Interviews | June 11, 2015

Black Hat USA Sponsored Workshop Interviews: BAE Systems, Booz Allen Hamilton, TrapX Security, and whiteCryption

Jim Anderson

Jim Anderson, president of the Americas for BAE Systems Applied Intelligence, talks about the current state of cyber security, and what actionable advice he offers businesses to improve their security posture.

BAE Systems Applied Intelligence

Q: Jim, not a day goes by when cyber security is not addressed in some way in the media. What is your point of view on the state of cyber security?

Jim Anderson: The scale and sophistication of cyber crime continues to grow at a pace that is faster than many organizations' abilities to defend against them. Prevention is no longer the only focus as cyber security has become an exercise of trying to connect the dots before "bad actors" can leave an organization with key assets. This challenge is becoming even more complicated due to the dearth of cyber security talent. In fact, according to Frost & Sullivan, the global information security workforce shortage is projected to be at 1.5 million in 2020.

Digital organized crime is well-funded and manned by determined actors. Meanwhile, many businesses are using disparate systems and platforms to prevent attacks to little or no avail. To really move the needle, top business leaders need to take a holistic approach and assess how their people, technology, and processes are hindering and hurting their company's security posture.

Q: Part of the new reality of cyber security is that organizations must deal with reputational damage, legal costs, and assets being lost on top of a breached network. What actionable advice can you offer a business looking to improve its security posture?

Anderson: According to Verizon's 2015 Data Breach Report, businesses face approximately five malware events every second. To address this concerning statistic, organizations need to take three crucial steps:

  • Find sources to automate and optimize information to ensure it is rapidly and effectively translated into intelligence. Turning information into intelligence that powers an effective defense, and therefore, response to an attack, enables businesses to mitigate risks associated with key assets being taken.
  • Security teams need an environment where they can find the expected and the unexpected. What we've seen is a lot of organizations that have built solutions on the premise that they know what they are looking for. However, in most cases, they don't know what they don't know. This is best accomplished through big data correlation, security analytics, and contextual information linking threat intelligence.
  • Organizations must have prepared incident response plans. It is important that organizations develop and implement the appropriate activities to take regarding a detected breach. These activities could include incident readiness exercises, leveraging a breach detection service, and leveraging enterprise incident response and management services.

Q: You recently announced that you were extending your delivery of cyber threat intelligence through an agreement with iSIGHT Partners. Of what benefit will that be to BAE Systems clients?

Anderson: Augmenting our threat intelligence solution means we can help organizations generate an enhanced picture of their threat landscape. Extending the breadth of information enables clients to proactively address threat issues on a real-time basis with a wider range of reporting.

As we know, cyber threats continue to outpace organizations' defenses. To understand which threats are the most significant, organizations must deploy an intelligence-led approach to cyber security, combining best-in-class monitoring and defensive technologies with actionable intelligence from both internal and external sources. Expanding the range of intelligence sources available along with necessary staff and processes ensures a better understanding of the threat earlier in the attack cycle. This leads to not only improved defenses but also more effective response and remediation.

Q: So BAE Systems Applied Intelligence needs to keep a finger on the pulse of digital crime. What are some predictions that address the future of cyber security?

Anderson: As mentioned earlier, while the attack surface is growing exponentially, one's ability to add resources to keep up with this threat is limited. Therefore, it is critical that organizations of all sizes must seek technology as well as trusted security service partners to ensure a healthy security posture.

Organizations must be prepared to dynamically structure their security environments around their business needs. To address this, organizations should look to build a layered response team. It's a triage system where each person/partner handles the problems they have the skills for, ensuring an efficient workflow.

Cyber risk, which until recently was only thought of as an IT risk, is now a very real business risk. We've seen that companies' reputations, share prices, and ability to operate effectively have been affected. All this makes security a boardroom issue. To address this, security professionals must engage their board members in a dialogue about security preparedness, current protections in place, proper expectations, and how the organization will respond.

Q: You'll be sponsoring a workshop at Black Hat USA 2015. What will be its focus and what will be some of the takeaways?

Anderson: Our workshop will illustrate how we translate a heritage steeped in providing threat intelligence to the world's largest governments -- including the United States and United Kingdom -- into cyber security to businesses of varying sizes.

We'll show the art and science of a cyber attack. Demonstrating how thieves can gather all of the pieces of information needed to set a breach in motion with little more than a browser will help organizations to turn the tables on digital criminals.

Christopher Ling

Christopher Ling, executive VP at Booz Allen Hamilton, describes the return of BAH's annual Kaizen Capture The Flag Event, and this year's entirely new set of cyber concerns and how companies will respond to them.

