Interviews | July 22, 2024

Cloud and Containerization Have Complicated Vulnerability Management



Tom Gillis
SVP/GM Cisco Security

Cisco

Q1. What specific enterprise security requirements is Cisco addressing with its new Hypershield technology? What gaps does it address?

The current stock of security tools deployed today was built for yesterday's architecture. Securing a highly distributed enterprise requires focus on key challenges and addressing gaps such as segmentation, vulnerabilities, and policy management and enforcement.

Cisco Hypershield is the first truly distributed, AI-native security architecture that puts security wherever it needs to be: in every software component of every application running on the network, on every server, and in public or private cloud deployments.

It provides AI-powered management that automates security policy lifecycle and security infrastructure upgrades. At the same time, the system is designed to empower customers to figure out the level of autonomy they are comfortable with - using test, record, and report capabilities to earn trust. Imagine a network security solution that can write its own rules, test its own rules, deploy its own rules and lifecycle manage its own rules. It can even upgrade itself while you sleep.

Hypershield deeply combines security and networking in a way only Cisco can, by taking the network security functions that used to come in a box and “melting them” into the network.

Q2. You recently identified zero-trust network access as a fundamental security requirement. What's your advice for security leaders on how to manage the increased complexity of access controls in a zero-trust environment without overwhelming IT and security teams?

The important thing about zero-trust network access is that it directly impacts the user experience and the overall security of an organization. For the user experience, you want security to be invisible. They should be able to open their laptop, connect to the network and get to work, regardless of where the user is, or what kind of applications they need to access. The experience should be consistent, fast and stable.

The key is to be more explicit about how you're building your current policies, not necessarily to add even more controls. Zero Trust is about enforcing least trust across the environment. Understand your assumptions, and fix anything that you realize is a possible gap.

For example, if you're assuming that someone appears to be in the office and is therefore trusted, you should probably change that so that a user must go through the same checks – including things like continuous trusted access and identity verifications on a machine level with certificates and biometrics, which can happen in the background without imposing a burden on the user – regardless of where you are.

This will not only make the user experience more consistent and comfortable, but also improve your security.

Q3. What does Cisco have planned by way of panels, presentations, workshops, or other events for attendees at Black Hat USA 2024? What key messages or insights do you hope to convey through these events?

This year is the 10-year celebration of the founding of Cisco’s Talos Intelligence. Cisco is proud of the work our Talos organization does in the way of threat research, analysis, and engineering to help protect our customers.

On Wednesday, we’ll host a lunch and learn where members from Talos will lead guests through a game of Backdoors & Breaches and discuss recent trends and events. We have a session being led by Talos’ Nick Biasini, where he will present a threat briefing with insights and mitigation strategies related to identity attacks, zero-day exploits, ransomware, and infostealer malware. We’re hosting an incident response workshop, where participants can get hands-on experience to develop their skills and test their abilities, as they learn how to scope, contain, and eradicate threats like a pro. At the Cisco booth, we’ll have talks focused on the latest Talos research, and showcase some of our latest technology innovations. We’ll have some interesting games too, which could earn visitors a chance to win a unique Cisco Talos shirt available only during Black Hat.


Brandon Dixon
Partner Product Manager, Security AI Strategy

Microsoft

Q1. How can organizations balance the need for timely threat intelligence with the requirement for thorough vetting and analysis, especially with the recent increase in information warfare and disinformation campaigns?

Microsoft Threat Intelligence’s goal is to empower organizations, including our own, to reduce risk, expedite detection, and disrupt attacks early in the attack chain. We do this by balancing the necessity of speed of information delivery and impact with a methodology that ensures we’ve scored, corroborated, and analyzed data. This approach moves at AI-speed and is fueled by 78 trillion signals analyzed daily.

Additionally, we also believe driving the threat actor back into development is an effective way to disrupt active campaigns. This is why we spend considerable resources mapping actor infrastructure that we can use to take legal action and seize actor Internet-facing assets or sinkhole their operations. This enables our team to rapidly implement protections while observing and learning about their evolving techniques.

