Q1. You've talked about the benefits of combining signals intelligence (SIGINT) with human intelligence (HUMINT). What are some of the challenges organizations face in implementing a model that combines both the network and human centric approaches security?
[The main challenge with] SIGINT or network centric threat detection [is that it] requires a global collection infrastructure [in order] to build accurate detection models, derive telemetry on global threats and to compare trends across geographies, industries, and customers. [However] even though [SIGINT] requires access to large amounts of raw data, it has a relatively lower barrier of entry than in the case of HUMINT. For example, there are several large-scale open source data sets. However developing customer centric threat detections is not possible with open source data.
With HUMINT, or actor centric threat detection , [the challenge is that] it relies on engaging actors in closed underground forums and marketplaces. Therefore, it is crucial to have human expertise built over several years in the language, culture and social patterns of the countries where the actors are from. Analysts need to have developed personas over many years in the underground forums in order to be trusted and granted access to highly vetted forums and allowed to communicate and engage with the most sophisticated cybercriminals. The barrier of entry to the highly vetted forums is very high. The actor centric approach relies heavily on human experts and cannot be scaled and automated as much as with network centric approaches. [At the same time HUMINT] provides insight into the real actors' motivations and their interactions with their customers as well as with other actors before attacks happen. This provides a proactive view into the business models, infrastructures, services, tools and goods being sold in the underground and not just their manifestations on victims' systems and the global Internet traffic.
Q2. Why are DNS-based attacks increasing? What are some of the behavioral and technical causes driving the trend?
DNS-based attacks are still consistent and omnipresent. They are agnostic to the type of threats. Because practically all online threats need a website or domain presence--cybercriminal marketplace, forums, criminal chat server, malware, phishing, botnets, etc and a hosting IP presence—DNS and IP space will always be relevant to monitor and track these threats both on a customer's network and at global internet scale.
Q3. What do you expect will be some of the key conversations around threat detection and threat intelligence at Black Hat USA 2018?
Banking Trojans and ransomware are still relevant. Cryptomining is a new emerging widespread threat. Targeted attacks have always been around and are still causing problems where threat actors leverage vulnerabilities in hardware, and software. It has also become an established criminal practice to harvest large pools of vulnerable IOT devices and hosts that are connected to the Internet. These devices are weaponized by state sponsored actors or cybercriminals for diverse purposes [such as] DDoS attacks, brute-forcing attacks, mass spam sending, reconnaissance phase of future targets, proxy exit nodes to hide the origin of other attacks, etc.
Q1. Forcepoint has recently begun recasting itself as human-centric security vendor. What does that really mean and how is it impacting the way you develop and deliver products and services?
Let's face it, traditional cybersecurity has failed us, and it has put our nation and corporations at risk. As the number of sophisticated threats rise and the attack surface expands with digital transformation, legacy alert-centric solutions struggle to keep up. [Organizations] are overwhelmed by the billions of network alerts observed by a modern enterprise. Simply put, today's IT ecosystem is just too complex for traditional cyber architectures and point solutions.
We believe that a better approach is to understand the behavior of all the identities—employees, contractors, business partners, customers and even hackers—that access and interact with sensitive company data and then take appropriate action if that behavior is suspicious. This approach allows us to cut through the noise of all those security alerts and focus on addressing behavior that poses true risk.
We achieve this through our Human Point architecture which aggregates sensory information from a variety of channels, such as web, email, network, and inputs it into a sophisticated behavioral analytics engine to determine the actions, unintentional or malicious, that may pose a security risk. Based on the level of behavioral risk, we can take appropriate action to mitigate the risk. The power of this capability is that it can be used to automate enforcement at an individual level. This is unique in the industry.
Our human centric approach has certainly impacted how we develop our products. We are introducing behavioral analytics in each of our products and we are designing them to be able to transmit observed behavioral signals and risk scores amongst each other so that there is a global view of an individual's risk. Basically, we can sense anywhere and respond everywhere.
I truly believe the seminal issue of the day comes down to people and how they interact with technology. We're leading the industry with our cyber solutions that utilize human behavioral analytics to provide the highest levels of security.
