Q: You recently blogged about the importance for enterprises to find ways to reduce the time that attackers spend undetected on their networks. What are the biggest challenges that enterprises face in reducing dwell-time?
What really stands in the way of most enterprises reducing or eliminating dwell-time is resources. Most organizations tell us that they want to move to a proactive model where they can reduce dwell time by empowering their best and brightest to hunt for threats, but they simply don't have the resources to do it. All too often, those teams are bogged down by nuisance malware, or wading through alerts and handling false positives. This ends up consuming all of their time, so they never get around to proactive threat hunting. CrowdStrike solves this by delivering better endpoint security with Falcon Endpoint Protection and by offering proactive threat hunting as a service from its OverWatch team.
Q: What's driving demand for threat hunting services, both managed and in-house? How does threat hunting help an organization improve its overall security posture?
What's driving the demand is broad recognition of the problem. Security professionals, as a whole, now understand that sophisticated and stealthy attacks are the new normal. Gone are the days when defending against advanced attack techniques was the sole province of large corporations and government entities. We see evidence of this in industry reports that show organizations of all sizes get breached, and when they do the attacker goes unseen for an average of 229 days. Since traditional defenses are failing to both stop the attacker and alert you to the attacker presence, it is pretty clear that we need a new solution. Threat hunting is that new solution. It improves overall security posture by immediately identifying post-exploitation threat activity, which then enables you to handle the security incident before it escalates into a full blown breach.
Q3: What is CrowdStrike's main focus at Black Hat USA 2017? What can attendees expect from your presence at the event?
This year, Black Hat is all about Threat Intelligence fo CrowdStrike. In the same way that we have changed the game for endpoint security with our Falcon Endpoint Protection Platform, we will change the game for Cyber Threat Intelligence professionals with the new threat intelligence solutions that we're launching at Black Hat USA 2017.
Q: Why have machine learning and AI because so critical to endpoint protection? What is it about the nature of endpoint threats these days that necessitates these capabilities?
Artificial intelligence (AI) and machine learning (ML) are imperative to counter modern threats on the endpoint because the threat actors have based their entire model around a reactive defense. They have a very small cost of changing threats to bypass existing defenses, versus a high cost for all of the defenders to react. By shifting towards a predictive and hence, proactive defense, we shorten the time to handle a new attack to zero, and bring the costs and timeframes back to favoring the defenders. AI and ML, when applied correctly, move us past reacting faster and towards true prevention.
Q: What did WannaCry teach us about the state of end point security? What, if anything, should enterprises be taking away from it?
Wannacry in many ways reignited a flame that had smoldered for a long time. Worms used to be common, but had nearly died out as a common threat. The combination of exploitation as a spread vector and a replicating, destructive payload harkens back to worms such as Conficker and Code Red. Rapid spread paired with persistent threat creates a unique challenge for defenders. It highlighted the failings of reactive defenses in a starkly visible way. Ransomware has already been showing this an instance at a time, but the worm nature and high profile of Wannacry drove home the point that not stopping threats when they happen has immensely negative effects. While it might seem like a good idea to reduce an attackers' dwell time from months to weeks or days, Wannacry showed clearly that if you give them seconds, you could be compromised by ransomware.
Q: Cylance is a Platinum Plus sponsor of Black Hat USA 2017. At the event last year, Cylance scientists presented sessions on machine learning and reverse engineering. What can attendees expect from your company this year?
Attackers are continuously changing their threats, and the level of sophistication required keeps coming down as more threats become commoditized. Cylance will be showing some of the underbelly of the crimeware areas and digging deeper into some of the threats that have affected us all over the past year, along with actionable activities to help counter these threats. Additionally, we have a presentation on some of the more advanced techniques around hacking and defense in firmware, and our data scientists will be around to discuss advances in AI and ML across the security space.
Q: Talk to us about DarkMatter's recently launched Trusted Transparency Programme. How will it help your enterprise customers and what specific security issue does it help address?
The Trusted Transparency Programme is borne of the requirement for assurances to be offered to users of digital infrastructure that their systems, devices, and platforms are free from backdoors and hidden malware.
The programme was initiated out of DarkMatter's belief that the technology ecosystem needs to evolve its outlook to embrace more rigorous vetting of platforms, infrastructure, and operating systems to remove vulnerabilities.
The firm's programme is based on two primary facets—Trusted Transparency and XEN1TH Labs.
The Trusted Transparency Programme stands as a call to action for the technology industry given the firm's deeply held belief that the current cyber security model needs modification. Cyber criminals, with varying degrees of sophistication, are finding vulnerabilities and new opportunities to compromise IT systems with relative ease. Part of the issue arises as a result of software and hardware that governments and businesses use not always having been adequately vetted or lagging behind the capability of modern-day hackers.