Booz Allen Hamilton

Q: Christopher, I understand that, as last year, you'll be running another Kaizen Capture The Flag Event in which your Cyber Training Center professionals provide challenges designed to build participants' scripting, network forensics, and Web/binary exploitation skills. How does that challenge work and why would Black Hat conference-goers be interested in signing up?

Christopher Ling: Each year we've changed the style of Kaizen to keep it new, fresh, and interesting, even to former participants. This year, Kaizen is providing a penetration-testing-style Capture the Flag (CTF). This style speaks to the skills that are in high demand in today's cyber security market. Participants can expect to hack "live" infrastructure to solve a variety of reversing, forensics, and crypto challenges. We encourage participants of all skill levels to attend Kaizen. Our Kaizen developers focus hard on making sure they build a wide variety of challenges that cater to all types of varying skillsets and skill levels from novice to expert.

Black Hat conference-goers sign up for Kaizen year after year because of the fun, challenging, and competitive environment that it creates and because it introduces them to real-world technical challenges. Additionally, these challenges tend to push participants beyond their current skillsets, leaving them with a great feeling of fulfillment. There is no better way to build a technical skillset than to participate in a live training event such as Kaizen. Participants will learn new skills on-the-fly and gain valuable skills that can immediately be applied to their current work environment. Finally, the top three participants will win prizes.

Q: BAH has said that, if the past 12 months saw a dramatic increase in data breach activity, the year ahead promises to bring an entirely new set of concerns – and a shift in how companies are responding to the cyber threat. Exactly what is that new set of concerns and what will be the new way companies respond?

Ling: The scope and long-term damage associated with cyber incidents are continuing to escalate. Connectivity in an IoT world is expanding the "attack surface" and adding another dimension of risk, complexity, and exposure. This is forcing the c-suite to rethink cyber response and move to an anticipatory defense – one that looks over the horizon at emerging threats. And as companies witness or experience the inevitable business impact of a cyber event, some are assigning to a business leader within the c-suite the responsibility of driving response activities across all facets of the organization. This is a departure from assigning the multi-dimensional job to a technology executive. This leader spearheads corporate resiliency efforts, which includes rigorously training on the full range of corporate and public issues that may result because of a breach.

Q: Analysts are forecasting a shortfall of 1.5 million IS professionals by 2020 and your EVP Angela Messer is offering strategies for addressing that shortage. Give me a rundown of the top strategies for closing that gap.

Ling: That question is a great one and it's best to parse it into the two underlying issues: (1) How can I solve the talent shortfall for my own organization, and (2) What can be done at the macro-level to address this continued shortfall moving forward?

Many leaders are concerned with how we can more readily protect our systems and meet the needs of both our clients and customers. Here we need to identify which cyber functions or responsibilities can be automated or outsourced and the ones that are truly mission-critical to our organization. After we identify the critical functions, each CISO and CIO must ask: "Do I really have the talent and capability in-house to meet this critical need, and if I don't, does it make business sense for me to hire or train the talent internally?" If the answer is "yes," then the organization really needs to identify the talent with the highest probability of impact and ability to meet rapidly evolving cyber threats through valid assessment of personality, aptitude, and skills predictive of success in cyber roles.

We're using our cloud-based CyberSim, which has over 275 challenges based on up-to-date cyber and threat intelligence, to identify the individuals who are the "smart bets" for limited training, development, and stretch assignment resources. At Booz Allen, we work in concert with our client-facing cyber experts and real-time threat intelligence center to rapidly update our Cyber University offerings to the benefit of both our clients and ourselves. Over time, the wagering of multiple "smart cyber talent bets" will translate into a force multiplier of sorts. Fundamentally we seek to "bend the client's demand curve." From precision-guided, surgical threat-based cyber workforce planning to specialized career paths to retention strategies, we aim to position our clients to compete for and win the war for scarce cyber talent.

Second, we know we will not solve the talent shortage alone. Rather, we advocate for a variety of strategies and initiatives requiring close collaboration among industry, government, and academia. No one sector has the magic bullet to solve the talent crisis. Thoughtful investment in the early identification of potential sources of cyber talent across geographies, public and private investment in these sources at both the local economy and educational institution (e.g., high school, community college) levels, and implementation of an agile curriculum development strategy are fundamental to success. Likewise, internships, apprenticeships, and entry-level pathways for post-secondary education students will ensure the sustainment and continued investment into this talent pipeline.

