Interviews | July 29, 2020

Visibility and Attacker Dwell Time Continue to Pose Big Challenges for Organizations

nCipher | Secureworks | ServiceNow | Trustwave

Peter Galvin
Chief Strategy Officer


Q1. The 2020 Global Encryption Trends Study showed that 48% of organizations have an overall encryption plan applied consistently across the enterprise. That means more than one-in-two still don't have a consistent encryption plan. Why is that the case considering that almost everybody agrees encryption is essential to data security?

Everyone agrees that encryption is essential to data security, but some organization are reluctant to deploy encryption due to a lack of understanding of how encryption works, or the organizations don't have sufficient skills in place to deploy encryption successfully, or they just don't want to spend the money and are willing to take a risk that their data will not be compromised. One area were security vendors are helping these organization is thru managed services, so that a trusted third party can take on the burden and supply the appropriate skill to ensure encryption is deployed successfully. As for the budget concerns, the cost of a data breach continues to grow impacting an organizations brand and eliciting ever-larger fines from regulatory agencies.

Many organizations have been slow to change their security posture so they continue to spend a disproportionate amount of their budgets on perimeter security. The problem is the traditional perimeter no longer exists. Employees are now working from home on their own devices access corporate networks, SaaS applications and cloud services. The most secure method for protecting data is to use encryption – which even if a bad actor steals your encrypted data – it is useless to them as they don't have the ability to decrypt the information. The other key technology for data security is strong authentication and identity. Using multi-factor authentication, which goes beyond simple user names and passwords, can ensure that only the individuals with the correct credentials can access the data.

Q2. What are some of the biggest barriers to deploying a successful encryption strategy?

Encryption needs to be deployed well to be effective, with strong, industry-validated algorithms, keys of appropriate length, and well-implemented software playing crucial roles in the effectiveness of an organization's encryption process. Most importantly, assure that the encryption keys themselves are well protected. Encryption always must be accompanied by best-practice-based key-management in order to accomplish its purpose in protecting sensitive data. Encryption without protecting the cryptographic key is like locking your house, but leaving the key under the doormat.

The most effective method for securing those cryptographic keys is by storing those keys in hardware. A hardware security module (HSM), which provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, and key management, protects the master key and prevents unauthorized users or applications from using the keys to de-crypt data. There are a number of cases where keys have been stored in software next to the data or application allowing bad actors to steal the keys and decrypt the data.

Q3. It's been more than two years since Thales spun out nCipher as a standalone organization. What do you want security professionals at the Black Hat USA 2020 virtual event to know about the latest developments at nCipher and what they can expect from the company over the next few years?

nCipher is now part of Entrust Datacard, allowing us to provide a comprehensive set of high assurance solutions for securing identities, communications, access, data and applications. We provide a unique set of solutions to protect organizations against evolving threats to their sensitive data, network communications and enterprise infrastructure. Our proven technologies also underpin the security of emerging technologies such as cloud, the Internet of Things (IoT), blockchain and digital payments as well as helping meet compliance mandates.

As more organizations have moved to the cloud, in many cases it has made their security issues more difficult and complex. Organizations now have to manage their corporate networks, public clouds and even multi-cloud environments each with their own security protocols. Solutions from nCipher and Entrust Datacard, protect, people, systems and things, providing a comprehensive set of security capabilities, that work cross platform, can be deployed on-premises, in hybrid environment, as a managed service or security as a service to meet the high assurance security requirements of the most demanding organizations.

Steve Fulton
Vice President of Product


Q1. How has the COVID-19 pandemic impacted demand for managed security services? What kinds of services are you seeing the most demand for and what's driving it?

During the COVID-19 pandemic, we've seen an incredibly rapid shift to remote work in almost every industry. This has resulted in increased demand from our customers to help them reprioritize their security initiatives, which helps them ensure that this expanded attack surface doesn't create new vulnerabilities for cyber threats.

To prioritize this shift in focus, our team has made rapid adjustments to our managed security services operation to keep customers protected and informed. We've found it important to share our own business continuity plans so customers can feel secure in our operations.

