Interviews | September 25, 2020

Pandemic Drives Enterprise Interest in Cloud Managed Services

Google Cloud Security | Hack The Box | Infoblox | KnowBe4 | Microsoft | Mimecast

Dr. Anton Chuvakin
Head of Solution Strategy

Google Cloud Security

Q1. What are some of the biggest challenges facing SOCs these days? Why has a big data analytics capability become such a key requirement?

Today, even mid-sized organizations may generate petabytes of security telemetry. Most security operations teams, however, are not skilled in managing big data and the underlying hyperscale infrastructure required to keep up with these volumes. On top of this, budgets have largely shifted from capex to opex which means budgets won't be spent on more hardware to support the ever-growing security telemetry.

CISOs want their security operations staff to perform security operations, not infrastructure management. This has boosted the case for using SaaS-based security analytics with unlimited data storage. But here is the trick: unlimited scale of SaaS-based analytics should not mean unlimited rise in costs. Because enterprises need to vastly scale their security data and perform security analytics on it, we predict that the use of cloud-based security technology will grow dramatically for the next couple of years.

Q2. What are some of the key requirements for threat hunting from a technology and a process standpoint? What do you need to do to be successful at it?

Effective threat hunting is supported by having the right technology and processes in place - but it truly relies on the right people. From a technology perspective, you need to be able to collect and store as much security telemetry as possible - such as endpoint, network and log data - all in one place. By having this data collected - but also enriched and cross-correlated, threat hunters can discover and investigate threats that have been hiding over long periods of time.

Threat intelligence is also central for threat hunting as it often—but not always—provides the initial thread for the analyst to pull. Also, threat intelligence helps understand the impact of a potential threat on your organization by associating the activity observed with the threat actors type.

From a process standpoint, it's critical to have incident response processes in place so that you can escalate any threats discovered during threat hunting. The first step is to review the activity and a system deemed suspicious during the hunt. For this, you need to check the context data that was added to enrich the alerts such as system name, system users, running processes, and threat intelligence feeds. From there, you can look at the history of similar suspicious events in this system and in other systems, focusing on the nature of the uncovered suspicious activity.

Your incident response process should include identifying your compromised systems, as well as the systems that have connected to and from them, and reviewing activities on those systems to find further affected resources (hunting pivot). Lastly, security teams need to remediate all affected systems at the same time to avoid an attacker persisting in the environment. Note however that cutting off attacker access before you are confident that you uncovered the true extent of a compromise is a mistake as it tips the attacker that you are onto them.

Q3. What does Chronicle Security plan on highlighting at the Black Hat Asia 2020 virtual event this year? What can organizations expect to hear from Chronicle?

This year, we're excited to talk about the release of Chronicle Detect, a threat detection solution built on the power of Google's infrastructure to help enterprises identify threats at unprecedented speed and scale.

2020 has introduced complex challenges for enterprise IT environments. Data volumes have grown, attacker techniques have become complex yet more subtle, and existing detection and analytics tools struggle to keep up.

Chronicle Detect brings modern threat detection to enterprises with the next generation of our rules engine that operates at the speed of search, a widely-used language designed specifically for describing threat behaviors, and a regular stream of new rules and indicators, built by our research team.

With Chronicle Detect, you can use advanced rules out-of-the-box, build your own, or migrate rules over from legacy tools. The rules engine incorporates one of the most flexible and widely-used detection languages in the world, YARA, which makes it easy to build detections for tactics and techniques found in the commonly used MITRE ATT&CK security framework. YARA-L, a language for describing threat behaviors, is the foundation of the Chronicle Detect rules engine. Many organizations are also integrating Sigma-based rules that work across systems, or converting their legacy rules to Sigma for portability. Chronicle Detect includes a Sigma-YARA converter so that customers can port their rules to and from our platform.

Chronicle customers can also take advantage of detection rules and threat indicators from Uppercase, Chronicle's dedicated threat research team. Uppercase researchers leverage a variety of novel tools, techniques, and data sources to provide Chronicle customers with indicators spanning the latest crimeware, APTs, and unwanted malicious programs. The Uppercase-provided IOCs—such as high-risk IPs, hashes, domains, registry keys—are analyzed against all security telemetry in your Chronicle system, and let you know right away when high-risk threat indicators are present in your environment.