Our threat intelligence experts are seeing an increase in sophistication and speed of attacks. The world is experiencing an intense level of geopolitical instability with wars on multiple fronts, political change with electoral contests all over the globe, as well as the huge technological explosion of AI and all the societal implications around it. All this change and flux is reflected in the cyber threat landscape. Geopolitical conflicts are truly hybrid conflicts that have and will continue to touch industries outside of the immediate zones of the physical fight. Nation states are leveraging cyber operations and influence operations to support strategic and battlefield objectives.

Politically, more countries and people will vote for their elected leaders this year than in any year in history. Malign influence actors are putting infrastructure in place and testing new ways of crafting and distributing content intended to influence public opinion. For example, pro-Russia groups Storm-1516 and Storm-1099 have networks of spoofed news outlets for distributing content. Pro-China groups also have a deep bench of Chinese language sites and social media influencers promoting propaganda among the diaspora.

Cybercrime is evolving as well. Cybercriminals are moving from business menace to threatening actual lives with large-scale attacks on healthcare providers. Established ransomware families like Akira, LockBit, Play, and Phobos were still the most predominantly used in attacks observed by Microsoft in the first quarter of 2024. This period also saw the resurgence of Qakbot, which was observed leading to Basta deployments. Meanwhile, newer families like Knight/Ransomhub, INC, and Hunters International were also observed. Microsoft now tracks 75 active ransomware families. This new reality demands an increased level of vigilance to detect threats and a collective approach to disruption.

Q2. What role do you see generative AI technologies playing in alleviating the deepening skills shortage in the cybersecurity space and impact intelligence gathering?

Generative AI and solutions that build on top of it like Copilot for Security will bring new skills to cybersecurity professionals. Those without deep knowledge of a particular topic will be able to learn it more rapidly with the help of generative AI. AI can also help us overcome another of the industry’s biggest challenges. In the face of a global cybersecurity workforce shortage, with roughly 4 million cybersecurity professionals needed worldwide, AI has the potential to be a pivotal tool to close the talent gap and to help defenders be more productive. We’ve already seen in one study how Copilot for Security can help security analysts regardless of their expertise level—across all tasks, participants were 44% more accurate and 26% faster.

Today, professionals save time and complete jobs that otherwise may have been beyond their experience. For example, scripts associated with an incident can now be easily explained by the language model whereas that task previously required someone with technical expertise in the scripting language. Another example would be constructing structured queries like KQL to hunt for threats or answer questions. Using natural language, users can express their intention and the model will suggest KQL queries to run.

Any new technology that’s adopted brings a demand for talent to understand it. The generative AI movement has created one of the best times to begin learning about this space and applying it in the cybersecurity workforce. Those learning now will be in a strong position to apply technology for cases where attackers look to abuse it.

Q3. How does Microsoft plan on using its presence at Black Hat USA 2024 to spread awareness of the company's security AI strategy? What do you hope customers and other organizations at the event will take away from your company's presence there?

Microsoft plans to use its presence at Black Hat USA 2024 to showcase its commitment to security and demonstrate how its AI strategy is integral to enhancing cybersecurity measures. By sharing insights, best practices, and the latest advancements in AI-powered security solutions, Microsoft aims to educate and engage with customers and other organizations. The goal is for attendees to gain a deeper understanding of Microsoft's security AI capabilities and to recognize the company as a leader in the field, committed to innovation and the protection of digital assets. Here are some of the highlights of what we have planned for the event:

  • Our Corporate Vice President and Deputy CISO of Microsoft Security, Ann Johnson, will present on the main stage, sharing threat intelligence insights and best practices in a conversation with Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft Threat Intelligence Center (MSTIC).
  • Microsoft's booth (#1240) will feature theater sessions focused on Threat Intelligence thought leadership and in-booth demos with product and partner specialists, highlighting the latest developments, resources, and demonstrations. The sessions will focus on product innovations and thought leadership, with demos on Threat Intelligence, Copilot for Security, Threat Protection, Multi-cloud Security, Data Security, Securing AI, Advanced Identity, plus threat hunting using an interactive KC7 Threat Intelligence Challenge game, crafted to mirror real-world cyber threats.
  • Our sponsored session titled “Moonstone Sleet: A Deep Dive into their TTPs,” presented by Greg Schloemer, Threat Intelligence Analyst at Microsoft, will take a deep dive into cyber threat actors associated with the Democratic People’s Republic of Korea (DPRK). He’ll focus on their tactics, techniques, and procedures (TTPs) and provide a walkthrough of their attack chains.
  • Microsoft Security is proud to be a sponsor of the inaugural AI Summit at Black Hat, sharing our learnings in both AI for Security and Securing AI. We’ll also be participating in a panel discussion—Balancing Security and Innovation - Risks and Rewards in AI-Driven Cybersecurity.
  • Our Microsoft Red Team will be at Black Hat this year, holding training sessions, briefings, and panel discussions. Microsoft’s AI Red Team is one of the first dedicated groups of interdisciplinary experts in the industry to find failures and vulnerabilities in AI systems. Our newly released white paper demonstrates the impact of red teaming in practice when incorporated into the AI development life cycle.
  • Microsoft Security Response Center (MSRC) will announce at the event the annual top 100 Most Valuable Researchers (MVRs) who help protect our customers through surfacing and reporting security vulnerabilities under Coordinated Vulnerability Disclosure (CVD). Follow @msftsecresponse on X and Microsoft Security Response Center on LinkedIn for the MVR reveal on August 6th. Learn more about the Microsoft Researcher Recognition Program and how to earn financial awards through the Microsoft Bounty Program.

Microsoft will host a customer VIP Mixer and a researcher celebration to strengthen relationships and engage with the community and MISA partners. Reserve your spot for this customer happy hour. We hope to see you there!

Overall, Microsoft aims for attendees to leave with a deeper understanding of its commitment to security, the innovative use of AI, and the critical role of threat intelligence in enhancing cybersecurity measures. By integrating threat intelligence into our security strategies, we ensure a proactive stance against cyber threats, providing attendees with insights into the future of security and the importance of staying ahead in the intelligence-driven defense landscape.


Jonathan Trull
CISO

Qualys

Q1. What impact has the increasing adoption of cloud-native technologies and containerization had on vulnerability management and security assessment practices? What new challenges have they introduced?

The growth of cloud computing has evolved how companies need to measure, communicate and eliminate their cyber risk. Many cloud security incidents start with misconfigurations, meaning the scope of what enterprises need to secure and protect goes beyond vulnerabilities and is getting increasingly complex. This necessitates enhanced cloud security practices and advanced mitigation actions that can scale across a hybrid enterprise. Regretfully, many organizations leverage a fragmented approach, with separate point solutions for managing assets on-premises versus in the cloud. This approach is costly and inefficient and makes it more difficult to analyze cyber risk across the entire enterprise, thus inhibiting a swift and effective response, often at the cost of a breach.

The truth is, with most modern-day multi-cloud and hybrid infrastructures, there are simply too many vulnerabilities and misconfigurations. There aren’t enough resources or hours in the day to fix everything. The only way for businesses to be effective in bringing down their cyber risk is by looking at one’s risk holistically, knowing which issues need to be prioritized, and implementing patches and mitigations judiciously.

Cloud and containerization have added other technical and operational challenges to performing effective vulnerability management. For example, containers are built on images that are stored within either on-premises or cloud-based registries. Containers are meant to be small and self-contained and are rarely patched like a traditional server. Instead of traditional patching, most DevOps teams fix the issue in the image, build a new container, and then migrate the container into a production environment replacing the now deprecated, vulnerable container.

