Interviews | June 19, 2019

Point Products Have Complicated the Enterprise Security Challenge

Mike Viscuso
Co-Founder and Chief Strategy Officer

Carbon Black

Q1. How have requirements for endpoint security evolved in recent years? What role is big data and analytics playing in helping organizations address endpoint threats?

Modern cybersecurity is all about collecting, retaining and analyzing the data. To understand the data is to understand the attacker, as well as their evolving behaviors. That's the premise Carbon Black was founded on and it's one that continues to permeate our product philosophy and company strategy.

Long gone are the days of being able to rely on signature-based antivirus products to keep attackers out. That's a conclusion the market has largely accepted in recent years. However, in response, there's been a proliferation of point security products that attempt to address only a single component of the attack lifecycle. These point products have left security teams with too much complexity and not enough answers. That's one of the reasons we are continuing to see attackers succeed.

At Carbon Black, we're simplifying and strengthening security for organizations around the world. Our cloud-based endpoint protection platform (EPP) consolidates multiple endpoint security and IT use cases into a single platform. This platform collects and analyzes more than 500 billion security events per day — a massive amount of data that's providing critical insight into attack patterns and providing a level of insight that extends well beyond point products.

Rather than just address one component of the attack lifecycle, Carbon Black is empowering security teams to prevent, investigate, remediate and hunt for threats. I often say that data is the lifeblood of our cloud platform and that understanding attacker behavior by analyzing this data is how we're going to close the gap in cybersecurity.

Q2. Carbon Black's recent Global Incident Response Threat Report noted a substantial increase in attacks that leverage "island hopping". What exactly is island hopping and why should enterprise organizations be concerned about the trend?

Island hopping is something that both Carbon Black and its 100+ incident response partners are seeing at increasing levels. In fact, 50 percent of today's attacks leverage island hopping. With island hopping, attackers are going after a primary target by first targeting smaller, often more vulnerable, organizations in the supply chain. The term "island hopping" generates from World War II, as a tactic the United States leveraged in the Pacific. The U.S. would attempt to capture smaller islands and then use them as outposts to target mainland Japan.

The Target breach from a few years ago is a prime example of a successful island hopping attack occurring in cyberspace. As many of us know, this attack began with attackers first breaching Target's HVAC provider. The same thing is happening with other supply chain vendors in various industries — finance, healthcare, energy and government. The smaller supply-chain partners of these larger organizations often don't have good enough security programs in place to defend against attacks.

What's most concerning about island hopping attacks is that they're evolving beyond traditional leapfrogging from network to network. They now include attacks where websites are converted into watering holes to ensnare a business' customers, partners and overall brand. Modern island hopping attacks are also leveraging Reverse Business Email Compromise (BEC), a trend seen primarily in the financial sector, where attackers take over the mail server of a victim company and launch fileless malware attacks. It's clear the surface area for attacks is expanding and it's critical for businesses to acknowledge this risk.

Q3. What do you want attendees at Black Hat USA 2019 to know about Carbon Black's technology roadmap and strategy over the next few years?

Most importantly, the power of the cloud is transforming endpoint security and Carbon Black is leading this transformation. Today, only 15% of companies are in the cloud when it comes to their endpoint security. By 2025, Gartner predicts that more than 75% of companies will be in the cloud. Carbon Black is at the forefront of this shift with our cloud platform and our roadmap and strategy center around using the power of the cloud to keep our customers protected.

Over the past year, we've delivered four new services on our cloud platform and we'll continue to deliver additional features and use cases over the next few years. Our team lives and breathes cybersecurity and I love seeing that passion shine through with our product innovation. Our high-level strategy is one that we've been following since Carbon Black's founding: we want to make life easier for defenders and harder for attackers. We know the cloud gives us a big advantage in doing both, especially when it comes to collecting, retaining and analyzing big data.

Matt Moynahan


Q1. Cybersecurity spending has kept increasing steadily in recent years, yet most enterprise organizations appear to be as vulnerable to security threats as they were a few years ago. What are they doing wrong, or not enough of?

Let's put this into an even starker perspective. In the last seven years, more than $1 trillion has been spent on cybersecurity with a 95% success rate – for the attackers. It isn't surprising that every CISO I speak to today doesn't feel any safer. And when we spend the next $1 trillion should we expect a different result?

The challenge organizations are facing today is in their race to take advantage of the $100 trillion competitive advantage that digital transformation represents, security architectures are breaking. Many organizations today are still operating within an infrastructure-centric security approach that has not kept pace with the rate of change that digital transformation requires.

Business and security leaders, and Boards of Directors, are realizing their organizations can't just spend their way out of the problem – even when security budgets are reportedly up 9%.

If you take a look at how security is applied in an infrastructure-centric paradigm, policies are applied from the infrastructure to groups, or departments or to the whole company. This results in security friction for employees and creates an opportunity for malicious actors to exploit loopholes in the policy or the rights that are applied. Due to the generic nature of these policies, the noise of events and log files makes finding the bad amongst the good extremely difficult.

Organizations today need to rethink their security posture, and look at it from an inside-out approach. Meaning, in today's mobile and cloud-first business environment users and data must be at the center of security design thinking. By making humans, and not events, the units of analysis, security teams can use events as data input to understand what each individual is trying to do by their behavior.

Based on that understanding, different policies can be applied to each digital identity based on the riskiness of that behavior. You can now get aggressive with automation to stop threats without breaking the environment. This one-to-one proactive security approach provides more user freedom and proportional security enforcement based on a dynamic risk-adaptive profile.

This is the disruptive thinking needed to mitigate risks in today's sophisticated threat landscape. And those organizations that embrace this modern cybersecurity approach will be the ones who can also drive significant business success through their digital transformation journey and beyond.

Q2. Enterprise interest in zero-trust security models appears to be growing. How can Forcepoint's human-centric approach help organizations enable a zero-trust model?

Introduced in 2010, the Zero Trust concept was one of the first times the industry started a conversation outside of the traditional model of "trust but verify" shifting instead to "never trust, always verify". Over the years this philosophy has evolved as the cybersecurity threat has matured. Yet it still exists closely within its original architecture, which utilizes a range of different technologies and best practices centered around identity verification.

Forcepoint's human-centric approach to security takes zero-trust one step further.

Through our risk-adaptive security model we see an opportunity to enable connected trust. Meaning, for businesses and governments to flourish within today's digital transformation landscape, some level of trust is required. And in this context, levels of trust are nuanced based on the organization and its definition of what is considered acceptable risk.

To establish connected trust, understanding of human behavior and intent is critical. Creating a baseline understanding of all "normal" behavior of digital identities on a network enables faster identification and classification of outlier and risky behavior. In this model, anonymized digital identities that deviate from their "normal" behavioral patterns trigger an alert that security administrators can react to quickly, as well as a relevant automated enforcement response based on the identity's elevated risk score.

As a result, security teams also know exactly where the problem lies—with a specific digital identity—and can focus automated enforcement efforts on observing or blocking specific activities based on the level of risk the activity represents. And, important for security teams inundated with alert fatigue, this automation in enforcement increases [speed] and requires less human interaction. Monitoring each user's behavioral patterns—and streamlining security response to only those incidents that exhibit anomalies in baseline patterns—also helps keep systems secure without penalizing everyone. This enables a one-to-one security approach versus the one-to-many approach organizations have historically utilized.

Ultimately, Forcepoint views trust as a continuum between zero and permissive, and to be effective against today's threats modern security needs to be more personalized, while allowing people to still be productive and work unencumbered by security friction.
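A toy sketch of the per-identity baseline, risk score and graduated enforcement described in this answer, written here as an added example rather than Forcepoint's own code. The identities, history, feature choice (hour of day and upload size), decay factor and thresholds are all constructed assumptions; the point is that the same event is handled differently for two identities because each is measured against its own "normal" rather than a group-wide policy.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline history per digital identity: (hour_of_day, upload_mb).
# id-17 is a daytime user with small uploads; id-42 is a night-shift backup
# operator whose large night-time uploads are its own "normal".
HISTORY = {
    "id-17": [(9, 4), (10, 6), (11, 5), (14, 8), (16, 7)],
    "id-42": [(0, 40), (1, 42), (2, 38), (3, 44), (4, 41)],
}

MIN_STDEV = 0.5  # floor so a very regular identity cannot produce infinite z-scores
Z_CLIP = 6.0     # cap one event's contribution so a single outlier cannot dominate
DECAY = 0.5      # share of the previous risk score carried into the next decision
ALERT_AT, BLOCK_AT = 2.0, 4.0  # graduated enforcement thresholds (assumed values)

@dataclass
class Profile:
    means: tuple       # (mean hour, mean upload_mb)
    stdevs: tuple      # per-feature population stdev, floored at MIN_STDEV
    risk: float = 0.0  # this identity's current, decaying risk score

def build_profiles(history):
    """Baseline each identity's own 'normal' from its history."""
    profiles = {}
    for ident, rows in history.items():
        cols = list(zip(*rows))  # -> (hours...), (uploads...)
        profiles[ident] = Profile(
            means=tuple(mean(c) for c in cols),
            stdevs=tuple(max(pstdev(c), MIN_STDEV) for c in cols),
        )
    return profiles

def score(profile, hour, upload_mb):
    """Fold one event into the identity's risk score and return it."""
    feats = zip((hour, upload_mb), profile.means, profile.stdevs)
    z = max(abs(v - m) / s for v, m, s in feats)
    profile.risk = DECAY * profile.risk + min(z, Z_CLIP)
    return profile.risk

def enforce(risk):
    """Proportional response: observe, alert an analyst, or block."""
    if risk >= BLOCK_AT:
        return "block"
    if risk >= ALERT_AT:
        return "alert"
    return "allow"

def decide(profiles, events):
    """Run events through per-identity profiles; return (identity, action, risk) per event."""
    out = []
    for ident, hour, upload_mb in events:
        risk = score(profiles[ident], hour, upload_mb)
        out.append((ident, enforce(risk), round(risk, 2)))
    return out

if __name__ == "__main__":
    # Constructed stream: id-17 drifts further from its baseline on consecutive
    # events, so its risk accumulates and enforcement escalates; id-42's
    # night-time upload would be anomalous for id-17 but is normal for id-42.
    events = [("id-17", 10, 7), ("id-17", 19, 9), ("id-17", 20, 10), ("id-42", 3, 42)]
    for row in decide(build_profiles(HISTORY), events):
        print(row)
```

Because risk decays rather than resetting, a run of moderate deviations escalates from alert to block, while a single ordinary event never trips enforcement.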

Q3. What are Forcepoint's plans at Black Hat USA 2019? What can attendees expect to hear from your company at the event?

As digital transformation reshapes industries, organizations of all sizes and across industries are rethinking their approach to innovation and how technology can help them compete more effectively. Black Hat attendees can visit Forcepoint Booth #622 to learn more about our newest security capabilities coming later this year to accelerate digital transformation, such as Forcepoint Dynamic Edge Protection.

Dynamic Edge Protection delivers an integrated network security solution that supports modernization of enterprise networks for cloud adoption. It does this by enabling enterprises to transform their network and security architectures with seamless connectivity to take full advantage of the cloud across distributed application and network environments. The solution will also offer converged capabilities for SD-WAN connectivity and next-generation firewall-as-a-service with security for Web and Cloud – all as a cloud-first, hybrid-ready service using Forcepoint's enterprise grade technologies.

Dynamic Edge Protection will deliver security that works everywhere employees are with solutions delivered from the cloud that take advantage of new advances such as behavior-centric, risk-adaptive security without on-site updates or redeployment.

Highly distributed organizations such as retailers, financial institutions, hospitality providers, and government agencies can use Forcepoint Dynamic Edge Protection to significantly reduce the cost and complexity of connecting their hundreds or thousands of remote locations in a highly secure and manageable way. The solution's "zero footprint" can also replace disparate hardware appliances deployed at each site with integrated, behavior-centric security services delivered from the cloud.

Black Hat attendees can also join Forcepoint experts in our booth for theater presentations and hands-on demos including our Risk-Adaptive Data Protection solutions, Web Security incorporating CASB capabilities, human-aware NGFW and cross-domain solutions.

We're moving fast to change the cybersecurity industry and we're also looking for the best talent to join us. Our recruiters will be at booth #CZ102 in the Career Zone to answer questions from anyone who'd like to learn more about job opportunities at Forcepoint.

Mike Adler
VP Product, RSA NetWitness Platform


Q1. How has the role of SIEM technologies changed within enterprises over the past few years? How are modern SIEM systems different from older versions of the technology?

Today modern enterprises need an evolved SIEM, one that not only captures logs and satisfies the compliance requirements but one that can serve as the centerpiece of advanced threat detection and response for a SOC. A modern evolved SIEM now collects data from multiple sources including logs, network and endpoints and applies a collection of detection technologies including threat intelligence, detection rules, and analytics to roll individual alerts into complete incidents that allow analysts to quickly investigate and respond.

Q2. What are some of the key requirements for building a robust threat detection and response capability? What are the most common challenges organizations need to overcome when building a detection and response capability?

Security requirements have become increasingly complex to build a robust threat detection and response capability. Much of the complexity is driven by the increased digital risk enterprises have as they go through digital transformation. Organizations need to have the visibility across the computing platforms including private cloud, public cloud and end user computing areas from multiple sources of data including endpoint and network. Additionally, organizations need to have the right set of integrated technologies that can make use of the captured data to provide the insights necessary to provide advanced threat detection. Lastly, organizations need the ability to act, which is the partnership between automation technology, orchestrated security processes and of course skilled security analysts. Many organizations are only beginning the journey of gaining the right level of insight across the complex environments where modern organizations are operating on business critical data, and building the skills, process and technology to respond to threats identified.

Q3. What is your main messaging going to be at Black Hat USA 2019? What do you want attendees to take away from RSA's presence at the event?

As increasingly digital business operations collide with an advancing threat landscape, organizations are struggling to not only detect sophisticated cyber threats, but just as importantly, to understand the real business risk they pose while coordinating response across the business, from SOC to the boardroom to front line employees. To mitigate the business impact from a cyber incident, organizations must not only detect a cyber threat across various domains (SOC, identity, and fraud), but also centrally manage and orchestrate technical and business responses across the organization to reduce the overall impact of the event. Our main messaging is focused on how SecOps teams can better leverage identity and business risk information in their hunting, detection and response procedures, while aligning to the risk function in their business to ultimately better protect their organization undergoing digital transformation.

Varun Kohli
Head of Strategic Marketing, PMO & Global Demand


Q1. What are some of the most important features and attributes that organizations should be looking for, when shopping for CASB technologies and services?

CASB is a cloud-based service that sits between an organization's local infrastructure and a cloud provider's application or service. The CASB needs to act as a gatekeeper, allowing the organization to extend the reach of their security policies and best practices in data security to those providers. The best CASBs will have information on tens of thousands of web and mobile applications and services, and help the customer find the right cloud tools to balance their combination of daily business need and business risk acceptance.

Generally, the more integrations that a CASB has to help create a zero-trust model from identity to control and compliance, the more effective it will be as part of enforcing the cloud security strategy and solution. This includes native abilities in DLP as well as integration with encryption solutions, MFA, content classification, and compliance reporting.

Organizations looking into CASB solutions should look for:

  • Ability to take a wide range of data sources – endpoint security, firewalls, WAF, SWG proxies, SIEM, IDaaS and more
  • Ability to apply controls for any endpoint (Windows, Mac, iOS, Android), managed or unmanaged, attempting to access any cloud service or IaaS
  • Breadth of coverage, with information on tens of thousands of cloud applications and services – including mobile
  • Depth of coverage, with hundreds of content classification and document types, including the ability to customize and define privileged data particular to the customer's business and privacy definitions
  • Out-of-the-box policies to police compliance relating to GDPR, PCI, PII, and external exposures in sanctioned applications
  • Customizable and flexible reporting capabilities, appropriate to any shareholder in the customer's cloud migration strategy including incident responders
  • Integration with a zero-trust Software Defined Perimeter (SDP) solution for access and control

Q2. What are some key trends to watch out for in the email security space over the next year or so?

We expect a few key trends to impact the email security industry. First, phishing attacks will grow more sophisticated. We also expect to see more extortion scams and cybercriminals leveraging advanced credential theft attacks to take over email accounts.

Until recently, attackers used high volumes of phishing emails to trick users into downloading malware or clicking on a malicious link. Since most email security solutions have responded to these threats by strengthening their defenses, attackers have shifted their tactics by using more complex and targeted email threats. We expect this trend to continue, as phishing attacks will become more complex, with growing use of social engineering and obfuscation techniques to evade detection. Adversaries will also target fewer users by turning to highly crafted phishing attacks that are customized for specific individuals.

We also expect cybercriminals to use more extortion scams to blackmail users. Also known as "sextortion scams," these attacks use stolen credentials from past data breaches to trick users into believing that attackers have a compromising video or photo. Attackers then threaten to release the information unless the victim makes a payment to them (typically via cryptocurrency). These types of attacks increased by 242% last year alone and have proven to be lucrative for cybercriminals.

On the solution side, one trend we're seeing is the ability to detect and prevent fraud over email and add isolation capabilities, generally applicable to the web today. This allows email security solutions to rewrite URLs coming in via email to go through an isolated sandbox to avoid malware and credential phishing attempts.

Lastly, attackers will utilize advanced credential theft to perform more account takeovers. These threats will become more targeted and advanced, as many email security vendors now have protection in place for basic credential phishing attacks. It's more profitable for cybercriminals to specifically target VIPs such as executives rather than lower-level employees, since these accounts are usually more valuable. For instance, compromised VIP accounts can be used to launch attacks such as Business Email Compromise, especially since legitimate accounts can bypass detection by email security solutions.

Q3. What does Symantec plan on highlighting at Black Hat USA 2019? What can attendees expect from the company at the event?

At Black Hat USA 2019, Symantec's booth will highlight its Integrated Cyber Defense (ICD) Platform – the strongest cyber defense platform powered by the world's largest and most dynamic civilian threat intelligence network. A recent study showed that 93% of customers are looking to consolidate security vendors to reduce cost and complexity of operations.

Symantec's ICD Platform unifies products, services and partners to drive down the cost and complexity of cyber security, while protecting enterprises against sophisticated threats. ICD combines information protection, threat protection, identity management, compliance and other advanced services, powered by shared intelligence and automation across endpoints, networks, applications, and clouds.

Did you know that 7 minutes is all it took for NotPetya to cripple the world's largest shipping company? A lot of damage can be done in just minutes. With this in mind, guests at the booth will hear from Symantec's team of world-class researchers who will perform live 7-minute hacking demos including one on the dangers of misconfigured S3 buckets.

Additionally, guests can play a unique "Escape the Cyber Labyrinth" game and join Symantec's Capture the Flag competition for a chance to win exciting prizes.