Interviews | June 22, 2018

Black Hat USA Platinum Plus Sponsor Interviews: Crowdstrike, Cybereason, Darktrace, SentinelOne

Dan Larson

Dan Larson
Vice President of Product Marketing


Q1. Describe for us CrowdStrike's new $1 million breach prevention warranty. What does it cover and what prompted the company's decision to offer it to customers?

If you step back and look at the security industry, you see a pretty fundamental problem. A lot of money and time is being spent on security tools, but security breaches continue to occur at an alarming rate. That means a lot of security products are not doing their job. We think it is obvious that if you truly believe in your product's ability to protect your customers and – ultimately - to stop breaches, then you should back up those claims with a warranty. This is the norm in other industries, and we believe it should be the norm in cybersecurity.

We made our warranty very simple. If a breach occurs in an environment that is protected by our EPP Complete product, then we will reimburse the customer for up to $1M in costs associated with responding to the breach. These costs include incident response, legal fees, notification, credit monitoring, forensic investigation, public communications expenses and more. Overall, our warranty program is much more comprehensive and much easier to use than other warranties in the cybersecurity space and we think customers will enjoy the additional level of assurance that it offers them.

Q2. What are some of the biggest trends driving enterprise need for predictive security capabilities such as those offered by CrowdStrike's Falcon X?

In recent years we've seen broad adoption of the "prevent, detect, respond" approach to endpoint security. This has driven positive and meaningful outcomes for security teams, but these approaches are fundamentally reactive. To take the next step, we need to pivot to proactive.

Cyber Threat Intelligence, as a discipline, holds incredible power to predict future attacks and deliver the information and indicators needed to deploy proactive countermeasures. Unfortunately, the traditional approach to cyber threat intel only worked for security teams at the very top of the skills pyramid. We think every security team should get the benefits of cyber threat intel, so we built Falcon X to make that happen.

With Falcon X we automate the threat analysis process and deliver custom intelligence and IOCs from the threats that we block on your endpoints. This makes it easy for security professionals to understand the threats they encounter, and gives them a unique set of IOCs that can be shared with other security tools. Thanks to the Falcon Platform's vast malware repository and sandboxing capability, Falcon X instantly delivers IOCs for the threat that was encountered and for all known variants. These custom IOCs are especially effective at blocking future attacks perpetrated by the threat actor that is targeting the organization. Falcon X empowers customers to learn from every encounter with the adversary so that they can be more effective in combatting them the next time they appear.

Q3. What is CrowdStrike's messaging going to be at Black Hat USA 2018? What topics or technology do you plan on focusing?

This year it is all about Cyber Threat Intelligence. CrowdStrike is a company built on threat intelligence and we've witnessed the incredible impact it can have on strengthening an organization's security posture. However, we've noticed that the people really succeeding with cyber threat intel are the security teams at the very top of the skills pyramid. With Falcon X and the Falcon Platform we automate, customize and simplify threat intel so that all security teams can get the benefits and pivot to proactive. This makes it faster and easier for security teams to learn from every encounter with the adversary and then use that knowledge to proactively deploy customized IOCs to other security tools in their technology stack. Whether you're just getting started with threat intelligence or trying to streamline your existing workflows, Falcon X simplifies the task of getting ahead of the next attack.

Yonatan Striem-Amit

Yonatan Striem-Amit
Co-founder & CTO

Israel Barak

Israel Barak


Q1. Yonatan, what do enterprises need to understand about the changing nature and scope of endpoint security threats? Where do you see some of the biggest gaps in capabilities when it comes to endpoint defenses?

Enterprises today still do not understand what attacks look like from the attacker side. A defense organization might think, incorrectly, that if they have a good prevention strategy that is able to handle a large fraction of malware, that organization might be secure, or at least more secure than it's peers. In reality, a much more holistic approach is needed. While an endpoint prevention strategy is absolutely critical, organizations need to plan, adjust and analyze for when these defenses are bypassed. The only solution for that is to combine an endpoint prevention strategy with a hunting strategy that looks at data access, automation, and focuses on the analyst. A defender should always ask themselves - Do I understand "How an incident happened, where else does it occur, what's the timeline of events, what's the underlying root cause and who's involved?"

Q2. Israel, what do you see as some of the biggest challenges that CISOs face these days in aligning security efforts with business requirements? What role can companies like Cybereason play in helping security organizations in this regard?

Aligning security efforts with business strategy and operations is first and foremost about making informed decisions that are based on business risk trade-offs.

The top security risks to enterprises originate from threat actors and adversarial activities that are only minimally impacted by compliance and general IT security controls. Cybereason's AI-driven Deep Hunting Platform empowers security organizations to detect and contextualize advanced adversarial activity in the enterprise network, allowing them to rapidly understand the complete extent of an advanced attack and its potential business risk, and efficiently remediate the effected systems.

Q3. Yonatan, what is the story that Cybereason wants to tell with its newly released documentary 'The Defenders'? What motivated the company's involvement in the documentary?

