Interviews | June 27, 2022

Cybersecurity is a Data Analytics Game

Cybereason | Darktrace | ExtraHop | Invicti | Rezilion

Yonatan Striem-Amit
CTO and Co-founder


Q1. What specific business issue is Cybereason DFIR designed to help organizations address? What's driving the need for these capabilities?

DFIR (Digital forensics and incident response) is a critical subfield of the overall security industry. As a practice, it is notoriously tedious and involves deep dive analysis into obscure artifacts and traces of attackers. Due to the global cybersecurity talent shortage, there aren’t enough Level 3 investigators to fill all the open roles. Cybereason recently introduced a novel architecture called ‘Forensics as Code’ to automate critical aspects of DFIR investigations.

Organizations will always need a person behind the keyboard to make decisions but automating mundane and repetitive tasks provides a great productivity boost to investigators, allowing them to focus on other projects or get through more of the security workload. Cybereason DFIR feeds a treasure trove of forensic data into the industry’s leading data analytics platform: the MalOp Detection Engine, which makes sense of the complex data relationships across users and endpoints. This helps Defenders better detect threats, understand patient zero and the chains of behaviors that took place after infiltration, and then shore up gaps so that vulnerable threat vectors can’t be exploited again.

Q2. What role do you expect machine learning and big data analytics will have in the enterprise SOC five years from now? In what cybersecurity areas do you foresee these technologies having the most impact?

Security is a data analytics game, and that is our primary strength and differentiator as a company. It’s even in our name - Cybereason. It’s what we do: make sense of complex data relationships. This is critical because the volume of data that needs to be analyzed vastly outstrips the number of professionals available to crunch it. Teams are generally small and under-resourced, and they have not been able to keep pace with the exponential growth in the attack surface driven by trends like WFH, BYOD, cloud computing, and the internet of things. Machine learning (ML) and data analytics are the only way to overcome the current gap: we need the machines to do more work due to the ongoing talent shortage.

Cybereason already excels at this, but in the industry, ML models will become more accurate over the coming years and should help solve the productivity issues in the SOC. The Cybereason approach is differentiated in the industry because it relies on an operation-centric, rather than alert-centric, approach. Most vendors alert individually for every suspicion or behavior, but most attacks involve multiple users, stages, and endpoints, and Cybereason is uniquely able to stitch those different components into a single operation (the MalOp) to consolidate alerts and help defenders work more efficiently and effectively.

Q3. What do you want customers at Black Hat USA 2022 to know about Cybereason and its strategy over the near term?

The two biggest market drivers we are seeing are consolidation and simplification. CISOs want to manage fewer products across an already-complicated stack, and they need those products to have a higher impact on enterprise security. When it comes to simplification, the challenge is that today’s threat detection and response products can be overly complex and often come with a challenging ramp-up period for junior analysts. CISOs want an easy button. Cybereason develops solutions with these requirements in mind.

On the consolidation front, our platform is delivered through a single sensor and console, and we are expanding platform coverage and extensibility with every release. XDR is a key investment area, and with our Google Cloud partnership, we can offer effective prevention, operation-centric detection, and guided remediation across the breadth of the enterprise. In addition, the Cybereason Defense Platform integrates with Office 365, Google Workspace, and Identity solutions. On the simplification front, we consolidate alerts into a singular view of any malicious operation and guide analysts with pre-populated and tailored response playbooks. Cybereason provides effective risk reduction solutions that support the business and cyber resiliency outcomes that CISOs are under pressure to achieve. We will continue to democratize powerful security workflows for Defenders worldwide.

Max Heinemeyer
VP of Cyber Innovation


Q1. How exactly will Darktrace’s recent integrations with Zscaler, Okta, and Duo Security help enterprise organizations? What issue is it that the integrations are designed to address?

While there is some debate about the strict definition of Zero Trust, at its core, the concept is both a practical methodology and a mindset for organizations; it is a fundamental part of modern security strategies. Zero Trust architectures often involve micro-segmentation, asset discovery, data classification, and granular role-based access controls.

This process begins with ensuring complete visibility into all users, data, and devices within the environment, often by investing in security tools capable of continuous monitoring across the complex digital infrastructure that can help validate and inform zero-trust policies. This total visibility is a fundamental capability that Darktrace offers. By building an understanding of “self” for an organization, Darktrace can identify when something out-of-the-ordinary occurs and autonomously respond to prevent attack escalation, data exfiltration, and more.

Darktrace’s zero-trust integrations add value for Darktrace customers and customers of our partners, including Zscaler, Okta, and Duo Security. These API integrations allow organizations to accelerate their adoption of zero trust architecture and identity management services by feeding data into Darktrace’s Self-Learning AI engine to identify and neutralize anomalous behaviors. Darktrace brings visibility into all coverage areas of a modern organization, from the cloud to endpoint, to SaaS and operational technology.

In addition to this visibility, organizations must shift their mindsets away from inherently trusting users. Instead, organizations must accept that every new user brings an additional element of risk and fold this risk into overarching business strategy. These strategies could include creating new policies to limit individual access to only what is required for employees to complete their unique job responsibilities.

By its very definition, Darktrace is Zero Trust in nature; it does not assume trust for anything; rather, it builds a bespoke profile for each organization and detects what does not fit without pre-defined rules, expectations, or trust. For example, Darktrace can detect if an employee is downloading files that they usually wouldn’t or if their devices are communicating with a device operated by a malicious party.

Q2. Why should organizations not delay any longer in embracing Zero Trust as a fundamental part of their security strategy? What’s driving the need for it?

Adopting zero-trust architecture can be an extensive iterative process that requires constant reevaluation and adjustments to an organization’s bespoke digital environment. However, businesses can shift their mentality toward zero-trust initiatives almost immediately.

The shift also requires cybersecurity leadership to assume that a breach has or will occur within their environment, prioritize and patch existing vulnerabilities, and consistently evaluate and update their security postures to avoid coming threats.

The global threat landscape is becoming increasingly complex. While cyber defenses have progressed leaps and bounds over the last decade, unfortunately, so too have threat actors and attack methods. At RSA Conference and Gartner’s Security and Risk Management Summit earlier this year, much of the conversation focused on how attacks are becoming quicker, more dynamic, and harder to predict.

Regardless of size or industry, every company faces more known unknown attacks. Instead of trying to keep threat actors out of your organization’s infrastructure, business leaders should prioritize business resilience practices that consider cyber risk and incorporate technologies that contain a level of automation to stop attacks in their tracks - before they can disrupt operations and cause significant damage. To combat more sophisticated and machine-speed attacks, human defenders must embrace Zero Trust as one pillar of their cybersecurity programs, focused on cyber hygiene, minimizing risk, and augmenting human teams with artificial intelligence (AI).

The mass amounts of data and IT are too complex for humans to handle alone. Even the biggest companies with the most advanced technical and human resources still get breached. Cybersecurity is no longer a human-scale problem. AI is a fundamental tool to lower the barrier of entry for cyber defense, democratizing security and making it more accessible for companies. Security teams must rely on advanced cybersecurity tools like AI to instantly identify anomalous behavior indicative of cyber-threats across all these ecosystems and halt it before it evolves into full-scale attacks.

Q3. What can customers expect to see and hear from Darktrace at Black Hat USA 2022?

Powered by Self-Learning AI, Darktrace’s new product family, “PREVENT,” delivers total visibility into digital assets, eliminates blind spots, identifies areas of vulnerability, and continuously hardens defenses to minimize cyber risk for organizations. This end-to-end solution provides continuous AI-driven insights, testing critical attack pathways and shoring up defenses to prevent attackers from reaching an organization’s most vital systems and data, or “crown jewels.”

PREVENT identifies and fortifies areas of high risk both internally and externally, making it possible to anticipate and avert attacks. PREVENT enables CISOs to prioritize vulnerabilities and strengthen defenses autonomously by feeding into Darktrace’s existing DETECT and RESPOND product families. This proactive approach to cybersecurity finally gives the upper hand to defenders over malicious actors.

As digital transformation leads to more complex, hybrid IT infrastructures with assets increasingly hosted by cloud providers and organizations more reliant on third-party vendors in the post-COVID era, attack surface management has become more challenging. Red team security testing is typically conducted by a highly skilled, small group of individuals to simulate cyber-attacks. It’s a costly process, limited in scope, and typically conducted twice annually with imperfect results. In the case of penetration testing, it often leaves security teams with a mountain of information to work through.

Darktrace PREVENT for Attack Surface Management (PREVENT/ASM) continuously monitors an organization’s external attack surface, assessing all assets for high-impact vulnerabilities and external threats. Understanding ASM can help organizations avoid these threats and proactively manage risk.

PREVENT is a core component of Darktrace’s Cyber AI ‘Loop’, which orchestrates dynamically related capabilities that function continuously by preventing, detecting, responding, and healing from cyber disruption. HEAL is the final component of the Darktrace vision, creating a system that can leverage learnings from across the other product families to return your organization to a normal state after an attack.

Jeff Costlow


Q1. ExtraHop recently offered a complimentary Shields Up assessment service for qualified organizations to help them defend against potential cyberattacks related to the conflict in Ukraine. What do organizations generally need to understand about their exposure to spillover attacks/threats related to such geopolitical events? How should they be preparing for such attacks?

The Russian invasion of Ukraine has put the world on high alert for retaliatory cyberattacks. We’ve seen both noisy DDoS attacks and more targeted attempts, and I can only assume that nation state actors will continue to take advantage of the situation.

Now is the time for enterprises to focus on their incident response plans. Teams should take a blue-sky day and run through a practice scenario, engaging with trusted partners and advisors to shore up any holes.

I would also guide organizations to heed the advice shared by CISA and other similar organizations and take actions to reduce the likelihood of a threat and impact, including disabling all ports and protocols that are not essential, identifying and assessing unusual network behavior, implementing strong cloud visibility and controls, and updating software, prioritizing those that address known exploited vulnerabilities. We know that cybercriminals continue to scan for devices vulnerable to Log4j, for example, at a high level. Security teams should focus on shoring up their defenses and creating a plan for when the inevitable breach occurs.

Q2. A recent ExtraHop survey showed that outdated protocols are rampant within many organizations. Why might that be the case and what challenges does it raise for IT security organizations?

Many commonly used protocols were developed decades ago, long before programmers had to worry about ransomware or other modern forms of cyberattacks. As a result, these protocols fail to provide the security controls that more recently developed protocols do. Yet the use of outdated protocols is still rampant even within sophisticated organizations. A recent ExtraHop survey revealed that 64% of organizations admit that half (or more) of their cybersecurity incidents are the result of their own outdated IT security postures while 68% are still running SMBv1, the protocol exploited in major attacks like WannaCry and NotPetya. At the same time, adversaries are actively avoiding detection with the use of increasingly sophisticated attack tactics, including hiding within encrypted protocols, to mask the exploitation of known but unpatched vulnerabilities.

There are a few factors that contribute to the reluctance or inability to stop the use of outdated protocols, ranging from costs and resources to the use of legacy systems that don’t support updated protocols and a lack of appetite and support for potential business disruption.

I caution organizations with the sobering fact that adversaries only have to gain access to one device. If your organization still has a business need for using outdated protocols, please have a tool and plan for monitoring the resources’ activity.

Q3. What does ExtraHop have scheduled for Black Hat USA 2022? What does the company plan on highlighting at the event?

The security industry is still defending for if and neglecting when. 75% of security budgets are spent on preventing intrusion—and we’re losing the battle. We think it's time for a new approach.

The driving force of our presence at Black Hat is our mission of helping enterprises take back the cyber advantage to achieve their own missions. When enterprises are caught between the drive for digital transformation and the need to reduce digital risk, they are slowed down and customer experience often suffers as a result. We’re excited to educate security leaders and practitioners about attackers’ techniques, including the evasion of fundamental security tooling like logs and agents, the use of encryption to hide malicious traffic, and the increased manipulation of third parties to piggyback into the network. Stop by booth 1540 to learn more.

Sonali Shah
Chief Product Officer


Q1. What are some of the biggest challenges organizations face currently when it comes to tracking, scanning, and securing open-source components within their applications? How should they be addressing these challenges?

Perhaps one of the most common urban myths about open-source code is that it’s more secure because it has more eyes on it from the vast developer community. Unfortunately, that’s not the case, and in reality, nobody takes responsibility for those security measures at all. It’s a widespread problem with compounding risk – according to a study by the Open Source Initiative and Perforce Software, 77% of organizations increased their use of open-source software in 2021. That lingering risk is not only dangerous to sensitive data, but also makes it trickier to respond to new threats and scale security efforts as business grows.

Without anyone truly owning the security of that code and without proper measures in place for consistent scanning, in-house teams suffer the brunt of the pressure when it comes to open-source threats. But there’s good news: organizations can take steps to improve the security posture of their applications while still using open-source software to speed up software delivery. Tools like Software Composition Analysis (SCA) eliminate the mystery and act as the myth buster, revealing those unseen risks in third-party code and guiding remediation efforts.

Organizations can also automate the creation of a software bill of materials (SBOM) for each application as a step toward securing their software supply chain. SBOMs can help get a handle on security posture while uncovering components that might have otherwise been missed, minimizing risk that comes from using open-source software with known vulnerabilities. With an SBOM for each application and consistent scanning with SCA, it’s much easier to identify and remediate problems quickly and effectively.

Q2. What were some of the biggest takeaways for security and development teams from Invicti’s recent study on the state of the DevSecOps professional? What, if anything, was surprising or unexpected in the data?

We partnered with Wakefield Research to survey 500 DevSecOps professionals and discovered some alarming trends in the work/life balance for those on the frontlines of secure development. The biggest takeaway: DevSecOps teams are feeling ongoing stress and they’re bringing it home with them. Often, they’re spending unnecessary hours addressing security issues that should have been identified and fixed earlier in the development process.

Most surprising was the amount of time DevSecOps professionals dedicate to security problems when they should instead be focusing their energy on building innovative applications that drive forward business objectives. Of note, 41% of cybersecurity professionals say they spend more than five hours addressing security issues every day – most of which could’ve been prevented with automated security testing tools. Additionally, half of respondents to our survey said they’ve logged in over the weekend or during personal time to manage a security issue, adding unnecessary anxiety and stress to their jobs.

These problems have only worsened because of the IT talent shortage and the “great resignation” we’ve seen in tech, with issues of vulnerability-related anxiety and overworked teams contributing to unhealthy balances between work and home life. In all, we discovered that 1 in 3 leaders in development and security have had to work on cybersecurity issues while with family or during a holiday meal. These men and women are often the “unsung heroes” of cybersecurity, with more than half noting that they’ve fixed a potentially disastrous cybersecurity problem on their own without anyone knowing about it. If your organization deals in sensitive data and cares about customer confidence, that’s an alarming and critical trend to take seriously.

Q3. Why is it important for Invicti to be at Black Hat USA 2022? If there’s one thing you would like customers to take away from Invicti’s presence at the show, what would that be?

For those keeping a pulse on the application security industry, there’s never been a more exciting (nor more critical) time for Invicti. Last year alone the cost of a single data breach jumped from $3.86 million to $4.24 million, according to IBM’s Data Breach Report 2021. Overall there was a 10% increase in the total cost of a data breach between 2020 and 2021, with healthcare, financial, pharmaceutical, and tech leading the charge for industries running up tabs on data breaches.

Clearly, the bad guys aren’t slowing down, but neither are we: Invicti was positioned as a Challenger in the 2022 Gartner Magic Quadrant for Application Security Test (AST). Over 3,500 customers worldwide trust us to help them cover their many thousands of applications and APIs at scale. Our combined dynamic application security testing (DAST), interactive application security testing (IAST) and software composition analysis (SCA) scanning technology means we offer more comprehensive results at enterprise scale. Invicti ensures that every corner of the application is tested and provides contextualized scan results in a single report so that customers have a unified view of their application security risk posture.

Pair all that risk-reducing goodness with our automation capabilities (50+ integrations), industry-leading accuracy (99.98% accuracy for direct-impact vulnerabilities) and scan speed, and it’s no surprise that we’re making waves as a Challenger in the industry.

We continue to add depth of experience to our global team, too, with the recent addition of Gerhard Watzinger – who serves on Crowdstrike’s board – as Chairman of the Board at Invicti. It’s an exciting and important time for us as we grow quickly, expand our team, and help our customers continue to secure their threat landscapes so they can refocus their energy on innovation.

Liran Tancman


Q1. What exactly is dynamic SBOM and why do organizations need it? What's driving the need for it?

A software bill of materials (SBOM) is essentially an inventory of all of the software in your environment. Organizations are increasingly looking to SBOMs because of the spotlight on the software supply chain, which we now know can be exploited, like in the SolarWinds attack. Last year the U.S. Cybersecurity & Infrastructure Security Agency (CISA) mandated SBOMs must be maintained by any organization that wants to work with the federal government.

But regular, static SBOMs, which are what most security tools provide today, aren't enough. They are limited in terms of the scope of what they can see, and are often only available in specific parts of the software stack. A Dynamic SBOM is updated in real-time and reveals whether and how software components are being executed in runtime, providing organizations with the ability to understand where vulnerabilities exist. A Dynamic SBOM can also tell security leaders whether a particular software flaw could be exploited by bad actors.

Open-source code dominates today’s software landscape, and change is a constant. With every change in code, developers can inadvertently introduce new vulnerabilities. In some cases, cyber criminals can exploit these if they are not identified and fixed quickly. That’s where having a dynamic SBOM can be helpful.

Rezilion is aiming to provide a blueprint for others in the industry to follow that acknowledges the variable and constantly changing nature of software; one that creates an easily accessible path for developers, product security and software supply chain leaders to offer secure software to customers on a regular basis.
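The dynamic-SBOM idea in the answer above (knowing which vulnerable components actually execute at runtime), as an added example that is not Rezilion's code or the page's own: a static CycloneDX-style SBOM is matched against loader log lines, and advisories are split by whether the affected component was observed loading. The component names, advisory ids, log format and purls are all constructed for illustration.

```python
"""Toy 'dynamic SBOM' triage (added example, all data constructed).

A static SBOM lists every component shipped; runtime load observations tell us
which components the process actually executed. Advisories against components
that never load are deprioritized; those against loaded components go first.
"""
import json
import re
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment (not a real project's SBOM).
STATIC_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/com.example/example-logging@2.14.1"},
    {"name": "example-parser", "version": "1.2.0",
     "purl": "pkg:maven/com.example/example-parser@1.2.0"},
    {"name": "example-imaging", "version": "0.9.3",
     "purl": "pkg:maven/com.example/example-imaging@0.9.3"}
  ]
}
"""

# Constructed advisory feed keyed by purl; ids are placeholders, not real CVEs.
ADVISORIES = {
    "pkg:maven/com.example/example-logging@2.14.1": ["ADV-PLACEHOLDER-0001"],
    "pkg:maven/com.example/example-imaging@0.9.3": ["ADV-PLACEHOLDER-0002",
                                                     "ADV-PLACEHOLDER-0003"],
}

# Constructed runtime loader log: one line per library the process mapped.
# example-imaging ships in the SBOM but is never loaded; example-crypto loads
# but is missing from the SBOM (an inventory gap).
RUNTIME_LOG = """\
2022-06-27T10:00:01Z pid=4120 event=load path=/opt/app/lib/example-logging-2.14.1.jar
2022-06-27T10:00:01Z pid=4120 event=load path=/opt/app/lib/example-parser-1.2.0.jar
2022-06-27T10:00:02Z pid=4120 event=load path=/opt/app/lib/example-parser-1.2.0.jar
2022-06-27T10:00:05Z pid=4120 event=load path=/opt/app/lib/example-crypto-3.0.0.jar
"""

# <name>-<version>.jar at the end of the loaded path; name is matched lazily so
# the version must begin with a digit.
LOAD_RE = re.compile(
    r"event=load path=\S*/(?P<name>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.]*)\.jar$")


def parse_sbom(text):
    """Return {(name, version): purl} from a CycloneDX-style JSON document."""
    doc = json.loads(text)
    return {(c["name"], c["version"]): c["purl"] for c in doc["components"]}


def parse_runtime_loads(log_text):
    """Return the set of (name, version) pairs observed being loaded."""
    loaded = set()
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if m:
            loaded.add((m.group("name"), m.group("version")))
    return loaded


def triage(sbom, loaded, advisories):
    """Split advisories by whether the affected component actually executed.

    Returns {"loaded": {purl: [adv]}, "not_loaded": {purl: [adv]},
             "unmatched_loads": [(name, version)]} where unmatched_loads are
    libraries seen loading that the SBOM does not know about.
    """
    buckets = {"loaded": defaultdict(list), "not_loaded": defaultdict(list)}
    for key, purl in sbom.items():
        bucket = "loaded" if key in loaded else "not_loaded"
        for adv in advisories.get(purl, []):
            buckets[bucket][purl].append(adv)
    result = {k: dict(v) for k, v in buckets.items()}
    result["unmatched_loads"] = sorted(loaded - set(sbom))
    return result


if __name__ == "__main__":
    report = triage(parse_sbom(STATIC_SBOM_JSON),
                    parse_runtime_loads(RUNTIME_LOG), ADVISORIES)
    print(json.dumps(report, indent=2, default=list))
```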

Q2. How will Rezilion’s recent integration with GitLab benefit customers? What issue will it help them address?

We are very excited about this integration because using Rezilion in GitLab CI gives customers the ability to instantly know what’s vulnerable, what’s actually exploitable, and where to fix first to eliminate risk fast and get back to building. The issue this helps address is the inherent tension between security and developers. That's because developers want to innovate and ship code fast, but security obviously needs that code to be secure. This means when security uncovers flaws in code, they have to send it back to dev to patch, which slows down the process.

Through this integration, software developers can now deliver secure code faster and filter out unexploitable vulnerabilities to eliminate the inaccuracies and re-work that complicate the software security process and delay releases. Security analysts also benefit as they can easily identify all of their software components, their associated vulnerabilities, and their real-time behaviors, to manage the risks that matter.

Simply put, it’s about giving people time back. Customers can expect to resolve actual risk six times faster instead of wasting time on un-exploitable vulnerabilities. They can use Rezilion’s runtime intelligence to validate vulnerabilities early in the build process within the GitLab UI, where non-exploitable vulnerabilities are marked as “false positives.” This can reduce patching work. In fact, our research shows we can reduce patching efforts by up to 85%.

Q3. What do you expect organizations will want to hear from Rezilion at Black Hat USA 2022? What is your main messaging at the event?

Several high-profile software supply chain attacks, such as SolarWinds and Kaseya, and the recently discovered flaw in Apache’s Log4j software, show us how complex and difficult it is to find and resolve threats associated with the vast amount of software we use today. It takes a lot of time from developers, security, and IT to find and then patch these vulnerabilities. In fact, in the instance of Log4j, it is so difficult to detect that many scanners may not even find it.

Our message here is that we want to help you with the massive burden that is vulnerability management. In fact, we believe the industry has vulnerability management all wrong, and there is a better way forward. We are here to help security and dev teams uncover vulnerabilities quicker, and make them go away fast and seamlessly so there is no time for exploitation, and teams can get back to building and other mission critical work that helps drive business forward.