We've also seen increased demand in research and advice from our Counter Threat Unit (CTU), which monitors the deep threat landscape and provides customers with early visibility into emerging threats, and the tools to stop them before they happen. In addition, there's been increased demand for our incident response (IR) teams and continued momentum for our Red CloakTM Threat Detection & Response (TDR) product and associated managed services (MDR).

Q2. What exactly is software-driven threat detection and response? What problem is it solving?

A single security tool will never be the silver bullet that organizations are hoping for. That's where the software-driven approach comes in: blending human expertise with the power of software, focused on analytics and automation, helps organizations and security professionals accelerate detections, improve fidelity, and streamline investigations for rapid response.

For example, our Red Cloak Threat Detection & Response (TDR) security analytics platform helps customers modernize their security program with increased visibility across vulnerable areas such as endpoint, cloud and network. Combined with expert knowledge from our CTU, this enables customers to harness collaborative intelligence and analytics that provide them with the necessary knowledge to take a proactive stance against threats. The effectiveness of a software-driven investigation is probably best understood by seeing it in action. Those who are interested can sign up for a tour of Red Cloak Threat Detection & Response (TDR) through the month of August on our website,

Strong software tools together with the expert and continuously evolving knowledge of humans is a powerhouse combination for understanding a company's unique threats within the overall threat landscape, which creates an end-to-end security platform.

Q3. What do you want organizations participating in the Black Hat USA 2020 virtual event to know about Secureworks and its strategy for the next several years?

As we prioritize a software-based approach to security, our security software isn't designed to replace human expertise, but rather to help organizations and security professionals unite in their fight against the adversary. We are investing in technology by honing our software tools while retaining a strong partnership with customers led by our security expertise, open communication, and cutting edge-research.

Our purpose is to secure human progress by outpacing and outmaneuvering security adversaries, and we will meet those challenges with a software-driven approach and commitment to cutting-edge cybersecurity knowledge.

Jeff Hausman
VP and GM ITOM, Security & CMDB


Q1. Why did ServiceNow acquire Loom Systems earlier this year? How is the acquisition benefiting your customers?

ServiceNow has made eight acquisitions over the last 4 years specific to ML and AI. Loom Systems and Sweagle—which we announced in June—are just the most recent. The collective acquisitions give us the ability to do things as varied as natural language for virtual agents, multi-language support, and of course, advanced analytics on the wealth of data we have as a "platform of platforms." Loom Systems extends our AIOps capabilities to include analysis of log data and proactive remediation to ensure resilience. Sweagle adds capabilities for IT configuration management and automation and will further help with resilience across pre and post-deployment areas.

Many companies focus AI on data analytics, and we do as well. But we also see great opportunities for improving the process and experience of work—we are the company that makes work flow. We offer security orchestration, automation, and response (SOAR) and risk-based vulnerability management products. In a workflow, we can reduce incident volume by automatically classifying incidents in the queue to aggregate and relate similar events. This concept applies to many different types of incidents from malware to data breach investigations.

Another great use case recommends the right person for an investigation or remediation assignment based on similarity, expertise, speed, frequency, and other factors. This goes directly to improving MTTR. ML/AI can suggest the right next step in a playbook or opportunities for automation based on incident analysis and key metrics. Of course, ML can also help with the background work – such as predicting SLA breaches based on a group's track record. There are endless ways we can deliver customer value. Design partners and our product advisory council help us imagine and implement the best ones.

Q2. Given the intense economic challenges we are seeing worldwide, how are you helping the CISO protect the business while managing costs?

The pandemic has brought home the speed and efficiency gains of automated phishing and malware investigations, as well as expedited vulnerability response. These are the most "essential services" that security renders the business, and automation helps the CISO handle the spike in attacks without asking for more resources.

We have customers who have knocked a digit or two off the number of incidents they have to spend time on. These are high volume, fast-moving situations. Automated playbooks and workflows can deflect simple cases to get clutter out of the queue. They also compress timeframes, prevent errors, and help provide visibility so managers can keep people fresh and functional.

