Interviews | July 21, 2020

EDR and SIEM will co-exist for years to come

Code42 | DivvyCloud by Rapid7 | McAfee | Synopsys | VMware Carbon Black

Jadee Hanson

Code42
Q1. What do you see as some of the biggest challenges and also opportunities for CISOs in the current threat environment?

Despite the challenges and opportunities CISOs face today, one thing is certain – security's mandate did not change when the pandemic started. We are still charged with protecting the company and that remains our priority. That said, the two main challenges CISOs universally face are due to a widely distributed workforce – a lack of network visibility and now an increased focus on endpoint technologies. A byproduct of these challenges is that the risks to data coming from the inside are more heightened now than pre-pandemic.

While it always is important to have visibility into how our employees are moving and sharing files, right now with so many of our employees working off network, it's crucial that we maintain clear file visibility – a task which challenges many security organizations. The corporate office perimeter doesn't provide the same level of security control it once did. At the same time, endpoint tools are now providing security teams with much more valuable data.

Among the opportunities? There are a fair share of CISO roles open right now. Importantly, I'm seeing more CISOs gaining a role at the executive table. Thankfully, they aren't there only to discuss black and white security controls. Rather, they are a part of larger conversations about balancing risks to the business as a whole. As security leaders, we must tune the right level of security for the organization. You have to balance what the board, CEO and customers want and, at the same time, match the culture of the organization. And when a CISO is at the table, they are in a position to more effectively counsel or guide the executive team when it comes to business risks.

Q2. Over the next two years, what kind of capabilities/technologies are security organizations absolutely going to need to adequately protect against emerging cyber threats?

Moving forward, workforces will likely continue to be highly distributed and fluid and the use of cloud and collaboration technologies will continue to soar. I believe that inside risks to data, whether malicious or not, will also continue to grow and harm organizations. With these market forces in mind, endpoint technologies, especially those that provide visibility to file movements, are going to play an increasingly important role in security programs.

In the next few years, attack surfaces will likely continue to expand, attacks will grow in sophistication and data and systems will continue to be at risk. Security teams not only need to be involved early on to identify risks, they need to be enabled to fix those risks themselves through integration and automation. It will be critical, then, to automate security – and that means automating mundane tasks to free up security engineers for more important, strategic, value-added work. Automation can ease the security talent gap, alleviate alert fatigue, speed up time to incident resolution and reduce errors.

When automating, work on improving processes for software testing, vulnerability management, malware incident response, and more:

  • Automate security tasks in the development workflow to save time, enable speed and scale, and solve key issues faced by security professionals.
  • Move to DevSecOps so that security processes are an automated part of the development lifecycle.
  • If you don't know how to code, take a class today. Automation will simplify some of your work and give you a better understanding of what you're working to secure for your developers.
  • When vulnerabilities are identified from an automated scan, it's possible—sometimes—to automatically patch and, other times, gather all of the necessary context and package it for admins so they can get to work instantly.
  • If there's an alert to malware, automatically grab the necessary context from a source, such as VirusTotal and, when necessary, possibly quarantine the infection. If a remedy cannot be automated, gather the associated content so analysts can quickly make a decision and respond.

Q3. What's likely going to be top of the agenda for most CISOs and other security leaders at Black Hat USA 2020?

Securing data in the post-pandemic workplace – which will mean distributed and fluid workforces who are often off network and using cloud and collaboration technologies to stay productive – will be one topic that is top of mind for most CISOs. In particular, CISOs will be looking for better, newer or smarter endpoint technology or any sort of technology that protects users working remotely and still allows the security team to have the visibility they need.

"Secure collaboration" has been thrown around a bit, but it's worth calling out that secure collaboration is about much more than simply encouraging collaboration and monitoring data flow. It's about partnering with employees to help them use file-sharing tools more securely. The critical part for security is having visibility, like being able to know definitively where a file was sent. That's crucial information for security teams who are responsible for safeguarding company data.

Brian Johnson
Co-founder and SVP

DivvyCloud by Rapid7

Q1. What are some of the biggest security concerns (and misconceptions) organizations continue to have when it comes to migrating business critical workloads to the cloud?

