This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Interviews | July 28, 2022
Executive Q&A Interviews: Akamai, Palo Alto Networks, Secureworks, Technology Innovation Institute, VMware
Q1. Akamai recently launched Audience Hijacking Protector. Why do organizations need it? What issue is it designed to help them address?
Akamai is very excited about the launch of Audience Hijacking Protector. This solves an important set of challenges that businesses face today. Visitors to websites bring with them a collection of browser plugins and potential malware. These browser plugins can intercept the intended conversion funnel by luring users to competitive sites via ads that are being served. These in-browser plugins can also abuse affiliate programs to pull affiliate payments to a fraudster-controlled account. Akamai Audience Hijacking Protector allows website operators to have visibility and control into which plugins are running for visitors to their website.
Q2. Akamai has been doing a state of the Internet report for some time. What were the main takeaways for enterprise organizations from your latest report?
Akamai’s research teams have produced several interesting reports. One report is focused on Akamai’s research into the Conti Ransomware gang. As members of the gang have turned on one another, they have provided researchers with a very detailed look inside the organization. This report reviews lessons learned about tooling, strategy, and operations of the ransomware gang. It offers many lessons for defenders. For example, understanding that the goals of these gangs are to establish network dominance before moving on to the final stages of the attack—encryption, exfiltration—gives defenders a good idea of how best to thwart these attackers.
Akamai has also published reports examining the trillions of DNS queries we see every day as well as a report focused on web application and API attacks. There have been some interesting shifts in web app attack trends, as SQL Injection has been dethroned by Local File Inclusion as the leading attack technique.
Q3. What’s Akamai’s main messaging at Black Hat USA 2022? What are you hoping customers will take away from your company’s presence there?
Akamai has a series of reports that have been produced by our Threat Research Teams that are being shared at Black Hat. This research shines a light on the inner workings of a Ransomware-As-A-Service gang to understand how they work. Akamai is also sharing insights from our unique perspective into Web Application and DNS threat Data. Additionally, Akamai is excited to share a variety of innovations that have been made to the Akamai suite of Security tools including the recently launched Audience Hijacking Protector.
Q1. When looking at the current and emerging threat landscape, what trend concerns you the most? What kind of changes should organizations be making to their security posture to prepare for it?
As I look at the threats Unit 42 has addressed over the last year, I think one of the more concerning trends is the evolution of the Ransomware as a Service business model that enables even the least sophisticated of bad actors to make large sums of money off of victim organizations.
In 2021 we tracked at least 56 active RaaS groups, some of whom have been operating since 2020. Due to the success of these groups, we expect activity of this type to continue to grow. Further, we expect that we will continue to see “entrepreneurial” threat actors looking to capitalize on a growing number of cybercriminals who want in, often offering RaaS as an easy solution. This affiliate business model will continue to expand with agreements that set the terms for providing actual ransomware to affiliates, often in exchange for monthly fees or a percentage of ransoms paid. RaaS makes carrying out attacks that much easier, lowering the barrier to entry and expanding the reach of ransomware.
In terms of changes organizations can make to improve security, we recommend they stay up to date on the threat landscape. In addition, we recommend the following:
- Ensure access to confidential information is on a need-to-know basis and conduct a business impact analysis to fully understand the risks associated with not having access to critical data both from an upstream and downstream perspective.
- Assess the most significant ransomware risks ahead of you within the context of your unique combination of people, processes, technology, and governance capabilities.
- Review, test, and update your incident response plan on a regular basis leveraging the latest ransomware threat intelligence to conduct tabletop exercises and purple team testing simulations.
- Eliminate implicit trust and continuously validate every stage of digital interaction. The Zero Trust Model has become increasingly top of mind for executives who need to keep up with digital transformation and adapt to the ever-changing security landscape.
- Implement a system of record to track every asset, system, and service you own that is on the public internet. This includes tracking across all major cloud service providers and dynamically leased (commercial and residential) Internet Service Provider (ISP) space, using comprehensive indexing and spanning common, and often misconfigured, port/protocols (i.e., not limited to the old perspective of only tracking HTTP and HTTPS websites).