Since joining Google Cloud over a year ago, the Chronicle team has been innovating on our investigation and hunting platform to bring a new set of capabilities to the security market—and we won't stop here. Chronicle has also added new global availability and data localization options, including data center support for all capabilities in Europe and the Asia Pacific region.

Aris Zikopoulos
Co-Founder & CCO

Hack The Box

Q1. It's been more than three-and-a-half years since Hack The Box launched. How has the platform evolved over that time? Who are the biggest users of HTB?

It's truly inspiring seeing both the platform and the community grow so dynamically over the last three and a half years. Last week, we announced our latest benchmark. We surpassed 400,000 platform members and this is what drives all our internal efforts across all company fronts. We listen closely to what the community has to say; in fact, the entire platform started back in 2017 by trying to solve a community pain point (virtual VMs that provide practical, self-paced training).

Our user base covers all the bits and pieces of the global map, from Brazil all the way to Australia, with our most crowded markets being US, Europe, and India. The diversity follows the same pattern across age, professional experience, and skill level. We welcome everybody. From cyber security beginners and enthusiasts who want to explore the basics and learn how to hack, all the way to the most experienced hackers in the world, including pentesters, blue/red/purple teamers, network engineers, sysadmins, even developers.

On the enterprise side, our client base is seen at the moment mostly in the US and Europe, with more and more companies from Australia joining lately. Ranging again vastly, from the Fortune-500s of the world with global security teams to smaller but security-oriented companies requiring advanced, up-to-date, tailored training.

Q2. What issue is it that you are helping enterprise organizations address with this platform?

We didn't start Hack The Box having enterprise in mind. However, individuals training through our platform wanted to utilize the platform even further at their workspace and that's how it all started.

There is a direct need for a new way of corporate cyber security training. The global market has been experiencing a shift during the last years, severely boosted during 2020 after the pandemic hit. Traditional cyber security training meant for years a theoretical, classroom-based, physical, usually one-off learning experience.

We are looking to disrupt this by offering to companies and organizations we work with, a wide range of services and products that turn cyber security training into a dynamic, ongoing, online, hands-on, self-paced, and fully gamified user experience. Training that employees enjoy and truly benefit from.

In a nutshell, our enterprise services include:

  • Dedicated Labs: Hands-on training only for your team
  • Professional Labs: Real-world simulating training labs
  • Business CTFs: Let your team learn while playing
  • Talent Search: Recruit top cyber security professionals
  • Workshops & Trainings: Tailored to your needs and on-premise
  • Cyber Range (NEW): Put your team's defensive skills to the test

Explore more here:

Q3. What can those attending the Black Hat Asia 2020 virtual event expect from Hack The Box? What are you planning to highlight at the event?

First of all, we are very excited to join BH Asia for the first time, even if it's virtually. Our goal is to present Hack The Box among the APAC cyber security community and share what we've been up to lately. We have been keeping ourselves busy during the last months and exciting product launches are on the way, for both individuals that use our platform to advance their cyber security skills but also global organizations that utilize our product portfolio to keep their teams trained and attack-ready.

For our global player base, Hacking Battlegrounds, real-time multiplayer hacking games, are loading on Hack The Box. The epitome of a thrilling hacking experience. Hacking is the new gaming, stay tuned!

While on the enterprise front, we are glad to present the upcoming beta release of Hack The Box Cyber Range! A virtual cyber warfare training environment that utilizes gamification to help companies assess and amplify their team's cybersecurity defensive skills through contrasting blue teaming scenarios.

Three giveaways are also being hosted through our virtual booth. 20 lucky winners will win cool prizes, including Hack The Box training service snad swag. Looking forward to seeing everyone there - virtually!

Kanaiya Vasani
EVP Products and Corporate Development


Q1. What impact has the sudden increase in remote working had on organizations from an information security standpoint? What are the most significant changes that security groups have had to make to accommodate the shift?

Organizations have had a dramatic shift in their infrastructure as large populations of workforces move from in-office environments, to at-home environments. Considering many organizations invest heavily in their security capabilities for office-bound employees, in an effort to keep them and their sensitive data secure, this change has posed a significant challenge. Unlike a corporate office environment, most home networks have little to any security, putting employees and their sensitive data at risk while they perform their daily duties.

