Interviews | June 30, 2017

Black Hat USA Sponsor Interviews: Aruba, a Hewlett Packard Enterprise company, RSA, Skyport Systems, TrapX Security, and WhiteHat Security

Larry Lunetta

Larry Lunetta
Vice President Solutions Marketing
Aruba, a Hewlett Packard Enterprise company


Q: What are the security challenges posed by mobile and the IoT and how are Aruba's products positioned to help enterprises address these challenges?

It wasn't that long ago that enterprise security teams could see the perimeter they were protecting and work with the IT operations team to control the stack of resources that their employees could access and use—from networks to systems to applications.

Needless to say mobile, BYOD, virtualization, cloud and the emergence of things coming from Operations Technology have rendered that worldview obsolete. In this era of IT disaggregation, security strategies have struggled to keep up. Clearly a new approach is required.

For over 15 years Aruba has been at the forefront of delivering high performance, highly reliable and secure wired and wireless network infrastructure - from access points to core switches. As a security provider, Aruba has consistently introduced groundbreaking innovations in the areas of encryption, physical hardening, remote access, etc. to ensure that user, system and device traffic can be trusted. Chief Information Security Officers around the world have come to rely on the security "head start" that Aruba protected infrastructure provides. But IT disaggregation means organizations cannot stop with a secure networking foundation. Aruba also provides visibility and control. With the ClearPass Network Access Control family of products the enterprise knows what is on its network and what each device is authorized to do. ClearPass allows the enterprise to cover the entire set of access control use cases from wired to wireless, guest, BYOD onboarding and policy-based remediation and response.

Going a step further, in February 2017 Aruba added machine learning-based attack detection capabilities by acquiring Niara, now part of the Aruba security family under the name of IntroSpect. With IntroSpect's attack detection, combined with ClearPass' ability to take a range of either manual or automated actions in response to an attack, Aruba now delivers 360 degree, closed loop protection.

Q: How does HPE's recent acquisition of Niara benefit customers? How does Niara's technologies build upon or complement Aruba's core capabilities?

Let's use an example to illustrate the power of adding Niara, now called IntroSpect, to the Aruba security ecosystem.

Like most targeted and highly damaging attacks, WannaCry was not a single event. The initial infected system is simply the on-ramp to the real goal of compromising a large number of victims, especially business-critical file shares, applications and databases. IntroSpect's User and Entity Behavior Analytics (UEBA) solution monitors and profiles the "normal" baseline behavior of each entity inside the enterprise, and automatically detects anomalies using a combination of supervised and unsupervised ML algorithms.

For example, after a machine is compromised by something like WannaCry, it will communicate with the attacker via a command & control channel. To evade traditional IOC blacklist-based detection, WannaCry is observed to use a Domain Generation Algorithm (DGA) technique—which IntroSpect detects with laser-focused supervised machine learning models.

In addition, we've successfully detected multiple behavior anomalies from WannaCry compromised machine [such as] connections to excessive internal hosts, usage of a new port accessing new hosts, and attempts to access restricted network zones such as locations that contain patient health care records.

Detecting the presence of Ransomware is only the first step in a successful defense.

The infected system must be taken off the network before the malware finds another foothold in the network. IntroSpect is integrated with ClearPass Policy Manager and when a compromised system is detected, it sends an alert to ClearPass. ClearPass knows what and who is on the network and its policy engine can be programmed to respond to IntroSpect's "suspected Ransomware" alert by immediately taking the infected system off the network.

Q: What is Aruba's messaging going to be at Back Hat USA 2017 and why?

The key themes are Innovate and Educate. We see Black Hat 2017 as a great opportunity to educate the security community about not only the broadening portfolio of leading edge Aruba security solutions, but also to help security practitioners better understand some of the ground-breaking technologies that Aruba is marshaling to defend the enterprise.

In our booth on the show floor we will be featuring a very cool live demo of the ClearPass + IntroSpect 360 degree protection as well as in-depth demo's of each product.

On Wednesday, Aruba is sponsoring two security analytics workshops. The first is an overview of machine learning essentials by Aruba's chief security data scientist, Dr. Jisheng Wang. For any security professional thinking about adopting a product like UEBA, this is a great starting point to learn the key concepts. Dr. Justin Christian, Chief Data Scientist for Security, Aetna

Global Security, will share practical experiences in implementing and utilizing a variety of data science techniques across a range of security use cases. Both sessions will be very interactive and all are welcome.

Alex Cox

Alex Cox
Director, Engineering Technologist


Q: What has your focus on advanced and emergent threat tracking taught you about the nature of the threat landscape that organizations face these days? How is RSA using that knowledge to help customers better secure their environments against these threats?

