Interviews | July 9, 2015

Black Hat USA Sponsor Interviews: FireEye, Lieberman Software, Qualys, RSA, and Tenable Network Security

Tony Cole

Tony Cole, VP and global government CTO at FireEye, Inc., talks about what his company has learned from investigating high-profile data breaches, and what advice his Mobile Threat Report offers after analyzing some 7 million mobile apps.


Q: Tony, just recently FireEye became the first cyber security company ever to be certified by the Department of Homeland Security. What sort of certification was that … and what did FireEye do to deserve such a distinction?

Tony Cole: The U.S. Department of Homeland Security SAFETY Act provides important legal liability protections for providers of Qualified Anti-Terrorism Technologies -- whether they are products or services. The goal of the SAFETY Act is to encourage the development and deployment of effective anti-terrorism products and services by providing liability protections.

FireEye is the first cyber security-focused company to successfully go through the process and receive the "Certified" award. Certification is the highest-level award available under the SAFETY Act. In order for a product or service to become SAFETY Act "Certified," the provider must prove to DHS the product is not only effective, but also that it performs as intended, conforms to set specs, and is safe for use. SAFETY Act protections can only be earned after successfully completing a comprehensive and rigorous review process administered by DHS.

There are two levels of awards available under the SAFETY Act -- Designation and Certification. The awards correspond with different levels of liability protection and FireEye received the higher level of Certification. FireEye's MVX Engine and Cloud Platform, which covers the vast majority of our platform, are the first and only true cyber security technologies to be deemed so "useful" and "effective" by DHS that they are SAFETY Act Certified. Once again, FireEye has broken new ground with its products. We went through this process to give our customers an additional level of confidence that, here at FireEye, we're doing everything we can to continue our innovation and do everything we can to protect our customers.

Q: USAToday called you the "go-to company for breaches." Presumably that's because FireEye seems to be one of the companies frequently called upon to investigate high-profile data breaches, like at Target and Chase. What have you learned from these experiences that you can pass along to your customers?

Cole: FireEye has learned a huge amount during our incident-response engagements for the breaches that matter most. This focus has given us a wealth of information – from analyzing the intel from a variety of sources which includes not only our IR engagements and FireEye devices via Dynamic Threat Intelligence (DTI), and much more. It's also given our incident responders insight into the threat, threat groups, and their tools, tactics, and procedures.

Many companies are focused on the "how" -- who was phished, how was the malware dropped and placed, how did the attacker move laterally, etc. At FireEye, our Mandiant IR team answers the other questions like "who" was targeted? Was it state-sponsored? Which threat group launched the attack? "Why" and "what" is the attacker after? What actions did the attacker take in the environment from a system, application, and network level? We're able to go deeper into the breach and give the customer more thorough information based not only on our expertise from hundreds of thousands of hours of IR and our unique tools, but also from our deep repository of data on attackers and their TTPs.

We also have depth and breadth from responding to some of the largest breaches in the majority of verticals. Not only do our consultants know incident response, but have experience with the customer's business where we speak retail, critical infrastructure, system integrators, government, etc. Our consultants can articulate and frame up the response and damage in terms the customer will understand and frame it around their industry. The most important thing we can pass along to customers and the world is that breaches are inevitable. We have adversaries attempting to break into our systems on a daily basis. Sooner or later, your security infrastructure will miss something and an adversary will get in. It's important to know that and plan accordingly. Have an Incident Response plan in place. And if you don't have the expertise, get a contract in place to be ready when the breach is detected. Hunt in your environment. Our data shows that many organizations are breached and simply don't know it yet, and attackers on average have 205 days in a system where they go undetected. That's way too much time. We need to identify breaches quickly to minimize their impact, so plan accordingly.

Q: Your most recent Mobile Threat Report analyzed over 7 million mobile apps and came up with several disturbing findings. Give me some bullet points on what you found – and what advice you would offer for protection.

