Blackhat 2016: Dark Reading Interviews AlienVault
In this interview with Dark Reading at Blackhat 2016, Brian Gillooly and Roger Thorton discuss topics such as:
- What makes AlienVault different from other security companies?
- The detection vs prevention debate
- Update to AlienVault's Open Threat Exchange (OTX)
- How AlienVault is making threat intelligence available to organizations of all sizes
- Current challenges in threat detection
BRIAN: We are back. I am Brian Gillooly, we are live at the Dark Reading news desk, and my next guest it the CTO of AlienVault, his name is Roger Thornton. Roger, welcome to the news desk.
ROGER: Thanks Brian.
BRIAN: Before we get started, you guys are very kind to give me a little gift before we started. So I think it is only appropriate that I can don this the entire interview with your interview. I appreciate your gift.
BRIAN: So let's get started.
ROGER: I can take you much more seriously now.
BRIAN: Oh, okay. Well, let's go back to it. We do have important stuff to talk about, so let's get to that. Here, I am going to give you that. Thank you. (Throws glasses).
ROGER: So, I do want to get into OTX. I want to get into behavioral monitoring, a whole bunch of important issues, but let's talk a little bit about the security market is so complex. What makes AlienVault different? What is it you do and how are you different from your competitors?
BRIAN: Let me give you a little background about the company.
BRIAN: So the company was founded in 2007, and one of the things that makes us really unique is our founders were actually security practitioners who were operating a SOC. So they were struggling, like a lot of our viewers are, with that complexity that you just mentioned. So many products, that cost a lot of money, that take a lot of time to deploy, require a lot of expertise, and when you are that person that is actually in the SOC, who has got to make this stuff happen, and you have got multiple customers, it was just a crushing problem. So AlienVault's products are really the derivative of these various security practitioners. Myself and a number of other folks came in around 2011 and 2012, venture capital, money software people, but our genesis is built out of the SOC. Because of that, what makes us unique in the marketplace, we have got a product that takes a unified approach to security, and we will talk a little bit more in detail, but to do detection, there is no one magic bullet or product you buy and you find everything. You actually need a number of products, and typically you will need some type of data analytics platform and some knowledge and some time. AlienVault brings all these things together in a simple, easy to use, price-efficient product. We also feed that product with our own threat intelligence, and we are going to talk about OTX as the world's largest threat intelligence platform, and then we also have our security research team that uses OTX and other feeds to help our customers keep our products that they need tuned and effectively working to find the latest threats. Since it is all in one approach, it is AlienVault.
ROGER: And I do want to talk about OTX,, as you said, but you also brought up detection. There has been a debate here going on at the show—not raging, not one of the top debates, but it is still interesting, this concept of detection versus prevention, and I have heard both sides. What is the AlienVault take on it?
BRIAN: I will tell you, I have actually lived both sides, right? So if you are of the belief that, “Hey, we don't need this detection stuff, because if we just got it right, we would keep the bad guys out.” I would say, “You probably haven't been in the security business for a long time.” When I was in the security business, that was how I felt, and I worked and founded a company called Fortified Software, and I truly believe in my heart of hearts that if we just made the software more robust, then it would be resilient to attack and everything would be fine, but after you spend enough time in security and you take an interest and passion and you start reading, there is a game theory concept of the defender's dilemma, and that is to keep a bad guy out. This is not just true for computers. It could be in the physical world, too. You are in the cockpit of an airplane, or a military base, or a bank vault. To keep the bad guy out, you as a defender have this big disadvantage in that the bad guy gets to choose where, when, and how he attacks. So you need to be on your game and perfect at all times at every place against every method. It is just not ever going to work out that way. One of the things I learned when I was at fortified, and we had a lot of big banks and DoD as customers. A more sophisticated approach to security is that I am going to try my best to keep people out, but I am not going to constrict the flow of business, and to truly keep everyone out, I would kill the business. So I will try my best, but I will be really good at detection, and the reason for that is the inevitable break-in. It flips the odds. So I go from these odds stacked against me with the defender's dilemma to there is now a bad guy in my environment, the environment I control completely, and that bad guy is a stranger in a strange land, so they are going to have to look around, snoop around, look around, move around, find the precious things they are trying to steal.
ROGER: And with the detection approach, you also know a little bit more about that adversary than you would have had you not had that opportunity.
BRIAN: So this is why I personally went from naively believing that, “Boy, if protection was done right, we would get it perfect,” to the point where you need both, right, to leave your enterprise completely wide open. You need detection, it would melt because there would be so many demands on it, so we try to do effective protection, and of course, you see a lot of companies have the circle. It feeds itself. Good prevention, great detection, improves the prevention, and it is a never-ending game.
