The Gately Report: RSAC 2024 Kicks Off with Debut of AT&T's LevelBlue
RSAC 2024 is underway with AT&T's new standalone cybersecurity company, LevelBlue; plus, cybersecurity news from Google Cloud, Cisco and Fortinet.
![](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltf5b1e28361b60223/652427fe2c37415e44909fae/RSA-Wide-Shot.jpg?width=700&auto=webp&quality=80&disable=upscale)
Channel Futures: How big of an organization is LevelBlue?
LevelBlue's Bob McCullen: We're in over 10 countries. We're predominantly here in the United States, and we predominantly support AT&T International customers. That's led to our international presence. We have over 1,000 employees and we have tens of thousands of customers, so it's a pretty sizable business.
CF: What sort of market opportunity do you see for LevelBlue?
BM: So initially, we're going to look to focus on AT&T’s customers that have come over, which have predominantly been enterprise and federal government, and state and local government, so public sector and enterprise. But after a while, we'll start to go down market and get to that midmarket space.
CF: Are there any changes in terms of products and services?
BM: We don't look to initially change anything, and that includes the team. But what we'll look to do is enhance our current offerings and provide a predictive security service, which I think has really been a failure in the security industry. So if you look at all the hundreds-plus players out there, we're a leader in managed services, and part of our strength is we provide a managed service for the leading technologies in the industry. And so we'll look to continue to do that and enhance it with our technology to really provide threat detection for leading organizations.
CF: What will LevelBlue mean for AT&T Cybersecurity’s partners such as MSSPs and resellers?
BM: So that's sort of the exciting part. Most companies start and they build a product, and then they build a channel. Well, we have one of the largest channels in the world through AT&T, so that's going to be great for us. And that includes AT&T’s MSP channel.
We also have our own unique channel internationally. And so we'll look to provide more partner training and really educate them on solutions. They may have only bought one thing, and we have a lot else to offer. Then we'll get their input and have partner councils to get their feedback on how can we do better for them, their customers and different technologies. Our job is to be the No. 1 partner for them, but also to be easy to do business with for their customers. So when they're onboarding a customer, we want to do a great job, we want to make that as seamless as possible.
CF: Have you heard from AT&T partners while forming LevelBlue? If so, what do they want from this new company?
BM: You can get lost in a very large organization, where they're coming from, but what we'll provide is a focus on the simplicity of doing cyber, and working with us in this organization. So the core for us will be being agile, being able to do things quickly and being completely focused on cyber for the partners.
CF: What will give LevelBlue a competitive advantage in the market?
BM: LevelBlue is currently one of the largest MSSPs in the world and we will lean into that. We will embrace it and we will do a better job than any of the other MSSPs out there. So we'll continue to grow in that area. We'll look to leverage AT&T’s relationships as much as possible. We have thousands and thousands of AT&T sellers, which is great for us, but then we'll look to add new channels. I've got a lot of experience in international channels, and then different channels like in financial services and others.
CF: Do you see any obstacles out there in terms of growth? If so, how do you get around those?
BM: If you look at the threat landscape, and I've been doing this a very long time, it has not gotten better. You've got more technologies than ever and more data than ever. And then during COVID-19, the boundary of your network expanded to your home, so that's made it more difficult for IT professionals. And there's a shortage of IT professionals; we've been saying this for the last five-plus years and that hasn't gotten any better. So we'll look to leverage technology; we currently have AI projects and a number of machine learning (ML) projects, so we'll look to do that to enhance what we offer. But I think in terms of how can we differentiate ourselves, we have a lot of customers right now and we have a lot of data right now, and we have great employees. So we'll look to invest in all of that, in our channels and our employees, and the technology that we've acquired.
CF: As CEO, what are your goals for LevelBlue in the months ahead?
BM: Initially we want to do customer outreach and get to know our customer. That to me is the most important thing, and get to know the employees and really the capabilities that we have, and then sharpen those tools to go out and provide better solutions. We want feedback from our partners, our customers, and our employees on how we can be easier to do business with. So that's our No. 1 goal, making that current customer happy, and then we'll look to do investments after that. So in the short term, it's all about the customer. Longer term, it's about investing in growing the business.