Cole: The report highlights some very discomforting findings considering the increasing frequency of mobile device usage and proliferation of mobile devices. In February of 2015, FireEye discovered vast vulnerabilities in thousands of the most popular downloads. What we found reveals that Android malware is growing more pervasive, and iOS devices are also increasingly at risk. Based on our analysis of both Android and iOS platforms from January to October 2014, our researchers discovered a 500% increase in the number of mobile malware designed to steal financial data. We reviewed popular apps with more than 50,000 downloads to assess their exposure to a common vulnerability, and found that 31% of them were exposed to it. Of those, 18% were in sensitive categories, including finance, medical, communication, shopping, health, and productivity. From our analysis we found that over 5 billion downloaded Android apps are vulnerable to remote attacks. Some of them, such as the JavaScript-Binding-Over-HTTP (JBOH), are extremely risky and can be used for a number of different attacks. We found millions of malware samples for Android and the numbers are growing quickly.

Aggressive Adware is another significant issue since it gathers up very sensitive personal information and provides it to companies for targeted advertising. We also found that IOS has a number of security issues, including EnPublic apps (a term for enterprise IOS apps that bypass Apple's screening process) since they invoke risky private APIs. A simple text message can lead to a user installing malicious code via this route. iOS vulnerabilities have been rare, however their impact can be severe. Two examples are SSL/TLS cryptographic vulnerabilities and Universal Cross-Site Scripting vulnerabilities. The Masque Attack we reported on last year highlighted some of the challenges when enterprises potentially rely too much on their MDM solution for securing mobile devices. Mobile devices should be a significant and growing security concern for the enterprise and consumers alike, and it's definitely an area that CISOs should focus their attention on in 2015 and beyond.

Q: You were once a Platinum Plus Sponsor of Black Hat USA and now you're a Diamond Sponsor. Why has that become such an important part of your marketing strategy?

Cole: There are only a small number of significant conferences around the globe that truly matter to in-the-know cyber security professionals. While some of those conferences focus on new security products, Black Hat USA is in that list of must-attend events for the ground-breaking training that takes place and, even more importantly, the release of cutting-edge research into new vulnerabilities in software and hardware. We recognize this and being part of the event is a core focus for us as we work diligently to protect our customers from every newly discovered attack vector as quickly as possible.

Phil Lieberman

Phil Lieberman, president and CEO of Lieberman Software, warns that a devastating data breach can begin with a single compromised privileged account, and how security pros don't believe they are using their IT security products to their full potential.


Q: Philip, in one of your recent white papers, you warn that a devastating data breach can begin with a single compromised privileged account. What sort of advice do you offer your customers so they can protect themselves against advanced hackers and malicious insiders?

Phil Lieberman: We believe that there is no way to protect customers from advanced cyber threats. Perimeter solutions and end-point solutions have all failed to deliver the promised protection. The game has shifted to network and identity management redesign to provide acceptable and predictable losses with limits.

In our minds, you cannot steal what is not there and you cannot laterally move within an environment if you cannot exploit the credentials that provide lateral access. To achieve these objectives, we have designed technologies and processes to clean machines of cached credentials, reduce the lifetime of privileged identities to hours, and require users to use local escalation on the machine(s) they need to access -- and only for a limited amount of time.

The idea is simple: any credentials that are stolen have limited lifetimes and limited scope. The operation of our technology is automated, with the ability to adapt to the environment as it changes (i.e. new systems) and quickly remediate threats when under attack.

Going a step further, we believe that user end-points are compromised and that process injection/Remote Access Toolkits (RATs) are a way of life. To combat this threat, we have removed credentials (user names, passwords, SSH keys, pass phrases) from the end-points/workstations and use bastion hosts like Terminal Server to host client applications. With this architecture, we can securely launch applications outside of the control of the end-point, feed them with credentials, and stream back video to the compromised end-point -- depriving the attacker of credentials and implementing tamper protection.

Finally, we are big believers of multi-factor authentication as a useful method to make key loggers and RATs less effective. We have both free and commercial MFA support in our product, as well as re-challenge technology to help with man-in-the middle attacks.