Q2. What's driving the need for formal workforce monitoring programs at enterprises? What are some of the biggest issues/obstacles that organizations typically need to overcome when implementing such a program?
One of the growing causes of data breaches today is "insider risk," whether it is accidental or malicious. This is a real concern for any organization, especially as it seeks to empower its employees to be able to access company data efficiently in order to do their jobs. Legacy security tools are primarily designed to keep threats out and fail when the threat emanates from the inside. This is why many hackers often compromise insiders as a means of bypassing traditional security. The only way to effectively stop insider risk is to monitor the cyber activities of the users, understand their behavior and intent, and respond rapidly. Understanding intent is critical so that abnormal but innocuous behavior can be addressed differently than malicious behavior.
However, workforce monitoring presents big challenges for multiple departments and functions, from executive leaders and legal counsel to HR and IT teams as they balance the need for data and intellectual property protection with the privacy and legal rights of their own employees. The different laws in each country pose additional challenges, forcing companies with global operations to develop multiple policies depending on the location of their workforce. In some jurisdictions, organizations have broad authority to monitor how their workers use information assets. In others, they may need to avoid processing personal communications, and analyze private communications and information only where there are reasonable suspicions of misconduct.
Preserving employee privacy and ensuring trust is crucial. Many countries require that workforce-monitoring programs are only implemented after consultation and consent from workforce representatives or individual employees, and rightfully so. Every workforce-monitoring program must be deployed with the utmost transparency and respect to ensure the sanctity of trust between the employer and employee.
Q3. Forcepoint has a very wide swathe of products and services. Are there any specific product/technology areas that the company plans to focus on at Black Hat USA 2018?
We will continue to evolve our Risk-Adaptive Protection solutions as the foundation of our human-centric approach to cybersecurity. Forcepoint developed the industry's first Risk-Adaptive Protection offering – Dynamic Data Protection – in response to the challenges enterprise and government security teams face today in balancing airtight user and data security without getting in the way of business productivity.
Dynamic Data Protection is an automated risk response solution, which uses the power of human-centric behavior analytics for the most effective data protection against advanced threats. It automatically shapes and enforces security policies across enterprise endpoints or devices based on the calculated risk level of a given identity on the network.
Dynamic Data Protection is the newest product offering within our Human Point System architecture. Bringing together sensor, analytics and enforcement innovations, the Human Point System architecture enables customers to "start anywhere" with best-in-class cybersecurity products, including DLP, User and Entity Behavior Analytics (UEBA), Cloud Access Security Broker (CASB), Web/Email Security, Data Guard and Network Security (NGFW). These capabilities integrate seamlessly into a system with unified policy management or plug into existing on-premises or cloud environments.
At Black Hat, Forcepoint experts will be hosting theater presentations and hands-on demos at our booth #620. We're moving fast to change the cybersecurity industry and we're also looking for the best talent to join us. Our recruiters will be at booth #2241 in the Career Zone to answer questions from anyone who'd like to learn more about job opportunities at Forcepoint.
Steve Grobman
Senior Vice President & CTO
McAfee
Raj Samani
Chief Scientist and McAfee Fellow
McAfee
Q1. Steve, McAfee has recently talked about the need for more 'human-machine teaming'. What exactly is that and how is it transforming security operations?
In cybersecurity, as long as we have a shortage of human talent, we must rely on technologies such as artificial intelligence, machine learning and deep learning to amplify the capabilities of the humans we have. Furthermore, as long as there are human adversaries behind cybercrime and cyber warfare, there will always be a critical need for human intellect teamed with technology.
"Human-machine teaming" recognizes that humans are good at doing certain things and machines are good at doing certain things. Machines are good at processing massive quantities of data and performing operations that inherently require scale. Humans have strategic intellect, so they can understand the theory about how an attack might play out even if it has never been seen before. The best outcomes will come from combining them.
