Interviews | July 6, 2018

Black Hat USA Diamond Sponsor Interviews: Cylance, LogRhythm, Qualys, RSA

Eric Cornelius
Chief Product Officer

Q1. AI and machine learning technologies are rapidly transforming security products and giving organizations better defenses against modern threats. How concerned are you about threat actors using the same techniques to enable much more sophisticated cyber-attacks in future?

Only mildly concerned. While it is true that many adversaries are sophisticated enough to use machine learning to enable cyberattacks, unfortunately there is so much available attack surface in the enterprise that it isn't necessary to do so. In general, decision-makers will choose the cheapest and easiest route to accomplish their tasks. This is true of cyber-attackers as well. Investing in AI to develop sophisticated cyberweapons seems like overkill for any threat group without government-level resources. We continue to advance the use of AI for security, recently introducing the first-ever EDR solution with embedded AI threat detection models on the endpoint that target entire classes of attacks, which is a real game changer for behavior-based threat detection.

Q2. A lot of vendors these days have begun claiming AI-driven security products. What is the value-add or the differentiator that Cylance brings to the table with its AI platform?

Unlike most vendors who use AI in a few features in their product, Cylance is a true AI-first company and has invested very heavily in building an effective data science organization. The ability to quickly and effectively develop machine-learning models, which are tailored to a specific problem, allows Cylance to address any area in the cybersecurity domain using a predictive and preventative approach. Recently we worked with an independent testing lab, SE Labs, to validate the predictive nature of our AI models for malware prevention. The test showed that, on average, our models were able to detect and prevent malware over 25 months after the models were trained, making Cylance ML models extremely resilient to new zero-day malware.

Q3. What do you expect will dominate the conversation around AI and machine learning at Black Hat USA 2018?

A few years ago we were the only company talking about AI for security. Now I'd expect most, if not all, vendors will have some kind of AI/ML message. This is a positive trend for the industry overall. Black Hat chatter also tends to gravitate toward science-fiction quality hacker scenarios. As such, I expect there to be a lot of talk about AI-powered machines taking over the world, AI-powered military robots being used by covert government agencies, and AI versus AI as the new good versus evil.

James Carder
CISO & VP of Research

Q1. Describe for us LogRhythm's Threat Lifecycle Management approach to cybersecurity. What exactly is TLM and what's driving the need for this approach?

In the modern business environment, cyberthreats have become increasingly frequent and complex. Even if you've taken precautionary measures, the reality is a simple click can have devastating consequences for your organization. To avoid a damaging cyber incident — specifically a high-profile data breach — security teams have a responsibility to detect compromises quickly and efficiently.

Threat Lifecycle Management (TLM) is the principal workflow used by effective security operations centers (SOCs) to quickly detect, investigate, and remediate security events before they become a reportable breach. Ultimately, TLM provides the investigative steps an analyst should take when working a security incident. We've broken those steps down into six key areas:

  1. Forensic data collection
  2. Discovery or detection
  3. Qualifying the event or incident
  4. Investigate
  5. Neutralize
  6. Recover

The TLM workflow proves effective with commonly used attack frameworks (e.g. MITRE ATT&CK), providing security teams a proactive plan that anticipates attackers' actions and implements a corresponding response. Leveraging the TLM approach is paramount when you want to automate and orchestrate investigative activities and ensure you can defend your organization from a broad class of cyber-threats.

Q2. With AI and big data analytics approaches gaining ground in cybersecurity, what role do you see SIEM technologies playing in enterprises over the next few years?

I look at SIEM as the heart and soul of the modern security operations center (SOC). I don't see that changing over the next few years. The SIEM product category has continuously matured since its inception and has since adopted AI and big data analytics approaches into the technology. AI and machine learning (ML) can be and have been a crucial element in enhancing anomaly detection through a SIEM. From LogRhythm's perspective, AI and big data analytics will continue to be a major focus in the future.

Beyond AI and big data analytics, I also see SIEMs evolving in a number of ways to ensure they can continue to be the epicenter of the modern SOC. This includes:

  • More orchestration and automation capabilities
  • Advanced scenario-based analytics
  • Threat intelligence
  • Deep, integrated partnerships with other companies that offer great technologies — both security and non-security — to provide bi-directional capabilities

Ultimately, a SIEM should provide advanced threat detection and a full set of capabilities to quickly contain and remediate events in an automated fashion.