- Prevent known and unknown threats. To prevent known threats, you need to stop known exploits, malware, and command-and-control traffic from entering your network. Once those have been stopped, the cost of executing an attack rises and, subsequently, reduces its likelihood, by forcing attackers to create new malware variants and launch new exploits against lesser-known vulnerabilities.
- Consider implementing tools that support the automated remediation of events that leverage pre-made playbooks to respond and recover from incidents. Incident response (IR), SecOps, and threat intelligence teams can save many hours of manual labor trying to piece disparate sources of information together from multiple tools. Security orchestration, automation, and response (SOAR) products can automate the whole process of user investigation, endpoint isolation, notifications, enrichment, and threat hunting by orchestrating across security information and event management (SIEM), firewalls, endpoint security, and threat intelligence sources so that response teams can quickly shut down the ransomware, minimize the risk of losing data, and limit the financial impact of ransom demands.
- Secure Cloud Workloads. Ensure that all cloud infrastructure, Kubernetes, and container images are securely configured, and steps have been taken to minimize vulnerabilities. Check that standard policies, like encryption, MFA delete, versioning, and backups that are built into cloud provider offerings, but off by default, are turned on and properly configured. Check open-source packages and libraries for vulnerabilities that can be patched. Identify and remove overly permissive or unused IAM entitlements.
- Reduce Response Time with Retainers. Have an incident response retainer negotiated in advance. Also consider having crisis communications, outside counsel retainers in advance.
Q2. You are a member of the DHS Cyber Security Review Board. Why is it important for security vendor representatives to be a part of it? What changes do you hope, or expect, it will foster within the industry?
The Board’s mission is to conduct authoritative reviews and assessments of significant cyber events that impact both the public and private sectors and we want to provide best practice recommendations based on learnings from these breaches.
The CSRB’s first review focused on the vulnerabilities identified in the log4j software library that was discovered in late 2021. The Board ran an inclusive process focused on understanding ground truth and drawing lessons learned for the future; we obtained data and conducted interviews with nearly 80 organizations and individuals, including software developers, end users, security professionals, U.S. and foreign government agencies, and companies.
As a result of this community effort the CSRB issued 19 specific and actionable recommendations to address the continued risks of Log4j, drive better security in software products to avoid future vulnerabilities, and enhance organizations’ ability to respond more effectively in the future when severe vulnerabilities are discovered.
Q3. What can customers at Black Hat USA 2022 expect from Palo Alto Networks at the event? What have you got lined up for them?
We have exciting new Palo Alto Networks products and services on display at Black Hat.
As the industry’s first extended detection and response platform, Cortex XDR has continually reset the bar for security efficacy, visibility, and ease of use. The Cortex XDR 3.4 release takes these capabilities to the next level, offering organizations unprecedented management, scale and endpoint protection capabilities. New features like SmartScore incident scoring harness the power of machine learning and analytics to pinpoint the threats that matter most.
Cortex XDR 3.4 will be available on July 24th, and we are also excited to feature new Unit 42 services built on Cortex XDR during Black Hat.
Be sure to check out our booth #1332 if you are attending Black Hat USA in person. You can also hear Mike Sikorski, VP Engineering, Unit 42 share his thoughts on Wednesday, August 10 at 3:00pm in his session “Behind the Breach - Learning from Successful Attacks to Improve Your Security”. Learn more about our presence at Black Hat.
Q1. What are the requirements for true, cloud-native XDR and what’s driving the need for these capabilities?
Before discussing the requirements for XDR, it is important to first distinguish what a true XDR solution is, as there is a lot of confusion in the marketplace as to what it really is and what it isn’t. The XDR market is relatively young, there is a lot of buzz around it, and we are not at a point yet where there is broad consensus on a single definition.
Secureworks developed the Taegis XDR platform over 5 years ago, way before XDR became part of today’s tech nomenclature. Even back then, we built the platform with the goal of offering holistic protection across the IT and security stack, to make the work of security analysts more efficient and effective, and to future proof it, so that customers didn’t have to rip and replace their IT environment to get the best security outcomes.
