In this video filmed at Black Hat 2017, Lenny Liebmann from Dark Reading has a conversation with AlienVault CTO Roger Thornton about the economics and resources of cyber defense.
LENNY: OK, welcome back to the DARKReading news desk at Black Hat USA in Las Vegas. I'm Lenny Liebmann. My next guest is the CTO of AlienVault. His name is Roger Thornton, and we're going to have an interesting conversation about kind of the economics and resources of cyber defense—is that OK with you?
ROGER: That’s right, Lenny. Thank you.
LENNY: I couch it that way because, being here at Black Hat, there seems to be an awful lot of stuff that I’m expected to do, and as much as I may focus on a particular session or a particular technology, when I look at things as a whole, I’m feeling a little bit overwhelmed, especially in light of my finite resources.
LENNY: Do you want to comment on that to start with?
ROGER: I’d be happy to. In fact, for the last 5 years, that’s solely what I’ve been dedicated to. If you’re a security practitioner, you come to an event like Black Hat or RSA. You are going to be inundated with multiple layers deep but different types of products that you need to buy, you need to integrate, and you need to make work together in order to do your thing.
When we started AlienVault, one of the problems that we saw was there are too many products. You add them all together; it costs too much. And then the time and resources that it takes to manage that over time… It just wasn't really a model that was made for the everyday company. It might be the right model for some of the big banks, companies with 500 people on a security team, but let's face it—most companies have between one and 20 people in security.
ROGER: So, what we focused on at AlienVault was taking the essential security controls for threat detection.
ROGER: So, we carve off detection, and putting them all together in a box, pre-integrated—and by "box," I don't mean literally a shoe box… But pre-integrated, they work together, and when you install it, you're installing everything, all at once. We add to that all of the threat intelligence that you would normally have to do yourself in order to determine how you're going to find the bad guys, and we also add the data science that allows the data to be analyzed so that you get results.
What we try to do is bring together a package at a very reasonable price, with a very minimal amount of effort. A security team can deploy what would otherwise be daunting and maybe even undoable for a lot of companies.
LENNY: Right. So, that’s from sort of the internal resource side—what about from the actual threats that organizations of that size face? Have you seen any particular pattern in that that would make your approach make more sense for a company that size? I’m thinking, in particular, of the fact that everybody is paying a lot of attention to ransomware and protecting data from malicious encryption lately. That seems to be a narrow definition of what the threat matrix looks like. Maybe you want to talk about what it is that most organizations are facing and what you believe maybe they’re going to be facing in the near future.
ROGER: Sure. If you think about the threats that a regular company has faced over the last 10 years or so, it's not like they've changed, completely, who they are. One thing that's definitely changed is the idea of being stealthy, coming in and stealing stuff from you, or maybe using your assets and having you never know. I mean, the gloves have completely come off on that. They seem to not really care if you know they're there, ransomware being a great example of that.
ROGER: But I guess there’s probably an increase in the volume.
ROGER: But the threats themselves are kind of the same actors. They've just gotten a little more brazen and a little more aggressive and less likely to be hidden. What I have seen, though, change quite a bit is on the defensive side in many really good ways. When we first started, there was a prevailing thought that "Hey, I don't really need to do detection because I'm going to buy really great protection products, and everything will be great."
ROGER: At the very high end of the market, they always knew that was a fallacy, and they had really great threat detection capabilities. We’ve definitely seen it, coming down to the everyday company, an awareness that you’ve got to be good at detection.
ROGER: This is great.
LENNY: And you have to kind of understand the whole post-intrusion kill chain, so you can shift as early as possible.
ROGER: That's right, that's right. Yeah, so a breach that you detect, intermediate before any damage is done. That really is protection, right? Well, a breach that caused some damage, you want to minimize that damage and be able to get it done. Even a breach that's a whole wipe-out of your system has to be responded to.
ROGER: So, threat detection has to be done. The better it’s done and the earlier stages that it’s done, you minimize the expense.