Cybersecurity is very different from other fields that utilize big data, analytics, and machine learning, because there is an adversary trying to reverse-engineer your models and evade your capabilities. Security technologies such as spam filters, virus scans and sandboxing are still part of protection platforms, but their industry buzz has cooled since criminals began working to evade their technology. Human IT security staff on the front lines of an attack can anticipate new evasion techniques, exploits and other tactics in ways detection models based on the past cannot.
A major area where we see human-machine teaming playing out is attack reconstruction, where technology assesses what has happened inside your environment, then engages a human to work on the scenario.
Efforts to orchestrate security incident responses can benefit tremendously when a complex set of actions is required to remediate a cyber incident. Some of those actions might have very severe consequences to networks. Having a human in the loop not only helps guide the orchestration steps, but also assesses whether the required actions are appropriate for the level of risk involved.
In threat intelligence analysis, attack reconstruction and incident response orchestration, human-machine teaming can take the machine assessment of new information and layers upon it the human intellect that only a human can bring. Doing so can take us to better outcomes in all aspects of cybersecurity. Now more than ever, better outcomes are everything in cybersecurity.
Q2. Raj, what emerging cyber threats scare you the most and why? How is McAfee evolving its strategy to deal with these threats?
Scare me? I don't know if I would use those specific words, there are a number of threats that I find particularly challenging.
One in particular was seen in the attack on the Winter Olympics when the malicious actors used steganography as a means to hide malicious content. What was remarkable is that the tool used had only been released eight days earlier and demonstrated innovation by modifying the campaign in flight. Another example we published about was the use of DDE when the issue was only identified 2 weeks earlier.
It shows that threat actors are getting better, faster and simply put successful as a result of this rapid innovation.
Does it scare me? Nope, bring it on.
Q3. Steve, what do you see as some of the most critical gaps in enterprise security operations centers these days? What are some approaches for addressing them?
I see two major gaps we should focus quite a bit of attention on. The first is a bit broader and it is the comprehension of new security risks brought about by how companies operate in the cloud. People assume that the cloud is safe, and by moving to the cloud and offloading a bulk of the work that their job—as a security professional—is done. As we've already seen in some of these major attacks on misconfigured S3 buckets, this is clearly not the case. Just because you are off loading a bulk of the work doesn't mean you don't have a responsibility as a security professional. The cloud protections are out there, CASBs are a great starting point for security. I would advise SOCs to continue to take a data first approach, and truly understand where their companies' critical data is residing – whether in cloud, on premise, or a combination of the two.
The second area of concern to me is this concept of adversarial machine learning—essentially bad actors using machine learning and artificial intelligence against us. Bad actors have access to technology just as easily as we do. If you use a simple example like phishing, you can use machine learning to really amplify an attack. Think about the differences in generic phishing and spear phishing. In the prior, you send thousands of messages that all look the same hoping to get a few people to click along the way. Little effort on the bad actors' end, but typically the return is very low. In spear phishing the bad actor spends quite a bit more time focused on a well-crafted and targeted campaign, but it doesn't scale. You can only have a handful of targets. Your conversion rate is much higher, but the targeted population you can go after is much smaller. When you apply a technology like machine learning to this, bad actors can now hit a higher scale with targeted messages. For great technologies like ML and AI, we need to also be weary of how bad actors will use and also circumvent these tools. ML evasion is happening now.
Q4. Raj, What are McAfee's plans at Black Hat USA 2018? What do you want attendees to take away from McAfee's presence at the event?
McAfee's Advanced Threat Research team will be showcasing our latest discoveries and revelations across the threat landscape, including the many clues groups such as Lazarus and Hidden Dragon have left behind through campaigns such as Ghost Secret, Gold Dragon, HaoBao and others. These "puzzle pieces" can be put together to illustrate the connections between the many attacks attributed to nation-states and categorize different tools used by specific teams of their cyber armies. We're prepared to show what we have learned, and how to turn these insights into tools for pro-active threat detection and protection versus these and other groups.
Q1. Rapid7 has described itself as helping enterprises enable a SecOps capability. How exactly is it doing that and why is it important for organizations?