ROGER: Great, excellent. So we have talked about OTX. You have something new to talk about here at the show, so let's hear about it. This is the news desk.
BRIAN: Okay, so a little background information on OTX in case people don't know about it. At AlienVault, we have a commercial customer base of about four thousand customers. We have an open source user base of about twenty thousand users. That ecosystem ops into a threat-sharing system we call OTX (Open Threat Exchange). So OTX is members of that community sharing with each other through OTX, any indicator of compromise that they found while doing there threat detection work. In an ideal sense, if you attack one member of that network in a short manner of time, everybody in the network is going to know about it, and that is OTX. OTX has since grown. We have opened OTX to anybody in the security community that wants to participate. You don't have to be in AlienVault open source or a commercial user. You could be using any product, just having a genuine interest in helping the community and contributing. So you can go to OTX and you can become a member, there is forty-seven thousand people that have done that to date. Within OTX, we publish these things we call pulses, and a pulse is a collection of IoCs that together form some bit of information that someone would use to protect themselves. The community—anybody in the community can create a pulse, and anybody in the community can help curate that pulse. This has been going on for a couple of years, a lot of people use it, it is a big part of what fuels our threat intelligence. I know OTX data ends up in Spunk deployments and on-site deployments, and so we happily share that threat data with our competitors because this is all of us finding a common enemy. Now, what we have got to announce is OTX remains the world's largest open collaborative community, but we are giving people inside that community the ability to make private groups because whereas we would ultimately like you to share the threat intelligence of everybody, some companies don't feel comfortable sharing with everybody and they would rather start with sharing with a selective group of friends or colleagues or maybe people in the same vertical industry. So the latest version of OTX has just been released and it enables this creation of groups and private groups.
ROGER: And your threat intelligence approach is a little bit different from the rest of the market.
BRIAN: It really is. Going back to the ethos of the company, when we get up everyday, we go to work for the person in the SOC in a company that doesn't have enough people and enough money, and that is most companies. Then what we do by unifying all the various tools that you need for data with the SIEM and I know it is all together, it saves you the time of deploying all these tools and wiring them all together, but by taking our OTX data and funneling through our security research function, we actually do the tuning of that for you.
ROGER: So you are dumping data.
BRIAN: Back in, yes, and that is what generates the alarms. A lot of the approaches that you see today are made for DoD departments or global banks with a hundred people in a SOC and a security research team. If you have that, awesome, good for you. 90% of the companies in the world don't have that.
ROGER: Or even if you do have that, it is good to have somebody that can help analyze or manage the data for you ahead of time. That is a conversation we have had at this desk over the past couple of days, too, is threat intelligence is fantastic, information sharing is fantastic, but a lot of times it is a fire hose of information, and it is sort of the big data dilemma in the early days of big data, which was, “This was terrific. We now have all this information that will help us understand our products or customers better, but we don't know how to analyze it or if we did analyze it, we don't know what we have.” So the same thing is now happening with threat intelligence and security.
BRIAN: And it is really important to note, you know, IoCs by themselves, that is not the endpoint that they needed to detect threats, right? You have got to look at those understand them, and then understand what detective controls you have, and ultimately you have to tune those controls. Today's threats aren't simple one indicators, you are going to have tons of false positives. So it is an artful exercise to be able to tune all of your detective controls effectively so you catch everything without inundating yourself with noise. There is no way to do that without a research team. All of the advanced techniques, a lot of the vendors talk about machine learning, and these are great tools for a security research team, and if you have got a security research team and you are capable of doing that, then you want data like OTX and others so you can figure out your game plan. If you stretch there and you don't have the budget, then you want something like what we do where the tools themselves are being tuned. So you are just dealing with alarms.
ROGER: And we kind of leaped over this and we have about thirty seconds, I just want to hit that issue of behavioral monitoring, so we are kind of going back to that. Give us a though or two about how that is helping your customers. So the simplest way to put it is, as our detection techniques get better, the bad guys change, right? Not that many years ago you could find a bit of binary code in your network and then the antivirus found it, right? Today, that is polymorphic. Every version is going to be different. You could look at certain ports that were in use on a machine, certain IP addresses and things they are going to. This stuff is all bouncing around now. So your detection techniques need to be extracted one level higher where you are still ultimately looking for patterns, but they are not simple, signature-based patterns. They are a collection of things that you know when you see these, you have the probability of something bad going on.
BRIAN: So you get your customers one step ahead of the game by providing that kind of a service.
ROGER: Absolutely, and we do the bulk of that heavy lifting for the customers.
BRIAN: Well, Roger, thank you for joining us at the news desk. We really appreciate it. Thank you for my gift, I will definitely be wearing that later on.