With cloud adoption, many organizations believe they must choose between security and innovation since the ever-evolving nature and complexity of the cloud makes it impossible to prevent misconfigurations and other security issues. But, this is a false choice.

An asynchronous approach to cloud adoption and the security that should go with it creates tremendous risk. Enterprises are accepting this risk in order to reap the benefits of speed and agility that cloud offers, and they are doing so needlessly. As long as organizations take a comprehensive approach to cloud security, including ensuring the right people, processes and tools are in place at the time of cloud adoption, innovation and security go hand-in-hand.

Q2. A recent survey that DivvyCloud conducted found that a majority of organizations believe cloud adoption is necessary for innovation but are not prepared for the security challenges. Where do the biggest security challenges exist and why?

Enterprise cloud adoption has largely been driven by companies eager to take advantage of its agility. Their developers are often under pressure to rapidly bring new products to market that provide competitive advantages.

Embracing self-service access to the cloud is how companies stay agile and innovative. But the speed of development combined with a lack of cloud security expertise often results in engineers and developers bypassing certain security and compliance policies. A common byproduct of bypassing these policies is data breaches, thanks to misconfigurations and other security glitches.

Shutting down self-service access to the cloud, however, is not the solution. The cloud offers huge benefits for companies looking to get—or stay—ahead of their competitors, and developers being able to spin up new services quickly is key. To allow developers the freedom to innovate without sacrificing security and compliance, enterprises should establish, and enforce, a full lifecycle cloud security strategy.

This starts with enterprises implementing a continuous and automated cloud security solution to detect and remediate threats, such as misconfigurations and compliance violations, in real-time. This allows companies to either automate the remediation of those vulnerabilities or alert the appropriate personnel of the issue before a devastating data leak or breach occurs.

These organizations should also include a more preventive approach by integrating cloud security into the CI/CD process and evaluating Infrastructure as Code (IaC) templates before a build. By shifting security left, they will be better equipped to address many security and compliance issues. Developers are empowered to participate in addressing any security issues because decision-making on how to fix the problem is now at the level that has the most context.

Additionally, companies should strive to adopt the principle of least-privileged access when provisioning IAM permissions in the cloud. While this isn't easy to accomplish, companies can start by using behavior analytics and automated cloud security tools to adjust privileges to include but not exceed the needs of a role.

Lastly, organizations that are not prepared to employ the necessary people, processes, and systems concurrent with cloud adoption (not weeks, months, or years later) will not be prepared adequately. It is only when enterprises address security during cloud adoption that they can ensure continuous security and compliance in the cloud from the start.

Q3. What is DivvyCloud's main focus at Black Hat USA 2020? What do you plan on highlighting at the virtual event?

At this year's Black Hat, DivvyCloud plans to focus on how cloud identity and access management (IAM) is the new perimeter. In cloud and container environments, everything has an identity: users, applications, services, and systems. While cloud provides enormous flexibility, it also requires careful and specialized governance, as every service is potentially reachable by every other one.

With a rapidly growing remote workforce, organizations will need to focus on IAM in their cloud infrastructure. This will ensure employees and users are able to securely access the tools and resources they need to do their jobs or access the resources and services they need to access while thwarting fraudulent, unauthorized attempts from bad actors and even well-intentioned but menacing insiders.

Protecting the identity perimeter at scale requires automated monitoring and remediation around access management, role management, identity authentication, and compliance auditing.

Furthermore, in our session on August 5th at 1:30 pm PST, DivvyCloud's VP of Technology, Chris DeRamus, will discuss Augmenting Native Cloud Security Services to Achieve Enterprise-Grade Security. During the session, he will take a deep dive into what CSPs offer in terms of security and how organizations can use and augment these native CSP security controls to fulfill their security objectives.

Raj Samani
Chief Scientist and McAfee Fellow

McAfee
Q1. What have the lessons of COVID-19 been so far from an enterprise cybersecurity perspective? What security changes do you see it driving within organizations over the next few years?

Criminals are not truthful! We saw claims from threat actors about their intention to not carry out attacks against certain sectors during the pandemic and yet unsurprisingly we have seen a spate of attacks targeting health care and its associated supply chain. These lessons are critical when determining whether a criminal will, for example, provide a decryption key if a ransom is paid, or other extortion related activity is carried out. Also, with the growth in malicious files and domains, our propensity to fall for such lures is particularly high during times of great upheaval.

