Interviews | June 17, 2022

Organizations Prioritizing Attacks That Make Headlines Over Other Equally Impactful Incidents


Immersive Labs | Sophos | Splunk | Qualys

James Hadley
CEO and founder

Immersive Labs

Q1. What were some of the main takeaways from Immersive Labs' Cyber Workforce Benchmark report? What surprised you the most?

Our Cyber Workforce Benchmark report answers some of the industry’s burning questions about human cyber capabilities. We analyzed data from over 2,100 organizations, 500,000 exercises and simulations, and 1,500 incidents in order to provide data-driven insights into organizational cyber resilience.

Perhaps most surprising was just how long cybersecurity teams inside large organizations take to develop the skills necessary to defend against breaking threats (96 days, on average!). In just one example, a critical, actively exploited vulnerability in the popular mail transfer agent Exim took over six months for security teams to master.

At the same time, four of the five fastest developed skills in 2021 were linked to Log4j, which was an especially high-profile vulnerability. These findings suggest that organizations prioritize the cyberattacks hitting headlines over others which could still be just as impactful. This also highlights the need for organizations to continually assess, exercise, and build their security capabilities in a structured and deliberate way that prioritizes measurable outcomes over activity.

In addition, we found that across all sectors, security professionals are much more interested in improving their skills on the left side of the MITRE ATT&CK framework, with 31% of all exercises focusing on Initial Access, Execution, and Persistence. By examining the time it took for certain labs to be completed, we discovered that security professionals found the high-profile compromise and initial access skills the most difficult and time-consuming to master.

Q2. What does Cyber Workforce Optimization mean? What does it take to get there?

Organizations of all types have found that tools and technology are not enough to ensure operational resilience and that cybersecurity capabilities of their workforce are just as critical to reducing risk. People deserve as rigorous an approach to evaluation and testing as technology and tools.

Immersive Labs is solving the world’s cybersecurity “People” problem by pioneering an entirely new approach to measuring, building, and proving cyber readiness and resilience in order to effectively respond to the latest cyber threats. We call this Cyber Workforce Optimization (CWO).

Cyber Workforce Optimization requires more than a renewed emphasis on improving cybersecurity capabilities. It demands a fundamental mindset shift when it comes to the human element of cybersecurity. Customers tell us that they want to stop thinking about training, certifications, and learning as “check the box” activities without tangible results. We believe that cybersecurity capabilities should be continuously measured, compared with benchmarks, and improved using real-world scenarios and realistic simulations.

Gaps must be identified, invested in, closed, and re-tested. Individuals and teams should have the opportunity to continuously exercise their skills to ensure they are prepared to respond to the latest threats. As organizations adopt this data-driven approach, they are better able to up-level their cybersecurity programs to achieve their business goals around risk reduction and cyber resilience.

In order to work towards true Cyber Workforce Optimization, organizations must follow a few steps, ensuring that measurement and evidence are at the heart of each:

  • Exercise. Provide teams and individuals with the opportunity to practice and demonstrate capabilities. Rather than unengaging, unrealistic tests and paper exercises, this requires realistic simulations that evaluate hands-on skills.
  • Measure. Analyze data on both individual and team capabilities and their impact on risk exposure. Benchmark current knowledge, skills, and judgment against industry peers.
  • Upskill. Plug any gaps the exercises expose. Armed with granular data, organizations can target specific business risks as well as individual needs. This will optimize the impact of exercises, providing much greater results than applying a blanket approach across the business.
  • Prove. Use individual and team performance data to provide evidence of cybersecurity capabilities and resilience. This can be used to demonstrate risk reduction and compliance to the Board of Directors, insurance companies, and other third-parties.

Cyber Workforce Optimization is never truly “achieved”. It is a goal to continuously strive towards with a relentless focus on measurement and improvement.

Q3. What do you expect customers will want to hear from Immersive Labs at Black Hat USA 2022? What do you expect will be top of mind issues for them?

In 2022, organizations are looking to do more with less and efficiently build their cybersecurity capabilities to measurably reduce risk and improve resilience. Given economic headwinds, CISOs are looking to focus their resources on areas that will generate results that they can prove to their CEOs and Boards of Directors. Cybersecurity professionals want to bolster their capabilities so they can quickly and efficiently manage real-world threats when product resources may be limited.

Top of mind for our customers is their need to understand their human cyber capabilities and how they compare to industry benchmarks in order to identify gaps and areas of strength. They need to build their capabilities to improve their incident decision-making and response times. And they need to hire, build, and retain skilled cybersecurity talent while facing an industry-wide skills gap. According to Cybersecurity Ventures, the number of unfilled cybersecurity jobs across the globe grew to 3.5 million in 2021. That number will only grow.

