Ben Herzberg
Security Research Group Manager
Imperva
Itsik Mantin
Director of Security Research
Imperva
Q: why do so many breaches remain undetected for lengthy periods of time? What is that that organizations are not doing, or are not equipped to do, and how is Imperva helping address the problem?
The cybercrime industry has evolved. In the past, attackers were so excited with the idea that they can hack their way into a system, that they acted like a "bull in a china shop," getting some data, leaving traces all over the place and running to tell the hacking community of their achievement. Modern attackers are anything but hobbyists and are often playing a game against an empty goal.
Today's professional attackers have well established business models, knowing how to translate a hack to a breach and a breach to money. Attackers strive to optimize their ROI and to get the most from breaches. Why steal the data of the infected admins desktop and get caught and removed after a day, when instead you can wait on the machine, monitor her emails waiting for something interesting to pop-up, waiting for a chance to harvest the credentials of a more powerful user, like an IT expert doing a maintenance operation.
In addition, some of the most famous breaches involved the personnel data of the organizations, which render the traditional layers of defense, perimeter and endpoint protection, useless. When the attackers come from within, there is no perimeter to penetrate, and no malware that can be detected by anti-virus.
What is common to attacks coming from both inside or outside the organization is that the attackers are after the data, either user's information or other business critical data, and the way to detect and mitigate the attacks is by putting controls on the places where business critical data resides, databases, file servers or cloud applications.
Imperva data security products do exactly that -- DAM and FAM products, are used to monitor and audit access to databases and network file systems, and the CounterBreach product uses machine learning engine to detect attacks, anomalies and suspicious behavior of users.
Q: Ben, tell us a little bit about Imperva's Research Center and how your customers are benefiting from it?
Our research group consists of teams dealing with data science and machine learning, application security, infrastructure protection and DDoS mitigation. The group covers the entire spectrum of web application protection – from our on-premises/cloud deployments of SecureSphere solution to the Incapsula CDN. That means that on the one hand we have the highly flexible SecureSphere product, and on the other, we have the amazing visibility we get from the attacks we can observe on our CDN. In addition to making sure our clients are safe from external threats, our group is also initiating development of PoC's for new products and features, which brings a lot of delight to our work.
Customers are benefiting from our ability to combine high visibility and data analytics which allows us to continually improve the level of security and find new attacks, as well as address "the elephant in the room" – providing a high level of security without compromising on the number of false positives. By combining that with strong security intelligence from our CDN, we can also make smarter decisions when it comes to using reputation to enhance security. In addition, our group has experienced and innovative developers who can execute new products and solutions. We can be very independent and deliver strong security value to our clients.
Q: Itsik, enterprises worldwide are spending tens of billions of dollars on cybersecurity and yet remain vulnerable as ever. What can security vendors, such as your company do more of to help organizations better secure themselves against existing and emergent threats?
There is great technology available for every threat now, and while it doesn't mean that if you deploy everything you will be protected, the industry does have technology for realistic, current threats. But this means an enterprise can easily have 50 or more solutions deployed all with different components, languages and configuration options. To help their customers better defend themselves, security vendors need to do more to integrate components in terms of configuration and common APIs across solutions.
Q: Ben, why is it important for Imperva to be at Black Hat USA 2017? What topics do you expect will dominate the conversation at the event this year?
Being at Black Hat is something that's important for any security company, as that's a great place to meet everyone from the industry, discuss co-operation which can help provide better security to the global community, and open our minds to new ideas. That's in addition to gaining knowledge from the briefings. I expect that there will be a lot of interest in AI and machine learning-based analytics, as the amount of data we get from security controls continues to grow and has the potential to overwhelm staff.
Q: What has IOActive's experience in pen testing and security assessments taught you about enterprise preparedness—or the lack thereof—to deal with existing and emerging threats? Where do the biggest gaps exist?
At a very high level, our vast experience in pen testing and security assessments has taught us two important and indelible truths. First, given the pace of technology development and the subsequent threats associated with it, there will never be such a thing as being 100% secure, period. It's why we often discuss the importance of consistently balancing your efforts on defense, offense, and resilience.
