Interviews | June 1, 2018

Black Hat USA Platinum Plus Sponsor Interviews: AlienVault, Bromium, Carbon Black, ESET


Russell Spitler
Senior Vice President, Product
AlienVault

Q1. A recent study by analyst firm Forrester Research found AlienVault's USM can help organizations reduce time to detect threats by as much as 80%. What is it about AlienVault's approach to threat detection that enables this?

AlienVault is able to deliver threat detection that is 80% more efficient because it puts the threat first, not the technology. Most vendors stretch to make a single threat detection technology cover as much as possible - whether it is log analysis, network IDS, EDR, or vulnerability assessment - each vendor is trying to cover all potential threats with a single technology. At AlienVault we focus on the threat. Instead of asking "how can our technology detect this threat?" we ask "what technology do we need to detect this threat?" Our USM platform comes with not only the security analytics required to piece together complex behavior but also the basic technologies needed to gather the initial indicators of an attack. Having log analysis, network IDS, endpoint visibility and a rich asset inventory system built into a unified platform means less time wasted piecing together the bigger picture and more time spent containing incidents.

Q2. What is the biggest challenge organizations face when it comes to reducing attacker dwell-time on their networks? How is your Open Threat Sharing Network & Open Source SIEM Project helping in this regard?

Most organizations are woefully under-prepared to detect malicious activity in their environment. Most do not have the basic detective controls needed to gather the evidence or, if they do, rarely are they kept up to date with the latest threat intelligence describing the tactics, techniques and procedures of the adversary. AlienVault's Open Source SIEM provides that basic platform for threat detection - it includes the basic detective controls and can take advantage of the wealth of threat intelligence provided to the security community by our Open Threat Exchange.

Q3. What do you expect will be some of the hot discussion topics at Black Hat USA 2018 within your market segment?

I am excited to see a further focus on Cloud Security. Our experience has shown a growing wave of companies exploring the cloud as a critical part of their future. The move to the cloud comes with a lot of opportunities for improved security but also comes with some new security concerns. Forums like Black Hat are where we need to explore both of those paths so we can keep pushing forward and improve the solutions for securing our future.


Ian Pratt
Co-founder and President
Bromium

Q1. Ian, what were the lessons for enterprises from the Spectre and Meltdown flaws? What did it teach us about enterprise readiness—and mechanisms—for dealing with such issues?

Spectre and Meltdown are without doubt the most expensive security bugs in history. Designing mitigations has been a fabulously interesting computer science exercise. The reality is that there still aren't any known attacks circulating in the wild, so as of right now, it doesn't look like that effort has been commensurate with the threat. Spectre and Meltdown were front-page news because they were so unusual—an actual hardware issue—as opposed to the far more mundane but more dangerous application and OS bugs that get reported every week.

Spectre has been good in raising awareness in enterprises that they must have a strategy for updating their BIOS firmware images. Most organizations hadn't previously acknowledged this, and were running with the firmware the platform was originally shipped with. Even with all the publicity, the percentage of organizations that have actually gone to the trouble of updating their firmware is disappointingly small, not helped by Intel's initial misstep supplying broken microcode. These legacy firmware images all contain vulnerabilities more scary than Spectre (e.g. assorted ME/AMT vulns, nasty UEFI variable and SMM vulns etc), and shouldn't be ignored.

Bromium customers were safe in the knowledge that attackers using Spectre or Meltdown to try to read secrets out of the kernel, having achieved code execution via all the common vectors, were only going to be reading from the guest kernel. [The guest kernel] doesn't contain any real secrets—just honey [credentials] we've placed there. Deploying OS and firmware patches is always a good thing, but they could do it at their leisure, knowing they were in good shape.

Q2. Ian, if there's one thing you would like attendees at Black Hat USA to know about Bromium, what would it be and why?

Black Hat attendees know that detection is futile—modern OSes and applications offer such a vast attack surface that all it takes is a little bit of effort or ingenuity to bypass existing technologies. Bromium makes it such that you use hardware-enforced virtualization to get a fresh instance of the app and OS every time you open an email, access a document, click on a link etc. The VM lives just for the life of the task, and has access to just the resources and files needed for the task. An attacker can compromise the app and even escalate privileges to pwn the OS instance, but within the VM they have nothing of value to steal, no way to move laterally, and no way to persist beyond the life of the task.

Bromium drastically reduces the attack surface into something far more manageable and amenable to hardening, while remaining largely transparent to the end user. Application and OS vulnerabilities are no longer critical. Don't take our word for it: participate in our Bring Your Own Malware challenge, or see our Bugcrowd bug bounty program.


Tom Kellermann
Chief Cybersecurity Officer
Carbon Black Inc.

Q1. You recently joined Carbon Black as Chief Cybersecurity Officer. What is your immediate mission at the company in that role? What are some of your short-term objectives?

My immediate mission is to strategically guide and align threat research with the tactical goals of our MSSP partners and government information sharing programs. The long-term platform for modernization is dependent on understanding the latest TTPs and integrating those into our predictive analytics.

In the short term, I serve as a trusted advisor to our Fortune 100 clients per their security posture and strategy and represent the company around the country in various speaking and media engagements. A lot of people are interested in Carbon Black's view on the market and the threat landscape.