Q: In a recent survey which measured the attitudes of nearly 170 IT security pros, you found that 69% of respondents don't feel they are using their IT security products to their full potential and 71% believe this is putting their company, and possibly customers, at risk. Were you surprised by those findings -- and why?

Lieberman: This did not surprise us at all. Beginning more than 10 years ago, we started to see that IT had lost count and control of the infrastructure due to scale and complexity. Management's general position of IT security has been to purchase a product, install it, and let it do its job.

The fly in the ointment of buying a security solution or appliance is that management frequently does not provide the training and resources necessary to fully implement what has been purchased.

Our philosophy is to provide solutions that immediately automate privileged identity security and operations to achieve scale and coverage. Our strategy to deploy in hours, and immediately shrink the surface area of attack, is in direct conflict with a security industry that is dependent on long professional services contracts and projects that take years to achieve little -- if any -- ROI.

Our competitor relishes their business model that uses a vault for passwords and requires professional services to manually wire everything up to a customer environment. If anything changes in the customer environment, there is another charge incurred for rewiring.

Our philosophy is to make the wiring happen automatically and forego the manual labor of setting up vaults in the first place. With our strategy, there is time to value in hours and an ROI achieved in less than 30 days, without humans being responsible for the care and feeding of the security solution.

Q: Lieberman was named the 2015 Microsoft Application Development Partner of the Year which is quite an honor. What are the implications of winning such an award?

Lieberman: The 2015 Microsoft Partner of the Year award that Lieberman Software received was an acknowledgement of the scale and scope of our existing technology's market penetration and its real world impact for both Microsoft and its customers.

Our technology for managing privileged identities has been transparently woven into the lives of millions of people each day. We all depend on the conveniences of modern life and its services, such as power, communication, Internet, financial service, and national defense. All of these systems are part of our Critical National Infrastructure, and our technology is used every day worldwide to help the leaders in these areas protect their systems by securing their privileged access and identities. Our technology and work distributing this technology has made a significant impact on people's lives by protecting the services that they use and minimizing the consequences of cyber attacks.

Many people outside of the security industry are unaware of our company and its products, but almost everyone is affected by our technology. This award provides well-deserved recognition of the work we have done. It also points a bright light at the need for customers of Microsoft to think about how automated privilege management is critical to the success of their companies and to their societies.

Q: What do you feel you get out of being a Black Hat USA sponsor year after year?

Lieberman: Our yearly cyber-defense campaigns are there to shake up the security industry with a wake-up call that perimeter solutions cannot make up for fundamental weaknesses within the interior.

Most companies have minimal to no automation of privileged identities and there is little thought given to processes that pollute the environment with cached credentials that can be picked up and used by attackers with little to no skill. This situation can be remediated by changes in the behavior of IT and users given an understanding that some conveniences (i.e. common static passwords, fixed SSH keys, use of domain administrator credentials for management of systems) are too expensive.

We also want to alert attendees that defenses simply don't work most of the time, and the game has evolved to one of "acceptable loss" and planned resilience with the minimization of down time from attacks. The amount of loss is a matter of organizations planning and execution as well as the use of appropriate technologies and processes that regularly sweep the environment to remove credentials that can be exploited.

We feel that by educating customers about the risks of privileged identity misuse at our booth, and by guiding them to safer processes and appropriate automation technology via demonstrations of our products, we can help them incur the minimum amount of losses when their perimeter defenses fail.

Wolfgang Kandek

Wolfgang Kandek, CTO of Qualys, discusses its new Cloud Agent Platform which is said to be a new way of looking at vulnerability management and continuously assessing IT security, the new version of its WAF solution, and the company's focus at its booth at Black Hat USA 2015.


Q: Wolfgang, you recently unveiled your Cloud Agent Platform, which is said to be a new way of looking at vulnerability management and continuously assessing IT security. What does that platform offer that competing platforms do not?