Once this pipeline has been identified and established, we need to maintain it by reaching out early to tomorrow's cyber leaders and professionals through active outreach programs such as hack-a-thons or government-sponsored competitions. Most importantly, we want to open up new sources of talent or expand use of talent that is still untapped (community college students, returning service members, minorities, and women).

Q: Each year BAH signs up to present a sponsored workshop. Why has that become an important part of your marketing strategy?

Ling: The Booz Allen Hamilton team truly enjoys and looks forward to sponsoring the Black Hat USA conference every year. People are at the center of our company, and we thrive on building broad and deep technical knowledge. We get excited about engaging with like-minded attendees on a technical level. For three years in a row -- and as the first to provide a CTF workshop -- we've showcased and shared some of our technical expertise and tradecraft with other information security professionals, all while still allowing a flexible "choose your own adventure" environment. We've received rave reviews year after year and, consistently, it's a standing-room-only event.

>Carl Wright

Carl Wright, executive VP and GM of worldwide sales at TrapX Security, chats about how his company is handling "offensive deceptions," and its take on IoT vulnerabilities.

TrapX Security

Q: Carl, 2015 has been called the year of "offensive deceptions" with a new emerging technology response capability. I know you have a few videos that explain the technology. Give me some specifics on how TrapX is handling deception.

Carl Wright: Offensive deceptions empower the user and move them to a pro-active status in dealing with attackers and long-term persistent threats. Deception technology automation mixes malware traps (fake computers, routers, database servers, etc.) within your information technology assets. They are virtually indistinguishable from your real assets. As attackers and advanced malware penetrate an organization's primary cyber defenses, the attackers continue to navigate through the organization's internal networks (vlans) looking for valuable assets to steal or damage. When they touch even one of our assets, you have caught them. If the attacker is using a zero day, it is immediately captured, observed, and analyzed. The alerts issued are of the highest fidelity with virtually no false positives, which means no mountains of alert data to sift through and no missed events. Deception enables security teams to aggressively neutralize an attacker and review forensics to understand the attacker's identify and location. Offensive deception moves the cost of the attack back to the attacker.

Q: Your latest Anatomy Of An Attack Report confirmed design flaws discovered in the Nest Learning Thermostat. What is TrapX's take on IoT vulnerabilities? What advice are you giving IoT manufacturers to improve the security of their devices?

Wright: Our review of the security infrastructure of the internet of things (IoT) provided a considerable wealth of information for us. We have several recommendations and findings that flow from our assessment of the Internet of Things risks. This is based upon TrapX Security Lab's (TSL's) experience, our constant dialog with other leading security experts on a global basis and our views of current and emerging trends within the marketplace:

  • Do a design review on all of your OEM components, especially those manufactured overseas. This will take a lot of work, but we view it as essential for anyone in the defense industry and highly desirable for most manufacturers that integrate electronic components and chips.
  • Consider your strategy to rapidly integrate and deploy software fixes and/or hardware fixes to your end-user customer base, especially if you have a two- or three-tier supply chain.
  • Avoid allowing any of these devices to be bootable from a USB port in the production versions.
  • Sign the software. This is a mathematical technique used to validate the authenticity of the software.
  • Run security tests to discover vulnerabilities and help with the design review of OEM components. We'd recommend use of an outside security penetration firm.
  • Implement firewalls to resist hacker attacks and only allow specified IP addresses in or out. Every device needs one.
  • Protect the project management interface from attackers and only allow limited access to the management server.

Q: You were recently named to Gartner's 2015 list of "Cool Vendors In Security Intelligence." What makes TrapX a "cool vendor?"

Wright: Within my microgblog we note some of the key conclusions of the report. Deception technology puts a new and complementary cyber defense in your cyber arsenal. We enable many of the existing components in your cyber architecture to work better and more effectively. Most importantly, we enable security operations to retake the initiative back from their attackers and to regain the momentum to protect their corporate information and computing assets.

Q: You are presenting a sponsored workshop at Black Hat USA 2015. What will some of the takeaways be for attendees to that workshop?

Wright: We will enable attendees to understand – hands on -- the deployment of several types of deception technology. They will learn how these technologies work, their strengths and weaknesses, and the benefits and opportunities they present.

Thorsten Held

Thorsten Held, managing director at whiteCryption, talks about his company's solutions for protecting against malicious attacks on IoT applications, and why he's a sponsor of Black Hat USA 2015.


Q: Thorsten, your Cryptanium solutions are designed to protect such IoT applications as connected cars, wearable devices, and in-flight entertainment. Have areas such as these really seen many malicious attacks or are you just suggesting that there is a need to guard against future attack?

