Interviews | July 13, 2018
Black Hat USA Workshop Sponsor Interviews: Accenture, Authentic8, Cisco, Dark Reading, Department of Homeland Security, McAfee
Accenture Security, Managing Director
Accenture Security and iDefense Security Intelligence, Managing Director
Q1. Justin, what has your experience as head of Accenture's incident response practice taught you about the evolving threat landscape and enterprise readiness to deal with them?
Most enterprises do not have the skills to respond properly to an incident, let alone the bandwidth to perform the actual response to a major incident. Enterprise readiness means keeping up with the evolving threat landscape – by understanding the organization's threat profiles and attack surfaces. Organizations have different priorities and initiatives which may affect their spend and maturity. And readiness is often most robust in those organizations that understand they are facing evolving threats and that having the awareness of these threats is often the differentiator between extended impact and timely resolution. Thus, integrating threat intelligence into the incident response process is key to enabling the acceleration of investigative work streams, broadening the scope of the response action, contextualizing information and performing profiling of the attack and attacker to understand methods and motivations.
Q2. Josh, what do enterprises need to understand about operationalizing threat intelligence? What are some of the most common challenges that organizations face in this regard?
Operationalizing threat intelligence is one of the biggest security challenges organizations face today. While many companies have identified the need for external sources for cyber threat intelligence (CTI), be it open source or commercial, once that content is available, we often hear from clients "So now what do I do with this info?"
Part of the challenge is helping clients understand what they are trying to protect and what they expect to gain from access to CTI. This fundamental mismatch is perhaps the biggest roadblock to developing and/or maturing a cyber threat operations capability, which is so essential for modern security operations. Organizations need to understand the tactical requirements, where the expectation is to identify "bad" things to detect or block, but also the operational ones, with integration of threat intelligence into programs such as vulnerability management or incident response, as well as a strategic viewpoint. This last area looks specifically at the likeliest group of threat actors who might be targeting an organization and its industry, and at an understanding of the tools and techniques in use, so as to develop a set of courses of action comprised of technical orchestrations, automation and operational processes that counter that particular threat.
Q3. Justin, what are some of the most essential components or the prerequisites of a good incident response capability? How much of it is about having the right technology and how much of it is about process?
The answer is: All of the Above. The right technology brings the right visibility to detect. The right processes bring the right workflows to respond. And experience is necessary to bring technology and processes together. Pre-deployed, high performance tools and well-practiced processes are essential accelerators for IR responders and should always be high priorities for IR support. But the experience of the people is key.
Q4. Josh, what does Accenture plan to talk about or highlight at Black Hat USA 2018? What do you want attendees at the event to know about Accenture's cybersecurity services?
Accenture helps businesses prepare, protect, detect, respond and recover along all points of the security lifecycle. Leveraging our global resources and next-generation technologies, we create integrated, practical solutions that are tailored to each organization's specific business goals and industry—solutions that clients can put in place immediately. Whether defending against known threats, quickly detecting and responding to the unknown or running an entire security operations center, we help harden organizations and make it extremely difficult for even the most sophisticated cyber adversaries to succeed.
Q1. Why is DISA's plan to acquire a cloud browser for its 3.1 million employees significant for the security market in general and for your market segment in particular?
When the organization that invented the Internet pursues a strategy whereby they disconnect from the underlying protocols, it's a noteworthy move. DISA has spent literally billions of dollars engaging in a rear-guard action to secure web content after it's entered their environment. They've tried endpoint anti-malware solutions, client-side sandboxing, deep packet analysis, gateway-based filtering, and more. As the largest single network in the world, and as the most targeted network, they've spent significant resources trying to manage the web. With the adoption of a cloud browser, they get to disconnect.
Isolation is not a new strategy, but it has not been mainstream. With an organization like DISA moving in this direction for all DoD personnel, it sends a message to the industry that current course and speed isn't good enough.
Authentic8 likes this move a lot, not just for the validation of the cloud browser, but because the RFI covers a number of different use cases; everything from personal browsing for morale to restricted access to mission-critical web apps. A cloud browser can be configured to meet all these requirements. These are specific use cases that our patented browser policy framework is uniquely positioned to meet.
Q2. What are some of the factors driving the need for technologies such as yours and how do you see cloud browsers evolving over the next few years?
If I were to sell a CIO on the greatest productivity enhancement ever - giving their employees real time access to information, applications, corporate data, and more - but all they needed to do was open their firewall and allow third party code to execute on their systems, I'd get laughed out of the room. But that's exactly the way the browser works, and that's the tradeoff that every CIO, CISO, CEO or other leader has made. The inherent design of the Internet is insecure and unmanageable. But the utility of the Internet has made it indispensable in business.
The security industry has convinced the market that they need to spend more to be secure. Yet breaches continue unabated. 2017 saw records in both numbers - $90 billion spent on cyber security, yet 2.5 billion data records breached and a 167% increase in ransomware exploits. These two trend lines - dollars spent and security breaches - seem to be in lockstep. There are none of the boom-bust cycles that healthy markets have. IT is screwed.
We think that the only answer is for customers to disconnect from the web. When you factor the hard and soft costs, the risk, and the potential for reputation damage, you can't make a compelling case for the web. Organizations should disconnect. That's where the cloud browser comes in. With a cloud browser, you still get access to web content as normal, but no web code ever enters the organization. The attack surface area shifts to disposable servers out in the cloud.
In addition to the inherent security and cost benefits, cloud browsers also give organizations the management and compliance capabilities they are currently missing.
Q3. If there were one thing you would like attendees at Black Hat USA 2018 to know about Authentic8, what would it be?
Disconnect from the web. It's impossible to secure and puts your organization at risk. Use a cloud browser instead.
Q1. What are some of the most popular use cases for Cisco Umbrella? What business or security issues does it help organizations address?
Popular use cases for Cisco Umbrella include malware & breach prevention, off-network coverage, and extending threat protection to branch offices. Despite having an existing security stack, malware infections and other threats continue to plague organizations. On top of that, organizations have to protect roaming users (who often don't use the VPN) and branch offices (that are connecting directly to the internet). Umbrella helps address these gaps by providing safe access to the internet anywhere users go, even when they're off the VPN or connecting directly to the internet.
Q2. What are your biggest concerns with regards to DNS security? How is Cisco evolving Umbrella to meet new and emergent DNS threats?
Our number one concern is that DNS is often a major blind spot for organizations. Every single device uses DNS, but oftentimes an organization will rely on their ISP's DNS resolvers or a public DNS service. These recursive DNS providers don't share any insights into DNS activity and, most importantly, they do not provide threat enforcement for DNS requests. Umbrella is the simplest and most effective way to get DNS visibility and protection.
Thanks to our massive global footprint, we're able to constantly evolve and improve Umbrella's efficacy. Every day, Umbrella processes 140 billion DNS requests across 90 million users. By analyzing and learning from this activity, we can automatically uncover infrastructure staged for current and emerging threats, and proactively block requests before a connection is established. But we don't stop at DNS. As a secure internet gateway, Umbrella goes beyond DNS to protect users. One example of this is Umbrella's intelligent proxy, which selectively provides deeper inspection (including file inspection) for risky domains.
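The two capabilities the answer above describes, visibility into which clients are resolving what, and blocking a request at the DNS layer before a connection is ever made, can be illustrated with a small resolver-side check. The following is an added example, not Cisco's or Umbrella's code; the log line format, the client addresses and the blocklist entries are constructed for this illustration, and the matching walks up the label hierarchy so that subdomains of a blocked zone are caught as well.

```python
"""Added example (not Cisco's or Umbrella's code): DNS-layer visibility and
enforcement over a constructed recursive-resolver query log.

Assumptions (not from the interview): the log format "<ts> <client> <qname>
<qtype>", the client addresses and the blocklist entries are all constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample resolver log: one query per line.
SAMPLE_LOG = """\
2018-07-13T09:00:01Z 10.0.0.12 www.example.com. A
2018-07-13T09:00:02Z 10.0.0.12 cdn.example.net A
2018-07-13T09:00:03Z 10.0.0.44 update.bad-example.test A
2018-07-13T09:00:04Z 10.0.0.44 a1b2.c2.bad-example.test TXT
2018-07-13T09:00:05Z 10.0.0.12 MAIL.EXAMPLE.COM MX
2018-07-13T09:00:06Z 10.0.0.77 tracker.evil-example.test A
"""

# Constructed blocklist of zones judged to be staged for malicious use.
# A real deployment feeds this from threat intelligence, not a literal.
BLOCKLIST = {"bad-example.test", "evil-example.test"}

# Answer returned for blocked names so the client never reaches the real host.
SINKHOLE = "0.0.0.0"


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain is on the blocklist, so every
    subdomain of a blocked zone is blocked too (no per-host signatures)."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_line(line: str) -> Tuple[str, str, str, str]:
    ts, client, qname, qtype = line.split()
    return ts, client, normalize(qname), qtype


def enforce(log: str) -> List[dict]:
    """Return one decision per query: allow, or block with a sinkhole answer."""
    decisions = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = parse_line(line)
        blocked = is_blocked(qname)
        decisions.append({
            "ts": ts, "client": client, "qname": qname, "qtype": qtype,
            "action": "block" if blocked else "allow",
            "answer": SINKHOLE if blocked else None,
        })
    return decisions


def blocked_by_client(decisions: List[dict]) -> Dict[str, int]:
    """Visibility view: how many blocked requests each client made, which is
    the starting point for finding an infected host."""
    return Counter(d["client"] for d in decisions if d["action"] == "block")


if __name__ == "__main__":
    results = enforce(SAMPLE_LOG)
    for d in results:
        print(f'{d["ts"]} {d["client"]:10} {d["qname"]:28} {d["qtype"]:4} {d["action"]}')
    print("blocked requests per client:", dict(blocked_by_client(results)))
```

The point of walking the label hierarchy in `is_blocked` is that an operator lists the zone once and every host under it is covered, which is how a DNS-layer control stays effective when the attacker rotates subdomains; the per-client count is the visibility that an ISP or public resolver normally does not hand back.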
Q3. What do you want attendees at Black Hat USA 2018 to know about Cisco's strategy for helping enterprises address network security issues? What is your workshop about?
The cloud has changed everything – how we work, where we work, and how networks are built and managed. We understand that security needs to change to address this evolution. Our strategy is straightforward: build simple to use and easy to manage products to protect this evolving workforce.
Q1. Dark Reading's upcoming INsecurity conference in October will focus on best practices for data defense, incident response, privacy and cyber risk measurement. What are you hearing from organizations about the biggest issues and challenges they face with regard to implementing these practices?
The INsecurity Conference will take place at the Sheraton Grand Chicago Oct. 23-25 (insecurity.com). We are really excited about the conference this year because we are partnering with Black Hat, which will be offering a full slate of its well-known Black Hat Training sessions as a precursor to the conference. The Black Hat Trainings will provide a level of depth and technical content that INsecurity has not had before, and will enable technical teams and IT security strategists to go to a single event and get a wide variety of practical knowledge and comprehensive cybersecurity training.
In answer to your question, one of the reasons that Black Hat and INsecurity are teaming up is the critical need for improving both strategies and best practices in IT security. Both Dark Reading and Black Hat have conducted surveys in the past year which indicate that security professionals feel they are still losing the war, despite increased investment in technology and people. Many organizations feel that they spend too much time firefighting – trying to shore up their defenses against the latest attacks – without having time to step back and think about their overall IT security strategy – their architecture for data defense. Both INsecurity and the Black Hat Trainings are designed to help them think more carefully about not just what they are doing with data defense, but how they are doing it. Security teams and professionals need to get some perspective and concentrate on defenses that are broader and more strategic, rather than fighting one threat or vulnerability at a time.
Q2. What's preventing more organizations from approaching cybersecurity as an enterprise risk management issue rather than purely a technology/IT concern? Are we as an industry focused too much on technology?
Over the past decade, enterprises have consistently spent more money on security than they did the year before. The number of cybersecurity professionals continues to grow, and the technology continues to improve. Yet, we also have seen consistent growth in the number, size, and scope of data breaches over those same years. For the business, it's becoming a question of how to limit the damage – you can't stop everything – and how to minimize the risk of unexpected costs and brand damage due to data compromise. Today's security department is focusing not on total prevention, but on risk mitigation.
That said, there's a greater need now to look at security as a strategic problem that is based on business priorities, rather than just a tactical question of how to stop today's attacks. Security executives in large enterprises often play a role on the executive board. They are there to give the business a sense of how much risk they will face if they take on a merger or a new line of business. And the security pro – who once was mostly faced with technical problems – now has to be able to assess risk and the potential impact of those technical problems. It's less about trying to defeat the hacker and more about managing the risk in a way that the business can assess and predict.
Q3. What do you want attendees at Black Hat USA 2018 to know about INsecurity 2018? What's new and fresh this year?
At Black Hat USA, attendees will get an unprecedented opportunity to learn about the latest threats and vulnerabilities that enterprises face. They will learn what cyberattackers do, and what they might do in the future. It's a lot to absorb in just a few days. At INsecurity, security pros have an opportunity to take what they've learned about current threats and talk with colleagues about what they can do about them. There are tons of sessions about the practical aspects of running a security effort on a day-to-day basis. They'll hear about best practices and methods for raising new defenses. But just as importantly, they'll have a chance to talk with each other in closed-door discussions and learn from others who face the same problems. They'll have a chance to ask what works and what doesn't. And they'll see some new technologies that are designed to improve their defenses. INsecurity is a great way to talk about those "blue team" operations that are focused on everyday data defense – and this year, we'll have the Black Hat Trainings to provide more depth and a level of technical material that isn't found anywhere else.
Dr. Douglas Maughan
Cyber Security Division Director, Science and Technology Directorate
Department of Homeland Security
Q1. What do you see as some of the biggest opportunities for blockchain technology in the enterprise? Conversely, what are your concerns—from a security and privacy standpoint—with blockchain technology?
Blockchain technology offers significant promise to the government and private sector. From a government perspective, the technology has the potential to improve transparency and auditing of public service operations, provide greater supply chain visibility to combat the distribution of counterfeit products, and automate paper-based processes to improve delivery of services to organizations and citizens.
Conversely, the challenge with blockchain technology is the potential for the development of "walled gardens" or closed technology platforms that do not support common standards for security, privacy, and data exchange. [This can] limit the growth and availability of a competitive marketplace of diverse solutions for government and industry to draw upon to deliver cost effective and innovative services based on blockchain and distributed ledger technologies.
From the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) perspective, this is the course we see for the future of blockchain and distributed ledger technologies:
- Awareness of blockchain and its potential is part of the mainstream business and government discussion. Organizations are looking for vendor-neutral guidance and best practices on when, where, why, and how this technology can be used.
- Blockchain technology lacks best practices for determining the most suitable technology type to be used in an organization. There are a variety of blockchain technologies, which have varying degrees of support of classic security principles such as confidentiality, integrity, and availability as well as support of privacy principles such as pseudonymity and selective disclosure. In the race to achieve an advantage and market share, the decision to evaluate the most appropriate blockchain technology is neglected.
- There is an increasing tension between business/system owners and their technology and solution providers, as a technology provider's implementation may go against a business/system owner's expectation of having an open architecture environment for their systems, rather than vendor-specific approaches, to prevent technology lock-in.
- Private industry is leading blockchain development through significant investments and the ability to adopt technologies quickly. The government must be informed and ensure blockchain technology supports standardized approaches for security, privacy and data exchange. The government must also consider partnership opportunities with the industry to bring solutions to market.
Q2. Describe for us briefly DHS S&T's work around blockchain technology. What is the main focus of your efforts?
Blockchain and distributed ledger technologies are rapidly moving to application domain areas where DHS S&T is currently working. For the past three years, DHS S&T has been evaluating the security and privacy implications of blockchain technologies specifically in architecture, standards, and interoperability. We are focused on applied research and development (R&D) technologies that have critical significance to DHS Component and Homeland Security Enterprise partners. Currently, we are pursuing two broad paths to encourage a more open and inclusive future for blockchain technology.
- Supporting the development of globally available specifications that are open, royalty-free, and free to implement to ensure interoperability across systems and no vendor lock-in.
- Actively working with our DHS Component customers, such as U.S. Customs and Border Protection, to understand their potential blockchain use cases to help them achieve positive outcomes, such as developing best practices and decision criteria on when and how to implement blockchain technologies, understanding the support for security and privacy principles in commercial blockchain implementations, developing a decentralized identity broker that separates authentication and attestation services, defining best practices for connecting legacy systems with blockchain-enabled capabilities, developing specifications to ensure standardized approaches for decentralized identities, and more.
Q3. What ongoing research projects at DHS S&T CSD do you expect to highlight/focus on the most at Black Hat USA 2018 and why?
Threats to the cybersecurity ecosystem are rapid and complex. The DHS S&T mission is to ensure our nation's systems and networks are secure and resilient from attacks, but to do this requires a proactive and collaborative approach. While at Black Hat, we will highlight three research and development (R&D) areas: mobile security, cyber-physical system security and Internet resilience.
- Mobile Security: DHS's workforce has become increasingly mobile, driving the need for secure mobility solutions and a coordinated approach and framework to guide the selection and implementation of common enterprise mobility solutions. To accelerate the safe and secure adoption of mobile technology within DHS and the federal government, S&T is developing technology solutions in mobile device security and mobile application security. In the coming months, we will add technology solutions in mobile network infrastructure.
- Cyber-Physical System Security: Cyber-physical systems are smart network systems with embedded sensors, processors and actuators that sense and interact with the physical world, and with the rapid development of these technologies, security is often overlooked. S&T is developing technology solutions to build security measures into the design before a technology goes to market.
- Internet Resilience: Internet attacks are intrusive, often leaving organizations to rely on response teams and other intrusion-response capabilities to manually triage the event. S&T is developing innovative technologies to provide a system to identify, classify, report, predict, provide attribution and potentially mitigate Network/Internet Disruptive Events (NIDEs) that cause a degradation of service, reduction of resilience or manipulation of traffic flows with adverse consequences.
Additionally, we will be exhibiting at the conference, booth 1336, and will demonstrate 10 mature transition-ready technology solutions available for pilot deployment and commercialization. These technologies vary from mobile security, firmware scanning security, malware prediction technologies, and more.
Vice President & General Manager, Corporate Products
Senior Vice President, Cloud Security Business Unit
Q1. Rajiv, what do organizations need to understand about the security risks of container environments? How should they be mitigating the risks?
First, organizations need to know that it is their responsibility to secure workloads and containers in IaaS/PaaS environments such as AWS and Azure. Second, they need to understand that it is also their responsibility to ensure the IaaS/PaaS configuration is secure and that user access and enterprise data are protected. To mitigate risks, enterprises need to deploy both a CASB platform and a Cloud Workload Protection Platform that will give them real-time visibility into their IaaS/PaaS configuration, workloads and containers, all the way to their data and users. Once they gain visibility, companies can then leverage these platforms to enforce security policies and adopt cloud with the peace of mind that their enterprise data is secure.
Q2. Raja, what are the limitations of conventional endpoint security products with regard to dealing with fileless malware, targeted attacks and other new and emergent threats? How has McAfee evolved its products to help organizations address the threats?
It is important to understand that there is no single technology that is effective against every type of emerging threat. Conventional security was focused primarily on signature- and reputation-based protections. As the industry has advanced, so have both attacks and countermeasures. McAfee has delivered a platform approach to endpoint defense for a number of years now, while continuing to maintain our industry-leading manageability with ePO. We have remained true to the fact that we want to deliver tools that help alleviate security friction and do not add to operational overhead. As our products have evolved with the threats, we have incorporated a strong data science approach to cyberdefense and use machine learning, deep learning and Artificial Intelligence in multiple products and at multiple levels.
Specific to fileless malware, McAfee takes a unique multi-pronged approach to detect fileless attacks. We use different technologies to detect and mitigate the critical stages of the fileless attack chain. For example, most fileless attacks involve stager deployment activity during their early phases to set up a reverse "meterpreter" style channel for carrying out the subsequent stages of the attack. McAfee uses a combination of attack detection heuristics and AI models to detect different stages of the attack chain. The subsequent stages of the fileless attack will usually involve running an exploit from the memory of an existing benign or suspicious process followed by privilege escalation and lateral movement across additional victim machines.
The optimal strategy to protect from these stages is McAfee's concept called "attack behavior blocking". The basic premise is that determined actors will find a way to penetrate their victims: whether by malicious files, existing tools like PowerShell, exploits or code executed directly from memory. The common theme is that the observed malicious behavior itself can be detected and blocked. Our solutions have capabilities to automatically learn such new behavioral patterns of attack without needing any signatures and thus proactively stop large portions of previously unseen fileless and targeted attacks.
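The idea in the answer above is that the behaviour is what gets judged, not a file hash: a script host launched by a document application, or a command line that hides or encodes what it runs, is suspicious regardless of which payload is involved. The following is an added example, not McAfee's code or a description of its products; it scores constructed process-creation events against a constructed baseline of routine parent/child pairs plus a few behaviour rules, and the thresholds, event format and sample command lines are all assumptions made for this illustration.

```python
"""Added example (not McAfee's code): signature-free behavioural scoring of
process-creation events, illustrating the "attack behavior blocking" idea.

Assumptions (not from the interview): the (parent, child, cmdline) event
shape, the baseline, the rule weights and the thresholds are constructed.
"""
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (parent image, child image, command line)

# Constructed baseline of routine parent->child pairs observed on a host.
BASELINE_EVENTS: List[Event] = [
    ("explorer.exe", "winword.exe", "winword.exe /n report.docx"),
    ("explorer.exe", "outlook.exe", "outlook.exe"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("explorer.exe", "cmd.exe", "cmd.exe"),
    ("cmd.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
]

# Constructed events to score; only the first one is routine.
NEW_EVENTS: List[Event] = [
    ("cmd.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
    ("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -EncodedCommand aGVsbG8="),
    ("outlook.exe", "wscript.exe", "wscript.exe invoice.vbs"),
    ("svchost.exe", "rundll32.exe", "rundll32.exe"),
]

# Interpreters that run code without a malicious file ever touching disk.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# Command-line traits whose purpose is to hide or obscure what a script does.
OBFUSCATION_FLAGS = ("-encodedcommand", "-enc ", "-w hidden", "windowstyle hidden", "frombase64string")

ALERT_THRESHOLD = 2   # worth an analyst's attention
BLOCK_THRESHOLD = 5   # stop the child process


def learn_baseline(events: List[Event]) -> Set[Tuple[str, str]]:
    """'Learn' normal behaviour as the set of parent/child pairs seen so far."""
    return {(parent, child) for parent, child, _ in events}


def score_event(event: Event, baseline: Set[Tuple[str, str]]) -> Tuple[int, List[str]]:
    """Score one event by its behaviour; no hash or file signature is consulted."""
    parent, child, cmdline = event
    cl = cmdline.lower()
    score, reasons = 0, []
    if (parent, child) not in baseline:
        score += 2
        reasons.append("parent/child pair never seen in baseline")
    if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS:
        score += 4
        reasons.append("document application spawned a script host")
    hits = [f for f in OBFUSCATION_FLAGS if f in cl]
    if hits:
        score += 2 * len(hits)
        reasons.append("obfuscating flags: " + ", ".join(h.strip() for h in hits))
    return score, reasons


def decide(events: List[Event], baseline: Set[Tuple[str, str]]) -> List[Dict]:
    """Map each event to allow / alert / block with the reasons recorded."""
    out = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        action = "block" if score >= BLOCK_THRESHOLD else "alert" if score >= ALERT_THRESHOLD else "allow"
        out.append({"parent": ev[0], "child": ev[1], "score": score, "action": action, "reasons": reasons})
    return out


if __name__ == "__main__":
    for d in decide(NEW_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print(f'{d["action"]:5} {d["score"]:2}  {d["parent"]} -> {d["child"]}  {d["reasons"]}')
```

Two design points are worth noting: the baseline rule fires on any relationship the host has not exhibited before, which is what lets the logic react to tooling it has never seen, and the document-to-script-host rule carries the most weight because that relationship has almost no legitimate use, so blocking it costs little. A real product would learn the baseline continuously and would add memory-execution and lateral-movement stages to the scoring; this block shows only the process-creation stage.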
Q3. Rajiv, what exactly is McAfee's CASB Connect program? What security or business issues does it help organizations address?
McAfee CASB Connect is the industry's first self-serve program that enables any cloud service provider or partner to rapidly build lightweight API connectors to McAfee Skyhigh Security Cloud to secure any cloud service, without writing a single line of code. With this program, enterprises can leverage McAfee Skyhigh Security Cloud to confidently adopt any cloud service from the McAfee CASB Connect Catalog and enforce the same set of security policies for all their cloud applications to accelerate their business.
Q4. Raja, McAfee has a broad portfolio of security products. What specific product areas or technologies does McAfee plan on focusing on at Black Hat USA 2018?
McAfee is investing engineering resources to ensure that our customers can leverage and extend existing McAfee technologies into the cloud by closely integrating with the McAfee Skyhigh Security Cloud. The areas worth mentioning are DLP and Web Gateway. By integrating McAfee DLP Endpoint with Skyhigh Cloud DLP, we are giving our customers data and threat protection capability that spans from the device to the cloud, the two most important pillars of the modern enterprise architecture. Moreover, with the integration of the McAfee Web Gateway with Skyhigh, we are helping organizations detect shadow IT usage and providing the policies they need to bring it under IT control.