Q1. How does Proofpoint's recently released PCASB, 360 Degree Email Fraud Protection, Threat Response Auto-Pull Abuse Mailbox Monitoring, and Executive and Location Threat Monitoring services help organizations address people-centric risks? Can technology really help address the risks caused by the human factor?
Absolutely, advanced security technology coupled with effective security awareness training is the strongest defense organizations have when it comes to stopping today's increasingly specialized, socially engineered attacks. Our recent releases emphasize our relentless focus on enabling organizations to safeguard their greatest vulnerability—their people—by preventing, defending, and responding to threats across an ever-changing landscape. This has never been more critical: more than 99% of all the targeted attacks we see rely on the user to activate them, whether that involves clicking on a macro, typing a password into a phishing site, or simply sending data to a BEC actor.
Every single organization has people who are targeted by attackers, but unlike security teams, cybercriminals aren't focused on infrastructure and don't view the world in terms of a network diagram. Instead, they do care about identifying who in your company has access to the information they want and are laser-focused on targeting them directly through email, cloud apps, and social media channels. The truth is attackers often know more about the employees than the security team does.
No matter what your security architecture looks like, attackers are adept at using two of the most powerful information tools of our era—LinkedIn and Google—to conduct reconnaissance on potential individuals to target. It's a much more effective, easier path for them to navigate.
Our recent releases help organizations keep their critical communication channels safe. For example, our Proofpoint Cloud App Security Broker (PCASB) solution enables security teams to deploy cloud applications with confidence (and avoid advanced threats, accidental sharing of sensitive data, and compliance risks). The enhanced Proofpoint 360 Degree Email Fraud Protection protects employees, customers, and partners from all forms of email fraud from a single portal. Our new abuse mailbox monitoring provides rapid automated analysis and response for emails that users flag as potentially malicious (all automated). And our executive/location monitoring solution reaches deep into the dark web and social media world to provide security teams with visibility into physical and cyber threats for their most high profile and targeted users. Finally, our TAP Isolation solution, announced here at Black Hat, is an excellent additional control to protect highly targeted and risky users from malware, phishing, and data loss.
Q2. Why does email continue to be the top attack vector of choice for cybercriminals? What is it that organizations are failing to understand about the nature of the threat?
Cybercriminals follow the money— and the percentage of people who regularly use email is very high. Email attacks are still the easiest way to directly target their intended victims to click and bypass traditional security measures, and this remains the case for all types of attackers. Everyone from low sophistication BEC groups up to APT actors are running phishing campaigns to get the initial compromises they need to pursue other actions.
In scale terms, email attacks continue to represent a massive percentage of the threat landscape simply because they work, are cheap to run, and clearly result in serious paydays for criminals. In addition to more technically complex email attacks, simple email fraud attacks can simply trick individuals into wiring money or sending sensitive data, and involve no more sophisticated techniques than email spoofing and classic credential phishing.
Ultimately attackers are focused on people, not the network. It's imperative that organizations use their security budget on their biggest challenge and most vulnerable communication channel, which is email. While the network, web security, and endpoints are all important, studies have shown that email continues to be the vector of choice for attackers.
Most security professionals are trained to approach security with the IP address at the center of their world. And the industry reflects that, defenders are confident dealing with networks and endpoints, which is why more than 60% of IT budgets are focused on the network (according to Gartner Research). Unfortunately, attackers don't care about any of that and when the largest data breaches are investigated, it's clear that email is the most lucrative path.
Q3. What do you want attendees at Black Hat USA 2018 to know about Proofpoint's strategy for addressing new and evolving trends in your market space?
Threat actors are increasingly targeting people, not infrastructure, and the move to the cloud is changing the way organizations need to protect themselves. We give you visibility into who your most targeted users are, and help you protect your people, data, and the users themselves against advanced threats and compliance risks. If your organization is struggling with phishing attacks, BEC, or understanding the threat actors you're up against, we would welcome a chance to help – we provide that protection to more than 60% of the Fortune 100, but security outcomes improve for organizations of all sizes when they better protect their #1 threat vector.
