Adallom co-founder and CTO Ami Luttwak and VP of strategy and marketing Tal Klein talk about why their company was named one of the "10 Coolest Security Startups Of 2013," and why Black Hat USA 2014 attendees should visit their "Intro To The World Of SaaS-Based Attacks" workshop.
Q: Tal, Adallom was named by "CRN" as one of the "10 Coolest Security Startups of 2013." That's quite a compliment. As a newcomer to the space, what makes Adallom so "cool." What differentiates you from the other security firms?
Tal Klein: I think there are really three factors that play into the attention we've been getting.
The first is that companies are moving from the exploratory phase of their cloud strategies into the adoption phase. What we're seeing is CIOs officially sanctioning cloud applications like Office 365, Google Apps, Box, Successfactors, Salesforce, and even Dropbox and Evernote. So the evolution of the IT philosophy towards SaaS has shifted from treating something like Salesforce as "Shadow IT" into "Sanctioned IT." This is important because up until now I think IT was still trying to grapple with problems like provisioning (and more importantly deprovisioning) access to applications that it did not control. But that problem was solved by the IAM people (like Okta, Ping, Centrify, and OneLogin). So now that SaaS applications are becoming sanctioned, IT has a really urgent need for extending its purview into these applications – and what I mean by that is today when you use an app like Salesforce, the administrator has very little visibility into the actual usage of the application. There are both security and regulatory ramifications for this lack of visibility and control which fall under the "shared responsibility model." Salesforce is responsible for the security of their platform and the customer is responsible for the security of the users using the platform and, more specifically, the security of the data which is accessible and controlled by the customer's users. So if a Salesforce user is compromised -- say, phished -- how would you know? Salesforce has no accountability nor liability for informing you that the entity with a user's credentials is not in fact that user. So you are accountable for whatever happens in that context, and your company is liable for any data exfiltration or regulatory infraction. But you don't have the visibility or control to do anything about it. So that's what we call the "SaaS security gap" and it's precisely where Adallom helps. We extend IT purview to SaaS applications without getting in the end-user's way.
The second factor which we attribute to our success is the acceptance among IT leaders that BYOD, mobility, and cloud are all part of a single trend that requires an operational pivot. Forcing all users to interact with corporate data exclusively through a virtual desktop, VPN, or managed device has been proven to be untenable. So IT is coming to terms with the fact that users are interacting with corporate data on unmanaged devices over insecure networks. Sounds obvious, but it's actually been a battle of sorts within IT. We all know at least one IT ops guy who thinks end-users must follow corporate policy because, if they don't, they'll get fired. But the person is wrong, because the first people to violate policy are executives, and nobody is going to fire the VP of sales for violating IT policy -- say, sending a contract over Google Drive on their phone in order to close a deal. So there's been this trickle-down acceptance of essentially treating every user as an executive – accepting that VDI, MDM, EMM, VPN are all ineffective controls for mobile users on unmanaged devices accessing corporate data in cloud applications over insecure networks. Some people have been calling this "user-centric IT," but I think the users are not what IT needs to worry about. Our approach complements "data-centric IT" since IT needs to focus on protecting data wherever it lives and however people interact with it. So, as corporate data moves to the cloud, Adallom is nicely positioned to help IT satisfy the company's needs for information governance in the cloud without endpoint agents or devices in the data center.
Lastly -- and this is probably the biggest factor for the attention we've been getting -- existing perimeter (Firewalls, IPS) and endpoint protections (AV, Sandboxes) are completely useless when it comes to protecting privileged data in cloud services. Perimeter controls fail because, as I mentioned, users are interacting with data outside of the perimeter. A firewall cannot see what is not in its path. AV and Sandboxes look for things like malware and APTs but can't do anything against a garden-variety phishing attack. Protection-wise, we are entering the age of context. The technology Adallom was built on was originally designed to detect online behavioral patterns associated with terrorist activity. We have several pending patents in machine-learning and anomaly detection and are essentially repurposing tech that was designed to save lives into a solution that protects enterprise data. Once we establish a user's behavioral standard deviation, we can tell whether they are compromised in less than five clicks (or transactions). We can also detect for behavioral anomalies associated with intentional or unintentional data exfiltration -- for example, if a user is sharing all of their corporate files on Box with their personal email address.