To adapt to this new operating model, Qualys introduced new technology that can scan images in registries before deployment, while also detecting vulnerabilities in running containers that may have been built with unauthorized images. This provides teams with the most comprehensive view of the vulnerabilities and remediation actions needed for containerized applications.

Qualys has also released scanning technologies that are geared to work in a cloud-native fashion such as our FlexScan technology. Qualys TotalCloud FlexScan is a comprehensive cloud-native assessment solution that allows organizations to combine multiple cloud scanning options for the most accurate security assessment of their cloud environment, including agent-based and agentless scanning, snapshot assessments, and appliance-based scanning.

Q2. You have advocated the need for organizations to take a more consolidated and strategic approach to risk management rather than a scattershot, tactical approach to security. What exactly does that entail? Where and how do organizations start on that journey?

At Qualys, we believe a risk-based approach to cybersecurity is the only truly effective way to de-risk the business. The biggest challenge in this is prioritization - where should you focus your efforts to have the most impact? This becomes especially important when faced with hundreds or thousands of security alerts, all of which are ‘critical’. If everything is critical, nothing is.

You need to determine: which of these issues are a serious risk to the business that must be addressed right away? Which are important but can be deprioritized or patched with automated updates? Every company is different. From the applications deployed across the business to the risk appetite and compliance requirements that you have to meet, these differences all affect your risk model and how you prioritize your actions to prevent those risks.

The first step in risk prioritization is measuring and quantifying your risk. To do so, organizations need to take into account vulnerabilities, misconfigurations, and threats - but the key layer is adding business context, such as asset criticality. By integrating the rich dimensions of asset value, threat intelligence, vulnerability state, and business impact - and quantifying these in monetary terms - you obtain an actionable risk score to prioritize the most critical issues. We call this TruRisk, Qualys’ proprietary risk scoring and quantification method. However, the same principles apply to any enterprise.

Next, it’s crucial to get executive buy-in through effective communication of what those risk scores mean and the action steps necessary to reduce the most imminent threats to the business. This involves transforming raw security telemetry into meaningful and actionable plans for practitioners and executive stakeholders.

The final, most important step is eliminating the threats you have identified and prioritized through an effective remediation and mitigation strategy. Qualys offers remediation capabilities that include traditional vulnerability patching and the ability to mitigate threats through system configurations (e.g., registry updates).

Q3. What can attendees expect from Qualys at Black Hat USA 2024? What are some of the company's objectives at the event?

At Qualys, we’re seeing more opportunities to develop solutions that consolidate cybersecurity and risk management to facilitate proactive posture management for our customers. As mentioned above, we want to help facilitate more effective risk management for companies by making it easier to measure, communicate, and eliminate their cyber risk.

Using advanced technologies like AI and machine learning allows us to get better at predicting and preventing attacks before they occur. We’re also responding to the evolving market need to secure the emerging AI and LLM technologies that enterprises are leveraging within their tool stacks.

In addition, recognizing that improving MTTR and reducing cyber risk is the shared responsibility of both IT and security organizations, another key area of focus for us this year is helping to increase IT-SecOps collaboration. Thus, we are investing in more security tooling and technologies to aid this coordinated effort. A vital piece to this will be our TruRisk Eliminate launch, which curates and packages risk elimination with patch management, mitigation, asset isolation, and virtual patching, depending on what businesses need.

Of course, we cannot discuss de-risking the modern enterprise without mentioning web application and API security. We will also introduce major updates to Qualys Web Application Scanning (WAS) and debut a new API security solution. Come meet us at our booth (#1320) at Black Hat, and let’s chat about how Qualys can help you on your risk management journey.


Rick Holland
Field CISO

ReliaQuest

Q1. Given ReliaQuest's visibility across numerous client environments, what emerging threat trends or attack vectors are you most concerned about in the next 12-18 months?