That said, another important thing our experience has taught us is that the earlier you make security a priority in the design and development of your network, product, or service, the better off you will ultimately be from a security posture and preparedness standpoint. We have seen significant improvement across organizations and industries over the years as breaches have unfortunately grown to the level of notoriety that is forcing the issue, but too often we still see security being more of an afterthought, a formality needed to check the box on RFPs.
If security isn't made a top priority at the very front end, it becomes harder, more time consuming and expensive to address vulnerabilities further along the development line. So much so that the cost versus risk equation often turns sound security decisions into calculated business decisions where security is compromised. The phrase "hope is not a strategy" comes to mind when we see businesses make these decisions. As I said, it is getting better, but it's still a really big problem and the reason the cybersecurity beat is a very busy place. We don't get bored.
Q: With all the security technologies that are available these days to address virtually every conceivable threat, why do organizations need someone like an IOActive? What do you bring to the table that is so vital?
There is so much misinformation about what makes a sound security strategy. There is definitely no shortage of security technologies nowadays, but given the pace of technology and threat landscape that has emerged it's virtually impossible to cut through the noise and ensure you're staying ahead of the threats. To be clear, there are a lot of great and important security tools. I spent years with product companies and have a great appreciation for their place in building a solid security infrastructure and program.
But we consistently see organizations making massive investments in security technology and consequently developing a false sense of impenetrability, only to wind up asking how they still ended up on the receiving end of a breach. The truth is tools alone can only get you so far. To keep pace with modern threat actors you simply cannot supplant the human element. That means needing highly skilled security talent that can think like an attacker to help design better security programs and produce more secure products.
Tools can't replicate what our world-class consultants and researchers do for our clients and the industry as a whole. Threats emerge and evolve far too fast and are too complex. The real world attackers trying to exploit vulnerabilities to do bad things are human. Our experience enables us to bring that adversarial view to our work and the investments in our labs ensures our team has access to the cutting edge technologies that true adversaries do - leveling the playing field so to speak.
At our core our people are hackers. But fortunately for all of us they're on the good side and committed to making the world a safer and more secure place. I believe that attacker mind and skillset is a perspective we bring to our work and clients better than anyone in the world...and it's just not something you can buy in a box on the exhibit floor.
Q: IOActive is hosting its IOASIS event at Black Hat USA 2017. What can we expect from the event?
I'm really excited about our Vegas program this year. We're honored to be partnering with Black Hat to elevate our very popular IOAsis program and have it officially be part of arguably the industry's most influential conference. We created IOAsis to be an "escape" of sorts from the conference chaos. A place to relax, take a break, grab a bite and something to drink, network with peers, meet face-to-face with IOActive researchers, and ultimately recharge to get back out to the conference. We know there is so much to see and learn—it can be overwhelming.
In keeping with our IOAsis tradition of amazing security knowledge and talks, we'll have a great cast of our subject matter experts and researchers on hand and presenting, such as Ruben Santamarta, Lucas Lundgren, Bryan Singer, Daniel Miessler, Shane Macaulay, some of our top embedded systems lab team, and world class penetration testers. There will be an incredible knowledge base present and accessible to attendees throughout the event. IOAsis is always a great opportunity to welcome our community in to get a glimpse into their world and discuss their research, approaches to hacking, and the threats they are worried about in the years to come.
As always, our talks at the conference and IOAsis will include some great presentations, including new research on radiation monitoring devices, electronic automobile logging devices, connected motorized scooters, and more. Additionally, some of our top security pros will be covering really interesting topics, including egression testing, volatile memory analysis, emerging ICS attack models, and embedded systems hacking, iSCSI, BSD kernel vulnerabilities, forensics. I could keep going but you get the idea. It's a power-packed line-up we're bringing to town.
Looking forward to seeing everyone in Vegas!
Q: Why is it so difficult enabling enterprise security analysts to make decisions that improve security outcomes at their organizations? How is Leidos helping address these challenges?
