Interviews | June 16, 2017

Black Hat USA Sponsor Interviews: Cisco Talos, LogRhythm, and McAfee

Craig Williams
Sr. Technical Leader / Global Outreach Manager
Cisco Talos

Q: In recent months, we have seen some fast-moving and potentially damaging attacks, which left security teams scrambling to understand and protect against the threat as quickly as possible. Given this environment, are there some best practices for end users to gain the greatest value from industry researchers and threat intelligence and how can you determine who to trust?

Users need to follow best practices - patch their software and do what they can to limit their attack surface. This means doing things like removing unnecessary browser plugins, patching required plugins, and ensuring your browser stays up to date. The recent WannaCry worm spread at an incredible rate despite the patch being out for months!

From a trust perspective we saw dozens of vendors try to rush a report out the door without doing the careful analysis to justify their claims. This is how we ended up with so much of the competition claiming WannaCry had an email vector.

Additional steps also need to be taken to secure the perimeter. In the instance of WannaCry and other SMB-based attacks, port 445 should not be open to the Internet. This is true for home networks and especially true for enterprise networks. However, this was not the case. Taking basic security precautions like ensuring that a firewall is set up and configured correctly is key.

Additionally, exceptions need to be made in existing policies to ensure that high visibility vulnerabilities and issues are treated differently. Organizations have a patch process, however there needs to be an escalated component to account for these types of high-impact issues. Preparation doesn't end with patching; these types of vulnerabilities need to be addressed across the enterprise. Identifying the levels of protections that are in place and the ways the threats have been mitigated are key to mitigating these severe vulnerabilities.

Q: What have Talos' interdiction efforts against major threat actors in the past few years taught you about the changing nature and scope of threats that organizations face? How are you applying that knowledge in helping your customers?

From an interdiction standpoint what really stood out for me was the fact that we're all in this together. When Cisco moves against a threat actor, we will actively seek out parties to help us. This often includes competitors, law enforcement, and even backbone providers. The more people we can work with to help convey our message and take action against our adversary, the better. In essence we need an army.

Another key point is that adversaries are going to evolve and spend money to continue infecting users and generating revenue. This is a war of attrition and the bad guys and defenders are going to have to keep evolving and innovating to stay ahead of one another.

Q: Cisco Talos is a Diamond Sponsor of Black Hat USA 2017. What are you planning on highlighting at the event? What can attendees expect to learn from your presence there?

At the event we hope to give back to the community. We will be presenting several booth talks by the people who researched the threats, so that attendees can hear from the researcher directly. We hope to educate our customers and make further connections for future collaboration. We will also be conducting a sponsored session on the evolution of threat propagation techniques, which should help people defend themselves, by better understanding the current threat landscape.
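The perimeter advice in the Cisco Talos answer above (SMB, TCP port 445, must not be reachable from the Internet) is easy to state and easy to get wrong in a rule set, because a permissive ACCEPT can sit below a LAN-only rule or be shadowed by an earlier DROP. The following is an added example, not code from the interview, Cisco Talos, or Black Hat: a small auditor for an `iptables -S`-style rule list that reports INPUT rules which would accept new inbound SMB connections from non-private sources, honouring first-match order. The rule lines are constructed sample data, the parser handles only the handful of iptables options it needs, and the "trusted source" ranges (RFC 1918, loopback, link-local) and IPv4-only handling are assumptions made for the illustration.

```python
"""Audit an iptables-style INPUT chain for SMB (TCP 139/445) exposed to the Internet.

Added example for this page; not Cisco Talos, Black Hat, or iptables project code.
The rule format is a simplified `iptables -S` listing and the parser covers only
the options used below (assumption for illustration; IPv4 only).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service

# Assumption: these source ranges are "not the Internet" for this audit.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]
ANY = ipaddress.ip_network("0.0.0.0/0")  # iptables default when -s is absent


@dataclass
class Rule:
    line: str
    chain: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None
    iface: Optional[str] = None
    ctstates: Optional[Set[str]] = None
    target: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Pull the fields this audit cares about out of one `iptables -S` line."""
    rule = Rule(line=line)
    tokens = line.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule.chain = arg
        elif tok == "-p":
            rule.proto = arg
        elif tok == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif tok == "--dport":
            rule.dport = int(arg)
        elif tok == "-i":
            rule.iface = arg
        elif tok == "--ctstate":
            rule.ctstates = set(arg.split(","))
        elif tok == "-j":
            rule.target = arg
        else:
            i += 1          # option we do not model (-m, -P, ...): skip it
            continue
        i += 2
    return rule


def covers_smb(rule: Rule) -> bool:
    """True if the rule's match could apply to a NEW inbound TCP connection to an SMB port."""
    if rule.chain != "INPUT" or rule.iface == "lo":
        return False
    if rule.proto not in (None, "tcp"):
        return False
    if rule.dport is not None and rule.dport not in SMB_PORTS:
        return False
    if rule.ctstates is not None and "NEW" not in rule.ctstates:
        return False    # only admits replies to existing connections
    return True


def from_internet(src: ipaddress.IPv4Network) -> bool:
    """A source range counts as Internet-reachable unless it sits wholly inside a trusted range."""
    return not any(src.subnet_of(t) for t in TRUSTED_SOURCES)


def audit(rule_lines: List[str]) -> List[str]:
    """Return the rule lines that accept new SMB connections from the Internet.

    Rules are evaluated top to bottom as iptables does: once a blanket DROP/REJECT
    has covered both SMB ports, later ACCEPT rules can never match and are ignored.
    """
    exposed: List[str] = []
    blocked: Set[int] = set()
    for line in rule_lines:
        rule = parse_rule(line)
        if not covers_smb(rule):
            continue
        ports = {rule.dport} if rule.dport is not None else set(SMB_PORTS)
        if rule.target in ("DROP", "REJECT") and rule.src == ANY:
            blocked |= ports
            if blocked >= SMB_PORTS:
                break
        elif rule.target == "ACCEPT" and (ports - blocked) and from_internet(rule.src):
            exposed.append(line)
    return exposed


# Constructed sample listing: one LAN-only SMB rule (fine), two Internet-facing ones (bad).
SAMPLE_RULES = [
    "-P INPUT DROP",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -s 10.0.0.0/8 --dport 445 -j ACCEPT",
    "-A INPUT -p tcp --dport 445 -j ACCEPT",
    "-A INPUT -p tcp -s 203.0.113.0/24 --dport 139 -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -j DROP",
]

if __name__ == "__main__":
    for bad in audit(SAMPLE_RULES):
        print("SMB reachable from the Internet:", bad)
```

The fix for a flagged rule is to add a `-s <internal range>` restriction or delete the rule, then re-run the audit; the shadowing logic also shows why a `--dport 445 -j DROP` placed near the top does nothing for port 139, so both ports need covering.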

James Carder
Chief Information Security Officer & Vice President
LogRhythm

Q: You have predicted there's going to be some kind of a major Internet shutdown this year as the result of a cyberattack. Why do you think that will happen? What has gotten us to this stage?

I believe a primary driver is the continued movement to, and reliance on, cloud service providers. If a major cloud service provider were to be targeted and successfully attacked, an outage could be significant. While this wouldn't be a wide scale Internet outage in the traditional sense, it would significantly disrupt Internet services and operations for large and small companies across the globe.

You can also look to the DDoS attacks of 2016 as a contributor. The attack against DynDNS, leveraging the Mirai botnet, could just be the tip of the iceberg. The explosion of IoT only compounds the possibility of even larger botnets that can be used to target critical internet services.

Finally, there's WannaCry and the impact it had on so many companies globally, some who even shut down their operations to attempt to minimize its impact and prevent its propagation. While WannaCry is easily thwarted by diligent patching of computer systems, that attack proved that the majority of companies across the globe are really bad at patching their systems or implementing mitigating controls for the things they can't patch, leaving them perpetually vulnerable. A ransomware attack that can spread as quickly as WannaCry did without bringing down the internet yet deliver an infection bad enough to trigger companies to shut down computer systems should certainly be seen as the equivalent of a major internet shutdown.

In the end, the explosive growth of internet-enabled/connected technology and services, combined with the fact that most don't go through rigorous security testing and the inability to keep those systems maintained, ensures that companies will remain in a constant vulnerable state for any type of attack, including those that could be used to shut down the internet.

Q: What is LogRhythm's Technology Alliance Partner program about? How will it benefit your customers?

LogRhythm's Technology Alliance Partner (TAP) Program is meant to facilitate interoperability with our platform and ensure a seamless experience for users while navigating the plethora of products that encompass a typical security stack.

Our number one goal is to help companies around the globe rapidly detect and respond to threats. So minimizing the obstacles to neutralizing those threats is vital to our mission. Some of the obstacles we see include swivel chair analysis, data silos, alarm fatigue, or lack of automated response. Think of our TAP Program as a conduit to a broader alliance with market-leading vendors across various segments in the security space—whether that's around endpoint security, next-generation firewalls, vulnerability management, identity & access management or threat intelligence.

It's one thing to be able to collect logs or event data from various sources but it's a completely different game when that data is added to the overall environmental context and automated response actions occur with little to no analyst involvement. LogRhythm's TAP program is all about developing and refining bi-directional product integrations to foster closed loop security use cases. Once those are built, then the next critical piece is building awareness and driving widespread adoption.

Q: What are LogRhythm's plans at Black Hat USA 2017? What are you hoping attendees will learn about your company at the event?

We want to showcase ourselves as the heart and brain of the security operations center (SOC). You will see a ton of niche players at this event and at the end of the day, we don't believe that companies are optimized to detect and respond to any threats effectively—let alone advanced threats—by stacking a bunch of niche players together.

You need a solution that empowers your own data to work for you using built-in threat analytics and security orchestration and automation functionality to help you detect, respond to and neutralize events and incidents before they become breaches. I think Black Hat attendees will see that LogRhythm does much more than just help you see events and alert you to their existence. LogRhythm seriously empowers you to act on that information—automatically.

If you can't operationalize security effectively, you don't stand a chance.

Steve Grobman
Senior Vice President and Chief Technology Officer
McAfee

Q: McAfee recently became a standalone cybersecurity company once again. What can customers expect from the new McAfee? What do you see as your core differentiators?

As one of the largest cybersecurity companies in the world, we are 100% dedicated and focused on cybersecurity. We are no longer a cybersecurity unit inside a large semiconductor company. What we're committing to is the creation of a strong pipeline of capabilities that is constantly looking at how to defend against the latest threats, including working on things that will counter some of the most difficult problems that we have in the industry today.

One major differentiation is our Open DXL framework. Last year we opened this data exchange layer framework to the industry, which means it can be built with and even extended beyond McAfee and McAfee Security Innovation Alliance partner solutions to include any number of other third-party solutions. Our platform and Open DXL architecture allow us to tie in existing infrastructures while connecting both our products and even competing technologies.

We think about our value to our customers differently than we have in the past. Our customers are not looking at us to just provide products and move on. We are working to provide outcomes, which is a big evolution in our model. At the end of the day we are helping customers manage their cyber risk. We want to be an extension of their business. We are delivering an architecture designed to help customers drive outcomes.

Q: What did WannaCry teach us about the evolving threat landscape? How have threats like these influenced McAfee's own product decisions and design in the last few years?

WannaCry's success came down to its ability to amplify one attack through the vulnerabilities of many machines on the network, and do so with very little or no human involvement. This attack emphasizes the criticality of an aggressive patch or security software update plan. For McAfee, our belief is that an effective defense is built on a dynamic cybersecurity platform that is both open and integrated to accept new technologies and allow them to work together as a cohesive defense. This integrated defensive architecture is a long-term strategy that will enable customers to protect against the threats of today, and tomorrow.

Q: McAfee is a Diamond Sponsor of Black Hat USA 2017. Why is it important for you to be at the event? What is McAfee's main theme or focus at Black Hat USA 2017?

McAfee is proud to sponsor Black Hat, where cybersecurity professionals from around the world gather to challenge each other with new ideas and collaborate for industry success. With new, original research and presentations, Black Hat will bring fresh perspectives on partnership across cybersecurity to protect us all against our common adversaries.
