Interviews | June 17, 2016

Black Hat USA Sponsor Interviews: Forcepoint, Hewlett Packard Enterprise, LogRhythm, and Tenable Network Security

Matt Moynahan

Matt Moynahan


Q: As Forcepoint's brand new CEO, what are your immediate priorities for the company and for your customers?

Matt Moynahan: First, I want to express how honored I am to have the opportunity to lead Forcepoint. This is an incredible company that combines a very unique set of assets from the former Websense, Raytheon Cyber Products and Stonesoft Next Generation Firewall (NGFW) businesses. Our portfolio of capabilities – including content security, insider threat protection, data loss prevention (DLP), cloud security, NGFWs, Web filtering and cross domain solutions – are unmatched. Together, they provide building blocks that will underlie a deep and broad cybersecurity platform and solution set for our customers.

That said, my immediate priority has been to partner with the Forcepoint team, our customers and partners to learn the business, listen and keep the company focused on helping our customers to solve their most critical cybersecurity challenges.

Since joining Forcepoint, I have traveled the globe meeting employees, partners, and customers. I have always considered talking with customers and partners to be a gift; one that provides insights that will help ensure we drive our company and product strategies in the most meaningful direction possible.

My immediate priority since day one has been to paint a vision of where Forcepoint is going and what we stand for – and empower the more than 2,300 employees to do great things. We have the knowledge that comes from serving more than 20,000 customers in 155 countries. We're built on a heritage of more than 90 years of innovation, experience and financial strength.

This is an once-in-a-lifetime opportunity to build a truly transformative company. The Forcepoint team, our partners and our customers are all excited about where we're headed. My job is to make sure we can all get there as fast as possible.

Q: Where do you see the biggest opportunities for Forcepoint going forward and why?

Moynahan: The cybersecurity market is highly fragmented, with thousands of companies offering point products that aren't working well enough given the threat environment. This creates an unmanageable environment for security practitioners, business leadership and Boards. We believe Forcepoint's portfolio and expertise in understanding data and end users presents an opportunity for us to address this complexity head-on for both commercial and government organizations. The world is more connected and, at the same time, more fragmented than ever – Forcepoint is well prepared to address this new reality.

We feel strongly that organizations should have the ability to focus their time and attention on whatever their primary mission may be. But, today, that's not possible; security concerns keep a constant, distracting hum in the system. We see a future where security is so deeply integrated into the fabric of businesses and governmental organizations that executive teams aren't up at night worrying about the next breach.

Our vision of the future is ambitious. And, to be clear, this is a long-term journey we are embarking upon. We will continue to invest in innovation and technology that provide the greatest value to our customers. We have the financial strength and cutting-edge research that comes with being backed by Raytheon, with the independence, agility and speed of a commercial software company.

At the end of the day, the phrase "trusted partner" means a lot to me – and to the whole team at Forcepoint. Whether it's our customers, channel partners, technology partners or other organizations, we want to be the cybersecurity company CISOs turn to in order to help solve their most challenging problems.

Q: There was no Forcepoint brand at last year's Black Hat USA. What do you want attendees at this year's event to know about Forcepoint and its combination of technologies from Websense, Raytheon and Stonesoft?

Moynahan: Forcepoint is a new brand with a unique vision. We are at a great point in our history. Forcepoint brings together three organizations – Websense, Raytheon Cyber Products and the Stonesoft business – each with a very proud heritage – and each with a very unique set of skills and capabilities.

The team from Raytheon brings critical assets, such as network segmentation/cross domain solutions as well as insider threat and advanced threat capabilities. Over the years, this team has earned the trust of some of the world's most demanding customers in the Federal government.

The team from Websense offers a proud history in Web content security and DLP, among other technologies. DLP, in particular, is a strategic asset when you consider the importance of protecting intellectual property. In fact, you might change the "D" in "DLP" to IP and call it IPLP – Intellectual Property Leak Prevention.

The team from Stonesoft brings an application-aware and activity-aware firewall, as well as mitigation capabilities across an ever-changing perimeter. But, it's much more than that.

Only a little over a year ago, Websense was a stand-alone entity, Raytheon Cyber Products sat within Raytheon's Intelligence, Information & Services (IIS) business and Stonesoft was part of Intel Security. Now these teams and technologies form one company: Forcepoint.

I came to Forcepoint to build the number-one pure-play cybersecurity company in the world. We have the opportunity to be among the most respected cybersecurity brands in the world. We are proud of our heritage, but even more proud of what we've built so far, and where we're just getting going.

Steven Riley

Steven Riley
Senior Manager, Technical Product Marketing
Hewlett Packard Enterprise, Security

Hewlett Packard Enterprise

Q: There were several key themes in HPE's recently released cyber risk report for 2016. If you were to pick the three most important takeaways for enterprises from the report, what would they be and why?

