Interviews | June 8, 2018

Black Hat USA Platinum Plus Sponsor Interviews: DarkMatter, Digital Guardian, Symantec, Recorded Future, Webroot

Shreekant (Ticky) Thakkar

Shreekant (Ticky) Thakkar
Chief Scientist, Advanced Research

Eddie Schwartz

Eddie Schwartz
Executive Vice President of Cyber Services


Q1. Shreekant, describe for us the focus of DarkMatter's research efforts around AI and quantum technology. How will your customers benefit from the integration of these technologies in DarkMatter's products?

We are excited about the potential that quantum technology and artificial intelligence has to make our customers safer, and were exploring how we can integrate these technologies within our products and services. For instance, one of our research initiatives is focused on developing quantum-safe encryption that fits on small devices. We are also working on implementing a higher level of testing and validation especially for IoT devices within critical infrastructure.

Research underpins everything we do. We have a network of R&D centers in North America, Europe, Middle East and China all working to identify and combat tomorrow's threats, helping keep clients secure and ready for the threats on the horizon. Our forward-looking, data driven approach gives enterprise the ability to plan strategically and to grow with confidence.

Q2. Eddie, you've previously described DarkMatter's mission and outlook as being 'truly disruptive'. How exactly is the company's strategy disruptive?

We are one of a handful of companies who have adopted a holistic approach to cybersecurity. Most approaches to date have focused on perimeter security—keeping hackers out, and ultimately, figuring out what to do once they get in. Ironically, this reactive approach can leave organizations more vulnerable to attack. It's clear that building walls isn't enough.

Our approach instead focuses on helping organizations become cyber resilient. This means that we encourage using evolving ecosystems designed to respond to the relevant attack. With this big picture perspective in mind, we provide the essential tools, services, products and expertise to help enterprises and governments secure their business operations and data and withstand the onslaught of a cyberattack. Ultimately, there is no silver bullet that will magically solve all security issues. Cybersecurity is a systemic problem that can only be solved with a holistic approach.

Q3. Shreekant, what is the DarkMatter and Safelayer collaboration about? How will it benefit your enterprise customers?

Our collaboration with Safelayer will allow us to deliver advanced digital services for the entire community facilitated by the deployment of a secure Digital Identification infrastructure.

Safelayer has developed the EID technology, which protects the digital identity of corporate users, private citizens, or connected objects. It's a crucial piece of technology, particularly in light of the rise of smart nations and the explosion of intelligent, connected devices. By combining Safelayers world-class software and DarkMatter's cyber security expertise, we will be able to jointly deliver the highest levels of security to Mobile ID applications including multi-factor authentication systems, electronic and cloud signatures and data encryption.

Our ultimate goal is to ensure trust in digital transactions that are performed by our customers and that there are no weak links within this chain of trust.

Q4. Eddie, what are some of the topics you expect will dominate the conversation at Black Hat USA 2018, and why?

I anticipate that there will be a lot of discussion around the security implications of smart cities. The smarter [that] cities get, the more vulnerable they are to cyber-attacks particularly if security measures haven't been able to keep up. We are living in world of incredibly swift technological growth and advancement. For instance, in 2017, the Internet of Things harbored approximately 18 billion connected devices. The total is expected to stand at 75 billion by 2025, a fourfold increase. IoT is a key aspect of a smart city and its multiple entry points presents a potential source of weakness.

At DarkMatter, we've developed specific technologies designed to protect smart cities, incorporating crypto, blockchain, and trust services. We work closely with governments, so we are very attuned to their needs and priorities when developing ways to keep smart cities safe.

Dave Karp

Dave Karp
Chief Product Officer
Digital Guardian

Digital Guardian

Q1. What are some of the limitations of traditional DLP technologies? What are some of the factors driving the need for DLP evolution?

Data loss prevention has evolved far beyond legacy network based appliances that in most instances were traditionally used to meet compliance. Many forms of traditional DLP included a rudimentary agent that was limited to content inspection and the control of removable media. Solutions lacked visibility into data, system and user events—creating holes in policy and rules to block activity—and failed to give users control or context around incidents.