DarkMatter's Trusted Transparency Programme will be available to approved entities and the review will be confidential between the customer and DarkMatter. For maximum security, the review will be conducted as the final stage of the procurement process. The review will be undertaken in a clean room environment with appropriate controls that allow for full open review while protecting DarkMatter intellectual property.
Q: What do enterprises need to understand about turning compliance into a risk-mitigation tool? How does Dark Matter's GRC services help ensure that compliance is not simply a check-the-box exercise for enterprises?
This is exactly the point, enterprises need to appreciate that compliance is far more than just a box-ticking exercise, and if implemented effectively, can form the backbone of a robust risk mitigation programme.
Given this central importance of compliance in building cyber resilience, DarkMatter has devised a Cyber Scorecard, which has identified six key areas related to IT systems cyber security for enterprises, and which if properly developed and managed, have the potential to drastically reduce the likelihood or the impact of a cyber incident.
The six KPIs on DarkMatter's Cyber Scorecard relate to the following areas: Access control; Risk management; Architecture and design; Disaster Recover/Business Continuity Planning; Security operations; Communications securityp>
Q: DarkMatter offers a pretty wide portfolio of products and services. What areas do you plan to focus on at Black Hat USA 2017 and why?
This is the second consecutive year that DarkMatter will have a significant presence at Black Hat, and this year we are looking to frame our conversations and interactions around Cyber Advisory Services that consider a holistic view of the cyber risk posture facing entities and a scorecard to track progress in defending against them. We'll also be showcasing products such as KATIM, our secure communications portfolio, which further raises the bar on end-to-end cyber security.
Our intention to focus on these areas is based on our mission to provide cyber-security to digital systems end-to-end, and to ensure entities establish a pro-active stance towards keeping their digital environments protected from breach. Hence, our initiatives, product development, and research and development efforts are all geared towards raising cyber security to a state of cyber resilience, which incorporates planning; prevention; detection and protection; and response to cyber incidents in digital environments.
Q: Leidos was recently selected as the prime contractor for providing cybersecurity and threat mitigation services to the Department of Homeland Security's NextGen Security Operations Center. Tell us a little bit about how you are using those same capabilities to help other enterprises evolve their security operations.
We are very excited to be selected by DHS to provide those services – we'd like to think it's a testament to our heritage and proven success conducting the cybersecurity mission for both government and commercial customers. To be honest, it's not so much a flow down from the government arena to the commercial side as it is a true bi-directional partnership. Both sides can—and do—learn from each other and draw on our shared Leidos experience to advance the overall state of cybersecurity.
Defending an enterprise, whether it falls under .GOV or .COM, takes a successful integration of people, process, and technology. The methodology we apply to the mission and the skillsets we bring to the table for both DHS and our commercial clients have evolved and been proven over time in the heat of the battle. We are in a unique position to leverage the tactics and techniques we have developed to meet the needs of one particular market, and then apply them to the other side as well.
One great example of this is our Arena ATM capability, which was first developed to support internal network defense operations, then simultaneously adapted for and rolled out to the government and commercial markets in slightly different flavors. All that said, there are reasons we maintain expertise in both markets – what works in one doesn't necessarily work in the other. For example, procurement and contracting operations operate differently, and hiring/staffing/workplace-logistics are often more flexible and or internationally dispersed in the commercial environments.
Q: Leidos has positioned its Managed Detection and Response service as capable of helping enterprises turn incident response into incident prevention. How do you help them do that?
Great question, and as a former network defender, the answer is near and dear to my heart. At the risk of oversimplification, I like to think of successful network defense as a marriage of four necessary components that build on each other. For any given threat, I have to first be able to see it, then I need to be able to understand it, then I can detect it, then I can finally stop it. It's usually the middle two that get all the press – analytics and capabilities are fun to talk about, and admittedly they make for great marketing material.
Visibility and controls though, are two of the most foundational elements that often get overlooked- and frankly these components provide some of the greatest return on investment to a cybersecurity organization.
Our Managed Detection and Response (MDR) solution is first built on the foundation of full enterprise visibility. We construct this picture through a custom combination of network sensors, host-based capabilities, and traditional enterprise data sets – and couple this with experienced analysts who know how to leverage the information to find and detect threats. We want to be able to answer all the questions to paint a complete picture. What is going on now, what happened, when did it start, and how did it occur—just to pick a few. The last step, and one that I would argue is the objective of any real network defender – is to prevent the incident in the first place. The ability to take lessons learned from a prior event or newly ingested threat intelligence and turn that information into active and effective mitigations is the key to successful network defense. We consider the "R" portion of MDR to be a key cog of our daily operations – it's not just the mad scramble that happens after an incident. Effective mitigations and detections are at the core of our methodology; our aim is to work smarter, not harder, and to focus our efforts and our customer's attention on those high priority events that truly matter.
