Interviews | December 1, 2020

Improving Threat Detection Times Remains Daunting Challenge

Alsid | KnowBe4 | Sygnia | Synopsys

Nash Kapoor


Q1. How have threats targeted at AD environments evolved in recent years? How have requirements for AD security changed as a result?

Threats against AD have evolved in recent years mainly due to the number of accessible tools making it easier than ever to gain a foothold in the Active Directory environment, such as Mimikatz, a tool used to dump passwords, hashes and Kerberos tickets; this enables users to perform common attack techniques like pass the hash, pass the ticket and the creation of golden tickets.

Bloodhound is a tool that uses graph theory to highlight the shortest path for an attacker to take, allowing them to move deeper inside the organisation or perform privilege escalation techniques to acquire a privileged account.

We have also seen an increased threat across AD via Ransomware attacks, whether this is through advanced attacks adding malicious files to Group Policy Objects and the NETLOGON directory, or through RaaS (Ransomware-as-a-Service) allowing even the most novice cybercriminal to deploy Ransomware attacks.

Active Directory acts as the weak point in most businesses due to its design, age, and complexity and is typically secured by auditing and detecting. A reactive cyber strategy that focuses on attack detection is important but this approach today on its own is not enough to mitigate the threat. Instead of waiting for an attack to happen, then focusing on the incident, we should focus on how attacks may be possible.

An effective defence strategy can be built by introducing a proactive solution which will highlight risks, contextualise alerts, monitor changes as they occur and provide prevention measures to close the attack path and ensure it stays closed, thus reducing the threat landscape.

Q2. What are some of the key considerations organizations need to keep in mind when building an AD security program? What questions should they be asking and why?

When it comes to key considerations, I think we can break this down into some key areas: proactive security, reactive security, ongoing monitoring, and backup and recovery. When we bring these four pillars together, you have a comprehensive AD security strategy.

Proactive - Prevention
Proactive security is becoming a core part of the security strategy, and for so many years this has been an afterthought when it comes to Active Directory. To be proactive, firstly, we need to map out the AD environment, giving us visibility of forests, domains and trusts. Secondly, we need to have a solution that not only highlights the risks, threats, vulnerabilities and misconfigurations but also contextualises this information so that, as a business, we can understand what the risk is, why it’s important, which objects are affected and the recommended remediation steps. This is how we start preventing, or minimizing, the attacks from happening in the first place.

Reactive - Detection
Reactive security has been a common practice for a long time but is often left as a single area making up the AD security program, and on its own is not enough to protect AD. Whilst this is a critical part of the security program, it relies on the attack happening to trigger the alert, which means we are notified after the attack has happened. This has become increasingly challenging over the years with the introduction of solutions such as SIEMs and the high volume of alerts generated across numerous sources resulting in resource constraints leading to alerts or incidents not being picked up immediately and in some cases even missed altogether.

Auditing — Ongoing Monitoring
For both proactive and reactive to work effectively, we need to have a complete view of changes and events that occur across Active Directory and we need this information immediately. For many years, organisations have relied on Windows Event logs, which lack context, generate false positives due to bad configurations and often require agents to be installed on Domain Controllers or privileged accounts, both of which are not necessary today.

Backup & Recovery
Often overlooked, but a core part of the strategy. If all else fails and the attacker cripples AD, we must be able to successfully recover the Active Directory environment.

Q3. What is Alsid planning to highlight at the Black Hat Europe 2020 virtual event?

We are excited to be attending our first Black Hat Europe event, during which we will cover why a proactive and prevention approach is key to any Active Directory, no matter the size. We will be showcasing how we have leveraged the attack path principles behind Bloodhound to rapidly identify issues within AD and consume all changes in real-time via the Microsoft Built-in AD replication API, without the need for any agents or privileges. We are going to demonstrate how we map out Active Directory environments, how we capture changes to AD and how these changes are alerted within seconds of the commit action, providing full details and enriched context behind the alert and how we can act as a filter before passing events into widely used SOC tools such as SIEM and SOAR to enable automated orchestration and response actions.
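The agentless change capture described in this answer, and the Group Policy abuse mentioned in Q1, can be approximated with the LDAP DirSync control, which reads the same change stream replication exposes. The script below is an added example and is not Alsid's product code; the domain controller name, naming context and sensitive-group list are placeholders. It uses the ObjectSecurity option, under which the caller needs only ordinary read permission on the objects it reports (without that option the account would need the Replicating Directory Changes right), and it persists the DirSync cookie so that each run picks up only what changed since the last one.

```powershell
# Added example, not Alsid's code: poll Active Directory for changes with the
# LDAP DirSync control and flag edits to Group Policy objects, sensitive group
# membership and object deletions. Nothing is installed on the DC.
# Placeholders: the DC name, naming context and group list are made up.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DomainController = 'dc01.corp.example'                       # placeholder
$NamingContext    = 'DC=corp,DC=example'                      # placeholder
$SensitiveGroups  = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$CookieFile       = Join-Path $env:TEMP 'ad-dirsync.cookie'   # survives restarts

function Connect-Ldap {
    param([string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # integrity and confidentiality on the session
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                           # Kerberos with the current account
    return $conn
}

function Get-DirSyncCookie {
    if (Test-Path $CookieFile) { return [System.IO.File]::ReadAllBytes($CookieFile) }
    return [byte[]]@()                     # empty cookie = initial full sync
}

function Save-DirSyncCookie([byte[]]$Cookie) {
    [System.IO.File]::WriteAllBytes($CookieFile, $Cookie)
}

# Turn one DirSync result entry into human-readable findings.
function Get-ChangeFindings {
    param([System.DirectoryServices.Protocols.SearchResultEntry]$Entry)
    $findings = @()
    $names   = @($Entry.Attributes.AttributeNames)
    $classes = @()
    if ($names -contains 'objectClass') {
        $classes = $Entry.Attributes['objectClass'].GetValues([string])
    }

    # GPO edits: versionNumber bumps on every change; gPCFileSysPath points at
    # the SYSVOL folder whose files and scripts the ransomware cases abuse.
    if ($classes -contains 'groupPolicyContainer' -or $names -contains 'gPCFileSysPath' -or $names -contains 'versionNumber') {
        $findings += "GPO changed: $($Entry.DistinguishedName) (attributes: $($names -join ', '))"
    }

    # DirSync reports incremental membership as 'member;range=1-1' (added)
    # and 'member;range=0-0' (removed); a plain 'member' list is the initial sync.
    foreach ($n in $names) {
        if ($n -notlike 'member*') { continue }
        $cn = ($Entry.DistinguishedName -split ',')[0] -replace '^CN=', ''
        if ($SensitiveGroups -notcontains $cn) { continue }
        $kind = switch -Wildcard ($n) {
            '*range=1-1' { 'added' }
            '*range=0-0' { 'removed' }
            default      { 'listed' }
        }
        foreach ($m in $Entry.Attributes[$n].GetValues([string])) {
            $findings += "Membership $kind on ${cn}: $m"
        }
    }

    if ($names -contains 'isDeleted') {
        $findings += "Object deleted: $($Entry.DistinguishedName)"
    }
    return $findings
}

# One DirSync pass: returns findings and persists the new cookie.
function Invoke-DirSyncPass {
    param($Connection)
    $attrs = @('objectClass', 'member', 'gPCFileSysPath', 'versionNumber', 'isDeleted', 'whenChanged')
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $NamingContext, '(objectClass=*)', 'Subtree', $attrs
    $ctl = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl
    $ctl.Option         = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity
    $ctl.AttributeCount = [int]::MaxValue
    $ctl.Cookie         = Get-DirSyncCookie
    [void]$req.Controls.Add($ctl)

    $all = @()
    do {
        $resp = $Connection.SendRequest($req)
        foreach ($e in $resp.Entries) { $all += @(Get-ChangeFindings -Entry $e) }
        $rc = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
        $ctl.Cookie = $rc.Cookie           # continue from where the server left off
        Save-DirSyncCookie $rc.Cookie
    } while ($rc.MoreData)
    return $all
}

$conn = Connect-Ldap -Server $DomainController
while ($true) {
    foreach ($f in Invoke-DirSyncPass -Connection $conn) {
        "$((Get-Date).ToString('s')) $f"   # forward to a SIEM/SOAR instead of printing in production
    }
    Start-Sleep -Seconds 15
}
```

The first run with an empty cookie returns every matching object in the naming context, so expect one noisy initial sync; from then on each pass returns only changed objects and only the changed attributes among those requested. The ObjectSecurity option requires a Windows Server 2003 or later forest functional level, and the search base must be the root of a naming context for the control to be accepted.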

Perry Carpenter
Chief Evangelist and Strategy Officer


Q1. What are some common mistakes organizations make when it comes to providing security awareness training to employees?

The single biggest mistake I see organizations make is assuming that providing the right information will naturally lead to employees taking the right actions. But any parent will tell you that people just don't work that way. Back in 2018, I released a book called Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. It was all about revealing the most effective ways to influence employee behavior. There were three axioms that I used to underpin the book. 1) Just because I'm aware doesn't mean that I care. 2) If you try to work against human nature, you will fail. 3). What your employees do is way more important than what they know.

So, as you can tell, my belief is that it all comes down to understanding human nature and working with (and within the bounds of) human nature to drive results. Anything else is really just throwing information at people and hoping for the best; it might check a compliance box, but it won't prevent a breach.

Q2. What are the attributes of a good employee security-awareness training program? What are the biggest challenges organizations are likely to encounter in implementing such a program?

Effective awareness programs will focus on knowledge, beliefs, and actions/behaviors. The only way to do that is to make information relevant to people's lives. This means understanding that each employee is an individual and is operating within different cultural contexts as influenced by their upbringing, profession, specialties, peers, regions, and social expectations. All of this will impact how information gets encoded/internalized into beliefs (or not). We can't ever forget that humans are emotional beings. So, if we can influence our messages with emotional context, those messages will be registered by the mind as much more relevant and 'real' than simply presenting information or facts.

Good security awareness programs also place a high value on behavior science and designing for the behavioral outcomes they want. This is one reason why simulated phishing programs are so popular -- because they are effective at measuring and shaping behaviors. Working with human nature means accounting for how humans will naturally behave in situations and then finding ways to naturally nudge the behaviors we want to see or to provide employees the necessary tools, training, or other situational elements to make the task as easy and natural as possible.

The biggest challenge I usually see organizations face here is in obtaining buy-in for changing the status quo for their training program. If the organization has simply been operating in a check-the-box model for awareness, then the awareness program leader will first need to educate the executive team and HR on what the new program will entail. And they sometimes need to sell the benefits of having a higher-touch model for training. Luckily, the data is squarely on the awareness program leader's side.

Q3. What virtual events/programs/discussions has KnowBe4 planned for the Black Hat Europe 2020 virtual event?

KnowBe4 is thrilled to be a Diamond Sponsor at Black Hat Europe 2020.

I will be speaking at the show as well as IT Industry expert Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

We will dive into important topics for security leaders today around social engineering and phishing with our sessions "The Mind’s Lie: How our Thoughts and Actions can be Hacked and Hijacked" and "Incredible Ways You Can be Hacked Using Email & How to Stop the Bad Guys". Hope you can join us for these informative and actionable sessions.

Also, be sure to stop by our virtual booth to meet our staff and discuss how we can help you manage the ongoing problem of social engineering, spear phishing and ransomware attacks by securing your last line of defense.

Sharon Isaaci
Vice President, Cyber Security Services Delivery


Q1. Sygnia has positioned itself as a company that helps organizations enable a proactive cyber defense capability. What exactly is proactive defense and what are some of the key requirements for enabling such a capability?

Sygnia is a cyber technology and service company that provides consulting and incident response support for organizations worldwide. We work with companies both to proactively build their cyber resilience, and to defeat attacks within their networks. In doing so, we leverage learning from our reactive engagements, as we’re constantly responding to cyber incidents, and we bring these insights into the proactive work of building resilience. We make sure to drive security against the realistic risks, not only controls, and to focus on the highest impact threats to business and the most impactful opportunities to enhance security.

Sygnia is the trusted advisor of technology and security teams, as well as senior leaderships, of leading companies around the world, including Fortune 100 companies. We draw on security talent from across the industry, as well as the ranks of elite intelligence and technology units, and we provide our clients with end-to-end strategic support. This means applying a hands-on gloves-off approach, working in close collaboration with IT, security teams, as well as executive management.

When we think about proactive defense, we aim to create an "efficient frontier": how do you build the optimal portfolio of security efforts against the threats? We go beyond the traditional method of gap analysis against generic best practices by leveraging the attacker perspective. One of the ways that we found to be highly effective is the use of a scenario-driven approach to better identify the threats organizations face, ascertain the ability to defend against them, and determine their impact. We merge the strategic perspective of business risk with the technical perspective of ethical hacking, to assist in developing high-impact attack scenarios focused on protecting critical assets and enabling business processes. We call this methodology MASS (Massive Attack Scenarios Simulation).

The proactive resilience enhancement journey often culminates in the delineation of a security roadmap that is prioritized across impact and feasibility, typically focused on optimizing existing capabilities.

Q2. What are the biggest challenges that organizations face when it comes to reducing attacker 'dwell time'? What should they be doing to reduce it as much as possible?

Dwell time is the length of time that cyber attackers have free rein in an environment, from the time they get in until they are detected and extricated. Dwell time is often measured through metrics such as Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR). Naturally, the longer the dwell time, the greater the opportunity for attackers to steal sensitive information, disrupt operations, corrupt data, and cause strategic damage.

The data we have indicates that generally dwell time has been declining over the years. However, the situation is still far from acceptable. There is also a learning competition in this area: attackers are operating with greater velocity and stealth, and in the longer term we’re seeing a trend of attacker automation. Our experts already identify slow changes in malware design and TTPs, which suggest that we may end up with fully automated APTs, which will be far faster than what we see today.

Improving detection time can be a daunting challenge. Some of the difficulty is the result of the fact that our networks are increasingly complex, and that as visibility improves, "signal" to "noise" ratio becomes almost unmanageable.

The good news is that we can take an existing monitoring capability of a company, or a SOC, and improve its visibility and response readiness dramatically, in most cases even based on its existing technologies. We help companies assess their detection capabilities against realistic threats, and optimize visibility, logging, and analytics, dramatically enhancing their detection capabilities. It must be contextualized to the network, critical assets and threats. When we combine this work with enhancing processes, contingencies and playbooks, to improve readiness, we also see a dramatic reduction in response time, and diminished effects of a breach.

If an organization has the maturity and resources, a strong recommendation is also to proactively hunt threats within the network to identify and defeat attacks at an early stage. While there is no absolute assurance, the technologies, threat intelligence, advanced analytics and forensic expertise that we leverage as part of these efforts can provide a relatively high level of fidelity. You can gain confidence in the integrity of your networks and better protect your critical assets. BTW, as many detection capabilities are based on discerning anomalies, it makes sense to establish a clear baseline — so as to make sure you don’t already have an active or dormant malicious presence within your network, before you optimize your detection capabilities.

Q3. What are Sygnia's plans at the Black Hat Europe 2020 virtual event? What do you expect to highlight at the events?

At Black Hat Europe 2020, we plan on showcasing a heavyweight disruptive extortion attack, from both the attacker and defender perspectives, and presenting key lessons learned and insights from the frontlines of incident response during the COVID-19 era. Black Hat is also an opportunity for us to touch base with our friends in the industry and make sure we are on top of the latest in terms of security technologies.

COVID-19 has intensified the challenges of cyber. We have all taken war time risks in adapting to the new normal, and in many cases, security was affected. What we intend to do in our talk in Black Hat is to focus not on the risk, but rather on the opportunity - the silver lining. How can organizations leverage their control of their terrain, and the ability to emulate and simulate the attackers, to flip the asymmetry and improve resilience?

There is a unique opportunity to leverage these circumstances to make organizations even more secure — even as they become even more dependent on technology and expand their potential attack surface.

Jason Schmitt
General Manager, Synopsys Software Integrity Group


Q1. You took over as GM of Synopsys' Software Integrity Group a few months ago. What's your immediate priority in this role? Where do you see the biggest opportunity for growth in this segment?

My first priority in this role is to unlock the tremendous growth potential of the assets that we already have in the current Software Integrity Group. We are uniquely positioned in the market to be able to address any application security needs through products or services, for customers at any level of maturity, and at any scale. Our business has traditionally been very strong in large enterprise where we have great long-term customer relationships. Now with our global presence and strong corporate commitment to this business from Synopsys, we see an opportunity to expand into new market segments and geographies, as well as expand into security capabilities naturally adjacent to application security, such as DevSecOps, cloud security and threat and vulnerability management. Our software security consulting business in particular is an area where I expect to see significant growth in the next few years as we have built up a complete software security transformation competency. We have the ability to handle a customer from end-to-end on their security journey with a build-run-transfer approach tailored to the organization’s goals. We often start with them at the very beginnings of their app sec program with maturity assessments, move into strategy development and managed services, and over time transition them to operating a mature, highly capable security practice based on both Synopsys and partner products. On the product side of our portfolio, we enjoy stable growth in our code scanning and open source security business, and see significant upside around our DevSecOps capabilities and platform and believe cloud security will be a big growth area for us, as well.

Q2. How has the increase in remote work triggered by the COVID-19 pandemic impacted application security? What, if any, long-term impacts do you foresee as a result?

There are signs that COVID-19 is accelerating cloud adoption even more than in recent years due to the flexibility and automation requirements of a remote workforce and elastic, available-from-anywhere infrastructure. As public cloud infrastructure and SaaS services become the norm for most business processes, the architecture, composition and very definition of applications are changing rapidly and leading to a rethink of software security approaches. This architectural shift, much like the rapid adoption of open source and DevOps practices over the past 5-10 years, will have a lasting impact on the security market, as the security competencies and tools in most organizations will have to come to grips with cloud-native technologies, API-driven applications, rapid SaaS adoption, complex identity management and secure remote access needs that are not as well supported in most security solutions today. Most new application development today is made up of a collection of third-party services, APIs, microservices and cloud-native components and services orchestrated via cloud providers or managed orchestration platforms like Kubernetes. Configuration of these application environments is increasingly managed in code to take advantage of automated build and deploy pipelines to elastic infrastructure, so the dynamic nature of these systems makes it challenging to use conventional application security techniques to identify and prioritize risk. As a result, application security teams are losing visibility into the security of these systems, and this is challenging their processes and audit mindset. Application security will evolve away from a "scan and fix before release" mindset into a risk-based vulnerability management practice that seeks to embed automated security assurance deeply into the software build and delivery pipeline. Throughout the pipeline, orchestrated security services will automatically reinforce the policy guardrails to free developers from having to worry about how the application security tools work.

Q3. What does Synopsys plan to highlight at the Black Hat Europe 2020 virtual event?

We will be highlighting some of the most impactful findings from the latest release of the Building Security In Maturity Model, BSIMM11. As a resource which helps organizations evaluate and mature their software security initiatives, the BSIMM acts as a measuring stick to compare and contrast an organization’s current security activities with those of their peers in the broader BSIMM community. A data-driven model developed through the careful study of over 200 software security initiatives over the past decade, the BSIMM11 report is based on current, in-depth observations of the security initiatives of 130 organizations, primarily in 9 industry verticals including cloud, IoT, healthcare, and financial services. This year, the study revealed that organizations are shifting to DevSecOps, rather than just talking about it as was the case in previous years’ findings. This is the first real-world evidence of operationalizing DevSecOps practices, as software development teams are more proactively owning security requirements and building security into their infrastructure/configuration as code. We’re also seeing a cascading effect on how security practitioners will need to adjust to these new frameworks and technologies that are emerging quickly and already in use. The BSIMM provides our customers with a proven resource to benchmark their readiness for DevSecOps and a roadmap leading them into strategy development so that they may evolve from their current state into a mature and effective DevSecOps culture.
