Interviews | July 17, 2014

Black Hat Sponsored Workshop Interviews: TIBCO, HP, Fluke Networks and IBM Security Systems

Craig Hinkley

Craig Hinkley, VP and GM of the LogLogic business unit of TIBCO Software, talks about the two biggest challenges to all professional service firms, and what attendees can expect to learn at their "Spot The Hacker" workshop at Black Hat USA 2014.


Q: Craig, a recent TIBCO blog talks about using the TIBCO Vault as an on-premise alternative to cloud-based file-sharing services to protect corporate data from data snooping. Talk to me about how that works and why that's a better alternative.

Craig Hinkley: With the absence of an enterprise-grade file-sharing alternative, over 72% of users are resorting to unauthorized, free file-sharing services, according to a recent survey. When end-users go out and choose their own file sync and share, they compromise the security of the organization and their data because they do not consider issues that are critical to the organization.

These issues include:

  • Who has access to the encryption keys? With cloud-based offerings, the service provider manages the encryption keys. Are you open to unauthorized access by their employees?
  • If one of your employees leaves the organization, do you have the ability to instantly revoke access to all corporate data? Or the ability to instantly prevent other employees from sharing with the employee who just left?
  • Do you have visibility over who is transferring what information to whom?
  • What control do you have over the data on a lost or stolen device?
  • What implications does the sharing of confidential data information with third parties have on your regulatory requirements/audits?

TIBCO Vault gives both users and administrators all the capabilities they need to enable efficient and secure file-sharing and synchronization. Furthermore, it is designed to scale for the enterprise, so there is no risk of bumping up against a capacity or performance ceiling. For companies that have not yet made a decision about how to deal with employee file-sharing and synchronization, it's an obvious choice. For those that have blocked consumer FSS services for employees, it's also a productivity booster that will win praise for the IT organization -- a commodity that's often in short supply.

Q: In a recent report, TIBCO focused on the challenges of all professional service firms, saying that the two biggest are attrition and knowledge share. What sort of solution does TIBCO offer to deal with those hurdles?

Hinkley: tibbr is TIBCO's Enterprise Social Networking Platform that helps new employees contribute to a company's bottom line faster. It gives new hires a single place to find not only the typical training and on-boarding materials, but it also gives them access to answers to questions that were already asked and answered by other employees. It's a level of on-boarding efficiency that, according to Forrester Research, helps companies reduce the cost of getting new employees up to speed by 20%.

Q: TIBCO will be sponsoring a workshop at Black Hat USA 2014. What can attendees expect to learn there – and what will be the biggest takeaways?

Hinkley: The U.S. Department of Justice Web site states: "Cybercrime is one of the greatest threats facing our country and has enormous implications for our national security, economic prosperity, and public safety." In any organization, the inability to predict and respond to cyber threats can negatively affect your bottom-line, resulting in lost-revenue and incalculable damage to your brand. And this is personal; we're seeing direct accountability for such attacks at the CIO-level down.

TIBCO LogLogic takes an analytical approach to IT security, giving organizations the tools to easily and visually display any risks or threats located in their Machine Big Data. In our "Spot the Hacker" workshop, we invite participants to bring their own data where we'll show them how to easily and rapidly uncover the potential threats and opportunities hidden in their log data through real-time visual dashboards and predictive analytics.

Scott Lambert

Scott Lambert, director, HP Security Research, reveals the average cost of cybercrime in the U.S. per organization, and the company's "Deep Dive Into Zero-Day Security Intelligence" workshop focusing on software vulnerability information going for sale to the highest bidder on the black market.


Q: Scott, the HP Security Research Cyber Risk Report 2013 lists some pretty alarming findings. For instance, 74% of apps exhibit unnecessary permissions and 80% of applications are vulnerable to misconfiguration vulnerabilities. What sort of solutions does HP Security recommend to what I assume are growing problems?

Scott Lambert: People are more mobile than ever, which can mean increased risk for enterprises. As competition and market demands push for more mobile apps, newer features, faster releases, and broader distribution of these apps – often developed by third parties – the business' risk exposure grows exponentially. IT Security must ensure these apps are secure; however, the demand for qualified security experts who understand the mobile application security landscape makes it more challenging to find and maintain this expertise in-house. As a result, organizations are at risk of exposing their sensitive corporate data, employee information, and ultimately losing brand equity through breaches of their mobile apps.

To help ensure that applications are secure throughout their entire lifecycle, organizations must build security in from the start. With the uptick in third-party-built applications, a security assessment test can serve as a necessary tool to test mobile applications for security vulnerabilities. Nearly all vulnerabilities can be found and ultimately remediated by running a security assessment test before releasing or procuring a mobile application.

HP Fortify on Demand Mobile is a Security-as-a-Service (SaaS) testing solution that enables organizations to assess and remediate vulnerabilities quickly without the need for additional in-house mobile security and threat expertise. The solution tests all three layers of the technology stack -- client, network, and server -- to paint the truest picture of mobile application risk. Test results are prioritized and verified by some of the leading application researchers and testers. Vulnerabilities found in one component of the application -- such as the client -- can be used while testing the server in exactly the same way that an intruder would infiltrate an enterprise. The results are quick and precise for fast remediation, which is key in application security.

Q: In last year's 2013 Fourth Annual Cost of Cyber Crime Study – U.S., you report that the average U.S. company experiences more than 100 successful cyber attacks each year at a cost of $11.6 million. Give us a little peek at this year's report. Is the problem getting worse or better -- and by how much?

Lambert: Comparing the results of our annual Cost of Cybercrime study, we've seen the volume and cost of cybercrime climb steadily year over year. Based on a benchmark set of U.S. organizations, the average cost of cybercrime was a staggering $11.56 million per organization in 2013, which was a 78% increase since the study was first conducted four years ago.

These increasing costs go hand in hand with the amount of time it takes to resolve a cyber attack, which has also increased during this same period. As hackers become more sophisticated, many attacks remain undetected for weeks or even months. The average time to resolve a cyber attack was 32 days, and the average cost incurred to resolve a single security incident was more than $1 million.

Despite these alarming results, these findings also show us that these costs can be significantly reduced by the use of advanced security intelligence tools such as Security Information and Event Management (SIEM) solutions, network intelligence systems, and big data analytics. Since recovery and detection are the most costly internal activities, organizations using security intelligence technologies are able to reduce these costs by finding and containing the attacks earlier, saving nearly $4 million per year on average and a 21% ROI over other technology categories. Deployment of enterprise security governance practices -- including investing in adequate resources, appointing a high-level security leader, and employing certified or expert staff -- can reduce cybercrime costs and enable organizations to save an estimated average of $1.5 million per year.

Q: You are sponsoring a workshop at Black Hat USA 2014 called "A Deep Dive Into Zero-Day Security Intelligence and Collaboration" that focuses on the fact that, despite the success of indie and vendor bug bounty programs, more software vulnerability information is going for sale to the highest bidder on the black market. Tell me a bit about what attendees can expect to learn.

Lambert: Over the past several years, the value of bug bounty programs has become increasingly evident to the security community. New programs have entered the market, and researchers are being further rewarded for finding and responsibly disclosing flaws in the programs being used every day by consumers and businesses alike.

Despite these successes, software vulnerability information continues to be sold to the highest bidder on the black market where it can wreak havoc on organizations, individuals, and the industry.

This workshop will help attendees gain a deep understanding of how to prepare to defend against a zero-day attack. The workshop facilitators will also provide an insider view into the creation and deployment of zero-day vulnerability filters. In addition, attendees will also learn how strategic threat intelligence feeds share threat data and analysis to help security researchers and organizations gain real-time intelligence on adversaries, attack vectors, methods, and motivations behind current threats.

David Coffin

David Coffin, CTO, Fluke Networks, discusses a system designed to detect attacks on large-scale WLAN networks to prevent major enterprise damage, and the company's Black Hat USA 2014 workshop focusing on typical wireless attacks and how they affect the wireless infrastructure.

Q: David, Fluke Networks recently recommended that all Apple iOS users install a new patch to fix what you called "a glaring SSL certificate handling error" that left over 700 million iPhones, iPads, Apple TVs, and Macs vulnerable to Man-in-the-Middle (MitM) attacks. Is this a new sort of attack and how dangerous are they?

David Coffin: This situation was most commonly referred to as the "goto fail" bug. It was caused by a programming error, an extra "goto fail" line in SSL/TLS library function code bypassed signature verification check of the ephemeral key. To exploit the defect, an attacker could set up a malicious rogue access point and use MitM techniques to capture and decrypt traffic from clients connected to the malicious AP since the client would not verify the key. This did create a fairly gaping hole for some time and the threat was real.

Upon learning of the defect Apple quickly released software fixing the issue. There is, of course, a timing issue in any defect>repair>update cycle where many clients can go for long periods before updating to new repaired releases. These clients would still be at risk of succumbing to a malicious attack. That WLANs in particular can be readily used to facilitate MitM attacks is also important -- a defect, malicious intent to exploit, and a MitM environment are what were needed to make "goto fail" dangerous.

Programming errors in general are not new and many security analysts work tirelessly to identify and expose such errors when new software is released. Nonetheless, detection and protection are worth a lot – especially while repairs are being prepared.
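The control-flow pattern behind the "goto fail" bug described in this answer, reduced to a toy model. This is an added example, not part of the interview and not Apple's code: `hash_update`, `hash_final`, `signature_check` and `toy_sign` are hypothetical stand-ins, and the hardened variant shows one fail-closed way to write the same check.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins (constructed, not a real TLS API); 0 means success. */
static int hash_update(unsigned *h, const unsigned char *d, size_t n) {
    for (size_t i = 0; i < n; i++) *h = *h * 31u + d[i];
    return 0;
}
static int hash_final(unsigned *h) { (void)h; return 0; }
static int signature_check(unsigned digest, unsigned sig) {
    return digest == sig ? 0 : -1;   /* toy rule: valid signature == digest */
}
static unsigned toy_sign(const unsigned char *d, size_t n) {
    unsigned h = 7;
    hash_update(&h, d, n);
    return h;
}

/* Flawed pattern: the duplicated goto is not guarded by the if, so it
   always runs while err is still 0 and the signature is never checked. */
int verify_buggy(const unsigned char *params, size_t n, unsigned sig) {
    int err;
    unsigned h = 7;
    if ((err = hash_update(&h, params, n)) != 0)
        goto fail;
        goto fail;
    if ((err = hash_final(&h)) != 0)
        goto fail;
    err = signature_check(h, sig);
fail:
    return err;
}

/* Hardened form: braces on every branch, and success is reported only
   when the signature check itself has run and passed (fail closed). */
int verify_fixed(const unsigned char *params, size_t n, unsigned sig) {
    int verified = 0;
    unsigned h = 7;
    if (hash_update(&h, params, n) != 0) { goto done; }
    if (hash_final(&h) != 0) { goto done; }
    if (signature_check(h, sig) == 0) { verified = 1; }
done:
    return verified ? 0 : -1;
}

int main(void) {
    const unsigned char params[] = "constructed-key-exchange-params";
    size_t n = sizeof params - 1;
    unsigned forged = toy_sign(params, n) ^ 1u;   /* deliberately wrong */
    printf("buggy accepts forged: %s\n", verify_buggy(params, n, forged) == 0 ? "yes" : "no");
    printf("fixed accepts forged: %s\n", verify_fixed(params, n, forged) == 0 ? "yes" : "no");
    return 0;
}
```

Compiler checks such as GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` flag this pattern, and a regression test that feeds the verifier a wrong signature catches it regardless of how the code is laid out.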

Q: Your AirMagnet Enterprise WIPS/WIDS system is designed to detect attacks on large-scale WLAN networks. It is said to prevent major enterprise damage. How so?

Coffin: WIPS/WIDS systems are an integral part of every wireless infrastructure. When properly deployed, they allow wireless administrators and security officers the ability to be alerted when a wireless attack against their WLAN is being performed. They also identify threats or openings even when these might not be being exploited. They have capabilities to contain an attack and even locate the source of the attack on a floor plan.

Without comprehensive WLAN threat detection and mitigation, an enterprise, agency, or any network owner is exposing their or users' network-connected assets to malicious misuse. Our media is filled with stories of unresolvable damage to companies that have suffered security breaches -- not just in fines or lost assets but in the ongoing loss of confidence in those organizations' systems and brands. Wireless intruder detection and prevention is no less important than firewalls or any other security system; WLANs have been a stealthy vehicle for certain security exploits.

In AirMagnet Enterprise, threats can be manually or automatically remediated with a combination of both wired and wireless threat suppression techniques. It offers 24x7 WLAN monitoring and protection, delivering:

  • Full-time dedicated packet and RF scanning of the air so costly threats are not missed.
  • Power to actively test, diagnose, and remediate problems remotely, saving time and travel.
  • Dynamic threat updates which ensure the network is always protected as new threats emerge.
  • Flexible deployment options ranging from lower-cost software sensors to dedicated high-performance sensors with spectrum analysis, including cellular.

Q: The workshop you are sponsoring at Black Hat USA 2014, "Defending The New Perimeter: Wireless Attack Landscape And Defense," will discuss typical wireless attacks and how they affect the wireless infrastructure. What will be some of the takeaways?

Coffin: Defending a wireless network can be more difficult than defending a wired network. Given the inherent nature of wireless propagation, a network perimeter extends beyond the walls of buildings and into the parking lots and possibly farther. Security administrators are now tasked with monitoring and protecting a larger and often physically uncontrolled area. The prevalence of personal mobile devices and policies allowing network access for them exacerbates the risk.

Getting to know the wireless hacking tools is an important piece of the puzzle in protecting your wireless network. Fluke Networks will talk about a few of the most popular tools, explain how they are used and what they mean to wireless networks. We will demo these "tools of the malicious trade" live at Black Hat.

Furthermore, we will go over some best practices for configuring and tuning your WLAN and your WIPS/WIDS system to detect and prevent these hacks and threats, including those borne from the tools described.

Andy Land and Patrick Vandenberg

IBM Security's Andy Land, program director and product marketing, and Patrick Vandenberg, program director, segment marketing, talk about the two workshops the company is sponsoring at Black Hat USA 2014 – one on "Beating Cybercriminals" and one on "Combatting The Inevitable Attack."

Q: Andy, I know IBM is sponsoring two workshops at Black Hat USA 2014. The first -- entitled "Beating Cybercriminals: Preventing Compromise In The Face Of Advanced Attacks" – will discuss the fact that advanced malware is now capable of evading antivirus applications and you'll be focusing on new solutions that you say have "some merit." But have any of them really proven effective at stopping dynamic threats? And if not, why not?

Andy Land: In today's market, most security companies are giving up on prevention and focusing on other disciplines. We believe prevention is not only achievable but mandatory for stopping advanced threats at the endpoint. It's a foregone conclusion that anti-virus solutions cannot stop advanced threats because they were designed to only catch known threats. The challenge today is stopping unknown and zero-day threats. Apex, our endpoint advanced threat solution, provides a multi-layered defense approach to block unknown and zero-day threats. The approach results in multiple opportunities for customer success against adversaries that need only be successful once.

Q: Give me a taste of some of the most recent cybercrime developments and compromise techniques that you'll be describing.

Land: Cybercrime is moving toward being the most lucrative form of crime and, as it becomes more organized, it is becoming an easy form of crime. We are dealing with organized and well-funded criminal organizations; not just script kiddies and disgruntled folks. Thus, we are seeing all kinds of sophisticated attacks that involve various forms of weaponized content. Here are some of the most common threats we are seeing:

  • Stealing of corporate credentials which gives the criminal access to the crown jewels of the enterprise.
  • Application exploits against zero-day vulnerabilities to establish persistence of the malware in the enterprise.
  • Rogue Java Applications and Native Java exploits to attack the most prevalent set of applications in the enterprise (50% of attacks are against Java and 96% of these attacks are from rogue applications per our X-Force Q1 Report).
  • Zombie processes to hide and establish command and control so that the valuable data can be taken out of the organization.

Q: Patrick, your second workshop, called "Combatting The Inevitable Attack: Intelligence And Integration Are Critical," will focus on new strategies to combat the evolving attack landscape and to thwart insider threats. What will be some of the takeaways for attendees who need to protect their organization from Web and mobile application attacks?

Patrick Vandenberg: In this workshop, attendees will see the latest trend details, including data from IBM X-Force, showing attack success that has made use of both technically and operationally sophisticated methods to breach enterprises. As the attackers' tactics have evolved, so have the strategies that can combat them. While detection continues to be a hot topic (and one covered in this workshop), prevention cannot be dismissed and is shown to be a powerful element to a stronger enterprise IT security approach. Across the IT domains, enterprise security must employ critical integrations to transform insights from any domain into necessary actions to protect users, applications, infrastructure, and data. This workshop will show how an intelligence platform provides that visibility and context to help restore balance against the complex challenge facing IT security teams.