Together these three factors give us an innovative edge over other players in what Gartner's been calling the "Cloud Access Security Broker" market. And they gave us the Cool Vendor nod in the Infrastructure Protection category because they recognize that the boundaries of infrastructure now must include cloud services.
Q: Ami, just a few months ago, Adallom discovered and reported a token hijacking vulnerability bug in Microsoft Office 365. The identity theft vulnerability in Office 365, found in the wild, allowed attackers to grab user identities and steal e-mail and documents. How was Adallom able to detect the bug … and what sort of solution do you provide your clients to keep them safe?
Ami Luttwak: Yes, the "Ice Dagger" attack, MS13-104. I'm glad you chose this one to ask about because it was the first exploit we found in the wild – it's a token hijack with extra cruft. We caught it in our very first customer last year, so there was a lot of second guessing because we wanted to be absolutely sure that what we found was a real live attack. Basically, what we saw was an Office 365 user requesting a document from a TOR hidden service under the onion.to TOR gateway. While we monitor and flag all requests performed against known TOR gateways, this specific request was performed by an Office component (Word) rather than the user. The Adallom engine freaked us out a bit because it reacted by disabling ALL corporate user access to Office 365, not just the affected user. In retrospect, we realized the reason was that the malicious behavior was being attributed to the application rather than the user, so it was doing the right thing – but, at the time, it looked like a giant false positive. To put things in context, it's the only time we've ever seen the engine react to an event by blocking access to an entire SaaS application rather than an individual user. It's a credit to our R&D team for designing a heuristics engine that assumes humans and applications are equally susceptible to flaw. By the way, I want to give a shout to the Microsoft Security Response Team; they were great to work with, and upon confirmation of the attack and resolution, they added us to their advanced protections program (MAPP) because we were the only vendor who they identified as being capable of thwarting this class of attacks. Noam Liran, our chief security architect, wrote a great blog about the work that went into deconstructing this attack.
Q: You are sponsoring a workshop at Black Hat USA 2014. Tell me a little about the topic and what will be the biggest takeaway for attendees?
Luttwak: Yes, it's a very hands-on workshop designed by Adallom Labs, our R&D forensics team. We're going to show attendees some real-life attacks against enterprise Software-as-a-Service applications in order to explore the nooks and crannies of the shared responsibility model. The ubiquitous accessibility and extensibility of SaaS applications has unveiled many new attack vectors. We will explore and contrast "SaaS attacks" vs. traditional attacks, and cover various attack vectors, from application exploits, to protocol vulnerabilities, and, of course, end-user attacks. For example, we'll show attendees why the mechanics of the recent Google data URI scheme which allows attackers to include data in-line in Web pages as if they were external resources merits a lot more attention than it's been getting. The scheme uses Base64 encoding to represent file contents, in this case supplying the content of the fake Web page in an encoded string within the data URI; the attack is invisible even to Google itself. That's just one example. We'll also be covering token hijacks, Oauth MIMs, and more. The goal is to arm infosec pros with the right tools to assess the security postures of SaaS vendors their companies do business with. I think it's going to be a lot of fun.
Join us in our workshops and visit our booth to see a live demonstration and how these solutions can help enable a secure enterprise.
Ned Snow, president of SecureNinja, explains the benefits of his IT security training and certification "bootcamp," the 29 free training courses that can be seen on SecureNinja TV, and why Black Hat USA 2014 is so important to his marketing strategy.
Q: Ned, SecureNinja maintains an IT security training and certification "bootcamp." For those readers who aren't familiar with what your company does – or what a certification bootcamp is – tell me a little bit about what attendees can learn and why what they're learning is so important to their enterprise.
