Interviews | July 15, 2024

Human-AI Collaboration Can Deliver Significant Security Benefits


Darktrace | Security Blue Team | Tenable | Vectra | ZeroFox

Max Heinemeyer
Chief Product Officer

Darktrace

Q1. What new features and capabilities has Darktrace integrated into its recently launched ActiveAI Security Platform? In what way does it help organizations improve their overall security posture?

The rise of automation and cybercrime-as-a-service is increasing the speed, sophistication, and success of cyber-attacks. Multi-stage and multi-domain attacks are now widely used by adversaries, who take advantage of a lack of visibility and siloes to move undetected between systems. AI is already beginning to amplify these threats and increasing the challenge of cybersecurity for organizations globally. In fact, our latest research found that 74% of security professionals believe AI-augmented cyber threats are already having a significant impact on their organization, yet 60% believe they are currently unprepared to defend against these attacks. We introduced the Darktrace ActiveAI Security Platform to help organizations increase their readiness for this next phase of threats and to help security teams use AI effectively to transform security operations from a reactive to a proactive state.

Before I share an overview of what we launched this spring, I think it’s important to share what hasn’t changed. At the heart of the platform is our unique AI engine. Darktrace applies multiple types of AI directly to the data of each business to continuously learn an organization’s unique operations to understand what is normal and what is not. As our approach doesn't rely on existing threat data, our AI detects known, unknown, and novel threats in real-time and can provide an autonomous response to contain threats without disrupting business operations.

The platform includes our core detection and autonomous response capabilities as well as our pre-breach prevention, attack simulation and recovery capabilities in a single, holistic solution with a common AI architecture. The new innovations we’ve released within the platform provide more complete visibility across the enterprise and help illuminate any security gaps. Our goal is to help free up security teams so they can focus on more strategic tasks. Some of the new features that I’m most excited about include:

  • Darktrace Cyber AI Analyst, our unique investigative AI, operates across the platform and now provides more explainable, automated, and customizable investigations for all alerts – even those not escalated to an incident.
  • Enhancements to Darktrace/Email use AI to stop early-stage phishing, spot early symptoms of account compromise across a broader range of communications and increase SOC efficiency.
  • New features in Darktrace/OT provide the most realistic evaluation and prioritization of OT risk, helping teams understand where their time will have the most impact.

We designed the Darktrace ActiveAI Security Platform to bring machine speed and scale to some of the most time-intensive, error-prone, and psychologically draining components of cybersecurity, helping humans focus on the value-added work that only they can provide. By freeing up resources for more strategic tasks, organizations can focus on not only improving overall security posture but building overall cyber resilience. I am inspired by the impact we’ve already seen on our customers, who are saving time with our autonomous detection, response, and investigation, allowing their teams to focus resources on proactively reducing cyber risk and incident preparation training.

Q2. What are some of the challenges and considerations that organizations need to keep in mind when integrating AI into existing security operations and processes? How does Darktrace's approach help in this regard?

For more than a decade, Darktrace has applied AI to transform security operations (SecOps) for thousands of customers. We’ve seen first-hand the many benefits that an effective human-AI collaboration can have on business operations. However, organizations must understand that not all AI is created equal, and it is critical to use the right types of AI, trained on the right data and applied to the right security problems.

There are a number of questions organizations should consider when looking to implement AI into their existing SecOps and processes: What are the strengths and limitations of this specific approach? Is the model pre-trained on a set of data or is it continually learning? If the data is pre-trained, how often does the vendor retrain or update it? What measures have been put in place to ensure that data is private and secure, as well as what measures have been put in place to prevent bias and data poisoning?

In addition to this, organizations must understand if the AI – or any automation – is effectively augmenting and/or transforming SecOps processes to uplift their teams. Our own Cyber AI Analyst is a good example of this – it uses AI trained to mirror how human security analysts conduct investigations and automatically investigates every alert to completion. This frees up significant resources in the SecOps process to spend on higher-impact tasks than alert triage.

It’s worth remembering that AI isn’t a silver bullet that will automatically improve SecOps – the right combination of people, processes and technology is required to create an impactful partnership. Organizations must consider how AI impacts processes and people, and what needs to be adjusted to ensure the best results. For example, our AI can help lower the barrier to entry for common SecOps tasks, like threat detection and response, allowing a small, less skilled security team to do the job of a bigger, much higher-skilled security team with Darktrace's ActiveAI Security Platform augmenting it.

Q3. What insights and innovations does Darktrace plan to highlight at Black Hat USA 2024? What do you hope customers and other organizations will take away about Darktrace from the event?