Q1. Brian, ReliaQuest's co-management security services, depends to a large extent on your company's ability to recruit highly skilled security staff. What's your strategy for finding and recruiting the expertise you need to deliver your range of enterprise security services?
ReliaQuest has industry-leading growth and retention rates of both customers and RQ team members. The secret to our success is our commitment to developing talent ahead of demand through ReliaQuest University (RQU). From our advanced curriculum that simulates actual environments and scenarios to provide meaningful context that speeds up the learning process, to our investment in ReliaQuest University's Leadership Academy that enables our organization to create technical and team leadership opportunities for our employees, RQU provides a wealth of career growth potential. Our full-time instructional designers work across the ReliaQuest ecosystem of team members, partners, and customers to create a capability where we can take individuals that have all the intangible skills and give them the practical training needed to develop our own talent. We do this at every level of the organization, therefore enabling us to scale without being concerned about our workforce keeping up.
There is a well-documented shortage of trained cyber security professionals to fill jobs worldwide, but there is no shortage of people that have the talent and would love to work in the industry. ReliaQuest has invested millions of dollars and years of time to give that large group of people an opportunity to be a part of a great industry. Our investment in innovation also drives our retention rates by automating the security operations process at every step of the way, creating proprietary technology that removes low value-add, time-consuming work. In turn, this frees up our people to do the more interesting and valuable analysis, development, etc. that keeps them engaged and excited to learn, while delivering best-in-class outcomes for our customers that result in high customer retention rates. This commitment to automation and training and development proves that you can create a great environment for people to work while also growing a business that provides significant value to a talented customer base.
Q2. Joe, talk to us about ReliaQuest's Cyber Simulator and why it matters for your employees and for customers?
The Cyber Simulator is an extremely critical part of our training program. We originally designed it for training our analysts and engineers in a real-world environment that mimicked a typical corporate environment. We included a mix of security technologies such as firewalls, IDS/IPS, WAF and antimalware software as well as the traditional enterprise servers. We also simulated a user environment with a mix of various operating systems and applications. Once we got the actual environment set up, we intentionally made some of the servers and workstations vulnerable so we could run automated attacks created by our Red Team. These attacks would then create logs for the variety of security technologies (SIEM, EDR, UEBA, etc.) and generate alerts that the students could train against, therefore speeding up the time to learn.
Creating an environment that our employees could practice in based on realistic events proved to be a game changer in how prepared they were coming out of training. It drastically shortened the time to get an analyst or engineer ready to work in real customer environments. Since the Simulator contains such a wide variety of offensive and defensive tools and applications, we also use it as a demo environment to show customers how a particular technology should be optimized or holds up against real Red Team exercises. Once we got the Simulator tuned with feedback from our training department, we also started allowing customers to attend some of our training classes free of charge. The reason why we offer the training for free is because it significantly helps our team when working with the customer if everyone is speaking the same language and trained on the same Incident Response procedures.
Q3. Brian, what's driving demand for services such as those that ReliaQuest offers? What impact do you foresee automation and AI having in this space?
The demand for our services is driven by our ability to work with our customer's team to deliver consistent and reliable security outcomes while planning and executing a path to evolve the customer's security capability, ultimately being able to reduce risk and deliver value to the larger organization over and above security. We work with our customers to make sure they are demonstrating the true value of the work they are doing, from the Board of Directors down, in a way that is easy for the organization as a whole to understand.
At ReliaQuest, automation, machine learning, and AI have been developed and deployed successfully, solving problems at scale at the enterprise level. Our success is driven by millions of dollars of investments made to automate and enhance the security operations process in a way that can be individualized for each customer. Our solutions allow the customer to maximize the ROI on the security tools it already owns, tailored to fit the organization's current architecture, all done alongside its internal security team in its own actual environment.