Commodity ransomware should be at the top of most organizations' threat models. If enterprises can't defend themselves against these opportunistic attacks, they cannot protect themselves against targeted attacks from sophisticated threat actors. Standard ransomware defenses like hardening external-facing assets, strong MFA coupled with automated response, and containment plays are critical to protecting against these threats. Initial containment is vital; there is no time to wait to reset passwords and isolate hosts when ransomware actors are targeting your organization.

Beyond this threat, third-party exposure will continue to be an issue, as we have seen countless times in 2024. Infostealer malware has been associated with many of this year's third-party incidents. Infostealers, like LummaC2, harvest usernames, passwords, and session cookies, which threat actors then use to gain initial access to target organizations. Threat actors can purchase a subscription to LummaC2 for as little as $250 a month, which lowers the bar for attackers. Defenders must protect the credentials and cookies of their employees and customers.

We are closely tracking threat actors' use of artificial intelligence. Our research indicates that rather than introducing sophisticated or novel attack techniques, adversarial use of AI is focused on optimizing existing techniques and lowering the barrier to entry. AI-enhanced phishing, AI-enhanced scripting, and deepfakes for social engineering are examples of areas where threat actors use AI today. The rapid development and adaptability of AI-enhanced attacks will make defenders' jobs even more challenging over the coming months and years.

Q2. How does ReliaQuest's internal security strategy inform the development and evolution of the services you offer to customers?

GreyMatter, our SaaS-based Security Operations Platform, is a foundational component of our internal security strategy. We leverage the same tool, backed by our ReliaQuest experts, that our customers use. ReliaQuest is a customer of ReliaQuest; we are customer zero. GreyMatter is a force multiplier for our internal security, enabling us to scale our prevention, detection, investigation, response, threat intelligence, and threat-hunting functions. Through our use of GreyMatter and our relationships with ReliaQuest's product and technical operations teams, we can provide direct input on the pain and opportunities that security operations teams face. We can influence the product roadmap by suggesting new features and being the first early adopters of new capabilities. We have a continuous feedback loop to ensure customers receive the desired outcome of new offerings.

ReliaQuest's internal security strategy is not just about protecting our environment; it's a blueprint for our clients' services. By leveraging GreyMatter, fostering a culture of continuous improvement, and taking a threat-informed defense, our customers get a force multiplier for their security operations that increases their visibility of threats, reduces the complexity of orchestrating their defense, and helps them manage the biggest risks to their organizations. Our commitment to internal security translates directly into the value and trust we deliver to our clients.

Q3. What are your company's main objectives and focus areas at Black Hat USA 2024? Are there specific technologies or industry trends you aim to highlight during the event?

At Black Hat, one of our key focus areas highlights how enterprises must lean forward with automation across the detection, investigation, and response spectrum. Without automated actions, defenders can't respond to the ever-challenging threat landscape fast enough. The longer we wait to contain suspicious activity, the more likely a threat actor will accomplish their objectives. Since last summer's gaming industry ransomware attacks, we have seen security leaders far more open to automated containment actions that can keep the organization out of the headlines. Organizations must make automated response decisions in advance; we can't wait to be amidst an incident to decide how to respond. When the seconds count, change control board approval is weeks away. At ReliaQuest, we work with our customers to set up automated response plays in our Security Operations Platform to reduce the blast radius of attacks.

Security operations and security monitoring are going through significant change right now. Vendor consolidation and the continued explosion of security telemetry are disrupting the space. CISOs are reconciling their security stack while future-proofing their capabilities and investments. We haven't seen this much change in the space in over a decade. CISOs are also wary of vendor lock-in, putting all their eggs into the single-vendor platform basket. Defenders want the flexibility to ingest from and integrate with disparate third-party sources. The vendor and technology-agnostic approach to our Security Operations Platform, GreyMatter, ensures that customers can still receive their desired security operations outcomes despite this change.


Joe Levy
CEO

Sophos

Q1. Sophos has transformed from a product only company to more of a managed cybersecurity services company recently. What's driving the transformation and what do you see as the biggest opportunities for growth in the years ahead?