At Black Hat USA 2024, AI will undoubtedly be the hot topic of conversation. However, according to our latest research, only 26% of security professionals report a full understanding of the different types of AI in use within security products. As organizations increasingly look to implement AI, we look forward to helping demystify AI and its use cases in cyber for our customers using our learnings from over a decade of applying AI to the challenge of cybersecurity.

Black Hat is also a great opportunity for the community to share key insights on the evolving threat landscape, and we’re looking forward to being a part of that dialogue. We are already seeing signs of how AI, cybercrime-as-a-service and other emerging technologies are impacting the threat landscape. There has never been a more important time for these discussions, with more people going to the polls globally this year than ever before, the 2024 Paris Olympics convening millions of people, and important discussions on AI safety and security happening around the world.

We hope our customers and others leave Black Hat understanding why moving from a reactive to proactive stance is critical for defenders to stay one step ahead. This, however, is often easier said than done so we hope to help customers understand what AI can do – as well as what it can’t do – and identify how that fits into their overall strategy and goals. We want to educate customers and others on how our Darktrace ActiveAI Security Platform can help them transform their security operations from a focus on reactive threat detection to proactive cyber resilience – all within a single, holistic solution across a common AI architecture platform.


Joshua Beaman
CEO

Security Blue Team

Q1. How does your firm strike a balance between theoretical knowledge and practical, hands-on experience in your training programs? What does Security Blue Team offer to ensure that participants not only understand defensive cybersecurity concepts but can also effectively apply them in real-world scenarios?

It's important to understand how or why something works, but being able to do it yourself helps set you apart. Our theory-based training, comprising written lessons and videos, is complemented with hands-on labs, quizzes, and practical assessments. We ensure that our students finish our training having gained practical hands-on experience through our method of "teach it, show it, do it", where students will be taught a concept, shown how to do something, then do it themselves to ensure the knowledge is retained. For the vast majority of our training labs, we have modelled them on real-world activities conducted by our team members or members of our Academic Advisory Boards, ensuring that the skills and knowledge are transferable to real-world security operations.

Q2. How does your company stay ahead of the curve in terms of identifying emerging cybersecurity trends, attack vectors, and defensive strategies? How often do you update/incorporate these insights into your training programs and certifications?

All of us have a genuine interest in cybersecurity, with a good amount of us coming from technical security backgrounds. We ensure we're up to date by keeping an eye on industry news, RSS feeds, threat feeds, CERT announcements, and blogs or information shared by individuals or organizations on social platforms. When we come across a notable event, piece of information, or tool, we'll evaluate if any of our free or paid training would benefit from including it, then we'll get to work. We're always striving to ensure our training is applicable to modern operations, providing the most value.

Q3. What do you want attendees at Black Hat USA 2024 to know about Broadcom's new Enterprise Security Group?

Innovation is and always has been the lifeblood of both Symantec and Carbon Black. As Broadcom’s newly formed Enterprise Security Group, we’re committed to redefining what’s possible in cybersecurity. Leveraging the most talented teams, backed by some of the most in-depth threat research on the planet, we are developing innovative solutions to meet the ever-changing threats our customers face. As we look ahead, we have a clear vision to build a secure digital world. And we are more determined than ever to make it a reality. The best is yet to come.


Jason Merrick
Senior Vice President of Product

Tenable

Q1. How exactly has the rising adoption of cloud-native architectures and container technologies complicated the enterprise exposure management and data security posture management challenge? What's Tenable's approach to help organizations address these challenges?

Companies everywhere are reaping the benefits of cloud-native infrastructure. However, as organizations increase their cloud footprint, they expand their attack surface and introduce complexity that inhibits visibility, which opens the doors to cyber risk. According to Tenable’s latest Cloud Security Outlook report, 95% of organizations reported cloud-related breaches, with 92% reporting that their sensitive data was exposed and 58% of those acknowledging that the sensitive data exposure caused harm. To eliminate cybersecurity threats and exposures in the cloud, organizations need a unified view of cloud risks – infrastructure, workloads, data, and identities – and context to accurately assess and remediate risk.

Tenable Cloud Security is a unified cloud-native application protection platform (CNAPP) that enables organizations to close cloud exposures by connecting the dots between misconfigurations, vulnerabilities and excessive permissions.

We recently announced our intent to acquire Eureka Security. With Eureka’s data security posture management (DSPM) capabilities embedded in Tenable Cloud Security, security teams will gain a holistic view into their cloud data security footprint, fight policy drift and misconfigurations that put data at risk, and continuously improve their security posture over time.

Q2. What trends do you see driving adoption of cloud security posture management and cloud native application protection platforms (CNAPP) over the next few years?

In the evolving landscape of cloud security, several key trends are anticipated to shape the industry over the next few years, including Zero Trust architecture, AI and machine learning (ML), and DevSecOps integration.

