Interviews | June 15, 2018
Black Hat USA Platinum Plus Sponsor Interviews: Cofense, FireEye, Fortinet, NETSCOUT | Arbor, Palo Alto Networks
Q1. What do organizations need to understand about the nature and scope of phishing threats these days?
Organizations need to debunk the myth that most phishing attacks fall into extreme categories. Meaning, they're of the "Nigerian prince scam" variety or come from uber-sophisticated nation-state actors. While those types of phishing attacks certainly persist, they're the exception, not the norm. So, what is the norm? It's cyber-criminal activity. It's phishing campaigns whose aim is to distribute malware and steal data and intellectual property, or to lock down your systems with ransomware.
Of course, malware isn't the only threat your phishing defense needs to stop. There are also good old-fashioned scams—for example, social engineering tactics like tricking employees into making large wire transfers. Or emails that take users to webpages that look legitimate but are designed to harvest credentials. Though these types of attacks don't involve malware, they can still inflict great damage by giving attackers network access or, in the case of wire fraud, siphoning off funds.
Tech defenses don't work as well against social engineering attacks. These technologies examine IPs or attachments as they search for malware. Ironically, the very targets of attacks, your employees, are your last layer of defense. Here's one example. Man in the Inbox attacks come from internal email accounts that have already been compromised. When your employees receive emails from trusted internal sources, they're naturally inclined to click.
Tech defenses like secure email gateways won't see these attacks, because they don't come from beyond the perimeter. Some technology goes as far as white-listing all internal accounts. When these attacks occur, your employees need to be skeptical and think carefully before they respond. We have seen employees successfully detect such attacks by realizing the tone or style of the email didn't quite match that of the sender, which in turn made the recipient suspicious enough to report the email to their security operations team.
Q2. What are some of the most important elements of an effective defense strategy against phishing?
The most important element is simply knowing there are no silver bullets. There's no single technology that lets you push a button and sleep well. Phishing attacks are constantly evolving. Threat actors study your security controls and make very smart adjustments, so you need a comprehensive approach to counteracting them. That approach should be collaborative, too, meaning people throughout your organization, not just across the security teams, need to recognize and report phishing emails. It greatly helps your incident responders stop attacks in progress.
Here's why the human factor matters. If you program your technology to perform in specific ways, that's what it will do time and time again. While the detection capabilities of the technical controls may evolve over time if they incorporate machine learning, the speed of adaptation will be no match for innate human adaptive consciousness, or gut-feeling as most of us know it.
The unpredictability of your people actually becomes a strength because their collective response will vary, thus making it harder to beat a detection system. Human interaction, supplemented by technology, helps analyze and address threats to provide the strongest defense.
If you look at five users, one or two might fall for a phish, one might ignore it, and one or two might report it, even if they're not sure it's malicious. This is not to bash technology or suggest that human sensors, so to speak, are the only answer. It's simply to say you need both advanced technology and well-trained people throughout your company, not just in IT. Our phishing defense centers (PDCs) act as phishing-specific SOCs for our customers. They identify numerous phishing campaigns that slip past "reputed" email security gateways, every single week.
Q3. What do you want attendees at Black Hat USA 2018 to learn about Cofense? What is your company's main focus going to be at the event?
I'd like attendees to understand that Cofense is innovating as fast as the landscape changes. We are laser-focused on delivering a complete, collective phishing defense. To do that, we're improving our solutions as we listen and learn. We're very serious about customer feedback and market opinion in general.
Our legacy in phishing awareness is a great foundation for solutions that help incident responders act on reported emails. For instance, we recently added important new functionality to Cofense Triage, our phishing response platform. It not only automates email analysis and clustering of emails by phishing campaign, it also shows you who else received a malicious email, so your SOC can orchestrate response and mitigate threats faster.
At Black Hat we will unveil upgrades that improve our email clustering, further enhance automation capabilities in our Triage platform, rapidly and automatically identify all recipients of an identified, malicious email, and lay the foundation for an automated quarantining process that complies with the regulations and policies expected in large enterprise environments.
Our main focus at Black Hat USA 2018 is simple. We're going there to listen. We want to hear what customers and partners have to say about cyber-security and phishing in particular. It's an opportunity to get face-to-face feedback, share ideas, and advance our thinking. Everything I've talked about—best practices, solutions, technologies, and the importance of human involvement—starts with conversations between people trying to solve problems. It's an extension of our commitment to a collaborative defense. When the community collaborates, even informally, good things tend to happen.
Q1. FireEye describes itself as an intelligence-led security company. What exactly does that mean? What's driving the need for an intelligence-led approach?
FireEye is on the front lines of cyber attacks every day, with more than two decades of experience and 700+ highly experienced threat researchers, platform engineers, malware analysts, intelligence analysts, and investigators. Combined, these assets and competencies allow us to operate with nation-state grade threat intelligence.
This is critical because we know that, for a variety of reasons, there will always be a security gap that can be exploited. We also know that defending against cyber attacks is becoming increasingly difficult. The bad guys are highly sophisticated, well funded, well organized, and highly incentivized. Their tactics, techniques and procedures are constantly evolving and becoming more sophisticated. And they're more persistent than ever. Today, many organizations are finding themselves ill-equipped to deal with these threats.
Our real-time knowledge of the threat landscape and how organizations are combating cyber attacks ensures that FireEye products and services directly address today's threat actors and the techniques they employ.
Q2. Why did FireEye acquire X15 Software? How will the purchase help your customers?
The X15 Software team built an incredibly versatile, enterprise-grade big data platform that enables distributed, real-time access and ingestion of data at scale within a unified data model and modular query language. The integration of X15 Software's technology will enhance the ability of FireEye to collect and deliver the data organizations need to protect their most valuable assets, providing:
Big Data Management Capabilities – X15 Software technology solves the complex problem of collecting, querying and analyzing large volumes of machine-generated data in real-time.
One Management Console for Cloud, On-Premise and Hybrid Environments – As organizations expand their usage of different cloud platforms, X15 Software technology will provide the flexibility to manage security data from on-premise, hybrid and cloud environments.
A Platform for Innovation – X15 Software technology will accelerate the capabilities of the FireEye platform to better enable organizations to leverage security data to make expert decisions and keep pace with the threats against them.
As we build FireEye Helix into an automated security operations platform, one of our highest priorities is integrating X15's big data management technology with Helix. We view X15 as the basis for our analytics that is efficient to operate, deploy and extend. X15's technology enables us to support different environments in deployment options, including different cloud services and on-premise Helix. The X15 technology has the potential to transform all of our offerings and accelerate the ability to develop and deploy new features into Helix.
Q3. What are the specific technology and service areas that FireEye expects to focus on at Black Hat USA 2018, and why?
As most InfoSec professionals would agree, technology alone is not enough to combat cyber threats. For that reason, FireEye has created a unique learning system that harnesses the power of integrating high-end professional services and expertise with technical engineers who can innovate based on our frontline knowledge. This innovation cycle allows us to rapidly and continuously improve solutions as attacker tactics and techniques evolve.
FireEye plans to showcase this innovation cycle across technology, intelligence and expertise, demonstrating how each functional vertical works in cohesion to advance our customers' security posture. FireEye Enterprise Solutions will showcase the strength of our Network Security, Email Security, Endpoint Security and FireEye Helix, illustrating how these solutions enable rapid detection and remediation of an advanced threat. FireEye Threat Intelligence will showcase the breadth, strength, and fidelity of our intelligence, which is sourced from millions of MVX detonations from our security products, adversary intelligence from iSight analysts, and compromise intelligence from Mandiant consulting. Mandiant Consulting will showcase various incident response (IR) services and security assessment offerings, including ICS, Red Teams, and Compromise Assessments.
In addition, we'll have many of our consultants and technical experts on hand throughout the event to share their experiences and expertise regarding the latest information security risks and trends.
Q1. You have recently expressed concern about western nations increasingly becoming targets for cyberattack by other nation states. What's behind those concerns? What sort of attacks are you most worried about?
Over the past century, adversaries used airplanes, missiles, and eventually intercontinental ballistic missiles as a means to project power from a distance. They offered a relatively small platform to unleash—or at least threaten to do so—significant physical destruction. Cyberspace offers a new delivery mechanism and the next evolution of the strategy of projecting power from a distance. Able to do so asymmetrically, a small entity can have a disproportionally large impact.
Attacks that affect physical things are the "prize" that adversaries seek. That means critical infrastructures—"things" that control oil and gas, water, electricity, transportation, and industrial automation—are attractive targets, particularly those with underpinning operational technology (OT).
Leveraging these different attack vectors, adversaries seek to affect the psyche of populations, attempting to cast doubt that established governments can secure their way of life. The stakes are high. The answer is that we need broad, integrated, and automated solutions for protecting OT systems used in critical infrastructures and industrial automation.
Q2. What is it that critical infrastructure organizations need to understand about the nature and scope of the cyberthreats they face and the measures required to mitigate those threats?
Critical infrastructure operators are quite sophisticated in ensuring the safety and reliability of their systems. They have successfully used the "air gap" as a means to preventing attacks except for those that use "close-in" or hands-on access.
But the air gap, as a primary means of defense, is dead or dying. OT systems are no longer physically disconnected from the outside world, but rather are tunneled over corporate networks, leverage common Internet protocols, run on general-purpose hardware and mainstream operating systems, and are increasingly connected via wireless technologies. This crossover can make OT an easy target for cyber criminals—97% of organizations acknowledge security challenges because of IT and OT convergence. The reality is that the vulnerability posture of OT systems has changed drastically in the past five years as OT and IT systems converge.
The good news is that, with the right domain expertise—and [Fortinet] has many decades of operational, defense, exploitation, and attack experience—strategies and technologies tailored for OT environments—and from other domains—can make immediate and significant improvements to OT security architectures.
For example, there are compelling reasons to implement strong segmentation and high-fidelity access control within OT architectures that collaborate defensively over a security fabric to detect and mitigate risks at multiple places. The effectiveness of this approach is amplified when combined with domain-specific protocol and content analysis.
Q3. What are Fortinet's plans at Black Hat this year? What can attendees expect to see/hear from the company at the event?
We have a booth at Black Hat this year where we are running several new demos as well as conducting theater-screening presentations from Fortinet and our partners. We will also have an Expert Bar manned by members of our Technical Marketing team to answer any and all security technology questions.
On Day 2, Fortinet Global Security Strategist Derek Manky will be presenting on self-organized swarms. Black hat swarms are about strength in numbers—working together toward a common goal. They accelerate the attack chain and reduce the time it takes to breach organizations, systems, and data. Cybersecurity as it is today has several issues with redundancy and trust—particularly in the areas of information sharing and interoperability with technology.
Multi-agent decentralized systems are the answer to combatting the swarm threat. Key stakeholders on the defense side need to work together in an open, trusted, and transparent environment. Derek's presentation includes findings from some actual cutting-edge swarm attacks and practical examples of collaborative threat intelligence sharing frameworks. In this case, cybersecurity that relies on collaboration, interoperability, and transparency ultimately makes it much more expensive for cyber criminals to operate.
Q1. What are the biggest challenges organizations face when it comes to acting on and operationalizing threat intelligence these days?
As the role of threat intelligence in cybersecurity is more widely recognized, there is a strong desire on the part of organizations to 'operationalize' such intelligence at multiple levels, each of which presents unique challenges. Tactical threat intelligence, such as indicator feeds or signatures, continues to be strongly coupled with product – network, endpoint, SIEM – capabilities. Even as newer technologies are emerging to address this gap, say products that can operationalize third-party feeds or platforms to aggregate such feeds, there's still a ways to go. I would contend that this results in both intelligence and product capabilities going unutilized.
At a higher level, while strategic threat intelligence is increasingly valued across a greater swathe of the enterprise landscape, numerous organizations that are more operationally focused still struggle to meaningfully use intelligence that cannot be operationalized immediately.
So even as situational awareness might be growing, [the] methodologies for integrating such information into operational postures are still maturing. In both cases, even as the quality and focus of the intelligence is growing, the tools and processes for using this intelligence continue to be a key inhibitor towards operationalization. As a sector, we'll need to mature in concert across all these fronts in order for intelligence to have a transformational effect in terms of cybersecurity.
Q2. What do you see as some of the major trends in the threat intelligence space? How can threat intelligence be improved?
The biggest trend that I see is the maturing of the sharing platforms and organizations. A lot of what used to be shared on mailing lists has now moved to a variety of threat sharing platforms, both commercial and open source. These platforms themselves used to be fairly rudimentary—limited in functionality as well as requiring significant support on the part of the consumer just to keep them operational.
A lot of these challenges have been overcome and I'm continuing to see investments in the tooling, in part egged on by the various sharing communities that have matured in recent years. The range of enterprises that are members of an ISAC or similar entity has steadily grown and the quality and nature of the intelligence that is shared has grown considerably. As someone who cares about the research that leads to intelligence, I can't help but marvel at the sheer number and range of individuals and organizations that care enough about the problem to share information, even where it isn't their day job or key business focus.
Even in the security research community, the number of research teams with key findings around prominent threat actors has grown considerably in the past few years and this only bodes well for the future. Further, where threat intelligence used to have a strong focus on the classic enterprise, this past year has seen a lot of reporting around other categories such as cloud, ICS and even consumer premise equipment (CPE) such as cable modems. If I had to pick one area where I'd like to see improvement, it'd be around the topic of strategic threat intelligence. Even as the research and products have matured in this area, the processes around the consumption of such intelligence are still in their infancy.
Q3. What do you expect will be some of the key topics of conversation relating to threat intelligence at Black Hat USA 2018?
I fully expect that the momentum behind the sharing of intelligence will be evident at Black Hat. This includes the platforms themselves, commercial and open source; the nature and quality of the intelligence, including the fuller use of rich syntax specifications such as STIX; and the operationalization opportunities, in part driven by users and promoters of products such as Endpoint Detection and Response (EDR) and Threat Intelligence Gateways (TIG). Most importantly, the [focus will also be on] participants in various sharing communities, who recognize that they face common adversaries and have a strong incentive, to further integrate their views of the landscape.
I do think that the targeting and exploitation of newer technology platforms—cloud, ICS, IoT, etc.—has been widely reported on and discussed in the past year and I expect that this will move to a more central place in the threat intelligence discussions, which have traditionally been more focused on enterprise monitoring. There are entire new communities of vendors and service providers that are becoming aware of such threat activity and will need to mature in the area of threat intelligence as we've seen other sectors do in the recent past.
This might be just me, but there has been a string of research findings around key actors in cyberspace and I'm looking forward to more of these in the build-up to the show. The publishing of these findings can severely impact infrastructure and live operations and further fuel new discoveries around their activity and victims. The impact that can be inflicted through operations in cyberspace – espionage, disinformation and disruption – is now public knowledge and as primitive a method for sharing as it may be, a simple blog that blows open such an operation remains a powerful vehicle for threat intelligence.
Q1. You have advocated that organizations regularly conduct "purple teaming" exercises—where Blue Teams partner with Red Teams—as a way to bolster overall security. How exactly does purple teaming improve security?
Despite the best efforts of the cybersecurity industry to keep pace with evolving threat trends, data breaches are occurring at a relentless pace. The power of purple teaming is for red teams and blue teams to join forces to beat the attackers at their own game. The goal of purple teaming is to realistically test an organization's security posture and response readiness.
First, the red team conducts a thorough analysis of unknown or overlooked gaps in the enterprise security preventive and monitoring capabilities by embracing the mentality, strategies and tactics of the adversaries. Next, the red team works closely with the blue team to correlate the red team execution timeline with the blue team detection timeline to evaluate the overall business impact and explore opportunities to improve the detection and recovery metrics. This purple teaming process empowers the team to leverage cross-functional talent to strengthen the organization in a rigorous and iterative manner.
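The correlation step described in the answer above, as an added example that is not part of the original interview and not Palo Alto Networks' own tooling: it lines up a red-team execution timeline against a blue-team detection timeline and derives the detection and recovery metrics a purple-team debrief would review (coverage, time to detect, and which actions went unseen). The timelines, technique labels and the 24-hour matching window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample data for a hypothetical exercise (not from the interview).
# Each red-team entry records when an action was executed and a label for the
# technique exercised; each blue-team entry records when the SOC raised an
# alert and the technique label that detection maps to.
RED_TIMELINE: List[Tuple[str, str]] = [
    ("2018-06-01T09:00:00", "initial_access:phishing"),
    ("2018-06-01T09:20:00", "execution:macro"),
    ("2018-06-01T10:05:00", "lateral_movement:remote_service"),
    ("2018-06-01T11:30:00", "exfiltration:cloud_storage"),
]
BLUE_TIMELINE: List[Tuple[str, str]] = [
    ("2018-06-01T09:35:00", "execution:macro"),
    ("2018-06-01T13:10:00", "lateral_movement:remote_service"),
    ("2018-06-01T08:50:00", "execution:macro"),  # fired before the red action ran
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


@dataclass
class Outcome:
    technique: str
    executed_at: datetime
    detected_at: Optional[datetime]

    @property
    def time_to_detect(self) -> Optional[timedelta]:
        if self.detected_at is None:
            return None
        return self.detected_at - self.executed_at


def correlate(red: List[Tuple[str, str]], blue: List[Tuple[str, str]],
              window: timedelta = timedelta(hours=24)) -> List[Outcome]:
    """Match each red-team action to the earliest blue-team alert that
    names the same technique, fires at or after the action, and lands
    inside the exercise window. An alert raised before the action cannot
    have been caused by it, so it is never credited."""
    alerts = sorted((_ts(t), label) for t, label in blue)
    outcomes: List[Outcome] = []
    for t, technique in red:
        executed = _ts(t)
        detected: Optional[datetime] = None
        for alert_time, label in alerts:
            if label == technique and executed <= alert_time <= executed + window:
                detected = alert_time
                break
        outcomes.append(Outcome(technique, executed, detected))
    return outcomes


def summarize(outcomes: List[Outcome]) -> Dict[str, object]:
    """Reduce the correlated timelines to the metrics reviewed in the debrief."""
    detected = [o for o in outcomes if o.detected_at is not None]
    ttd_minutes = [o.time_to_detect.total_seconds() / 60 for o in detected]
    return {
        "total_actions": len(outcomes),
        "detected": len(detected),
        "coverage": len(detected) / len(outcomes) if outcomes else 0.0,
        "mean_ttd_minutes": sum(ttd_minutes) / len(ttd_minutes) if ttd_minutes else None,
        "missed": [o.technique for o in outcomes if o.detected_at is None],
    }


if __name__ == "__main__":
    for outcome in correlate(RED_TIMELINE, BLUE_TIMELINE):
        status = "MISSED" if outcome.detected_at is None else f"detected after {outcome.time_to_detect}"
        print(f"{outcome.executed_at.time()}  {outcome.technique:35s} {status}")
    print(summarize(correlate(RED_TIMELINE, BLUE_TIMELINE)))
```

On the constructed data, the phishing and exfiltration actions have no matching alert and show up in `missed`, which is the list a purple team iterates on next; the macro alert that fired before the action ran is ignored so that stale or unrelated alerts do not inflate coverage.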
Q2. How will Palo Alto Networks' recent acquisition of Secdo benefit customers? What new capabilities does Secdo bring to the table?
The acquisition of Secdo will help accelerate delivery of our endpoint security strategy, and will expand the types of data that can be shared with the Palo Alto Networks Logging Service. Applications built for the Application Framework will use this rich data to more precisely find and stop cyberattacks for organizations around the world.
Q3. What are Palo Alto Networks' plans at Black Hat? What does your company plan on showcasing at the event?
For us, Black Hat has always been about building relationships and engaging with the security community. This year, we are showcasing our capabilities to deliver consistent and frictionless cloud protections for all notable public cloud providers. You can also swing by the Black Hat NOC to see us. For the second year in a row we have been hand selected to participate as part of the Black Hat NOC, collaborating with a team of top security vendors and experts to provide stability, visibility and security to an extremely demanding environment.
We have many ways for attendees to connect with us. Listen to our Chief Cloud Officer, Tim Prendergast, talk about the latest enterprise cloud security challenges in a speaking session on Wednesday, August 8th, at 3 PM in Business Hall Theater A. Visit us at our booth #904 for product demos and technology integrations, or get some coffee and start a conversation with our technical experts.