Wolfgang Kandek: Enterprises today are challenged with identifying and prioritizing vulnerabilities on their entire network, internal, at cloud providers, and mobile machines. While conventional host-based scanning methods combined with network scanning have long been the de facto way for organizations to identify vulnerabilities and verify patches in internal networks, it's common that security teams have difficulties in scanning assets that aren't always connected to the internal network. In addition, the challenges of acquiring authentication credentials and establishing scanning windows have proven harder than expected for many companies.

To address these difficulties, Qualys recently announced the Qualys Cloud Agent, a revolutionary new platform that extends our existing Cloud Security and Compliance Platform with lightweight agents that solve the problems of mobile workstations, cloud-hosted servers, and scan windows, while requiring no authentication credentials. This new platform provides organizations with a flexible solution to assess the security and compliance of all IT assets in real-time, whether on-premise, cloud-based, or on mobile endpoints.

We see this as the next step in how organizations tackle vulnerability management and represents the next phase of innovation in Qualys' portfolio of security solutions. By integrating seamlessly into Qualys' Cloud Architecture, the Cloud Agent provides an entirely new security assessment platform that was built to scale millions of devices from the get-go. The Qualys Cloud Agent is a lightweight program (1Mbytes) that can be installed on any host be it laptop, desktop, server, or virtual machine. Qualys Cloud Agents extract and consolidate vulnerability and compliance data and update it continuously with the Qualys Cloud Platform for further analysis and correlation. The Qualys users gets a continuous view of the security compliance posture of the global network without the management effort of scheduling scans and credentials.

Q: I've heard your new version of your WAF solution described as "the tip of the spear" in terms of bringing WAS and WAF technology together in an end-to-end solution. Be a little more specific about what sort of solution that entails.

Kandek: Many organizations are struggling to address Web applications vulnerabilities as fast as infrastructure vulnerabilities. Many times, the original developer of the application in question is allocated to other projects, if available at all. At the same time, Web apps have become the de facto standard of delivering new applications to your users, a fact which has not escaped the attackers, which have focused their attention on this new field of enterprise vulnerabilities. WAFs are a critical component in detecting, alerting, and blocking known attacks on these Web apps. Unfortunately, traditional WAF solutions are too complex to set up and manage.

Our approach to solving this problem was to integrate security scan results from our Qualys WAS solution with Qualys WAF rules and policies, and provide our customers with an end-to-end solution that accelerates the application of scan results to WAF rules, buying the organization the time necessary to work on a programmatic fix. It's a significant step towards complete automation of Web application security and where we believe the WAF market is headed.

Specifically, the new release of Qualys WAF includes integrated virtual patching capabilities to enable organizations to fine-tune security policies, remove false positives and customize rules using the vulnerability data from Qualys WAS scans. The new Qualys WAF service also includes customizable event response, helping customers evaluate and create exceptions to Web events to better prioritize and mitigate vulnerabilities, making it one of the first end-to-end Web application security services to combine WAF security rules and policies with WAS data to address web application security threats.

Q: As a Sustaining Partner and Diamond Sponsor of Black Hat USA, what will you be focusing on at the conference?

Kandek: As always, Black Hat continues to be the premiere security research event and we believe it's a great opportunity to connect with our customers and partners. The conference also enables our team to keep our ear on the pulse on what's going on in our industry today and trends that will drive the security market in the future.

We invite attendees to join us at the Qualys booth to see our solutions in action. We will be showcasing some of our newest offerings, including our new Cloud Agent solution. In addition, Qualys customers will present case studies and best practices and we'll have Qualys subject matter experts to answer any questions. So come by and see us at the show!

Zulfikar Ramzan

Zulfikar Ramzan, chief technology officer at RSA, discusses the Advanced SOC, RSA Security Analytics, Incident Response, and how RSA ECAT hunts down and blocks malware that other tools miss.


Q: We hear RSA talk a lot of about the need for a Security Operations Center in order to have the visibility needed to defend organizations. Can you tell us more about that philosophy?

