Q: FireEye recently added new security orchestration capabilities to its global threat management platform. What is security orchestration and why do enterprises need it?
Grady Summers: Two of the top things I hear from our customers is that, first, they're overwhelmed by alerts. Secondly, there just are not enough qualified resources to staff their security operations centers. Automation helps address both of these challenges. A well-orchestrated incident response process can automatically triage alerts so that your experts can spend time focusing on the alerts that really matter.
Q: FireEye's Mandiant Consulting gets called in a lot to investigate and mitigate security breaches. What would you say have been the biggest changes to incident response requirements over the past few years?
Summers: Attackers continue to get [stealthier] so our Mandiant experts must continually stay ahead of the game. It's a constant cat-and-mouse situation. However, since we're called in to work most of the large breaches around the globe, we tend to see advanced techniques early, which immediately inform our analytics and our FireEye products. It's a virtuous cycle. The biggest challenge to incident response is frankly more mundane though: most orgs just aren't collecting the right types of data until after they're breached—so we typically don't have the evidence we need to perform an investigation. For these reasons, we often recommend FireEye's PX, HX, or TAP products so that this critical evidence can be collected before a breach.
Q: FireEye has a pretty broad portfolio of security products and services. Is there a specific area or areas that you intend to focus on at Black Hat USA this year and why?
Summers: Ironically, a lot of my focus recently isn't on any one product or services, but the connective tissue that binds them all together—our platform. This means FireEye Security Orchestrator to coordinate between our products—and many third-party products—as well as our APIs so that customers can connect programmatically to all of our products. Having a broad and diverse platform like FireEye's is most valuable when all of the pieces talk to each other. We've made a lot of progress there, and our customers will hear more about this in the year to come.
Q: What are some of the limitations of current vulnerability assessment and management approaches and how exactly can cloud agent technologies like those from Qualys address these limitations?
Sumedh Thakar: Today vulnerability management is very much a periodic assessment based approach instead of being a continuous monitoring approach. Many organizations still do scans every week at best, if not every month. The threat actors don't wait for scan windows and approvals, they attack continuously. Cloud Agent technology eliminates the need for periodic assessment. The agent is continuously monitoring the device and updating the platform about latest vulnerabilities in real time.
This approach significantly reduces the effort and costs involved in performing traditional scans and deploying the infrastructure for that. Cloud Agents also eliminate the resistance when it comes to credential management needed for successful scans. Given that the agents are only a couple megabytes they are very lightweight and have minimal impact on the system. This new agent technology also enables customers to consolidate multiple point solutions into a single lightweight agent. Instead of deploying a different agent for each point solution, for example, vulnerability management, policy compliance assessment, asset inventory, FIM, patch deployment and IOC, can all be done with a single agent.
Q:You are a big proponent of SaaS and cloud computing. What do organizations need to understand or fail to get about the security implications of adopting these models?
Thakar: SaaS solutions today are very mature. They put a lot of focused attention on the security of the customer data. They also tend to be very transparent about their security measures to gain their customers trust. Lot of them tends to follow well-established standards since they have to be transparent. If an organization plans to do business with a solution like these, then they should ensure they have clear documented understanding from the vendor how their data is being secured. They should be periodically reviewed with the vendor. In cloud computing environments, the customers should put in place all security and compliance measures for the cloud as they would for their regular infrastructure. Many cloud and SaaS vendors are staring to offer private cloud versions of their platforms so organizations [that] have hard compliance requirements should check with the vendor for availability of such an option. SaaS and cloud computing greatly enhance [the] ability of organizations to be nimble and dynamic and scale with elastic cloud and should be embraced for significant cost saving after ensuring correct security and compliance measures are in place.
Q: Qualys researchers presented several key talks covering a broad range of issues at Black Hat USA 2015. What is the overriding theme to your messaging at Black
Thakar: Qualys' overriding theme is to focus on the basics, on making your infrastructure robust enough to survive the daily attacks that happen when you navigate the Internet. These attacks, paired with the increasing mobility that we see in our user base, mean that you can't trust your normal enterprise tools anymore, because your machines are as likely to be inside of your enterprise network as they are to be outside. Each machine has to be prepared to get through a normal working day. For the IT team this means knowing that a machine exists; having access to its base configuration; being able to audit configuration settings; and keeping track of vulnerabilities and their remediation.
That is a lot of work, but in our presentation we are showing how to prioritize by targeting the small subset of exploited vulnerabilities first, as they have the biggest ROI for any patching activity.
Q: RSA's threat detection and response platform recently received Common Criteria Certification. Why does that matter to your customers and to enterprises in general?
Zulfikar Ramzan: Common Criteria is a highly well regarded security certification that is required by the United States as well as over 20 national governments worldwide when seeking to procure commercial products. Common Criteria certification provides independent third-party assurance that RSA's products achieve a rigorous and technically demanding set of security criteria.
Along with achieving Common Criteria EAL 2+ certification, the latest release of RSA's Security Analytics threat detection and response platform also offers real-time behavioral analytics, leveraging sophisticated machine learning techniques to swiftly identify threats. RSA not only wants our customers to have confidence in the functionality our products provide to solve important security problems, but also to have confidence that our products themselves were soundly and securely designed.
Q: Tell us a little bit about the RSA Cybersecurity Poverty Index. What exactly should organizations be taking away from your research?