Our industry, and this is apparent even in the name of this conference is constantly celebrating the attacker. We read about attacker's researchers, our heroes are those who discover amazing new vulnerabilities and weaponize them, and we generally hold to high degree of respect those talented individuals who demonstrate vulnerabilities and exploitation. At Cybereason, we know from first hand experience that building a good offensive operation is substantially easier than building a defensive one. When creating 'The Defenders,' we wanted to highlight the true heroes of the security world, and highlight the need for ingenuity, grit and passion among those who tirelessly build and protect their enterprises. We wanted to celebrate the defenders.

Q4. Israel, what are Cybereason's plans at Black Hat USA 2018? What can attendees expect from visiting your booth at the event?

Stop by Cybereason's booth for free candy and popcorn and plan on entering the movie theater at Cybereason's booth. Throughout the week at Black Hat, Cybereason will be showing the trailer to The Defenders, a new cybersecurity documentary produced and underwritten by the company. Hundreds of thousands of people have already seen the documentary and it is has been met with rave reviews.

Over the years a lot has been written about hackers and their motivations, but what about the people responsible for defending private and public enterprises? The Defenders is the first film made that shifts the focus away from the hacker to the security professionals who protect us 24/7 -- it reveals the curiosity and discipline behind their critical and noble work. The Defenders takes a behind-the-scenes look at four famous cyber attacks and spotlights the incredible people tasked with keeping our institutions safe.

Nicole Eagan

Nicole Eagan

Justin Fier

Justin Fier
Director of Threat Intelligence & Analtyics


Q1. Nicole, Darktrace's recent valuation at over $1.2 billion suggests that investors and others see artificial intelligence and machine learning as being critical to cyber security in the years ahead. Why has AI become so fundamental to cyber security? What kind of security products or services do you see benefiting the most from AI?

The attacks of the past several years have made it clear that global threats move too quickly for human security teams to keep up. Threats are evolving at unprecedented rates, with machine speed attacks that require action within milliseconds. Compounding this challenge, the attack surface keeps expanding as we migrate to the cloud, add IoT devices to our networks, and as OT environments become increasingly connected to the corporate network.

It's a new era, and cyber security has become an arms race. Threat-actors and defenders alike will be racing to deploy the better algorithms, and we'll soon see machines fighting machines on the battleground of corporate networks.

Companies across the globe have realized that legacy protections which rely on historical data will never be sufficient in this new age of pernicious threat. With each rule we write, hackers will only add another tool to their toolkit. The future of cyber security lies in automation and artificial intelligence, capable of defending against the unknown threats targeting our entire network infrastructure, including IoT, cloud and virtual environments, and ICS.

By understanding the normal ‘pattern of life' for a network, AI-powered cyber defense can identify and autonomously neutralize never-before-seen threats that are already inside the network. Whether threats originate from the cloud, an OT environment, or an internet-connected fish tank, AI is able to identify and respond in real time.

In a rapidly evolving threat landscape faced by stretched security teams, AI technology has established the future of cyber security: self-defending networks that can neutralize in-progress attacks within 2 seconds of emerging, without requiring human intervention.

Q2. Justin, what do you see as some of the biggest challenges organizations currently face in operationalizing threat intelligence?

One of the biggest challenges of threat intelligence comes down to utilizing it in a timely manner, before it becomes irrelevant. Threat intelligence feeds are retrospective – it takes time to discover new intelligence, reverse engineer it, and then share it. The data is entirely based on prior knowledge of attacks – it can't help if you get the information once you're infiltrated and perhaps more importantly, it can't predict future attacks. Threat intelligence is useful to protect against similar attacks that are circulating, but it must be acknowledged and interpreted in real-time.

The time and resources it takes to correctly understand and integrate the data presents [its own] a unique challenge. When threat intelligence comes in, it takes the right people and many hours of manpower to grind through the data and interpret it. The cyber skills shortage is an often talked about problem, but we rarely read about the solutions. Using AI technology to automate the analyst can help security teams cut through the noise and discern what's useful.

Ultimately, security teams should operationalize threat intelligence feeds by working in tandem with AI technology and automation to gain more valuable insights. AI can help separate genuine, timely information from the clutter without spending hours of analyst time. When working with threat intelligence, it's important to use these tools to work smarter, not harder. And finally, to always remember that yesterday's attack won't predict tomorrow's.

Q3. Nicole, will AI eventually reduce or even eliminate the need for human skills in cyber security some day or do you see it more as complementing and bolstering human capabilities in this space?

As an industry, we face a worsening cyber skills shortage, with the demand for skilled practitioners consistently outstripping supply. Companies struggle to find qualified people for the job, and the analysts they do have are tasked with sifting through upwards of 200,000 alerts per day. And beyond finding talent, security teams must combat the challenges of alert fatigue and burnout. AI technology has proven invaluable in meeting this challenge. But rather than replacing security teams, AI acts as a force multiplier by autonomously responding to threats – giving analysts critical time to catch up and focus their efforts on the most important initiatives.