Q3. What are LogRhythm's plans at Black Hat USA 2018? What do you want attendees to take away from your company's presence at the event?

We're here at Black Hat to showcase our products and capabilities to the world! We're also excited to see what others in the industry—both vendors and researchers—are up to, what modern techniques and unique innovations are being developed, and to understand how the InfoSec community is adopting security products and technological innovations.

I am confident that LogRhythm is delivering the most comprehensive and complete feature set in the SIEM market today. We've built our product from the ground up and deliver a complete set of features to power the modern security operations center (SOC), including user and entity behavior analytics (UEBA), network traffic and behavior analytics (NTBA), security orchestration & automation response (SOAR), and comprehensive reporting metrics. Combine this feature set with the most bi-directional and fully supported integrations in the industry and you've found a long-term partner in security.

We also have dedicated teams building threat and compliance content, tailored specifically by industry — free for all our customers. Considering all of that, it's easy to see why we've been a Leader in the Gartner SIEM Magic Quadrant for years. Our customers already understand we're the preferred partner to help them defend themselves from cyberthreats, and I am looking forward to ensuring the rest of the world knows it too.

Sumedh Thakar
Chief Product Officer

Q1. What do organizations need to know about container security? What are some of the unique security challenges posed by the deployment of containers and container orchestration tools across hybrid environments?

Containers' inherent benefits help development and operations teams efficiently develop and deploy new applications for the business much faster, simplifying the DevOps model. However, the accelerated pace of development made possible with containerized applications means they are often developed and deployed insecurely, requiring CISOs and security teams to rethink how security gets embedded into the process. Container security needs to be agile and automated so it doesn't impede the development process.

In order to securely embrace the container movement, organizations must be able to do four things well. First, they must discover and track container environments across their sprawl and scale. Second, they need effective vulnerability management, compliance practices, and container-native intrusion detection/prevention. Thirdly, in order to achieve collaboration across security and DevOps teams, organizations also must have adaptive security frameworks that integrate into the DevOps practices and the CI/CD toolchain. Lastly, it is also important for organizations to update operational monitoring, rethink their patch and release strategy and overhaul their approach to incident response.

Along the way, there are several major threat vectors involved in the deployment of containers, which pose their own security challenges, and which security teams must keep on their radar as they deploy containers and orchestration tools.

First, the presence within container images of un-validated external software that has been downloaded from untrusted sources poses a challenge for security teams to effectively assess and manage the image integrity of containers which have not been curated by the enterprise.

Second, containers may have unstandardized configurations & deployment hygiene, which exposes IT environments to higher risks of breaches and potential loss of sensitive information.

Thirdly, security teams may also be challenged to monitor container-to-container communication (East-West traffic) via an exposed port, which bypasses regular host-based monitoring options and inhibits checks for lateral movement and breaches.

Finally, the ephemeral nature of containers can pose a challenge for security teams. Containers are intended to constantly spawn and disappear in keeping with the elastic demand of customer environments, requiring security to be more dynamic than ever before. This can lead to a lack of better governance and potential unauthorized access.

Q2. What specific business issue or security issue is Qualys helping organizations address with its recently launched Asset Inventory cloud app?

Digital transformation and the ever-evolving cybersecurity threat landscape are introducing new technology at increasing variety, scale and speed. Simultaneously, teams are trying to manage these resources across siloed security solutions and budget constraints. Asset Inventory helps Qualys customers tackle these challenges by delivering an automated, unified solution and a single source of truth for asset data that allows better interchange between the CIO and CISO to improve IT, and enables better collaboration and strategic planning across IT and Infosec.

Qualys Asset Inventory leverages Qualys sensors, including network scanners and Cloud Agents, to discover all assets across global hybrid infrastructure, whether they have been acquired through typical channels or unofficial ones such as M&A or employee credit card purchases. It then normalizes and categorizes the information gathered for each hardware and software asset, providing customers an unprecedented level of granular visibility, detail and organization for IT assets spread across on-premises, endpoints, clouds and mobile.

By delivering customers consistent and uniform IT asset data, Asset Inventory helps them overcome the essential labor, time and cost challenges of gaining initial inventory clarity and accuracy. It standardizes every manufacturer name, product name, model and software version by automatically normalizing raw discovery data to Qualys' ever-evolving technology catalog, saving teams the time and effort of cleaning up and massaging that data.