Q: Leidos is a Platinum Sponsor of Black Hat USA 2017. What do you want attendees to learn about your company at the event?
At Leidos Cyber, we are Defenders first and foremost. While defending cyber interests globally for over a decade, we've developed a skilled team of defenders, advanced capabilities and a proven framework to protect what matters most to organizations.
We believe that successful cyber programs require great people with "Defender DNA." Facing the challenges posed by sophisticated cyber threats takes more than technology. It takes people. People with skills and innate qualities to outpace today's evolving threat landscape. We call these qualities "Defender DNA." Our practitioners take the mission to heart and thrive on opportunities to solve hard problems associated with defending an enterprise.
We strive to be a life-long partner to our clients rather than a point-in-time technology provider. We are committed to the long-term evolution of our clients, building upon a strong foundation and maturing capabilities to meet their challenges as the cyber threat landscape evolves over time. Our goal is to keep our clients ahead of the adversary and we do this by ensuring a strong and mature cybersecurity posture through technology, processes and most importantly, the right people.
Q: Paul, companies with a defense background, such as Raytheon, often have a hard time parlaying their experience into commercial cyber security products and services. How is Raytheon different?
That's absolutely true. Many of our peers have ventured into the commercial space and have gone back to their defense roots. Much about the commercial market is different, but the clients have many similar needs and pain points: lack of cyber expertise, fear of a security breach/loss of data, cost savings, requirement for expanded coverage (24/7) or compliance. I don't see us as at a disadvantage to our commercial competitors. Raytheon has extensive, successful experience in commercial markets, here in the United States and internationally. Our clients just happen to benefit from having a $25B company behind them as well. And with the cybersecurity incidents on the rise many commercial clients are seeking out defense grade cybersecurity. They see that we are truly committed to the commercial cybersecurity services markets. Raytheon has spent over $3B on acquisitions and intellectual property focused on commercial cybersecurity. We have also made large investments like competing in DARPA Grand Challenge to develop automated network defense capabilities. The results we're delivering to our clients, shows that those effort and investments are paying off.
Q: Joshua, what exactly does it take for an organization to move from a reactive cybersecurity posture to a more proactive one? How is Raytheon helping companies do this?
The primary ingredient to successfully moving from reactive to proactive cyber security is the people: resources that understand the business challenges to perform appropriate assessments of risk impact; that have the ability to respond quickly based on high value targets and proactively hunt for threats based on the business case and understanding of the threats coupled with the technology that it will take to detect and thwart would be attackers. It's expected that $120B will be spent on cyber security this year, yet we had one million cyber security job openings in 2016. That is a lot of spend on technology and support by enterprises struggling to find resources with the knowledge of their attackers and security companies knowing very little about the business their clients do day to day. At Raytheon Cyber, we pride ourselves in not only hiring the right people, but ensuring we get our clients the right technology and understand their business while we perform assessments, digital forensics and incident response, and proactive threat hunting. Very few in the market today provide this collaborative approach, but it is a key factor in how we have been successfully dealing with sophisticated threats for the last 10 years for both commercial enterprises and government agencies.
Q: Paul, in your first answer you mentioned delivering results. What results is Raytheon Cyber delivering and how do you measure results for your clients?
Appreciate the follow-up question. The key metric that Raytheon uses to measure success in securing our own enterprise environments is dwell time. Dwell time is the mean time to detect an intrusion plus the mean time to remediate an intrusion. The industry average for detecting an intrusion is approximately 220 days. That's a significant amount of time for an intruder to operate undetected in your enterprise. Imagine the havoc that they can wreak in 220 days. I am very proud that the Raytheon Cyber team averages less than 3 days for our clients. I am also happy to share that during the recent WannaCry attacks, none of our clients suffered an exploit due to our rapid threat alerting system and remediation. Raytheon Cyber achieves these results by delivering three types of services: Cybersecurity Assessments; Digital Forensics and Incident Response (DFIR); and our Advanced Threat Hunting-based managed security service called V-SOC. Many of our clients begin with an Assessment of current security or a DFIR engagement and come back for the enhanced security and low dwell time that the V-SOC service provides. And we highly recommend a DFIR retainer before the next attack occurs, so that your enterprise security team has a lifeline of support. When the next attack occurs, it may be too late to start looking for the help your team needs.
Q: Joshua, what is Raytheon Cyber's main focus and theme going to be at Black Hat USA 2017, and why?
That is a great question and quite simply put, our theme is "Shift the Burden". In particular, we want our clients to know that they have an option in expertise, technology and proven processes to shift the burden of protecting their enterprises to Raytheon Cyber. In turn, we will shift the burden to the attackers in making them work harder for every piece of cyber real estate they try and lay claims. Ultimately, we will reduce our clients' dwell-time, frustrate the adversary, and provide the primary ingredient every enterprise needs, talented and experienced cyber security professionals.
