Q: What is the difference between a unified security management platform and a traditional security information and event management (SIEM) tool? Do USM tools extend and build on SIEM, or do they replace it?
Patrick Bedwell: A unified security management (USM) platform is an all-in-one security product that unifies a wide range of security technologies. Customers deploy USM platforms to reduce the complexity and cost of deploying and managing those tools individually, and the data those tools generate. Similar in concept to a Next Generation Firewall (NGFW) or Unified Threat Management (UTM) device, a USM is a single product that can perform multiple security functions.
The AlienVault USM platform includes five core capabilities: Asset Discovery, Vulnerability Assessment, Intrusion Detection, Behavioral Monitoring, and SIEM. Customers can utilize an extensive list of plugins to incorporate security data from their existing tools into the correlation process, to maximize security visibility and threat detection. Customers deploy USM in place of SIEMs when they have limited resources to dedicate to security.
Traditional SIEM products, on the other hand, are complex tools that focus on managing and analyzing security event data--they do not include the data sources to generate the data themselves. The SIEM customer must deploy and integrate the data from those devices individually. SIEM tools also do not include an extensive library of correlation rules or other threat intelligence elements—users must create their own rules and develop threat intelligence themselves, or contract with another vendor to supply them.
Q: Why is threat intelligence sharing critical to enterprise security? How does it really help organizations bolster their defenses against existing and emerging threats?
Bedwell: Before I answer the question on sharing, I want to explain what threat intelligence is to us. Threat intelligence is information about malicious actors, their tools, infrastructure and methods. It is critical to IT teams of any size because it enables them to detect, prioritize and respond to threats faster and more effectively.
Creating actionable threat intelligence involves research into the tools, actions, and infrastructure of attackers. The objective is to construct a list of the indicators of compromise related to any particular threat, such as IP addresses, domains, malware analysis, and actor profiling. However, few organizations have the time, technology, or security staff to stay on top of a constantly changing threat landscape.
Threat sharing, therefore, enables IT teams with limited resources to benefit from others' analysis and expertise to reduce the effectiveness of the threats we all face. By working together on threats and their indicators of compromise, the security community makes everyone stronger.
Q: The results of a survey conducted by Alien Vault at Black Hat 2015 showed that a majority of organizations rely on their own detection processes for threat intelligence. What would your advice be to such organizations? Would you expect the result to be different if you were to conduct the same survey at Black Hat this year?
Bedwell: My advice to organizations relying on their own detection processes for threat intelligence would to take advantage of free sources of threat intelligence, to expand the information your team has access to. There are several options that will help you increase visibility without having to increase spending, and they will complement the tools and processes you already have in place.
For example, AlienVault Open Threat Exchange (OTX) is an open threat intelligence community that enables collaborative defense with open access, collaborative research, integration with AlienVault USM and OSSIM products, as well as ability to export indicators of compromise (IOCs) to almost any security product. OTX provides open access for all, allowing you to collaborate with the community of threat researchers and security professionals, accelerating the distribution of the latest threat data and automating the process of updating your security infrastructure.
Yes, I would expect greater adoption of threat intel from crowd-sourced/open source, as well as paid subscription services, to increase over the 2015 levels. I believe more organizations are turning to these sources to supplement what they can do internally.
For example, the OTX community has well over 37,000 participants contributing threat data. At BlackHat 2015 in Las Vegas, we announced a major update to the OTX platform that significantly increased its collaborative capabilities. Since that announcement, over 10,000 people have signed up to use OTX and collaborate with the community. There are more than 37,000 participants in 140 countries contributing millions of threat indicators daily, giving everyone in the OTX community global visibility of emerging threats.
Q: Carbon Black is a big proponent of organizations adopting threat hunting as a culture. What does that involve? What exactly does it take from a technology and process standpoint to move from a mostly defensive and reactive security posture to one that is more proactive and aggressive?
Ben Johnson: This is a fundamental issue in security today. Threat hunting involves humans and data. Conceptually, it's very simple, but "hunting" is a widely used term and can require a lot of skills. Twenty or 30 years ago, detection and threat discovery were largely "human" issues. At some point we pivoted and started relying solely on technology to do our detection. That's not inherently a bad thing but it suffers from the deploy-and-decay syndrome where technology is deployed and, over time, gets worse because it doesn't get the care-and-feeding. "Set-and-forget" just doesn't keep up with the organic environments we have today.
Now, cyber defenses have swung back to requiring a technology to automate alerting, but people still have to go looking for evil, often pulling together different sets of information and intelligence to paint a clearer picture of what's actually occurring in their environment. No system, even with many tools, will have 100 percent detection. So, that gap between where technology and alerting ends and perfection is where humans must play. Go find what's being missed. Go find the suspicious or risky activity that isn't yet malicious but will soon lead to compromise. Get ahead of the game and have a better posture overall.
In order to free up your humans to have the time to go "find evil," you must focus on integration, automation, and orchestration of your existing products. Concepts like APIs, playbooks, and looking at your workflow to see where you can apply more computational power are all huge areas of focus for today's leading cyber defense teams.
Q: What specific gaps in traditional endpoint security products do next generation endpoint products such as those from Carbon Black address?
Johnson: The two most fundamental concepts missing from endpoint security have been visibility and the ability to take action. Why is IR expensive? Because scope and root-cause are really hard to identify without the proper data. Is this patient zero or patient twenty? These questions consume too much time with traditional approaches, both in endpoint security and in digital forensics. So, the tide is shifting to visibility. From here, taking action – isolating an infected host, killing a malicious process, or gathering additional evidence for a deep-dive investigation – is critical for modern cyber defense teams to stop the bleeding.