The Zero Trust model, which assumes that threats could be both external and internal, is gaining notable traction. It emphasizes continuous verification of user identities, devices and network connections. As organizations increasingly adopt Zero Trust frameworks, such as least privilege access and Just-In-Time provisioning, they will seek out cloud security solutions with strong cloud identity and entitlement management (CIEM) capabilities, enabling least-privilege access and empowering real-time monitoring across all cloud environments.

As AI and ML continue to expand in popularity and business use cases, the security of the underlying data is paramount, which will accelerate the rise of Data Security Posture Management (DSPM). DSPM plays a significant role in enhancing AI and ML integration in cloud security by providing robust frameworks for securing data, enhanced data visibility and access control, real-time monitoring, anomaly detection, compliance and data security – all of which are critical for effective AI/ML operations.

The increasing prevalence of integrated DevSecOps teams is also driving cloud security adoption. More and more frequently we’re seeing shift-left approaches to prevent vulnerabilities from reaching production environments and security checks embedded in continuous integration and continuous deployment (CI/CD) pipelines to ensure secure code development and deployment.

All of these trends reflect a proactive and integrated approach to cloud security, aiming to address the complexities and dynamic nature of cloud environments while mitigating potential risks.

Q3. What are some of Tenable's objectives at Black Hat USA 2024? What technologies and capabilities does Tenable plan to highlight at the event?

Tenable will have a large presence at Black Hat USA 2024. At the Tenable booth (#1732), our team will be demoing the Tenable One Exposure Management Platform, as well as our entire portfolio of exposure solutions – Tenable Cloud Security, Tenable Vulnerability Management, Tenable OT Security and Tenable Identity Exposure.

We are committed to delivering cybersecurity solutions that enable customers to accurately predict threats and proactively manage cybersecurity risk across the modern enterprise, from IT, cloud, OT, web apps, identity systems and beyond. We encourage anyone interested in learning more about how Tenable can take their security program to the next level to stop by the booth.


Jeff Reed
Chief Product Officer

Vectra

Q1. You were recently appointed to the newly created position of chief product officer at Vectra. What are some of your immediate priorities in the role? Where do you see the biggest opportunities for growth for Vectra over the next few years?

I’ve been fortunate to inherit a terrific team and excellent product, so it’s been a great start to my tenure. In terms of immediate priorities, I’d highlight two areas. The first is identity. We’re always working on new, AI-driven detections across our coverage areas (network, identity, M365, AWS) but I’m particularly excited about innovations in the identity space. As we’ve seen from actors such as Scattered Spider, identity threat detection is vital, and Vectra AI provides industry-leading protection for hybrid identity attacks. Secondly, we are just about to introduce a set of detections for Microsoft Copilot for M365. Almost half of our customers are either using or trialing Copilot and it opens up a whole new threat surface in their environments. We are leading the market in helping customers use Copilot securely.

Looking further ahead, our focus is to continue to tie together the disparate coverage areas into the industry’s best XDR platform, driven by over a decade’s worth of experience leveraging AI. There’s no way we can protect against the scale and sophistication of attacks without leveraging AI, and the reason I joined Vectra AI is that no other security vendor has our experience and has woven AI into the core platform, from the very beginning, like we have.

Q2. Tell us a little bit about Vectra's Attack Signal Intelligence technology and what it does. How does it help organizations improve their security posture?

Vectra AI Attack Signal Intelligence uses AI to analyze, triage and correlate thousands of detection events a day spanning networks, identities, clouds, and SaaS applications. Instead of delivering thousands of alerts on individual threat events, our AI platform delivers single digit alerts per day on prioritized entities — both hosts and accounts — under attack.

In the most basic terms, our AI answers the three questions SOC analysts need answered every day they sit in front of their monitors: Is this threat real? Do I care? And how urgent is it? In other words, is it worth my time and talent? One of our customers put it best by saying, “the Vectra AI Platform helps our engineers and analysts take ambiguity out of their day and focus on what matters.”

How we do it is simple. We leverage our pre-built, behavior-based, domain-specific AI detections to make unknown attacks known. We use AI to integrate and automate threat event correlation to remove detection engineering latency. And most importantly, we use AI to shift the analyst experience from event-centric threat detection to entity-centric signal prioritization, thus reducing noise and workload, thus maximizing the value of existing SOC talent.

Q3. What is Vectra's focus at Black Hat USA 2024? What can customers and other attendees expect by way of any announcements, demos, presentations and talks from Vectra at the event?

Black Hat attendees can visit our booth #2422 for 1:1 demos, interactive discussions with technical leaders, and to participate in custom games and a Capture the Flag competition. Our speaking session, "Defending Hybrid Attacks in the Era of Identity, Cloud, and GenAI," will offer insights into detecting and stopping sophisticated attacks.

