Interviews | June 10, 2022

Understanding Attacker TTPs is Key to Mounting Effective Defenses

Axonius | BeyondTrust | Fortinet | Hunters AI | PKWARE | ReliaQuest

Etay Nir


Q1. The cloud cyber asset attack surface management space has attracted considerable investor attention recently. What issue is it that companies in this space such as Axonius are trying to help organizations address?

There are three drivers for increased investment in cyber asset attack surface management (CAASM):

  • The attack surface is rapidly expanding. Security and IT teams are struggling to keep up with an increasingly complex attack surface. An increase in cloud adoption and SaaS applications, a remote workforce, and an array of devices mean that point solutions don’t provide enough visibility. Security and IT teams have turned to cyber asset attack surface solutions that provide comprehensive visibility across the entire attack surface.
  • A focus on fundamentals is needed to improve security posture. Many security initiatives, such as vulnerability management and incident response, fail when asset information is incomplete, outdated, or missing. Asset management is a fundamental practice that has been often overlooked or only conducted as a periodic exercise. Security teams have turned to CAASM solutions to provide continuous, complete, and contextualized asset inventories, allowing for more effective vulnerability management and faster incident response.
  • There’s a need to improve security control coverage and validation. Companies continue to invest more and more in security tools, but often struggle to ensure they’re fully deployed and configured correctly. Cyber asset attack surface management solutions allow security teams to continuously identify assets missing security controls and ensure controls are configured correctly.

Q2. What trends do you foresee driving demand for cloud attack surface management technologies over the next few years?

Since cyber asset attack surface management technologies provide a complete view of a company's attack surface, they are often helpful in dealing with today’s emerging security trends. These trends include:

  • Zero-day vulnerabilities and open-source software attacks: Events such as Log4j demonstrate that cyber asset attack surface management platforms provide immediate visibility into which assets may be affected by a zero-day vulnerability. Since these platforms aggregate sources from numerous data sources, it’s faster and more reliable to identify potentially vulnerable systems with CAASM as opposed to point vulnerability scanners.
  • Zero Trust: As network infrastructure becomes more complex and data security becomes a business imperative, adopting a Zero Trust strategy can help organizations effectively secure devices, apps, users, and data — regardless of location. CAASM provides a unified view of all assets, users, installed software, vulnerabilities, and more. This provides organizations with the visibility that is required to progress with Zero Trust initiatives.
  • Automation: Security teams have started to automate repetitive tasks and more mature organizations are starting to experiment with workflow automation. Some CAASM solutions have extensive automation capabilities, allowing customers to automate repetitive and time-consuming tasks such as ticket creation, data enrichment, vulnerability assessment, user permissions, and more.

Q3. What can customers expect from Axonius at Black Hat USA 2022? What does the company plan on highlighting at the event?

We have plenty of content and new functionality to showcase! First and foremost, Etay Nir, our Deputy CTO, will be speaking about Zero Trust and Cyber Asset Attack Surface Management. In this session, Etay will cover how building and maintaining an inventory of assets helps as a first step to implementing a Zero Trust strategy.

We also have plenty of new functionality to demo. First, our SaaS Management solution was released earlier this year and it’s helping customers identify all SaaS applications (known and unknown), manage SaaS security risks, and inform IT and cost optimization. We’ll be doing in-depth demos on this solution at Black Hat this year.

There are also a few major enhancements we’ll be showcasing, including:

  • A vulnerability management module that helps customers easily understand the impact of any observed vulnerability across their entire fleet of devices, and filter on device data and security control coverage information to inform which vulnerabilities should be acted on first.
  • Asset Investigations, which helps accelerate investigations by surfacing device or user attributes that have changed over time.

Be sure to visit booth #2050 to check out the Axonius platform, including any of the above capabilities.

Morey Haber
Chief Security Officer


Q1. BeyondTrust's latest Microsoft Vulnerability Report identified elevation of privilege issues as the top category of vulnerabilities in Microsoft products in 2021, as they were in 2020. What are the implications of this trend for enterprise organizations? How, if at all, should they be adjusting their priorities to address the issue?

While vulnerabilities exist in every organization, the prioritization for remediation has been a constant struggle for decades. Which ones are the most critical, which ones can be mitigated, and which ones are an acceptable risk, requires insights into an environment and details on the vulnerability and potential exploitation. While an organization can make risk decisions based on the environment, more information about the risk will help determine the best outcome for the business.

The Microsoft Vulnerability Report for 2022 helps address the gap in vulnerability information to make these decisions. Knowing that elevation of privileges continues to be the most prevalent category for vulnerabilities, and that other statistics prove faults in browser technology and applications are the primary attack vector for exploitation, helps organizations make sound risk decisions for remediation, mitigation, and risk acceptance. Without this knowledge, trends in vulnerability classification are not considered when building your risk mitigation and prioritization strategy within a business.

Q2. How do zero-trust models impact privileged access management?