For 99% of organizations, cybersecurity is too complex, too difficult, and changes too fast to be effectively managed on their own. Just as SaaS, PaaS, and IaaS modernized markets for software, platforms, and infrastructure by turnkeying below-the-surface elements like networking, storage, CPUs, virtualization, operating systems, applications, and perhaps most importantly, the talent required to keep them all running smoothly and efficiently, Cybersecurity as a Service (CSaaS) is modernizing the way that cybersecurity is delivered and consumed, particularly by small and midsize organizations.

And when I say, “99%,” I don’t mean that symbolically or metaphorically. If we look at the United States as one example, the Small Business Administration reports that 99.9% of businesses have 500 or fewer employees. These organizations, which make up vast portions of the literal critical infrastructure of our society, are on the wrong side of the Cybersecurity Divide: the gap separating the resource-rich, whom most cybersecurity companies, tools, and services have been designed to serve, and the remaining 99% who have been given the seemingly impossible task of adapting these often ill-fitting tools to solve a drastically different set of needs.

Cybersecurity as a Service bridges this divide through the confluence of key elements, including underlying multi-vendor platforms (primarily XDR), multi-tenant platform operators to provide the service (primarily MDR), and the channels (primarily MSP) that allow for scalable delivery to the tens of millions of organizations. Over time, Cybersecurity as a Service will increasingly hybridize products and services and will become the dominant paradigm for how cybersecurity is consumed, as a primary form among small and midsize organizations, and as an augmentation among enterprise and large enterprise organizations.

Q2. Mid-market companies have become big targets for sophisticated cyberattacks. How do you envision the evolution of cybersecurity solutions to bridge the gap between enterprise-grade security and the resource constraints of smaller organizations? What innovations or shifts in approach do you believe will be crucial in democratizing advanced cybersecurity capabilities?

One of the critical problems exacerbating the increased frequency and impact of cyberattacks on small and midsize organizations—the aforementioned 99%—is that the tools designed for use by operators in the 1% are being unscrupulously sold to those in the 99% who are typically ill-equipped to use them, whether that’s in terms of their skill level or the adequacy of their coverage. Even more insidious are the vendors who “nerf” or strip down their tools—removing important features and functionality under the guise of reduced complexity—and then market these hollowed-out versions as “small business-friendly.”

Sophos is solving this problem by applying a relentless focus on the following:

  • Adaptive Technology – All technologies are dual-use, meaning that they can be used for good or bad purposes. But in the arms race between attackers and defenders, the malicious uses of technology are advancing in ways that the average defensive technologies simply cannot match. For years, cybersecurity technologies dealt in black and white: “Is this activity benign or malicious?” This drove attackers to hide in the gray zones; in the shadows. To compete, defensive technologies need to adapt to shades of gray, adjusting security controls automatically and buying defenders—especially those with fewer resources—time to respond and eliminate the threat.
  • AI-Native Open Platforms – We’ve entered an AI and automation arms race thanks to recent big-bang advancements in large language models and generative AI. The vendors with tools and platforms that have been designed to rapidly iterate on and operationalize assistive AI, and build collaborative workflows and feedback loops between AI and human operators, are the ones who enable lesser-resourced security and IT teams to operate with the skill and efficiency previously reserved for those with the luxury of a full-scale SOC.

Q3. What are Sophos' plans at Black Hat USA 2024? What does your company plan on highlighting at the event?

Morgan Demboski and Mark Parsons of the Sophos MDR Operations team are sharing their story of how a threat hunt led to the discovery of a long-running Chinese state-sponsored cyber espionage campaign, code-named "Crimson Palace," involving three distinct threat clusters coordinating activity to maintain persistent access to the same Southeast Asian government organization. You’ll find their session titled, “Surfacing a Hydra: Unveiling a Multi-Headed Chinese State-Sponsored Campaign Against a Foreign Government,” in the Threat Hunting & Incident Response track.

