Q: Raytheon Foreground offers a unique cyber-monitoring and threat hunting service. What exactly is a threat hunting service and how is it different from traditional enterprise security models? What's driving demand?
David Amsler: A threat hunting service is an evolution of the traditional reactive model that has required people to respond to the outputs of products. A threat hunting service does exactly the opposite, concentrating on visibility—[of] packets, host EDR and logs—instead of tools. Rather, using the tools to see activity and look for behaviors in order to find advanced attacks that are evading today's products. This means searching through data with custom tools, consolidated intelligence and human ingenuity. The demand is being driven because once all of the normal security controls and piles of tools are implemented they are not stopping these advanced [threats]. Enterprises are feeling that pain as we see breach after breach and they want to reduce the dwell time and leakage of their intellectual property.
Q: Does threat hunting involve the use of any new tools, processes or methodologies? Do you see it as complementing the cyber kill chain model or replacing it?
Amsler: Threat hunting generally leverages a blend of new and traditional tools but does not require new tools to get started. If you have a SIEM or NSM system collecting and monitoring your network, a hunter can often use that infrastructure to implement and look for threats. The processes and methodologies on the other hand are something special and not everyone has what it takes to be a hunter. You have to be able to question normal activity and actions as well as identify patterns that look odd. You also have to know how to use intelligence in new ways to find threats that may only be caught [by] one provider or combination of providers. The cyber kill chain is often misconstrued as something more than a mechanism for measuring detection and other activities in the cyber incident timeline. By contrast, threat hunting is a detection activity aimed at identifying previously unknown, or known, threats earlier in the timeline.
Q: What does the Raytheon acquisition mean for Foreground's customers? At the same time what value-add does it bring for Raytheon's customers?
Amsler: RFS is an autonomous business unit within the Cyber Security & Special Mission division within Raytheon. This allows us to operate as a more commercial organization meeting the ever-changing needs of our commercial and international customers and attracting the best talent in the industry by keeping our very unique and cyber centric culture. However, we also have complete reach back to Raytheon—a $24 billion dollar company—with significant investment, R&D, and global reach. Today we are already benefitting from those capabilities by starting to integrate R&D capabilities found within Raytheon centered around Behavior Analytics, Big Data Analytics, autonomous and automated vulnerability management systems, open source intelligence automation, insider threat capabilities and many more. We are also quickly capitalizing on the global reach of Raytheon and its customer base by opening new offices and capabilities in new regions within EMEA and supporting nation state scale Security Operation designs and implementations.
Q: There appears to be growing interest in the use of microsegmentation as a way to mitigate threats on modern, agile infrastructures. The CloudPassage Halo product offers this capability. What exactly is microsegmentation? Why should enterprises be considering it?
Robert Thomas: Today's data center is dynamic and elastic. This modern IT infrastructure--which leverages virtualization, containers and cloud--allows workloads to be added and retired dynamically, residing in any location and commonly using distributed, shared resources. This puts a huge strain on security teams, making change control challenging. Maintaining granular firewall rules and security policies can become a time consuming process. In addition, a dynamic and elastic infrastructure also means flatter networks and an increase in east-west traffic, which makes it difficult to detect malicious traffic inside the network.
Perimeter and network security tools leave blind spots and miss a significant percentage of threats in the dynamic infrastructure. In addition, traditional endpoint security tools scale poorly in modern infrastructure.
Microsegmentation describes a strategy where security teams can create policies or rules around which servers can talk to other servers in your data center or private cloud. Controlling east-west network traffic this way reduces the available attack surface. This gives security teams the ability to ensure server/workload integrity as they grow infrastructure.
Q: What does instant visibility really mean in the cloud context? Why has it remained so difficult to enable?
Thomas: Every enterprise is in the middle of a massive transformation to agile IT delivery models that involve automation, shared resources, high rates of change and mixed infrastructure. Maintaining visibility in this environment can be challenging, especially when workloads and containers are provisioned and terminated in minutes or hours. Traditional security tools simply don't work well in these environments because they aren't agile enough, require lots of manual change control, don't scale and don't automatically deploy as systems spin up.
Instant visibility in the cloud means to have real-time visibility into every workload/instance from the point of creation, including what OS and applications are running, identifying potential vulnerabilities, server configuration errors and indicators of compromise. Instant visibility ensures protection at a granular, workload-level, which can protect against the stealthy attacks in a world where the threat landscape is becoming increasingly complex.
Q: CloudPassage recently did a survey on cybersecurity education in US universities. What was the main takeaway from the report?
Thomas: In our study, we looked specifically at undergraduate computer science programs and found that cybersecurity isn't a core requirement for many of our nation's top computer science degree programs. That fact is, all computer science engineers need a security mindset and skillset as they enter the workforce. Even if they're not entering a security-specific field of work, our engineers, programmers, and coders must have a strong understanding of security so that they're armed with the skills they need to bake security into everything they create from inception.
While I wasn't surprised at our findings, the overwhelming feedback from students, universities, government professionals and security experts has been great. It's encouraging to see the conversation taking shape and gives me assurance that we'll soon see progress in shaping education to meet this growing national need.
Q: What specific enterprise security issue does Tripwire's new Axon data collection platform address and how? What's driving the need for such technologies?
Gus Malezis: Today, organizations deploy an ever-increasing multitude of agents on critical infrastructure and user devices, attempting to align data collection and security capabilities with asset criticality. The growth of cybercrime and nation-state cyberattacks, coupled with the proliferation of valuable business data across the extended enterprise and the increase in the number of IoT devices on corporate networks, is driving the need for a richer and more timely—and real-time—collection of system state intelligence data. This need for more, better, faster system state intelligence data is best answered not with the loading up of more agents, but instead a new, scalable and modular solution is required.
To collect the data required to protect the expanding number of widely dispersed physical, virtual, transient and embedded assets, organizations need a modular solution that is easy to manage and deploy. They also need to be able to extract endpoint intelligence from every endpoint. This is what AXON uniquely delivers in the market.
Q: A recent Tripwire sponsored study shows that energy organizations are experiencing a disproportionately large increase in cyberattacks lately. What makes these organizations so vulnerable?
Malezis: Energy organizations face unique challenges in protecting industrial control systems and SCADA assets. Energy operational technology teams are focused on reliability and safety and have only recently had to worry about cybersecurity since most of these networks have only recently been connected to the Internet. In addition, most of the IT security solutions don't work for ICS environments. Often they create issues with reliability and availability.
Q: What has Tripwire's acquisition by Belden meant for your enterprise customers? How have they benefited from it?
Malezis: We've been able to successfully take advantage of key market opportunities in a variety of markets in 2015, and we expect this momentum to continue. Belden has been supportive of our continuing deep investments in technology innovation, customer relationships, channel and third party vendor partnerships, and aligning our solutions for optimum delivery.