In our view, we define a true XDR solution as one that is purpose built from the ground up with the capabilities to prevent, detect, and quickly respond to threats via automation throughout the enterprise environment. A true XDR solution should be an open solution that can ingest all types of data, whether it’s from endpoint, network, cloud, or identity systems, and apply advanced analytics to detect things that no other solutions would have detected in the environment, and early in the kill chain. By tying telemetry together from existing systems and correlating data and prioritizing high-fidelity alerts, XDR empowers security analysts to take more meaningful actions to protect their organizations.
XDR cannot just be endpoint, network, or single vendor stack centric. Rather, it should be natively built, end-to-end, and holistic in terms of prevention, detection, automation, and threat hunting capabilities. Furthermore, a true XDR solution should be able to integrate threat intelligence, not only from a vendor’s own threat intelligence, but also from third-party threat intelligence, and correlate the data together to make it easy for customers to digest and understand in context of their organization’s needs. The end goal is to maximize security effectiveness of the Security Operations Center (SOC) and accelerate the time to detect and respond to a constantly changing threat environment. This is how we envisioned XDR when we built the Taegis platform.
To implement XDR effectively, it requires taking a cloud-native approach for agility, scalability, and flexibility. It also requires the right architecture. Security is a big data problem and with that, you need a big data platform designed and architected to support the security use cases for XDR. And by that we mean, a platform that can support the breadth and depth of detections and automated response actions while ingesting the volume of data at speed and scale to inform those detections. XDR ultimately means faster and better detections and faster meantime to response.
In terms of what is driving the demand for XDR, we see three main drivers. First, as the digital footprint of most organizations continues to grow, so does the attack surface. Digital transformation, the rise of cloud environments, and the pandemic-era shift to remote work has added a new level of complexity and risk. The network perimeter is no longer easily defined, and solutions such as endpoint protection are simply not enough.
Other solutions like SIEM haven’t lived up to the ability to quickly ingest data at large volumes with advanced threat detection and automated response actions without a lot of customization and ongoing maintenance. Second, the industry is facing a significant cybersecurity talent shortage and businesses are struggling to find qualified talent. And as 70% of SOC analysts experience burnout, many organizations are looking to make the job of the security analyst more efficient and effective. This is why many organizations are moving towards managed detection and response (managed XDR) services as well as technology solutions like XDR to help reduce alert fatigue (Source: Dark Reading). Lastly, budgets are not unlimited, and businesses are forced to contend with a growing attack surface, under-resourced security teams, various point products that don’t work well together, and a constantly changing threat landscape.
Q2. A recent market report has predicted substantial growth for the SOC-as-a-service market over the next several years. Where (what kind of organizations) do you see most of this demand coming from? What are some of the primary reasons for signing up for SOC services?
Enterprises with large budgets that can invest in their own SOCs and hire and retain talent at scale, often don’t have this issue. But that scenario is becoming increasingly rare. The combination of the current cybersecurity talent shortage and limited budgets has created the need for both managed detection and response services and solutions that are future proofed and scalable.
Organizations are looking for partners who have been delivering SOC-as-a-service for years and are maximizing their ability to deliver it in a more effective and streamlined way through XDR. This is about making a vital shift from basic monitoring to actively investigating threats, and then automating responses to reduce the risk of ransomware attacks or other breaches. The only way to deliver these services successfully is through partners who have the right mix of technology, experienced security staff, and business processes that make working together seamless. For example, Secureworks has delivered SOC-as-a-service for years and can help maximize customers’ ability to detect advanced threats through real-world threat research, automating response actions, and collaborating in security investigations. That experience is now incorporated both in the Taegis XDR platform as well as the managed services we deliver to those who need it. This level of experience is unmatched and is why organizations make the decision to partner with an outside entity for SOC services.
The demand for this is exceptionally strong, and it is coming from all industries. Managed detection and response simply delivers better security outcomes and optimum cost effectiveness. For example, a recent Forrester TEI study found that Taegis ManagedXDR reduced risk by an average of 85% while saving over $1 million over three years. Numbers will differ between companies, but that’s a pretty compelling story especially for companies struggling to find and retain staff that want to make sure they are not the next victim of an attack.