Finding an indicator of the next global attack is like trying to find a needle in a haystack for security teams. But not only do analysts need to find the threat among hundreds of thousands of alerts, they need to find it in real time, before it starts to do damage. AI technology works to effectively visualize and prioritize threats in order of their severity, proving the difference between finding a threat as it emerges and finding it hundreds of days later.

Stretched security teams are also working in tandem with AI by relying on autonomous response technology to take precise and proportionate action against cyber-threats. This breakthrough technology is capable of autonomously neutralizing more than 7 threats per minute, giving security teams ample time to catch up and focus on the most serious incidents.

Ultimately, AI won't replace the analysts but instead allow them to be more productive, proactive, and focused on strategic priorities. Using AI as a force multiplier, security teams of all sizes can rapidly investigate, remediate, and move on to the next incident – resulting in upwards of ten hours a week saved per security analyst.

Q4. Justin, what do you expect will be some of the key conversations around the use of AI and machine learning in cybersecurity at Black Hat USA 2018?

As Nicole said, I think a big part of the conversation at Black Hat USA 2018 will be about using artificial intelligence to augment the human. We're faced with a dramatic cyber skills gap, and I think Black Hat will be where we stop talking about the problem and start talking about solutions.

Integrating AI into the SOC will be critical to staying ahead of new, sophisticated threats – humans need the help of machines. Hackers only have to succeed once, but security teams need to guarantee a continuous defense of their entire infrastructure. There's no way to do this without working in tandem with AI-based detection and autonomous response.

Once integrated into the SOC, it will take some time to fully operationalize AI into the analyst workflow, and I think this will be part of the conversation too. The kind of alerts produced by AI-based early detection is fundamentally different from signature-based alerts. It requires an updated investigative workflow based around contextual validation and probabilistic judgment calls.

Now that AI has become such a mainstream topic, I think we'll also start talking about using its capabilities in non-traditional networks like virtual environments and industrial control systems. We live in an era of networks without borders, and it's important that we use the best technologies at our disposal to provide defense across all types of infrastructure, including in the cloud, ICS, and IoT.

Tomer Weingarten

Tomer Weingarten
CEO & co-founder


Q1. What are SentinelOne's biggest focus areas for the moment? What are some of the trends driving that focus?

The SentinelOne team is laser focused on redefining security in the enterprise - we provide unparalleled protection, visibility, automation, and integration into the fabric of a security posture. Our big focus areas are:

Protection - we're committed to delivering the very best protection capabilities on the market - static and behavioral AI drive our autonomous protection engines; we're seeing more diverse attacks which our unique behavioral AI model excels at thwarting

Redefining applied EDR - we're focused on providing a highly automated, relevant EDR experience, showcasing the widest breadth of data, but doing so in a way that's highly contextualized and curated.

Automation - with more than 250 APIs, SentinelOne is the most integratable and automated solution on the market. For us, "endpoint protection" has always been the convergence of EPP and EDR - but it's becoming so much more. What we're building and where we're positioned to add the most value is becoming a platform for enterprises to manage and protect much more than just their endpoints. Through SentinelOne, enterprises can streamline the management of other security products, gain newfound visibility, and achieve unrivaled efficiencies across the pieces of their security program.

Q2. Do you see AI and machine learning as essentially helping organizations address the human scalability issue, or can they enable entirely new offensive and defensive capabilities?

Both - AI and machine learning scale human capacity in a number of ways:

Detecting more: our machine learning algorithms provide convictions based on petabytes of data modeling. We're able to automate what a human once had to spend time detecting and analyzing through AI. Even if the specimen is net-new or never seen before, or even requires noticing an articulate pattern of activity, our robust static and behavioral AI models yield correct determinations with high accuracy.

Faster and rational decisions: AI allows for precise and detailed decision making capability at machine speed. Whereas humans are inconsistent, bounded, biased and often slow, AI model outputs are exacting, precise, rational, and nearly instantaneous. Machine learning helps humans solve data and detail driven problems.

Just as any other technology, it can be harnessed for good or bad. At SentinelOne, our mission is to keep our customers safe through a multilayered strategy that leverages AI and ML models to autonomously prevent, detect, and respond to threats.

Q3. What do you want attendees at Black Hat USA 2018 to know about SentinelOne's AI and automation strategy?

Try us. We encourage Black Hat attendees to put us - and every other vendor - to the test. It's easy to use buzzwords, easy to do events, and easy to make headlines. It's much harder to build technology exclusively in-house that mitigates threats without creating a huge false positive problem - that works at parity online and offline across the widest variety of operating systems - and that's 100% API-driven. SentinelOne has been selected by two of the Fortune 5 because of sound strategy, tireless execution, and adherence to delivering a product that does what it says and more.

We're going beyond the convergence of EPP and EDR with new approaches to securing the endpoint in conjunction with managing other security assets in a completely automated fashion. With over 250 documented APIs, we automate collaboration, threat sharing, and operational intelligence with other tools to the point that deploying SentinelOne EPP isn't just about the endpoint. SentinelOne is about a new end-to-end automated approach to managing risk: it's an integrated security platform.

Sustaining Partners