This is a great example of how the same question can have very different answers across different organizations, or the tried and true "it depends" answer. Even generalizing to people, process, and technology, there are a wide range of potential challenges across each facet. That said, we definitely see some common themes contributing to this:
Our own experiences, background, and evolution put us in a unique position to see these types of challenges and help our clients address them (sometimes in creative ways). When you look across the Leidos portfolio (products, professional and managed services), it's really built around creating this type of sustainable security evolution. We know there isn't going to be a simple answer or checklist, but by coming in as a security partner, we create opportunities to identify and address the major challenges impeding positive security outcomes.
Q: What do enterprises need to understand about the power of using an analysis framework to bolster security capabilities?
It's critical to see an analysis framework as an enabler for analysts, not as an end-state or box to be checked. The power of an analysis framework doesn't come from the framework itself (it's just a tool), but rather from analysts using it to evaluate, analyze, and understand threat activity more completely. As that happens, you start to see and think about things you hadn't before (what is consistent between these events, what would have happened next, how could we detect this earlier?). That can be a very powerful shift in mindset for the enterprise.
I like to think I'm a realist, so one of the biggest things I try to convey is that an analysis framework is not a silver bullet or a quick-win solution. In many organizations, it was actually the desire to adopt and leverage a consistent analysis framework that ended up driving considerable evolution and advancement in capabilities. Clients wanted analysts to be doing consistent, exhaustive analysis, only to realize that their analysts didn't have the visibility or data accessibility that they needed to do so effectively. Even once those enablers or supporting functions are in place, the real transformative power of an analysis framework can take time to build and develop. Just saying "our analysis will use this framework" isn't going to achieve the desired results. But actually using it, analyzing events consistently and thoroughly, and tracking, comparing, and correlating that analysis over time can yield tremendous value.
Q: What are Leidos' plans at Black Hat USA 2017? What can attendees expect from your presence there?
First and foremost, we're excited to be here and have the opportunity to engage with other security practitioners from around the world. Like many Black Hat attendees, we're living the challenges of the security domain every day, so having the opportunity to come and hear from other experts and learn from their experiences and successes (and failures) is really exciting for us. And we want to contribute to those discussions based on our own experiences and successes (and failures)! To this end, we're hosting a couple of sessions again this year, specifically looking at Managed Detection and Response (a managed service that really mirrors our own philosophy when it comes to enterprise defense) and talking about threats and trends in the threat landscape we've seen over the last year.
We're also here to help identify the challenges facing enterprises today and offer up effective solutions across a robust portfolio. We've always approached the space with a partnership mindset – we want to build strong relationships with our clients that ultimately lead to transformative or evolutionary engagements. The Leidos team is really excited to be a part of those opportunities.
Q: What are some of the biggest challenges that organizations face in enabling a robust incident detection and response capability? How does Masergy help in this regard?
The world of cyber security is an asymmetric battleground. The attack surface is growing as a result of the growing number of connected devices, malicious apps, the Internet of Things, cloud services and the digitization of business functions.
Keeping the bad guys out is no longer an option. But implementing the tools and practices to respond rapidly to these myriad threats is an enormous challenge for companies.
Savvy security professionals are adding breach detection and rapid response to their cyber strategies. One reason breach detection is so important [is that] much of the damage can occur after a breach. Once hackers get into your network, they can poke around for months — even years — mining valuable data and causing all sorts of damage and chaos.
Detection comes in two main flavors:
• Endpoint detection and response: EDR tools record numerous endpoint and network events, then store this information either locally on the endpoint or in a centralized database. They use this data to continuously search for breaches — including attacks by insiders — and rapidly respond to attacks.
• Managed detection and response: MDR adds help from a managed service provider. This helps internal IT groups that lack the manpower, skills, budget and other resources to do it themselves.
Q: How can setting up a security operations center capability help organizations bolster their defenses?