Ned Snow: SecureNinja provides cybersecurity training and consulting. Our training courses are available in many different formats but the most popular modality is certification bootcamps. Cybersecurity bootcamps provide hands-on knowledge transfer combined with exam preparation in an accelerated and cost effective manner. We teach cybersecurity bootcamps from foundation-level classes, such as CompTIA Security+ and Cybersecurity Fundamentals, all the way up to advanced level courses, such as Malware Analysis, Reverse Engineering, and Offensive Penetration Testing. All SecureNinja instructors are master practitioners in the field and bring real-world skills into the classroom ensuring that when students return from class, they can hit the ground running with their newfound knowledge.
The average candidate for a SecureNinja courses is someone who has been in the field of information technology for 1-2 years or those who have a good notion of the underlying concepts of computers and networking. Individuals come to our bootcamps for many reasons, but the typical attendee is looking to advance their skillsets thereby ensuring that they are competent in the latest technologies to maximize their competitiveness in a very busy marketplace and, in many cases, garnering them a higher salary or promotion. Certification also shows to an employer or potential employer that you are committed personally to always improving your game.
Enterprises send personnel to SecureNinja to make sure their team has the knowledge to perform mission requirements more efficiently, to fortify their cybersecurity posture, or to be compliant with government and commercial mandates regarding certification. Many companies use training and certification ways to motivate their team members all while helping the business' overall internal performance. Company sales can increase by showing potential customers that you have certified employees with the skill necessary to assist them with their solution.
The bootcamp curriculum consolidates courseware from weeks or months into one- or two-week courses. Official curriculum can be redundant and bootcamps make the retention of knowledge much easier by eliminating the repetitiveness and non-essential content. To further the return on investment from a bootcamp, we provide on-site testing for vendor certification in the classroom on the last day of class. The end result is that students go home or back to work certified and with real world skills to hit the job running.
SecureNinja assists students to make sure that their time spent learning is as stress-free as possible. SecureNinja student services team takes care of travel and accommodation and meals for attendees. Student books and courseware are shipped to the student at the point of registration so they can begin reviewing the material even before they come to class. We have made a considerable investment in state-of-the-art classrooms. All students will be provided with in-class laptops with a minimum of 8GB of RAM and adjustable chairs which include lumbar support designed for long hours of sitting. SecureNinja stands behind its mission to get the student certified and guarantees that if the student does not pass their certification on the first try, they can come back and attend the same class free for up to one year.
Students who come to our bootcamps find that when they are away from home, it eliminates the distractions they normally face and can focus in on preparing only for the certification exam. The bootcamp format may not be for everyone, but for those who can attend, it is a winning formula for -- as we call it -- 100% Certisfaction!
Q: I'm intrigued by your SecureNinjaTV and the 29 free training courses you maintain there. What sort of audience would benefit from viewing the videos and what skills would they pick up by watching them?
Snow: SecureNinjaTV is the new media division of SecureNinja and was created to give back to the cybersecurity community. SNTV covers industry events and shares information on hot cybersecurity topics through interviews with industry leaders.
Recently, SecureNinjaTV began producing free training videos, namely the Cyber Kung Fu for the CEHv8 Sensei Series. Throughout the 29 videos in the series, instructor Larry Greenblatt covers all modules of the CEH (Certified Ethical Hacker) training curriculum with his own brand of exciting material made engaging by the infusion of storytelling along with the teaching of the common body of knowledge, while Tom Updegrove demonstrates hacking skills and tools via hands-on lab with SecureNinjaTV host, Alicia Webb. The CEHv8 Sensei Series covers topics such as Footprinting and Reconnaissance, Scanning, Enumeration, NMap, Nessus, Metaspolit, Wireshark, and more. The series will familiarize viewers with basic ethical hacking tactics, tools and concepts, as well as better prepare them to pursue the CEHv8 certification.
Our goal with the Sensei Series is for students to utilize these videos and become interested in the world of white hat hacking and, as a result, pursue a career in the field and an education path through SecureNinja. The U.S. continues to suffer from a lack of cybersecurity professionals in both the private and public sector. There are so many developing opportunities in cybersecurity and it is our goal to help people learn the skills necessary to lock in a great position and to produce an army of warriors for the industry. If our free training can serve as a launching pad for talented individuals to become a part of the fight for cybersecurity, then our goal will be achieved. We welcome all who are interested to join the Ninja tribe to help protect our organization and governmental cybersecurity systems.
