: Rick, how has the emerging Internet of Things complicated the enterprise endpoint security challenge? How should enterprises be preparing or responding to the security implications of the IoT?

The reason it is more complicated is because, typically, IoT devices are consumer grade, cheaply priced, and low-margin machines. Manufacturers have squeezed every cost out of them in order to make a purchase compelling to the buyer. Buyers traditionally have never purchased a network device because it has more security anyway and manufacturers are against adding one penny of cost to their products to provide that functionality. Consequently, the chances of manufacturers adding some kind of endpoint security onto these devices are not very likely. That said, the endpoint is not the only location where network defenders can have success against IoT cyber adversaries.

Two best practices are obvious. First, reduce the attack surface for your enterprise's IoT galaxy by limiting the communications channels they are allowed to use. There is no reason to allow your toaster to communicate with anybody besides maybe the manufacturer and the toaster service you have signed up for. Cut everything else off. Second, we forget that cyber adversaries still must negotiate the entire attack like cycle in order to pursue their mission. Network defenders have many locations further up the attack life cycle that they can use to thwart these attacks. The end point is not the only game in town.

Q: Lucas, from your perspective as the CISO of a cybersecurity firm, what are the biggest challenges that organizations face from an endpoint security standpoint? Where do you see the biggest gaps in capabilities?

Endpoint security is critical to a comprehensive security strategy. Where some organizations still fall short are in the areas of dealing with the dynamic borders of traditional networks and migrating from traditional signature based malware detection to more advanced exploit prevention.

Organizations have increasingly invested in protecting their perimeter, adopting technologies like cloud based perimeter malware sandboxes, url filtering and ids/ips capabilities. But for users that work remotely, the traditional network security stack doesn't follow them. Organizations must think about how to strategically architect environments to account for these users. Leveraging always-on VPN connectivity that takes advantage of their existing security stack is one way to ensure that users have consistent security protection regardless of where they are.

Additionally, organizations are fast learning that traditional signature based malware detection is no longer scaling to the speed of threats. Organizations must incorporate into their strategies a shift from signature-based detection, to exploit prevention at the endpoint. This should of course be complemented by robust network based malware prevention as well as holistic visibility, but exploit prevention at endpoint is no longer an area that can be ignored.

Q: Rick, you have predicted that automation and playbook models will become increasingly important in threat intelligence sharing. What is driving this trend?

When Lockheed Martin published their seminal white paper, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains in 2010, the network defender community believed that we had found the right defensive model. Instead of the less precise Defense-in-Depth model where we would deploy random security controls into our network and hope that the adversary would run into them, we would instead install precise controls at every stage of the attack life cycle where we know that the adversary must go. Instead of having one or two chances of stopping the adversary, we would have a chance to stop them at every stage. But we never made the transition. Years after we all accepted the new model we are still stuck in our old ways. We did not change. The industry continues to focus on blocking the adversary at one stage of the attack life cycle or the other; sometimes at the delivery stage via phishing, sometimes at the installation stage with the latest zero-day attacks, sometimes at other places. But we never try to defend against the entire adversary playbook.

The security vendor community has realized this and has formed an information sharing organization, called the Cyber Threat Alliance, to change the status quo. They don't share attacker artifacts, they share updates to the entire adversary playbook. Those playbook changes are automatically converted into multiple prevention controls and distributed to the Alliance member's own products. This is automatic security orchestration done by the vendors so that the customers don't have to do it themselves. Because the vendors are leading the charge on this, the rest of the network defender community will come along.

Q: Lucas, what can attendees expect from Palo Alto Networks at Black Hat USA 2017? What do you hope they will take away from your company's presence at the event?

We're very excited that this year's Black Hat USA will be the 20th year of the event. At Palo Alto Networks, our mission is to protect our way of life in the digital age, and we know that Black Hat is the place for top security minds and researchers from around the world to come together and share their expertise with the rest of the security community.

We hope attendees will come check out the Palo Alto Networks booth (#1016) for our latest technology integrations and product demonstrations, including the latest from Traps Advanced Endpoint Protection. Technical experts will be available to talk about solutions to help tackle security challenges. Also, there will be chances to win cool prizes. It's time to evolve conventional thinking about security – see you at Black Hat USA 2017!