One of the key aspects of effective response to threat events is a holistic approach. The days of relying on stand-alone technologies to repel the ever-changing attack methodologies of advanced attackers are long gone. RSA combines a number of strategies into a concept we call "business driven security". This is a combination of knowledge of your environment, rapid insight and effective response via security analytics and threat intelligence, knowledge of identity and how it is used, all tied to process and function for business context.

The general idea with this approach is to tie the physical event itself to actual business risk. For example, if an ATM network at a bank is attacked, it is relatively easy to identify the technical indicators that are involved but tying that information to "actual" cost to the business can be much more difficult. If the bank doesn't have a solid handle on what the ATM network means to the business, who has access, where attackers can pivot to and likely attacker methodology, there is a gap between what happened and what the actual risks are to the business. RSA's approach seeks to fill in that gap by providing the customer with a measured and holistic approach to the entire situation and is uniquely positioned to do so in the industry.

Q: How does RSA help organizations operationalize the strategic and tactical threat intelligence they receive in order to better defend against threats?

RSA operationalizes threat intelligence in a number of ways. First, we conduct independent, collaborative and open source collection of Indicators of Compromise and publish them automatically via a system called RSA Live. RSA Live allows our appliances to have a rapidly changing "knowledge" of the threat environment that is the product of an active and talented research team. Second, RSA uses threat intelligence and current events to make our appliances "smarter", using data science and machine learning techniques to automate threat detection. In this sense, we remove the onus on the customer to have to actively "hunt" for threats, and the system automatically points out threats or suspicious activity for investigation. Third, RSA allows collaborative research across our customer base by a system we call LiveConnect. LiveConnect allows customers to crowd-source threat intelligence, in a source-agnostic way, to see what events other customers have single out for investigation. Lastly, our products are designed to easily allow inclusion of customer-sourced intelligence, which gives end users the ability to incorporate external intelligence sources that they may have access to. These approaches create a powerful mechanism for RSA customers to detect active and emergent threats on their network.

Strategically, RSA's research team continuously studies attacker methodology and process. This, combined with the flexibility of the product, allows us to tune our approach to those threats that customer are mostly likely to face. We also maintain an active customer community, where customers can both share information about their use of the product, as well as get guides on using the product to detect advanced threats.

Q: Tell us a little bit about the events that RSA has scheduled at Black Hat USA 2017 and what you are hoping attendees will learn from them?

First, we're thrilled to be protecting the Black Hat network in the NOC again this year. It's a great opportunity for our teams to put our technology to work and to share with attendees what we see, how we were able to detect it, and how we responded. We'll have several of our experts in the RSA booth as well as Black Hat sessions and workshops, sharing details about real-world experiences like deploying and protecting the NOC, insights from threat research, and how to speak security to the C-level. And, you'll see several fun ways to engage with RSA at Black Hat – both in our booth and beyond it. Essentially, we look forward to engaging professionally and having some fun with the attendees. We're proud to be a part of this community and enjoy the conversations we get to have at Black Hat.

Michael Beesley

Michael Beesley
Founder & Chief Technology Officer
Skyport Systems

Skyport Systems

Q: How does the recently launched Skyport Hybrid Cloud Edge technology build on your existing capabilities? What specific issues does it help your customers address?

We have extended the SkySecure system to facilitate easy, self-service deployment of edge virtual machines for the hybrid cloud enterprise edge with associated fine grained, application aware policy and micro-segmentation. This facilitates a co-operative model between infrastructure, network, security and app teams, with built-in analytics and telemetry for troubleshooting and audit/compliance reporting. The solution delivers a DevOps approach to the hybrid enterprise edge with industry leading application security and visibility along with fully measured and remotely attested infrastructure on which the exposed and vulnerable edge virtual machines execute. This creates uniform agility across hybrid enterprise, such that the main DC, the enterprise edge and public cloud IaaS/SaaS components can all safely move at the speed of business.

Q: What do organizations need to understand about the security implications and challenges of a hybrid cloud environment? How does Skyport help address those challenges?

The hybrid cloud environment has created two new edges for all enterprises. These edges are both an operational challenge and a security challenge. The first edge is best described as the "client to cloud" edge. As users, with their devices including laptops, tablets and phones, consume cloud services, the activity needs to be monitored and secured. Our enterprises employees no longer exclusively work on the enterprise network. They work at home, at partners, at trade shows, at customers and suppliers. A cloud access security broker (CASB) best addresses this new edge.