Enterprises have had to accommodate a work from home environment with little to no warning, and security teams have seen the biggest impact, not knowing what users have in their home networks, and what devices they may be using to access corporate applications. Furthermore, because many of these corporate applications are cloud hosted or SaaS delivered, employees do not need to use VPNs to access them, rendering the corporate security stack completely ineffective for such traffic. This has required IT teams to think differently about security, and the best way to go about ensuring sensitive data remains protected when accessed from sanctioned or unsanctioned devices. Even with corporate sanctioned devices, which often include endpoint protection, it is still up to the employee to remain vigilant in keeping the endpoint software current. Any lapses in allowing updates can minimize the integrity of their security capabilities. We have seen a significant spike in IT teams looking for SaaS security solutions to address some of these challenges.

Q2. Why have cloud-managed services become such a priority since the pandemic began? What cloud security tools and services appear to be garnering the most interest and why?

The need for a remote workforce to remain productive has fueled the need for cloud-based applications and services. As employees are now accessing sensitive data housed within SaaS-based corporate applications from their home networks, it is even more critical to adopt SaaS services to enforce policies and security capabilities. The adoption of cloud-managed solutions that offer visibility, automation and security are paramount for IT teams that have lost all of these capabilities that were standard within their office infrastructures. Cloud-managed services that can help IT teams regain these capabilities are of the highest importance and adoption.

From a threats perspective, since the pandemic began, attackers have taken advantage of the constant fear and need for information by launching relentless phishing campaigns to distribute infostealer type malware to unsuspecting users. These campaigns are then used to steal credentials and security tokens from compromised machines. The pandemic related malware campaigns further accentuate the need for cloud-based security solutions to protect the remote worker.

We have seen increased interest in cloud managed DNS network infrastructure that can provide DNS-based protection. Unlike other solutions that rely on the user to keep updated, or other cloud solutions that require the redirection of all traffic, cloud managed DNS security has allowed users to remain productive with the optimal SaaS/Application experiences, while keeping their systems protected at all times. Cloud managed DNS security can also enable security admins to efficiently block access for a remote worker to any website not in compliance with company policy (social media, gambling, etc.).

Q3. What does Infoblox plan on highlighting at the Black Hat Asia 2020 virtual event?

Infoblox will be highlighting the cloud-managed DNS security solution that can be deployed for office environments, as well as individual users that are working remote. This solution – known as BloxOne Threat Defense, offers best-in-class malware/ransomware protection, along with DNS-based threat protection (including DGA, Fast-Flux detection/blocking, and lookalike domain detection) and the ability to identify and block DNS-based data theft which is a new technique being used by attackers to avoid detection from traditional security tools.

Stu Sjouwerman


Q1. What prompted KnowBe4's recent decision to launch a new security research group? How will your customers and others benefit from it?

Having a vendor-neutral research arm that can provide organizations with an independent view of security culture related metrics that they can use to benchmark themselves is a needed and wanted data source for IT people that are under constant attack from the bad guys.

Q2. What are the biggest challenges that organizations face when it comes to providing security awareness training for users?

I'm sure this isn't surprising for many security leaders -- the biggest challenges organizations face when providing security awareness is simply changing the status-quo. Rolling out any new program requires executive buy-in; and awareness training is no different. But here's the thing: we are *also* asking to take a few minutes of every employee's time across the organization. That means that security awareness leaders need to be prepared with great stories and statistics that will amplify their case for the program.

Other challenges revolve around the need to be aware of and sensitive to regional differences and interdepartmental differences. If the training provided isn't in the best language for the end-user, or if it is seen as irrelevant to their role or life, then you've missed the mark. So translations and variety are key! Plan accordingly.

Lastly, leaders who don't plan out their metrics and reporting strategy are setting themselves and their team up for potential pain. Always set clear expectations with your executive team, sponsors, and your Board (if applicable) about what you are hoping to accomplish, what 'good' looks like, and how you plan to measure/report. If you don't set proper expectations, then you may end up with an executive team that is expecting one thing while you are delivering something completely different. Reconciling that disconnect mid-program is way harder than starting off with everyone having shared expectations and an agreed-upon path.