LENNY: And before we run out of time, I know you’ve made a particular announcement here at the show about sort of a community of threat awareness. Do you want to talk about that?
ROGER: Yeah. So, keeping with the spirit of Black Hat, all of our announcements at the show today are about our open-source and our open-community products. We make commercial products, and we also make an open-source product. We also run an open-sharing community called the “Open Threat Exchange.” We started it off 3 or 4 years ago with very humble beginnings. Today, there are 60,000 people that use it. It’s a crowdsourced group of folks. Nobody has paid. They are threat hunters and security practitioners in their companies that are putting into the system everything we know about the threats they’re sharing.
OTX, we run about 14 million indicators of compromise to the system on a daily basis. So, we add functionality every couple of weeks.
ROGER: But we, for the show, grouped a bunch of it together, and one of the neat things we did was… When you go into OTX, you pull IOCs together that you know are related, and you put them in what we call a “pulse,” and you share that pulse with the community.
LENNY: A pulse? And this community, some of these are vertical-type communities, or?
ROGER: Good point. So, the community itself is open to any security practitioner on Earth. Some of the people in the community choose to form groups and share within themselves.
ROGER: One of the first requests we got was for security practitioners in the healthcare sector, and they wanted to be able to share not exclusively but maybe with more energy, with people they trusted.
ROGER: People that had similar environments.
LENNY: Well, it’s not only that they face similar threats, but I also think, internally, if I work for a healthcare provider, my experience as a security professional is different than my experience in a bank or my experience in a university or college, right? So, I don’t want to just share about threats; I want to share about kind of “What are you doing?”
ROGER: Funny, the threats are a challenge, and there’s a lot of internal challenge that only someone in your industry is going to know about.
ROGER: So, we also added to OTX… So, we made the creation of a pulse easier.
ROGER: In OTX, as you could imagine, there's a small percentage of people that create the pulses—maybe for every one, there are thousands that are the recipients of it. It's a crowdsourced environment, so we want to get more people participating, and we've added some tools to make that easier. You know, one thing I would say to people that are OTX users is, don't be afraid to create a pulse.
ROGER: If you create one that’s bad, the community will, hopefully politely, help you make it better. If you create one that’s redundant, there are engines on the back end that tie yours in with what exists.
ROGER: One of the other neat features we added to OTX is, basically, landing pages for all the threat actors that are attributed in OTX.
ROGER: And this is something that I’m so excited about because, for the longest time, we would talk about “the threats,” “the actors,” “the bad guys.” Well, now they have their own personal, little website inside OTX where we can annotate, as a community, everything we know about them.
LENNY: Yep, and this sort of collective crowdsourced intelligence is just enormously important for us to stay ahead of the curve. I mean, everybody talks about Day 1, but Day 12 is really important, and Day 24 is really important to get ahead of the curve. We’re kind of out of time, but I do feel like, if somebody has been listening to us, and they’re either interested in the simplicity and the elegance and the completeness of your solution, and/or they’re interested in the community side of things, you should probably tell us, “What’s something I can do tomorrow to start getting engaged with AlienVault?”
ROGER: We really pride ourselves on self-service, so if you aren’t really burning up to go talk to a salesperson, you can go to our website and educate yourself on absolutely everything we do.
ROGER: All of our products have free trials, and then, of course, we have our open-source franchise. And the last part… Even if there’s no way you're ever going to buy an AlienVault product, you’ve made a commitment maybe to an IBM or another product, you should still be a member of OTX because we believe that sharing that threat data amongst ourselves transcends our affinity to one product or another because that’s information about the threats that we can all benefit from.
LENNY: Yeah. It’s collective. Again, I really like this idea of finding peers who are like me—somebody who is at my skill level, somebody who is in my industry, somebody who is in the same part of the country, somebody whose organization feels like mine, so that I get some external support, and we can kind of share what it is that we’re actually going to do. So, I appreciate you sharing all of that.
LENNY: That was Roger Thornton of AlienVault. Don’t go anywhere—we’re going to have some more great interviews at the news desk from Las Vegas at Black Hat after this.