The second new edge is the "cloud to ground" edge. As application stacks have evolved to consume both on-premise datacenter compute and storage as well as public cloud based IaaS and SaaS resources, a new cloud-to-ground edge has evolved represented by a large set of edge virtual machines that execute on-premise but speak to both the outside and the inside.

This set of VMs represents the new edge for a hybrid enterprise. SkySecure provides infrastructure designed to run these edge VMs safely and easily, allowing the enterprise to move at DevOps speed without sacrificing any security or visibility.

Q: What is Skyport's main focus at Black Hat USA 2017? Why is it important for your company to be there?

We are focused on describing our vision for the next generation hybrid enterprise edge, the challenges that we see, and the value we think our SkySecure solution brings to this difficult and pivotal layer in the hybrid Enterprise architecture. We feel Black Hat is an idea opportunity for us to engage with a knowledge community to discuss and validate the challenges and to test the effectiveness of SkySecure in addressing these issues. We also seek to hear constructive feedback on how we can improve our solution going forward.

Ori Bach

Ori Bach
Vice President Products
TrapX Security

TrapX Security

Q: Why has deception-based cybersecurity become such a hot topic? What do organizations need to know about the approach?

Deception-based cybersecurity has gained traction as a result of high-profile cases were it was shown effective in stopping highly sophisticated attacks that bypassed other solutions. Various reports such as the recent Iranian nation-state OilRig attack against a government office installation successfully detected and defeated by deception are causing more organization to look at it.

The economy of cybercrime is rigged in the favor of the attackers that only need to succeed once while the defenders must address every breach and vulnerability.
Security professionals are leveraging deception to take a more proactive stance, forcing attackers to show their hand by giving up valuable information about their intentions, technics and attack tools, significantly changing the economy of cybercrime

It's no secret that cyber criminals are becoming more sophisticated and bolder in their attack methods, consequently, security solutions must stay ahead of the attackers, not only anticipating their next move but their next series of moves. With this intelligence security teams can make much more of their exiting investment bringing it to use where it is needed and matters the most.

Q: What enhancements does Version 6.0 of your DeceptionGrid platform offer over previous versions of the technology and why do they matter for enterprises?

Version 6.0 offers the new industry leading Deception-in-Depth architecture, significantly deepening deception capabilities designed to bait, engage, and trap attackers throughout all stages of a breach.  The new architecture allows generating a step-by-step picture of the attack from patient zero to its final stages with the option to trigger automated response at any point.

Part of the enhanced platform, features new built-in intelligence capabilities that allow the user to automatically determine if the attack is sourced to a human perpetrator or malware moving through the network. This elevated intelligence helps security teams better analyze the threat by providing detailed answers to critical questions about whether an attacker has penetrated a network, their intentions once they're inside and how quickly an attack could be stopped. The version also has expanded templates for specialized devices based on industries.  These templates include, ATM's and SWIFT assets for financial services, or Point of Sale (PoS) devices for retail, as well as devices for medical, manufacturing and many more, allowing customers to determine if attackers are targeting specialized systems that are often vulnerable to attack.

Q: What can attendees at Black Hat USA 2017 look forward to seeing from TrapX at the event? What do you plan on showcasing there?

At the event we will reveal a new tactic called "active threat hunting" that allows proactively gathering intelligence about potential attackers attempting to breach the network. We will also showcase the ability of the platform to protect IoT, Point of Sale (PoS), medical, and industrial controls devices

Ryan O'Leary

Ryan O'Leary
Vice President Threat Research Center & Technical Support
WhiteHat Security

Eric Sheridan

Eric Sheridan
Chief Scientist
WhiteHat Security

WhiteHat Security

Q: Ryan, in a recent blog you talked about OWASP planning to highlight the need for organizations to have some sort of a Web Application Firewall (WAF) and a Runtime Application Self-Protection (RAS) capability. Why have these capabilities become so crucial for enterprises?

That's a great question. If you look at application security comprehensively, WAF and RASP capabilities are the mitigation elements of [application security], complementing the identification and remediation of vulnerabilities provided by other application security solutions. WAF and RASP technologies offer a temporary stopgap while the organization fixes the vulnerable issue. Without this mitigation technology, organizations would be vulnerable to an attack from the moment the code is released and the vulnerability found, to the time the vulnerability is fixed, passes QA and is released into production. This time gap can be quite substantial given the complexity of the vulnerability and the resources in the organization to fix it.