Brian Kenyon

Brian Kenyon
Chief Strategy Officer


Q: Tell us a little bit about Symantec's vision for delivering an integrated cyber defense capability that will span the cloud, data centers, private cloud and the IoT.

Threats aren't getting easier to manage. Depending on its infrastructure, an organization may need 10 or more security vendors to address the most critical cyber security challenges and needs. Customers deserve better – they NEED better. Our customers are looking for the most comprehensive and advanced set of technologies delivered in one solution that can protect across every critical threat vector.

To help customers stay protected, we knew it was going to take a new cyber defense platform that was truly open. We had to deliver a platform that could provide visibility, enhance defensibility and reduce operational complexity. Our Integrated Cyber Defense Platform is built for the cloud generation of computing – where users and data move beyond the traditional security perimeter with the adoption of cloud applications and infrastructure. Our platform supports companies that leverage their existing infrastructure to move more computing to the cloud, as well as those starting in a cloud-only world. It is an open platform that our customers can build upon – integrated not only between our products, but completely open to third parties and other vendors.

The entire Symantec organization is laser-focused on the execution of our platform, the technical road map, the ability to make it happen in the field and the innovations in our pipeline. We are working to redefine cyber security – by driving security outcomes that are real, tangible and best for our customers and partners.

Q: How exactly has Symantec leveraged its Blue Coat purchase so far? How have your customers benefited from it?

Within days of the legal close of the transaction between Symantec and Blue Coat, we integrated Blue Coat's threat intelligence into our Global Intelligence Network, creating the industry's largest and most diverse set of threat data. With the combined Symantec-Blue Coat threat telemetry, we are now seeing 3.2 million new detections every day. That's nearly a five percent increase from our previous benchmark. It's allowed us to create better defenses against phishing and URL attacks related to malware. Our joint intelligence has also led to a series of new discoveries and pushed us ahead of the curve that the adversaries once owned.

We also launched our first integrated product—within 90 days of the close—featuring technologies from both Symantec and Blue Coat: Symantec Data Loss Prevention (DLP) with Symantec CloudSOC (formerly Blue Coat's Elastica CloudSOC Cloud Access Security Broker [CASB]) and Cloud Data Protection. This integrated solution provides CISOs visibility from end to end, as well as a single point of control over sensitive data created, shared, and manipulated across on-premise systems, mobile applications, and cloud services.

Another example is Symantec Endpoint Protection 14 – a security offering that combines machine learning, memory exploit mitigation, and threat intelligence provided by Symantec and Blue Coat. By harnessing machine learning to collate data and detect patterns and anomalies, which may indicate a cyber attack, SEP 14 provides a multi-layered solution able to stop advanced threats and respond at the endpoint, regardless of how the attack is launched. When installed in a customer environment, Symantec Endpoint Protection and our ProxySG share detections and intelligence together.

We're encouraged by the progress we've made and we think we're well positioned to tackle the industry's most difficult challenges.

Q: If you were to pick one topic that you think will dominate the conversation at Black Hat USA 2017, what would it be, and why?

The last several months have identified a real pivot point in the world of cyber security and privacy – actually, digital intelligence in general. We are seeing the convergence of issues that affect the boardroom, war room and living room. 
For example, in 2016, Symantec identified a 36 percent increase in ransomware attacks worldwide and we don't see that slowing down anytime soon. Those attacks are affecting systems across all verticals, industries and platforms – enterprise and consumer. As much as we will see a rise in ransomware and ransom-based attacks, it is probably safer to assume that WannaCry and other malware will bring to bear a new set of adversarial tools, techniques and processes that will start to be the "new way" of doing things. 

Instead of picking one topic that will dominate, I would suggest that – with the change and improvement in the adversarial techniques – we are going to see material changes in attacks that force industry and technology suppliers to respond faster than they ever have before. As this happens, people and companies will realize that this becomes a race that can't be won with point products or specialist niche vendors. The best platform with the best intelligence will win. Additionally, I think that organizations will need to push to reduce the vendor fatigue they are experiencing by trying to cobble content and responses together. Whether it is cloud or traditional IT, organizations will need to ensure visibility, establish a defensible network and reduce operational complexity. 

Sustaining Partners