Interviews | June 10, 2019

Robust Insider Threat Programs Needed To Address LoTL attacks

Roger Thornton
VP of Products and Technology

AT&T Cybersecurity

Q1. What are some of the fundamental drivers for Unified Security Management (USM)? What specific business issue does it help address for enterprise organizations?

Global spending on cybersecurity will exceed $1 trillion cumulatively from 2017 to 2021, according to Cybersecurity Ventures research, which also predicts cybercrime damages will cost $6 trillion annually by 2021 — double the cost from 2015. The evolution of cybercrime coupled with digitalization makes cybersecurity a business level problem. Dispersed networks, an explosion of data, disparate technologies and complex security operations present cybercriminals with gaps or "seams" in organizations' security postures. Technology approaches to solving this problem have largely stayed the same, relying on reactive policy management, point solutions and complex workflows. The mismatch between changes in cybercrime sophistication and the relative stagnation in cybersecurity approaches is apparent as organizations continue to suffer data breaches. According to the AT&T Cybersecurity Insights survey, 88% of respondents had reported at least one type of security incident or breach in the last year. Fighting this requires a collaborative approach that efficiently orchestrates people, process and technology through Unified Security Management. With this approach, companies can identify their assets, drill down into what threats are exploitable, fix weaknesses, and have ongoing threat detection and response capabilities that are enhanced by reliable threat intelligence.

Q2. What are some of the biggest challenges MSSPs face these days in delivering services? What do you believe will separate the leaders in this space from the rest, over the next few years?

The biggest challenges facing MSSPs stem from the fact that their customers, especially SMBs, do not have the time, money or expertise to keep up with today's evolving threat landscape. There are 18.5 million new threat indicators per day according to our Alien Labs team. Even with an estimated $44.7 billion being spent on security in the US in 2019, 80 percent of US IT leaders anticipate a critical breach or successful cyberattack against their organization over the coming year, and there were already 281 reported breaches exposing more than 4.53 billion records in Q1 2019 alone. With threats evolving as fast as they are, this will only get worse.

Couple this with the significant lack of qualified security personnel, and you have an enormous challenge facing customers today. The MSSPs that are emerging as market leaders are those that can understand the challenges facing their customers now and in the future, and can adapt accordingly. MSSPs also have to be able to address these challenges through service offerings with a collaborative approach that orchestrates people, process and technology, which includes starting early to build the skills and talent needed to grow their security practices.

AT&T Cybersecurity is a new standalone division created in February 2019 through the combination of AlienVault, AT&T Cybersecurity Consulting and AT&T Managed Security Services. This combination of innovation and unrivaled visibility means that AT&T Cybersecurity is uniquely positioned to provide security without the seams through people, process and technology. Central to this mission is to help enable companies to remain protected while also pursuing their digital transformation needs.

AT&T started down this path years ago by building a best-of-breed Cybersecurity Consulting practice and Managed Security Services business serving customers of all sizes, across industries, and around the world. Combined with its network visibility across the threat landscape, AT&T has been well positioned to take a unique role in cybersecurity.

With the current offering, AT&T Cybersecurity will continue to deliver on our joint vision to address security seams and uniquely bring together people, process, and technology through a "software defined" unified security management platform, one that integrates, automates, and orchestrates a wide spectrum of best-of-breed point security products.

By abstracting much of the management of individual security products, we are automating deployment and ongoing operations, and operating them as a single unified solution – much in the same way AlienVault had done with the critical capabilities required for threat detection and response. This platform will use the technical capabilities and reach of AT&T's Edge-to-Edge intelligence in order to deliver solutions as on-demand digital services optimized to help protect customers through their own digital transformation journey.

We will accomplish this through collaboration with AT&T's industry-leading Chief Security Organization and through the integration and automation of AT&T Alien Labs threat intelligence into the platform. The combination of Open Threat Exchange now curated by Alien Labs and AT&T's incredible breadth and depth of threat intelligence will create one of the world's leading threat intelligence platforms.

Sam Curry
Chief Security Officer

Cybereason
Q1. Why has endpoint protection become such a big challenge for organizations these days? Why aren't traditional anti-virus and anti-malware tools alone sufficient any longer for addressing endpoint threats?

The endpoint protection industry, as a subsection of security, has become set in its ways. Traditional tools tacitly accept that aiming for slightly better than the status quo is good enough; it isn't. In the end, it's the customers and practitioners who suffer. At the heart of this, the adversaries are improving at a faster rate than the defender ecosystem. The industry is losing at innovation, which is why EDR and MDR are so disruptive.

There are today two main strategies for protecting endpoints. The first is a control that riskily hooks the operating system and looks conservatively for things known to be bad or reasonable permutations on them. Whether touting machine learning or not, this is the predominant strategy with only a few outliers. The second is an attempt built around SIEM to post-facto collect all the trace evidence in an environment and CSI-style find the culprit. But this strategy suffers from punishing noise-to-signal ratio, lack of relational context and painful latency technologically and procedurally.

The answer is to get out of machine-centric fetishism and to look cross-system, to look at behavioral data rather than all logs and to focus on the defender's efficiency. The star of this show is the analyst who has to understand in close-to-real time what is happening and make decisions. One or more of these elements are at the heart of EDR, and ideally all of them.

Q2. What are some of the key attributes that organizations should be looking for when shopping for EDR technologies or services?

When shopping for EDR, realize that a new data type needs to be collected and is missed by almost all endpoint protection products and SIEM tools alike: behavioral telemetry. With very little exception, everything else is noise. In a sense, this is subject-verb-object descriptions of what is happening: process spawning, process injection, user privilege, file touches, registry events, service and daemon information and so on. It is not every failed logon or OS security message.

Once that is collected and put in a data structure that lends itself to cross-system analysis and querying, EDR should minimize noise and alert fatigue as a primary job. Efficiency is critical not just for management, cost savings and learning rates but because it enables better risk reduction. EDR should detect fast, with context, and assure a readiness to take action. Finally, it should be focused on rapid, coordinated response and then automating. Every time something is dealt with or an action is taken, there's a learning opportunity. EDR should also not be collecting extraneous information, which is largely noise, and shouldn't be a front for a Mechanical Turk where people on the back end are putting on a security front.
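The subject-verb-object telemetry model and the cross-system querying described in this answer, shown as an added example written for this page (it is not Cybereason's code, and the event field names, the verb vocabulary and the two sample hosts are assumptions):

```python
"""
Added example (not Cybereason's code): model endpoint behavioural telemetry as
subject-verb-object records, index it for cross-host queries, and drop the
noise the interview says EDR should not be collecting (failed logons, generic
OS security messages).  All events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Verbs that describe behaviour (what a process or user did), not raw OS chatter.
BEHAVIOURAL_VERBS = {"spawned", "injected_into", "wrote_file", "set_registry",
                     "installed_service", "elevated"}


@dataclass(frozen=True)
class Record:
    host: str
    subject: str      # e.g. "pid:40/winword.exe" or "user:alice"
    verb: str
    obj: str          # e.g. "pid:41/powershell.exe", a path, a registry key
    ts: int           # seconds since epoch (constructed)


def normalize(raw_events):
    """Turn heterogeneous raw sensor events into Record triples.
    Events whose verb is not behavioural are dropped as noise."""
    out = []
    for ev in raw_events:
        if ev["verb"] not in BEHAVIOURAL_VERBS:
            continue   # failed logons, audit spam, etc. never reach the store
        out.append(Record(ev["host"], ev["subject"], ev["verb"], ev["object"], ev["ts"]))
    return out


def build_index(records):
    """Relational context: parent lookup per (host, child process) plus a
    verb index so a query can go straight to the behaviour it cares about."""
    parent = {}                    # (host, child) -> parent
    by_verb = defaultdict(list)
    for r in records:
        by_verb[r.verb].append(r)
        if r.verb == "spawned":
            parent[(r.host, r.obj)] = r.subject
    return {"parent": parent, "by_verb": by_verb}


def ancestry(index, host, proc):
    """Walk the process tree upward; returns [proc, parent, grandparent, ...]."""
    chain = [proc]
    seen = {proc}
    while (host, chain[-1]) in index["parent"]:
        nxt = index["parent"][(host, chain[-1])]
        if nxt in seen:            # guard against cyclic or garbled sensor data
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def injections_with_context(index):
    """Cross-system query: every process-injection event on every host,
    each returned with the injecting process's full ancestry."""
    hits = []
    for r in index["by_verb"]["injected_into"]:
        hits.append({"host": r.host, "source": r.subject, "target": r.obj,
                     "ancestry": ancestry(index, r.host, r.subject)})
    return hits


# Constructed sample telemetry from two hosts.  Only the behavioural rows matter;
# the logon and audit rows are here to show that they are filtered out.
SAMPLE_EVENTS = [
    {"host": "ws01", "subject": "pid:1/explorer.exe", "verb": "spawned", "object": "pid:40/winword.exe", "ts": 100},
    {"host": "ws01", "subject": "pid:40/winword.exe", "verb": "spawned", "object": "pid:41/powershell.exe", "ts": 101},
    {"host": "ws01", "subject": "pid:41/powershell.exe", "verb": "injected_into", "object": "pid:7/svchost.exe", "ts": 102},
    {"host": "ws01", "subject": "user:alice", "verb": "failed_logon", "object": "ws01", "ts": 103},
    {"host": "srv02", "subject": "pid:1/init", "verb": "spawned", "object": "pid:300/sshd", "ts": 200},
    {"host": "srv02", "subject": "pid:300/sshd", "verb": "spawned", "object": "pid:301/bash", "ts": 201},
    {"host": "srv02", "subject": "kernel", "verb": "audit_message", "object": "SELinux denial", "ts": 202},
]


def run(raw_events=SAMPLE_EVENTS):
    records = normalize(raw_events)
    index = build_index(records)
    return {"records_kept": len(records), "injections": injections_with_context(index)}


if __name__ == "__main__":
    for hit in run()["injections"]:
        print(hit["host"], hit["source"], "->", hit["target"], "via", " <- ".join(hit["ancestry"]))
```

The point of the index is the relational context the answer asks for: a single injection event is an isolated alert, but the same event returned together with the chain of processes that led to it is something an analyst can act on in close to real time, and the noisy rows never cost storage or attention.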

Q3. What do you want attendees at Black Hat USA 2019 to know about Cybereason's strategy for helping organizations reverse the hacker advantage?

Our primary mission is to reverse the hacker advantage — that means we should all expect to win in any cyber conflict. It's not acceptable to hit a benchmark in line with everyone else. It's not acceptable to produce a commodity and call it differentiated. Cybereason will work in an environment with utmost respect, doing least harm possible to CPU usage, bandwidth, usability, service levels and the business. Further, Cybereason will prevent the preventable and will build a real EDR, not just a service held together by Mechanical Turks. Organizations that we work with will catch attacks to the left of the kill chain, reliably, and in time to take coordinated, concerted action. Learning will lead to real improvements and automation, and our system of record will be the simplest, complete record of what's really happening.

In short, organizations using Cybereason can truly hunt and can find the advanced attackers and frustrate them again and again, in a repeatable way. Finally, Cybereason is committed to out-innovating the adversary. Cybereason will continue to do this and get better at doing it over time.

Phil Quade
Chief Security Officer

Fortinet
Q1. You recently talked about the world entering a new 'cy-phy' era where devices and data in our physical spaces have begun converging with cyberspace. From a security standpoint, what does this trend mean for enterprise organizations?

As much as it seems we're almost permanently engrossed in our computer's or smart phone's screen's portals to the cyberspace we've come to love, the physical environment around us is being rapidly instrumented to gather data about the places we actually live and breathe. Enterprises now have the opportunity to use data from both the virtual domain of cyberspace and the physical domain (of IoT, OT, building automation, smart cities, and so forth) to find more insights on how to make our work more efficient and our life more enjoyable. That opportunity does not come without a responsibility.

As enterprises use data from that physical domain, and also correlate it with data from the cyber domain, there is an increased responsibility to ensure that it is both protected and private. After all, it's one thing to lose your privacy within the virtual world of cyberspace, but quite another to lose it within the actual environment where you're living, walking, or even functioning (think, healthcare IoT monitoring your body's functions).

The privacy and security (integrity, authenticity, availability) of such data can't be afterthoughts. Enterprises must plan for the handling of such data with the right visibility, segmentation, and access control, doing defense through integrated and fast security technologies.

Q2. Adversaries are employing dual-use tools and 'Living off The Land' (LoTL) tactics in a growing number of cyberattacks these days. What challenge does this trend pose for organizations? How should they be addressing it?

There are two ways for an outsider to get unauthorized access to a system: find and exploit a vulnerability (an unintended hole that enables an attacker to achieve a security effect), or use an existing system feature to achieve an unintended (to the legitimate user of that feature) security effect. For example, I could discover and use a vulnerability to spoof integrity/authentication (e.g., via pass the hash) and then steal data, or I could steal the data directly after appropriating an authorized user's password.

The problem for the security professional is that they've been trained and conditioned to look for exploited vulnerabilities, using sophisticated analytics to find evidence of that (e.g., memory leaks; timing attacks). Yet there are nowhere near as many (nor sophisticated or scalable) analytics that detect the misuse of valid functions. This leads us to "the insider problem."

"Insiders" have a bad name. Far from defending insiders who abuse their trusted employee status, what I mean is that the term "insider" has too narrow/confusing a meaning (i.e., it's not just 'the good employee who has gone bad').

The 'insider threat' includes:

  1. The trusted employee who now acts maliciously (i.e., deliberately causing harm);
  2. The trusted employee who acts with poor judgment/recklessly (i.e., putting the organization at risk due to risky online behaviors); or
  3. Non-employees who have penetrated external defenses and now pose as a legitimate trusted employee (i.e., penetrators that now can simply use the full suite of system commands to commit malicious activities).

With those things in mind, organizations need robust insider threat programs that take on the scope of all three of those definitions of "insiders", since if you have the analytics in place, you can use those analytics to find & kill the LoTL tactics.

Organizations should pick security companies that have the ability to prevent, detect, and mitigate all kinds of attacks, whether they are rooted in vulnerabilities, legitimate commands, or executed by outsiders or insiders.
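One shape the analytics for "misuse of valid functions" can take, as an added example written for this page rather than Fortinet's code: it profiles what commands each account normally runs, on which hosts and at which hours, and then flags later activity that falls outside that profile. The audit-log format, the account names and the commands are all constructed assumptions. The same analytic covers all three "insider" definitions in the answer above, because a penetrator holding a stolen password, a reckless employee and a malicious one all show up the same way: valid commands used outside the account's established pattern.

```python
"""
Added example (not Fortinet's code): a small baseline-and-deviation analytic
for misuse of *legitimate* functions, the LoTL / insider problem described
in the interview.  All audit rows below are constructed sample data.
"""
from collections import defaultdict


def parse_audit(lines):
    """One audit row per line: user,host,hour,command (assumed format)."""
    rows = []
    for line in lines:
        user, host, hour, cmd = line.split(",", 3)
        rows.append({"user": user, "host": host, "hour": int(hour), "cmd": cmd.strip()})
    return rows


def build_baseline(rows):
    """Per-account profile of the valid functions the account normally uses."""
    base = defaultdict(lambda: {"cmds": set(), "hosts": set(), "hours": set()})
    for r in rows:
        p = base[r["user"]]
        p["cmds"].add(r["cmd"])
        p["hosts"].add(r["host"])
        p["hours"].add(r["hour"])
    return dict(base)


def score(row, baseline):
    """Return the reasons this (perfectly valid) command looks out of pattern
    for the account that ran it.  An empty list means it fits the profile."""
    p = baseline.get(row["user"])
    if p is None:
        return ["unknown account"]
    reasons = []
    if row["cmd"] not in p["cmds"]:
        reasons.append("command never used by this account before")
    if row["host"] not in p["hosts"]:
        reasons.append("host never used by this account before")
    if not any(abs(row["hour"] - h) <= 1 for h in p["hours"]):
        reasons.append("outside the account's usual hours")
    return reasons


def find_deviations(training_lines, live_lines, min_reasons=2):
    """Alert only when several independent deviations coincide; a single
    deviation is normal drift and would only feed alert fatigue."""
    baseline = build_baseline(parse_audit(training_lines))
    alerts = []
    for row in parse_audit(live_lines):
        reasons = score(row, baseline)
        if len(reasons) >= min_reasons:
            alerts.append({**row, "reasons": reasons})
    return alerts


# Constructed 'training' window: ordinary activity for two accounts (abbreviated).
TRAINING = [
    "alice,ws01,9,git pull",
    "alice,ws01,10,make",
    "alice,ws01,14,git push",
    "alice,ws01,16,make test",
    "bob,srv02,9,systemctl status web",
    "bob,srv02,11,journalctl -u web",
    "bob,srv02,15,systemctl restart web",
]

# Constructed 'live' window.  alice's first row is her normal work; her second
# is a valid admin command, on a server she never touches, in the middle of the
# night: every command is legitimate, only the pattern is wrong.
LIVE = [
    "alice,ws01,10,make",
    "alice,srv02,3,useradd svc_backup",
    "bob,srv02,15,systemctl restart web",
    "bob,srv02,17,journalctl -u web",   # same command and host, an hour or two late: drift, not an alert
]


if __name__ == "__main__":
    for a in find_deviations(TRAINING, LIVE):
        print(f"{a['user']}@{a['host']} {a['hour']:02d}:00 '{a['cmd']}' -> {'; '.join(a['reasons'])}")
```

Nothing in the flagged row is an exploited vulnerability, which is exactly why vulnerability-centric analytics would miss it; requiring two or more coinciding deviations before alerting is what keeps the analytic from drowning the analyst in one-off drift.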

Q3. What can attendees expect from Fortinet at Black Hat USA 2019? What do you plan on highlighting at the event?

Black Hat is an important event that we attend and we have a lot going on at the show this year. Our booth (#630) will focus on many items of interest to attendees. We will be running several demos of our products and threat services. We are also conducting theater presentations from Fortinet and our Fabric-Ready partners throughout the event. We will be hosting our Expert Bar again, staffed by members of our Technical Marketing team to answer security technology questions. From a topical standpoint, we will be highlighting our Secure SD-WAN solution, as well as our multi-cloud security, IoT security, and security operations offerings, showcasing the need for a broad, integrated, and automated Security Fabric. As for the threat landscape, Black Hat is always an ideal event to discuss the latest trends in cyberthreats, and we will of course share our latest FortiGuard Labs threat research and our global Threat Landscape Report.

Hardik Modi
Sr. Director, Security Research

NETSCOUT
Q1. What were some of the key takeaways from NETSCOUT's 2019 Worldwide Infrastructure Security Report? Was there anything in it that was unexpected or surprising in any way?

That report, as well as the biannual NETSCOUT Threat Intelligence reports, reveals numerous changes to the threat landscape as experienced by our customers.

Chief among them are:

  • The targeting of key elements of the digital transformation movement such as SaaS providers, which saw a threefold increase in the number of DDoS attacks
  • The surge in the number of attacks in what we consider the 'juicy middle' – 100Gbps-400Gbps, a range that was at the top end of attacks some years ago but is now a common occurrence across the Internet
  • The speed at which IoT devices are targeted via brute-force and exploitation attempts – within 5 minutes and 24 hours on average, respectively
  • The growth in the number of nation-states using cyber as part of their toolcraft

All of these findings are based on ATLAS, our program that gives us worldwide visibility into traffic and attack data, coupled with the analysis conducted by our threat research team, ASERT.

Each of these was surprising to us – even as we anticipate growth across each of these dimensions, we had to look hard at the data to validate the intensity of the activity we were seeing across the landscape. Everyone in this space recognizes that we're up against an intelligent and adaptive adversary, and even as systemic fixes to the Internet and new defenses help contain activity, newer techniques and exposures continue to emerge.

Q2. How have DDoS attacks evolved in recent years? What, if any, new mitigation challenges do they pose these days, compared to a few years ago?

The ongoing weaponization of more sophisticated DDoS techniques means that even minimally skilled attackers are able to 'punch above their weight' in terms of both attack impact and operational complexity for the defenders. DDoS in particular attracts opportunistic attackers who are able to leverage a mature ecosystem to inflict damage against their targets. What isn't always apparent is the collateral impact of such attacks, so somebody trying to gain an advantage against a rival on a gaming platform by launching an attack might push a Service Provider into applying costly mitigation in order to not cause disruption to a broader customer base.

We routinely see multi-vector attacks which have been launched via so-called 'booter/stresser' services, which are now key to the ecosystem I referred to above. These can involve large botnets or high-powered servers in 'bulletproof' hosting providers, which can be used to launch a variety of attacks against specified targets. These services have built user-friendly interfaces and accept a variety of payment methods, including cryptocurrencies. Further, the turnaround time for the weaponization of new and/or improved attack techniques seems to be growing shorter, as well. This has essentially led to a democratization of the attack landscape, allowing a wide variety of participants to launch attacks against targets of their choice.

Other forms of online attacks, such as credential stuffing, can have a DDoS-like impact, where the repeated login attempts using botnets result in system responses slowing down or ceasing altogether.

These have led to growth in all categories of DDoS attack – volumetric, resource exhaustion as well as application layer attacks. From a mitigation standpoint, they can trip up naïve implementations that might be filtering on a small set of fields, or that rely extensively on thresholds.

Q3. What does NETSCOUT plan on highlighting at Black Hat USA 2019?

To start with, we intend to share our overarching security strategy and demonstrate how NETSCOUT is a key partner to enterprises and service providers worldwide who use our products to defend themselves against the adversary.

Also, we are going to demonstrate services around situational awareness, leveraging our vast collections and analysis to help users understand the landscape around them – both affecting them directly as well as others in their 'neighborhood', broadly meaning verticals and geographies of interest to them.

To support both of these, we expect to be announcing new products as well as enhancements to existing ones. These products and the solutions that they are part of will be on display at our booth.

Further, and most exciting to me personally, we plan to publish the third installment of our biannual NETSCOUT Threat Report just prior to the show and then use it to frame our conversations around our visibility and research in the space. We find that a large number of stakeholders in the health of the Internet are present at the show and it becomes a great opportunity to share our findings. The report will continue to draw on our observations across the DDoS, cybercrime and nation-state slices of the landscape. We expect to present on our findings as well as engage in education with members of our research team present at the booth and other venues at the show.

It's going to be quite the show and we're looking forward to engaging in a serious dialogue around the need to clean up the Internet and our contributions to that effort.

Nicholas Warner
Chief Operating Officer

SentinelOne
Q1. How have requirements for endpoint security changed recently? What's driving the need for those changes?

The endpoint space is one of the most dynamic in cybersecurity. Buyers have become vastly more sophisticated in the last few years, as have attackers. Competition between vendors brings out the best for customers. Here are a few unequivocal changes:

Signatures are dead. For real
What started as marketing became proven; static AI has replaced signatures across the industry. Customers don't want daily updates and scans. Legacy AV companies continue to lose share because of their inability to adapt and abandon their bloated technology stacks.

Fileless attacks will only continue to rise
The new attack frontier is live and fileless attacks that leverage techniques to evade both legacy and many of the next-gen players. Detection and response become imperative for buyers in a post-prevention world. While prevention is possible, it's not and never is 100% (nothing ever is).

Performance matters
Buyers have become much more particular about system resource utilization; endpoint technology can't get in the way of end user computing or server performance. Solutions that are heavy on the endpoint are the first to be disqualified in competitive bake-offs.

Cross-platform solutions win: a Windows-only approach isn't sufficient
The world isn't flat - customers demand parity across all major operating systems including Mac and Linux. For too long, AV companies have treated these two operating systems as stepchildren. In reality, much of the world's most important computing, design, creation, storage, and operations happen across Mac and Linux. Securing the datacenter, containers, and Mac devices is more important today than ever before.

The definition of the endpoint is changing
What used to be limited to laptops and PCs is taking on a new identity: today's endpoints are cloud workloads, datacenters, servers, VDI environments, and most importantly IoT devices. Enterprises demand visibility and protection across the gamut of these attack surfaces. Customers are looking to balance the desire for cutting-edge and deployable solutions that answer their most critical questions across the modern-day endpoint fleet.

Q2. What is the role of EDR in zero-trust models?

In a world where the endpoint, cloud, and identity are the core architectural elements of the network, EDR takes on a more focal role than ever before. The EDR space is decades old; however, legacy EDR products kept EDR away from most of the market because of technology and people requirements. The opportunity we see and have acted upon is democratizing EDR so that the technology is both autonomous and scalable; customers are able to hunt on pre-indexed data to see what would have previously taken hours of time and years of experience to see.

In a zero-trust model, the premise is to not trust any person, device, or action. Thus, in a perfect world, an EDR would record all activity inside and outside the network. SentinelOne's ActiveEDR [uses this dataset to make] detection and response real-time and digestible for cybersecurity and for IT operators without sacrificing any capabilities. Zero-trust models demand having EDR capabilities to better understand and action endpoints, the cloud, and users.

Q3. What are some good reasons for security professionals to meet with SentinelOne at Black Hat USA 2019?

SentinelOne has seen unprecedented triple-digit growth since Black Hat 2018. Why? Our technology is differentiated and brings unmatched capabilities in both the next-gen and legacy spaces.

See why 3 of the Fortune 10 and hundreds of G2000 companies selected SentinelOne over the rest - better yet, see why we replace other next-gen technologies with our single-agent platform that prevents, detects, responds, and hunts in real time. Whether it was showcasing efficacy, cross-platform support, system performance, or visionary development with SentinelOne's Ranger IoT solution, customers see us as their go-to AV replacement.

Technologists appreciate having the most cutting edge tools; executives need assurance that they've deployed technologies that win on effectiveness and ROI. SentinelOne marries the mix of capabilities and ROI creating unprecedented customer success across all industries and geographies.