Organizations have realized they can't limit themselves to simple data discovery and analysis tools. Companies instead need to implement a data-centric program that prioritizes securing the crown jewels of an organization, the data. That involves taking a look at the point of risk: the systems and users that are interacting with that data. Enterprises need the ability to automatically locate and identify their sensitive data, apply labels to classify it, and to implement flexible controls.

That's partially what's driven the evolution of DLP. The recent proliferation of mobile services and cloud environments has broadened the boundary for enterprises. The need to secure the endpoint from advanced threats has also forced businesses to move beyond traditional, compliance-driven, network-based DLP solutions.

Q2. Why is a cloud-based approach to DLP a more cost-effective option for enterprises?

Enterprises that extend their data protection policies to the cloud can protect their data while ensuring they're getting the same deep visibility, flexible controls, and real-time analytics as Digital Guardian's standalone solution. Cloud-based DLP also means organizations don't have to purchase any additional overhead or infrastructure that can drive up the cost of ownership.

Organizations who choose to deploy Digital Guardian's cloud-based data protection as a software-as-a-service (SaaS) can not only cut costs but do away with the complexities that often go hand in hand with managing a large data security architecture. The scalable solution can also reduce the stress around compliance requirements like the Health Insurance Portability and Accountability Act (HIPAA) and the EU's General Data Protection Regulation (GDPR) while mitigating data loss.

The ability to have centralized reporting in the cloud means enterprises can keep track of analytics, workflow, and reporting from anywhere, anytime, from any device, as well.

Q3. What do you want attendees at Black Hat USA 2018 to know about the direction in which the DLP market is headed currently given all the recent controversy over the topic?

Over the years, as the perimeter has dissolved, the Data Loss Prevention market has had to adapt as data has moved into the forefront of protection. Digital Guardian has helped redefine DLP since the company's inception. The recent integration of features such as user and entity behavior analytics (UEBA) and endpoint detection and response (EDR) with DLP will allow enterprises to more rapidly identify anomalous activity which enable users to investigate faster. By combining EDR with DLP, users gain greater visibility when it comes to detecting advanced threats and stopping them before sensitive data is compromised.

It's also important to move data protection beyond the confines of a controlled desktop and into the supply chain where sensitive data can be difficult to control. Extending DLP to incorporate information rights management allows customers better protection from compromise by securely sharing data required to collaborate and operate their business.

Compliance standards like the Payment Card Industry Data Security Standard (PCI- DSS) and HIPAA aren't going away either. But it's the dawn of data protection laws like the GDPR that will push DLP solutions, which can provide unrivaled insight to a company's data, further into the limelight than ever before.

Varun Kohli

Varun Kohli
Senior Director, Strategic Marketing


Q1. What specific issue does Symantec's recently launched Targeted Attack Analytics (TAA) technology help enterprises to address and how?

Targeted attacks are one of the most dangerous threats to enterprise security today. Currently, there are 140 targeted attack groups known to Symantec with an average of 29 new groups appearing each year over the past three years.

We recently introduced Targeted Attack Analytics (TAA), a major advancement in cyber security innovation that helps enterprises combat adversaries who have evolved their attack techniques to avoid the latest threat detection and machine learning tools. TAA is a joint-effort between Symantec's Attack Investigation Team – responsible for uncovering some of the most notable cyber attacks in history, including Stuxnet, WannaCry and Bayrob – and a team of security experts and data scientists leading the industry in machine learning research and applications for security.

Unlike what's offered on the market today, TAA combines the human intelligence of Symantec's Attack Investigation Team with advanced machine learning to automate the discovery of these dangerous targeted attacks. The technology available in TAA is comprised of the same tools Symantec used to uncover Dragonfly 2.0, which targeted dozens of energy companies and gained access to operational networks. Since its internal inception, TAA has already uncovered attacks for more than 1,300 customers per month.

Further, by codifying the knowledge of the world's leading security experts into artificial intelligence, Symantec will deliver world-class expertise to millions of companies, both reducing the costs and the need to hire security experts that are a scarce resource in today's labor market.

Q2. What did Symantec's 2018 Internet Security Threat Report reveal about the effectiveness of current security tools to deal with modern cyber threats? Where exactly are the biggest gaps?