Beyond this, attempting to get to a more positive security model – either for prevention or detection, is key. The more you can define what expected or "baseline" behavior is, the better you can identify (or block) the anomalies. Insider threat is real, and insiders might use no malware or new binaries. The outsiders also are gunning for legitimate user-credentials, so they become insiders. This happens time and time again. Even ransomware is now logging into remote RDP systems via brute-forcing passwords and then using PowerShell, so relying solely on the ability to look for malicious binaries is flawed.
The final aspect we should mention is the ability to integrate and automate. With third party contractors, suppliers, and roaming employees, there is no perimeter anymore. That means the defense between the attackers and access to your systems is whatever protections you have installed on your hosts – your employee systems. Next-Generation Endpoint Security is a keystone of modern cyber defense programs.
Q: Why is it important for Carbon Black to be at Black Hat? What's your message to customers, partners and industry analysts at the show?
Johnson: We are very invested in uniting the security community via collective defense. We believe in concepts such as herd immunity and sharing best practices. Let's be very open, very communal in our approach to cyber defense. We cannot win the cyber war without collaboration. Black Hat empowers all security professionals to further educate, connect with, and learn from partners, customers, and prospects.
Q: How exactly is cloud DLP different from on-premise data leak prevention practices?
Ken Levine: Actually our Cloud DLP isn't a delivery model, it's a product we offer that protects our customers' sensitive data as it moves to and from the cloud. We offer several types of data leak prevention technologies, including Cloud DLP, Network DLP, Endpoint DLP and Discovery DLP, which all protect data in their own unique way. These are all offered either on-premises or as a managed security program (outsourced to Digital Guardian experts). Our product, Digital Guardian for Cloud Data Loss Prevention, integrates with leading cloud storage providers such as Box, Citrix and Microsoft to extend DLP policies to the cloud.
This solution accurately discovers sensitive data in cloud storage and continuously audits files that have been uploaded. It automatically remediates according to enterprise policies And instantly alerts the appropriate administrator and data owner when protected data has been identified and the actions taken.
Q: Digital Guardian recently acquired Code Green Networks. How will your customers benefit from the acquisition? What does Code Green bring to the table?
Levine: Organizations need a way to monitor and control network communications to prevent confidential information from leaving the network. While this can be accomplished with the existing Digital Guardian for Endpoint Data Loss Prevention (eDLP) solution, many companies prefer to start with network-based DLP (nDLP) solutions as they are easier to deploy and maintain. We wanted to be able to have the flexibility to offer our customers both network DLP as well as endpoint DLP (eDLP) based on their specific use cases. Code Green Networks also offered a cloud data protection offering, which was extremely complementary to our existing portfolio.
With the acquisition, Digital Guardian became the only security company exclusively focused on protecting customers' most valuable data at the endpoint, on the network and in the cloud from both insider threats and external attacks. The combination of Digital Guardian and Code Green Networks will ultimately provide organizations with one data protection policy administered by a single management console and enforced regardless of where the data is located or how it is accessed.
More specifically, the acquisition provides Optiv clients with greater benefits through improved access to resources, capabilities and solutions, including:
Q: It's going to be two years since Verdasys rebranded itself as Digital Guardian at Black Hat USA 2014. How has your market segment evolved since then? What are the biggest drivers of demand for security technologies such as those sold by Digital Guardian?
Levine: We have seen a significant resurgence in the demand for data loss prevention over the past two years, and this only appetite only continues to grow. There are a few factors we believe driving this:
Q: The overall design approach for your next generation firewalls are based on something your company describes as Single-Pass Architecture. What is that and how does it benefit your customers?
Rick Howard: With traditional integration approaches, the base firewall functions are capable of performing at high throughput and low latency. But when the added security functions are enabled, performance decreases while latency increases.
Our Single-Pass Architecture addresses this challenge with a unique single-pass approach to packet processing. A common decoding engine picks apart an application stream to determine what the different pieces are, and the content is scanned only once for files, data, threats, and URLs. This results in the following benefits:
Q: Why do organizations need to be thinking about and planning for attacks from a cyber kill chain perspective?
Howard: Today much of the security industry has abandoned the idea of prevention, instead relying on legacy detection devices and manual response to find adversaries after the damage has already been done. Unfortunately, as our world becomes more digital, the trust we place in our networked infrastructure to run our power, financial system, and day-to-day lives is continually eroded by this fatalistic view. Starting with a prevention mindset is the only way to raise the cost for attackers and either drive them to a different target or stop them completely. While attackers get faster and more innovative every day, we can use this prevention mindset to find opportunities to slow or halt their progress by planning our defenses along their attack kill chain.
Q: What topic do you expect will dominate the security conversation at Black Hat USA this year? What do you want attendees at the event to know about Palo Alto Networks' approach to addressing the fast evolving threat landscape.
Howard: In the year since we last gathered together, we have seen an explosion in crimeware, specifically the rise of ransomware. Adversaries have realized what a lucrative criminal business model encrypting and holding sensitive files for ransom has become. A trio of factors have led to this, including a drop in the value of stolen records, reliable encryption and decryption, as well as an explosion in the number of ransomware variants available. The threat crosses the boundary between individuals, business, across every vertical and region— and we expect it to garner the lions share of attention at Black Hat.
Palo Alto Networks is making prevention real, with a fundamentally different approach than legacy "detect and response" methodologies, which typically consistent of an array or poorly coordinated security devices from multiple providers. Through our next-generation security platform, we have natively brought together best-in-class security protection for the full spectrum of threats across the attack lifecycle. We do this with unified security and management across the network, cloud and endpoint, to protect your business wherever it exists. The platform gains leverage from globally shared threat intelligence, with new protections automatically created and enforced, for even the most advanced attacks. Taken together, Palo Alto Networks is simplifying security workflows, with both automation and the ability to make threat intelligence actionable for analysis, hunting and forensics.