Before you start building out a security operations center, you should have a well-defined security strategy in place. This includes these four key steps:
Once you have your security strategy in place, consider the cost and coverage of a SOC. Do you want to build it in-house? Experts estimate that a SOC costs on average between $300,000 to $1M annually, depending on the size of your organization. An alternate approach is to work with a third party partner who can add manpower as needed, provide 24x7 coverage, and deliver new technologies as part of a monthly service contract.
Q: What do you want Black Hat USA 2017 attendees to learn about Masergy from your participation at the event?
Masergy's Managed Security solutions offers comprehensive managed detection and response services on a global scale, tailored to meet any budget. We take the workload off of your IT staff to help you optimize your security resources and improve outcomes. Masergy employs patented machine learning, predictive analytics, and human intelligence to analyze customers' threat profile and help them respond rapidly to breaches.
Q: You took over as CEO of Tenable relatively recently. What is it about the company that excites you the most? What do you see as its biggest opportunities?
I've been in the cybersecurity industry for over 20 years, in both the private and public sectors. I've seen the industry evolve over the years and I truly believe this is one of the most important moments in the history of our industry. The ever-changing threat landscape coupled with massive computing shifts such as Cloud and IoT have made cybersecurity an existential business risk.
I am excited about Tenable for many reasons. First of all, we are laser focused on helping our customers solve some of their hardest problems. We work with over 21,000 customers globally of all sizes, from 50 percent of the Fortune 1000 and government organizations to local hospitals and small businesses.
Cybersecurity is a risk for every organization that has sensitive information or critical infrastructure to protect. Accurately understanding this risk amidst continuous change and the move to digital as 'business as usual' will become one of the most important and critical problems for organizations to solve, and we have a rockstar team of professionals that genuinely care about helping our customers. Our passion as one team on one mission, combined with truly innovative technology, is a winning combination that I jumped at the chance to be a part of.
Q: Tenable recently launched Tenable.io, the industry's first cloud based vulnerability management platform. How does it build on what's already available in this space? What does it help your customers do, that they weren't able to do previously?
The modern enterprise environment is dynamic, borderless, and continuously changing. Employees bring personal devices to work and IT teams spin up virtual machines and services on-demand, creating microservices-based containers on the fly and decommissioning them just as fast. Chips are being embedded in every kind of device creating an explosion of connected IoT devices in the enterprise, from corporate conference systems to industrial control systems. Today's complex mix of compute platforms and environments represent today's modern attack surface, where the assets themselves and their associated vulnerabilities are constantly expanding, contracting and evolving like a living organism, creating gaps in overall system understanding, security coverage and resulting in exposure.
Tenable.io builds on our heritage in vulnerability management to provide the visibility enterprises need to defend against today's modern elastic attack surface. Our recent additions to the Tenable.io platform including Container Security and Web Application Scanning are evolving the platform beyond traditional IT assets to keep pace with our customer's digital transformation evolution. With every release of Tenable.io we'll continue to deliver on our vision of empowering organizations of all sizes to understand and reduce their cybersecurity risk. We're really excited about what's coming, so stay tuned!
Q: What IT security trends and topics do you expect will dominate the conversation at Black Hat USA 2017, and why?
Black Hat is known for its underground culture and outlandish hacks that grab global media attention. There's no doubt this will still be a staple at this year's conference, but I think we are going to see back-to-basics topics like cyber hygiene take more of the center stage at Black Hat this year. It seems more exciting to talk about nation-state attacks and how to protect against the 'threat of the week', but the recent WannaCry global attack which exploited unpatched systems is a prime example of why basic, yet critical processes like patch management, are still critical issues for which we've yet to close the gap. It may not be sexy, but good cyber hygiene is core to the problem - and the solution.
I think IoT security will be another hot topic this year. Many say IoT is still a ways off from becoming reality, but the reality is that the future is here. By 2019 there will be 9.1 billion active IoT devices deployed in the enterprise, representing more than the smartphone and tablet markets combined. For the first time, concerns about IoT security ranked higher in ISACA's State of Cyber Security member survey than concerns about mobile device loss. All of these connected devices are part of the attack surface and the time to be discussing this critical issue is now.
