Q: Cylance was recently named a Distinguished Vendor of the TAG Cyber Initiative. What exactly is the initiative all about, and what is Cylance's role in it?
Jon Miller: The TAG Cyber Initiative is a group focused on aggregating and providing intelligence back into enterprises and their teams. The information security industry has to evolve quicker than the adversaries that are attacking us daily. Due to this fact, it's almost impossible for teams to stay up to date on threats, attacker techniques, and the new technologies that are coming on the market everyday. Cylance was named as a Distinguished Vendor due to our product's ability to detect and stop next-generation threats before they run on the system, a large deviation from the industry's mantra that attacks are going to happen, and enterprises should focus on detecting and remediating after the breach has already occurred.
Q: As a vendor of an artificial intelligence based malware detection system, what is your organization's view of the role of traditional signature-based malware detection tools?
Miller: Signatures were great… twenty years ago. With the rise of polymorphic malware, attackers have realized it's trivial to ‘mutate' malware to quickly and easily avoid signature-based detection. It's become obvious that we need an evolutionary step in the core engines that are used to detect and protect against threats. Cylance was the first company to build a 100% machine learning based anti-malware solution. We have been able to deliver efficacy against not only the known threats that signature-based technologies have been previously blocking, but the unknown threats as well, regardless of where the threat is introduced to the system, or if it's been used on 1,000 hosts, or used solely in one attack. Our core engine works differently than every other legacy product as well as the other vendors in the ‘Next-Gen Endpoint' space.
Q: Cylance is a Diamond sponsor at Black Hat Europe 2016. What do you want people at the event to know about next-generation advanced threat protection technologies such as those offered by your company?
Miller: We want people to know that they should try it, test it, and believe for themselves. It's easy to talk about how good something is, but the real proof is shown on customer's networks. It's easy to get swayed by third parties, but using a product is the only true way to know its effectiveness. Cylance is more than happy to provide a no-limit evaluation license for our product, allowing customers to deploy in their live environments, or if they prefer, in lab environments. I can't say that our product is perfect, but it performs head and shoulders above the competition, not only in efficacy, but also with a lower impact to system performance. Our product is the first industry certified antivirus replacement, providing unique protection capabilities that don't exist yet in competing products, such as the ability to stop script-based attacks, or to run servers in whitelisting mode.
Bob Anderson
Managing Director and Global Information Security Lead
Navigant
Benjamin Donnachie
Associate Director and UK Cyber Forensics Lead
Navigant
Q: Bob, as a practice leader for Navigant's Global Legal Technology Solutions what, in your opinion, is the biggest challenge that organizations face when it comes to protecting proprietary data and trade secrets? How is Navigant helping them address those challenge?
Bob Anderson: Insider Threat combined with modern technology that enables the insider the ability to ex-fill data rapidly and send it anywhere in the world in seconds.
We offer several different services where we look at the companies' IT, Information Security Program and their Insider Threat program holistically. Looking for ways to reduce the companies risk.
Q: Benjamin, how do you see the move to cloud infrastructures and services impacting an organization's ability to do ediscovery and forensics?
Benjamin Donnachie: The move to cloud infrastructure is certainly impacting upon organization's ability to perform e-Discovery and forensics. Often we are discovering that the information we need for an investigation is not retained by the cloud provider or simply not available. When choosing to move services to the cloud, organizations need to ensure that not only is the service secure but also that they have the capability to respond in the event of a cyber incident; whether that is investigating it themselves or giving you appropriate access to investigate. Also ensuring that you test this capability [is important]; many organizations regularly penetration test cloud services but very few test their incident readiness.
Q: Bob, how are you leveraging your experience as a former national security executive with the FBI in helping Navigant customers deal with cyber threat threats and protect their business?
Bob Anderson: My background enables me to look at the situation from many different angles. Nation States, Hacktivist, Criminal Organizations and the Lone Wolf. This is also is combined with 30 years of real life investigations and bad guys to compare the attack the client is having. It allows us to get to the point where we can help the client faster and more economically.
Q: Benjamin, why is being at Black Hat important for Navigant? What is your main message for people at the event?
Benjamin Donnachie: Black Hat is important to Navigant as we have a very strong cyber breach team, working closely with the major insurance providers globally, and with Bob Anderson joining as our practice lead we are expanding rapidly with our proactive service offerings. My main message for people at the event is not to judge the success of your cyber defenses by the amount you invest in products – it is important that you have the right people, policies and procedures to support your organization.
Q: What do enterprises need to understand about threat prioritization for vulnerability management? Why has that become so important?
Darron Gibbard: No IT department, not even the largest ones, has enough staff to fix all the vulnerabilities within their IT environment, especially with the dearth of infosec professionals in the industry. Consequently, organizations must prioritize their remediation work by identifying their most critical vulnerabilities and fixing those first.
There are three factors enterprises need to understand about threat prioritization.
First, visibility is critical. Enterprises must be able to detect all of their IT assets across their on-premises IT systems, mobile devices and public, private and hybrid cloud instances. Without a comprehensive and continually updated inventory of IT assets, an organization can't expect to properly prioritize the remediation of its most critical vulnerabilities.
Second, automated correlation of the thousands of disclosed vulnerabilities against an organization's IT asset inventory is key. It's impossible to do this manually, given the fact that new vulnerabilities are disclosed every day, and that the level of risk associated with a particular vulnerability can suddenly change months or years after its disclosure if, for example, it's packaged in an exploit kit.
