Interviews | July 2, 2019

Push Towards Digitization Has Impacted Vulnerability Management

Charles Carmakal
CTO of Mandiant


Q1. How will FireEye's recent purchase of Verodin benefit enterprises? What specific security gap does Verodin's technology help address?

This past May marked yet another significant milestone in our company's history. We're very excited about welcoming Verodin to the FireEye family.

With this acquisition, we're addressing one of the key problems in enterprise security: organizations simply lack systems to measure, monitor and report on the effectiveness of their cyber security program while facing increasing complexity in the environment.

Without validation, security teams make decisions about how well security tools are working and which solutions to use based on assumptions rather than evidence. The prevailing assumption is that technologies do what they claim, and security teams are in the dark about whether products are properly deployed and configured. Security effort and security effectiveness are not the same thing. Unfortunately, organizations often only realize this after a security breach.

Verodin is dedicated to helping companies understand and control their systemic cybersecurity risk and become more resilient organizations as a result. The Verodin Security Instrumentation Platform (SIP) adds significant new capabilities to the FireEye portfolio, enabling customers to identify the gaps in security effectiveness due to equipment misconfiguration, changes in the IT environment, and evolving attacker tactics.

The Verodin platform, in sync with FireEye frontline intelligence, enables organizations to automate the process of continually testing their environment using the same real-world attacks that our red teamers emulate and incident responders identify every day. Verodin SIP enables organizations to systematically, quantifiably, and rapidly rationalize and optimize their security infrastructure and share insights that demonstrate defensibility to key stakeholders including C-level executives and the Board.

To summarize, our customers now have the capabilities to monitor their security infrastructure against evolving attacker tactics before they face an attack. The ability to tell how security measures will fare at any given time, in real time, is extremely powerful.
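The continuous validation idea described above, reduced to its mechanics, is a harness that replays known conditions through the detection rules actually deployed and reports which expected detections did not fire. The following is an added illustration written for this page; it is not Verodin's or FireEye's code, and the rules, thresholds, and telemetry events are all constructed here.

```python
"""Minimal control-validation harness (added example, constructed rules and events).

Each ValidationCase pairs a simulated telemetry event with the rule that a
correctly deployed detection stack is expected to raise on it. The harness
replays the events, records which rules fired, and reports coverage gaps,
which is how a misconfiguration (e.g. a threshold set too high) surfaces
before an incident rather than after one."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]


@dataclass
class ValidationCase:
    name: str
    event: Event            # constructed telemetry, not real data
    expected_rule: str      # the rule that should fire on this event


def rule_set(failed_login_threshold: int) -> List[Rule]:
    """Assumed, generic detection rules; the threshold parameter models a
    deployment setting that may be misconfigured."""
    return [
        Rule("brute-force-auth",
             lambda e: e.get("type") == "auth_failures"
             and int(e.get("count", 0)) >= failed_login_threshold),
        Rule("workstation-smb-to-peer",
             lambda e: e.get("type") == "net_conn"
             and e.get("dst_port") == 445
             and e.get("src_role") == "workstation"),
        Rule("encoded-powershell",
             lambda e: e.get("type") == "process"
             and str(e.get("image", "")).lower().endswith("powershell.exe")
             and "-enc" in str(e.get("cmdline", "")).lower()),
    ]


# Constructed test cases: one event per expected detection.
CASES = [
    ValidationCase("20 failed logins in a minute",
                   {"type": "auth_failures", "count": 20, "user": "svc-backup"},
                   "brute-force-auth"),
    ValidationCase("workstation opens SMB to a peer workstation",
                   {"type": "net_conn", "src_role": "workstation", "dst_port": 445},
                   "workstation-smb-to-peer"),
    ValidationCase("PowerShell started with an encoded command",
                   {"type": "process",
                    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "cmdline": "powershell.exe -enc AAAA"},   # placeholder payload
                   "encoded-powershell"),
]


def run_validation(rules: List[Rule], cases: List[ValidationCase]) -> Dict[str, object]:
    """Replay each case through every rule; return coverage and the list of gaps."""
    details = []
    for case in cases:
        fired = [r.name for r in rules if r.match(case.event)]
        details.append({"case": case.name, "expected": case.expected_rule,
                        "fired": fired, "passed": case.expected_rule in fired})
    passed = sum(1 for d in details if d["passed"])
    return {"total": len(cases), "passed": passed,
            "coverage": passed / len(cases) if cases else 0.0,
            "gaps": [d["case"] for d in details if not d["passed"]],
            "details": details}


if __name__ == "__main__":
    # A sane threshold passes every case; a threshold of 100 silently drops
    # the brute-force detection, which the report makes visible.
    for threshold in (10, 100):
        report = run_validation(rule_set(threshold), CASES)
        print(f"threshold={threshold}: {report['passed']}/{report['total']} "
              f"passed, gaps={report['gaps']}")
```

The point of the second run is the one the interview makes: the rule exists and the product "works", but the deployed setting means the expected detection never fires, and only replaying the condition reveals it.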

Q2. As a CTO, what do you consider to be the most pressing challenge organizations face when it comes to implementing an incident detection and response capability? Why do so many organizations still have such a hard time detecting an intrusion/breach considering all the investments in cybersecurity in recent years?

Organizations struggle to implement and maintain effective incident detection and response capabilities for several reasons:

  • It is not easy to find experienced security talent. When leaders cannot find appropriately skilled talent, they are often forced to hire junior employees. Less experienced and untested staff can increase the risk of a cyber breach.
  • Many organizations do not test the efficacy of their security controls and program thoroughly or often enough. I often see organizations conducting regular penetration tests – however, they ask their testers to not exploit vulnerabilities they identify, only test during off-hours, and exclude large portions of their network from the test. Not only does this significantly inhibit the value of the test, it [also] communicates a false sense of security.
  • Organizations often shy away from sharing intelligence about attacks with the community, out of fear of business or legal repercussions. Threat actors commonly leverage similar tools, techniques, and infrastructure in their campaigns. Quickly sharing intelligence can enable other organizations to effectively combat attacks.
  • Threat actor techniques and capabilities continue to evolve to address the improvements in defensive security technologies and teams. Actors will generally take the path of least resistance to attack organizations. The more mature an organization's security program, the more time and effort the threat actor needs to penetrate it.

The findings of our 2019 Mandiant M-Trends report show that only 59% of the organizations we performed IR work for detected their security breach on their own (41% learned of it from a third party). The median time to discover an intrusion was 78 days. This statistic has improved over the years (from 416 in 2011), and we expect it will get better in subsequent years.

Although security incidents are inevitable, impactful security breaches are preventable. By addressing the points above, organizations will become more resilient to attacks.

Q3. FireEye has a pretty broad product and service portfolio. What particular technologies and services do you plan on highlighting at Black Hat USA 2019?

FireEye's mission is to relentlessly protect security-conscious organizations and critical infrastructure from cyber threats with innovative technology and expertise learned on the front lines of cyber attacks. We collect, produce, and apply threat intelligence from across the globe to help organizations address today's rapidly evolving security challenges. This frontline expertise informs how we develop and build our products. Because our consultants use our own technologies, deploying and testing them in the most demanding scenarios, we're able to innovate faster while helping our clients catch the threats that others miss.

We want to help those at Black Hat take part in this unique advantage. Attendees will be able to come and speak with the same FireEye experts that are on the frontlines every day. While there's certainly a time and a place for booth presentations, that's not what we're about this year. At Black Hat 2019 we're debuting what we're calling FireEye Expertise Unplugged. Come by the FireEye booth (#504) to have one-on-one conversations with our threat intelligence experts in a brand-new way we think attendees will really enjoy.

On the product side, we'll be introducing a whole new set of capabilities to protect customers' server infrastructure. We see how damaging these attacks directed at servers can be, which is why we're changing the game around how organizations detect, investigate and remediate these advanced attacks.

Philippe Courtot
Chairman & CEO


Q1. Many organizations have adopted a best of breed approach to deploying security controls. How has the deployment of multiple point products complicated the security challenge for enterprise organizations?

Until recently, security professionals have acquired best-of-breed solutions to protect their environments mostly due to the multi-faceted nature of security and the extreme need to use solutions that generate the least false positives or where false negatives were naturally rising to the top.

This approach quickly became overwhelming as attackers discovered new ways to penetrate network defenses, which resulted in a proliferating number of solutions that companies had to deploy and integrate to have the global visibility needed to respond effectively to cyberattacks.

Now these same security professionals are looking at cloud-based platforms as only cloud-based solutions have the necessary scale to provide full visibility across the new hybrid environment.

In today's environment, the perimeters have been pushed out, blurred and almost erased. Now telemetry data can be pushed continuously to a single place where the data collected can be normalized, correlated, and enriched thus allowing for the development of a suite of fully integrated best-of-breed solutions. Furthermore, this approach drastically reduces the staff needed to deploy, maintain and operate the plethora of traditional best-of-breed solutions. This is a welcome relief to an industry that faces a significant shortage of talent at a time when it is extremely difficult to attract and retain such talent.

Q2. You have talked in the past about simplifying security through "transparent orchestration". What exactly is that? What's a good starting point for it?

With traditional enterprise security solutions, you not only need to integrate them to correlate and enrich the data, but you also need to add another layer of software so you can orchestrate the response, which obviously adds additional complexity and cost.

With a cloud-based approach to security, instead of bolting on solutions, you can build security orchestration in from the start. This is what we mean by transparent orchestration: the orchestration has already been built in, which simplifies security by making workflows as intuitive and automated as possible for users.

A new important trend in security we must mention is meshing and automating security into DevOps pipelines, which power digital transformation projects by continuously and quickly developing and delivering code. This is now where you want to start: with security built in so you can test at the point where you develop the application.

At the macro level, security starts with knowing, at all times, what is connected to your network and applications, and by identifying the security threat they present so you can respond in real time.

Q3. What are Qualys' plans at Black Hat USA 2019? What's your main messaging at the event?

At Black Hat, we will unveil a major community initiative that will serve the industry well. In addition, Qualys will showcase how the Qualys Cloud Platform continuously assesses an organization's security and compliance posture, with instant visibility across all IT assets — on premises, in clouds, and at remote endpoints — allowing for continuous monitoring and response. This addresses a major pain point: not truly knowing what is connected to their networks, and thus not being able to adequately protect it from unauthorized or compromised assets. You can't secure what you can't see and don't know. We will also show how Qualys can uniquely help to automatically categorize devices, OS, databases, and more, spanning across on-premises, endpoints, cloud, and mobile environments, as well as expanding into OT and IoT.

Renaud Deraison
Co-Founder & CTO


Q1. What does it take for an organization to gain an understanding of the full scope of its cyber exposure these days? Generally speaking, where do the biggest gaps in capabilities exist?

The threat landscape has changed dramatically over the last 10 years. The number of vulnerabilities disclosed each year is on the rise and emerging technology, such as containers and IoT devices, has made its way onto corporate networks. For organizations to fully understand their cyber exposure in this digital era, CISOs and security teams must have breadth of visibility into cybersecurity risk across the modern attack surface, including IT, Cloud, IoT and operational technology (OT); and deep analytics that translate vulnerability data into business insights for the C-suite and Board of Directors.

Unfortunately, the tools and approaches many organizations are using to understand their cyber exposure were designed for the world of on-premises data centers and a linear software development lifecycle. But, as organizations have embraced digital transformation, their infrastructures have become much more complex and dynamic. An asset is no longer just a laptop or server. It's everything from a short-lived container to a connected coffee pot, where the assets themselves and their associated vulnerabilities are constantly expanding, contracting and evolving. This creates a massive Cyber Exposure gap.

Organizations must evolve their security approaches to address the challenges of today's threat landscape head on. This means transforming security from static and siloed to dynamic and holistic across the modern attack surface.

Q2. How has vulnerability management evolved in recent years? What have some of the biggest changes been and what are the requirements for effective vulnerability management?

Over the last few years, vulnerability management underwent a profound transformation. The digital infrastructure has never been so decentralized, with multiple management areas for some portions of it, the perimeter continues to fade away and the interconnection continues to grow. In parallel, the headline-grabbing data breaches and cyberattacks draw the attention of the C-suites and board of directors across the world, leading them to ask more precise questions about their organizations' state of security.

As a result, the need to identify and have visibility into all devices connected to corporate networks, as well as their security health, has never been so critical, and the amount of data collected has never been so large. Whereas in the past our customers would mostly rely on vulnerability management to audit some of their servers, today they deploy our solutions throughout their environments to identify everything from servers and workstations to endpoints, cloud infrastructures and connected devices.

Not only has the push towards digitization impacted vulnerability management, but the sheer volume of new flaws has also created a massive challenge for many organizations. In 2018 alone, 16,500 new vulnerabilities were disclosed, but only a small fraction had a public exploit available and even fewer were actually leveraged by attackers. Effectively prioritizing vulnerabilities is a critical and strategic business imperative for reducing cyber risk, but the barrage of new, high-priority flaws has made this much more challenging. In today's digital era, organizations need actionable intelligence to decipher noise from signal and focus their often-limited resources on the flaws that pose real risk to the business.

Q3. What can security professionals expect from Tenable at Black Hat USA 2019? If there's one thing you would like them to take away from your company's presence at the event what would that be?

Tenable remains laser-focused on our Cyber Exposure mission, helping organizations manage, measure and reduce their cyber risk in the digital era. With the launch of Predictive Prioritization in and, we're evolving customers' vulnerability remediation efforts from reactive to predictive by focusing on the three percent of flaws with the greatest likelihood of being exploited in the near future. This innovation helps organizations answer foundational questions about where they're exposed, to what extent and which vulnerabilities should be prioritized based on risk — all questions that are critical for achieving Cyber Exposure.

At Black Hat, we'll also be discussing newly-unveiled innovations to our Cyber Exposure analytics capabilities in Tenable Lumin. These innovations will enable organizations to evolve from a technology- to a risk-based approach to prioritize remediation, communicate to the business and make data-driven decisions to reduce cyber risk.

The innovations include the Cyber Exposure score, which is an objective measure of cyber risk, derived through data science-based measurement of vulnerability data together with threat intelligence and asset criticality. With Cyber Exposure Benchmarking, organizations can leverage the Cyber Exposure score to benchmark themselves against industry peers and measure their overall cyber risk posture. Finally, Remediation Guidance Workflows provide security teams with a list of the top recommended remediation actions to reduce the organization's cyber exposure.

Each of these capabilities will be available to customers starting in Q3 2019 as part of the Tenable Lumin beta. Tenable Lumin will be generally available in the second half of 2019.
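The two answers above make the same practical point: a raw severity score alone ranks a vulnerability badly, because most disclosed flaws are never exploited, and the ones that matter are the ones an attacker is likely to use against an asset the business cares about. The following is an added worked example of that reasoning in code; it is written for this page and is not Tenable's Predictive Prioritization or Cyber Exposure score (their formulas are not on this page). The weights, scales and findings are all constructed.

```python
"""Risk-based vulnerability prioritization (added example, constructed model).

Severity (CVSS base score) is combined with an exploit-likelihood factor from
threat intelligence, an exposure factor, and the criticality of the affected
asset. The result is that a CVSS 7.5 flaw being exploited in the wild on an
internet-facing crown-jewel system outranks a CVSS 9.8 flaw with no known
exploit on a low-value internal host."""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    vuln_id: str              # placeholder identifier, constructed
    cvss: float               # CVSS base score, 0-10
    public_exploit: bool      # exploit code publicly available
    exploited_in_wild: bool   # observed in real intrusions (threat intel)
    asset_criticality: int    # assumed scale: 1 (lab box) .. 5 (crown jewel)
    internet_facing: bool


def likelihood(f: Finding) -> float:
    """Assumed weights: observed exploitation dominates, then public exploit
    code; otherwise a low baseline that grows slightly with severity."""
    if f.exploited_in_wild:
        return 1.0
    if f.public_exploit:
        return 0.6
    return 0.1 + 0.02 * f.cvss      # 0.1 .. 0.3


def exposure(f: Finding) -> float:
    """Assumed weight for reachability from outside the perimeter."""
    return 1.5 if f.internet_facing else 1.0


def priority_score(f: Finding) -> float:
    """severity x likelihood x exposure x criticality, rescaled to 0-100."""
    raw = f.cvss * likelihood(f) * exposure(f) * f.asset_criticality
    max_raw = 10.0 * 1.0 * 1.5 * 5          # largest possible raw value, 75
    return round(100.0 * raw / max_raw, 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)


def top_tier(findings: List[Finding], threshold: float = 50.0) -> List[Finding]:
    """The small set that should be fixed first under this model."""
    return [f for f in findings if priority_score(f) >= threshold]


# Constructed sample findings.
SAMPLE = [
    Finding("VULN-A", 9.8, False, False, 2, False),   # critical CVSS, no exploit, minor host
    Finding("VULN-B", 7.5, True,  True,  5, True),    # high CVSS, exploited in the wild, crown jewel
    Finding("VULN-C", 5.3, True,  False, 3, True),    # medium CVSS, public exploit, exposed
    Finding("VULN-D", 9.1, True,  False, 4, False),   # critical CVSS, public exploit, internal
    Finding("VULN-E", 4.0, False, False, 1, False),   # low value all round
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id}  cvss={f.cvss:<4} priority={priority_score(f)}")
    print("fix first:", [f.vuln_id for f in top_tier(SAMPLE)])
```

Sorting by CVSS alone would put VULN-A first; under the risk model it drops to fourth, and only VULN-B crosses the top-tier threshold, which is the "small fraction of flaws that pose real risk" the answers describe.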