Playbooks can orchestrate handling of problems that have come up even more often with work from home, such as failed logins. Once you start asking people how they really spend their time, and what they hate doing, you start seeing opportunities for more efficiency through automation.

Many scenarios are common at every business, and you don't have to recreate the wheel. Companies are using our COVID phishing and automated malware playbooks off-the-shelf (or as a template), and automating actions using our pre-built task library and no-code tools.

Cost avoidance is also a win these days. People ask us how they can get more value out of the security and risk tools they have, as well as their ServiceNow platform. Orchestration connects the dots of data and tasks across their systems and teams. We've seen a surge in demand here.

Those that have ServiceNow IT and GRC workflow products are discovering ways to integrate security requirements, risk indicators, and remediation workflows to be more efficient. Think about what happens during a zero-day–you want up to date understanding of what's vulnerable and how it could affect the business, and you want to get your IT guys to take action promptly, the right way. By tying into their processes, including change and exception management, that process stops being a fire drill. By generating a risk event automatically, the risk managers stay in the loop.

People are also looking at tool spending for 2021 to reduce their spending on redundant or shelfware tools. Pro tip: our asset management tool can help you understand what you are really spending so you can eliminate or downsize.

Q3. If there's one takeaway/message that ServiceNow has for organizations at the Black Hat USA 2020 event this year, what would that be?

Cyber resilience is the most valuable thing that a security team can contribute to its organization this year. It will be a gift that will pay increasing dividends over the next months and years, providing reliable infrastructure to permit businesses to endure through the pandemic, reinvent safely, and navigate the next, and the next, and the next upheaval.

So much of the security reality is about reacting. Cyber resilience happens when we take a step back – we anticipate what could happen, prevent what we can, prepare for response, monitor for the need, then leap into well-planned response. Afterward we debrief and adapt.

Easier said than done, you might say. But we are at this point as an industry. Cyber resilience is a strategic competence. It's a muscle that has to be developed and maintained.

We've got building blocks in place - prevent, detect, respond. Two things are missing: the advance planning and lifecycle integration. The anticipation stage starts with the things that matter to your business and makes the link to threats and attacks and vulnerabilities. Not everything matters the same to your business, naturally, but we often focus on what's coming from the outside, and not enough on what matters on the inside. That needs to change, because we just can't control everything. We have to prioritize.

To anticipate well, and then to tighten up the lifecycle, security has to work much more tightly with IT and risk and compliance teams. This isn't about meetings – although they can help – it's about creating a shared focus on what matters, then instituting the data and process integration to execute as efficiently and accurately as possible in planning, during day-to-day operations, and in a crisis.

Cybersecurity is always listed as a top IT and Board concern – Cyber Resilience is how we can satisfy these leaders. The CISO can demonstrate the contribution of security and risk in business terms.

Tom Powledge
SVP Products


Q1. What are the biggest challenges that organizations currently face when it comes to detecting and responding to threats that have breached the enterprise perimeter?

The security environment is becoming increasingly more complex, the attack surface is expanding, security tools continue to be siloed, cybersecurity budgets are being squeezed all while attackers continue to evolve their techniques. Combine this with the challenges the pandemic has brought, and many organizations are evaluating whether their cyber hygiene has slipped. Security leaders are asking: ‘what cracks are in our environment? Are there quietly hidden attackers in our environment?'

Thus, the biggest challenges organizations currently face are visibility and reduction in dwell time. Organizations are looking to improve their visibility across endpoints, networks, databases, and clouds and speed up their mean-time-to-detect and mean-time-to respond.

Realizing though, that security leaders may need to improve their security posture with some financial flexibility, Trustwave recommends that organizations start by enlisting a proactive threat hunting service. A threat detection and response services provider can work with you to quickly develop a defensive plan to validate environmental integrity and/or secure your high-value assets through a proactive threat hunt. The purpose of a proactive threat hunt is to seek out the quietly hidden attacker within the environment, with the goal of eliminating the threat before they can do damage. A proactive threat hunt can also reveal open threat vectors in the environment like outdated software, network misconfiguration and other concerns.