We don't sell the customer a platform, create and forward tickets, or manage point technologies. We work with the customer to make them their own security platform. We have successfully automated: our cyber analysis process, the health and performance management of point technologies in the customer environment, the separation of actionable vs. non-actionable security information improving ROI on security tools, purpose-driven hunting capabilities, etc., all without requiring the customers to send their data offsite.
Q4. Joe, what are ReliaQuest's plans at Black Hat USA 2018? Why is it important for your company to be there at the event?
Black Hat is an extremely important conference for us. It is one of only a few events each year that we get to interact with such a large population of the security community, whether it's prospects, existing customers, or other attendees and researchers interested in the same areas of security we are in. There are many teams from ReliaQuest that attend with different agendas, but the most important aspect of the conference is the opportunity to share, learn and work closer to the industry as a whole. It provides us a chance to get together in person with our existing customers, either for our Customer Advisory Boards or just to socialize with everyone in the relaxing environment that is Las Vegas! Additionally, our presence at the conference allows for our researchers to see what new security projects or issues have been happening over the past year, and what areas we can expect to see gain relevance in the coming months. Black Hat is also very helpful in providing an environment that we can meet with prospective clients where everyone is already in the security mindset.
There are many events every year that ReliaQuest attends, each with their own focus and expected outcomes. Black Hat is one of the major ones that we use as an opportunity to strengthen our existing and prospective customer relationships, as well as gain a ton of knowledge on innovative security projects or research in a wide variety of areas in security.
Q1. What impact is the broadening adoption of DevOps and CI/CD practices having on application security testing?
The adoption of DevOps and CI/CD means that development velocity is increasing rapidly. Software companies are breaking down organizational silos and embracing automated tooling to push code changes through the pipeline from the developer's desktop to production at a nearly continuous pace. This enables organizations to iterate and experiment with different features, collect and respond to feedback quickly, and ultimately deliver more value to customers, faster.
One side effect of this paradigm shift is that it shrinks the window for security testing. Since code integration, QA testing, and sometimes even deployment activities are being automated, manual security tests that take days or weeks to perform are simply too slow. In addition to speed, the frequency of application security testing needs to match the cadence of code changes, which is often measured in hours or days as opposed to weeks or months. A few vulnerable lines of code can have a major impact on the overall security posture of an application, so securing a continuously changing application requires continuous security testing.
Application security needs to adapt and evolve to stay relevant. Security testing tools needs to be automated and integrated into the CI/CD pipeline, and they need to be distributed across the various stages of the SDLC—particularly early on, such as while developers are coding in their IDE or when they commit changes. This creates a tighter feedback loop and allows developers to proactively catch vulnerabilities before they make it into the pipeline.
Q2. What is your company's approach to helping enterprise integrate security practices into the SDLC, especially in modern development (DevOps, CI/CD) environments?
Synopsys has a unique approach to application security. We provide a portfolio of industry-leading tools, services and programs to help customers build security and quality into their software development processes, minimizing risks while maximizing speed and productivity.
From a technology standpoint, our solutions address three critical components of application security: 1) secure the proprietary code you write with static analysis; 2) secure the open source code you're building on top of with software composition analysis; and 3) secure your application's behavior and business logic with dynamic and interactive application security testing.
From a delivery standpoint, our security testing solutions can be deployed as automated tools integrated into the CI/CD pipeline or as managed services for customers that require flexibility and scalability. Our professional services offerings focus on helping customers build secure software development programs and augmenting application security efforts with activities that cannot be automated, such as architectural risk analysis and threat modeling.
Q3. What do you want attendees at Black Hat USA 2018 to know about Synopsys' range of software integrity services?
The message we want the Black Hat community to come away with is that Synopsys enables organizations to build secure, high quality software faster. When it comes to software development, security does not need to be an obstacle—it can and should be an enabler of innovation and agility.
