Black Hat is returning to Asia for the first time since 2008, bringing together the brightest professionals and researchers in the security industry. Black Hat Asia will feature two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings, and a jam-packed Business Hall with companies showcasing the latest security tools, technologies and services. In this issue, Black Hat interviews two key participants at Black Hat Asia, Qualys and Juniper.
Wolfgang Kandek, chief technology officer at Qualys, talks about recently collected data and how 39% of the tested machines have critical vulnerabilities, while the top failing controls are password-related. Qualys is a Gold Sponsor of Black Hat Asia.
Q: Wolfgang, Qualys just received – for the fifth time – the highest rating possible in Gartner’s “Marketscope for Vulnerability Assessment” which rates the offerings of 11 vendors using the evaluation criteria of market responsiveness and track record, sales execution/pricing, offering strategy, product/service, overall viability, and customer experience. Are there any new initiatives at Qualys that would explain your receiving such an honor?
Wolfgang Kandek: As a cloud solution, QualysGuard provides customers with a reliable, accurate vulnerability management solution that is easy to deploy and manage, with no need for equipment or software updates. Over the years, we’ve invested in our platform, the QualysGuard Cloud Platform, so it has the scalability to support the complex needs of large global customers. At the same time, we can provide cost-effective, powerful solutions to small businesses. In addition to vulnerability management, we offer policy compliance, PCI compliance, Web application scanning, and a new Web application firewall – that can be used together in an integrated suite – with reporting across services. We also now offer an on-premise version as a private instance, for use by government agencies, MSPs, or other organizations requiring the solution within their data center.
Q: You have integrated your software with a number of solutions, in areas including SIEM, access management, IDS/IPS, and IT-GRC. How do customers benefit from these integrations?
Kandek: Integrations with third-party solutions allow customers to utilize the security intelligence gathered from their networks and Web applications with QualysGuard and use it within other security and compliance solutions to provide better context when analyzing attacks and threats in real time or doing data correlation and analysis. From the beginning, we put strong emphasis on providing extensible APIs as part of the QualysGuard platform to facilitate such integrations, and this has proven to be of huge benefit to our customers.
Q: Qualys collected data from over 1.4-million-user computer scans and their respective browsers, revealing that 39% of the tested machines have critical vulnerabilities. How did you collect this data, and what can people do to keep their browsers secure?
Kandek: Qualys has a free tool called BrowserCheck that people can use to quickly evaluate the security postures of their machines, including their browsers, operating systems, and applications. In just a few seconds, the tool performs a scan and presents a list of items scanned, providing “fix-it” buttons so users can update any items that are out of date. We pulled the data for browsers, and found that a large percentage of browsers – including the most popular browsers such as Chrome and Firefox – are not updated to the latest level, leaving them vulnerable to critical vulnerabilities. Fortunately, there is a simple solution. The vulnerabilities can be eliminated by updating to the latest versions of the software installed, and using a tool like BrowserCheck is a quick and easy way to do so.
Q: After analyzing more than five million scans by organizations worldwide, Qualys said that one of your key findings is that, while 13 out of the top 20 controls are password-related, the top failing controls are also password-related. How can that be … and what should enterprises learn from that bit of information? What should they be doing differently?
Kandek: Passwords are present in almost all of our information systems and are thus at the top of our list of things to control. When used well, they can be very effective at controlling access and protecting information. At the same time, our results show that they can be difficult to manage. But enterprises are taking steps to address the situation. By regularly scanning their infrastructure, they can map out where any issues occur and have the base data needed to establish processes for managing key controls.
Q: Qualys is a Gold Sponsor of Black Hat Asia. How do you plan to participate in the show … and why is the conference high on your list of marketing priorities? What will the top takeaways be for attendees who visit with Qualys at the show?
Kandek: Black Hat is known as the premier security research conference, and we are excited to see it back in Asia this year as our business in Asia continues to grow. It is an important show for us to hear about the latest security research, and to meet and interact with the world’s leading security experts and the show’s attendees, including many of our customers.
We invite attendees to join us at the Qualys booth to see our solutions in action. The QualysGuard Cloud Platform enables us to quickly roll out new solutions to existing customers, and we’ll be sharing our newest solutions, features, and initiatives, including our new continuous monitoring for the perimeter solution. We’ll have demos available, as well as Qualys subject matter experts there to answer any questions. So come by and see us at the show!
Greg Bunt, director of security, APAC at Juniper Networks, discusses managing multiple, geographically dispersed data centers, and enabling government agencies to use smartcard authentication on Apple iOS devices. Juniper Networks is a Diamond Sponsor of Black Hat Asia.
Q: Greg, just recently you unveiled a new architecture – what you call MetaFabric – to help enterprise organizations and service providers deal with the challenges of managing multiple, geographically dispersed data centers. What’s that all about and how does it accomplish that?
Greg Bunt: One of the big challenges for customers today is that network infrastructures are not agile enough to keep pace with new and emerging data center technologies, which prevents customers from fully capitalizing on the business potential of cloud, mobile, and Big Data. Gartner says that traditional network design practices do not adequately support the modern user and, to optimally serve the business, network architects need to shift their thinking from technology to users and business processes.
That’s why we launched MetaFabric, a new architecture for the next generation of cloud data centers that accelerates the deployment and delivery of applications across multiple data center locations. MetaFabric is designed to help enterprises and service providers address the challenges associated with managing multiple, geographically dispersed data centers. The architecture simplifies the network to improve performance and enable applications to be deployed quickly within and across multiple data center sites, accelerating time to value.