Q3. What are KnowBe4's plans at the virtual Black Hat Asia 2020 event? What can those at the event expect to hear from your company?

KnowBe4 is thrilled to be a Diamond Sponsor at Black Hat Asia 2020.

We have two IT Industry experts speaking at the show, Perry Carpenter, Chief Evangelist and Strategy Officer and Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

They will dive into important topics for security leaderstoday around social engineering and phishing with their sessions "The Mind's Lie: How Our Thoughts and Actions Can be Hacked and Hijacked" and "Incredible Ways You Can be Hacked Using Email & How to Stop the Bad Guys". You won't want to miss these informative and actionable sessions.

Also, be sure to stop by our virtual booth to meet our staff and discuss how we can help you manage the ongoing problem of social engineering, spear phishing and ransomware attacks by securing your last line of defense.

Attendees can check out all the KnowBe4 activities by visiting:

Avinash Lotke
Director of Cybersecurity, Microsoft Asia


Q1. Why do a majority of organizations still take so long to detect a data breach or network intrusion? Where do the biggest gaps in capability exist with respect to intrusion/breach detection times?

While most enterprises have multiple tools in place sprawled across the environment, it may seem counter-intuitive that this approach may actually be impeding their ability to quickly detect breaches and intrusions.

What happens more often than not, is that each tool works independently, gathering data and telemetry in a single area. Without the ability to effectively share signals and visibility, security teams end up being inundated by alerts and false positives resulting in alert fatigue. The lack of automation to help triage and gather additional insights to validate preliminary findings also takes a toll on the security teams. All these fundamental issues add up and get in the way of effective alert triage, allowing attackers to thrive and move through the noise.

As security teams struggle to sift through the daily alerts, we also notice it leaves them little to no time to implement a regular threat hunting program. This is detrimental to enterprises as regular threat hunts enable the detection of attackers in the earlier stages of the kill chain (for example during reconnaissance, attempts to escalate privileges etc.) resulting in a substantial reduction in dwell time.

Our approach to solving this is thus to have a fully integrated and unified security platform, embedded with automated investigations and response actions - allowing security teams to focus on the essential and qualified incidents and having the capacity to conduct proactive threat hunting as well.

Q2. How is Microsoft helping organizations address security issues?

Microsoft works with enterprises to identify and protect against threats in the areas of Security, Compliance and Identity. Especially as the technology landscape rapidly changes and digital estates grow, managing and achieving cyber resiliency becomes a highly dynamic and complex problem.

Adopting a modern approach to cyber risk management necessitates integration across people, devices, apps and data, wherever they may reside. It also has to take into account the unique circumstances each enterprise faces - whether that comes in the form of internal governance policies or broader regulatory controls.

As such, in order to develop an efficient and effective cybersecurity strategy, forming an understanding of pertinent risk and threats will help determine the relevant solutions, policies and configurations required. Microsoft facilitates this process, with the eventual goal of empowering enterprise security operations. With the right technology in place, processes can then run more efficiently and security personnel can focus their efforts where it is needed the most.

Q3. What does Microsoft plan on highlighting at the virtual Black Hat Asia 2020 event and why?

The impact of COVID-19 has been evident across geographies and industries - while the overnight shift to remote working has brought about new threats and cyber risks, it also presents enterprises a unique opportunity to rethink what modern security and productivity could and should look like. Especially in Asia Pacific, which has been experiencing a higher-than-average encounter rate for malware and ransomware attacks than the rest of the world (as published in the 2019 Microsoft Security Endpoint Threat report).

Now more than ever, Zero Trust has become an essential approach. A recent Microsoft customer poll indicated that 94% of companies report that they are in the process of deploying new Zero Trust capabilities to some extent. Traditional notions of securing the enterprise via the perimeter and a controlled enterprise network are unable to secure and keep pace with the modern and distributed workforce. With the acceleration of digital transformation, Zero Trust has to be prioritized as a security and business imperative, securing all users and data regardless of where they physically are.

