Interviews | November 13, 2014

Black Hat Sustaining Partner Interviews: FireEye, Qualys, and Tenable Network Security

Tony Cole

Tony Cole, VP and global government CTO at FireEye, Inc., talks about the latest trends in advanced persistent threat attacks, and the fact that over 95% of enterprises and government agencies are compromised and don't know it.


Q: Tony, your most recent "Advanced Threat Report" analyzed more than 40,000 advanced attacks across the globe to map out the latest trends in advanced persistent threat attacks. Fill me in on some of the key findings.

Tony Cole: Our 2013 FireEye Advanced Threat Report provides a high-level overview of the computer network attacks discovered during 2013. It is primarily focused on the advanced persistent threat (APT) and how it has evolved over the last year. This year, once again, we also provide additional focus on state-sponsored attackers due to their relationship with advanced and persistent threats.

In 2013, we discovered 11 zero-day attacks. During the first part of the year, Java seemed to be a primary target for zero-day attacks and, during the latter half of the year, Internet Explorer zero-day attacks were utilized via watering hole attacks on unsuspecting victims.

During 2013, we analyzed, on average, more than 100 unique cyber-security incidents per day, discovered more than 50 unique malware infections per day, and logged over 22 million command-and-control communications. We determined that malware is definitely the most utilized cyber-weapon in an attacker's arsenal and that this problem is only going to get worse.

Q: You say that, based on FireEye end-user data, over 95% of enterprises and government agencies are compromised and don't know it. What exactly does that mean -- and what is there about the FireEye Oculus Experience that makes it a "comprehensive approach to threat prevention"?

Cole: When FireEye prospects wish to test our products, they generally put us into their networks to test it and see if we identify any new attacks, ongoing attacks, or possible command-and-control callback activity. These tests have indicated that over 95% of organizations are compromised and don't know it.

The FireEye Oculus experience (now Managed Defense) lets customers focus on running their business while we focus on finding the advanced attacks targeting their business. When customers need that additional expertise in their organization, they can have it provided by the FireEye product and Mandiant Service experts in this area -- us. We provide a number of services in this area, including identified APT alerts in the customer environment, our monthly ThreatCon reports, System Health Monitoring, and Hunt services to find those attackers that may be in your network and have been for quite some time. We have great feedback from our customers using this service and expect to see even wider adoption.

Q: FireEye has said that traditional signature-based security offers no protection from zero-day and targeted APT attacks. Why is that? What do enterprises need to combat these attacks?

Cole: Today we see many customers utilizing a defense-in-depth architecture with numerous products, including intrusion detection systems, intrusion prevention systems, firewalls, next-gen firewalls, email gateways, Web gateways, antivirus, host intrusion detection, and so on. Years ago, this was a semi-effective strategy. Today, the attackers have moved on to targeted attacks based on unknown vulnerabilities they've either found or bought in the underground, along with newly created exploit code associated with the vulnerability. The legacy defense-in-depth products we mentioned are almost all running on signature-based identification for malware. Since signatures can only be created once the new malware has been seen numerous times in the wild, a targeted attack renders the legacy signature-based products useless in identifying or stopping the attacks. Our recent Maginot Line Study gives greater detail on this issue for legacy products as well as deep statistics on which verticals seem to suffer the most from this new threat.

Q: FireEye is a Black Hat "sustaining partner," which means you sponsor all three of the Black Hat conferences -- Asia, Europe, and USA. Why is Black Hat such an important part of FireEye's marketing strategy?

Cole: Black Hat is important to FireEye for a number of reasons, probably the largest being it's where the world comes to hear about the latest on new vulnerabilities, new threats, and new tactics being used by attackers to break into systems. It's a well-known worldwide venue for getting up to speed on the things that will keep a cyber-defender awake at night. It's important for us to be part of this event to share and study this changing threat, and continue doing our very best to keep our products and services at the forefront of the latest in cyber defenses. Our customers expect nothing less.

Jonathan Trull

Jonathan Trull, CISO for Qualys, Inc., discusses how 96% of successful breaches can be avoided through "basic cyber-hygiene," and what lessons were learned from Heartbleed.


Q: Jonathan, Qualys has talked about how to prevent breaches with a sustainable continuous security program. Tell me how that works.

Jonathan Trull: Based on our analysis of actual data breaches, attacks occurring over the last decade, and discussions with CISOs, we identified several common themes:

  • Most breaches can be avoided through basic cyber-hygiene, i.e., patching vulnerabilities, securely configuring servers and desktops, and so on.
  • Hackers often have a more timely and accurate view of our networks than we do.
  • Toxic combinations, basically a combination of two otherwise innocuous weaknesses which can often lead to breaches (for example, a server that exhibits a combination of configurations or vulnerabilities that can make it susceptible to attacks).
  • IT processes, especially those involving humans, will inevitably fail.
  • Weaknesses are identified and exploited within 72 hours.
  • Time is a key limiting factor for any security program.

With these themes in mind, we believe a truly effective security program must be able to continuously and accurately identify not only common vulnerabilities, but toxic combinations of weaknesses and then generate automated alerts so that security staff can immediately address and remediate issues within 72 hours. This new philosophy drove the development of the Qualys Continuous Monitoring solution which leverages the elasticity of our cloud infrastructure to provide security teams with a real-time view of their security posture, no matter the size or global scale of their networks.

Q: In a recent panel on "Rapid Response To Heartbleed," your CTO, Wolfgang Kandek, discussed what lessons were learned from Heartbleed that can prepare everyone for the next inevitable Internet shock. What were the most important of those lessons?

