Q&A: Exabeam’s Chief Data Scientist Derek Lin on Deep Learning and Cybersecurity

Deep Learning is being applied to analyse network packets and binary executable files. Exabeam’s Chief Data Scientist Derek Lin spoke to Computer Business Review’s editor Ed Targett about the challenges and opportunities for its further application in cyber security.

(Read on CBR)

Derek Lin is Exabeam’s Chief Data Scientist and has more than 20 years of experience in the cybersecurity industry. His previous work has included behavior-based security analytics such as malware detection and insider threat detection, risk-based on-line banking fraud detection, data loss prevention, voice-biometrics security, and speech and language processing. He spoke to Ed Targett about why the “devil is in the data”.

How much is AI/Machine Learning/Data science helping cybersecurity?

Cybersecurity solutions to detect threats used to rely on signature-based blacklisting or correlation rules. These solutions have long been inadequate. These days Data Science plays a significant role in areas from endpoint protection to insider threat detection. This is particularly true in the area of user or entity behaviour monitoring where each user or entity’s current activity is constantly being monitored against its historical profile (or normal behaviour). This type of pro-active monitoring is impossible without an automated data-based analytics approach afforded by data science.

What’s the biggest advancement these technologies have provided to the cybersecurity industry?

In addition to user and entity behaviour analytics – where machine learning has shined – a big advancement in network traffic or malware binary detection is Deep Learning (a machine learning framework). Deep Learning is… now applied to analyse network packets and binary executable files, looking for clues in packet or byte streams that are impossible to identify with human eyes.

How far can AI/advanced analytics go to automate threat detection and response?

The goal is not to fully replace human analysts, but to make analysts more productive. Without advanced analytics, security analysts have been mired in mountains of alerts. Much effort is wasted in chasing down false positives while many threats go undetected. The goal of advanced analytics is to provide better and sharper signals for humans so there are fewer leads to start with. Given alerts, systems can automate low-tiered incidents but leave the few, but difficult ones, for human analysts.

How is AI/advanced analytics being utilised by cybercriminals?

Cybersecurity is a cat-and-mouse chase game. Cybercriminals have the same toolset as we do. For example, in order to avoid domain name blacklisting, they have used domain generation algorithms to come up with fast-changing domain names with random-looking characters to avoid being blacklisted. Once we were able to detect domain names with random characters, they switched to generate domain names with random words to evade the detection. In security work, it has always been to build the wall a little higher until it is scaled again.
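The two generations of DGA detection Lin describes, as an added example that is not part of the interview or of any Exabeam product: a character-randomness check (entropy plus vowel ratio) catches random-character labels, a dictionary-segmentation check catches random-word labels that slip past it. The word list, thresholds and sample domains are constructed for illustration.

```python
import math
from collections import Counter
from functools import lru_cache

# Constructed stand-in for a real dictionary; a production detector would load a full word list.
WORDS = frozenset({"secure", "cloud", "data", "mail", "login", "update",
                   "news", "bank", "shop", "blue", "fast", "river"})
VOWELS = set("aeiou")


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def vowel_ratio(label):
    letters = [ch for ch in label if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0


def looks_random_chars(label, min_entropy=3.0, max_vowel_ratio=0.2):
    """First-generation check: long, high-entropy label with almost no vowels."""
    return (len(label) >= 8 and label_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def segment_words(label, words=WORDS):
    """Split a label into dictionary words (longest match first); None if impossible."""
    @lru_cache(maxsize=None)
    def go(i):
        if i == len(label):
            return ()
        for j in range(len(label), i, -1):
            if label[i:j] in words:
                rest = go(j)
                if rest is not None:
                    return (label[i:j],) + rest
        return None
    result = go(0)
    return list(result) if result is not None else None


def registrable_label(domain):
    # Assumption: single-label public suffix such as ".com"; real code should use a public-suffix list.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, min_words=3):
    """'random-char-dga', 'word-dga' (three or more concatenated words) or 'ok'."""
    label = registrable_label(domain)
    if looks_random_chars(label):
        return "random-char-dga"
    words = segment_words(label)
    if words and len(words) >= min_words:
        return "word-dga"
    return "ok"
```

Thresholds this crude will misfire on real traffic; the point is how the second check is needed once the first one is evaded.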

How is data currently being used in the infosec sector?

Let’s take the area of insider threat detection. Data is everywhere. Yet, it is an open secret that much of the security data needs curation before it can become useful. Volumes of the raw data need to be parsed and cross-correlated so that data elements are fully normalised before they can be utilised. Once the data is curated, we use it to monitor user activities to look for anomalous behavior. We can use it to derive system intelligence to supplement IT knowledge and detect threats of known behaviour scenarios.

Will Machine Learning continue to disrupt the industry, or have all of its uses been found?

We shouldn’t limit our horizon to the existing data sources or to the current level of machine learning research. A good parallel example is in the advancement of natural language processing. It wasn’t too many years ago that Deep Learning disrupted the then plateaued field of speech recognition and brought forth new realisations in accuracy and applications. We are still at the beginning of machine learning application for cybersecurity.

What is the next step for AI in cybersecurity?

Compared to other industries, there are relatively fewer machine learning scientists working in cybersecurity. In theory, as the community grows larger, more innovations will come. But what can really encourage the progress is collaboration at both the human-level and data-level. Future industry-wide efforts in sharing security data and incidents for the purpose of research will benefit research activities tremendously.


Exabeam Sees Rapid Growth of Next-Gen SIEM Platform

SAN MATEO, Calif., April 05, 2018 (GLOBE NEWSWIRE) -- Exabeam, the next-gen SIEM company, today announced the rapid growth of the Exabeam SIEM platform one year after its release. Product line additions, pickup by reseller and integrator partners, and expansion in existing accounts have resulted in a significant increase in adoption over the past four quarters.

(Read on GlobeNewswire)

The Exabeam Security Intelligence Platform (SIP) is comprised of six integrated products that help organizations protect their valuable information. SIP provides companies of all sizes with end-to-end detection, analytics, and response capabilities from a single security management and operations platform. The platform provides elastic scalability through the use of a modern big data infrastructure and advanced detection using machine and deep learning algorithms -- all at a predictable cost that is not based on data volume. This means organizations no longer need to choose between adhering to security budgets and adding additional data sources to minimize their security blind spots.

Factors driving growth of the Exabeam SIEM platform include:

  • Product Line Expansion -- Exabeam added two new products to SIP, including Exabeam Data Lake, a security repository designed specifically for security analysts, and Exabeam Entity Analytics, a behavior analytics application that monitors device activity.
  • Customer Uptake -- Coming off a record 2017, billings grew 205 percent in Q1 compared to Q1 of last year. Exabeam SIP is currently monitoring over 4 million employees worldwide, and 89 percent of Exabeam customers have purchased multiple products.
  • Partner Success -- Q1 of this year saw an increase of channel generated bookings of over 150% compared with Q1 of 2017. Because of this momentum, Exabeam was recently named a CRN 5-Star Partner Program recipient. This week, leading cyber risk integrator Grant Thornton entered into an alliance agreement with Exabeam.
  • Analyst Praise and Awards -- Though new to the market, Exabeam debuted as a Visionary in the Gartner Magic Quadrant for SIEM. Exabeam SIP is a 2018 finalist for both the SC Awards and SC Awards UK in the SIEM category.

“It has been an incredible year for our SIEM platform. It’s clear that organizations are tired of paying by the byte for technology that does not get the job done. Our flat pricing model and advanced analytics are making security teams more effective with a product that’s cost effective,” said Nir Polak, CEO of Exabeam. “I’m really pleased to see the expansion of Exabeam across new and existing accounts. The trust we gained with our analytics product has allowed us to get our data lake and incident response products into the hands of more companies looking to elevate their security practices.”

Exabeam will be demonstrating its next-gen SIEM at the RSA Conference in San Francisco April 16-20, Booth #1133 South Hall.


RSA Conference: Innovation & Cybersecurity Industry

Theresia Gouw talks security with RSA Conference's Britta Glade. Here’s something to ponder: In an alternate universe, where would cybersecurity be today without the continuous pursuit of innovation? While we can only guess, one thing is pretty certain. Cyberattackers would be a lot happier in that universe than they are here. In this episode, we take a look at multiple aspects of industry growth—from revenue and investments to tech advancements and opportunities.

Some of the topics we cover include:

• What investment strategies are VCs employing in 2018, and how do they differ from previous years?
• What criteria should buyers consider in choosing startups to add to their security portfolios?
• Based on where the industry is headed, what new and exciting developments can we expect at the RSAC 2018 Early Stage Expo?

(Listen on RSAConference)


Making China Into a Tech Powerhouse

Aspect Ventures co-founder Theresia Gouw discusses the impact of a trade war on China's tech industry. She speaks on "Bloomberg Daybreak: Asia."

(Watch on Bloomberg)


Companies Are Seeing How Vulnerable They Are to Hacks

George Kurtz, Chris Roberts and Theresia Gouw talk about the state of security and what comes next

It’s obvious that cybersecurity continues to be one of the biggest priorities facing government and industry. The number of hacks is rising, as is their scale—with the threat of even greater thefts and disruptions seeming ever more likely. The character of the attackers is changing, too, as the line between state-sponsored hackers and independent criminals gets ever hazier.

To examine the topic, and how companies should deal with it, The Wall Street Journal’s editor in chief, Gerard Baker, spoke with Theresia Gouw, founding...

(Read the full story on WSJ)


IoT-focused cybersecurity startup ForeScout files for initial public offering

“Internet of things”-focused cybersecurity firm ForeScout Inc. is going public.

The company announced Monday that it had filed its paperwork with the U.S. Securities and Exchange Commission for an initial public offering.

(Read on SiliconAngle)

The number of shares to be offered in the IPO and their price are described as having “not yet been determined,” though the company did say it was looking to raise $100 million, a common placeholder figure.

Founded in 2000, ForeScout offers a cybersecurity service that allows enterprises to see all sorts of devices the instant they connect to the network. The company’s platform integrates with leading network, security, mobility and information technology management products to allow users to control devices when they are connected to the network and orchestrate information sharing and operation among various different types of security tools to accelerate incident response.

“We have pioneered an agentless approach to network security to protect organizations against the emerging threats that exploit the billions of devices connected to organizations’ networks,” the company said in its S-1 filing. “The traditional approach of relying on a corporate-installed software agent to secure a device has significant limitations in today’s world as devices are developed using a wide variety of platforms and operating systems that cannot support agents.”

By the numbers, ForeScout reported revenue of $166.8 million in 2016, up from $126 million in 2015, showing continued growth with revenue of $90.6 million for the first six months of 2017. Still, losses have continued to grow as well, with the company reporting losses of $27.3 million in 2015, $74.8 million in 2016 and $47.7 million to July 31 this year.

ForeScout last took venture capital in January 2016, when it raised $76 million, and it has raised about $156 million to date. Previous investors include Accel Partners, Amadeus Capital Partners, Aspect Ventures, BCS Growth Fund, Cross Creek Advisors, Founders Circle Capital, ITOCHU Corp., Meritech Capital Partners, Oxx, Pitango Venture Capital and Wellington Management.

As of its last round, the company was described as having a valuation of “$1 billion or more.” Although the valuation for the IPO has not been disclosed, it would be fair to guess that it won’t be lower than that. A date has not been set. ForeScout will list on the NASDAQ under the stock symbol “FSCT.”

Morgan Stanley & Co. LLC, J.P. Morgan Securities LLC, and Citigroup Global Markets Inc. are acting as lead book runners, with BofA Merrill Lynch and UBS Securities LLC assisting.


How 'the invisible network' poses a major security threat

Imagine a hacker remotely turning off a life support machine in a hospital, or shutting down a power station. These are the nightmare scenarios we face because many organisations haven't a clue how many unsecured devices are connected to their networks, cyber-security experts warn.

(Read post on BBC News)

It was an ordinary day at a busy hospital - doctors, nurses and surgeons rushed about attending to the health of their patients.

For Hussein Syed, chief information security officer for the largest health provider in New Jersey, it was the health of his IT network that was keeping him busy.

And today, he was in for a surprise.

He knew he presided over a complex web of connected medical devices, computers, and software applications spread across RWJBarnabas Health's 13 hospitals.

This included about 30,000 computers, 300 apps, a data centre, as well as all the mobile phones hooking up to the hospitals' wi-fi networks.

Company mergers had only added to the complexity of these sprawling IT systems.

But when he used a specialist IoT cyber-security program to carry out a full audit, he discovered that there were in fact 70,000 internet-enabled devices accessing the health firm's network - far more than he'd expected.

"We found a lot of things we were not aware of," Mr Syed tells the BBC, "systems that weren't registered with IT and which didn't meet our security standards."

These included security cameras and seemingly innocuous gadgets such as uninterruptible power supplies (UPSs) - units that provide back-up battery power in the event of a power cut.

"These unidentified devices could definitely have been access points for hackers who could have then found high-value assets on our network," says Mr Syed.

Hack into a UPS and you could potentially switch off life-critical machines, he explains. Or hackers could steal patient data, encrypt it, then demand a ransom for its safe return.

On the black market "health data is worth 50 times more than credit card data", says Mr Syed.

The audit "helped us protect our network," he adds, preferring not to dwell on what might have been.

Mike DeCesare, chief executive of ForeScout, the software provider Mr Syed brought in, says: "Businesses typically underestimate by 30% to 40% how many devices are linked to their network. It's often a shock when they find out.

"With the proliferation of IoT [internet of things] devices the attack surface for hackers has increased massively.

"Traditional antivirus software was designed on the assumption that there were just a few operating systems. Now, because of IoT, there are thousands."

ForeScout's software monitors a company's network and identifies every device trying to access it, "not just from its IP [internet protocol] address, but from 50 other attributes and fingerprints", says Mr DeCesare.

The reason for these other layers of security is that it is "relatively easy" for hackers to mask the identity of a particular device - known as MAC [media access control] spoofing.

So ForeScout's software takes a behavioural approach to monitoring.

"We look at the traffic from all those different devices and analyse whether they are behaving like they should," he says.

"Is that printer behaving like a printer? So why is it trying to access other devices on the network and break into the system?

"If we spot aberrant behaviour we can disconnect the device from the network automatically."
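The "is that printer behaving like a printer?" check, as an added example that is not ForeScout's code or any part of the article: a per-device-class profile of (direction, port) pairs is learned from a baseline window, then new flows are scored for ports the class never used and for one device fanning out to many peers. The flow records and device names are constructed.

```python
from collections import defaultdict

# Constructed sample flows, not real telemetry. Fields:
# (device, device_type, direction, port, peer); "out" means the device opened the connection.
BASELINE_FLOWS = [
    ("printer-01", "printer", "in", 9100, "ws-17"),
    ("printer-01", "printer", "in", 631, "ws-22"),
    ("printer-01", "printer", "out", 53, "dns-1"),
    ("printer-02", "printer", "in", 9100, "ws-03"),
    ("printer-02", "printer", "out", 53, "dns-1"),
    ("ups-01", "ups", "out", 161, "nms-1"),
    ("ups-01", "ups", "out", 53, "dns-1"),
]

# Later window: printer-02 starts opening SMB (445) connections to six workstations.
NEW_FLOWS = [
    ("printer-01", "printer", "in", 9100, "ws-09"),
    ("printer-01", "printer", "out", 53, "dns-1"),
    ("ups-01", "ups", "out", 161, "nms-1"),
] + [("printer-02", "printer", "out", 445, f"ws-0{i}") for i in range(1, 7)]


def learn_profile(flows):
    """Per device type, the set of (direction, port) pairs seen in the baseline window."""
    profile = defaultdict(set)
    for _dev, dtype, direction, port, _peer in flows:
        profile[dtype].add((direction, port))
    return dict(profile)


def score_flows(profile, flows, fanout_limit=3):
    """Return deduplicated (device, reason) alerts for out-of-profile ports and peer fan-out."""
    alerts = []
    seen = set()
    peers = defaultdict(set)
    for dev, dtype, direction, port, peer in flows:
        if (direction, port) not in profile.get(dtype, set()):
            alert = (dev, f"unexpected {direction} {port}")
            if alert not in seen:
                seen.add(alert)
                alerts.append(alert)
        if direction == "out":
            peers[(dev, port)].add(peer)
    for (dev, port), ps in peers.items():
        if len(ps) >= fanout_limit:
            alerts.append((dev, f"fan-out to {len(ps)} peers on {port}"))
    return alerts


def devices_to_quarantine(alerts):
    """Devices an automated response would disconnect pending analyst review."""
    return sorted({dev for dev, _reason in alerts})
```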

Services from network monitoring firms - ForeScout, SolarWinds, IBM, SecureWorks, Gigamon and others - are becoming increasingly necessary in a world where everything - from lamp-posts to lawn sensors - is becoming internet-enabled.

According to Verizon's latest State of the Market: Internet of Things report there are now 8.4 billion connected devices - a 31% increase on 2016 - and $2tn (£1.5tn) will have been spent on the technologies by the end of 2017.

But as Verizon points out, lack of industry-wide standards for IoT devices is giving businesses major security concerns.

Stories of cyber-attacks mounted on the back of insecure devices such as video cameras have highlighted the issue.

"IoT security is one of the biggest challenges we're facing right now," says Darren Thomson, chief technology officer and vice president, technology services at cyber-security firm Symantec.

The difficulty is that IoT devices are generally simple, cheap and low-powered, without the capability of running the antivirus programs operated by traditional computers.

"The challenge with critical infrastructure is that it wasn't built with security in mind," says Tom Reilly, chief executive of Cloudera, the IoT and data analytics platform.

"Smart cities are a great playing field for hackers - changing traffic lights, turning elevators on and off - there are many security exposures.

"We need to get ahead of them."

This necessitates a different approach to security, a growing number of experts believe.

In April, telecoms giant Verizon launched what it calls its IoT "security credentialing" service, whereby only trusted, verified devices are allowed to access a company's network.

Meanwhile, Cloudera has formed a strategic partnership with chip maker Intel.


What James Comey’s Firing Means For the Future of Cyber Attacks

Theresia Gouw and Jennifer Fonstad on the future of cyber-attacks.

Following President Trump’s abrupt termination of FBI Director James Comey earlier this month, the US government is left in a vulnerable spot as officials struggle to create the right policies to avoid cyber-attacks. Comey was one of the few federal officials equipped to get the job done right; he handled the investigation into Hillary Clinton’s use of a private email server and led a criminal investigation into whether Trump advisers colluded with the Russian government to steer the 2016 presidential election.

(Read on Fortune)

Although the Justice Department last week appointed ex-FBI director Robert S. Mueller III to head the investigation in Comey’s place, the developments nonetheless raise broader questions over what kinds of protections against cyber-attacks Americans should expect from the US government.

Without senior leadership in many of these government agencies, very few agencies are willing or even able to make large financial outlays or make decisions for new software, architecture, or counter-measures. Per reporting from Politico and USA Today, top-ranking positions across U.S. Defense, Treasury, and State departments, as well as key ambassador spots, are still awaiting appointments. In other words, rather than addressing the issue with press-laden, sweeping executive orders, perhaps the problem is simpler – putting talent into key open positions and enabling them to do their jobs. While Trump’s full cabinet has been confirmed, the Nonpartisan Partnership for Public Service has identified 557 ‘key’ government appointments that have yet to be confirmed by the Senate (not to mention the thousands of appointments that do not require Senate confirmation).

As time passes and without leadership in place, any decisions around major cybersecurity initiatives must be put on hold.

Former President Obama proposed a $19 billion cybersecurity plan in 2015 and 2016 (as part of the President’s Fiscal Year 2017 Budget) to improve IT infrastructure. But many deals are on hold while awaiting President Trump’s team that would help replace old government systems that are the most vulnerable to cyberattacks. While Trump did sign a separate cybersecurity order earlier this month, its improvements are incremental. Even as Trump also proposed increases in cybersecurity budgets for U.S. Homeland Security, he still flirts with the notion that a government shutdown would be “good for government,” as suggested in a recent tweet. As government employees worry about getting paid and are furloughed, America’s capacity to build and secure its digital boundaries flounders.

It is now time to start building a more comprehensive plan for protecting against, and prosecuting, cyber-attacks against our citizens and organizations. As Fortune 500 companies make cybersecurity a responsibility that even corporate board members are held to, perhaps it’s time for the Administration to appoint a cybersecurity czar to direct and manage cybersecurity across agencies, reporting directly to the President. Similar to coordinating physical security, cybersecurity needs to be elevated in mindshare, management, and resources. A proactive approach must be the priority. Rather than acting in a reactionary way, this approach enables leadership to coordinate efforts across agencies and internationally, and may provide impetus for filling positions more rapidly and effectively across the organization in the same way the private sector protects itself from cyber hacks.

Unfortunately, it’s not enough to keep the police on the streets and the military bills paid anymore. When governments are compromised by a hack, their people and their organizations are held up for ransom and the leadership is bogged down in identifying where the blame lies. How can we expect to protect ourselves? Let’s not wait until there is another Federal breach that undermines the security of our nation (remember the Office of Personnel Management hack in 2015?) to put a spotlight on the problem. What we’ve seen so far is just the beginning.