The primary purpose of zero trust, regardless of the model, is to ensure separation of the control and data planes for continuous authentication and behavioral monitoring. When this is applied to Privileged Access Management, the most sensitive accounts in an environment are managed with strict controls to ensure that all activity is appropriate when applied to the most sensitive assets and data within an enclave.

The difference between this implementation and activity with standard user accounts is worth noting. When Zero Trust is applied using the principles of PAM, the following characteristics can be implemented to strengthen authentication models: secrets (including passwords) are managed, rotated, and obfuscated from end users, dynamic enforcement of least privilege can be implemented based on environmental attributes, and remote access into the data plane can be managed by session, activity, and for federated and unfederated identities. Zero Trust and Privileged Access Management together ensure that the most sensitive accounts in an organization are protected with the best strategies that identity and access management technology can offer.

Q3. What are BeyondTrust's plans at Black Hat USA 2022? What is your company's main messaging at the event?

At Black Hat, BeyondTrust will demonstrate that it is the worldwide leader in Privileged Access Management, offering the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access. BeyondTrust solutions empower organizations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, network, and the need for remote access in a work-from-anywhere world. BeyondTrust unifies the industry’s broadest set of privileged access capabilities with centralized management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat threat actors.

With these in mind, BeyondTrust will discuss a new book called Cloud Attack Vectors, the fourth in the Attack Vector series from Apress Media, and author Morey Haber, CSO at BeyondTrust, covering the latest attack vectors and mitigation strategies to protect the cloud and hybrid cloud environments from malicious activity.

Derek Manky
Chief Security Strategist & VP Global Threat Intelligence, FortiGuard Labs


Q1. What are the implications for organizations of the increasing speed with which attackers can weaponize newly disclosed vulnerabilities? How should they be responding to the trend?

The Log4j vulnerabilities that occurred in late 2021 got a lot of attention because they demonstrated the rapidly increasing speed of exploits that cybercriminals are using. For example, despite emerging in the second week of December, exploitation activity escalated in less than a month to make it the most prevalent IPS detection of the entire second half of 2021. In addition, Log4j had nearly 50 times the activity volume compared to ProxyLogon, the well-known outbreak that happened earlier in 2021.

As the rate of exploit (RoE) accelerates, organizations need to essentially put SLAs on vulnerabilities to meet patching deadlines before it’s too late. As is often the case, the damage associated with these high-risk vulnerabilities can often be large so it’s essential to be able to respond with agility for SOC/defense.

The RoE data points are important because given the speed that cybercriminals are working to maximize opportunity, organizations have little time to detect, react, mitigate, or patch systems. There are many things that organizations should consider, but high on the list to reduce their risk, organizations need intrusion prevention systems powered by artificial intelligence and machine learning. Also, threat intelligence visibility is key to be able to prioritize the threats propagating most quickly. The combination of AI and machine learning, along with a sound patching strategy as well as actionable threat intelligence visibility will go a long way.

Other things like segmentation, consolidation of security tools and platforms will also help. The key is to proactively consider the implications of speed and make a defense plan.

Q2. You recently advocated the need for security organizations to think like cyber-criminals when it comes to stopping them. How should they be doing this from an operational and process standpoint?

Organizations should be thinking about the TTPs (Techniques, Tactics, Procedures) and targeted assets by cybercriminals. High risk assets—critical data or services—are targeted by modern cybercriminals and their playbooks, so hardening these high risk assets should absolutely be a priority. When organizations gain a deeper understanding of the goals and techniques used by bad actors, it allows them to better align their defenses to react and adapt to quickly changing attack techniques. From an operational standpoint, this looks like smarter solutions that can ingest real-time threat intelligence, detect threat patterns and fingerprints, correlate massive amounts of data to detect anomalies, and automatically initiate a coordinated response.

Criminals are always looking for the one gap, the one vulnerability, the one open port. Defenders need to be just as nimble and be methodical. A strategy that does not get discussed much is deception. This is one solution that is a little bit different from things like EDR, Secure SD-WAN, ZTNA or others which are of course still critical. Deception can often lure adversaries into being found. It can also help learn about adversary behavior to better protect networks going forward. In fact, if done right you can learn a lot from deception; knowing behavior is half the challenge when fighting cyber criminals.

Q3. What are Fortinet's plans at Black Hat USA 2022? What do you plan on highlighting at the event?

Fortinet will once again be attending Black Hat to showcase our broad, integrated, and automated Security Fabric platform. In addition, this year we will be showcasing the value of a cybersecurity mesh platform given the hybrid networks of today and evolving threat landscape. Of importance for the BH crowd, we will also highlight our FortiGuard AI-powered Security Services and other services. Our FortiGuard Labs team will be present as well, discussing the latest threat research trends to help our customers and partners keep on top of the dynamic threat landscape.

Lital Asher-Dotan
Chief Marketing Officer


Q1. Hunters has positioned its SOC platform as a SIEM alternative technology. Why are organizations looking for SIEM alternatives? How does your SOC platform build on SIEM capabilities?