Q2. What are the security implications of 5G networks? How should organizations be preparing for it?

Well first of all we should disassociate any connection being made between 5G and the spreading of coronavirus, I realise that this may not seem like a necessary requirement to the readership but we have to recognise that these claims have reached a great many people. Now as we move to 5G it is not necessarily the technology itself, but rather what it enables. We all observed Mirai with astonishment that it was caused by connected cameras, amongst other devices. However, this was only the introduction of that type of attack and we can expect rapid innovation in the world of IoT associated with availability of 5G. To be clear, this rapid innovation is a good thing. We absolutely want an environment that will enable devices to improve farming, our energy network, our homes, and almost anything else we can think of. However, there is a need to globally develop support between the private and public sector to ensure such devices have a minimum baseline of security and privacy. No more usernames or passwords of admin, admin. No more implicit consent on the capture and use of PII. Organizations must ensure they consider the level of intrusion such devices can have and help drive a global effort to improve not just security related to IoT but also within their own environments.

Q3. What should attendees expect from McAfee at Black Hat USA?

Every year we present our latest security research and this year promises to be out of this world!! Ahem... I don't want to give too much away but you can expect some tremendous new findings from the McAfee Advanced Threat Research team. Also, get ready for more SOC options from McAfee with a unique solution that shifts cybersecurity left, as well as even more advanced device to cloud protection.

Simon King
VP, Strategic Program Management

Synopsys

Q1. What can developers do to better ensure the security of open source components in their software? Where do the biggest capability gaps exist with regard to testing open source components during the software development life cycle?

When developers work on features, compliance decisions like acceptable licenses and component age can be secondary to getting something into a working state. While prioritizing feature development makes sense, it shouldn't come at the expense of security or expose the business to potential legal issues. That means developers need to ensure they understand the ramifications behind selecting specific open source components. Accomplishing this requires that development teams cultivate strong relationships with their appsec and legal teams.

It's important to also know if the code is secure and how long it takes for vulnerabilities to be resolved when selecting an open source component. When looking at the life cycle of third-party components like those from open source communities, the selection criteria must include patch and update information. In other words, when a new update is released, how would you know about it and how would any patch be applied? Additionally, consider building a pre-approved list of components in a repository.

Unlike commercial software, authors of open source components likely won't know who is using their software. That means they have no method to alert users to patches, which in turn means that unless users proactively engage with the open source development community creating their components, they can quickly become out of date from a patch perspective.

With development teams incentivized to turn out new features, any open source component meeting the desired functional requirements will likely be cached in a binary repository to ensure consistent successful software builds. Without proper management, this process can also be a leading contributor to long-tail vulnerabilities, which then become opportunities for exploit.

Open source software is no more or less secure than commercial variants, with the primary difference being the ability to inspect the underlying source code. Being that open source components are fundamentally third-party code, most commercial development teams won't invest their tooling to directly look for security weaknesses in the open source they use. It's also worth noting that open source is no longer just the source code—containers are often built on open source such as the Linux Kernel or by adding Ruby support. As such, the breadth of open source software is expanding.

Q2. What do you see as the future of application security testing? What kind of capabilities and tools are organizations going to need to ensure their software is secure against threats and compliant with regulatory requirements?

The current state of application security testing is similar to the early days of performance monitoring with discrete tools in a variety of ways, including:

  • Hard coded checkers looking for language-specific patterns (e.g., C++ SQL injection)
  • UI driven tools with very distinct skillsets required (e.g., IAST for QA and SAST for developers)
  • The nature of the tools and the roles to use them dictate where they can be applied within the pipeline
  • Organizations often abdicate security responsibility to the tools without considering other options such as blameless post-mortems

However, none of this is scalable. Performance isn't fast enough for modern pipelines and there simply aren't enough skilled resources. DevOps needs to be augmented with:

  • Soft coded, tunable checkers with uniform configuration
  • Policy-driven activation to run the right test at the right time within the pipeline
  • APIs that integrate with CI/CD tools that also offer feedback loops with the developer through the IDE
  • Manual and automated flagging of checks with automated workflows to check and reduce the number of false positives

The future is that security is an invisible component of software pipelines, actively helping developers build more secure software. Customers will require a platform, which provides a common user interface for findings, the ability to filter those based on relevance, and supports automated remediation actions.