Thorsten Held: The number of connected devices is growing rapidly and many industry pundits expect these devices to be targets of attack, motivated by the desire to do harm, potential financial gain, or just the recognition. Security should be designed into connected devices from the beginning, and code protection can provide a useful and affordable layer of security in these designs.

It's not just the devices, though, that need protecting. Much of the personal data generated by the IoT will end up on users' mobile devices and in cloud servers. These mobile applications, which provide a rich UI to visualize and act on this data, are often extremely vulnerable to attack. The cloud-based databases, with large amounts of personal information, will also become increasingly attractive targets of attacks. Mobile applications and cloud servers will likely be more attractive targets than the devices because the amount of data and the potential for reward is much greater. Still, the weakest link in the IoT will get the attention of hackers, and each element of the system should be protected with an appropriate amount of anti-tamper technology. Our code and key protection products are effective tools to protect connected devices and the mobile applications they communicate with.

Q: I understand that your Cryptanium solutions are also designed for app developers who need to add tamper resistance and self-defense mechanisms to their apps. What sort of attacks should app developers be concerned about? And what do your solutions do to stop them?

Held: Software, hardware, and content industries lose millions every year because of piracy, intellectual property theft, cracked copyright mechanisms, tampered software, malware, and so on. We've seen retailers experiencing loss of customer data which destroyed brand equity and burned cash. We've seen CEOs apologizing in public after data breaches and coffee chains reading their company name in the news because "hackers are stealing money via the company's mobile app." This is not good news. The basic problem lies in the openness of the underlying architecture of today's computing systems. With the right expertise and tools, anyone can gain control over software running on their devices. There will always be users who will attempt to analyze and break software protection mechanisms, out of personal gain or pure curiosity. Therefore, a robust and efficient software protection scheme is an absolute must for all modern software applications in virtually all business areas. It is a fundamental factor in ensuring long-term profitability in today's distributed software markets.

The war zone between software applications and adversaries who want to crack them is very broad and diverse. An application can be attacked at various layers, on different hardware, and with very different goals in mind, creating a very complex problem for companies who want to protect their intellectual property.

whiteCryption offers a comprehensive and integrated software protection solution called Cryptanium that's designed to protect applications at all levels from all sorts of attacks. Cryptanium allows developers to protect the entire application code and all sensitive data processed by that code. This integrated security is achieved by applying the following main features to the application: integrity protection, code obfuscation, anti-debug, root- or jailbreak-detection, and cryptographic key protection.

The following list highlights some of the most common applications of Cryptanium:

  • Hardening DRM systems and licensing modules.
  • Protecting personal data on mobile devices.
  • Protecting intellectual property by obfuscating on source code level.
  • Securing proprietary algorithms against analysis and reverse engineering.
  • Hardening firmware and OS.
  • Protecting cryptographic keys.
  • Protecting the client side of encrypted communication; the server side is secure.
  • Preventing malware intrusion.

Q: For those attendees who may want to visit your booth #IC8 at Black Hat USA 2015¹s Innovation City, what can they expect to see or learn? What will some of the highlights be?

Held: Most companies do have a strategy for securing their internal mobile applications by applying Enterprise Mobility Management solutions offered by the known providers. But what do they do about securing their customer-facing apps such as payment apps, customer loyalty program apps, or apps that connect to IoT devices? Usually the security level of these apps is weak at best. Isn't their customer data valuable enough to protect them securely against abuse and loss?

Attendees who visit us at our booth at Black Hat will learn about whiteCryption's robust software security solution, Cryptanium, and its two components, Secure Key Box and Code Protection. In addition, they will learn why whiteCryption is the leading provider of code and data protection to top companies in financial services, infotainment, and automotive as it is the only FIPS 140-2 Level 1 white-box crypto library solution for Android on the market today.

whiteCryption's Cryptanium security solutions are available for all popular platforms including Android, iOS, Windows, OSX and Linux.

Q: Why have you decided to present a sponsored workshop at Black Hat USA 2015? What specifically is your return on investment?

Held: whiteCryption was a sponsor at Black Hat 2014 for the first time and found it to be a very productive event to build awareness, drive demand, and network with fellow security professionals. To get more out of our sponsorship this year, whiteCryption will have an afternoon workshop on Wed., Aug. 5h in Mandalay Bay K. The workshop will again help to generate awareness and demand around application security technology and provide a concentrated forum for networking. As for a specific ROI, the attendee base at Black Hat is our target audience. Nearly 55% are manager-level and above with two out of three attendees having a role in purchasing decisions, and, with information security, IT/telecom, and financial Services the top three industries represented, Black Hat has the right target audience for our business.

Sustaining Partners