Ramzan: The RSA Cybersecurity Poverty Index is the result of an annual worldwide maturity self-assessment completed by organizations of all sizes across a variety of industry verticals and geographies. It provides organizations with an opportunity to personally reflect on their current capabilities and where they stand with respect to a variety of important criteria. More so, by completing the survey each year, organizations can track their own progress over time.
The 2016 Index reflects results from 878 respondents across 81 countries. Like our 2015 survey, this year's results clearly show that we have significant work to do to improve risk management and cybersecurity capabilities regardless of company size, geography, or industry vertical. Two important findings stand out from the wealth of data. First, the biggest weakness of surveyed organizations is the ability to measure, assess and mitigate cyber risk, which makes it difficult, if not impossible, to prioritize security activity and investment. Second, the survey demonstrates that organizations still overemphasize protection over detection and response, despite the overwhelming evidence that threat actors easily and routinely bypass prevention-oriented technologies. RSA believes that as organizations continue to be unhappy with their current state of affairs, they will use the cybersecurity poverty index as a vehicle for identifying what changes they need to make moving forward.
RSA encourages organizations to complete the survey and obtain a benchmark that can help plan for advancing their capabilities.
Q: How does RSA plan to use its presence at Black Hat USA this year? If there is one thing that you want attendees at the event to know about RSA's strategic focus and direction what would that be?
Ramzan: RSA has always been a leader in bringing technologies to market that address the threats that matter most to our customers. We're looking to achieve two overarching goals with our presence at Black Hat this year. First, we'll provide Black Hat attendees with information about the latest threats our Incident Response team and our customer practitioners have encountered. Second, we're looking to raise awareness about some of RSA's latest innovations for allowing organizations to rapidly identify, address, and eradicate threats to their environment.
If there is one piece of knowledge we want attendees to be armed with, it's that taking a reactive posture is the single biggest mistake organizations can make when it comes to addressing today's threats. Fortunately, by coupling a robust analytics platform with pervasive visibility into endpoint, packet, log and flow data, RSA dramatically simplifies life for analysts. Each day analysts are tasked with making mission critical decisions that protect their organizations from a wide array of existential threats. Our technology portfolio allows analysts to make those decisions with greater ease, speed, intelligence, and ultimately more confidence.
Q: Tomer, Gartner recently named SentinelOne a Visionary in its Magic Quadrant. What is it about your technology that put SentinelOne in that category?
Tomer Weingarten: SentinelOne was one of the first new entrants in years to a magic quadrant that was comprised only of the incumbent antivirus members. The ability to bring a completely new and disruptive approach to a space that has not changed in a very long time has definitely helped position us as Visionaries. Moreover, our core behavioral-based detection engine has proven time and time again that it is by far the most effective approach in dealing with advanced threats compared to other technologies out there. Couple this with the fact that Gartner noted we were the only vendor in the entire MQ research that unified next generation detection abilities (EDR) into a complete protection (EPP) suite - making SentinelOne the first ever all-in-one suite.
Q: Jeremiah, you recently left WhiteHat Security, a company you founded 15 years ago. What is your mission, what are your priorities as the new chief security strategy officer at SentinelOne?
Jeremiah Grossman: The malware space has been an area of personal interest for a long time, mostly because I always follow what our adversaries are up to. And typically after an adversary exploits a software vulnerability, they install malware on the compromised endpoint. For defenders, keeping systems malware free is an extremely difficult and escalating battle — one in which the security industry is not winning.
As Chief Security Strategy Officer, my role is as the name implies. Possess a deep understanding of the malware threat landscape, understand the particular needs of the customer, and design technological and business defense strategies to help solve the problem. Then take what we learn at SentinelOne, what works and what doesn't, and share the knowledge with the world! This is how we all best improve our defenses and turn things around.
Q: Jeremiah, is anti-virus technology really dead, as some have argued, or has it just morphed into something different?
Jeremiah Grossman: I think so, have said so, but in my experience discussing form this point of view, it only leads to a semantic debate. Avoiding that, one thing everyone seems to agree upon is that using malware signature as a primary means of detection is either long dead or largely unreliable. What all anti-malware vendors are moving their products towards, and some are further along than others, is behavioral-based detection. Behavioral detection algorithmically scores what could potentially be malware by monitoring what the binary application does during execution. At run-time, malware has distinctively unique characteristics from benign software.
If you want to call this style of malware protection ‘anti-virus,' fine. I won't argue, but it's probably not the most accurate or descriptive. My preference is next-gen endpoint protection (Next-Gen EPP), as the term captures a more complete and modern set of functionality that's necessary to stop today's forms of malware.
Q: Tomer, what do you want attendees at Black Hat USA to understand about next generation endpoint security?
Tomer Weingarten: First attendees should understand there is now a very viable alternative to antivirus. Like any technology it's not a magic bullet, but should be viewed as a significant leap from the static-based engines that organizations have used for decades. There's also a lot of noise and different definitions to what is next generation endpoint protection, and its important to highlight that true next generation endpoint security must include the entire gamut of functionality - from prevention, through detection, remediation and finally endpoint visibility, and also has to be able to deal with the most advanced attacks out there and cover all different attack vectors - malware, exploits, file-less attacks and script based attacks. If you don't have these capabilities, you might be exposed to certain threat vectors - so it's imperative to understand which coverage you're getting, and for what.