Some key capabilities that will ensure software is as secure against threats and regulatory requirements as possible include:

  • Integrating multiple tools addressing various security aspects to enable full coverage
  • Handling multiple results sets from different testing tools for an integrated perspective
  • Correlating findings to recommend automated triage and remediation workflows
  • Anonymizing findings across multiple pipelines to generate data volumes for machine learning
  • Supporting a community of application security champions sharing ideas and increasing engagement

Q3. What do you want organizations that participate in the Black Hat USA 2020 virtual event to know about Synopsys and its capabilities in the application security space?

Synopsys is focused on helping teams build security into DevOps. You can see this in our technology solutions including the Code Sight IDE plugin as well as the Polaris platform which integrates static application security testing (SAST), software composition analysis (SCA), and interactive application security testing (IAST) into the DevOps toolchains.

We also address the people and process aspects of DevSecOps with a variety of application security services including risk assessments, program development, and security testing services. This holistic approach, also encapsulating eLearning and instructor-led training, helps teams build more secure software consistently—without compromising velocity.

Scott Lundgren
VP and CTO

VMware Carbon Black

Q1. Endpoint detection and response technologies are becoming increasingly SIEM-like in capabilities. Are we getting to a point where they overlap so much that EDR replaces SIEM? Or, do you foresee a need for both EDR and SIEM for the near-term at least?

The reality is, EDR and SIEM will co-exist for years to come. At Connect 2020, VMware Carbon Black's annual cybersecurity conference, we announced the creation of a Next-Gen SOC Alliance. The alliance empowers SOC teams with visibility, prevention, detection and response capabilities that can uniquely leverage the VMware fabric and features industry leaders: Splunk, IBM Security, Google Cloud's Chronicle, Exabeam, and Sumo Logic.

The Next-Gen SOC Alliance brings a critical mass of XDR (Extended Detection and Response) context and capabilities to SOCs in a fully intrinsic way. In partnership with the industry's leading SIEM and SOAR players, our vision is to establish the modern SOC, delivering unprecedented visibility and remediation capabilities across endpoints, networks, workloads, and containers.

Additionally, VMware Carbon Black is looking to expand beyond EDR into XDR by pulling telemetry across the VMware infrastructure, cloud and network portfolios.

Q2. What do organizations need to understand about approaching security as a big data problem and the reasons for it?

The threat landscape continues to present new and complex challenges and as a result, security technology is advancing to meet the unique needs of these environments. As security teams enhance their threat hunting capabilities, the ability to utilize unfiltered security data is critical in providing high levels of visibility into attacker activity.

Next-generation endpoint security today is all about keeping pace and staying ahead of attackers. And one of the only ways to do so is through comprehensive insights that can only be derived from big data analytics. Without big data analytics, companies can only focus on finding and stopping known methods and attacks, which leaves them vulnerable to new and emerging attacks. Security people must be able to predict and prevent not only known attacks, but future and unknown ones too.

Q3. What are VMware Carbon Black's plans for Black Hat USA 2020? What do you plan on highlighting at the virtual event?

This year has presented a number of unprecedented challenges for security professionals. At Black Hat USA 2020, we will unveil the VMware Carbon Black Global Incident Response Threat Report, which explores the evolving surface area for cyberattacks amid COVID-19. Specifically, it reports on the increase of counter incident response and island hopping. Additionally, VMware Carbon Black will host a Threat Hunting On-Demand Workshop, offering conference attendees a virtual hands-on threat hunting experience with the Endpoint Enterprise bundle on the VMware Carbon Black Cloud and a chance to learn about the unique challenges facing security teams as workforces shift to remote work.

Our cybersecurity strategists and threat researchers will also be on hand for a number of featured sessions, including:

  • Third Party Risk in 2020: How Island-Hopping, Third-Party Applications and Supply Chain Vulnerabilities Are Leading to Data Breaches
  • Mitigating Cyber Escalation: Modernizing Cybersecurity with Intrinsic Security