Q: What sort of workshop are you sponsoring at Black hat USA 2014 and why is it important to your marketing strategy to participate in the conference?
Snow: SecureNinja's workshop focus is on the practical process for initiating penetration tests on Web applications. The workshop will cover manual Web application testing, attacking ASP / MSSQL Web apps, as well as PHP / MySQL Web apps. The main thing, as with any SecureNinja training course, is that attendees will learn from someone who won't put you to sleep. Our CTO, Joe McCray, is a highly charismatic, polished teacher/consultant and will show all attendees how to really do the attacks and create their defenses in plain and simple English instead of a bunch of geekenese. Topics include learning SQL Injection, Cross Site Scripting, and malicious file handling against ASP.NET/MSSQL, and PHP/MySQL.
SecureNinja has partaken in Black Hat USA conferences for over three years running. The conference is an excellent opportunity to introduce new and existing products to potential customers from all parts of the world. We find an immediate return on investment from BlackHat in short order as key decision makers present purchase our cybersecurity training and consulting solutions. As we move towards international expansion, we will be sure to include Black Hat Asia and Latin America to our overall marketing strategy.
Gidi Cohen, CEO and founder of Skybox Security, discusses why common methodologies are no longer effective at reducing the attack surface, and how Skybox's Vulnerability Remediation Dashboard helps IT security pros act on data quickly – often within hours of vulnerability discovery.
Q: Gidi, I know that Skybox Security provides automated tools that find and prioritize factors that contribute to cyberattacks, such as vulnerabilities, firewall configuration errors, and access compliance issues. Tell me about your latest automated tool and what it does that competing tools don't.
Gidi Cohen: People talk about making "context-aware" security decisions, but frankly, most organizations have no ability to do this well. Context involves linking your network infrastructure data with your vulnerability data, threat feeds, firewall rules, asset database, patch management, etc. One-to-one correlation of data sets has almost no impact; you need to bring together dozens of different sources and make complex decisions about how each piece of information affects others. This is where modeling and simulation excel, and Skybox created the best modeling and simulation environment for enterprise-scale risk analytics.
We use this analytics-based approach to extract vulnerability data from existing data repositories without scanning the hosts. We can identify whether a risk really represents an exploitable attack vector with high impact and high likelihood that you should go fix -- or a red herring that's a waste of time and energy.
In comparison, competing solutions have a very rudimentary approach to security analysis, combining a small set of data sources and applying limited analytics. It's like the difference between solving a 10x10 Sudoku puzzle in an hour or a 1000x1000 Sudoku puzzle in a minute. Our combination of model-based architecture, simulation, and sophisticated analytics answers the toughest security questions really fast.
Q: You gave a talk on why common methodologies are no longer effective at reducing the attack surface. What common methodologies were you talking about … and why are they no longer effective? What's changed?
Cohen: Businesses have well-established processes for vulnerability management, firewall policy management, and the like. These processes just don't keep up with the times. They weren't designed to handle the scale and complexity of networks today, the fast-changing threat landscape, or the speed at which decisions need to be made. They just can't keep up, they break at the scale we see today, and produce a lot of irrelevant or inaccurate results.
If you start with the idea that you first have to understand the attack surface -- the sum total of all attack vectors against your network – then it puts you in an entirely different frame of mind. We focus on understanding the attack surface first, and then apply the knowledge of the attack surface to the security management processes so you get far better results in much less time.
Q: You recently introduced what you call your Vulnerability Remediation Dashboard. What exactly does that do – and will you be showing it off at the workshop you'll be sponsoring at Black Hat USA 2014? What will be the biggest takeaway there?
Cohen: Vulnerability regulations were established to ensure that risk-causing vulnerabilities live in an organization's environment for the shortest amount of time possible. After all, finding vulnerabilities is only half of the battle – remediation vulnerabilities before an attack is what counts.
In February, Skybox announced a new vulnerability remediation dashboard which provides a central view for IT security professionals to effectively monitor and track vulnerability remediation.