Peter Mackenzie of the Sophos Incident Response team is sharing his research on the latest ransomware trends and emerging adversary techniques while sharing his firsthand experiences with formidable groups, such as LockBit, Akira, and Qilin. You’ll find Peter’s session, titled “Know the Enemy: A Defender's Real-World View on the Latest Ransomware Attack Techniques,” in the Security Operations & Incident Response track.

Sophos is also a sponsor of the CISO Summit and is hosting an evening event at the Shark Reef Aquarium at Mandalay Bay Wednesday, August 7 from 7:00-10:00 p.m. PT. Stop by our booth (#1532) for live product demos and to get your limited edition custom screen-printed shirt.


Brian Vecci
Field CTO

Varonis

Q1. What are some of the biggest challenges organizations need to address when it comes to balancing data access for productivity with robust data protection measures especially given the rising adoption of remote work and distributed teams?

Productivity is critical. Modern collaboration platforms like Microsoft 365 enable remote work and frictionless collaboration across cross-functional teams and between organizations, but unless enterprise security teams ensure proper governance and control oversharing, data will be lost, stolen or misused, especially once they start deploying LLM-based tools that can reference all that data like Copilot for M365.

But the simple fact is that attackers log in, they don’t break in. The biggest hurdle for most threat actors is getting access to a legitimate credential and logging in. Once they’re there, they’re often free to establish persistence, move laterally, and access, exfiltrate, and possibly encrypt data. When data is available to too many people, like when environments default to “failing open” in the name of productivity, it makes the job of threat actors easy. Enterprises wouldn’t leave their bank accounts open to anyone in the company; they’d make sure that only people and applications with a business need have access.

Smart companies treat their data the same way because they know that’s the target of every attack. We don’t know how a threat actor will get in—it could be through phishing a user, taking advantage of a supply chain attack, or exploiting a vulnerability or misconfiguration—but we know where they’re going: data.

Q2. What strategies can enterprises employ to effectively protect sensitive information in unstructured data across diverse storage platforms?

CISOs want to do three things:

  • Prevent data breaches and prove compliance: This is why anyone is doing anything from a security perspective. Investments in security are in service of stopping data breaches and minimizing regulatory, operational, and reputational risk. To do this, you need useful preventive controls—ensuring only the right people and applications only have access to what they need. You also need useful detective controls, and that doesn’t just mean more logs. It means monitoring data—the target of any attack—in a useful way that minimizes the time to detection and time to response for any incident. Do those things and any compromised account, device, or service won’t be able to easily access sensitive information and if anything ever does happen, it will be caught quickly.
  • Avoid efforts that require a lot of manual work: Findings don’t solve problems. Findings and alert fatigue are real. Without useful automation, the scale of the problem is too massive to solve; there’s simply too much data in too many places being used in too many different ways for an organization to have enough people to address findings. Without automation that safely addresses findings without needing humans to make every decision, the problems will never be solved. You need automation to solve the problems caused by automation.
  • Prove that the investment was worth it: CISOs want tangible results. “Here is where we started and here is where we are now.” Without useful metrics that show what data security and protection means, it’s extremely difficult to provide value. Ask yourself, “what makes me confident that I won’t have a breach this year? Or that I haven’t already had one that I don’t know about?” It’s critical to measure data security outcomes.

Q3. What specific innovations or advancements does Varonis plan to showcase at Black Hat USA 2024? What can attendees expect from your company at the event?

Varonis is the first and only data security platform that covers data on-premises and in the cloud, in files, emails, databases, cloud infrastructure and object storage in Amazon, Microsoft, and Google’s clouds, and SaaS platforms like Salesforce. The pace of innovation in the last two years has been breakneck, and nobody offers the breadth of visibility, depth of automation, and the world’s first Managed Data Detection and Response service. We’re excited to highlight all of the data stores and applications we now support, the automation we can bring to reach security outcomes quickly, and a vision for unified data security that will help more companies stay safe in a world where everyone wants to get their data.
