Bill Taylor, Vice President and General Manager, LogRhythm APJ talks about the importance of security analytics and the need for organizations to develop capabilities for detecting and responding to breaches.
Q: Bill, recent mega breaches have focused attention on the need for improved threat detection and response capabilities at many organizations. What role does security analytics have in enabling this capability?
Bill Taylor: Security infrastructure put in place at many organizations collect a large amount of data. From security logs to network packets, there is a need to analyze [this] data in a timely manner to identify and respond to a breach. That is the key role that security analytics plays in the next level for threat detection and response capabilities.
We don't see security analytics entirely different from next generation SIEM, especially in the case of LogRhythm's Security Intelligence Platform, which has capabilities for collecting security data from multiple sources. Detection is not based on signatures or static correlation rules but on dynamic comparisons to normal baseline behaviors for individuals or groups that have similar job functionality and requirements.
Q: Technologies like the LogRhythm 7 platform announced last October can help organizations reduce the mean time to detect and the mean time to respond to security incidents. Can such technologies get us to a point where enterprises can reliably predict a security event before it happens? Why or why not?
Taylor: It is a cat and mouse game. As we improve, they find new ways to beat the system and we find new ways to detect and stop them. It is difficult to say if we can reliably predict a security event before it happens in the future but I would like to think we are heading in the right direction.
At the moment, we are focused on educating organizations that the threat landscape is not static and it continuously evolves. That way, we can move away from purely just building walls to stop breaches, to installing sentries that will be able to detect these intrusions as soon as the walls are breached, responding to them and reducing the damage the perpetrator can do. As long as organizations understand that, then we will see the right investment being made into security analytics. Hopefully, we will come to a stage where we have enough means to predict what's going to come next.
Q: LogRhythm is sponsoring a presentation on rapid threat containment at Black Hat Asia 2016. What is the main focus of the presentation? What are some of the main takeaways for enterprise customers?
Taylor: Our main focus is on the new and evolved ransomware threat. We will be giving the audience a technical overview of how these schemes function and how they can be spotted and responded to early enough in the threat lifecycle to severely limit the potential damage. We will also share a framework to help you better protect your organization in the face of this looming menace. Participants of this session can expect to learn what are the early indicators of ransomware, what automated defenses they can use to thwart the attacks and steps that must be followed to make a molehill out of the possible mountain.
Matt Alderman, Vice President of Strategy at Tenable Network Security discusses the nature of the shadow IT threat and the need for organizations to have continuous visibility across IT networks and systems in order to address it.
Q: Tenable recently announced a product to help organizations manage unknown and shadow assets on their networks. What exactly is it that they need to understand about the nature and scope of the issue? Is there a tendency among enterprises to underestimate the security threats posed by such shadow assets?
Matt Alderman: Unknown and shadow assets are one of the biggest challenges organizations face today in our rapidly evolving technology landscape. The adoption of cloud services, mobile devices, and the Internet of Things is only making that challenge worse. Organizations can't protect these new devices if they don't know they are on their network, let alone protect other critical assets from these new potential attack vectors.
Not all unknown or shadow assets are bad, but not understanding what's on your network or where your data resides does expose an organization to potential exposure and loss. Most organizations do not have a good inventory of these assets; therefore total exposure is underestimated.
Q: How specifically does your Unknown and Shadow Assets technology help address these issues?
Alderman: Organizations need to achieve continuous visibility across all systems and devices. Visibility is not just about periodic scans; it's a full-time endeavor. Attackers are attempting to penetrate networks constantly, thus requiring a complete inventory of all devices and applications – including rogue devices, shadow IT, and virtual systems. Our passive listening capabilities augment our traditional scanning capabilities to provide a comprehensive inventory of these assets.
Q: Tenable is sponsoring a technical session at Black Hat Asia 2016 on how organizations should be looking for and monitoring for early indicators of a security breach. Why has this become such a pressing need?
Alderman: Organizations need to be more proactive with their security processes. Attackers are learning new tricks all the time; network monitoring must be a constant activity to stay one step ahead of the attackers. By proactively monitoring your network for anomalous activity against your baseline, organizations can spot a potential compromise, learn from it, and quickly respond to stop a breach and cripple the attackers.
Wolfgang Kandek, Chief Technology Officer of Qualys explains how his Laws of Vulnerabilities 2.0 have evolved since 2009 and how organizations need to evolve their security strategies to keep pace with the new realities of cloud computing.