Skybox converts volumes of vulnerability data into detailed remediation instructions, so security managers can act on the data quickly – often within hours of vulnerability discovery. Skybox identifies concentrations of vulnerabilities by vendor, business unit, security bulletins, or by geographic location in a company, enabling organizations to reduce overall vulnerability levels quickly with minimal effort.
The remediation dashboard provides a centralized view to monitor and track the vulnerability remediation process against defined service-level agreements (SLAs). Security metrics track resolution of vulnerabilities against goals, such as fixing high-priority vulnerabilities within a defined period of time, or achieving a target rate of found versus fixed vulnerabilities, and provide a breakdown of vulnerabilities that meet the SLA and those that do not.
The remediation dashboard guides daily remediation efforts by providing a prioritized list of vulnerabilities and presenting multiple remediation alternatives to block or mitigate known vulnerabilities, such as patching, IPS shielding, configuration changes, or a prioritized list of security bulletins that should be applied.
The Skybox Workshop will focus on identifying critical vulnerabilities so they can be fixed as quickly as possible to ensure a reduction in risk and the shrinking the attack surface over time.
In this session on vulnerability analysis and prioritization, we'll cover: calculating risk exposure (Risk = Impact * Likelihood * Time); the data you need to collect about assets and vulnerabilities; prioritizing vulnerabilities using simple two-factor relationships; asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data; and techniques to drive down the risk exposure time.
Christopher Ling, executive VP at Booz Allen Hamilton, announces the second Kaizen Capture The Flag workshop at the Black Hat USA 2014 conference, and why he believes companies ought to focus on diversity in the security arena.
Q: Christopher, at last year's Black Hat USA, you sponsored a tremendously fun and informative Capture The Flag event designed to build the skills of information security professionals through hands-on challenges in forensics, Web exploitation, scripting, and binary reverse engineering. What's on the agenda this year?
Christopher Ling: We're proud to be the first company to officially offer a Black Hat Capture The Flag event via a workshop, and we will once again be holding another CTF that we're calling "Kaizen 2.0"!
The level of involvement and excitement around the Kaizen CTF last year essentially sold out our event and we couldn't fit any additional participants into the room. To build on that success and the highly positive feedback we received from participants, we plan to use that same concept, incorporating new challenges and opportunities for continuous learning, enhancement, positive change, and overall the improvement of one's skills and self which is the mantra of our Kaizen CTF.
Q: "Vault" recently ranked Booz Allen Hamilton first in public sector consulting and fourth best consulting firm worldwide on a number of criteria, including prestige and quality. Very impressive. What do you believe differentiates your company from its competitors?
Ling: Booz Allen is celebrating our 100th year in 2014, and we're particularly pleased at these rankings because "Vault" reflects the views of the people we interview and hire. We strive to be a firm where very bright and highly motivated people can thrive, and it's rewarding to see that these efforts are realized in the experiences of people who work here.
A key element to our success involves listening to feedback from organizations like "Vault" or our own employee surveys to improve our employee experience, including feedback in important areas like creating a better work/life balance for our employees. Through our staff, we focus on being an essential partner to our clients, working alongside them to address their toughest challenges. We don't just provide a service -- we're a partner. And we place a priority on supporting the communities in which we live and work by linking our corporate giving to employee volunteerism to maximize our impact. It's the combination of these factors, along with the careful financial management of our business,that differentiates Booz Allen among our competitors.
Q: Your company seems to be focusing on diversity in the security arena – from BAH's Latin American Forum organizing a mentoring event for the New York City chapter of Girls Inc. to being listed as one of the 50 best companies for Latinas, to filming a video about creating a workplace where lesbian, gay, bisexual, and transgender employees feel welcomed. Why has this become a priority for BAH?
Ling: We want to ensure that our clients are getting the best ideas, the highest quality work, and the strongest vision from our staff. We know that's only possible by building a workforce with a true diversity of ideas and life experiences. We want to create an environment where employees feel they can bring their "full selves" to work, applying everything they have learned and experienced in life to help solve our clients' problems. We're a collaborative organization, and different points of view are essential for a rich collaboration that results in the strongest results.