And Vectra AI will announce product news related to its Attack Signal Intelligence AI Platform.


Mike Price
CTO

ZeroFox

Q1. What specific types of assets and potential attack vectors does the recently introduced ZeroFox External Attack Surface Management product identify and address? How does it handle the discovery and monitoring of third-party vendors and suppliers that may introduce additional attack surfaces to an organization?

ZeroFox External Attack Surface Management (EASM) mimics attacker reconnaissance through an agentless, cloud-native solution that leverages the best open source data collection methods and builds upon them with our proprietary technology to enumerate the external attack surface. Our dedicated process enumerates and aggregates exposed systems, domains, subdomains, IP addresses, outdated software, security certificates, services and more that are externally visible to an attacker. This inventory is used to curate and maintain an asset library that is continuously correlated against our risk database, including Common Vulnerability Scoring (CVSS), Common Vulnerabilities and Exposures (CVE) and Expired Security Certificates, creating enriched contextualization of the issues discovered. ZeroFox EASM complements our existing digital risk protection (DRP) capabilities to provide customers with complete visibility and control across the entire external attack surface, all within one single platform experience.

We support both company-owned and third-party assets. ZeroFox EASM proactively removes threat actors’ targets of opportunity through full-spectrum discovery and enumeration of all internet-facing assets, continuous correlation and analysis of exposures, and actionable alerting and reporting to rapidly prioritize mitigation and remediation decisions. The discovery process is ongoing, meaning we’re constantly monitoring for new exposures and changes to existing assets that could introduce new risk. Our powerful searches can uncover new, unknown, or forgotten assets linked to customers’ domains and IP ranges, ensuring the entire external attack surface – including risks originating with vendors, third-parties and the broader supply chain – is protected.

Q2. What do enterprise organizations need to understand about the scale and scope of the account takeover threat? What should security leaders be doing to address the threat?

An account takeover is a type of cyberattack where attackers attempt to gain unauthorized access to a legitimate email, social, business software, app, or financial account owned by a target individual or organization. This type of threat is becoming increasingly common as the world becomes more digital and the average person finds themselves managing tens or even hundreds of accounts – large organizations can easily find themselves managing millions of accounts and access credentials for business applications, email, social media, etc. Together, all of these accounts create a sizable attack surface for cybercriminals to target. Threat actors may implement several different kinds of cyberattacks to obtain login credentials for a targeted account, including malware and ransomware attacks, phishing and spear phishing, impersonation, and social engineering attacks. In short, the scale and scope of this threat is massive, as account takeover attacks can be executed against several different accounts, in several different ways, simultaneously.

To protect against account takeover attacks, organizations need cybersecurity awareness, a strong password hygiene policy, and the right software, tools, and technologies to repel attacks. Security leaders should implement these best practices and invest in technologies that monitor for early indicators of account takeover, automatically delete malicious content posted to social followers, and freeze compromised accounts to prevent further damage to the target’s reputation. Real-time alerting is key to protecting the brand or individual’s reputation, to protect against compliance violations, offensive content, or unintentional sharing of sensitive information so that action can be taken before the company makes headlines.

Q3. What does ZeroFox have in store for organizations and attendees at Black Hat USA 2024? What topics and technologies does your company plan on highlighting at the event?

We’re always excited for Black Hat USA! It’s a really special place for ZeroFox and we look forward to returning to Las Vegas and seeing friendly faces each year. This year, we’re excited to give attendees more insight into our expanding AI capabilities – we have a few updates planned for late July that we’ll be sharing more about at the show. Cybersecurity buzzwords aside, we’re always innovating behind the scenes to enhance our tried and true DRP solutions, and we’ll have some exciting new intelligence search and physical security intelligence capabilities, as well as enhancements to our new EASM module, to demonstrate. All of this underscores our main theme for the year, which is consolidation – we feel the cybersecurity industry is long due for a consolidation movement that creates more synergies between EASM, DRP, and CTI, and our goal is to deliver on the need for a consolidated, single-platform experience that protects customers against the full gamut of external cyber threats.

This year, I’m excited to present on the evolving landscape of external cybersecurity threats on Wednesday, August 7 at 11:30am PT. Shameless plug to come to my session! We’ve been doing this for over 10 years now, starting off as a social media security company and growing to encompass all types of internet-based threats, so I think it’ll be really interesting to look back on how the threats we’re defending against have evolved over the years. I’ll be reviewing threats like social media impersonations, deepfakes and spoofed domains and how they’ve become more sophisticated over time, and the approaches required to safeguard against emerging external cyber threats effectively.