Q: Wolfgang, back in 2009 your ‘Laws of Vulnerabilities 2.0' report examined four distinct and quantifiable attributes of the vulnerability lifecycle: Half-Life, Prevalence, Persistence and Exploitation. Seven years later what has changed?
Wolfgang Kandek: A lot has changed. We now have 4 times more customers than in 2009. This shows how many companies have become aware that the right solution for security starts with fundamental measures such as maintaining computers updated and free of vulnerabilities. Since 2009 for example PCI has clarified that vulnerabilities need to be addressed within 30 days, while other organizations promote even quicker turnaround in that space. Our most advanced customers now reach under 7 days for critical patches.
Q: You recently predicted that automated patching would come to the IoT environment in 2016. Why is this important for enterprises? Why should they care about the availability of more efficient patching processes for fitness trackers and other Internet-enabled consumer devices?
Kandek: IoT has multiple impacts on enterprises. Building automation is a reality right now. A friend of mine recently moved his company into a new building and found 1300 devices active in the building - before moving in a single computer. Even worse these devices, temperature sensors, door openers, light switches were sharing the same network as the normal office computers. A vulnerability in these devices would then allow an attacker to use them as an entry point to the enterprise network, ideally positioned to steal data, financials, part drawings or PPI.
The second vector you mention, consumer devices is probably even more difficult to control. Your users are going to bring multiple network devices into your company [containing] vulnerabilities that would allow an attacker to access the network that these devices are on. Automatic updates by the IoT vendors will help, but we cannot depend on the vendors alone.
Q: Qualys is a Platinum sponsor of Black Hat Asia 2016. What do you hope your customers and other enterprise will be able to take away from your presence there?
Kandek: We have worked hard in adapting our offerings to the cloud architecture that is the future of computing. We think that enterprise computing will follow personal computing into the cloud and be implemented on a model that has only endpoints, virtual servers and the Internet as a connecting layer. Such architecture promotes mobility and allows employees to be always connected and productive. But it also means that we cannot depend on traditional means for security. Companies will have to adapt to this new model and need to look for security tools that were developed for this Internet use. Tools have to function as soon as a machine enters the network, server or end-point and have to be capable to deal with the 10x increase in data that we are projecting over the next 5 years. I am looking forward to discuss these challenges with the BH Asia visitors.
Etay Maor, Executive Security Advisor at IBM Security talks about how intelligence driven security can help organizations enable greater cybersecurity preparedness.
Q: IBM has recently been advocating an intelligence-driven fraud protection and life cycle management approach for maintaining an effective defense posture against online fraud. What's driving the need for an intelligence-driven approach?
Etay Maor: Today's fraud prevention products lack from two major flaws: a silo approach and the lack of real time threat intelligence. The silo approach is visible when analyzing today's security products and realizing that there are many good security solutions but those solutions don't communicate and share data. On average - a business will have over 80 different security products from over 40 vendors! Cybercriminals look for those gaps in communication and threat sharing and take advantage of them.
The second big factor is real time threat intelligence. By protecting over 170M end points, we not only keep our customers safe but we have a huge global network of sensors for new and emerging threats. This allows us to understand the current threat landscape and react very fast.
Q: What specific shortcomings in today's fraud prevention products does an intelligence-driven approach address?
Maor: One of the key factors driving the need for intelligence driven security is the fact that cybercriminals DO share data and move very quickly. Long gone are the days we could settle for a solution that would be updated with new algorithms every quarter. We have to move just as fast, and even faster, than our adversaries. We have to make sure that we have a holistic solution, one that has all of its layers communicating and sharing information, providing protection to that specific customer but also contributing knowledge to a global threat intelligence database. Global, real time threat data that helps protect clients while not adding overhead to the security team or burdening the end user.
Q: IBM recently announced its plans to acquire Resilient Systems. How will the acquisition help IBM customers?
Maor: The acquisition of Resilient Systems will advance IBM Security's strategy to help organizations succeed in an era of escalating cyberattacks. Adding Resilient Systems to the IBM Security team unites Security Operations and Incident Response to help customers prevent, detect, and respond to threats. Resilient Systems allows security teams to orchestrate response processes, and resolve incidents faster, more effectively, and more intelligently. Resilient Systems is built to integrate with IBM Security's QRadar and other IBM and third-party solutions to ensure organizations of all sizes can successfully resolve attacks.