Interviews | July 27, 2018

Black Hat USA Workshop Sponsor Interviews: Amazon Web Services, Citrix Systems, CrowdStrike, F5 Networks, NSS Labs, RSA

Stephen Schmidt
Vice President and Chief Information Security Officer, Amazon Web Services

Q1. Security has long been a concern for organizations looking to migrate workloads to the cloud. Describe for us some of the controls and measures that AWS has implemented to help organizations address those concerns.

The security measures deployed throughout AWS services, and verified through our third-party audits, provide a high level of assurance to prevent and address security concerns. AWS aligns with thousands of security controls across dozens of compliance regimes, providing security capabilities and services to control network access, increase privacy, and allow for security at scale. AWS provides tools and features that enable customers to see exactly what's happening in their AWS environment: deep visibility into API calls through AWS CloudTrail, including who, what, when, and from where calls were made; log aggregation options that streamline investigations and compliance reporting; and alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded. These tools and features give customers the visibility to spot issues before they impact the business.

AWS also provides identity and access management integration across many services - plus API integration with customer applications. Specific highlights of our access management suite of tools include the ability to define individual user accounts with permissions across AWS resources, multi-factor authentication for privileged accounts, including options for hardware-based authenticators, and the AWS Directory Service which allows customers to integrate and federate with corporate directories.

Additional protections for customers include network firewalls built into Amazon VPC to create private networks, web application firewall capabilities in AWS WAF, and connectivity options that enable private, or dedicated, connections from your office or on-premises environment. Finally, AWS offers customers the ability to add an additional layer of security to data at rest in the cloud, providing scalable and efficient encryption features with flexible key management options, including AWS Key Management Service, allowing customers to choose whether to have AWS manage the encryption keys or to retain complete control over the keys themselves.
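The answer above describes CloudTrail as the source of the "who, what, when, and from where" of every API call and CloudWatch as the alerting layer. The following is an added example, not AWS code or anything from the interview, of the triage logic a SOC typically runs over CloudTrail records before deciding what to alert on. The record shapes follow the CloudTrail JSON format (a `Records` array with `userIdentity`, `eventName`, `eventTime`, `sourceIPAddress`, and `additionalEventData.MFAUsed` on console logins); the events themselves are constructed, and the set of "known" corporate egress addresses is an assumption supplied by the caller.

```python
"""Added example: triage CloudTrail records for who/what/when/where and flag
conditions a SOC commonly alerts on (root console login, console login
without MFA, trail tampering, activity from an unknown source address).
The sample log below is constructed, not captured from a real account."""
import json

# Constructed sample in the CloudTrail log-file shape: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-07-20T09:12:03Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2018-07-20T09:15:44Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2018-07-20T23:02:11Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-07-20T23:05:30Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "Root"}},
]})

# CloudTrail API names that disable or alter the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def actor(record):
    """Who: IAM user name when present, otherwise the identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def summarize(record):
    """The (who, what, when, where) tuple the answer describes."""
    return (actor(record), record["eventName"],
            record["eventTime"], record["sourceIPAddress"])


def findings(log_text, known_ips):
    """Return a list of (finding, who, when, where) over a CloudTrail JSON document.

    known_ips is the set of expected corporate egress addresses; anything
    else is reported as an unknown source (assumption: the caller maintains it).
    """
    out = []
    for rec in json.loads(log_text)["Records"]:
        who, what, when, where = summarize(rec)
        if what == "ConsoleLogin":
            mfa_used = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if not mfa_used:
                out.append(("console_login_without_mfa", who, when, where))
            if rec.get("userIdentity", {}).get("type") == "Root":
                out.append(("root_console_login", who, when, where))
        if what in TRAIL_TAMPERING:
            out.append(("trail_tampering", who, when, where))
        if where not in known_ips:
            out.append(("unknown_source_ip", who, when, where))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG, {"198.51.100.10"}):
        print(f)
```

In a real deployment the same conditions would be expressed as CloudWatch metric filters or EventBridge rules over the CloudTrail stream; the value of writing them out once in plain code is that each finding is reviewable and testable before it becomes an alert.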

Q2. How is AWS helping organizations meet compliance and data residency requirements particularly with respect to regulations like GDPR?

Regulatory sovereignty over data can be achieved while taking advantage of the cost and security benefits of AWS. Examples of such sensitive data include financial transactions and personal data (also referred to in some countries as Personally Identifiable Information, or PII). It's crucial to note that the customer retains complete control and ownership over the region in which data is physically located, making it easy to meet regional compliance and data residency requirements. As a customer, you choose the AWS Region(s) in which your customer content is stored, allowing you to deploy AWS services in the location(s) of your choice, in accordance with your specific geographic requirements. For example, if an AWS customer in Australia wants to ensure their data is located only in Australia, they can choose to deploy their AWS services exclusively in the Asia Pacific (Sydney) AWS Region.

Customers can also replicate and back up content in more than one AWS Region, and we will not move or replicate your content outside of your chosen AWS Region(s) without your consent. Additionally, data can be securely transferred over the public Internet with the use of TLS, or using a VPN connection established between the Virtual Private Gateway of the VPC and the Customer Gateway residing in-country. Customers may also establish private connectivity between AWS and an in-country datacenter by using AWS Direct Connect, which in many cases can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience compared to Internet-based connections.

Q3. What is AWS' main security messaging going to be at Black Hat USA 2018? What are some of the topics that AWS expects to focus on the most at the event?

Visibility and awareness. Running workloads on AWS enables our customers to match and supersede their BUs' pace of innovation with the pace of security, enabling the BUs to continuously evolve their services without security being a blocker. One key component for any security and compliance organization is visibility and awareness: knowing what is happening in your environment and what should be considered an anomaly.

It is important for customers to understand how to gain the needed visibility into an ever-changing environment, how to take advantage of the same concepts that their BUs are using, and how to begin not only securing things like the CI/CD pipeline for the application lifecycle but also building their own secure pipelines. To help with this, AWS is running multiple workshops during Black Hat where customers and partners can join and learn more about how to detect anomalies, using anything from managed services powered by Machine Learning to building your own detection and remediation framework.

Stan Black
Chief Security and Information Officer
Citrix Systems

Q1. Explain for us the strategy behind Citrix's people-centric security approach. What exactly does that mean, and how is it actually being implemented in your security products and services?

Go to any security conference and see thousands of vendors trying to sell you some shiny new tech to solve all of your security challenges. They include IDS/IPS, AV/AM, next-gen tech, AI/ML/analytics, end-point, CASB, network, OS, app, cloud, etc. [Yet], 10,997,846,643 records have been breached since 2005. These point tech solutions have only treated symptoms, but never resolved the root cause of many security challenges. Unlike individual technology providers, Citrix technology integrates the network, OS, apps, cloud and device uniformly. This reduces layers of technology slowing people down from doing their job. Citrix provides guardrails to protect users while also protecting them from potential threats and allowing them to maintain productivity on the device, location and network of their choice.

Q2. How will enterprises benefit from the recently announced Citrix Analytics Service? What specific business or security issues are you helping enterprises address with the service?

Citrix Analytics will give enterprises an end-to-end view, which today requires numerous and complex layers of people, process, and technology. Our analytics solution is a unified source of IT and Security telemetry that will enable companies to filter out and allow "normal" behaviors, while focusing in on operational trends and anomalies that may pose a risk. Common issues of service degradation and asset/credential compromise can be identified and remediated quickly with little to no impact on user activity. We're removing the complexity of finding threats to enable IT and security teams to find and remediate them faster.

Q3. Citrix offers a pretty broad range of security products and services. Are there any products or technology areas that you plan to focus on specifically at Black Hat USA 2018?

At Black Hat we will be offering demonstrations of our networking portfolio, namely the Citrix Analytics and application delivery solutions, as well as the Citrix Workspace. These demonstrations will show how we've incorporated technology like user behavior analytics, secure browsing capabilities, cloud application control and more to provide a more comprehensive, people-centric approach to solving security business challenges.

Citrix solutions move beyond point products to protect apps, data and infrastructure with a unified security approach. Other approaches to security are stitched together, ad hoc, and include point products that create complexity and hinder visibility and control. As attackers change and adapt to threaten infrastructure, devices, apps, data, and users, organizations need security that's just as dynamic, with a fine level of control over access that adjusts to contextual factors like location and user behavior, and a broad and integrated view of distributed IT to help identify and stay ahead of threats.

Visit our booth #252 to learn more about the Citrix Workspace solution, which provides Unified Endpoint Management, enhanced EMS/Intune and Office 365 security, our Secure Mail client, and Secure Content Collaboration.

Sven Krasser
Chief Scientist

Austin Murphy
Vice President of Managed Services

Q1. Sven, what questions should enterprises be asking vendors when shopping for machine learning enabled cybersecurity tools in their environment?

First and foremost, it is important to understand Machine Learning (ML) as a tool that is available to us. It is not in itself a solution, and it cannot magically create value from nothing. For enterprises, the first question should not be if a vendor uses ML (which is table stakes at this point) but how said vendor uses ML to increase security.

ML works well when large amounts of Big Data are available, for example, in the cloud. Case in point, Netflix—think cloud—gives better movie recommendations than a local Blockbuster clerk—think appliance. Not just the sheer scale of the data matters, but also the richness. The more facets the data covers, the faster a cohesive and broad picture emerges. Solutions working on small datasets with few facets can perform reasonably well on variations of known threats but are unlikely to generalize well to new threats. Hence, important questions to ask are what data the vendor is able to leverage to train ML, what its size is, and what facets it covers.

Next, with ML algorithms vendors have the ability to make trade-offs between false negatives—missed detections—and false positives or false alarms. The gamut of possibilities is generally expressed using a Receiver Operating Characteristic, or ROC, curve. It is surprisingly easy to achieve high detection rates when allowing for high false positive rates as well. However, in the security space, alarm fatigue will quickly erode any value of additional detections. Enterprises should ask their vendors how this trade-off is balanced and how the corresponding metrics are captured in the field.

Lastly, all hype aside, ML is no panacea. Enterprises should evaluate how products avoid the "silent failure" scenario of long-standing undetected adversaries in the face of the inevitable missed detection.
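The answer above makes a point that is easy to state and easy to underestimate: on an ROC curve, a high detection rate is cheap if you accept a high false positive rate, and in security the false positives are what the analysts actually have to look at. The following added example (not CrowdStrike's code, and not from the interview) builds an ROC curve from a set of scored samples and then converts each operating point into expected true and false alerts per day at a realistic base rate. The sample scores, the event volume, and the malicious fraction are constructed.

```python
"""Added example: ROC operating points and the alert volume they imply.
SAMPLES is a constructed set of (classifier_score, is_malicious) pairs;
higher score means more suspicious."""

SAMPLES = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True), (0.75, True),
    (0.70, False), (0.65, True), (0.60, False), (0.55, False), (0.50, True),
    (0.45, False), (0.40, False), (0.35, True), (0.30, False), (0.25, False),
    (0.20, False), (0.15, False), (0.10, False), (0.05, False), (0.02, False),
]


def rates_at(threshold, samples):
    """True positive rate and false positive rate when alerting on score >= threshold."""
    tp = sum(1 for s, m in samples if m and s >= threshold)
    fn = sum(1 for s, m in samples if m and s < threshold)
    fp = sum(1 for s, m in samples if not m and s >= threshold)
    tn = sum(1 for s, m in samples if not m and s < threshold)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def roc_curve(samples):
    """(FPR, TPR) points obtained by sweeping the threshold over every distinct score."""
    thresholds = sorted({s for s, _ in samples}, reverse=True)
    points = [(0.0, 0.0)]  # threshold above every score: nothing fires
    for t in thresholds:
        tpr, fpr = rates_at(t, samples)
        points.append((fpr, tpr))
    return points


def auc(points):
    """Area under the ROC curve by the trapezoid rule (0.5 is a coin flip)."""
    pts = sorted(points)
    area = 0.0
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def daily_alerts(threshold, samples, events_per_day, malicious_fraction):
    """Expected (true alerts, false alerts) per day at this operating point.

    events_per_day and malicious_fraction are assumptions about the
    environment; the base rate is what turns a small FPR into a large queue.
    """
    tpr, fpr = rates_at(threshold, samples)
    malicious = events_per_day * malicious_fraction
    benign = events_per_day - malicious
    return tpr * malicious, fpr * benign


if __name__ == "__main__":
    print("AUC:", round(auc(roc_curve(SAMPLES)), 3))
    for t in (0.75, 0.50):
        tpr, fpr = rates_at(t, SAMPLES)
        true_a, false_a = daily_alerts(t, SAMPLES, 1_000_000, 1e-4)
        print(f"threshold {t}: TPR={tpr:.2f} FPR={fpr:.2f} "
              f"-> {true_a:.0f} true / {false_a:.0f} false alerts per day")
```

With one million events a day and one malicious event in ten thousand, lowering the threshold from 0.75 to 0.50 raises the detection rate from 4/7 to 6/7 but raises the false positive rate from 1/13 to 4/13, which at that base rate is roughly 77,000 versus 308,000 false alerts a day against fewer than 100 true ones. That is the trade-off the answer says to ask vendors about, and why the field metrics matter more than the curve.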

Q2. Austin, isn't it risky for CrowdStrike to be offering a $1 million security breach warranty on its Falcon Endpoint Protection Platforms (EPP) Complete service when enterprises are getting breached through the endpoint all the time? What's behind the confidence?

EPP Complete represents CrowdStrike's most comprehensive solution with respect to endpoint security. We believe that an effective strategy brings together detection, prevention, and response and when you can do that effectively, you can resolve incidents early enough in the kill chain that they never become a data breach. We are able to have confidence in our solution because our technology is solid, and our approach is sound. Most managed service providers focus on triaging alerts and sending notifications over to their customers, but CrowdStrike puts in the additional effort to disrupt attacks and remediate compromises when detected, so we can be confident that incidents will be handled quickly and effectively.

Q3. Sven, what are some of the best use cases for machine learning in cybersecurity? In what areas within cybersecurity do you expect to see ML helping the most?

As we already established, ML works best with large-scale data with many facets. Such datasets also tend to be the ones that are most challenging to human analysts, for example, when manually reviewing data or when deriving rules and heuristics. Algorithms have no problems scaling to high-dimensional data with millions of facets while humans quickly bump into the limitations of a brain evolved for a three-dimensional world.

Moreover, Machine Learning also means constant learning. It's not about cranking out a single model, but about setting up processes that allow for continuous improvements. Areas in which ML works well tend to allow for the creation of virtuous feedback loops, which provide input on misclassifications and result in every iteration of ML becoming better and better. Being able to quickly and scalably evaluate the accuracy of detections is an enabling factor, which is found, for example, in the Endpoint Detection and Response (EDR) domain.

Finally, while lots of data is a good start, the quality of data is a crucial factor as well. Pre-filtered, noisy, or un-normalized data, some of which can be encountered in SIEMs or security data lakes, is harder to tackle than data sources that have been created with ML in mind.

Q4. Austin, why is it important for CrowdStrike to be at Black Hat USA 2018? What can attendees expect from CrowdStrike's presence at the event?

We want to help organizations stop breaches. At Black Hat this year we're doing that by educating customers on new offerings and solutions like EPP Complete, Falcon X and the new modules and enhancements to our Falcon Endpoint Protection Platform. You will definitely feel our presence at Black Hat this year. We're doing a major product launch, speaking in several sessions, hosting a party and of course we're demonstrating advanced attack and defend scenarios in our booth on the show floor. Visit the CrowdStrike Black Hat page.

Ray Pompon
Principal Threat Research Evangelist
F5 Networks

Q1. F5 recently announced a new application services offering for multi-cloud environments. What are some of the specific security challenges within these environments that the service is designed to address?

The application development trend of "continuous delivery" has pressured many organizations into having per-app infrastructure models, each with its individual, on-demand deployment capabilities. This can be a good thing, since separate infrastructure can significantly lower the "blast radius" of any breach; however, it also increases the chance that something will be misconfigured, like a security policy. BIG-IP Cloud Edition is designed to allow IT to deploy effective security policies for each application no matter what cloud or infrastructure they're built on. This allows app teams to deliver without having to wait on the security teams to implement protections.

Q2. What are some of the trends in the threat landscape that are driving changes in the Web Application Firewall space? How has F5 evolved its own technologies to address these changes?

More breaches start with application attacks than with any other target—identities, networks, physical, loss, insider—[and account] for between 33% and 53% of breaches. In 2017 we found that 58% of global attacks were targeting PHP, and 56% SQL. Forty-six percent of the PHP attacks were SQL Injection themselves. There is continued effort to exploit well-known and widely deployed frameworks using tried and true attack vectors such as SQL injection and XSS. We've also seen a marked increase in DDoS targeting the application layer. Volumetric DDoS has become so prevalent that mitigation services have become part and parcel of conducting business online. As a result, attackers have had to adjust tactics and find new ways to cause outages. As a recent case with ProtonMail showed, it is still feasible for inexperienced attackers—aka script kiddies—to launch fairly effective attacks using YouTube tutorials and free toolkits online.

F5 has remained at the forefront of WAF technology development and was the first to market with many significant defensive capabilities such as client/device fingerprinting using JavaScript injection, Proactive Bot Defense to identify non-human clients, and Layer 7 Behavioral DoS protection. We've made advanced features, once relegated to financial-services markets, available for broader adoption by moving them into our mainstream WAF solutions. We've also made WAF technology more accessible to more application owners through our various offerings and initiatives, including F5 Advanced WAF, BIG-IP Cloud Edition, Silverline WAF Express, F5 WAF for Microsoft Azure Security Center, and F5 Rules for AWS WAF.

Q3. What is F5's messaging focus at Black Hat USA 2018? What do you want attendees to know about your company's security offerings?

What makes an app an app? Is app security, as we've known it, keeping pace with today's threats? Exploring and answering those questions is the driving force behind what we do at F5. After all, you can't secure what you don't understand. With the majority of data breaches happening at the app level, knowing what an app really is—how it's composed and what makes it vulnerable—is crucial for securing it.

The F5 Labs threat intelligence team delivers leading, up-to-the-minute research that informs not only our experts and our larger security community but also F5's next-gen products. Our integrated security solutions proactively mitigate threats targeting every tier of the app—from the network layer to the app infrastructure itself (DNS and TLS), the access controls, and app services.

F5 security solutions protect against the primary risks associated with your apps, no matter how or where you choose to deploy them.

Vikram Phatak
NSS Labs

Gautam Aggarwal
NSS Labs

Q1. Vikram, what do you see as NSS Labs' biggest contribution to the cybersecurity industry? How are enterprises using your company's services to bolster their security capabilities?

NSS Labs' mission is to advance transparency and accountability in the cybersecurity industry. Security vendors can make some pretty outlandish claims. We arm enterprises with the facts about what products do and what they don't do so that they can make informed decisions.

Enterprises read our independent Group Test reports, speak to our analysts and subscribe to our continuous security validation service to better understand where they stand and how their security products are performing.

In 2018, enterprises are expected to spend $96 billion on cybersecurity products and services. The World Economic Forum estimates that global losses due to cybercrime have reached $0.5 Trillion in 2017 and over the next five years are expected to reach $8 Trillion. For the sake of argument, even if losses increase by just 2x, they will exceed $1 trillion by 2022. As our world becomes increasingly connected, we're going to have to move from cybersecurity being a dark art to a data-driven, scientific and scalable discipline. This is where NSS Labs can help.

Q2. Gautam, it has been a year since NSS Labs rolled out CAWS 3.0. What has the response been so far? What impact do you see regulations such as GDPR having on demand for services like it?

First, we realized CAWS was a step on the journey to continuous test and continuous security validation. Enterprise customers have responded with strong interest, consistently remarking that it meets an otherwise unfilled marketplace need to continuously measure the effectiveness of security products. Customers using our service see better security efficacy, performance, and cost of ownership from their existing security products. Many have also said its real-time analysis enables them to optimize their IT spend, rationalize their investments and focus resources on the areas that will most improve defenses in real-time.

GDPR presents some tough questions and uncertainties for global enterprises. One potential challenge organizations may have to contend with is the race to "real-time." Many businesses have been able to meet compliance specifications by undergoing regular, periodic security assessments. However, under the GDPR [Article 5(2), 30, 32, 25, 36], an organization must show they are "using technology for continuous monitoring of data and continuous evaluation of vulnerabilities." Affected businesses now must demonstrate they have the ability to make risk management decisions guided by up-to-the-minute cyber risk data. This is one way we anticipate GDPR may influence demand for the NSS Labs service.

Businesses generally measure success using key performance indicators (KPIs) for marketing, sales, operations, HR and product quality. However, good KPIs for cybersecurity have been hard to come by. In most cases, security KPIs report that work is getting completed and are good for capacity planning – how many logs do we process? How many will we process next year? However, they are not good measures of risk.

GDPR presents an opportunity for security teams to adopt a continuous measurement and validation approach that establishes metrics and KPIs that assess the true effectiveness of their security programs. This puts security professionals in a better position to measure their effectiveness in ways that are meaningful and impactful to the business and drive effective decisions and actions.

Q3. Vikram, NSS Labs recently initiated group test coverage of the Endpoint Detection and Response Market. What drove your decision to initiate test coverage for this space? In general what is your process for deciding when it is time to start covering a particular technology or product?

NSS Labs' decision to initiate group test coverage of EDR was driven in large part by enterprise customer feedback and inquiries for guidance on these technologies. While EDR will eventually be incorporated into AEP, enterprises have a need to buy product today. In 2017, NSS Labs did an extensive study of enterprise architectures. We discovered that 93.6% of US enterprises currently deploy endpoint security products; of those, 18.4% currently deploy stand-alone EDR products.

Our process for deciding when it is time to initiate coverage of a particular technology or product category is determined by a number of factors, the most important of which is enterprise customer interest. When we see an uptick in inquiries about a specific technology or our analysts learn about an interesting technology, those are factors we consider when determining which product categories to cover.

Q4. Gautam, if there's one thing you would like attendees at Black Hat USA 2018 to learn about NSS Labs, what would it be and why?

I would like Black Hat 2018 attendees to learn more about NSS Labs' journey to advance transparency and accountability in the cybersecurity industry. At Black Hat 2018, there are multiple ways for attendees to engage with NSS Labs. This year we are hosting workshops for attendees to learn more about how to obtain real-time metrics about the efficacy of their cybersecurity products, and they'll also hear about the results from two of our most anticipated group tests (Next Generation Firewall and Software-Defined Wide Area Network).

NSS Labs is most widely known for its independent group tests and this expertise is foundational to other information services we offer such as our Continuous Security Validation solution. At Black Hat, attendees can see a live demo to learn more about how an international bank and a top-five management-consulting firm are leveraging NSS Labs to make metrics-based cybersecurity decisions.

There are multiple ways for enterprises to engage and transact with NSS Labs beyond our group tests. We're excited to share those with attendees at Black Hat.

Grant Geyer
SVP, Products

Q1. How will the Fortscale acquisition expand RSA's capabilities? How will enterprises benefit from it?

Ask any CISO about the jobs they must get right and they'll broadly talk about two: keeping the bad guys out – the responsibility of the Security Operations Center (or SOC), and letting the good guys in - the responsibility of the Identity and Access Management (IAM) team. At RSA, we believe these two jobs aren't different processes, but really are two sides of the same coin tied together by identity. You see, almost every breach consists of the takeover of user credentials, giving hackers easy access to critical resources.

Both the SOC and IAM teams have a critical role to play in thwarting a breach. The SOC must be able to detect suspicious user activity and stop the hackers before they steal critical information. The job of the IAM team is to prove that users are who they claim to be and deny access if they're acting suspiciously. Therefore, with the right insights into identity, the SOC and IAM teams become heroes in protecting the enterprise. As part of RSA's product vision, we believe the way to connect the SOC and IAM disciplines is with User & Entity Behavioral Analytics (UEBA) – a capability that benefits both functions by baselining user behavior and providing insight when anomalies occur.

RSA NetWitness Platform has integrated Fortscale's User and Entity Behavioral Analytics (UEBA) engine, strengthening our evolved SIEM and threat defense platform by identifying deviations from normal user behaviors and uncovering risky and previously hard-to-detect threats. By understanding behavior, RSA NetWitness Platform can highlight potential threats, such as shared user credentials, privileged user account abuse, geolocation, and remote access anomalies.

We also plan to leverage the Fortscale UEBA capability to help the IAM team. Any suspicious user activity that the SOC detects becomes another set of insights to help the RSA SecurID Access risk engine determine the right level of assurance to prove that the user is legit. If the RSA NetWitness Platform can either trigger a workflow – or even better, an automated feed – that provides input to RSA SecurID Access, we can enable the SOC and IAM team's day-to-day activities to help each other.

Q2. What are some of the biggest challenges organizations face when it comes to quantifying the financial risks of cybersecurity events? How does RSA Archer Cyber Risk Quantification help?

Digital risk has become the greatest facet of risk most organizations now face, driven by this global acceleration of digitization we're experiencing. It's an issue that has risen well above the security group, and is forcing executives and boards to think beyond the core competency of their organization; because in many cases, they've transformed into a digital business.

Meanwhile, the security function, which has largely evolved from the technical ranks, is racing just to keep up with the forces of modernization, malice, and new mandates. They're struggling not just to keep up with alerts, but also to prioritize where to focus their resources, and to answer broader, business-level questions such as "How is this affecting our overall exposure?" or simply "Are we doing enough?"

There's a gap (in both competence and communication) between the business and the security function, and it's stifling forward momentum and sound decision-making. RSA Archer Cyber Risk Quantification utilizes a purpose-built platform leveraging the Factor Analysis of Information Risk (FAIR) methodology – the de facto standard for quantitative risk management for IT and cybersecurity. It helps CISOs prioritize based on business and financial impact, and communicate the impact of cyber risk in financial terms to senior management and boards of directors.

It's also built for fast returns with a set of modular apps to help organizations quickly begin quantifying cyber risk in financial terms, including mathematical simulations to build a risk profile with limited data. It operates on-demand, answering questions on the fly, eliminating the need to create time-consuming and outdated reports. We're really excited about how this enables security teams to be more organizationally impactful, and promote better risk-informed decision-making.
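The two paragraphs above describe FAIR-based quantification driven by "mathematical simulations to build a risk profile with limited data." The following is an added example, not RSA Archer's implementation and not from the interview, of the core of that approach: a Monte Carlo simulation in which annual loss is the sum of loss magnitudes over the loss events occurring in a year, with both Loss Event Frequency and Loss Magnitude given as (minimum, most likely, maximum) estimates sampled from triangular distributions, which is how FAIR practitioners calibrate inputs when historical data is thin. The scenario figures are constructed, and the "control" comparison is a simplification: it models a control purely as a reduction in event frequency.

```python
"""Added example: minimal FAIR-style Monte Carlo for annualized loss.
Estimates are (min, most_likely, max) triples; all numbers are constructed."""
import random
import statistics


def tri(rng, estimate):
    """Sample a (min, mode, max) estimate. random.triangular takes (low, high, mode)."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)


def simulate_annual_loss(lef, lm, years=10_000, seed=1):
    """Simulate `years` independent years and return the loss in each.

    lef: Loss Event Frequency estimate, events per year.
    lm:  Loss Magnitude estimate, cost per event in currency units.
    The seed makes the run reproducible so results can be reviewed.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n_events = int(round(tri(rng, lef)))
        losses.append(sum(tri(rng, lm) for _ in range(n_events)))
    return losses


def risk_profile(losses):
    """Summary a board can read: expected annual loss plus tail percentiles."""
    s = sorted(losses)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {
        "ale": statistics.fmean(s),   # annualized loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": s[-1],
    }


def control_benefit(lef, lm, lef_with_control, years=10_000, seed=1):
    """ALE before and after a control that lowers event frequency (simplification)."""
    before = risk_profile(simulate_annual_loss(lef, lm, years, seed))["ale"]
    after = risk_profile(simulate_annual_loss(lef_with_control, lm, years, seed))["ale"]
    return before, after, before - after


if __name__ == "__main__":
    # Constructed scenario: credential-phishing losses for one business unit.
    LEF = (0.5, 2.0, 6.0)                   # events per year
    LM = (20_000, 80_000, 400_000)          # cost per event
    profile = risk_profile(simulate_annual_loss(LEF, LM))
    for k, v in profile.items():
        print(f"{k}: {v:,.0f}")
    before, after, saved = control_benefit(LEF, LM, (0.2, 0.8, 2.5))
    print(f"ALE before {before:,.0f}, after {after:,.0f}, reduction {saved:,.0f}")
```

The output is an annual loss distribution rather than a single number, which is what lets the p90 and p99 figures be compared against a control's cost; that is the "financial terms" framing the answer refers to.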

Q3. What are RSA's plans at Black Hat USA 2018? What are some of your key focus areas at the event?

At Black Hat USA 2018, we're asking a provocative question: "Can your SOC do this?" When I use the term SOC, I'm referring to a set of capabilities and not a place. With so many organizations embarking on a digital transformation, the SOC capabilities have never been more critical to spotting threats that put the corporation at risk. Additionally, it can no longer function alone in a security silo. Critical integrations are now required across business functions, especially with IT, and risk and compliance functions to ensure analysts have the right context to determine the criticality and urgency of incidents they are investigating.

To that end, we'll be spotlighting critical capabilities such as pervasive visibility of logs, packets, netflow, and endpoints, UEBA, integrated hunting and forensic capabilities, and new orchestration and automation that make security analysts more efficient and effective. We'll also demonstrate how the SOC has a critical role to play as part of a broader, integrated digital risk management function. We have a unique, phased approach to providing visibility, insights, and action across organizations to better manage digital risk. We'll be featuring our newly introduced RSA Risk Frameworks, a set of advanced maturity models we use to help organizations develop and execute strategies to improve risk management in areas such as cyber-incident readiness, third-party risk, privacy risk, and business continuity. Of course, we'll be demonstrating the combined power of RSA products for enabling digital risk management across organizations.