For example, during a recent threat hunt for a global technology vendor client, Trustwave SpiderLabs threat hunters discovered a new malware family dubbed GoldenSpy, embedded in tax payment software. This threat was well hidden and had bypassed industry-leading endpoint detection and response (EDR) security controls. Trustwave SpiderLabs contained and remediated the threat before data exfiltration thereby minimizing the financial and reputational impact to the business.

Q2. Where do you see the biggest opportunities for companies like Trustwave to add value around enterprise threat detection and response over the long-term?

A single security company or technology cannot protect everything across the evolving digital landscape. Integration and partnership across the landscape requires collaboration and employing help from different sets of perspectives.

Managed Threat Detection and Response service providers can help organizations match up active perimeter defense capabilities with orchestrated response capabilities for attacks. Providers like Trustwave can help organizations quickly detect and eradicate threats because we have the depth and breadth of expertise coupled with the tools, technologies, strategic partnerships, and methodologies to provide full threat lifecycle capabilities to an organization. We focus on threat detection and response, all day every day, so we are evolving our expertise and capabilities with the changing landscape.

Trustwave also leverages Trustwave Fusion, a cloud-native platform to give a customer consolidated visibility across their diverse and distributed security environment. Trustwave Fusion easily integrates with a customer's security ecosystem whether on-premise or in the cloud for a single view of security findings and events across complex security infrastructures. We have best-in-class native integrations with many technologies like Palo Alto Cortex XDR, AWS, and Microsoft security services. Additionally, Trustwave Fusion has out of the box integration with 700+ data streams that allow a customer to combine multiple detection sources, existing investments, and best-in-class cybersecurity tool vendors. Technology will come and go, and the environment will be forever changing. Organizations need to come at security from a defensive standpoint with a team of experts and capabilities behind them for the long-haul.

Threat detection and response (TDR) providers like Trustwave help customers detect and respond to threats with flexible services and products from TDR Consulting to database security solutions to cloud security solutions. We actively engage with our customers on their security journey and we want our customers to be actively engaged with us.

Q3. What do you expect your customers and other organizations at Black Hat USA 2020 will be most interested in hearing about from Trustwave? What are Trustwave's plans at the event?

Typically, our customers are most interested in speaking to our elite threat hunting team, Trustwave SpiderLabs, but especially considering the recent publication of the new malware family, GoldenSpy, discovered by the team, we think this will be the biggest source of intrigue this year. GoldenSpy was a hidden backdoor discovered in required tax software for any business operating in China, so it really became a global source of interest – and risk – that drew in a lot of attention. Having the ability to coordinate direct interactions at Black Hat with the Trustwave SpiderLabs, we're really expecting the majority of conversations to be around the details of the threat, how it was discovered, and remediation advice.

The team is comprised of experts with extensive experience in the dark web, threat hunting, and data forensics, so if you haven't had a chance to engage with them at previous events, I'd highly suggest taking advantage of our "Ask My Anything" or "Ask the Expert" sessions at Black Hat to pick their brains and really hear some interesting stories.

Trustwave has a lot going on at the show this year. On Wednesday, August 5 at 12:30 p.m. you can hear from our VP of Cyber Threat Detection and Response, Brian Hussey, talk about GoldenSpy and the risks it proposes. We will have an on-demand session available throughout the event focusing on the evolution of MSSPs and what is next. Additionally, we will have downloadable content and demos available at the booth, as well as a Capture the Flag competition. This is the attendees chance to demonstrate their technical expertise in sophisticated challenges specifically crafted based on field experiences from the elite global threat intelligence teams at Palo Alto Networks and Trustwave SpiderLabs. During this 48-hour competition, participants will work to solve a variety of different exploit challenges for the chance at various prizes.

Link to register:

Sustaining Partners