While legacy training is unable to guarantee hands-on skills relevant to current threats, everything Immersive Labs does for our customers is measurable and focused on building skills according to the latest threat intelligence. We’re looking forward to talking to organizations at Black Hat USA 2022 about how they can leverage the principles of Cyber Workforce Optimization to efficiently measure, build, and prove cyber readiness and resilience.


Joe Levy
Chief Technology and Product Officer

Sophos

Q1. What prompted Sophos' recent purchase of SOC.OS? How will it benefit your customers?

With cyberattacks, such as ransomware, becoming increasingly prevalent and complex, security operations teams are under constant pressure to monitor every aspect of their organization. One of the most common ways that attackers succeed is by targeting assets in a customer’s environment that are unknown, unprotected or under-protected. Combine that with 24/7 threat activity, high volumes of security alerts and false positives, and understaffing, and you can see why organizations are increasingly adopting solutions like XDR or MTR.

The enhancement that SOC.OS brings to Sophos customers is the ability to ingest and operate on data from sources across their entire IT environment, better exposing the dark corners, and then it further helps to focus and optimize the attention of operators by better organizing and prioritizing those signals. If security analysts are getting the right signals, getting them earlier, and with the right prioritization and organization, they can reduce the amount of damage and costs incurred by an attacker. We find that SOC.OS does an extraordinary job at this, and we’re excited about the advancements Sophos is making with SOC.OS.

Q2. Why has ZTNA become such an important requirement for enterprise organizations? What do you see as some of the main differentiators in Sophos' ZTNA offering compared to similar offerings from others?

The best way to address these questions is by looking at users’ and attackers’ behaviors in today’s “borderless” digital world. Firstly, people, applications, devices, and data aren’t constrained to offices anymore – they’re everywhere, regardless of organization size – and we need more modern ways to secure them. Zero trust is a very effective cybersecurity principle, and ZTNA embodies it in a practical, easy-to-use way, ensuring that users have secure access to only the resources that they need. Unlike VPNs that provide broad network access, Sophos ZTNA eliminates implied trust and only authorizes user access to specific applications and systems on the network. By trusting nothing and verifying everything, Sophos ZTNA improves protection, simplifies security management for IT managers, makes it easy to activate multi-factor authentication, and creates a smooth experience for remote workers.

Secondly, many traditional remote access solutions, like remote desktops and IPsec and SSL-VPN, provide strong encryption, but very little else in defense against modern threats. Sophos knows that attackers are increasingly exploiting these limitations, stuffing credentials into RDP and VPNs to gain access to victim networks, and then moving freely once inside, all too often culminating in costly data theft and ransomware incidents. Sophos ZTNA provides the defenses organizations need to manage this access, so that attackers have less surface area to scan and leverage to break into the network.

Q3. What can organizations expect from Sophos at Black Hat USA 2022?

At Black Hat 2022, Sophos is hyper-focused on “Cybersecurity as a Service,” an initiative we feel is critical because cyberattacks have become too frequent and too complex for organizations of any size to be able to keep up on their own. Between dealing with the clean-up from the recent barrage of attacks we’ve all seen leveraging commercial software (i.e., Follina, Atlassian and Log4J, to name a few) and handling basic security hygiene during their “day job,” security analysts need help.

We want all Black Hat attendees to learn more about how our Managed Threat Response (MTR) services, including threat hunters who monitor networks 24/7 for malicious activity, are an ideal solution. We also have a complete portfolio of cloud-based products, including our anti-ransomware defender Sophos Intercept X with XDR, that lets users manage lookups and other threat detections on their own. This is just a sampling! Stop by for more information and check out Sophos’ speaking sessions.


Patrick Coughlin
GVP, Security Market Strategies

Splunk

Q1. Why would organizations that have invested either in a SIEM platform or in an XDR technology, require the other? Do you perceive them as complementary technologies or as competing ones?

Compared to SIEM, XDR covers a closed subset of the data sources, use cases and outcomes required to drive enterprise-grade cyber resilience. There are some customers that will be comfortable with a "good-enough" coverage model from XDR, while our customers are demanding more, not less, coverage. We deliver through our market-leading threat detection, investigation and response products built on Splunk's platform with the largest, open ecosystem of integration partners.

Q2. What were the main security takeaways for enterprise organizations from Splunk's State of Observability 2022 research report?

Our customers are taking a more holistic view of enterprise resilience than they were even a couple of years ago. Security, IT, and DevOps leaders care less about whether an incident was the result of a performance taxation in an application, a failure in the infra layer, an insider threat or an external threat actor; they are asking, 'how quickly can you help me find it, fix it, and automate it so I don't have to keep doing it'.


Jonathan Trull
CISO

Qualys

Q1. What's your advice to CISOs for responding to zero-day vulnerabilities in a timely and organized fashion? What kind of processes do they need to put in place to ensure an optimal response?

