Interviews | July 14, 2021

Transition to a SASE Framework May Take Time to Implement

AT&T Cybersecurity | Cisco Secure | Hunters | IBM | Palo Alto Networks

Rupesh Chokshi
Vice President, AT&T Cybersecurity and Edge Solutions

AT&T Cybersecurity

Q1. How will 5G impact security? How should organizations be preparing for a 5G future?

Standalone 5G is more secure than previous network generations but expanded attack surfaces will create opportunities for new threats and an increase in unpatched existing threats. In our annual AT&T Cybersecurity Insights™ Report, we found that 56% of respondents believe that 5G may require a change to their security approach to accommodate network changes.

With 5G, a shared responsibility model, similar to the public cloud, is likely to emerge. This should enable enterprises to focus on assessing their cybersecurity posture and how they are going to address risks with IoT devices and other endpoints as well as applications that access the 5G network. Organizations also need to consider security for all the data being created and stored on the network.

The use cases for applications optimized for a 5G network are virtually endless, from smart cities and remote surgery to others that are emerging for businesses, including private 5G on campus, multi-access edge compute and industrial IoT. What is necessary to make these ideas a reality? Applications. The applications making these ideas a reality are no longer limited to back office business applications. These are now mission critical and in some cases life critical applications. The software behind these applications must function properly, perform fast enough, and be highly secure. Cyber adversaries will attempt to target these new applications through un-remediated vulnerabilities. Focusing on non-functional requirements, which include security, is something organizations should be focused on. Disciplined software engineering practices should include security from the beginning.

Adopting a Zero Trust mindset allows organizations to be proactive about securing the data, users, applications, and endpoints attached to the network. Ninety-four percent of our Insights Report participants are on a Zero Trust journey – either researching, implementing, or completing it.

Q2. What are some of the security and business advantages of SASE? Why might a managed services approach be essential for SASE?

SASE allows organizations to modernize the network, simplify security, and improve the user experience and visibility. Network performance is accelerated while network reliability is improved, connecting remote users directly to the internet for faster access to business-critical data. Visibility is centralized across users, devices, and locations to apply granular security policies that follow users whether they are on or off the network to deliver a consistent, productive experience and reduce security risks. As a cloud-delivered solution, SASE is also highly scalable, allowing organizations to expand or contract as business needs change to add new users, locations, or acquisitions.

While the transition to a SASE framework may take time to fully implement, organizations that adopt this approach sooner rather than later will benefit and maintain a competitive advantage over other companies in the market. A managed services approach to SASE brings network and cybersecurity technical expertise together with design configuration, deployment and 24/7 management from a single provider. This helps provide consistent, high-performance access to applications while enabling and protecting the global workforce at the edge.

Our team helped architect and deploy a solution for dozens of [one] healthcare service provider's remote sites, including an international call center, and thousands of remote employees. The solution included deploying SD-WAN at the remote sites, which improved application performance within the clinics and the call center, and improved network performance overall. The customer also deployed a cloud-native, secure web gateway solution, which centralized and simplified security policy management and improved access management and control for employees and the business whether on site or working from home. By virtualizing its network and security controls, the customer can save on its infrastructure costs and quickly adapt to the needs of its business, whether by adding more remote sites to meet patient demand or provisioning new employees.

Q3. What are AT&T Cybersecurity's plans at Black Hat USA 2021? What can security leaders expect to hear from AT&T at the event?

AT&T Cybersecurity activities at Black Hat USA 2021 will kick off on August 3 with our participation in the Virtual CISO Summit as we present two sessions, "Safer to Innovate" and "Today's CISO – Leading a Resilient Enterprise." As the role of CISOs has evolved, these sessions will offer best practices for creating a security-first mindset across an organization and how a risk-based approach to cybersecurity can best help defend against increasing cybersecurity threats.

While this year's Black Hat is a hybrid event, AT&T Cybersecurity consultants and product experts are ready to meet attendees at our virtual booth and we will also have technical sales consultants and sales staff at the live event. Our virtual booth will feature our Managed Security Services and Consulting offerings for Threat Detection and Response, DDoS Defense, Vulnerability Management as well as content on protecting the remote workforce, Zero Trust, 5G and cybersecurity, and more.

In addition, we will be presenting a virtual joint session on SASE with Palo Alto Networks that will cover the tenets of an effective SASE solution and benefits of a managed service. Also, attendees interested in understanding more about Zero Trust will benefit from our two virtual workshops, "Part 1: Zero Trust Fundamentals" and "Part 2: Zero Trust for the Mature Organization."

Gee Rittenhouse
SVP and GM

Cisco Secure

Q1. What's driving enterprise interest in the secure access service edge (SASE) concept? How does it enable better security for organizations?

Today, organizations are facing a growing challenge of how to secure "work from anywhere" where employees use devices that are both personally owned and corporate-issued and rely on apps that reside in the cloud – all while not adding additional complexity. To address these dynamics, the concept of secure access service edge (SASE) has emerged. This approach converges networking and security functions in the cloud to deliver seamless, secure access to applications, anywhere users work.

But being cloud-delivered is not a cure-all on its own. Many models shift the complexity there, which can be its own vulnerability. For a truly simple and secure experience, a SASE architecture must completely integrate networking, client connectivity, security, and observability capabilities into a single subscription service. With such a unified solution, customers gain operational efficiencies by simplifying deployment, management, and policy enforcement across all environments.

Q2. How will Cisco's recent acquisition of Kenna Security benefit customers? How does Kenna's technology build on, or complement Cisco's existing capabilities?

We have been on a journey to radically simplify security with Cisco SecureX, a cloud-native platform that connects our integrated security portfolio and customers' security infrastructure to provide simplicity, visibility and efficiency. The platform delivers a unified view of customers' environments, so they no longer need to jump between multiple dashboards or manage conflicting alerts or policies. Customers also can automate workflows across security products from Cisco and third parties to handle phishing threats and supply chain attack investigations. But when it comes to reducing vulnerabilities in an organization's environment, it is still a daunting task. There are too many alerts, and the lack of resources and prioritization makes it unmanageable for security and IT teams. We believe a new approach that prioritizes vulnerabilities based on threat intelligence and business impact in real-time is needed.

With Kenna Security as part of SecureX, we will bridge our leading threat management capabilities with its risk-based vulnerability management to dramatically enhance our platform approach for customers. Furthermore, the combination of Kenna Security and SecureX will allow customers to address critical challenges by generating prioritized lists of vulnerabilities; streamlining collaboration between security and IT teams; and automating remediation to improve their overall security posture. We couldn't be more excited about the addition of Kenna Security, and we look forward to demonstrating our combined value to customers in the coming months.

Q3. What do you expect will be top of mind issues for your customers at Black Hat USA 2021? What are Cisco's plans at the event?

Over the last year, we have seen the attack surface expand with remote work, and it created the perfect conditions for attackers to take advantage. As such, we have seen a dramatic rise in ransomware attacks that have compromised schools, hospitals, municipalities, energy pipelines and food supply chains. These types of attacks continue to be top of mind for companies, especially as they contend with an explosion of devices and a hybrid working environment that could make them more vulnerable.

With that in mind, Cisco will be offering more than a dozen sessions that will cover topics such as incident response, trends in ransomware, DNS-layer security and passwordless to help customers understand the best ways to protect themselves in this dynamic threat landscape. Additionally, we will have a virtual booth with on-demand demos, meetings, and live chat.

Uri May
CEO and co-founder
Hunters

Q1. What's driving requirements for Open XDR? What security gaps and business issues does it help enterprises address?

The hardest problem in security today is the gap between threat detection and incident response: security teams have no shortage of alerts to investigate and in most cases, they have the data indicating an incident. What we're missing is the ability to identify and act on the signals that matter, to quickly investigate and clearly understand the context of an alert and prioritize real incidents from a broad mix of telemetry to gain clarity into the action needed and steps required for triage and containment. These capabilities are measured by MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond), which are fundamental to organizations' ability to effectively handle today's security threats. But they cannot be improved without an improvement to the "Mean Time to Understand" - the time it takes the security analyst to know if an alert is true or false, to understand its context including root cause, affected assets, timeline, etc. Open XDR plays a critical role in addressing this gap.

To fill the security gap, an Open XDR must have the ability to:

  • Ingest all available security telemetry, from on-premises sources to the cloud
  • Normalize and unify all the data into a single, digestible schema to facilitate cross-correlation and analysis
  • Retain the data over time, using an affordable cloud-based data storage and retention model to ensure coverage for incident investigation
  • Package security expertise by including ready-to-use detectors built to identify known and unknown threats across the attack surface
  • Automatically investigate low-fidelity signals that would otherwise be dismissed by connecting them to other signals
  • Cross-correlate, rank, and prioritize alert and threat signals
  • Present the analyst with a contextual view of an incident for immediate understanding of the attack and its impact.
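The ingest, normalize, cross-correlate and rank steps listed above can be shown end to end on a small scale. The following is an added example written for this page; it is not Hunters' code and does not reflect how their platform is built. Both telemetry formats (an EDR-style JSON event and a firewall CSV record), the host names, the severity scores and the five-minute window are constructed assumptions. Each signal on its own sits below the alerting threshold and would normally be dismissed; only after normalization to one schema and per-host time clustering does the combination reach the threshold and surface as a ranked incident with a timeline the analyst can read.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry from two hypothetical sources. Neither format is
# a real product's output; the field names and severities are assumptions.
EDR_EVENTS = [
    '{"ts":"2021-07-14T10:00:05Z","host":"ws-042","user":"alice","event":"script_execution","severity":2}',
    '{"ts":"2021-07-14T10:00:40Z","host":"ws-042","user":"alice","event":"persistence_change","severity":2}',
    '{"ts":"2021-07-14T11:30:00Z","host":"ws-007","user":"bob","event":"process_start","severity":1}',
]
FW_LOGS = [
    "2021-07-14T10:01:10Z,ws-042,203.0.113.9,443,outbound,allow",
    "2021-07-14T11:31:00Z,ws-007,198.51.100.4,443,outbound,allow",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_edr(line):
    """Map one EDR JSON event onto the common schema."""
    e = json.loads(line)
    return {"ts": parse_ts(e["ts"]), "host": e["host"], "source": "edr",
            "kind": e["event"], "detail": e.get("user", ""), "score": int(e["severity"])}


def normalize_fw(line):
    """Map one firewall CSV record onto the common schema.
    An allowed outbound connection alone is a weak signal, so it scores 1."""
    ts, host, dst, port, direction, action = line.split(",")
    return {"ts": parse_ts(ts), "host": host, "source": "firewall",
            "kind": f"{direction}_{action}", "detail": f"{dst}:{port}", "score": 1}


def summarize(host, cluster):
    """Turn a cluster of signals into the contextual view handed to the analyst."""
    return {"host": host,
            "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
            "score": sum(s["score"] for s in cluster),
            "sources": sorted({s["source"] for s in cluster}),
            "timeline": [(s["ts"].strftime("%H:%M:%S"), s["source"], s["kind"], s["detail"])
                         for s in cluster]}


def build_incidents(edr_lines, fw_lines, window=timedelta(minutes=5), threshold=4):
    """Normalize both feeds, cluster signals per host that fall within `window`
    of each other, and keep clusters whose summed score reaches `threshold`.
    Returns incidents ranked by score, highest first."""
    signals = [normalize_edr(ln) for ln in edr_lines] + [normalize_fw(ln) for ln in fw_lines]
    by_host = defaultdict(list)
    for s in signals:
        by_host[s["host"]].append(s)

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda s: s["ts"])
        cluster = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(ev)
            else:
                incidents.append(summarize(host, cluster))
                cluster = [ev]
        incidents.append(summarize(host, cluster))

    incidents = [inc for inc in incidents if inc["score"] >= threshold]
    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(EDR_EVENTS, FW_LOGS):
        print(f"{inc['host']} score={inc['score']} sources={inc['sources']}")
        for row in inc["timeline"]:
            print("   ", *row)
```

With the constructed data, ws-042 produces one incident (score 5, both sources, three-row timeline) while ws-007's two weak signals stay below the threshold. Lowering `threshold` trades precision for recall, which is exactly the tuning decision the "Mean Time to Understand" argument is about.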

Q2. People often talk about security operations becoming a big data problem. What exactly does that mean and what impact is it having on the ability of enterprises to defend against modern cyber threats?

Effective detection, investigation, and response to threats require complete access to an organization's data. Any form of compromise on data collection and retention due to the cost of data storage or limitations in data logging system architecture may yield blind spots for detection and response, especially as we are increasingly dealing with supply chain attacks and cloud breaches.

Open XDR platforms that provide a modern, scalable, cloud-based data logging platform are the foundation of an effective TD&R program. Hunters' Open XDR uses Snowflake as the backbone for its cost-effective data ingestion and retention. But data logging is only the start - XDR has strong built-in data engineering capabilities to normalize, cross-correlate, score, and analyze the terabytes and sometimes petabytes of data in real-time, for effective detection of threats.

Q3. What do you want security leaders at Black Hat USA 2021 to know about Hunters? What's your main messaging for them?

At a time when CISO priorities include simplification and reduction of tooling to alleviate budgetary and performance drain, Hunters' Open XDR provides the mechanism to tackle underlying gaps and challenges in security operations. Security teams can finally process all the data they have and use it to increase their performance, using out-of-the-box security knowledge that is always up to date to elevate the security talent on their teams. Hunters XDR removes the unnecessary and exhaustive rules-management workforce drain and accelerates analysts' understanding of the impact of incidents. Large companies are now using Hunters as the centerpiece of their SOC. Many of them replaced their SIEM with Hunters XDR. They all tell us that using Hunters XDR, their SOC became more confident in their ability to detect threats and properly respond to incidents.

Charles Henderson
Global Managing Partner and Head of X-Force, IBM Security


Q1. What were the main takeaways from IBM's recent global survey on consumers' digital behavior during the pandemic? What, if anything, was unexpected or surprising in the results?

With society becoming increasingly accustomed to digital-first interactions, our study found that preferences for convenience often outweighed security and privacy concerns, leading to poor choices around passwords and other cybersecurity behaviors. The majority (82%) of global respondents are re-using the same credentials that they have used for other accounts at least some of the time, with 45% always or mostly re-using the same credentials and could be using the same credentials they use at work. Consumers' lax approach to security, combined with rapid digital transformation by businesses during the pandemic, could provide attackers with further ammunition to propagate cyberattacks across industries – from ransomware to data theft. According to our research at X-Force, lax personal security habits may also carry over to the workplace and can lead to costly security incidents for companies, with compromised user credentials representing one of the top root sources of cyberattacks reported in 2020.

Q2. What are some best practices for getting the most out of external threat intelligence? What are key requirements for implementing a robust threat-intelligence driven response capability?

It's key to use threat intelligence not just for tuning SIEM rules, but for active threat hunting. It's relatively straightforward to use that intelligence to help your SOC get better fidelity out of their alerts. What can be harder is successfully implementing a hypothesis-first based method for threat hunting in any given environment. Taking the outputs of intelligence to ask the question of, "if this actor used these TTPs in our environment, what would it look like?" can be one of the hardest questions to answer. But it's what X-Force does every day, and what our experts are the best at.

Q3. What are some top reasons for security professionals to visit IBM's booth at Black Hat USA 2021?

The top two reasons would be to talk with our experts and see our demos. Whether it's our hackers at X-Force Red, our responders in X-Force IR, or other teams at IBM Security, we have the expertise to help guide you through the challenges of securing modern environments against the world's most sophisticated threats. We're also putting on some unique demos this year to highlight original X-Force research, including NFC payment attacks, attacks that turn speakers into microphones, and more. We'll also have t-shirt giveaways as well as an immersive game and music experiences.

Ryan Olson
VP, Threat Intelligence

Palo Alto Networks

Q1. What are the main takeaways from the 1H 2021 edition of PAN's Cloud Threat Report? Do you expect the same trends to continue in the second half of the year as well and do you expect a decline or increase in certain types of threats?

In our Cloud Threat Report for the first half, we identified three key trends. The first was that industries which were critical in responding to the COVID-19 pandemic (Retail, Manufacturing and Government) all experienced spikes in cloud security incidents. As life returned to normal after the pandemic, we expect this spike may recede, but the choice to move operations to the cloud remains. If organizations don't move to secure this infrastructure, these incidents will continue to rise.

The second trend we identified was a decline in illicit cryptocurrency mining in the cloud. Attackers mining cryptocurrency on hijacked cloud resources is a trend that rose through 2019 and early 2020 but declined at the start of this year. This can be a big money maker for attackers, but their success depends on getting many systems mining the currency—typically Monero—over time. Public cloud providers have improved their ability to detect and shut down miners quickly, which has made this attack more difficult. We expect illicit cryptocurrency mining to continue to decline, but if the price of the currencies increases, we may see increased incentive to launch more of these attacks.

The final trend we noted was the most persistent one: organizations continue to move sensitive data and operations to the cloud using improper cloud security configurations. The advantages of using the cloud are clear for many organizations. Simple scaling and ease of deployment can make transitioning very fast, but if security isn't built into the plan from the start, the resulting data may be at risk. These risks can be contained by cloud security automation tools that audit for oversights such as improperly configured access controls. We expect that most cloud breaches will still be preventable through proper configuration for the rest of 2021.
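The kind of automated audit the answer above refers to, reduced to its core, is a script that walks an inventory of cloud resources and flags access controls that were probably never meant to be that open. The following is an added example for this page, not Palo Alto Networks' tooling. The bucket policies follow the IAM policy JSON structure (Effect, Principal, Action, Resource, Condition), but every bucket name, account id, security-group id and the `intended_public` tag are constructed assumptions, and the "public" test is deliberately simplified: a real check would also evaluate Condition keys and account-level public-access settings.

```python
# Constructed inventory snapshot for the audit. The bucket policies follow the
# IAM policy JSON structure; every name, account id and rule is made up for
# this example.
INVENTORY = {
    "buckets": [
        {"name": "corp-public-site", "intended_public": True,
         "policy": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::corp-public-site/*"}]}},
        {"name": "patient-exports", "intended_public": False,
         "policy": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": {"AWS": "*"},
              "Action": ["s3:GetObject", "s3:ListBucket"],
              "Resource": ["arn:aws:s3:::patient-exports",
                           "arn:aws:s3:::patient-exports/*"]}]}},
        {"name": "build-artifacts", "intended_public": False,
         "policy": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
              "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::build-artifacts/*"}]}},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"},
                                    {"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
}

# Ports that should never be reachable from the whole internet (assumption).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}


def as_list(value):
    """IAM allows a string or a list in Action and Principal.AWS; normalize."""
    return [value] if isinstance(value, str) else list(value or [])


def statement_is_public(stmt):
    """True if an Allow statement grants to any principal with no Condition.
    Simplification: a full check also evaluates Condition keys such as
    aws:SourceVpc, which can make a '*' principal non-public."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def audit_bucket(bucket):
    """Flag a bucket whose policy is public unless it is tagged as intended."""
    public = [s for s in bucket["policy"].get("Statement", []) if statement_is_public(s)]
    if not public or bucket["intended_public"]:
        return []
    actions = sorted({a for s in public for a in as_list(s.get("Action"))})
    return [{"resource": bucket["name"], "severity": "high",
             "issue": "policy grants " + ", ".join(actions) + " to any principal"}]


def audit_security_group(sg):
    """Flag ingress rules that expose an admin or database port to 0.0.0.0/0."""
    return [{"resource": sg["id"], "severity": "high",
             "issue": f"port {rule['port']} open to the internet"}
            for rule in sg["ingress"]
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS]


def audit(inventory):
    findings = []
    for bucket in inventory["buckets"]:
        findings.extend(audit_bucket(bucket))
    for sg in inventory["security_groups"]:
        findings.extend(audit_security_group(sg))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f['severity']}] {f['resource']}: {f['issue']}")
```

On the constructed inventory the audit reports two findings: `patient-exports` (a wildcard principal on a bucket nobody marked as intentionally public) and `sg-db` (MySQL open to the internet), while the deliberately public marketing bucket and the role-scoped artifact bucket pass. The `intended_public` tag is what separates an oversight from a decision; without some such record, an audit tool cannot tell the two apart.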

Q2. What are the lessons to be learned from attacks like the one on Kaseya this month? What are some best practices for mitigating fallout from these types of third-party breaches?

High profile, third party breaches should serve as a wake-up call for any organization, not just those who've been directly impacted. The software and services we bring into our network can be compromised. Whatever systems and data those services have access to will also be compromised until that access is tightly controlled and monitored. The core of the issue in any of these large attacks, including Kaseya, or SolarWinds late last year, is that organizations have put their trust in a software or service provider and given them broad access inside their network. This issue was exacerbated by the quick move to remote working due to the COVID-19 pandemic, as many organizations found themselves quickly racing to implement widespread remote access technologies.

One way to mitigate the impact from these attacks—and fortunately, nearly all other attacks—is implementing a complete Zero Trust security architecture. Zero Trust is not a new concept—[it was] introduced by John Kindervag at Forrester over a decade ago—but software supply chain attacks show how critical it is that organizations implement this strategy. Building a network with Zero Trust at the heart means that every transaction across the network is authenticated, inspected, and explicitly allowed by policy. This isn't a single technology but incorporates many aspects of what security experts have been recommending for years into a unified architecture. Implementing multi-factor authentication would help prevent many attacks we see today, but if the software already inside your network is compromised, you need to go further. It is possible today to strongly identify users and devices, and to automatically develop and apply strict security policies that prevent them from accessing data and systems they shouldn't while still allowing them to perform necessary tasks. There will be more software supply chain and service provider attacks this year. There is no silver bullet, but now—or 10 years ago—is the right time for any organization to begin building out their own complete Zero Trust architecture.
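"Authenticated, inspected, and explicitly allowed by policy" is concrete enough to write down as a decision function. The block below is an added example for this page, not Palo Alto Networks' code or any product's policy language. It models a default-deny policy decision point: a request carries the authenticated identity, its group claims, whether the session completed MFA and the device's management and posture state; a rule only grants access when resource, action and group all match and the rule's authentication and device conditions hold; every other outcome is a deny with a reason, so each transaction leaves an auditable record. The groups, resource paths, rule names and sample requests are all constructed assumptions. The "vendor-rmm" request illustrates the supply chain point in the answer: a third-party management account with broad network reach still gets nothing unless a rule explicitly names it for that resource.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str               # authenticated identity; "" if authentication failed
    groups: frozenset       # group claims asserted by the identity provider
    mfa: bool               # session completed multi-factor authentication
    device_managed: bool    # device is enrolled in management
    device_compliant: bool  # device passed its latest posture check
    resource: str
    action: str


@dataclass(frozen=True)
class Rule:
    name: str
    resource_prefix: str
    actions: frozenset
    groups: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed policy. Anything not explicitly allowed here is denied.
POLICY = (
    Rule("clinicians-read-ehr", "ehr/", frozenset({"read"}), frozenset({"clinicians"})),
    Rule("ehr-admins-manage-ehr", "ehr/", frozenset({"read", "write", "delete"}),
         frozenset({"ehr-admins"})),
    # A build service account cannot do MFA, so instead of exempting it from
    # everything the rule scopes it to one prefix and one action.
    Rule("ci-read-artifacts", "artifacts/", frozenset({"read"}), frozenset({"ci-service"}),
         require_mfa=False, require_compliant_device=False),
)


def evaluate(req, policy=POLICY):
    """Return ("allow", rule_name) only when a rule explicitly matches the
    resource, action and group AND its authentication/device conditions hold.
    Every other outcome is ("deny", reason)."""
    if not req.user:
        return ("deny", "unauthenticated")
    reasons = []
    for rule in policy:
        if not req.resource.startswith(rule.resource_prefix):
            continue
        if req.action not in rule.actions or not (req.groups & rule.groups):
            continue
        if rule.require_mfa and not req.mfa:
            reasons.append(f"{rule.name}: mfa required")
            continue
        if rule.require_compliant_device and not (req.device_managed and req.device_compliant):
            reasons.append(f"{rule.name}: managed, compliant device required")
            continue
        return ("allow", rule.name)
    return ("deny", "; ".join(reasons) or "no rule allows this request")


def decision_log(requests, policy=POLICY):
    """One record per transaction, including denies: the audit trail a
    Zero Trust enforcement point keeps."""
    return [(r.user, r.action, r.resource, *evaluate(r, policy)) for r in requests]


# Constructed sample transactions.
SAMPLE = [
    Request("alice", frozenset({"clinicians"}), True, True, True, "ehr/patient/1042", "read"),
    Request("alice", frozenset({"clinicians"}), False, True, True, "ehr/patient/1042", "read"),
    Request("alice", frozenset({"clinicians"}), True, True, True, "ehr/patient/1042", "delete"),
    # Third-party remote-management account: broad network reach, no rule names it.
    Request("vendor-rmm", frozenset({"vendors"}), True, False, False, "ehr/patient/1042", "read"),
    Request("ci-bot", frozenset({"ci-service"}), False, False, False, "artifacts/build-77.tgz", "read"),
    Request("", frozenset(), False, False, False, "ehr/patient/1042", "read"),
]

if __name__ == "__main__":
    for record in decision_log(SAMPLE):
        print(record)
```

Two design choices carry the Zero Trust idea: the function has no implicit allow path (the only `allow` is a fully matched rule), and a deny always states which condition failed, which is what makes the denied transactions useful for detection rather than just noise.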

Q3. What do you expect your customers will be most interested in hearing about from PAN at Black Hat USA 2021? What do you have planned for them at the event?

Ransomware has dominated the headlines, and conversations, among CISOs/IT/Security professionals in 2021 and there's no sign of it slowing down. The Unit 42 Security Consulting team is on pace to conduct over 1,500 investigations this year and has already responded to over 200 ransomware attacks. That's almost a call every day from clients asking for help. Looking at trends across the other cases, we're seeing more business email compromise and website compromise than ever before. However, the trend that has us most concerned, as mentioned above, is cloud breaches. Our research indicates that cloud security incidents increased by an astounding 188% in the second quarter of 2020 and that, although a result of organizations quickly moving more workloads to the cloud in response to the pandemic, they struggled many months later to automate cloud security and mitigate cloud risks. Palo Alto Networks advises Black Hat attendees to think like an attacker. How would you hurt you? What would you target and how would you get it? Think about the changes you would make in the wake of a ransomware attack and take action to make those changes, now. Palo Alto Networks will be ready to answer questions in our live sessions, virtual sessions, and will be showcasing our technology to help you:

  • Stop tomorrow's threats with Complete Zero Trust Network Security, the industry's most complete SASE solution, and cloud-delivered security services.
  • Protect the cloud from container security to threat detection to web application and API security.
  • Monitor and fix your attack surface and protect your assets with next-gen security analytics and automation.
  • Take a step ahead of attacks by validating your current incident response playbooks with proactive assessments and cybersecurity consulting services.