This ability to work with complete, clean and organized data frees up those teams' resources so they can spend time making better business decisions. For instance, teams can more quickly and easily detect a variety of issues, such as unauthorized software, outdated hardware or end-of-life software, which can help them properly operationalize security across the organization and support and secure the critical assets powering today's digital transformation efforts.

Q3. What can attendees at Black Hat USA 2018 expect to see and hear from Qualys at the event? What is your company's big push going to be at Black Hat?

At Black Hat USA 2018, Qualys will showcase recent enhancements we have made to our cloud platform that are helping our customers unify all the necessary security and compliance detection, prevention and response capabilities required to organically build security into the new, hybrid IT infrastructure.

Digital transformation today is enabling significant changes in the way IT infrastructure is being developed and deployed — very quickly and at new scale. We realize that in order to keep pace with these changes, organizations must re-factor and simplify security by eliminating friction and making it as intuitive and automated as possible. This is why a main focus of our presence at Black Hat will be on helping our customers bring security and IT closer together by delivering increased visibility, accuracy, scale, immediacy and Transparent Orchestration of their security programs.

At Black Hat, we'll also be talking about how the latest Qualys Cloud Platform enhancements uniquely help organizations bring the capabilities of DevOps and SecOps together into a single view, integrating security and compliance visibility into the DevOps pipelines where digital transformation projects are built and deployed. This gives them a better ability to protect the entire DevSecOps lifecycle, from the development to the production stages.

Finally, we'll be discussing how CIOs and CISOs can avoid accumulating disparate point solutions that are costly to manage, difficult to integrate, and ultimately ineffective at protecting hybrid IT environments, and will be showcasing the full breadth of security and compliance Cloud Apps that the Qualys Cloud Platform consolidates, along with how our customers are leveraging this unified platform today to drastically reduce their IT security spend.

Mike Adler
VP Product, NetWitness Platform

Q1. Why are traditional SIEM approaches and tools no longer sufficient? How does SIEM need to evolve in order to be effective against new and emergent threats?

Even with increasing focus on security, breaches still occur at record rates. Whether it's outsiders stealing and misusing personal data, phishing or malware attacks through company emails, or nation-states trying to disrupt critical services, cybercriminals are constantly evolving their craft in attempts to stay undetected as long as possible.

The serious threats to your finances and reputation make it critical that your organization embrace an equally important mission: to continuously evolve security information and event management (SIEM) as the centerpiece of your security operations, moving beyond only log-centric SIEM.

Evolved SIEM gives you deeper visibility into endpoints and network traffic, accelerates and automates threat detection and response with machine learning, and incorporates business context to prioritize threats and security incidents. By breaking down the existing silos of security tools, an Evolved SIEM can increase the efficiency and effectiveness of security teams so they can stay one step ahead of attackers.

Q2. How will Fortscale's technology help complement RSA NetWitness Platform's capabilities?

The addition of UEBA to the RSA NetWitness Platform builds on the unparalleled visibility and acceleration of threat detection that RSA NetWitness is known for.

Several recent high-profile breaches have been triggered by malicious user activity or external attacks using compromised user credentials. Those attacks introduce significant organizational risk, and no perimeter defense or entirely rules-based system can be effective in detecting, let alone preventing, their malicious activity. As a result, insider threats and threats leveraging legitimate credentials and trusted paths are amongst the hardest to catch and most successful in exfiltrating valuable corporate and customer data.

By leveraging unsupervised statistical anomaly detection and machine learning, RSA NetWitness UEBA provides comprehensive detection for unknown threats based on behavior, without the need for analyst tuning. It is a central capability integrated directly into the RSA NetWitness Platform, minimizing overhead and management.

Q3. What are some of RSA's key talking points going to be at Black Hat USA 2018 and why?

While the RSA NetWitness evolved SIEM should be the centerpiece of any SOC, we want to make sure organizations understand that business context is also important to the success of any SOC. Our messaging, "Can Your SOC Do This?", asks organizations to not only look at their threat detection and response capabilities but also their ability to prioritize the mounds of data and alerts they're sifting through to focus on what matters most to the business – what can have the biggest impact.