Essentially our vision is of a unified pool of network resources – whether they are within a single data center or across multiple locations – connected by a secure and scalable network fabric that seamlessly delivers all applications across global data centers. This will enable IT to deliver services and business applications with greater speed and reliability, thereby increasing IT efficiency, reducing costs and fostering new levels of performance.
MetaFabric is supported by a comprehensive portfolio of Juniper Networks switching, routing, orchestration, software-defined networking (SDN), and security solutions as well as technology partnerships. As it is based on open interfaces, however, MetaFabric can integrate with a broad range of third-party hardware and software solutions from leading technology vendors, helping protect investment in existing infrastructure while enabling organizations to adapt to the changing needs of the data center without the need to rip and replace existing infrastructures.
Q: I understand you are now partnering with Thursby Software to enable government agencies to use smartcard authentication on Apple iOS devices. Why is that significant … and what difficulties will such a solution overcome?
Bunt: As the adoption rate of mobile devices – particularly Apple iOS devices – in government has increased, the need for smartcard authentication for mobile devices has likewise grown. In fact, the use of smartcards as a means of authentication has been mandated and incorporated into service by many different federal and government agencies and ministries around the world.
Through the partnership with Thursby Software, Juniper Networks is the first and only VPN vendor to offer seamless and secure authentication for remote access to government networks from mobile devices via simple smartcards. We can enable government agencies to use smartcard authentication on Apple iOS devices. Through integration with Juniper Networks Junos Pulse Secure Access Service and Thursby's PKard software and card reader hardware, government employees can now use the same smartcards in use today for all levels of authentication – both physical and online – to connect to private or carrier mobile networks through their iPhones or iPads.
Q: A few months ago, Juniper won two awards at Interop Tokyo 2013 – the Best of Show Award special prize in the carrier/service provider networking category and the Best of Show Award grand prix in the ShowNet product category. What did Juniper do to receive those two honors?
Bunt: At Interop Tokyo 2013, the Juniper Networks PTX3000 Packet Transport Router received the Best of Show Award Special Prize in the Carrier/Service Provider Networking category, while our EX9208 Ethernet Switch, one of three switches within the EX9200 line of Ethernet switches, won the Best of Show Award Grand Prix in the ShowNet Product category.
Juniper Networks PTX3000 Packet Transport Router is a groundbreaking Converged Supercore that sets the benchmark for size, performance, and efficiency, addressing the infrastructure and energy barriers that service providers face in today’s networks.
The programmable, flexible, and scalable design of the EX9200 Ethernet Switches simplifies the deployment of cloud applications, server virtualization, and rich media collaboration tools in campus and data center core and aggregation environments.
As a recipient of the Grand Prix award within the ShowNet Product Category, the EX9208 Ethernet Switch was actually used to power the high-speed network for exhibitors and attendees of Interop Tokyo 2013.
Q: With Black Hat Asia coming up in Singapore in March, Juniper has signed on as a Diamond Sponsor. Why is participating in the show important to you – and what will be your focus there?
Bunt: We believe Black Hat’s return to Asia for the first time since 2008 reflects a major change in the geographical profile of the security landscape, with Asia now prominent as both a source of security threats and as an increasingly important market for security systems and services.
As an extension of the world’s premier information security conference, Black Hat Asia provides Juniper Networks with a unique opportunity to participate in an event that will bring together a lot of the key people involved in information security from Asian enterprises, government, and the wider technology community.
Obviously we’re planning to leverage the event to promote Juniper Networks’ latest security solutions, especially in the areas of the cloud, mobility, and data center. However, hearing from others about new trends and developments while networking with the community of security practitioners in Asia is equally important, if not more so. After all, there are always going to be security threats, but one way to combat them is by putting our heads together. Unity is strength!
Q: What will be the top takeaways for attendees who hear about Juniper at the conference?
Bunt: With the fast pace of technology evolution and companies dealing with mobility and cloud while also increasing their online presence, the traditional attack surfaces have broadened and created security vulnerabilities. This has created a challenge for IT as they try to balance their business agility with risk management. Organizations have either had to accept that security systems are a bottleneck or invest heavily in deploying sufficient security capacity to balance the throughput of the network as a whole, which is a difficult ongoing process.
Having access to security expertise is equally critical and, as events like Black Hat Asia demonstrate, the requisite skill sets don’t grow on trees and are constantly changing in the face of the evolving security landscape.
At Juniper Networks, we are committed to innovation that will ease the burden on IT to defend against known and unknown attacks. For example, we are helping customers identify and address modern-day cyber threats with our intrusion deception technology. Our DDoS technology is the only one that uses behavioral heuristics at the network and application level. We are at the forefront of innovation in security, delivering solutions from the device to the data center, even as security threats to a company’s critical data become more ubiquitous and the nature of the attacks becomes more diverse and harder to detect.
I want to add that we also believe that software-defined networking (SDN) is going to play a big role in addressing these issues. SDN will make it far easier to scale security capacity, on demand, to match workload demand. SDN represents the next development in security-as-a-service, with service providers and enterprises able to dynamically provision security services and scale services up and down on existing network infrastructure in a cost-efficient way.
By Paul Hyman
Paul is a technology writer and editor who has reported on the computer industry for over 15 years. Today he writes not only for Black Hat, UBM TechWeb, and IHS’ Electronics360.com but also for ACM (Association for Computing Machinery) News and CIO Insight, among others. He can be reached at firstname.lastname@example.org.