In our own annual stats report we've found that, year after year, it's taking months to remediate vulnerabilities. In the 2016 report, we found it took enterprises an average of 150 days to fix a vulnerability. That's five months! As I mentioned in the blog you referenced, the security industry needs to get in the development mindset and become much more agile to changing threats. If WAFs and RASP technology can help organizations become more agile in their reaction to threats by mitigating them and reducing the load on the remediation effort, that's a win. A vulnerability open for any amount of time represents a huge danger to a company. The quicker we can mitigate that vulnerability the better. WAFs and RASPs allow an organization to have some time to properly fix a vulnerability while still mitigating the risk to the business.
Q: Eric, why did WhiteHat launch the WhiteHat Certified Secure Developer Program earlier this year? What specific issue is it that you are hoping to help organizations address via the program?

DevOps is becoming a very real phenomenon, and with the speed of application development and deployment accelerating to such a fast pace, it's becoming imperative that security be built into the development process. There's no time for security teams to test and report back to developers on vulnerabilities in code; developers have to take responsibility for security testing as they're writing code. But the challenge is, developers generally don't have any security training. You can build all the security capabilities you want into a developer's existing toolkit, but without some foundational training in application security, it's difficult for a developer to really incorporate it into their workflow.

WhiteHat launched its Certified Secure Developer Program to provide the foundational training developers need to be able to understand and fix security vulnerabilities and adopt secure coding best practices.  We want to help cultivate the new generation of DevSecOps practitioners and practices. With the proper training and easy access to a security solution that lives in the tools developers already use, developers can be the heroes that stop attackers from compromising an organization through its applications.

By offering our certification and training program for free, we're also hoping to eliminate any issues with regards to who pays for security training. When you're training developers and not security practitioners, is it the IT department that covers the cost of training? The Ops team? The security team? We don't want cost to be a barrier to securing the apps at the heart of the digital business.

Q: Ryan, talk to us about WhiteHat's Threat Research Center. How does it complement your current portfolio of products and how do customers benefit from it?

WhiteHat Security's Threat Research Center (TRC) team is comprised of 150 of the industry's top security experts who are a critical and integral component of the WhiteHat Application Security Platform. All vulnerabilities reported by the platform are verified by the TRC experts using cutting edge vulnerability tests and proprietary algorithms to ensure that our customers get actionable, confirmed results and near zero false positives. False positives and false negatives are inherent to automated appsec solutions. So the manual verification services built into our [Dynamic Application Security Testing], [Static Application Security Testing] and mobile solutions are highly valued by our customers, who would otherwise have to spend a lot of time and money on the resources to get to the real vulnerabilities they need to care about.

The TRC team is also available at any time to our customers through the "Ask a Question" feature in our platform. Anyone using the WhiteHat platform, whether it's a security practitioner or developer, can ask a question from within our product and get a response from a TRC member.

The TRC team also defines rulepacks that decide the conditions under which vulnerabilities should be flagged by the scanning engine. TRC engineers update these rules on a daily basis, keeping our appsec platform up-to-date and able to identify any late-breaking vulnerabilities and zero days.

In this era of DevSecOps, it's important to note that our TRC team supports any development model, including agile. Our platform is integrated with the most popular development tools and our TRC experts provide significant help to developers, who generally lack the kind of security expertise that would enable them to integrate security into their process.

Q: Eric, what are WhiteHat's plans at Black Hat USA 2017? What are you hoping attendees will learn about your company at the event?

WhiteHat will have a big presence at Black Hat this year, including a booth in the Business Hall (#840), leading two Workshop sessions, doing a joint presentation with F5 in their booth, and being a co-sponsor of the ZeroFox party at Skyfall. The show will give us a good opportunity to talk about WhiteHat and DevSecOps, and to collaborate with partners who are a critical part of the application security ecosystem.

I'm especially looking forward to the Workshops we'll be delivering on Wednesday afternoon, July 26, because we're going to share with participants a case study of a real organization that uses all of the tools of the application security trade to secure the entire SDLC. The organization at the center of this case study has seen dramatic improvements in the security of their applications, including many fewer vulnerabilities and much faster time-to-fix. Participants will take away a blueprint, based on this real-world case study, for engaging developers in the effort of securing applications throughout the SDLC. 

We're also going to give workshop participants a "gift license" to the "OWASP Top 10 for Developers" computer-based training course that they can give to a developer in their organization towards the end goal of creating security advocates – and heroes – in the development organization.

Applications drive digital experiences. Almost everyone has digital experiences every day, whether at work, home or play. Between our booth programs and the Workshop session, we want Black Hat attendees who spend any time with us to understand in very concrete terms why and how an application security platform should be used to bridge the gap between security and development.

Sustaining Partners