The need for Integrated and Cloud-Based Security is also a key theme. The proliferation of threats and abundance of data and threat intelligence have warranted the need for deep analytics, automation and solution interoperability. By leveraging cloud computing and artificial intelligence, enterprises will be able to efficiently detect and respond to threats at scale; the sharing of signals and telemetry between solutions also result in greater visibility and enhanced detection. On top of that, an integrated security solution stack will enable quicker response actions to be taken, reducing the dwell time by containing and eradicating threats.

Matthew Gardiner
Principal Security Strategist


Q1. What are the biggest takeaways for enterprises from Mimecast's "State of Email Security 2020 Report"? How has the pandemic complicated the email security challenge for organizations?

Overall, the state of email security remains extremely challenging. We have been conducting this annual survey for the last 4 years and have not come across anything that looks like "light at the end of the email security tunnel". From the 2020 report, more than half of all organizations reported being impacted by ransomware in the last 12 months. 60% of respondents reported that their organization was hit by an attack that was spread from one infected user to another. And 85% of respondents believe that the volume of web or email spoofing attacks will remain the same or increase in the coming year. I think it is safe to say that remote users are even more vulnerable to phishing attacks, given the higher level of distraction and the further blurring of personal and business use of IT systems.

Some other key takeaways from the 2020 report:

  • 60% of respondents believe it's inevitable or likely they will suffer from an email-borne attack in the coming year
  • The impact of ransomware continues to hit hard, with an average of 3 days of downtime reported in each of the past 3 years that they survey was conducted.
  • Only 21% of respondents reported providing security awareness training monthly or more often.
  • While 97% of respondents were aware of DMARC, separate investigations have shown that only a minority of organizations have deployed it to date.
  • Organizations reported experiencing an average of 9 web or email spoofing attacks in the last year.
  • While 77% of respondents reported having a cyber resilience strategy in place or in process, significant portions of them reported data loss, security related hits to employee productivity, and business downtime due to lack of resilience.

Q2. How will the acquisition of MessageControl earlier this year benefit Mimecast's customers? What specific security need does the acquisition help Mimecast to address?

The acquisition of MessageControl strengthens Mimecast's Email Security 3.0 strategy that is designed to improve cybersecurity at the email perimeter, inside the organization and beyond the perimeter. The combination of Mimecast and MessageControl is engineered to provide customers using productivity apps, such as Microsoft 365®, with stronger protection against advanced phishing and impersonation attacks. Additionally, it is designed to prevent the inadvertent loss of sensitive and confidential data, while also serving as an additional data source to further enrich Mimecast's threat intelligence.

The addition of MessageControl brings the following key capabilities:

  • Machine learning identification of anomalous behaviors. MessageControl's graph technology is engineered to inspect email attributes and content and then apply machine learning to build a library of known and unknown patterns for an individual user. The technology is designed to get smarter over time and has the ability to make real time decisions on 1 billion plus unique user behavior related data points.
  • Contextual, real-time warnings in email. MessageControl helps employees make better choices by providing them with more intelligent, contextual, and dynamic warnings of potentially untrusted senders or content in emails
  • The ability to prevent misaddressed outbound email data leaks. Leveraging the graph technology, MessageControl can notify employees before they accidentally send information to the wrong recipients by using historical sending patterns to detect potential mistakes.

Q3. What does Mimecast plan on highlighting at the Black Hat Asia 2020 virtual event, and why?

A few things that Mimecast will be highlighting at this event are:

  • Four recently discovered and patched Microsoft Office vulnerabilities. What is particularly interesting about these vulnerabilities is that they were resident in the Office applications for many years. So why did they take so long to discover? And why do Mimecast researchers spend so much time analyzing Office? Hint: because Office files are so heavily used by malicious actors.
  • Why email-related controls need to be thought of in three interrelated "zones" of control, at the perimeter, inside the network and organization, and beyond the perimeter. And yes, whether you are using a cloud-based email system or not, you have an email perimeter that needs to be defended. Not all perimeters have gone away with the transition of IT to the cloud!
  • The need to generate, surface, integrate, automate, and action threat intelligence gleaned from all your security controls, including, of course, your cloud-based ones. Why? Organizations don't have people or time to waste. Having dozens of independent, un-integrated, and thus underleveraged security controls weakens security and is annoying and time wasting to boot.

Sustaining Partners