Q3. What does SecureWorks plan on showcasing for customers at Black Hat USA 2022?
We’re really excited about showing the continued growth and effectiveness of the Taegis platform, which includes Taegis XDR, Taegis ManagedXDR, and Taegis VDR for vulnerability management. Visitors who stop by our booth (Nr. 2634), can see live demos of the products in action, and will be treated to some excellent presentations by Secureworks® experts covering the latest developments from our product team. They will also get insights from members of our Counter Threat Unit™ and Adversary testing teams, who have speaking spots at both Black Hat and Defcon right after.
Q1. What are some of the more exciting or significant projects that your team is currently working on in the fields of automated vulnerability analysis and remediation capabilities?
Within the Digital Science Research Center (DSRC), our Security Unit is mainly focused on research activities towards cyber reasoning systems handling software and systems security, infrastructure security, and finally applications and platforms. [The focus is on] addressing the different related challenges with help of latest breakthroughs in advanced Machine Learning and Deep Learning techniques. We’ve decided to tackle software binary aspects, via innovative graph representation and similarity detections, given the increasing software complexity in vertical markets such as automotive, either via telematics capabilities, or ADAS/DMS, or even media content. This is usually combined with massive FOTA (Firmware Over The Air) campaigns to update partial parts of the software. This thus requires brand new approaches.
Q2. How far away is the industry from having truly self-healing technologies to safeguard against malicious attacks? What would a true self-healing network be capable of doing against new and unseen attacks?
We believe the first level of self-healing machines, systems or networks is something that can be mature enough in terms of commercial availability in the coming three years or so. This means machines, systems (such as IoT/EdgeAI) with the capability to detect both at network level (intrusion detection) and at the lowest levels (firmware/binary code) any suspicious activity and then to trigger, automatically, a security state fallback, either at network level, or simply a fallback to a former ‘recovery’ version, authenticated as safe.
Pushing yet a step further, beyond this mechanism of safe recovery, would mean reaching a commercial maturity regarding automatic binary patch generation—and thus automatic Root Cause Analysis with reliability—taking into account mutation mechanisms, while also increasing resilience/hardening for instance. This is something that we’d target for the next three years at research level, and let’s say two years more in terms of commercial availability.
Ultimately, we strongly believe that with AI being more and more natively available from any system design stage together with the outstanding advances in Large Language Models (LLM), and the revolution from quantum computing, the next decade will see the emergence and birth of the first self-healing/autonomous cyber-reasoning security systems. And Of course, TII will do its best to play a key role in this journey.
Q3. TII conducts research on a relatively wide variety of fronts. Which research areas do you plan on highlighting at Black Hat USA 2022? What are you hoping security researchers and practitioners will learn about TII at Black Hat USA?
At BlackHat, this is mostly the Security Unit, from Digital Science Research Center (DSRC) which is represented. During our Workshop session, we plan to take a UAV drone example to promote the reverse engineering know-how from our Application & Platform security team. UAV/Drones are an important research domain also for our Telecom Unit focusing on B5G/6G Wireless networks.
This will allow us to demonstrate that TII (Technology Innovation Institute) is an applied Research Institute. This means it’s always important for us to demonstrate our technology’s feasibility on to the real world, to “future-proof” our society. That’s the reason why we have some balanced and complementary teams composed of both Researchers, and Engineers, with great laboratory capabilities.
We’d like the Black Hat community to identify TII as one of the fastest growing multidisciplinary advanced research centers that they’d like to collaborate with on leading technologies, or that they’d like to join thanks to our talent acquisition program, or ultimately to follow our seminars, and publications
Q1. VMware has described Contexa as a full-fidelity threat intelligence cloud. What exactly does that mean? What security issue is it that Contexa is designed to address?
Think of VMware Contexa as a massive online brain that leverages the vast amount of telemetry collected by VMware platforms, across endpoints, workloads, users, and networks, and applies powerful machine learning techniques to quickly sniff out subtle anomalies and the most well-disguised attacks.
