Interviews | June 8, 2021

Web Application Security Took a Hit in 2020

Cybereason | Intrusion Inc. | Invicti | PKWare | Tenable

Sam Curry

Cybereason

Q1. What should we be taking away from incidents like the one at Colonial Pipeline in May? What should the appropriate response be—at a national level—to attacks like these?

Protecting our cyber infrastructure is as important as protecting physical infrastructure. That's how dependent we have become in the connected world, whether it be with financial systems, healthcare systems, air traffic control, energy, or food production. We will not prevent the next DarkSide, SolarWinds or Microsoft Exchange attack by relying on the same failed cybersecurity solutions that haven't worked in the past - the same ones that completely missed these attacks against tens of thousands of organizations for the better part of a year. We need to change the way cyber operations are addressed, because attacks like these are preventable with a proactive defense strategy that leverages behavior-based detection and prevention. Furthermore, ensuring that those responsible for these attacks suffer consequences is important, but what is perhaps even more crucial is what we do after that.

The extent of the potential impact to our critical infrastructure and national security is significant. So how do we, both as a nation and as a united cybersecurity industry, do everything we can to make sure this doesn't happen again? The future must include the US government drawing a line in the sand and sparing no resources in pursuing and prosecuting those responsible for attacks like these. We cannot allow these foreign threats to continue to operate without fear of reprisal or any threat of repercussions or consequences. The truth is that attackers still enjoy the advantage, but we can change that. The security industry needs to unite with the government, with private sector customers and partners - and even competitors - because we are all in this fight together. We may disagree on the methods, but not on the merits of our efforts: to work together to end these threats and prevent the next major attack.

Q2. A lot of security experts advocate the need for organizations to take an 'assume breach' approach to cybersecurity. What does that really mean in terms of changes that organizations might need to make at a technology level and operationally?

We have entered an era of continuous incident response, where the automation of initial attack stages means that organizations are constantly under attack with new tools and tactics, so they simply can't rely on Indicators of Compromise (IOCs) from known attacks to successfully defend against novel methodologies. Malicious actors who know what they're doing uniquely compile their code to make sure it doesn't match any known file hashes or malware signatures out there, rendering IOCs ineffective for detection and making it impossible for signature-based anti-malware solutions to provide sufficient levels of protection across multiple organizations using the same indicators.

The security community is not bound to protecting organizations using IOCs alone, however. They can turn to what's known as Indicators of Behavior (IOBs) - the more subtle chains of malicious behavior that can reveal an attack at its earliest stages. IOBs are not about anomalies or key indicators of malice at a moment in time, although that's part of it. This is about highlighting the chains of behaviors that are either rare or present an advantage to an attacker. Behavioral analysis can detect advanced attacks like we have seen with the SolarWinds campaign. This operation-centric approach to detecting and remediating attacks early by leveraging key indicators that other solutions miss was key in our development of the Cybereason Defense Platform. By looking at IOBs, it's possible to not only gain full visibility of an attack chain that's already happened, but to also use that same progression of threat behaviors to protect organizations against similar attacks in the future.

Q3. What does Cybereason plan to highlight at Black Hat USA 2021? What can security professionals expect from your company at the event?

Annual spending on security solutions continues to climb, but so do the major security incidents - yet is anyone asking why? Cybereason is on a mission to educate the security community and the organizations we serve on how we can all work to usher in a new paradigm for our collective approach to security.

Security incident investigations traditionally take a retrospective approach to identifying new Indicators of Compromise (IOCs) after the fact, or use known IOCs from a previous event to detect new malicious activity on a network. But this approach does not enable organizations to effectively hunt for novel threats in real-time to detect advanced malicious operations as they are unfolding. The most sophisticated attacks are not uncovered by counting things like failed login attempts, but tracking a successful login correlated against other seemingly benign activities as a single chain of behavior can surface malicious operations at the earliest stages. With advancements in prevention and detection strategies through frameworks like MITRE ATT&CK, we have the opportunity to take a more proactive approach to detecting attacks at the earliest stages based on these more subtle Indicators of Behavior (IOBs). These behaviors in isolation may be relatively common on a network, but in certain combinations are either extremely rare or present a distinct advantage for an attacker.

The security community has the opportunity to commit today to creating an open, extensible language to describe IOBs against frameworks like MITRE ATT&CK and develop an effective science for early detection and response. Cybereason will be focused on educating attendees on the nature of today's advanced attacks and how we can develop a common standard for detecting attacks earlier based on IOBs as an exciting new telemetry use case for improved security operations.
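The two answers above describe detection in terms of chains of individually common behaviors rather than single indicators. The toy detector below is an added example written for this page; it is not Cybereason's code and says nothing about how the Cybereason Defense Platform works. The pipe-separated event format, the sample log lines, the four-step chain and the 15-minute window are all constructed assumptions. The ATT&CK technique IDs attached to each step are the public ones for Valid Accounts, Scheduled Task, PowerShell and Web Protocols.

```python
"""Toy Indicator-of-Behavior (IOB) chain detector.

Added example for this page, not vendor code. Event format, log lines,
chain definition and window are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "logon", "process" or "netconn" (assumed telemetry types)
    detail: str


# One chain step: (human label, ATT&CK technique ID, predicate on an event).
Step = Tuple[str, str, Callable[[Event], bool]]


def is_remote_logon(e: Event) -> bool:
    # Logon type 10 = RemoteInteractive (RDP) in Windows security events.
    return e.kind == "logon" and e.detail.startswith("success type=10")


def is_task_registration(e: Event) -> bool:
    return e.kind == "process" and "schtasks.exe /create" in e.detail.lower()


def is_encoded_powershell(e: Event) -> bool:
    d = e.detail.lower()
    return e.kind == "process" and "powershell" in d and ("-enc" in d or "-encodedcommand" in d)


def is_external_connection(e: Event) -> bool:
    # Simplified RFC 1918 check; good enough for the constructed sample.
    return e.kind == "netconn" and not e.detail.startswith(("10.", "192.168.", "172.16."))


# Each step alone is everyday activity; the ordered combination per principal is rare.
LATERAL_MOVEMENT_CHAIN: List[Step] = [
    ("remote interactive logon", "T1078", is_remote_logon),
    ("scheduled task created", "T1053.005", is_task_registration),
    ("encoded PowerShell launched", "T1059.001", is_encoded_powershell),
    ("outbound connection to external host", "T1071.001", is_external_connection),
]


def parse_line(line: str) -> Event:
    """Parse the constructed 'ts|host|user|kind|detail' line format."""
    ts, host, user, kind, detail = line.strip().split("|", 4)
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)


def find_chains(events: List[Event], chain: List[Step],
                window: timedelta = timedelta(minutes=15)) -> List[List[Event]]:
    """Return every ordered occurrence of `chain` for one (host, user) inside `window`."""
    by_principal: Dict[Tuple[str, str], List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_principal.setdefault((e.host, e.user), []).append(e)

    matches: List[List[Event]] = []
    for stream in by_principal.values():
        for start, first in enumerate(stream):
            if not chain[0][2](first):
                continue
            matched, deadline, step = [first], first.ts + window, 1
            for e in stream[start + 1:]:
                if e.ts > deadline or step >= len(chain):
                    break
                if chain[step][2](e):
                    matched.append(e)
                    step += 1
            if step == len(chain):
                matches.append(matched)
    return matches


def describe(match: List[Event], chain: List[Step]) -> List[str]:
    """Render one matched chain with its ATT&CK technique IDs for an analyst."""
    return [f"{e.ts.isoformat()} {label} ({tid}): {e.detail}"
            for (label, tid, _), e in zip(chain, match)]


# Constructed sample telemetry: jdoe completes the whole chain on ws-042;
# asmith logs on remotely and talks to the internet but never completes it.
SAMPLE_LOG = """\
2021-05-07T02:14:05|ws-042|jdoe|logon|success type=10 src=10.20.3.15
2021-05-07T02:15:31|ws-042|jdoe|process|schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\u.bat /sc minute
2021-05-07T02:16:02|ws-042|jdoe|process|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2021-05-07T02:16:40|ws-042|jdoe|netconn|203.0.113.17:443 proto=tcp
2021-05-07T09:01:12|ws-017|asmith|logon|success type=10 src=10.20.3.9
2021-05-07T09:30:55|ws-017|asmith|process|outlook.exe
2021-05-07T09:31:10|ws-017|asmith|netconn|198.51.100.8:443 proto=tcp
"""


def detect_from_log(text: str = SAMPLE_LOG) -> List[List[Event]]:
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return find_chains(events, LATERAL_MOVEMENT_CHAIN)


if __name__ == "__main__":
    for chain_match in detect_from_log():
        print("\n".join(describe(chain_match, LATERAL_MOVEMENT_CHAIN)))
```

Run stand-alone it reports exactly one chain, the one on ws-042; asmith's successful remote logon followed by an external connection produces nothing because the intervening steps never happen. Note that no hash, domain or IP from the sample is used as a lookup key, which is the property the answers above attribute to behavior-based detection.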

Jack Blount
President and CEO

Intrusion Inc.

Q1. You took over as CEO at INTRUSION last May right in the middle of the global COVID-19 pandemic. How did that impact your strategic vision for the company? What challenges did the pandemic present and what new opportunities did it present for Intrusion to prove its value?

The COVID pandemic had a huge impact on INTRUSION, forcing employees who had spent years working in the same office, and communicating in real-time, to collaborate using cell phones, email and in particular video conferencing. The company immediately adapted, and many employees enjoyed working from home. Working remotely helped us focus on more flexible solutions for the prevention of cybercrime, which now includes remote employees.

Q2. What drives the need for technologies such as INTRUSION's Shield? What issue is it designed to help organizations address?

INTRUSION Shield is designed to eradicate cybercrime, the greatest threat to business continuity in the world. Cybercrime has evolved and advanced from the hacker in the basement to people with PhDs in computing, using supercomputers and AI algorithms to successfully infiltrate every global company and government agency. Now cybercrime lives on your network, evaluating passwords, architecture, backup products and cycles until it is ready to effectively compromise your network by stealing new product designs, customer lists and/or money via ransomware. The large majority of ransomware gets on your network through either Zero-Day Attacks or Malware-Free attacks. INTRUSION Shield protects you from these attacks in a way no other firewall or cybersecurity solution does.

Q3. What are INTRUSION's plans at Black Hat USA 2021? What do you want customers to take away from your company's presence at the event?

To be recognized as the most advanced and successful, global AI-based cybersecurity solution in the market today. INTRUSION Shield is the only IDPS that uses AI in real time to identify and kill all dangerous connections attempting to enter or exit your network. Shield identifies and kills all types of malware, including both Zero-Day and Malware-Free attacks. From the SolarWinds breach of 18,000 businesses and 16 government agencies and Colonial Pipeline to the most recent JBS breach, these incidents prove that ultimately no business is safe without Shield installed on its network.

Ferruh Mavituna
CEO and President

Invicti

Q1. What impact has the increased focus on remote workforce security over the past year had on web application security? What's your biggest concern about the current state of web application security?

The overall state of web application security went backward during 2020. Our AppSec Indicator study indicates that web application security has suffered as organizations shifted focus to support remote work and business continuity amid the challenges of 2020.

As organizations shifted to support a remote workforce and to provide online services to their customers, attack surfaces expanded. Chat, web conferencing, and collaboration tools, as well as the increased adoption of eCommerce and web-based services, have created a much larger application footprint for organizations that were already experiencing cybersecurity resource constraints.

The truth remains that the largest percentage of breaches in 2020 began with a web application. At the same time, the number and severity of other types of attacks reached new highs in 2020, capturing international attention and diverting time and resources away from web application security. Ignoring web application security has an extremely high cost to companies in terms of lost customers, data, revenue, reputation, and more.

The bottom line is that attack surfaces are expanding exponentially but security teams aren't.

Q2. IAST is garnering considerable attention in the application security space. How is it different from DAST and why do organizations need it?

IAST is a great complement to DAST since it scans an application from the inside out while DAST is scanning from the outside in - increasing overall scan coverage and adding actionability to DAST results with IAST pinpointing the location of a vulnerability in the code.

We advise customers to strongly consider IAST for several reasons. First, some web vulnerabilities can only be discovered from inside the running application. Second, some vulnerabilities can be proven only when you can see the behavior of the application from the inside. And third, having an inside view can make it much easier for developers to fix issues.

A lot of IAST solutions in the market today are standalone tools that simply run in parallel to other security testing solutions - but this is not ideal. To really get the most from IAST, you need it to be communicating actively with a comprehensive security platform. IAST in our products is triggered by the DAST sensor, so it runs as needed and more frequently than standalone passive IAST. This gives the user a single pane of glass view into the scan results from both IAST and DAST. This orchestrated DAST+IAST approach delivers far more than the sum of its parts. The technology works in complement to add actionability to DAST results, confidence without false positives to IAST reports, and complete visibility into security risks in the entire application.

Q3. What is your messaging at Black Hat USA 2021? What do you want customers to know about your company and its plans over the next few years?

Security teams are facing massive challenges of scale and an increased threat landscape, but they will never be able to solve the problem through people power alone. They need truly modern tools to carry them into the future.

At Invicti, we're committed to helping security teams future-proof their security posture [and] achieve application security that scales at the pace of their innovation. We will continue building a platform that automates everything that can be automated, integrates into development workflows, and implements machine learning to reduce the amount of repetitive manual work and allow security teams to focus on what's around the next corner.

Jason Dobbs

PKWare

Q1. How has the shift to a remote and hybrid work environment over the past year complicated the data discovery challenge for enterprise organizations?

Many enterprise organizations built their data discovery programs around on-premises use cases for databases and file shares on servers that lived inside the company's firewall. When people worked at their desktops in the office, data had a harder time leaving an organization because the physical device never left the building.

Removable/portable devices like laptops and mobile devices meant that data began to travel more outside the organization's four walls. Most recently, remote and hybrid work environments have resulted in an organization's data being remote along with its users. More data resides outside the firewall to cloud storage and SaaS applications, and users pull data from multiple sources onto laptops and other devices. There is an increased challenge in understanding not only who is accessing company data, but where that data is being preserved.

Now, in addition to being able to discover data in structured environments like on-premises databases and applications, the enterprise needs to be able to discover sensitive data in the cloud and on user laptops or other devices. Because users are constantly creating and manipulating data on those devices, data discovery then needs to be executed in near real-time.

When sensitive data is discovered, decisions need to be made on what to do next. Should the data be encrypted, masked, quarantined, deleted, or otherwise protected? It is critical that an enterprise's data discovery be paired with policy-driven remediations to automate the protection in all locations, especially on endpoints that are increasingly likely to be outside the organization's walls.

Q2. What do enterprises need to understand about the difference between data protection and data security? Why does it matter?

There are similarities in data protection and data security, and many people use the terms interchangeably. But, if you look at the promises of protection versus security, you can see that they are geared toward different goals and outcomes.

Data security measures are in place to protect your data from unauthorized access that could lead to data compromise. In contrast, data protection measures are employed to keep your data safe in the event of unauthorized access or distribution. Basically, if there is a breach of data security measures, data protection kicks in to keep your organization's data safe.

Traditional data security measures are typically geared at external threats – the type of attacks that make the news. However, it is the threats that originate from inside an organization that are more challenging to detect and prevent. One reason is that insiders aren't always intentionally posing a risk to data security. Therefore, a more holistic approach that incorporates elements of data security and data protection can offer the most peace of mind.

Data can be protected in many ways, including logging access, data encryption, data masking, redaction, and quarantine. As with any security program, it is important that data protection is automated and driven by policy to prevent the well-intentioned user who makes a bad decision from putting an organization's data at unnecessary risk.
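Both the Q1 answer (discover sensitive data, then decide whether to encrypt, mask, quarantine or delete it, driven by policy and per location) and the paragraph above describe the same discovery-plus-remediation loop without showing one. The script below is an added example written for this page; it is not PKWARE code and does not represent their products. The detector patterns, the location-aware policy table, the sample records and the masking rule are all constructed assumptions; the Luhn check is the standard card-number checksum and is included because a "digits in card layout" pattern on its own would flag order numbers and similar false positives.

```python
"""Toy sensitive-data discovery with policy-driven remediation.

Added example for this page, not vendor code. Patterns, policy table and
sample records are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Detector patterns (constructed, deliberately simple).
PATTERNS: Dict[str, re.Pattern] = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_pan": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),   # 13-16 digits, optional separators
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Policy: which action each finding gets, depending on where the data lives.
# The same PAN is masked on a server but quarantined on an endpoint, because
# the endpoint is the location the answer above calls out as most exposed.
POLICY: Dict[str, Dict[str, str]] = {
    "us_ssn":   {"server": "mask", "endpoint": "mask"},
    "card_pan": {"server": "mask", "endpoint": "quarantine"},
    "email":    {"server": "log",  "endpoint": "log"},
}

Hit = Tuple[str, str, int, int]   # (label, matched text, start, end)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; rejects PAN-shaped strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def discover(text: str) -> List[Hit]:
    """Run every detector over one record and return validated hits."""
    hits: List[Hit] = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if label == "card_pan" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue   # looks like a PAN but fails Luhn: probably an order/reference number
            hits.append((label, value, m.start(), m.end()))
    return hits


def mask(value: str) -> str:
    """Replace all but the last four digits with '*', keeping separators in place."""
    n_digits = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def remediate(record: str, location: str,
              policy: Dict[str, Dict[str, str]] = POLICY) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Apply the policy for `location` to one record.

    Returns (remediated record or None if quarantined, list of (label, action)).
    """
    hits = discover(record)
    actions = [(label, policy[label][location]) for label, _, _, _ in hits]
    if any(action == "quarantine" for _, action in actions):
        return None, actions                      # whole record withheld from this location
    out = record
    for label, value, start, end in sorted(hits, key=lambda h: h[2], reverse=True):
        if policy[label][location] == "mask":      # right-to-left so earlier offsets stay valid
            out = out[:start] + mask(value) + out[end:]
    return out, actions


# Constructed sample records: (location, content). 4111 1111 1111 1111 is a
# Luhn-valid test number; ORD-1234567890123 is PAN-shaped but fails Luhn.
RECORDS = [
    ("server", "Acct 123-45-6789 renewed; card 4111 1111 1111 1111; contact j.doe@example.com"),
    ("endpoint", "Receipt ORD-1234567890123 sent to j.doe@example.com"),
    ("endpoint", "Card on file 4111 1111 1111 1111 for j.doe@example.com"),
]


def run(records=RECORDS) -> List[Tuple[Optional[str], List[Tuple[str, str]]]]:
    return [remediate(content, location) for location, content in records]


if __name__ == "__main__":
    for (location, _), (result, actions) in zip(RECORDS, run()):
        print(f"[{location}] {actions} -> {result!r}")
```

The point the example makes is the one in the text: discovery on its own only produces a list of findings, and the decision about what happens to each finding is a policy lookup keyed on the data type and its location, so the same card number is masked in one place and withheld in another without a human choosing each time.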

Q3. What do you expect will be top of mind issues for your customers at Black Hat USA 2021? What does PKWare plan on highlighting at the event?

Technology continues to grow and improve, and its heightened use naturally increases vulnerabilities for hacking and data theft. We've already seen a 300 percent increase in ransomware attacks in the last 12 months. But that doesn't mean that a breach or a hack should be considered an accepted business risk. It's all preventable, and cyber resiliency is possible—if you have the right systems, training, and mindsets in place.

At Black Hat, PKWARE is specifically highlighting the ability to build cyber resiliency for financial services institutions. In 2019, financial services companies were targeted for malware attacks more than any other industry. Of course, financial institutions must have the proper defenses in place to protect data. But it's also vital for these organizations to take precautions that will ensure security and data teams can minimize the total financial and brand impact if a breach does indeed happen.

PKWARE knows it is possible to defend against the multitude of cyberthreats aimed at financial services. Awareness is key: knowing what data you have and where it is, who it belongs to, and the financial risk of each independent system where data resides. When organizations can be proactive rather than reactive to data threats, there is a much better opportunity for data privacy and security success. Our VP of Privacy and Security will demonstrate to users how our full suite of data protection and security products can keep their most vital and sensitive information safe no matter where it lives or moves.

Renaud Deraison
Co-founder & CTO

Tenable

Q1. What business issue specifically is Tenable helping organizations address with Tenable.ep? How has the pandemic impacted the need for this kind of capability?

As organizations undergo rapid digital transformation and continue to operate in work-from-home models, the ability to quickly spin up and connect modern assets to the corporate environment is critical. This brings increased efficiency to new business models, enables more collaboration, and allows organizations to move from concept to market more quickly. However, this also introduces new vulnerabilities and threats to the corporate environment.

But until now, gaining visibility into all the exposures across these dynamic environments required organizations to purchase multiple, single-purpose products, each with different licensing and pricing models. This created challenges for security leaders who had to manually parse through massive amounts of security data — from all these disparate solutions — to stitch together a story to try to understand vulnerabilities in context. Tenable.ep's comprehensive solution removes all of this complexity.

Tenable.ep is a risk-based vulnerability management solution that includes Web Application Scanning, Container Security and Tenable Lumin to help organizations understand the exposure of every asset, everywhere, on every platform, at all times. Tenable.ep enables security teams to see and assess all assets and vulnerabilities from across the attack surface — all in a unified view, thereby making it easy to assess and accurately prioritize vulnerabilities and assets that matter most to your organization.

In addition, with Tenable.ep, security teams can simply start assessing different asset types at any time — including web application scans and container image assessments — without the painful procurement or deployment processes that are common in the industry.

Q2. Why did Tenable acquire Alsid? How does the acquisition benefit your customers?

Active Directory is used by 90 percent of Fortune 1000 organizations as their primary method for authentication and authorization, according to Frost & Sullivan. Its ubiquity makes Active Directory a favored attack vector for bad actors who use its misconfigurations to move laterally across systems and escalate privileges. This risk has never been more acute than it is today, with so many people working remotely and often using personal devices to connect to corporate systems. Recently, we saw Active Directory gain global attention after it was reported that the SolarWinds attack leveraged the directory service to escalate privileges and move laterally through environments. But it also gets abused every day with common attacks like ransomware.

Unfortunately, most organizations struggle with Active Directory security due to misconfigurations piling up as domains increase in complexity, leaving security teams unable to find and fix flaws before they become business-impacting issues.

With Alsid's deep expertise in securing Active Directory, we've added a new and innovative approach to disrupting cyberattacks. Tenable's industry-leading risk-based vulnerability management solutions enable organizations to predict which vulnerabilities an attacker could leverage to gain an initial foothold. From there, the Alsid technology enables users to find and fix existing weaknesses and detect ongoing attacks in real time without the need to deploy agents or use privileged accounts.

Q3. What do you think your customers will be most interested in hearing about from Tenable at Black Hat USA 2021? What are Tenable's plans at the event?

We're excited to participate in Black Hat again this year. In addition to showcasing Tenable.ep, we're also hosting a number of sessions with our experts who will discuss everything from Active Directory attacks to disrupting attack paths to operational technology (OT) risks.

Derek Melber, Tenable's technical director, will host a lunch and learn on August 5 where he'll discuss securing entry points and Active Directory to prevent ransomware attacks. Active Directory is commonly leveraged in ransomware attacks as a way to move laterally and escalate privileges. Stopping these attacks starts with hardening Active Directory and other points of weakness. Attendees are encouraged to join us for the lunch and learn to walk away with a clear list of security recommendations to address their network environment.

In a sponsored session, Gavin Millard, Tenable's vice president of product marketing, will also delve into tips and best practices for integrating Active Directory security capabilities into risk-based vulnerability management programs. Knowing that insecure Active Directory systems with known flaws and misconfigurations allow attacks to propagate, Gavin will discuss how to make it difficult for attackers to find a foothold in your network.

Following a string of high-profile attacks on critical infrastructure, including oil & gas, water, food production and transit systems, operational technology (OT) security has never been more important. In his sponsored session, Tenable's Senior Director of OT Solutions Michael Rothschild will draw from these recent incidents and offer best security practices to secure these mission- and safety-critical systems.