Security Operations, or SecOps, is not a new term, but what we are seeing from our customers is a desire to create a shared motivation between security, IT, and development. Implementing this practice of SecOps necessitates that these three groups make security part of everyday business processes and the only way to make that possible is visibility, analytics, and automation. Rapid7 has been working towards a fully realized platform that now allows these three groups to scan for and prioritize vulnerabilities in the network and applications, detect and contain incidents from endpoints to cloud instances, simulate and analyze phishing campaigns, as well as orchestrate and automate across each team.
Q2. What is Attacker Behavior Analytics and how does it help enterprises bolster their cybersecurity posture?
Attacker Behavior Analytics (ABA) feeds Rapid7 Insight solutions with a threat intelligence core directly from our security analysts, Internet-wide scanning, and honeypots found throughout the globe. In practice, ABA feeds InsightIDR customers, who are also automatically using User Behavior Analytics (UBA) with high-fidelity alerts on evolving attacker behaviors built from thousands of incident investigations, including the use of fileless malware, cryptojacking, and spear phishing. When these malicious techniques are identified, alerts highlight notable behavior from the affected user and asset, making it significantly easier for security teams to respond quickly and with confidence.
Q3. What do you want attendees at Black Hat USA 2018 to know about Rapid7's SIEM technology and how it has evolved over the years to keep pace with changing enterprise requirements?
SIEM is often an overhyped, or perhaps scorned, technology. When Rapid7 introduced InsightIDR in 2016 we would often hear that it was 'the SIEM you always wanted', and that was true because our focus was more on the ability to properly detect incidents with high-fidelity by combining the best parts of SIEM, EDR, and security analytics. Now we've added onto that with our ABA threat intel and a solution on-boarding that takes just a few minutes to get the product started for any environment, in fact we might be the only SIEM that offers a 30-day free trial.
Q1. What are the biggest challenges organizations face when it comes to securing the public cloud and DevOps in today's threat environment?
DevOps and the use of public cloud offer amazing opportunities for companies to have a much more dynamic and elastic development schedule. It allows them to update their custom apps more often and offers unparalleled flexibility for the developers who can now configure the infrastructure through the use of APIs. The challenge is to keep an overall visibility on this process. Public cloud providers come with myriad services and the elasticity of the process makes it much harder to have an overarching view of the infrastructure, as it changes all the time. This makes it difficult to conduct basic cyber hygiene and to make sure that every service and server is configured securely and has all the latest security fixes applied.
Q2. Enterprises have typically struggled to measure and quantify cyber risk and to benchmark their efforts against peers. How does Lumin help in this context? What are some uses cases for the technology?
Tenable.io Lumin leverages our 15 years of experience in vulnerability management by prioritizing vulnerabilities by different factors such as the criticality of the vulnerability itself, the importance of the assets that are affected and how widely it's being exploited in the wild. Tenable.io Lumin also lets companies compare their overall security postures against others in the same vertical or against our overall user base, which in turn allows them to better gauge the return on investment of their security methodology.
One use case is what we call "time to detect/ time to remediate" benchmarks for a given vulnerability. This analyzes how quickly a company detects a specific vulnerability on its network-, how that compares to their peers, and how much time it takes to actually correct it. This use case is incredibly useful as it allows companies whose overall result are in the bottom percentiles to identify whether their security processes are lagging or if IT processes are getting in the way. Over time, we'll release more metrics that will not only better help companies understand their posture, but also better understand the latency built in by their processes. Tenable.io Lumin is currently in beta. It will be generally available in the second half of 2018.
Q3. Tenable calls itself the Cyber Exposure firm. What do you want attendees at Black Hat USA 2018 to know about your company's strategy for addressing that exposure?
The digital infrastructure has never been so varied. In addition to traditional servers, endpoints and mobile phones, security teams now have to deal with an ever-changing public cloud infrastructure, with developers having IT privileges, IoT devices popping up throughout their facilities and in some cases OT devices that are now connected to their global network. The complexity and velocity have never been higher. Cyber Exposure empowers our customers with a real-time view of their digital assets, an understanding of how those assets fit into their business and how important they are and the ability to report useful metrics and benchmarks to their management. We're transforming cybersecurity from an art form to a KPI-driven discipline.