Zulfikar Ramzan: One of the most fascinating developments in the security industry over the past few years has been the rise of the Security Operations Center (SOC) or closely related concepts such as the Critical Incident Response Center (CIRC) or the Critical Emergency Response Team (CERT). At the heart of any SOC is the ability to have complete visibility into what is happening in your environment. This is why we continue to invest in adding the broadest and deepest visibility possible into RSA Security Analytics which we build to be the heart of the advanced SOC. The visibility that RSA Security Analytics provides includes the ability to see everything happening on the network with full packet capture, information and event data from logs (by acting as or supplementing an existing traditional SIEM tool) as well as deep endpoint views. The ability to correlate data across these different data types and combine them into one unified investigative view is an incredibly powerful tool for any security analyst. When you combine the right technology with a talented team and well-thought out process you can really fight back against attackers.

This is why we have an entire suite of products in our Advanced SOC solution built for exactly this purpose that we're featuring at our booth at Black Hat USA. We will also have members of the EMC CIRC talking about their day-to-day roles and responsibilities as well as some of the cutting-edge work they're doing with the help of components from the RSA Advanced SOC solution.

Q: If you don't have the internal resources to thwart an attack, what options do you have?

Ramzan: Many organizations are struggling to keep up with the threats they face. Some are looking into partnering with a Managed Service Provider to either lead or supplement their security team. We also offer Advanced Cyber Defense services and training courses so security teams can stay on the cutting edge. Unfortunately, that is not always enough. In those cases, it's important to have an Incident Response team on call to help immediately. At RSA, we have a large team of incident response practitioners with over 30 years of experience in the security industry. The RSA Incident Response team can help investigate and respond to security incidents. In fact, we have helped hundreds of organizations react to and recover from advanced attacks. Along the way, the team has gone head-to-head with some sophisticated adversaries. You can read about how they defended against actors that were relying on malware that used a unique method of determining their Command and Control (C2) server in a blog entitled "Wolves Among Us: Abusing Trusted Providers for Malware Operations". I'd also recommend you watch an interview with Jared Myers from our Incident Response team speaking with CNN about how they stopped an attack from Shell_Crew (a.k.a. Deep Panda) while it was happening

Q: There are a lot of endpoint protection tools on the market today. What makes your offering--RSA ECAT--different than other solutions?

Ramzan: There certainly are a few endpoint tools on the market today, but they don't have the same functionality as RSA ECAT. RSA ECAT hunts down and blocks malware missed by other tools by harnessing the power of memory analysis. This technique allows ECAT to detect suspicious endpoint activity, such as zero-days and targeted malware that bypasses other tools, by comparing files found in memory to files on disk. It can quickly identify attacker methods such as code injection, hooking and other advanced techniques without having to retrieve large memory dumps.

RSA ECAT also helps reduce the time it takes to respond to an attack from days to minutes by instantly finding all infected machines and showing exact location of malicious files. In our own CIRC, ECAT has helped narrow down a 12-hour analysis to 10 or 15 minutes.

Additionally, RSA ECAT is part of the RSA Advanced SOC solution offering that provides visibility from the endpoint to the cloud when combined with RSA Security Analytics. This approach results in faster threat detection and the ability to correlate endpoint data with network packet and log data.

Stop by our booth for a demo and learn how you can get a free 30-day trial of RSA ECAT.

Q: What is the prime benefit of being a Sustaining Partner and Diamond Sponsor of Black Hat USA?

Ramzan: We love Black Hat! One of the best aspects of being a sustaining partner is the ability to interact with the community. The knowledge and talent that the briefings bring together -- researchers, practitioners, front line incident handlers, and the opportunity to learn, collaborate, and share information.

Ron Gula

Ron Gula, CEO of Tenable Network Security, chats about how a "cyber essentials program" would have protected the U.S. Office of Personal Management from the recent cybersecurity breach, and the advice Tenable gives customers to avoid a "recipe for disaster."


Q: Ron, your continuous network monitoring platform, SecurityCenter 5, just recently added a feature called Assurance Report Cards to "enable CISOs to measure, analyze, and visualize the security posture of their IT enterprise." How do these report cards work?