Q2. How exactly are Big Data and analytics in the cloud helping Carbon Black address emerging endpoint security challenges? How are enterprises benefiting from it?

These elements are paramount in a modern cybersecurity program. Predictive analytics help facilitate cyber situational awareness. Anomaly detection is imperative when it comes to preventing, detecting, responding to, and predicting attacks.

Q3. What is Carbon Black's messaging going to be at Black Hat USA 2018? Is there any specific technology area that you expect to be focusing on at the event?

We'll continue to educate the market on the Cb Predictive Security Cloud (PSC) and have conversations with organizations [that] are increasingly shifting their endpoint security to the cloud. I'll also be talking with attendees about decreasing dwell time, unifying defenses, and threat hunting.

[Carbon Black will be focusing on] the latest developments with the Cb Predictive Security Cloud (PSC) and our pioneering endpoint detection and response (EDR) capabilities. At Black Hat, beyond focusing on messaging, we spend a lot of time listening to attendees and taking careful note of their respective pain points. With the greatest information security minds gathered in one place, there are some amazing conversations that occur. I'm really looking forward to them!


Juraj Malcho
Chief Technology Officer
ESET

Ignacio Sbampato
Chief Business Officer
ESET

Q1. Juraj, ESET announced a whole new suite of enterprise security products and services at RSA including ESET Enterprise Inspector and ESET Dynamic Threat Defense. What specific issues are you helping organizations address with this suite of products? How do they build on your existing capabilities?

By introducing ESET Enterprise Inspector and ESET Dynamic Threat Defense, we want to help organizations with visibility and manageability of their security efforts in terms of prevention, detection and response. These two products extend our Endpoint Security Solutions, and are built around our existing infrastructure, with ESET LiveGrid and ESET Cloud Malware Protection System integrated within them.

ESET Enterprise Inspector is a very powerful Endpoint Detection and Response solution that leverages the intelligence we have in our Endpoints and Cloud, and helps organizations find potential threats based on their behavior and reputation, among other factors, and respond to them from our ESET Security Management Center. ESET Dynamic Threat Defense creates an additional layer of protection for organizations providing a way for them to submit suspicious files to our cloud infrastructure and get personalized feedback, ratings and detailed reports on those files if they are malicious or not, and let them adjust their prevention capabilities accordingly.

Additionally, we are introducing services to provide our expertise and intelligence to our customers. These services are going to help them with monitoring and finding potential threats within their infrastructure (ESET Threat Monitoring and ESET Threat Hunting), and provide them with additional threat intelligence that can further be used to customize their defense.

Q2. Ignacio, what do you see as some of the biggest current and emerging endpoint security threats that organizations face these days?

What's interesting about endpoint security threats is they are usually similar in nature even though their goals might be different. Ransomware is still a relevant threat but lately we have observed a surge in malware focused on cryptocurrency mining. However, the attack vectors used by both of these types of threats are very similar, if not the same, and preventable in the same way. There are other threats that are being seen or discussed more often lately, like file-less attacks, that differ slightly in their nature but use similar entry points into the organization.

Besides the above technical threats, there are at least two other very big current threats for organizations around the world: misinformation and talent shortage.

I believe these might be even bigger than the technical threats that I've mentioned before. There's currently a lot of noise in the security market with the arrival of new, emerging vendors with very aggressive marketing messages that are many times not entirely true and are causing some customers, due to their lack of time, resources or knowledge, to choose a "solution" that doesn't protect them properly. They only notice it later, because everything sounded nice on paper and looked good during the PoC.

The [situation] is also fueled by a clear shortage of experienced and prepared security professionals which, combined with the pace at which technology and interconnectivity are growing, is becoming a very big challenge for organizations around the world.

Q3. Juraj, more than one year after WannaCry, the EternalBlue exploit continues to threaten unpatched and unprotected systems worldwide. Are you surprised? What is the lesson to be learned here for enterprises?

Unfortunately, that's not a surprise. Remember the Conficker and MS08-067 vulnerability? It's challenging for many organizations to keep their systems updated and protected in the connected and rapidly changing world we live in. It's part of our work as a security vendor to be close to our customers and users to help them improve this situation through our solutions as well as our expertise.

We recently published an anniversary piece on WannaCry on our WeLiveSecurity.com blog about the lessons that should have been learnt since then. The main lesson is that the security community needs to make it easier for customers to stay up-to-date with their anti-malware protection and software patches.

Q4. Ignacio, what are ESET's plans at Black Hat USA 2018? Last year, ESET presented some pretty groundbreaking research on the Industroyer threat. Should we expect anything similar this year?

Black Hat has always been a great opportunity to reach out to security professionals and researchers. We want to continue showcasing and introducing to them our new line of Enterprise Solutions, including the ESET Enterprise Inspector and ESET Dynamic Threat Defense products as well as the new services that we have made available since this year—ESET Threat Monitoring and ESET Threat Hunting.

We conduct research regularly and we publish it on WeLiveSecurity.com. But of course, as some of our top researchers are going to be at Black Hat, we are working on preparing valuable content for the audience as we did last year with Industroyer. We also invite everybody to stop by our booth and talk with our team there about anything they have in mind. I am sure they will learn a lot about ESET that they didn't know before.