This continuous correlation process gives infosec teams a clear view at all times of all the vulnerabilities impacting their IT assets. Many organizations lack this clarity. According to Verizon's Data Breach Investigation Report for 2016, the top ten known vulnerabilities accounted for 85 percent of successful breaches, although patches were available for all of them.
Finally, once an organization has a complete inventory of IT assets and it has identified their vulnerabilities, it can assess where the highest risks to its business lie, using a variety of criteria, such as: the severity of the vulnerability, how many people within the organization would be affected if it's exploited, and the support requirement for deploying the relevant patches for it.
In short, if enterprises can understand where the highest risk lies within their environments at any given time, they will shrink the possibilities of suffering a successful attack by addressing those threats first.
Q: What do C-level executives want to know about vulnerability management reporting?
Gibbard: Humans are inherently visual. For those who are not technically savvy, like some C-level executives, a good dashboard or visualization around security preparedness can help bridge gaps and secure support over time. Visualizations also make it easier to explain complex scenarios, prioritize where efforts should go, and display how effective those actions have been over time. C-level executives often want to know what threats they face and which are being addressed. Visualization also makes it easier to show these results both internally within the IT department and to other stakeholders within the business.
C-level executives are also concerned with the overall strategy and how remediation efforts are trending towards achieving those goals. In a constantly changing landscape of threats that can lead to breaches, bad press, lawsuits and more, infosec teams need to constantly keep the executive team updated on current and evolving strategies to secure enterprises from rootkits, ransomware and such. By correlating continuous external threat data with asset inventories, security teams can better report prioritization strategies and the progress towards achieving the goals of those strategies.
For C-level executives, the regulation and compliance landscape is another key priority. For example, all companies and public sector bodies will have to implement data protection policies that comply with the General Data Protection Regulation (GDPR), which goes into effect across all European Union member states in May 2018. The rules here govern all organizations that hold customer data for European citizens, so almost all companies will have to conform to GDPR.
Q: Why is being at Black Hat Europe important for Qualys?
Gibbard: 2016 is the year of the platform for Qualys. We've transitioned from being a leader in cloud-based security and vulnerability management to becoming a leading cloud-based platform provider of integrated solutions across IT security and compliance.
Qualys has integrated 10 security and compliance applications into one platform, and this simplifies the management of IT security and compliance. We've added new compliance tools like Security Assessment Questionnaire, which helps companies ensure their third-party supply chains and partner ecosystems are as secure as their own environments. European companies which must comply with privacy and geographic regulations may be interested to know that our Private Cloud Platform (PCP) family of self-contained, pre-configured appliances offers the security and compliance services of the public cloud Qualys Cloud Platform within a customer's or partner's data center, keeping sensitive data on-premises. Our newest addition to this family of products is the PCP-A, designed for medium-size companies.
We're also excited for the conference because as compliance becomes an important issue for European companies, we're uniquely equipped to help them handle these requirements in the age of cloud computing. Our cloud-based architecture allows companies to better track their assets and vulnerabilities on premises, in the cloud and on endpoints. For instance, the goal of GDPR is customer data protection, but if companies can simply manage vulnerabilities across the assets, which hold this data, they come a long way towards both maintaining the necessary security posture and achieving the end goal of these regulations.
Q: Why has threat hunting become such a critical capability for enterprises to have?
Mark Orlando: Investments in defenses that aren't fully integrated, utilized by skilled defenders, or prioritized by the business are wasted. Unfortunately this is the current state of most security programs, where organizations rely primarily on automated tools to keep them safe from attacks.
In order to keep pace with sophisticated attackers, our defensive measures must be equally as creative, empowered, and proactive. Adopting a proactive hunting approach means that your defenses are informed by, and can quickly adapt to, a persistent adversary not bound by time or organizational constraints. This approach requires highly trained staff capable of researching and understanding the threats combined with a dynamic security infrastructure used to capitalize on that understanding.
Q: What do organizations need to understand about highly targeted attacks and how to look for and protect against them?
Orlando: A motivated adversary has researched your business and your defenses and is not bound by the same organizational constraints as your defenders. Waiting for automated tools to identify these adversaries, or failing to prioritize network defense as a business, invites these threats into your environment. The best we can hope for is to identify intrusions when they inevitably occur and contain them as rapidly as possible.
To do this requires an understanding of how attackers work: how they conduct reconnaissance, exploit a target, move laterally, and go after sensitive processes, users, or data. We must then apply this understanding in an environment where we can observe these tactics and techniques. Our observations as defenders, and successful identification of intrusions, must then inform a comprehensive and layered defense; it's a highly cyclical process. Only by investing wisely and fielding in this kind of layered, flexible, and capable defense can organizations make themselves a more challenging target.
Q: It's been a year since Raytheon acquired Foreground Security. What do you want attendees at Black Hat Europe 2016 to know about the combined entity and the capabilities it delivers in the cybersecurity space?
Orlando: In many acquisitions, the acquired company quickly loses the mindshare and innovation that made it so special in the first place. Raytheon has not only put a premium on Foreground Security's unique approach and culture, but it has also made Foreground offerings the centerpiece of its security services roadmap. Raytheon will promote and continue Foreground's leadership in the space – not stifle it. This focus, combined with Raytheon's unrivaled investment and innovation in cyber security over the last several years, is going to bring lots of new and exciting capabilities into the space.