This is a major advance relative to how most companies check lateral movement today. Today, most companies cannot afford the sheer computing power to look deep within all that rushing East-West flow, so they do the next best thing: examine small portions of the traffic. Many use network taps that typically look at the traffic that crosses a particular network switch. However, in a virtualized, cloud world only a small fraction of the East-West traffic touches a physical switch, most of it stays within VMs on a single server. These tapped network portions are typically analyzed after-the-fact in a separate “sandbox” or with an Intrusion Detection System (IDS), and the findings are recorded in a security information and event management system (SIEM) that serves as a kind of digital library.
Such sampling is no longer a realistic option for stopping attacks - you can’t look at a small sample of east-west traffic and think you are protected. Modern cloud architectures are making the blind spots worse. New silicon and virtualization capabilities can run well over 100 VMs in a physical host, meaning only a small fraction of that VM-to-VM traffic would hit a physical network tap.
VMware Contexa is built for this virtual cloud world. It works on live, “in-band” data where it sees every packet and every process, without relying on a physical network tap. As a result, Contexa can understand the context of the data in real-time, to spot subtle anomalies that could hide malicious activity.
Combining VMware Contexa with our architectural advantage, VMware exclusively sees every process running in an endpoint, every packet crossing the network, every access point, and the inner workings of both traditional and modern apps to identify and stop threats others can’t.
Q2. You were recently quoted as saying the ongoing move to the cloud is an opportunity for enterprise organizations to think differently about security. What is your advice on how they should go about doing that? What exactly do they need to approach differently?
As businesses embrace multi-cloud, they’re confronting a new level of complexity that creates new pain points, including driving consistent governance across all the clouds, driving consistency in app design and in data portability across cloud and designing and operating networking and security in this complex environment. And, as every enterprise company is embracing the cloud operating model in a significant way, security has an opportunity to lead the conversation - not follow it.
As we’re moving towards the cloud operating model, we can’t take the old tool sets and try to graft them on. We are going to have to think differently about how we instrument our VMs, and how we instrument our containers so that we can protect applications from within. In the cloud operating model, we want the private cloud, to look and behave like the public cloud. Public cloud providers aren’t buying expensive firewalls and proprietary load balancers. They are investing in racks and racks of x86 systems with scale out architecture with high level API's that understands the topology of an application. When this is your foundation, security becomes code.
The cloud operating model gives us the combination of operational efficiency and better security. Because all our infrastructure is implemented as software - core switching, routing, firewall, IPS, load balancer, advanced threat protection, etc. - under these high-level API's, we have freed it from the dependencies of proprietary hardware, which means we can pick it up and move it.
Workloads that were born for VMware environments are better protected in that VMware environment with east-west capabilities, and then you can take the workload and the security and move it at any time from private cloud to public clouds. This message is resonating, and customers understand it.
Q3. Why is it important for VMware to be at Black Hat USA 2022? What do you want customers to know about the company’s cybersecurity plans and strategy in the coming years?
Over the past year, security professionals have witnessed an unprecedented rise and sophistication of cyber-attacks. I expect there will be a lot more emphasis at Black Hat this year around the community coming together to share information, expertise, and best practices to operate in a world seeing increasing cyber risks (I published a blog on this earlier this year here).
When it comes to security, our mission at VMware is to fundamentally transform how customers think of and consume security, allowing them to realize the agility and efficiencies of the cloud operating model. We are driving innovation across each of our networking and security products and are stitching them together into a set of well-integrated, API driven and SaaS oriented offerings that allow our customers to embrace the cloud operating model.
Our strategy remains focused on building solutions that are highly differentiated because they leverage the intrinsic attributes of our platforms, and to deliver these unique solutions in a consumption-oriented manner. This means leveraging our core technical attributes; excellence in scale-out software design, excellence in threat understanding and detection, excellence in innovative connectivity solutions, and excellence in delivering ultra-reliable, mission critical software that touches every packet in our customer’s applications.
It also means leveraging the unique attributes of our platforms that allow us to transparently insert services, to protect, manage and operationalize services at scale, and to have an intimate understanding of the end user, as well as a detailed understanding of the operation of the application. Furthermore, our platforms allow us to bring networking and security into the software development life cycle from the build phase to the run phase to the manage phase.