Log4Shell, SolarWinds, Colonial Pipeline, MSFT Exchange — these names have become synonymous with infamous cybersecurity events. We keep calling every new zero-day exploit a “wake-up call,” but all we have been doing is collectively hitting the snooze button. To stop hitting the “snooze button” and wake up and deal with zero-day vulnerabilities, CISOs must establish a documented standard operating procedure and create a detailed standard operating procedure that includes step-by-step activities tailored to the vulnerability type. The following information must be included:

  • Process flow for responses. If you need help, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created an excellent guide to help - www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf.
  • Categorize the vulnerability by the type, severity and required response times. There should be a specific category for critical zero-day vulnerabilities.
  • Pre-determined service level agreements for each response team – e.g., cybersecurity incident response team, security operations, system administrators, SRE engineers, DevOps engineers, etc.
  • Procedure for declaring and communicating an incident (this could be a reference to the incident response standard operating procedure).
  • Steps for tracking, reporting, and concluding the incident and returning to normal operations.

The most successful organizations spend time updating and testing their standard operating procedure yearly to ensure it is accurate and contains the specific steps needed to be effective.

Attackers are taking advantage of the complexity and lack of asset visibility that the migration to the cloud has introduced – with attack surface management tools discovering more cloud assets than security and IT teams even knew they had. Simply put, you cannot secure what you cannot see; risk to the organization lies in unknown assets. The most mature organizations maintain a comprehensive and up-to-date inventory of all technologies and third-party vendor relationships, as this is often where vulnerabilities exist. Mature organizations have developed processes to automatically identify IT assets whether they are on-prem, mobile, cloud, containerized, or in a non-traditional format such as OT or IoT.

Organizations with the swiftest and most effective response to zero-days usually have a team dedicated to gathering and analyzing threat intelligence from multiple sources. These teams typically receive intelligence from vendors, government entities and information sharing and analysis centers. The information collected and processed should then be used to identify the existence of zero-days and kick-off the company’s overall response. In the same vein as inventorying, gathering and analyzing threat intelligence is crucial to provide the necessary foundation for security teams to take calculated and intentional steps.

Q2. What are some of the requirements for a mature cloud security program? What kind of security controls and processes are required to manage risk in cloud environments?

No matter the difference in size, geography, or industry, a CISO’s number one job is to manage cyber risk. But with organizations facing an influx of internet-shaking vulnerabilities that are being weaponized at speed, catastrophic breaches, and increasingly sophisticated bad actors – managing cyber risk and ensuring security hygiene has become more complex and overwhelming than ever before.

So where to start? Step 1: You cannot secure what you cannot see. You need a baseline before taking any action to simplify – e.g., move towards a platform and consolidate as much as possible. Shifting certain use cases into a consolidated solution versus keeping them siloed allows you to evaluate your risk posture. It also enables you to dig deeper into how data flows and how you interact with customers and shareholders. If you have too complex an infrastructure with huge technical debt, then it is nearly impossible to truly understand your security posture.

Step 2: Based upon the baseline information gathered, organizations must develop their “cyber balance sheet.” Like the financial industry, cybersecurity must create a model by which all CISOs and boards can measure each aspect of their security infrastructure. In doing so, you’ll develop an understanding of what is a priority to the organization, which crown jewels are most important to protect and where the holes in your security infrastructure are.

Step 3: Come up with a strategy to build in more automation. CISOs must consolidate and leverage their platforms with minimal integration. The end goal is to have an end-to-end solution that can monitor, detect, remediate, and measure compliance.

Q3. What do you expect will be top of mind issues for your customers at Black Hat USA 2022? What does Qualys plan to focus on at the event?

All types of cyber-attacks are becoming “commonplace,” and bad actors are taking advantage of whatever vector they can, whether that is a phishing campaign or a ransomware attack. This year’s Black Hat will speak to how hackers are growing increasingly smarter and sophisticated, executing all types of attacks with more precision and success than ever before. Governments around the world are starting to make moves to defend against hacking gangs, but even as heightened focus turns to protecting digital assets, bad actors have had a head start and continue to evolve alongside new legislation.

Through automation, today’s bad actors are maximizing the impact of their attacks at scale – e.g., during the March 2021 Microsoft Exchange breach, it was estimated that 250,000 servers fell victim to the attack (30,000 organizations affected in the US alone). Attacks like these continue to underscore how hacking gangs successfully leverage automation to inflict severe damage. Qualys’ focus is around fighting automation with automation. If attackers are using automation to disrupt the business operations and continuity of every type of organization, why would defense mechanisms not use the same tactic?

Companies – both private and public, government agencies and critical infrastructure organizations alike – are beginning to have their hands forced. Automation across security infrastructure is no longer a choice, but a necessity for every cyber arsenal. The risk of automation breaking something within the company’s IT infrastructure will now be fully outweighed by the risk of not automating at scale.
