Interviews | June 27, 2023

Social Media Networks Have Become a Breeding Ground for External Threats

IBM | Mimecast | NextDLP | Sophos | Splunk | ZeroFox

Charles Henderson
Global Managing Partner and Head of X-Force Consulting


Q1. IBM's annual X-Force Threat Intelligence Index showed the average time to complete a ransomware attack dropped from 2 months previously to less than 4 days. What are the implications for enterprise security defenders? How should they be adjusting their strategies to deal with the new reality?

The implications of the operationalization of ransomware and extortion groups are serious. It’s an issue that organizations all around the world, of all sizes struggle to deal with. At the end of the day, defenders have a difficult path ahead, but all hope is not lost. Organizations should continue to improve visibility around data sources that would indicate an attacker’s presence, regularly drill their incident response plans, and go on the offensive within their own environments to find actors earlier by performing intelligence-driven threat hunting.

Q2. What are some of the most common methods threat actors use to deploy backdoors on enterprise systems and networks? What gaps or weaknesses in security controls are they exploiting most often?

In 2022, phishing was the number one way by which threat actors gained access to organizations, with 41% of incidents involving phishing as a pathway in. Exploitation of vulnerabilities was in second place, at 26% of attacks. This year, we’re seeing a lot of attention around the exploitation of vulnerabilities, but we still encourage organizations not to lose sight of how effective and reliable phishing is for these ransomware & extortion threat actors.

Q3. How does IBM X-Force plan to leverage its presence at Black Hat USA 2023 to drive thought leadership and contribute to the broader security community? What can attendees expect to see and hear from your team at the event?

We’ve got some great plans for this year’s conference, including phenomenal talks by folks from our Adversary Simulation team that you absolutely will not want to miss. We’ll also be showcasing our expertise in the booth with some eye-opening demos and talks. Whether you need help securing your organization or simply want to learn more, our experts in offensive security, incident response, threat intelligence, and adversary simulation will be ready to help.

David Raissipour
Chief Technology & Product Officer


Q1. You recently wrote about the need for organizations to take a "team sport approach" to combatting the phishing threat. What would it take to implement such an approach, and what can top management/the board do to help support the effort?

Implementing a team sport approach against phishing threats requires a well-defined security architecture that drives universal alignment between people, products, and processes across an organization’s attack surface. Take the people element, for example. With companies increasingly adopting cloud-based hybrid work environments, threat actors are leveraging phishing and other forms of social engineering attacks to exploit vulnerabilities driven by human error.

A team sport approach helps alleviate human error by combining the powers of products and processes into a unified line of defense. It starts with products that are based on open and extensible platforms which share Threat Intel and Telemetry with other parts of your layered defenses. Leveraging AI-enabled automation tools (product) empowers understaffed IT teams to enhance the operational efficiency of their phishing defenses.

A robust user awareness training program (process) that is contextually aware and consumable empowers hybrid employees to identify malicious links and work protected. Compounded at scale, this universal alignment among people, products, and processes elevates the security posture of the entire organization.

From the leadership level, ensuring the organization has ample resources and budget allocations in place to defend itself is obviously a critical component to combat phishing.

But more importantly, security leaders and the Board can support a team sport approach by taking proactive steps to both articulate and understand the correlation between cyber risk and business risk. This generates a collective understanding of the threat landscape, which fosters a heightened sense of urgency at every level of the organization. As cyberattacks continually rise in volume and velocity, everyone must be pulling in the same direction.

Q2. What should security teams know about 'angler phishing'? Besides user awareness training what other measures can organizations take to protect against the threat?

Angler phishing is a relatively new form of social engineering that leverages social media to deceive users into providing personally identifiable information (PII) or sensitive credentials. Unlike traditional phishing attacks that are email-based, angler phishing encompasses fake social media profiles appearing legitimate in order to gain the trust of victims.

The rise of social media has enabled employees and consumers to engage with brands more directly – issuing public complaints and criticisms in the wake of mistreatment, poor customer service, or damaged goods. Anyone with a Twitter account has likely witnessed an angry airline passenger firing off a flurry of rage tweets after their flight got delayed for the second time that day. Considering public perception is critical to brand loyalty and in turn revenue, companies must urgently address and remediate complaints to display a sense of commitment to their customers. Opportunistic threat actors exploit these situations for angler phishing by spoofing company social media accounts to engage disgruntled employees and customers under the guise of a concerned HR representative or customer service specialist. Then, they trick them into clicking on a malicious malware link that infects their device or steals information.

User awareness training is the first line of defense, but you can also promote best practices like multi-factor authentication and installing anti-malware to add another layer of internal protection. In addition, organizations should be proactively and continually advising their social media audience to only engage with verifiable accounts for customer service complaints. Place a disclaimer in the bio of your account and send out push alerts notifying customers of potential threats. Communication is a key component to the equation.

Q3. How does Mimecast aim to showcase its expertise and solutions at Black Hat USA 2023? How can organizations benefit from Mimecast's participation in the event?

Black Hat USA 2023 is a unique opportunity for us to connect with customers, partners, and industry peers about evolving tactics, techniques, and procedures (TTPs) across the cyber threat landscape. Traditional email-based attacks like BEC and phishing are still widely leveraged by modern-day cybercriminals, but amid widespread shifts to cloud-based hybrid work, new collaboration tools like Microsoft Teams and Slack have emerged as highly dangerous threat vectors in single-platform security environments.

In fact, our company’s State of Email Security (SOES) 2023 report cites that 33 billion electronic records are expected to be stolen in 2023 alone, and cybercrime is expected to cost the world $8 trillion in that same time frame. This places organizations at a heightened degree of cyber and business risk, underscoring the need for more focused and comprehensive collaboration tool security approaches across the cybersecurity community.

At this year’s conference, we will be showcasing our latest product offering, Protection for Microsoft Teams, to extend the security protections we offer for email to this essential collaboration tool. Collaboration tools are a fertile breeding ground for cybercrime and pose a huge threat to organizations regardless of size or sector. From Fortune 500 global conglomerates to small businesses and school districts, the impact of collaboration tool attacks can extend well beyond temporary operational downtime or monetary losses.

We will also have lots of fun opportunities to network at our booth – be sure to swing by. Can’t wait to see you there!

Chris Denbigh-White
Chief Security Officer


Q1. How has the data protection challenge evolved for organizations in recent years? What are some of the biggest factors driving change on this front?

In recent years, the data protection challenge for organizations has undergone significant evolution, with a growing emphasis on addressing insider threats.

While the risk posed by external cybercriminals remains substantial, organizations are increasingly realizing that their own insiders can also compromise data security and privacy. Insider threats occur when individuals within an organization, such as employees, contractors, or partners, exploit their privileged access to compromise the integrity or confidentiality of data.

Research and real-world incidents have shed light on the risks associated with insiders who possess legitimate access to sensitive information. These insiders may intentionally abuse their privileges or unknowingly become unwitting conduits for data breaches, underscoring the need for robust data protection measures.

Organizations now understand that insider threats can arise from various sources, including disgruntled employees seeking retribution, financially motivated individuals, careless or negligent personnel, and even well-intentioned employees who inadvertently violate data protection policies. Consequently, organizations have begun implementing comprehensive strategies to detect, prevent, and respond to insider threats.

Moreover, regulatory requirements and compliance standards have contributed to the focus on insider threats. Data protection regulations like the GDPR and CCPA highlight the significance of safeguarding personal information against both external and internal risks. Organizations must demonstrate the implementation of appropriate measures to prevent unauthorized access, whether from external attackers or insiders.

To mitigate insider threats, organizations are adopting a range of measures. These include enforcing strict access controls and segregation of duties, conducting regular audits and monitoring of privileged activities, implementing employee awareness and training programs, and utilizing technologies such as user behavior analytics to identify suspicious behavior.

In conclusion, although external cybercriminals and insider threats are both relevant in the threat landscape, organizations are increasingly prioritizing the mitigation of insider threats. Acknowledging the risks posed by insiders with legitimate access, organizations are implementing comprehensive strategies, technologies, and policies to prevent and address insider threats. By doing so, organizations are now seeking to enhance their overall data protection efforts and effectively safeguard sensitive information from both external and internal vulnerabilities.

Q2. What emerging data protection trends or technologies should CSOs pay attention to? What advancements do you view as offering the best opportunities to bolster data protection?

CSOs should prioritize the adoption of technology that offers enhanced visibility while respecting privacy. Striking the right balance between data protection and privacy is crucial in today's digital landscape. Several advancements provide opportunities for organizations to bolster data protection while upholding privacy principles:

  • Endpoint Machine Learning: By leveraging machine learning algorithms directly on the endpoint devices, organizations can analyze data locally and extract insights without compromising privacy. This approach reduces the need for transmitting sensitive data to external servers, preserving privacy while gaining valuable insights.
  • Pseudo-Anonymization: Implementing techniques like pseudo-anonymization helps protect the privacy of individuals by replacing identifiable information with pseudonyms. This allows organizations to perform analytics and gain visibility into trends and patterns without directly identifying individuals.
  • Minimization of Data Collection: Organizations should adopt a "data minimization" approach, where in-depth investigations of user activity are conducted only when necessary and authorized. By analyzing only the required data, organizations can reduce the potential privacy risks associated with excessive data collection and storage.

CSOs should also place emphasis on partnering with vendors who can be agile, responsive, and grow alongside their evolving information security (InfoSec) needs. In today's rapidly changing threat landscape, organizations require vendor solutions that can adapt and scale to address emerging security challenges.

Q3. What specific insights, research, or expertise does your company plan to showcase at Black Hat USA 2023?

Legacy DLP is broken due to excess complexity, extended time to value, and misalignment with security and business goals. Next provides insider risk and data protection solutions for today’s distributed organizations with sensitive data that must educate employees, uncover risk, and fulfill security, privacy, and regulatory needs.

Next solves those challenges with:

  • A next gen agent with Machine Learning on the endpoint to categorize and protect data in real time and provide user education at the moment when data is at risk.
  • A cloud-native platform for rapid deployments, flexibility, and immediate visibility.
  • Expertise as an innovative data security partner that understands what it takes to be successful.

Recent innovations include:

  • Data Protection for Generative AI - The addition of ChatGPT policy templates allows security teams to understand the data risk from AI platforms and put controls in place if desired.
  • SIEM Streaming – A Splunk integration provides a simple way for insider risk and DLP activity to be pulled into Splunk and correlated with other cybersecurity data sets to improve incident response.
  • Scoped Investigations – Protects employee privacy by time bounding and restricting access to their activity data to only incident responders with an approved and legitimate need.
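The pseudo-anonymization point in the earlier list and the Scoped Investigations item above describe the same privacy pattern: analytics run over keyed pseudonyms, and re-identification happens only inside an approved, time-bounded scope. The following is an added illustration written for this page, not Next's code or API; the event records, the key, the directory and the approval fields are all constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample of endpoint activity records; identities are fictitious.
RAW_EVENTS = [
    {"ts": "2023-06-01T09:12:00+00:00", "user": "alice@example.test", "action": "upload", "bytes": 5_200_000},
    {"ts": "2023-06-01T09:40:00+00:00", "user": "bob@example.test", "action": "print", "bytes": 120_000},
    {"ts": "2023-06-01T23:05:00+00:00", "user": "alice@example.test", "action": "upload", "bytes": 900_000_000},
    {"ts": "2023-06-02T08:00:00+00:00", "user": "carol@example.test", "action": "upload", "bytes": 3_000_000},
]

# Assumed: a per-tenant secret held by the pseudonymisation service, not by analysts.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"


def pseudonym(identity: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 pseudonym. Deterministic, so one person is one token across
    records and trend analytics still work; without the key the token cannot be
    mapped back, whereas an unkeyed hash could be matched by hashing a user directory."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(events, key: bytes = PSEUDONYM_KEY):
    """Replace the identifying field before records reach the analytics tier."""
    return [dict(e, user=pseudonym(e["user"], key)) for e in events]


def upload_volume_by_token(events):
    """Analytics over pseudonymised records: bytes uploaded per token."""
    totals = {}
    for e in events:
        if e["action"] == "upload":
            totals[e["user"]] = totals.get(e["user"], 0) + e["bytes"]
    return totals


class ScopedInvestigation:
    """Re-identification limited to one token, one time window and one approved responder."""

    def __init__(self, token, start, end, approver, responder, key: bytes = PSEUDONYM_KEY):
        if not approver or approver == responder:
            raise ValueError("approval must come from someone other than the responder")
        if start >= end:
            raise ValueError("investigation window must be non-empty")
        self.token, self.start, self.end = token, start, end
        self.approver, self.responder, self._key = approver, responder, key

    def reidentify(self, event, directory, requester):
        """Return the identity behind event['user'], or None if it is not in the directory.
        Raises PermissionError whenever the request falls outside the approved scope."""
        if requester != self.responder:
            raise PermissionError("requester is not the approved responder")
        ts = datetime.fromisoformat(event["ts"])
        if not (self.start <= ts <= self.end):
            raise PermissionError("event is outside the approved time window")
        if event["user"] != self.token:
            raise PermissionError("event belongs to a token outside the investigation scope")
        # Reverse lookup: recompute the pseudonym for each known identity under the key.
        for identity in directory:
            if hmac.compare_digest(pseudonym(identity, self._key), self.token):
                return identity
        return None
```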

Joe Levy
President, Chief Technology Officer and Chief Product Officer


Q1. You were recently promoted to the role of President at Sophos. What are some of your immediate priorities in the new role?

For years, the industry has been asking the question “how is it that we can spend billions of dollars annually on cybersecurity technologies, yet continue to fall short of our goal of reducing risk and costly incidents?” If you allow that most leading endpoint, network, email, cloud, and identity security tools are generally within a few degrees of each other in terms of potential effectiveness over time, then it becomes clear that the main deficiency is not technological, but rather operational.

Detection and response technologies are essential complements to preventative technologies, but they tend to be more complicated to operate, whether because of the required skill set, or because of the 24x7x365 nature of effective security operations. But it’s not just a talent shortage, it’s also an attention shortage. Most competent and correctly configured technologies do a very good job blocking at least some stage of most attacks, but if there isn’t an operator paying attention to those detections, attackers will eventually figure out some path to success. Tools alone don’t get the job done, it requires the combination of effective, properly configured tools, and skilled and attentive operators at the console. My top priorities for Sophos are, therefore, as follows:

  • Shifting attitudes towards “shields up” approaches to operational security, where we don’t expect a tool to just keep us safe, but rather to buy us time (as they do) and provide utility for some combination of human and automated or adaptive responses.
  • Reorienting Sophos and the industry to a focus on security outcomes through competent and easy to understand Cybersecurity-as-a-Service offerings.
  • Specifically, optimizing our business to defend the “target rich, resource poor” mid-market, which tends to be greatly underserved relative to the large enterprise, and which also happens to make up vast parts of our critical infrastructure.
  • Delivering industry-leading products, threat intelligence, operational AI, and services to drive the achievement of these goals.

Q2. What are the key considerations for organizations when selecting an MDR provider? What questions should they be asking to ensure the chosen solution aligns with their specific risk tolerance and compliance requirements?

In order to get desired outcomes, organizations should be thinking about three key areas when selecting an MDR provider: Effectiveness, Responsiveness, and Investment Protection. The MDR provider’s tooling should be selected and configured to prevent as many threats as early as possible in order to reduce the overall cost of response. An MDR provider should also offer multiple levels of responsiveness, from notification all the way to full incident response. This enables collaboration flexibility for the customer. And an MDR provider should be able to meet you where you are, supporting multiple vendor solutions for endpoint, network, identity, email, and cloud, enabling an organization to leverage their existing investments in cybersecurity tools. Listen to MDR vendors to see if they are focused on your outcomes or their capabilities to get a gauge on how service-oriented they are, and ask them questions like:

  • What is the high-level scope of use cases and services?
  • How does the provider deploy and onboard clients? How does the provider obtain situational awareness of the environment quickly?
  • What telemetry / data sources beyond the endpoint are used by the MDR service to detect and investigate threats?
  • What types of response are provided as a component of the MDR service, and what is the limit of those response activities?
  • What actions are out of scope for the MDR service? For the actions that the MDR service will not take, will they provide prescriptive guidance and/or recommendations?
  • What communication mechanisms are available and permitted with the provider’s analysts (e.g., email, phone)? Are there limits to levels of communication/support?
  • Does the MDR service provide a dedicated analyst or team during an active incident?
  • What business risks and threats is the MDR service able to mitigate?

Q3. What specific activities or presentations is your company planning to showcase at the upcoming Black Hat USA 2023 conference? Are there any particular initiatives or events that attendees should look forward to?

Sophos is thrilled to be a Diamond Sponsor at this year’s Black Hat USA. We have a presentation in the conference track, we are sponsoring the CISO Summit Breakfast, and we are hosting an evening event at The Shark Reef. Stop by Booth 3466 to participate in a Red Team/Blue Team interactive experience, see our Adaptive Cybersecurity Ecosystem in action, and get your limited edition custom screen-printed shirt.

Ryan Kovar
Distinguished Security Strategist and leader of SURGe


Q1. What are some emerging trends and strategies in cyber threat hunting that organizations should be aware of?

We’ve seen an increase in interest in threat hunting over the last several years. Much of this is related to an increase in knowledge and visibility into cyberthreats; after all, you can often read about security breaches and attacks in mainstream news outlets. As these attacks increase, so does public awareness and a demand for threat hunting.

This is a continuously evolving space, so organizations should be aware of the various threat hunting frameworks and their adaptability. For example, my colleague David Bianco and the Splunk SURGe team recently developed the PEAK threat hunting framework, which is designed to adapt and thrive in today's dynamic cybersecurity landscape. PEAK, an acronym for "Prepare, Execute, and Act with Knowledge," not only incorporates Hypothesis-Driven and Baseline hunts, it also includes Model-Assisted Threat hunts (M-ATH).

I anticipate that we'll have more threat hunters and frameworks utilize M-ATH and machine learning in the future. This type of framework can combine the best of human intuition and practical machine learning to create a formidable threat detection methodology.

Q2. In the context of cyber threat hunting, what are some of the opportunities, and also the challenges, with AI and ML approaches?

The power of AI is becoming increasingly important given the growing complexity and distribution of tech infrastructure, the evolving and increasingly sophisticated threat landscape, the growing importance of digital systems for every organization, and ongoing talent shortages.

Ultimately, we need to recognize that AI, generative AI in particular, cannot and should not be used to replace human security professionals. AI is great at augmenting, automating, and scaling existing capabilities, but it can’t create entirely novel techniques. If we approach AI as an augmentation to our current security practices, more positive opportunities will arise.

In the context of threat hunting, M-ATH hunts use machine learning (ML) techniques to create models of known good or known malicious behavior and look for activity that deviates from or aligns with these models. Think of this as almost like a hybrid of the hypothesis-driven and baseline types, but with substantial automation from the ML.

Q3. Can you share some insights into your company's participation at Black Hat USA 2023? What are your main objectives? How do you plan to engage with attendees to showcase your technologies and expertise in your domain?

The primary ways that Splunk interacts with attendees are via our booth, 1-1 meetings, and special livecasting events like Coffee Talk with SURGe at Black Hat. Splunk sends our best and brightest cybersecurity experts to be available to our customers but also to learn from the sessions and events that surround them.

James C. Foster
Chief Executive Officer


Q1. How will customers benefit from ZeroFox's recent purchase of LookingGlass? What drove the acquisition decision?

LookingGlass is the industry leader in the External Attack Surface Management and Threat Intelligence space. They are also a longstanding partner of ZeroFox. The acquisition was a natural fit for ZeroFox, as LookingGlass’s intelligence and attack surface management capabilities serve as cohesive modules to ZeroFox’s leading external cybersecurity platform. Together, our combined platform will increase visibility across the external attack surface, providing proactive intelligence and protection to organizations across the public sector, financial services, retail, media and more.

Q2. What are some of the key social media trends—like deepfake technology and influencer fraud—that technology executives should be monitoring closely? How should they be preparing for those threats?

Social media networks are a rapidly evolving threat landscape and can serve as a breeding ground for external threats - from impersonations to account takeovers to social engineering attacks. By nature, social networks offer the ability to reach a wide audience at little to no cost, and threat actors are taking advantage of that. In the past year, we’ve also observed significant changes in the social media market, with changes in leadership and the rise of foreign national-owned or influenced platforms. With those changes, ZeroFox has observed an increase in threats targeting businesses and high-profile individuals on those platforms as well as increased sophistication of those threats. Deepfake technology is a good example of this. What once may have appeared as a harmless duped video has been leveraged to spread mis- and disinformation, and the expansion of generative AI will only make these technologies more accessible and easy to use.

What we have found is that threat actors' end goals have not changed: they want access to your information, your people, your reputation, and your revenue. And in a lot of ways their methods haven’t changed; phishing and social engineering continue to run rampant on social media and across digital platforms. But these methods have become more sophisticated over time and will continue to evolve. Security teams need to treat social media platforms the same way they do other platforms leveraged by threat actors to plan and conduct attacks. Harden your defenses, ensure your accounts are secured with multi-factor authentication, and continuously monitor social channels for malicious content or impersonating accounts leveraging your brand and/or executives’ likeness.

Q3. How does ZeroFox plan to leverage its participation at Black Hat USA 2023 to build relationships with industry peers, partners, and potential customers? Can you elaborate on any networking events, workshops, or interactive experiences that ZeroFox has planned for the event?

We can’t wait to be back at Black Hat this year. The value of being physically present, directly interacting with our community and customers, cannot be understated. We’ve expanded our booth presence and are offering multiple ways to engage on and off the show floor. Stop by Booth #1950 for a demo of the ZeroFox Platform, including new generative AI capabilities, expanded executive protection solutions, and much more. We’re excited to meet customers and partners face-to-face, whether at our booth or in our meeting lounge space at the Rivea.

And of course, any show in Vegas can’t be all work and no play so ZeroFox has exciting activities planned beyond the show floor perimeter. As we have done for the past several years, ZeroFox hosts the largest party - Level Up - at the Skyfall Lounge on Wednesday, August 9th. It’s retro arcade themed and offers the chance for attendees to network and have some fun playing throwback video games. You can register for the party here. We encourage attendees to stop by booth #1950 to learn more about the ZeroFox External Cybersecurity Platform, grab an iconic ZeroFox t-shirt and to join us for the Level Up party. We’re looking forward to spending time with the security community at Black Hat USA 2023.
