Interviews | June 24, 2019

The cloud has completely changed endpoint security

Dmitri Alperovitch


Q1. What do enterprise organizations need to understand about the threat posed by nation-state adversaries? What were the main takeaways for them from CrowdStrike's Global Threat Report earlier this year?

Nation-state adversaries were continuously active throughout 2018. Their activities were directed at a wide range of different target groups, including dissidents, regional adversaries and foreign powers, as well as private enterprises, with the intent to collect intelligence for decision-makers. Key examples from CrowdStrike's 2019 Global Threat Report include:

  • North Korea remained active in both intelligence collection and currency-generation schemes, despite participating in diplomatic outreach with the U.S. and other countries.
  • Iran maintained focus on operations against other Middle Eastern and North African (MENA) countries, particularly regional foes across the Gulf Cooperation Council (GCC). Additionally, it is suspected that Iranian adversaries are developing new mobile malware capabilities to target dissidents and minority ethnic groups.
  • As for China, CrowdStrike observed a significant rise in U.S. targeting likely tied to increased tensions between the two countries.
  • Russian adversaries were active across the globe in a variety of intelligence collection and information operations.

While most private sector organizations expect not to be targeted by a nation-state adversary, we see it happen with increasing regularity. There was a time when, as long as you weren't a bank or a defense contractor, you could probably consider yourself off the radar of nation-state adversaries. Today we see nation states targeting a wider range of industries, including a focus on telecom and hospitality in 2018. These are industries that hold a wealth of information and control over people and their activities in both the physical and cyber world, and this has a great deal of value to certain nation-state adversaries. Based on our broad, global view of the threat landscape, we see no signs that the risk associated with nation-state actors will abate any time soon.

Q2. Can there ever be such a thing as effective cyber deterrence at the national level? Is there even a use case for such a plan?

We have seen some real attempts to curb nation-state cyber attacks in recent years, both through bilateral agreements between countries (such as the 2015 agreement between the U.S. and China) as well as high-profile indictments against individuals linked to named, state-sponsored adversaries. Neither of these have had a lasting impact. In diplomatic channels and the media, several nation-states gave lip service to curbing their clandestine cyber activities, but behind the scenes, they doubled down on their cyberespionage operations — combining those efforts with further forays into destructive attacks and financially motivated fraud.

In the case of the U.S.-China agreement, attacks on U.S. industry for the purposes of intellectual property theft decreased significantly for a time, but have increased again in 2018, likely due to increased political tensions between the two countries. In the case of indictments, these public disclosures and stepped-up law enforcement activity drove ongoing tool development and changes in tactics, techniques and procedures, making 2018 a transition year for many adversaries. One thing was clear: Law enforcement efforts have not yet halted or deterred nation-state sponsored activities.

While we naturally hope for peace, we live in the here and now. Defenders need to remain vigilant in our defense against these increasingly bold and sophisticated threats.

Q3. What do you want those attending Black Hat USA 2019 to know about cloud delivered endpoint security? What have some of the significant developments been in this space over the last year?

The emergence of the cloud completely changes the game for endpoint security, and for the first time shows the promise of tilting the scales back in the favor of the defender, by delivering better protection, better performance, and better value.

The cloud delivers access to essentially unlimited resources for compute and storage, which means we can index, contextualize, and analyze data at a scale that was previously unthinkable. This unlocks the true potential of protection techniques such as machine learning, behavioral analytics and integrated threat intelligence. It also fundamentally changes how you work with and what you should expect from your security vendor and the broader community. The cloud provides a common, consolidated platform where your endpoint protection provider becomes more than just a technology vendor; done properly, they become an extension of your team.

At the same time, offering a single lightweight agent and a single cloud-native platform offloads significant work from the endpoint and simultaneously eliminates the need for on-premise infrastructure. This greatly reduces the footprint of endpoint security in organizations of all sizes. It drives massive performance improvements at the endpoint when compared to legacy solutions and it allows organizations to deploy instantly and scale rapidly. It helps keep end users more productive, and saves enormous costs in the data center.

Once you have established a robust and scalable security cloud, you have a solid foundation that can be refined and extended to cover an infinite range of security use cases. At CrowdStrike we are focused on ensuring our customers have the broadest possible protection (including traditional endpoints as well as mobile devices) and the most efficient security workflows. We also recognize the importance of openness and extensibility of a platform, which led to the recent introduction of the CrowdStrike Store.

The CrowdStrike Store provides a marketplace for a broad range of third-party solutions, which customers are free to explore without sacrificing the endpoint performance or operational simplicity of our cloud-native platform.

Our industry is only now beginning to tap the value of cloud-native endpoint security. A scalable and extensible cloud platform, delivered in combination with world-class security expertise and threat intelligence, enables defenders to take control back from our adversaries and, ultimately, is the key to stopping breaches.

Stuart McClure
CEO and Founder

BlackBerry Cylance

Q1. It's been a few months since BlackBerry completed its acquisition of Cylance. What does the merger mean for your enterprise customers? What's your message for them?

Yes, it's been almost 4 months now since the acquisition was completed and the teams have begun integration into the BlackBerry ecosystem. The merger has created tremendous excitement and uplift opportunities across the board for both sides. Prior to the acquisition of Cylance, BlackBerry had completely transformed itself from a struggling mobile handset company selling to consumers, to a cyber safety company selling to the enterprise. And now with Cylance as the leader in endpoint cybersecurity prevention, we merge both the embedded/IoT and mobile secure communications and safety worlds of BlackBerry with the cybersecurity prevention of the endpoint, server and cloud of Cylance.

With Cylance's mature AI platform, we can extend our predictive and preventative learning platform to mobile, embedded and even data. BlackBerry can empower all its solutions with a truly next gen approach to all its offerings. Equally, Cylance can bring its solutions to the world of compliance, mobile and embedded as well. With BlackBerry, we become both compliance and threat driven, across all platforms from embedded to mobile to desktop, server and cloud, all powered by AI. I know of no other company that can claim such a preventative platform.

Q2. The market for endpoint protection, detection, and response technologies is booming. Where do you see the greatest opportunity to innovate and add value over the next few years?

EPP and EDR are merging together to form the next gen EPP. BlackBerry-Cylance's solutions lead the pack in preventative EPP and we will continue to innovate beyond the competitors in major ways. Leveraging BlackBerry's expertise and customer base, we can drive our solutions to whole new compliance markets. Additionally, by expanding and maturing the AI platform even more we can predict and prevent attacks in ways that the competitors haven't even dreamed of. We have already applied ML to files and fileless attacks, but now we can apply it to identity-based attacks along with behavior, activity, conduct and even auto-classification of attacks, giving the industry the first ML-driven explanation of the "why". This age-old challenge of ML is within our reach, explaining the "why".

The basic problem or limitation of all ML is that it cannot explain the "why". We humans don't trust ML yet; we need to know why something was called one thing versus another. Why did you call this behavior bad or that file malicious?

ML cannot answer this simple question today. It can only tell you that it is bad or good, unsafe or safe. With BlackBerry-Cylance's advancements in ML we can now start to answer explicitly the "why". No one else can do this today or is even close to talking about it yet.

Q3. What does Cylance plan on highlighting at Black Hat USA 2019? What are the company's plans at the event?

BlackBerry-Cylance will continue contributing content and new innovative demonstrations as always to Black Hat this year. We are excited to also deliver partner-led events that help drive our partner ecosystem and educate and inspire customers to solve big problems with supremely elegant ML-driven solutions. We cannot wait to demonstrate our innovative approaches to age-old problems like identity-based attacks, lateral movement, living off the land, insider threats, mobile threats, among many others. We look forward to educating and inspiring the audience at Black Hat this year and to peeling back the facade of solutions that simply detect and respond faster. We can prove that we truly prevent the unknown unknown attacks across the threat landscape like no one else.

James Carder
Chief Information Security Officer & Vice President

LogRhythm Labs

Q1. What is your advice to organizations on getting the most out of their SIEM investments? What do they need to know about SOAR in this context?

First, any company that wants to get the most out of its SIEM investment needs to ensure it fully understands why it is buying a SIEM in the first place. To know this, the organization needs to answer a number of questions. For example, what use cases does the organization want to solve? What are its business drivers and risks? Where do the organization's most critical systems, users, and data reside? What operational problems and threats does the security team see regularly? Answering these questions generates the business context needed to appropriately architect a solution to solve the organization's problems.

Second, I'm a big believer that the only way a company can truly protect itself efficiently and effectively is through integration and automation. There isn't enough human capital to go around, so companies need to start relying more on technology to take on as much work as possible. In particular, SOAR capabilities — which are built in to certain SIEMs — are excellent for enabling quick and efficient detection, response, and containment of incidents — before they become catastrophic breaches.

Ultimately, the time it takes companies to get through the investigative workflow determines the success of the security program. Therefore, companies should focus on using their SIEMs to reduce the time it takes to complete that workflow. Doing this will concretely demonstrate a return on investment.

Q2. How have requirements for SOCs evolved in recent years? What are some key attributes of a modern SOC?

Long gone are the days when SOCs simply alerted others to incidents; now, they are empowered to actually do something about them. This means that most companies are looking for SOCs to be proactive, reactive, and driven by business optimization.

To enable this, the key attributes of the SOC should always boil down to people, process, and technology. And when it comes to modern SOCs, the people have specialized expertise in areas like malware analysis, forensics, and threat intelligence; the processes are formalized and practiced; and technology frameworks like MITRE ATT&CK are adopted.

More specifically, the core of the modern SOC's technology stack should focus on the ability to detect and respond at the user, network, and endpoint levels. Example technologies that can accomplish this include SIEM, UEBA, SOAR, endpoint detection and response, and network detection and response solutions. But for SOCs to reap the most benefit out of these technologies, they should be integrated and automated through a single platform.

And today, I'm pleased to see more SOCs increasing the level of integration and automation that's incorporated into their workflows as well. They're leveraging playbooks and practicing some of them almost daily — especially those focusing on commodity and known attacks. They're also taking advantage of advanced security analytics capabilities and anomaly detection to enable threat hunting. Alongside centralized visibility, these activities have evolved from optional to basic requirements for SOCs that want to truly succeed.

Q3. What can attendees at Black Hat USA 2019 expect to see and hear from LogRhythm?

We're excited to be able to show everyone the latest and greatest that the LogRhythm NextGen SIEM Platform has to offer. We've added a lot to our platform since Black Hat USA 2018, especially when it comes to SOAR capabilities. Customers now have access to prebuilt Case Playbooks and over 100 automated response actions. Attendees can demo these features and more at our booth, as well as chat with LogRhythm experts about particular use cases or general best practices for security operations maturity. And if anyone simply needs a fun break in between sessions, we'll have plenty of games and giveaways to participate in!

Rick Howard
Chief Security Officer

Palo Alto Networks

Q1. You have talked about 'cyber hygiene' as a top concern for CSOs. What exactly is that and why does it matter?

Cyber hygiene and Zero Trust are the practices of thinking proactively about cybersecurity and taking the necessary steps to reduce the attack surface and stay protected against the latest cyberthreats. The challenge is that many organizations are overwhelmed with security tools and are rarely using them effectively—creating a false sense of security as they're simply checking a box.

It is critical that CSOs—as well as CISOs and CIOs—take caution not to fall into the "shiny tool syndrome," where we think that every new cybersecurity problem we encounter can only be addressed by the latest and greatest new tool. Of course, cybersecurity tools are great and are getting better all the time.

Sometimes, however, it's best to stick to the basics. Regardless of size, industry, budget or security challenge, organizations must have cybersecurity deeply ingrained into their day-to-day processes. Good cyber hygiene practices are absolutely essential and crucial to defending your information.

So, what constitutes good cyber hygiene?

  • Committing to a robust vulnerability patching process. Within 24 hours of identifying a vulnerability, all critical systems should be patched. Within 72 hours, all systems must be patched.
  • Compensating controls for unpatched systems are a must.
  • Automating detection, prevention and remediation is essential. Humans no longer can keep up with cyber risk and the relentless wave of incursion attempts—most of which are automated.
  • Adopting a Zero Trust security architecture, where every piece of network traffic is inspected before being granted access.
  • You must know when and where applications are being used, and who is using them. Suitable controls must be put in place to improve visibility and automated steps have to take immediate action when issues are identified.
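The patch deadlines in the list above translate directly into a check a security team can run against its own vulnerability data. The following is an added example, not code from the interview or from Palo Alto Networks: it classifies each finding against the 24-hour (critical system) and 72-hour (everything else) deadlines and records whether an unpatched, overdue finding at least has a compensating control. The host names, vulnerability labels, timestamps and the `critical_system` flag are constructed for illustration; in practice the flag would come from the asset inventory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Deadlines taken from the hygiene list above: critical systems patched within
# 24 hours of identifying a vulnerability, all other systems within 72 hours.
CRITICAL_SLA = timedelta(hours=24)
DEFAULT_SLA = timedelta(hours=72)


@dataclass
class Finding:
    host: str
    vuln: str                 # placeholder label, not a real advisory identifier
    critical_system: bool     # assumed to come from the asset inventory
    discovered: datetime      # when the scanner or feed first reported it
    patched: Optional[datetime] = None
    compensating_control: Optional[str] = None   # e.g. "IPS signature", "segment isolated"


def sla_for(finding: Finding) -> timedelta:
    return CRITICAL_SLA if finding.critical_system else DEFAULT_SLA


def deadline(finding: Finding) -> datetime:
    return finding.discovered + sla_for(finding)


def status(finding: Finding, now: datetime) -> str:
    """Classify one finding against its deadline as of `now`.

    ok         patched on or before the deadline
    late       patched, but after the deadline (keep for SLA reporting)
    open       unpatched, deadline still in the future
    mitigated  unpatched and overdue, but a compensating control is recorded
    breach     unpatched, overdue and no compensating control: the real exposure
    """
    due = deadline(finding)
    if finding.patched is not None:
        return "ok" if finding.patched <= due else "late"
    if now <= due:
        return "open"
    if finding.compensating_control:
        return "mitigated"
    return "breach"


def report(findings: List[Finding], now: datetime) -> Dict[str, List[str]]:
    """Group host:vuln pairs by status; a missing 'breach' key means no uncovered exposure."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(status(f, now), []).append(f"{f.host}:{f.vuln}")
    return grouped


# Constructed sample data for the example; every finding discovered at the same instant (UTC).
T0 = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)


def at_hours(h: int) -> datetime:
    """Wall-clock time h hours after discovery, used to evaluate the SLA."""
    return T0 + timedelta(hours=h)


SAMPLE = [
    Finding("db-prod-01", "vuln-a", True, T0, patched=at_hours(20)),
    Finding("db-prod-02", "vuln-a", True, T0, patched=at_hours(30)),
    Finding("web-03", "vuln-b", False, T0),
    Finding("legacy-hmi", "vuln-c", True, T0, compensating_control="network segment isolated"),
    Finding("kiosk-07", "vuln-b", False, T0),
]

if __name__ == "__main__":
    for hours in (48, 80):
        print(f"--- {hours}h after discovery")
        for state, items in report(SAMPLE, at_hours(hours)).items():
            print(f"{state:10s} {', '.join(items)}")
```

Run 48 hours after discovery, the two non-critical hosts are still "open" and the isolated HMI shows as "mitigated" rather than "breach"; run at 80 hours, both non-critical hosts cross the 72-hour line and become breaches. Keeping "late" separate from "ok" is what makes the 24/72-hour commitment measurable over time instead of a one-off snapshot.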

Q2. Palo Alto Networks has made several cloud acquisitions recently. What is the strategy behind these acquisitions? What can enterprise organizations expect from them over time?

With Prisma, Palo Alto Networks provides the most complete cloud security suite with a broad set of capabilities in all critical areas of cloud security. Both container and serverless security are emerging spaces, and the addition of Twistlock and PureSec to the Prisma suite will uniquely position Palo Alto Networks to secure today's modern applications throughout the entire life cycle, enabling organizations to deliver innovations that are secure, reliable and scalable.

The proposed acquisition of Twistlock, as well as the addition of PureSec, will further advance Palo Alto Networks' ability to offer the most complete and comprehensive cloud security suite in all critical areas of cloud security.

Q3. What is the one thing you are hoping customers will take away from Palo Alto Networks' presence at Black Hat USA 2019?

Security teams are suffering from information overload, which renders them inefficient at best and ineffective at worst.

Palo Alto Networks believes in an integrated approach as evidenced by our industry-leading network security platform, Prisma (the industry's most complete and comprehensive cloud security suite) and Cortex (the industry's only open and integrated AI-based continuous security platform). An integrated approach helps to reduce the complexity that security teams face: prevent what you can, detect what you don't know, investigate and respond with speed and automate what you have learned.

We hope that anyone who visits one of our booths at Black Hat (#814 or #1138) will walk away with a greater sense of what Palo Alto Networks is doing to achieve its vision of a world where each day is safer and more secure than the one before.

Carol Meyers


Q1. What are the main takeaways from Rapid7's recently released quarterly threat report? What, if anything, was surprising or unexpected in the data?

In our latest quarterly threat report, we took a closer look at threat events across a number of dimensions, including industry segments and organization size. Additionally, we took an expansive view of inbound activity across the entire internet, dove deeper into a number of common services across the internet, and aligned our findings to the MITRE ATT&CK framework, essentially combining data with a structure used to better understand attacker methods.

Through our analysis, we found that remote entry still remains a top threat, particularly among large organizations. Whether it's from attempted access from different countries, attempted access from purported third-party sources that your organization might have some sort of working relationship with, or any other variant that might suggest an attempted incursion from external origins, organizations of all sizes should be wary of the potential risks remote entry poses to a network.

Additionally, credential theft and replay continues to be a major issue for organizations. As 2018 proved to be the year of "Credentials Gone Wild", and a constant heartbeat of security news about ransomware hitting municipalities and SMBs, it was somewhat unnerving to see that attackers are still relying on credential replay as a primary tool in their arsenal. In fact, we found that credential replay was the number one threat event across all industries. The continued use of this technique is a sign that it continues to be effective, which also likely means that users are still abusing their credentials by consistently reusing them.
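Credential replay shows up in authentication logs in two recognizable shapes: one account succeeding from unrelated networks within a short window, and one source failing against many accounts before succeeding on one of them. The following is an added example, not Rapid7's code, data or report findings, that runs both checks over a handful of constructed log lines in an assumed `<timestamp> auth=ok|fail user=<account> src=<IPv4> svc=<service>` format; the window, the /24 grouping and the thresholds are choices made for the example, not values from the interview.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> auth=ok|fail user=<account> src=<IPv4> svc=<service>
LINE = re.compile(r"^(?P<ts>\S+)\s+auth=(?P<result>ok|fail)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")

# Constructed sample lines: alice's account is used from two unrelated networks
# four minutes apart; 192.0.2.10 fails against three accounts and then succeeds on a fourth.
SAMPLE_LOG = """\
2019-06-01T09:00:01Z auth=ok   user=alice src=203.0.113.5   svc=vpn
2019-06-01T09:04:30Z auth=ok   user=alice src=198.51.100.77 svc=vpn
2019-06-01T09:05:00Z auth=ok   user=bob   src=203.0.113.8   svc=vpn
2019-06-01T09:06:00Z auth=fail user=carol src=192.0.2.10    svc=owa
2019-06-01T09:06:05Z auth=fail user=dave  src=192.0.2.10    svc=owa
2019-06-01T09:06:09Z auth=fail user=erin  src=192.0.2.10    svc=owa
2019-06-01T09:06:15Z auth=ok   user=frank src=192.0.2.10    svc=owa
2019-06-01T11:00:00Z auth=ok   user=bob   src=203.0.113.9   svc=vpn
""".splitlines()

Event = Tuple[datetime, str, str, str, str]   # (timestamp, result, user, src, /24 network)


def parse(line: str) -> Optional[Event]:
    """Parse one log line; returns None for lines that do not match the assumed format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    src = str(ip_address(m["src"]))
    net = str(ip_network(f"{src}/24", strict=False))
    return ts, m["result"], m["user"], src, net


def replay_candidates(lines, window=timedelta(minutes=10), min_networks=2) -> Dict[str, List[str]]:
    """Accounts with successful logins from >= min_networks distinct /24s inside `window`.

    Two networks in ten minutes is a crude stand-in for impossible travel: it
    catches a stolen password used from attacker infrastructure while the real
    user is still logged in from the office or home.
    """
    ok_by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev[1] == "ok":
            ok_by_user[ev[2]].append((ev[0], ev[4]))
    hits: Dict[str, List[str]] = {}
    for user, events in ok_by_user.items():
        events.sort()
        for i, (ts, net) in enumerate(events):
            nets = {net}
            for later_ts, later_net in events[i + 1:]:
                if later_ts - ts > window:
                    break
                nets.add(later_net)
            if len(nets) >= min_networks:
                hits[user] = sorted(nets)
                break
    return hits


def spray_sources(lines, min_users=3) -> Dict[str, Dict[str, List[str]]]:
    """Sources that failed against >= min_users distinct accounts and succeeded on at least one.

    This is the credential-stuffing shape: leaked username/password pairs tried
    from one host until one of them still works because it was reused.
    """
    failed: Dict[str, set] = defaultdict(set)
    succeeded: Dict[str, set] = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        _ts, result, user, src, _net = ev
        (succeeded if result == "ok" else failed)[src].add(user)
    return {
        src: {"failed": sorted(users), "succeeded": sorted(succeeded[src])}
        for src, users in failed.items()
        if len(users) >= min_users and succeeded[src]
    }


if __name__ == "__main__":
    print("replay candidates:", replay_candidates(SAMPLE_LOG))
    print("spray sources:", spray_sources(SAMPLE_LOG))
```

Over the sample lines, `replay_candidates` flags only alice (bob's two logins are hours apart and from the same /24), and `spray_sources` flags 192.0.2.10 with the three accounts it failed against and the one it got into. Grouping by /24 rather than exact address keeps DHCP churn on one home or office network from producing false positives; a production version would swap the /24 heuristic for ASN or geolocation data and feed both results into the SIEM rather than printing them.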

Q2. What are some of the top requirements for a robust incident detection and response capability these days?

Security teams remain notoriously short-staffed and under-resourced. So a successful incident detection and response program today is both more robust and more optimized than ever before.

This is achieved through three key things:

  • Centralized data visibility across the modern network that's easily consumable across SecOps teams. In particular, visibility into user data and user activity that will help identify threats early in the attack chain, before things get critical.
  • A pragmatic approach to detection through benchmarking against a trusted framework like MITRE ATT&CK, paired with strong analytics and intelligence to drive these detections.
  • Automation to expedite incident response to extinguish threats as quickly as possible and minimize manual investigative work.

Q3. Rapid7 has a relatively wide range of products and services. What does the company plan on highlighting at Black Hat USA 2019?

We will highlight how visibility, analytics and automation across hybrid technology environments can radically improve security teams' productivity and ability to stay ahead of attackers. As organizations accelerate their adoption of cloud services, addressing misconfigurations and vulnerabilities has become increasingly more complex, making it more imperative than ever that Security, IT and DevOps teams work together. Hybrid environments can be difficult to navigate and most security teams are resource constrained and inundated with endless security alerts, making it near impossible to prioritize what's important and maintain productivity.

Our main focus at Black Hat this year will be helping attendees navigate these issues in their own hybrid technology environments. We'll be showcasing the capabilities of our Insight cloud, which provides visibility, analytics, and automation across these kinds of environments to help radically improve security teams' productivity and ability to stay ahead of attackers.