Ron Gula: In today's world of breaches and threats, CISOs have to manage cyber risk effectively and communicate information to the executive suite and the board. Executives need a big-picture view that gives them confidence that cybersecurity and compliance controls are working, but security leaders often respond with statistics about new vulnerabilities discovered, blocked attacks, and the patch rate.

Available in Tenable's SecurityCenter 5, Assurance Reports Cards (ARCs) allow CISOs to provide dashboard reports that show real-time status and details in easy-to-understand, intuitive visual presentations.

SecurityCenter CV, our continuous monitoring platform, comes pre-packaged with five ARCs that automate Tenable's 5 Critical Cyber Controls, which draw from industry standards and are the five best-practices all organizations should implement to have a secure network. These five ARCs help companies ensure they are:

  • Maintaining an inventory of software and hardware
  • Removing vulnerabilities and misconfugurations
  • Deploying a secure network
  • Giving users access to only those systems and data that they need for business reasons
  • Effectively searching for malware and intruder

ARCs summarize the status from potentially hundreds of controls but also retain the underlying data so it can be readily examined. Organizations can customize the ARCs by adding any policy measurement or indicator that is critical to business needs. Organizations can also create their own ARCs to support enterprise-specific security and compliance requirements and objectives.

Q: When the U.S. said it believed China was behind the cybersecurity breach at the U.S. Office of Personal Management, Gavin Millard, your technical director, was quoted as saying that a "cyber essentials program" would have protected against such an attack. What sort of solution is he describing and how would that have been protection enough?

Gula: The White House told OPM to apply all critical patches as well as their most recent indicators of compromise to their systems. OPM is facing criticism that they failed to do so even after having multiple breaches since 2014 as well as breaches targeting their sub-contractors, including USIS. What we're really talking about here is the need for good cyber hygiene. As outlined by the Center for Internet Security (CIS) and the Council on Cyber Security (CCS), cyber hygiene means appropriately protecting and maintaining IT systems and devices and implementing cybersecurity best practices. When good cyber hygiene is built upon a continuous network monitoring platform, you continuously visualize the security posture of your entire IT infrastructure and better protect your organization against advanced cyber attacks.

More specifically, Tenable's continuous network monitoring supports good cyber hygiene by discovering devices and their vulnerabilities, performing configuration audits, tracking remediation progress, monitoring the network for unauthorized or malicious activity, and measuring compliance. It's not about counting your missing patches faster. It's about measuring your real level of risk continuously so you can react to it and take action.

Q: Dick Bussiere, your principal architect, was quoted as saying that, on average, it takes an organization 200 days to find out it's been compromised mainly because most organizations perform vulnerability assessments only once a quarter or less. What advice do you give your customers to avoid this "recipe for disaster," as he put it?

Gula: Organizations need to realize that modern vulnerability audits find risks in security defenses, intrusion prevention coverage, authentication, firewalls and, of course, deficiencies in the patch management process. Performing vulnerability scans more frequently to figure out when patches should be applied is not the answer. Leveraging technology to identify your biggest risks continuously -- whether those risks are an unmanaged laptop, a patch management system not deploying Adobe patches, or an intrusion prevention system deployed in detection mode -- requires a different outlook than the traditional scan, patch, scan again cycle.

Q: What is the return on investment when a company like yours becomes a Sustaining Partner and Diamond Sponsor of Black Hat USA?

Gula: Black Hat gives us the opportunity to connect with the information security community face-to-face about the latest threats and best practices to stay ahead of them, and to support the community through our sponsorship. We hear that attendees return to our booth year after year to catch up with colleagues and our security experts, and get information at our presentations.

This year, attendees can find us in Shoreline A, Booth #419. In addition, I will be presenting on automating executive-level cybersecurity monitoring, including a walk-through of our ARCs. For those who would like to join me, my session is scheduled for 1 PM on Thursday, August 6 inside of the exhibit hall. Please consult the event guide for details.

Sustaining Partners