SIEMs are based on older architectures, designed for log collection and not analytics, so organizations tend to become frustrated by the limited detection capabilities, critical blind spots, missed alerts, and costly, siloed data that come with SIEMs. It can also be tedious to do threat investigation in those environments, requiring additional time from analysts. Hunters SOC Platform provides unlimited data ingestion, built-in detection engineering, and automated data correlation and investigation to overcome volume, complexity, and false positives at a predictable cost. Hunters saves SecOps teams time and money, while providing contextualized attack stories that allow teams to easily see the bigger picture without sifting through alerts.

Q2. What exactly is the Hunters Risk Score? What issue does it help SOCs address, and how?

The goal of the Hunters Risk Score is to pair confidence and severity to evaluate the urgency and fidelity of attacks on organizations. The score helps SOC teams understand potential risk and prioritize attacks by providing a more precise evaluation of threats. By combining the confidence level - our understanding of how malicious an activity is - with the severity level - a ranking that reflects potential damage to the organization - we produce an overall Risk Score that enables analysts to assess specific threats to the organization, helps them to clearly understand the necessary urgency of responses, allows them to prioritize incidents based on urgency, and adds business context to increase precision and reduce the noise.

Q3. What are Hunters' plans at Black Hat USA 2022? What are you hoping customers will take away from your organization's presence at the event?

We will have a booth and a happy hour, and we’re looking forward to engaging with customers and prospects about how we can help their SOCs get better outcomes. Hunters is also hosting a fireside chat between Rohan Singla, Director, Cyber of Security & Privacy at ChargePoint, and Ofer Gayer, VP Product at Hunters. Between skills shortages and the escalating sophistication of threats, security teams are looking beyond traditional tools to overcome data volume, complexity, and false positives. The session will explore modern approaches to data ingestion and retention and automation of threat management for increased SOC effectiveness. Look for Supercharging Security Operations - ChargePoint’s approach for removing SOC overhead and improving security outcomes.

Craig Irwin
Vice President Global Sales


Q1. You took over as VP of Global Sales at PKWARE in March this year. What do you see as some of the biggest use cases for your company's technologies over the next few years?

I made the move to join PKWARE because I believe in the vision and mission to identify and protect the world’s most sensitive information. The biggest use cases I see over the next few years are focused on helping organizations establish ethical use of data and a responsible use of technology. In order to achieve this objective, organizations will need to adopt both a cybersecurity and data governance program. I see organizations will be leveraging our technology to provide the real identity to data that works in concert with existing IGA, IAM, DAG and Business Impact assessments.

Q2. How has broader adoption of cloud services and remote work models complicated the data protection challenge for organizations? What capabilities does it take from a technology standpoint to protect data in the modern enterprise?

While broader adoption of cloud services and expanding hybrid work models have complicated data protection, the fundamentals remain. PKWARE automates the discovery and protection of structured and unstructured data across the cloud, on premise and on virtual or physical desktop environments. To protect sensitive data, you must first accurately know where it is before you can protect it. Your protection options should be deletion, redaction, masking or encryption at the file or cell level within a table or database.

Q3. What does PKWARE have lined up at Black Hat USA 2022? What do you expect to highlight at the event?

PKWARE is excited to demonstrate how we automate and solve both business and technical challenges organizations have with sensitive data. Business challenges come down to the liability organizations take on with the consumption of data to the way leading global organizations are modernizing their data governance initiatives within the rails of regulatory compliance requirements. We will be demonstrating how some of the most sensitive organizations find sensitive shadow data across real world environments in today’s hybrid workforce.

Joe Partlow


Q1. How will ReliaQuest's planned purchase of Digital Shadows benefit customers?

The purchase of Digital Shadows will be a huge win for ReliaQuest customers by now expanding our Threat Intelligence capabilities even further, better covering the deep and dark web space. Digital Shadows will allow for more focused and applicable intelligence and threat indicators to be used by our existing security detections and incident response functions.

Q2. What are the biggest challenges organizations face when it comes to measuring the effectiveness of their security program and the impact of their security investments? How does GreyMatter's recently added support for risk scenarios and MITRE ATT&CK V10 help in this regard?

Measuring the effectiveness of a security program is challenging due to most enterprise organizations having over 25 different security technologies in their environment, each only measuring a small portion of the overall security program. GreyMatter’s ability to aggregate and measure health, visibility, and efficacy across all these technologies, along with how well the team is performing from an incident response, risk and MITRE coverage standpoint, gives customers a holistic view of the enterprise security program as well as [that of] individual business units.

Q3. What does ReliaQuest have lined up for Black Hat USA 2022? What do you want customers to take away from your organization's presence at the event?

ReliaQuest looks forward to Black Hat every year since it is an excellent opportunity to talk with security leaders, customers, and partners around our ever-evolving capabilities with GreyMatter, especially our upcoming Digital Shadows integrations.