One of the biggest discoveries in our 2018 Internet Security Threat Report is about how cryptojacking attacks exploded by 8,500 percent. This is a newer type of attack with a low barrier to entry—only requiring a couple of lines of code to operate—in which cyber criminals can harness stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency. Coin miners can slow devices, overheat batteries, and in some cases, render devices unusable. For enterprise organizations, coin miners can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding cost.

We also identified a 200 percent increase in attackers injecting malware into the software supply chain last year. Hijacking software updates provides attackers with an entry point for compromising well-guarded networks. The Petya outbreak was a particularly destructive example. After using Ukrainian accounting software as a point of entry, Petya used a variety of methods to spread laterally across corporate networks to deploy its malicious payload.

Mobile threats also continue to grow year-over-year. We blocked an average of 24,000 malicious mobile applications each day last year. As older versions of mobile operating systems continue to be in use, this problem is exacerbated. In the ISTR, we noted that only 20 percent of Android devices were running its latest operating system, and only 2.3 percent were on the latest minor release. Mobile users also face privacy risks from grayware apps that aren't completely malicious but can be troublesome. We found that 63 percent of grayware apps leak the phone number from the device. With grayware increasing by 20 percent in 2017, this isn't a problem that's going away.

Q3. Symantec has a broad portfolio of security products and services. What is your main technology messaging going to be at Black Hat USA 2018?

Today's businesses have complex technology infrastructures that combine on-premises, cloud-based and virtual machine technology. Employees access corporate networks and data from a myriad of devices, and download apps using public Wi-Fi. This digital transformation means that simply setting up a perimeter or running anti-virus software on a machine is no longer an effective way to protect a company's sensitive data.

In the Cloud Generation, nearly everyone depends on cloud apps and services for nearly everything, at work and in their personal lives. Our identities and personas are spread across dozens of different services and platforms. Information flows freely across an ever-growing number and variety of devices, some of which are company-owned, most of which are not. The Cloud Generation is changing everything.

Our main message at Black Hat 2018 is around securing the cloud generation and how CISOs must future-proof their technology infrastructure to ensure they're protected against the rapidly evolving threat landscape. Our dedication to innovation means not only building new products and acquiring new technologies, but also seamlessly integrating these products to provide our customers with consistent and comprehensive protection.

With more than 500 security researchers around the globe, our team is always looking for new organized attack groups, studying how they work and predicting their next steps. We use that knowledge to power our technology, harden endpoints, isolate threats, control data access, beat the adversaries at their own game and ultimately better protect our customers.

At Symantec, our technology unifies cloud and on-premises security to provide advanced threat protection and holistic information protection across all endpoints, networks, email and cloud applications. Our Integrated Cyber Defense platform is powered by the largest civilian threat intelligence network, robust point-to-point integrations and a broad technology ecosystem, working together to improve visibility, enhance controls, accelerate response, and reduce ownership costs for more than 350,000 businesses worldwide.

Staffan Treuvé

Staffan Treuvé
CTO, Co-Founder
Recorded Future

Recorded Future

Q1. How critical are machine learning and artificial intelligence platforms for identifying modern cyber threats? What are Recorded Future's plans for integrating these technologies into its products and services?

Machine learning and AI for natural language processing (NLP), signal detection, and predictive analytics is at the core of Recorded Future's Threat Intelligence Machine.

Never before has so much information been available in digital form, ready for use. All of humanity is, on a daily basis, providing more information about the world for machines to analyze. Not only that — through crowdsourcing and online communities, we are also able to give feedback on the quality of the machines' work at an unprecedented scale.

With billions of indexed facts, and more added every day, Recorded Future's Threat Intelligence Machine makes use of machine learning and NLP, to continuously analyze threat data from a massive range of sources. We give our customers unmatched insight into emerging threats relevant to their organization, delivering on the promise of intelligence-driven security.

Research in algorithms has seen huge strides in giving us the ability to use these new computing resources on the massive data sets now available. Ultimately, scaling human analysts to process the sheer volume of available threat data is impossible. That's why we built the Threat Intelligence Machine, combining the power of cognitive systems with experienced and expert analysts to deliver threat intelligence insights.