Steven Riley: There are three main areas where we would focus attention, one of them being something I bring out in nearly every discussion with our customers. "Get a good patching infrastructure". Our report shows that the most exploited bug in 2014 was still the most exploited bug in 2015. This is mainly due to organizations not switching on automatic patching and for good reason too. Many software vendors have continued to perform a bad job at patching their product without breaking the user's PC. This causes many organizations to become very structured and regimented in patch deployment cycles, which can leave large open windows of time for attacks to occur.

Also the attackers have shifted focus and are attacking applications directly. This redefines the perimeter, which is now in the pocket of every user in the form of a mobile device. Attacks directly on applications are seen as the easiest way to exploit enterprise data. There is also a focus away from Windows towards Linux, Android and OS X, which means the overall attack surface for malware continues to grow.

All these areas show how important it is to continue to stay on top of the basics such as patching. Known vulnerabilities are still the number one way that a hacker enters the environment. Further, more attention needs to be given to application based monitoring, understanding what corporate assets are in place and which are critical to running your organization.

Q:HPE recently released a cyber reference architecture designed to help enterprises adopt a more "Build It In" and "Stop It Now" approach to cyber security. How exactly does the reference architecture help enable that goal for organizations?

Riley: These are basic concepts to building out any organization. It actually realizes a more cohesive approach between every day IT operations and security. Firstly, by "building it in" we are starting to focus more on security being part of every aspect of an organization rather than just an afterthought—from bare metal deployment of hardware to the creation of software within the SDLC. If it's a business critical asset, it should have the appropriate monitoring and profiling performed to ensure that risk is understood and managed. If it's a workstation, then network security, patching and core AV products are deployed and used.

With regards to "stop it now" the focus is then turned onto advanced threats. So we start looking at powerful integrated analytics to ensure more rapid detection of events within the organization. Remember with most APTs they are within our organizations for well over 200 days. Our concept here is about finding these and responding at a more rapid rate. So to summarize what we should be focusing on with this type of architecture:

Design with compliance and access in mind

  • Access to the right data at the right time
  • Identify business critical information assets
  • Enforce legal and regulatory laws as applicable

Build in Protection

  • Use the new Data Centric approach to protect sensitive data
  • Secure old SDLC with a highly integrated Dev/QA and OPS working as one group
  • Integrate NAC into your environment from the beginning so all devices are monitored or managed

Rapidly Detect and Manage Breaches

  • Ingest massive amounts of data
  • Perform real time correlation as well as post event analytics
  • Implementing the new Intelligent SOC enables us to move beyond the tradition SIEM

Q: HPE has a pretty broad portfolio of security products spanning application security, data security, vulnerability management and SIEM. Are there any specific areas of your portfolio that you plan on highlighting at Black Hat USA? What do you want attendees to take away from HPE's presence at the event?

Riley: The main focus for us at this conference is to discuss the technical aspects of live attacks and how they are monitored and managed by our software. We would want our customers to understand that HPE is a key player in the security market and we will continue to focus our attention to create key initiatives to drive innovation in the areas of detection and breach management.

One area in particular is our work on actively evolving the architecture of a traditional SIEM to support the intelligent SOC. We are working on providing our customers with a Security Operations Workbench, which will include the ability to perform hunts via a graphical interface and intelligence based on prioritizations. This will include a Correlation and Analytics engine to enable advanced analytics algorithms to run and data warehousing integration with third party products such as Hadoop. Finally, Ingestion at Massive Scale, both structured and unstructured sources allowing for enriched data for context and real time correlation. Our focus is strongly on where the new intelligent SOC is going. We will continue to focus our attentions and solutions on this market place in general.

James Carder

James Carder
LogRhythm Labs


Q: LogRhythm offers a Security Intelligence Platform, SIEM technology and a Security Analytics solution. How exactly do the technologies differ in what they are designed to do? How do they complement each other?

James Carder: I would first say that LogRhythm offers a Security Intelligence Platform, period. SIEM, security/behavior analytics, incident response orchestration, automated response, and case management, are all parts of our platform. Together, they're a necessity for our customers to detect, respond and neutralize threats effectively and efficiently.

One of the core features of any technology platform should be that other technologies [could] build onto and into the platform. This means that, while our Security Intelligence Platform is robust, you can easily integrate other technologies. Our platform works as the glue that connects each individual component within your security infrastructure. This ability to rally around a single product creates maximum efficiency and effectiveness.

Most people identify SIEM as log collection and basic A-to-B and B-to-C correlation. On the other hand, security analytics implies using more advanced statistics-based correlations. In general, I look at both the original intent of SIEM and the use security analytics as "getting visibility to the data" and then "doing something with the data." I think the buzzword hype has really blurred the definitions a bit as security analytics products are now touted as next-generation SIEM, when the intent of SIEM was to always be able to provide security analytics in the first place.

Q: You recently presented a webinar on strategies for defending against mass distributed and targeted malware. What do enterprises need to know about the threat?