Trull: The most important lessons were: (1) CISOs need real-time situational awareness of their systems and networks, (2) As the size and complexity of your network grows, more automation is needed to identify and remediate vulnerabilities, (3) Managing SSL certificates should be a top priority for any security program, (4) Never rely solely on the CVSS score assigned to a vulnerability when prioritizing your response (Heartbleed only received a CVSS score of 5 out of 10, with 10 being the most severe), and (5) Security teams need a well-tested plan to deal with emergent vulnerabilities.

Q: According to the U.S. government, 96% of successful breaches can be avoided through "basic cyber-hygiene," such as vulnerability and configuration management, but threats evolve so quickly that information security and risk management teams struggle to keep track of their posture. What basic cyber-hygiene advice do you have for such teams?

Trull: Practicing good cyber-hygiene is similar to sports in that it is typically the team that consistently executes on the basics that wins. We would advise that companies focus on the following:

  • Ensure that only authorized devices are connected to company networks.
  • Limit the applications or software running on company assets to only those necessary to meet business needs.
  • Securely configure assets, including removing default usernames and passwords, and restricting the use of administrative privileges.
  • Continuously scan and remediate vulnerabilities and misconfigurations in company assets.
  • Deploy a combination of network and endpoint malware defenses using a combination of technologies, including blacklisting, whitelisting, heuristics, and virtualization.

In today's complex security landscape, it's critical to be proactive and vigilant to protect against cyber threats in order to be as secure as possible. Practicing good cyber-hygiene ensures we are protecting and maintaining systems and devices appropriately by leveraging cyber security best practices.

Q: You are a Black Hat "sustaining partner," meaning you sponsor all of the Black Hat conferences -- Asia, Europe, and USA. Why is Black Hat an important part of your marketing strategy?

Trull: Black Hat is the quintessential cyber-security event attracting the most technically savvy professionals across the globe. For Qualys, Black Hat is an amazing opportunity for us to connect with our customers, showcase new technology, and keep our fingers on the pulse of emerging threats and innovative solutions to those threats. Black Hat is also an excellent opportunity for our staff to enhance their skills and connect with other professionals. We find that our staff returns with new and innovative ideas that help us drive innovation and enhance our own internal security.

Gavin Millard

Gavin Millard, technical director for EMEA, Tenable Network Security, talks about how security professionals can create and share their own metrics in their jobs, and why Black Hat is such an important part of Tenable's marketing strategy.

Q: Gavin, Tenable has said that "defensive technologies" -- like firewalls, antivirus, patching systems, and security event management -- have failed to prevent successful attacks because "they are frequently not aligned with a unified security policy or business practice." What did you mean by that -- and what solutions do you recommend?

Gavin Millard: When I ask a CTO, consultant, or support person from any security vendor "do your customers deploy your product exactly as you envisaged," the answer is always resoundingly "no." It's something every security product vendor knows already -- people use only a small fraction of their features, don't deploy it correctly or with a unified approach, and fail to fully operationalize its use within the organization.

If you don't have end-to-end visibility of your security prevention and detection program and audit this through effectiveness metrics, then all you really have is hope and faith that your defensive technologies are deployed correctly and are stopping the attacks they were bought to protect you from. If we take malware detection as an example, it's rarely deployed across every system, often missing updates, and the process of dealing with the alerts and outputs is ignored, which was one of the biggest issues in the case of the Target breach.

Organizations need to have a continuous view as to the state of their security controls and audit appropriately to ensure the investments made are protecting appropriately and working to full potential.

Q: In a recent blog, Tenable made some recommendations about how security professionals can create and share their own metrics in their jobs. Give me a few of the more important suggestions for creating such metrics.

Millard: Measuring the effectiveness of security is critical to understand how well each part of the organization is performing against defined security goals. When it comes to picking the right metrics, the organization has to agree that the measures they choose are moving them towards a reality that gives value for money and a significant reduction in real-world risk while supporting the overarching mission of the business.

My personal favorite five are:

  • What percentage of systems are scanned in-depth by a vulnerability scanner?
  • What is the time taken to patch critical, easily exploitable vulnerabilities?
  • What is the percentage of systems with up-to-date malware defense?
  • What is the time taken to identify unknown assets on the network?
  • How is each business unit performing against the corporate security policy?

Q: It's been said that antivirus utilities are a waste of money and not effective. People have even said that "antivirus is dead." I'd like to hear your thoughts on that.

Millard: Malware authors create code to take advantage of known vulnerabilities that should have been patched, flaws in AV engines to circumvent detection, weak configuration that should have been addressed, poor security practice that should have been improved, or holes in the network that shouldn't exist. Antivirus is the catch-all -- or, in reality, the catch-some -- net for other controls that have failed. But until those issues are addressed, malware will continue to penetrate and organizations will keep on paying for a reactive fix on a problem that requires a more fundamental approach to addressing foundational security flaws.

Backoff, a recent piece of malware targeting POS devices, is a perfect example as it took advantage of weak remote access passwords that should have never been in a production environment. Antivirus made us lazy.

Q: Tenable Network Security is a Black Hat "sustaining partner," which means you sponsor all three of the Black Hat conferences -- Asia, Europe, and USA. Why is Black Hat such an important part of Tenable's marketing strategy?

Millard: The Black Hat conferences are incredibly important to the security community, including our customers and partners around the world, as a place to hear about the latest and emerging threats, have meaningful conversations with fellow practitioners, and to learn. For Tenable, the conference provides an opportunity to hear about challenges and pain points, and explore how our technologies can help customers.
