Interviews | October 24, 2018

Threat Intelligence Imperative to Successful Security Programs: Cybereason, Nominet, Qualys, Recorded Future

Sam Curry
Chief Security Officer
Cybereason

Q1. How do you expect endpoint security threats to evolve over the next few years? What new challenges are these emerging threats going to pose for enterprises?

Different attackers will evolve a little differently and will influence each other to a greater degree than in the past by virtue of the number of players and the advanced development available to many of them. Cybercriminals will make incremental innovations and will develop small breakthroughs, while focusing on automation and refinement of their supply chains and cash-out models, while nation state and agenda hackers will invest in stockpiling breakthroughs and new attacks.

In the end, though, development will follow the skills of developers and the path of least resistance to results. Like squeezing a balloon and having the air bulge out in new spots, they will seek the new pathways to results in hardware, stepping up mobile attacks and driving into the seams in the cloud and the emerging world of powerful IoT exploits.

Q2. Endpoint protection has become a complex problem for many organizations. One study has shown that some organizations have up to seven independently managed agents running on their endpoints to address current threats. What's being done to reduce this complexity?

Security companies can be frightfully arrogant about having elbowroom. The expectation is that they can consume whatever they need and run any risks for the integrity of an endpoint. However, the arrogance has to stop. This is tech debt of the worst order for IT departments, and in some cases there isn't enough CPU or resources left on the most "protected" systems to run pesky business software and applications.

It's critical to remember that companies don't buy machines to run security software, they buy them for the business and while they will pay a small tax for security, it has to be respectful. The main principle should be, like a doctor, to do the least harm possible. Kernel access is not a God-given right, and playing fast and loose with memory, disk space, bandwidth and system stability should be a cardinal sin. Any security company worth its salt will seek operational efficiencies, will act in a Hippocratic style with respect to the endpoint and will minimize IT tech debt or will risk going out of business. Arrogance will not be forgiven.

Q3. What is Cybereason's main focus going to be at Black Hat Europe 2018?

Cybereason is first and foremost about "reversing the hacker advantage," which is what we call changing the asymmetry that favors attackers in cyber conflict to favoring the defenders. We are people who understand, deeply, the offensive mindset and believe passionately in security as a discipline developing new tools and edges. As such, Black Hat Europe 2018 and the attendees are our people; and we want to be at the show to talk with them, see what's happening, reach out and have a positive effect in the continued mission to reverse the hacker advantage.

Simon McCalla
Nominet

Q1. What are some of the top trends in DNS security from a threat standpoint? How have DNS threats evolved over the last several years?

The biggest ongoing DNS threat is still the DDoS attack - and over recent years, with the onset of IoT-enabled devices, the threat has developed a new potency. To draw one positive, the fact that the DNS continues to be a target is forcing businesses to take notice of this overlooked, yet increasingly important area of cyber security.

A prime example of this new level of threat is the Mirai botnet. By infecting IoT devices to form a botnet, they were able to launch a coordinated attack known as DNS Water Torture. A recursive, random-subdomain attack that simply floods a target's authoritative name servers, the result is popular sites becoming unreachable for hours despite being up and running normally.

And this is just the beginning. By 2020, there are set to be 20 billion IoT devices, and IoT botnets are already becoming more sophisticated. Attacks peaking at 300 Gbps, 400 Gbps, and 500 Gbps were more common in 2018 than ever before. This says to us that the type of security threat is staying consistent - but the size or intensity of the attack is growing, and organizations need to beef up their security systems to deal with this.

Q2. What are some of the requirements for resilient DNS security?

To ensure resilient and strong DNS security, you need to combine protection, forensic analysis and mitigation. According to research, two-thirds of DNS traffic logs analyzed showed signs of malicious activity. Therefore, being able to monitor the DNS traffic in real time, or near real time, is crucial to protecting your network.

By monitoring traffic going through your recursive server, you can reveal infected machines on your network. This could include those [systems], which may have become part of a botnet and are sending spam, or those contacting a command-and-control domain after they've been infected with malware. Data exfiltration through DNS tunnelling is another big security blind spot that many customers ask us to solve for them.

Secondly, being able to forensically analyze previous intrusions, spam runs, phishing campaigns, command-and-control malware and other attacks involving the DNS, means you will be able to mitigate against future attacks.
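The three signals described in this answer and in the Mirai example above (a random-subdomain flood against one zone, encoded payload riding in long query names, and clients resolving a domain that a threat feed already lists) can all be pulled from a recursive resolver's query log. The script below is an added example, not Nominet's code or any product's detection logic; the log format, client addresses, domain names, blocklist and thresholds are all constructed for illustration, and the two-label zone split is a simplification of what a public-suffix-aware tool would do.

```python
"""Flag suspicious activity in recursive-resolver query logs.

Added example (not Nominet's code). The log format, names, addresses,
blocklist and thresholds below are all constructed assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
1540368000 10.0.0.5 www.example.com A NOERROR
1540368001 10.0.0.5 mail.example.com MX NOERROR
1540368002 10.0.0.9 a1b2c3d4.victim.example A NXDOMAIN
1540368002 10.0.0.9 e5f6g7h8.victim.example A NXDOMAIN
1540368003 10.0.0.9 i9j0k1l2.victim.example A NXDOMAIN
1540368003 10.0.0.9 m3n4o5p6.victim.example A NXDOMAIN
1540368004 10.0.0.9 q7r8s9t0.victim.example A NXDOMAIN
1540368004 10.0.0.9 u1v2w3x4.victim.example A NXDOMAIN
1540368005 10.0.0.9 www.victim.example A NOERROR
1540368006 10.0.0.7 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.t.example.net TXT NOERROR
1540368007 10.0.0.7 u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0.t.example.net TXT NOERROR
1540368008 10.0.0.7 x9y8z7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0.t.example.net TXT NOERROR
1540368009 10.0.0.12 bad-c2.example.org A NOERROR
1540368010 10.0.0.5 cdn.example.com A NOERROR
"""

# Constructed blocklist standing in for a threat-intelligence feed of C2 domains.
BLOCKLIST = {"bad-c2.example.org"}


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, rcode = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (leftmost label, zone). Zone = last two labels: a simplification,
    a production tool would consult the public suffix list instead."""
    labels = qname.split(".")
    return labels[0], ".".join(labels[-2:])


def detect_random_subdomain_flood(records, min_unique=5, min_nx_ratio=0.8):
    """Water-torture pattern: one client, many distinct labels under one zone,
    almost all answered NXDOMAIN by the authoritative server."""
    labels = defaultdict(set)
    totals = Counter()
    nx = Counter()
    for r in records:
        label, zone = split_name(r["qname"])
        key = (r["client"], zone)
        labels[key].add(label)
        totals[key] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[key] += 1
    return {key: len(lbls) for key, lbls in labels.items()
            if len(lbls) >= min_unique and nx[key] / totals[key] >= min_nx_ratio}


def detect_tunnelling(records, min_label_len=30, min_entropy=3.0, min_hits=3):
    """Tunnelling pattern: repeated long, high-entropy leftmost labels under one
    zone, i.e. encoded data carried in the query name itself."""
    hits = Counter()
    for r in records:
        label, zone = split_name(r["qname"])
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[(r["client"], zone)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


def match_blocklist(records, blocklist):
    """Known-C2 match: the qname or any parent domain appears in the feed."""
    out = []
    for r in records:
        labels = r["qname"].split(".")
        candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
        if candidates & blocklist:
            out.append((r["client"], r["qname"]))
    return out


def analyze(text, blocklist=BLOCKLIST):
    """Run all three detections over a raw log and return the findings."""
    records = parse_log(text)
    return {
        "random_subdomain_flood": detect_random_subdomain_flood(records),
        "tunnelling": detect_tunnelling(records),
        "blocklist_hits": match_blocklist(records, blocklist),
    }


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

On the constructed log the flood check flags client 10.0.0.9 against victim.example (seven distinct labels, six NXDOMAIN answers), the tunnelling check flags 10.0.0.7 against example.net, and the feed match names 10.0.0.12. The thresholds are deliberately parameters: a real deployment tunes them against a baseline of its own resolver traffic, since CDNs and some anti-spam services legitimately generate long or random-looking labels.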

Q3. Why is being at Black Hat Europe 2018 important for Nominet? What are you hoping attendees will learn about your company at the event?

Black Hat Europe is the gold standard in events for the security professional and it's more important than ever that we are in attendance. The amount of industry insight, training, briefings, and information on offer is vast and invaluable in this era of the ever-evolving threat.

We hope delegates will learn that as the long-term guardians of the .UK namespace, we have unparalleled expertise in DNS technology. We want to communicate just how important it is for CISOs, Security Architects, Security Analysts and other cyber security professionals to look to the DNS to understand and eliminate many threats that overwhelm their network and their resources. We can help organizations spot and block known and unknown threats regardless of how well hidden they are amongst the noise.

Darron Gibbard
Managing Director, Northern Europe
Qualys

Q1. Gartner expects the worldwide cloud-based security services market to top $9 billion in 2017. What are some of the primary factors driving demand for these services in Europe and elsewhere?

There are a number of factors that have influenced organisations to make the move into the SaaS world, from conversations that I am having with CISOs, CIOs and CTOs. From these conversations, skills shortage is in many of their top 3 concerns. There simply are not enough security compliance, regulatory and operational skilled people in the industry to be able to maintain a compliant and secure organisation. I strongly believe that CIOs, etc., will be facing more and more security risks and threats in the next five years. But the risks to the organisations will not be due to the ever-growing threat of cyber security and cyber attacks but due to the fact that CIOs can't actually recruit the right people. One of the other factors I come across is cost and the savings generated by not having the burden of upgrading, maintenance, and safeguarding data and systems. Seamless upgrades are done by your cloud and SaaS provider, which ensures you're using the most up-to-date version of the security software without needing to reimplement or lose any of your custom features. This in turn means that CIOs are finding ways to remove legacy applications from their environments. CIOs are being forced to look elsewhere for solutions to address these factors and this is driving the move to cloud services. This is where Qualys can help with our ability to simplify the complexity associated with managing multiple security solutions, while at the same time increasing the automation, effectiveness and proactive nature of security.

Q2. How have requirements for endpoint security and compliance changed in recent years?

Various studies have put the number of security breaches coming from endpoints at between 70 and 95 per cent. Endpoint security and compliance in recent years has been focussed on consolidation and the move away from communication with physical servers. With more and more organisations moving to the cloud and using SaaS approaches, the endpoint technology is now communicating directly with the SaaS management platform. Another reason for the consolidation has been forced upon CISOs by tightening budgets; mainly, CISOs are suffering from too many security and monitoring tools. There has been an improvement in endpoint technology that does benefit the organisation, in that one agent can now perform a number of critical security functions. For example, using the Qualys cloud agent will consolidate asset management, vulnerability management, threat & risk protection, indication of compromise, file integrity monitoring, policy compliance and security configuration assessment. What would have been multiple agents is now one.

Compliance on the endpoints has become a critical moving target for CIOs and CISOs. The reason for this is down to the workforce being more and more mobile and accessing critical information from anywhere in the world at any time of the day. As the stereotypical corporate boundaries are being completely knocked down and the data is being moved through cloud and SaaS providers, the corporate boundaries no longer exist. This in turn causes a challenge for the CISO in that they need to know where all critical and personal data is being used and need to keep track of this. The next stage in endpoint evolution is the use of artificial intelligence. AI is many times faster than any security analyst could ever be, calculating literally millions of possibilities every second. This is a space to watch over the coming years.

Q3. Qualys offers a pretty broad set of security services. Which of these services do you expect attendees at Black Hat Europe 2018 will be most interested in learning about?

The areas that will be of interest will be the free tools CertView and CloudView. CertView allows admins to take back control of any internet-facing certificates. The main benefits of CertView are gaining visibility into all of your Internet-facing certificates and SSL/TLS configurations, stopping expired certificates from interrupting critical business functions, achieving compliance, identifying certificate issuers and, lastly, centrally controlling and visualising prioritisation of certificate and configuration remediation. CloudView allows admins to gain visibility of all your public cloud assets and resources from a single-pane interface. The main benefits are comprehensive visibility into cloud workloads and infrastructure, tracking and understanding impact based on topology and relationships, setting up immediately with no interference to your workloads and then instantly performing continuous assessments with Qualys Cloud Security Assessments (CSA).

Another area of great interest for Qualys at the moment is the DevOps area. We have made great strides with our product set and can now provide everything you need for security and compliance in application development. At the top level Qualys provides four main features that are of vital importance for developers. Comprehensive bug and misconfiguration detection: this catches coding and configuration errors throughout development, early and often, before launching apps into production. Remediation prioritisation: this pinpoints the most critical vulnerabilities present in code being written, so you can eliminate the biggest risks right away. Compliance assurance: this verifies that as applications are developed, the code is compliant with your internal policies and external regulations. And lastly, intrusion vigilance: this identifies indicators of compromise so your combined development, operations, QA and security team responds and secures systems immediately.

Staffan Truvé
CTO and Co-founder
Recorded Future

Q1. What do you see as some of the biggest drivers for threat intelligence services over the next few years?

We're seeing two primary drivers of growth for threat intelligence right now: recognized need for increased impact and performance of traditional security solutions; and increased partnership with traditional security players across the ecosystem.

In reality, these two points are different sides of the same coin. Security teams now understand that the lens of threat intelligence isn't just a nice-to-have — it's imperative to successful security programs and fast decision making. In other words, threat intelligence is really the only way to stay one step ahead of attackers. They're also recognizing you don't need a dedicated analyst team to use threat intelligence. Security vendors are seeing this desire and looking to partner with threat intelligence providers to meet this need. So, on one hand, you have a widening scope of security professionals looking to use threat intelligence to bolster their work, and on the other, vendors looking to enhance their own offerings with threat intelligence.

Threat intelligence has the capacity to significantly increase the impact and ROI of nearly every one of today's security functions. Whether you're a SOC analyst, handling a vulnerability management program, or responsible for incident response, threat intelligence is the key to acting quickly with confidence. Rather than digging through hundreds of SIEM alerts or guessing at which vulnerabilities are most likely to impact your organization, you already know what threats to mitigate and which machines need to be patched based on personalized risk.
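What "which machines need to be patched based on personalized risk" looks like in practice is a join between three things a team usually already has: scanner findings, asset context and an external feed of observed exploitation. The script below is an added example of that join and is not Recorded Future's code or scoring model; the hosts, the CVE-style identifiers, the CVSS values, the asset attributes and the intel statuses are all constructed placeholders, and the weights are illustrative choices.

```python
"""Rank patching work by combining scanner output with threat intelligence.

Added example, not Recorded Future's code or scoring model. Hosts, the
CVE-style identifiers, scores, asset context and the intel feed below are
constructed placeholders; the weights are illustrative.
"""

# Constructed scanner findings: (host, vuln_id, cvss_base)
FINDINGS = [
    ("web-01", "CVE-0000-0001", 9.8),
    ("web-01", "CVE-0000-0002", 5.3),
    ("db-01", "CVE-0000-0003", 7.5),
    ("hr-laptop-7", "CVE-0000-0001", 9.8),
    ("kiosk-3", "CVE-0000-0004", 8.1),
]

# Constructed asset context: host -> (internet_facing, business_criticality 1..5)
ASSETS = {
    "web-01": (True, 5),
    "db-01": (False, 5),
    "hr-laptop-7": (False, 3),
    "kiosk-3": (True, 1),
}

# Constructed intel feed: vuln_id -> observed exploitation status
INTEL = {
    "CVE-0000-0001": "exploited_in_wild",
    "CVE-0000-0003": "public_poc",
    "CVE-0000-0004": "exploited_in_wild",
}

# Illustrative multipliers for how much observed threat activity raises urgency.
EXPLOIT_WEIGHT = {"exploited_in_wild": 2.0, "public_poc": 1.5}


def risk_score(cvss, internet_facing, criticality, intel_status):
    """Personalised risk = severity x exposure x business impact x threat activity."""
    exposure = 1.5 if internet_facing else 1.0
    impact = 0.5 + criticality / 5          # maps criticality 1..5 onto 0.7..1.5
    activity = EXPLOIT_WEIGHT.get(intel_status, 1.0)
    return round(cvss * exposure * impact * activity, 1)


def prioritise(findings, assets, intel):
    """Return findings sorted by descending risk, each with its score and reason."""
    ranked = []
    for host, vuln_id, cvss in findings:
        internet_facing, criticality = assets[host]
        status = intel.get(vuln_id)
        score = risk_score(cvss, internet_facing, criticality, status)
        ranked.append({"host": host, "vuln": vuln_id, "score": score,
                       "reason": status or "no known exploitation"})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def patch_order(findings, assets, intel):
    """Hosts in the order to patch them, judged by each host's worst finding."""
    worst = {}
    for r in prioritise(findings, assets, intel):   # already descending by score
        worst.setdefault(r["host"], r["score"])
    return [h for h, _ in sorted(worst.items(), key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    for r in prioritise(FINDINGS, ASSETS, INTEL):
        print(f'{r["score"]:6.1f}  {r["host"]:<12} {r["vuln"]}  ({r["reason"]})')
    print("patch order:", patch_order(FINDINGS, ASSETS, INTEL))
```

The constructed data is chosen to show the effect the answer describes: on CVSS alone db-01 (7.5) would be patched before kiosk-3 (8.1 but a low-value asset), yet once the feed reports the kiosk's vulnerability as exploited in the wild and the asset record says it is internet-facing, the kiosk moves ahead. Likewise the same CVE-style identifier on web-01 and on hr-laptop-7 receives two different scores because the context differs, which is the "personalized" part.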

Q2. What capabilities do organizations need to have in place to be able to leverage cyber threat intelligence fully? Is cyber threat intelligence something that only large enterprises can truly benefit from, or is there value in it for smaller organizations as well?

There has been a long-standing misconception that organizations must have dedicated analysts to benefit from threat intelligence — we cannot more strongly disagree. Threat intelligence is the layer of external context that brings into focus what security teams should be most concerned with. It doesn't matter what size your organization is — you can implement a threat intelligence strategy that works for your maturity level.

Q3. What are Recorded Future's plans at Black Hat Europe 2018? What's your main message going to be for attendees at the event?

Demonstrating just how usable threat intelligence is — and the sheer power of impact — at any level is our core message. We want people to understand that effectively any security team can increase effectiveness by adding a threat intelligence strategy as part of their day-to-day operations.

We're also working hard to give teams the tools they need to get started. Just this October, we released two resources: a downloadable, free, step-by-step guide to getting up and running with threat intelligence, The Threat Intelligence Handbook, and a Threat Intelligence Grader to help you figure out just where you are on the threat intelligence sophistication spectrum.

And of course, we'll be showcasing our latest research on nation state actors and the criminal underground from the Insikt Team as well — Recorded Future's research arm.