Q2. A lot has been said about the potential for AI and machine learning to positively transform cybersecurity. Talk to us a little bit about your concerns over the same tools helping black hats and criminals get better at what they do.

There are many concerns around attackers using AI/NLP to "improve" phishing attacks, to automate vulnerability detection, etc. in order to more quickly find gaps in organizations' security programs. While these are legitimate concerns, for better or worse, there's no turning back now. Focusing on how we can help defenders amplify their efforts, automate cumbersome, repetitive tasks, and use AI/NLP to more deeply understand their internal and external environments instantaneously will yield far greater results.

Q3. What are you hoping attendees at Black Hat USA 2018 will take away from Recorded Future's presence at event?

At Recorded Future, we're focused on making sure people walk away with a meaningful vision for how AI and machine learning can help them do their jobs more effectively.

Across the market, there has been a lot of hype around machine learning, AI, and NLP—in general and as it applies to cybersecurity. As a cybersecurity industry, we've made it really challenging for practitioners to know what's real, or to understand what makes sense for their organization. There's been a lot of fear mongering and also a decent amount of false expectation setting.

We feel it's our role to reverse that damage and provide practical, actionable applications of threat intelligence that showcase the impact of intelligence driven security powered by AI.

Hal Lonas

Hal Lonas


Q1. Why aren't legacy cybersecurity tools sufficient for dealing with ransomware, cryptomining and other new and emergent threats? Why is real-time threat intelligence needed for addressing these issues?

Legacy cybersecurity tools are only good for protecting against legacy cyber threats. A signature-based approach to cybersecurity isn't effective against polymorphic threats, which represent over 90% of the attacks we see today. What's imperative in today's cybersecurity landscape is information: having the right threat intelligence at the right time to identify and protect against cyber threats as they occur. A behavior-based approach grounded in automated machine learning can deliver real-time threat intelligence that adapts to modern attacks as they appear.

When businesses are looking for security solutions, they need to make sure that real-time threat intelligence is built into security platforms from the start, not as an afterthought. Additionally, threat intelligence needs to be incorporated into a multi-layered security approach including network URL and IP protection, anti-phishing technology, endpoint protection, as well as security awareness training.

Bottom line, threat intelligence is the basis for protecting all end users against today's rapidly changing threat landscape.

Q2. Talk to us about Webroot's SecureAnywhere DNS Protection service. What issue is it helping MSPs and SMBs address?

MSPs and SMBs need powerful cybersecurity that is easy to install and manage, which is why Webrooot SecureAnywhere DNS Protection makes so much sense.

With many threats entering SMB networks due to un-secure web browsing, filtering at the DNS layer can have a very significant impact in reducing infections and in actually stopping threats at the network level. Additionally, DNS Protection protects all network devices, including the growing number of IoT devices that can be difficult, if not impossible, to patch. DNS Protection also helps secure guest Wi-Fi networks, blocking malicious URLs and protecting customers—and the business itself- from a variety of cyberthreats.

For MSPs and SMBs, DNS Protection is incredibly easy to install, configure, and manage, and is another critical tool in a layered cybersecurity approach.

Q3. Why is it important for Webroot to be at Black Hat? What topics does Webroot plan to focus on at the event?

Black Hat is a critical event for us to network and share information with cybersecurity's best and brightest, helping keep our customers secure against tomorrow's cyber threats.

Most importantly, we're here to meet MSPs, SMBs, and technology vendors who come to Black Hat to further their knowledge on how to stay protected in the rapidly changing threat landscape. Our goal at the show is to listen to their pain-points and problems, and share how we can help. Specifically, we will be discussing our layered approach to cybersecurity, the importance of real time threat intelligence, as well as our endpoint security, DNS Protection, and Security Awareness training solutions.

Additionally, we send our growing cybersecurity and threat research teams to discuss the threat landscape and network with other leaders in cybersecurity. Sharing our collective knowledge on emerging threats helps Webroot anticipate tomorrow's security risks, and build them into today's products.

Sustaining Partners