Carder: I feel that a company needs to make sure to spend equal time on both knowing the threat (the enemy) and knowing their own business (themselves). If your resources are limited, I'd lean more toward knowing your own business first. If we can't master knowledge of ourselves, then we'll never know how best to protect and defend against a threat that hasn't changed much in the past 20 years. The threat will always be one step ahead.

If you understand the core of how your company operates, what the people, data, and the technology looks like in your own network, you would be significantly stronger, regardless of who or what the threat is.

The Industry seems to spend significant time, energy, and money chasing the latest threat in the news instead of establishing what normal looks like on their network, with their users, and their endpoints and looking for deviations from it. You have to constantly ask, is this suspicious? By establishing your baseline, you will be able to know how to identify what isn't normal very easily.

Q: LogRhythm organized a packet capture analysis challenge at Black Hat USA last year. Do you have plans on doing anything similar this year? What is your main theme going to be at this year's event?

Carder: In short, I think we will put together another "capture the flag" challenge for Black Hat USA this year. We most recently ran a similar challenge at RSA, Black Hat Asia, and for a Colorado University hackathon event that we sponsored.

We've heard nothing but good things on the level of expertise needed to get all the way through the challenge. These challenges have been very successful at bringing folks to our booth, raising awareness of our brand, and showing off some of the technical expertise we have in house. Any time you combine a complex technical challenge with a cool prize, there really isn't a way to lose.

As for what our main theme will be, I think that is still up in the air. As you can imagine, putting these things together just doesn't happen overnight. We have a reputation to uphold. If we make the challenge too easy or not interesting enough, people might start to wonder if we are losing our edge.

Matt Alderman

Matt Alderman
VP of Strategy
Tenable Network Security


Q: Tenable CEO Ron Gula recently declared the Defense in Depth model as being irreparably broken. What exactly is the model that Tenable is advocating instead and how does it address the shortcomings of the Defense in Depth model?

Matt Alderman: We know defense in depth doesn't work. Layering point solutions and technologies keeps data siloed across various teams, creating gaps in an organization's defenses. It's these gaps where hackers hide.

Instead, we believe it's time to transform security to a holistic program - one that unites security across six core domains of capabilities to create a cohesive, continuously adapting program that protects organizations against a rapidly changing threat landscape. The six core domains are:

  • Discover, which is the ability to identify what's on the network. You can't protect what you don't know about.
  • Assess, which is to understand the security state of devices on the network. You have to understand local vulnerabilities, misconfigurations and malware, as they are still the main attack paths for most major breaches.
  • Monitor, which is to understand what's going on in the network. Log collection, packet inspection, and the integration of actionable threat intelligence help you understand activity, both normal and malicious.
  • Analyze, which is the ability to find malicious activity and anomalous behavior, and not only identify it, but prioritize it according to how it is affecting, and how it will affect, your environment.
  • Respond, which is the ability to act quickly to mitigate threats. You need to respond appropriately and quickly with the resources you have to minimize exposure and loss.
  • Protect, which is the ability to enable proactive protection of devices, automating remediation and response.

We believe you need all of these capabilities working together to continuously improve your security program.

Q: What do enterprises need to know about Tenable's recently introduced solution for unknown and shadow assets?

Alderman: Having visibility across your environments is fundamental to having an effective security program. But it's challenging for practitioners to gain the full visibility they need. Organizations are rapidly adopting new technologies, including cloud, virtualization, containers, and cloud applications, and workforces are increasingly mobile, with BYOD policies to help with productivity and flexibility. So, unfortunately, this is a big problem; organizations face challenges identifying assets across different computing environments, and they often don't have the visibility they need to secure and manage them.

Tenable helps organizations solve these challenges by continuously finding and monitoring unknown and shadow assets. Tenable's continuous listening of network traffic and event monitoring tools detect all devices, services and applications in use, analyzing how they are communicating and affecting your network and computing environments. It helps users identify problems - including vulnerabilities, misconfigurations, malware, and abnormal/suspicious activities - quickly across assets, including transient laptops, personal mobile devices and rogue cloud applications. Tenable dashboards provide a lens into these unknown assets, breaking down detection information in context of your greater security program, helping users make informed decisions for effective and rapid response.

Q: What is Tenable's main message to attendees at this year's Black Hat USA event?

Alderman: At Black Hat USA, we are looking forward to demonstrating our latest solutions that help customers deal with today's biggest security challenges, from discovering and securing shadow assets, to helping them continuously improve their security programs to follow security frameworks, to helping them with threat hunting and exposure response, and communicating their security program metrics and results to business leaders. Tenable experts will be hosting interactive workshops in the booth, where customers can ask questions and share their best practices.

We are also looking forward to sharing the latest innovations behind our solutions. Our engineers and architects will be demonstrating our next generation cloud platform, which utilizes a state of the art architecture leveraging leading cloud services and technology platforms including Docker, microservices, and elasticsearch.

We believe these innovations will help our customers transform their security programs from unmanageable, layered technologies, to a manageable, unified, scalable security program that can rapidly adapt to stay ahead of new, emerging threats.

Sustaining Partners