CF: Are there challenges associated with launching an all-new company with a new brand?
BM: I've done this a number of times, and it is a challenge to get your brand out there. But we're super fortunate that AT&T will be leaning into LevelBlue. And so you'll see that at RSAC, you'll see that in our announcements. And then you'll also see that in events as we go on and partner together because we'll be their security arm. They're going to be helping us continue to promote that brand going forward. But then we'll also have our own initiatives that'll be unique, and different industries and internationally.
Also at RSAC 2024 …
Google Cloud has unveiled a number of AI security offerings to further empower cyber defenders against emerging threats.
Sunil Potti, general manager and vice president of Google Cloud Security, said AI means reduced toil and labor costs for MSSPs.
“No longer do partners need to waste resources, writing complex detection rules or summarizing cases for customers,” he said. “Google Cloud's generative AI (GenAI), native to SecOps, accomplishes these tasks automatically, and especially helps our partners reduce labor costs involved with recruiting and training talent [in the junior levels]. When coupled with Google Cloud's Vertex AI, partners can extend this capability to customer use cases.”
![Google Cloud's Sunil Potti](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt50f1bf938fe1c45d/6525de5086281bb92a139dfa/Potti-Sunil_Google-Cloud.jpg?width=700&auto=webp&quality=80&disable=upscale)
Google Threat Intelligence is a new offering that combines investigative learning from Mandiant frontline experts, the VirusTotal intel community and Google for tailored threat insights, with an efficiency of scale made possible by Gemini. It offers deep insights from Mandiant’s incident response and threat research team, and combines them with Google’s massive user and device footprint, and VirusTotal’s broad crowdsourced malware database.
Google Cloud also unveiled the latest release of Google Security Operations, an intelligence-driven and AI-powered platform that allows security teams to better defend their organizations by detecting, investigating and responding to cyber threats. Formerly known as Chronicle, this update is designed to reduce the do-it-yourself complexity of SecOps and enhance the productivity of an organization’s entire SOC.
Google Cloud is also empowering defenders with new GenAI security tools and expertise:
- New services from Mandiant Consulting will help organizations secure the use of AI, and also apply AI to enhance cyber defenses.
- New AI protection capabilities that can help Google Cloud customers implement Google’s secure AI framework by building on the release of Security Command Center Enterprise.
- Notebook Security Scanner, available in preview, provides visibility to and remediation advice for open-source software vulnerability exposure introduced from Python packages in managed notebooks.
- Model Armor, expected to be in preview in the third quarter, enables customers to inspect, route and protect foundation model prompts and responses. It can help customers mitigate risks such as prompt injections, jailbreaks, toxic content and sensitive data leakage.
“Over the past year, we’ve seen GenAI transform the world as we know it – especially as it relates to cybersecurity,” Potti said. “It’s remarkable in its ability to summarize, classify and generate information, and with proper training, can reason about specialized data and provide natural-language, conversational interactions that facilitate workflows more quickly than flat interfaces in typical security tools. On the other hand, we expect to see GenAI and large language models (LLMs) being leveraged by hackers to personalize and slowly scale their campaigns - further enabling threat actors that once were limited by reduced resources and capabilities. The intersection of emerging technology and security has resulted in an immediate need to protect AI-powered workloads against old and new risks, and apply GenAI to solve security problems.”
Google keeps more people and organizations safe online than anyone else in the world, including billions of users and millions of websites globally, he said.
“Our security offerings provide unmatched frontline intelligence, expertise and AI-powered cloud innovation,” Potti said. “We’ve heard from partners that our AI development is a unique differentiator, with rule-creation and case summaries allowing for cost reduction benefits and a competitive advantage.”
Also at RSAC 2024, Cisco announced new innovations across the Cisco Security Cloud to both power and protect the “AI revolution.”
Cisco unveiled its first integration with Splunk, just two months after it acquired the company. The combination creates a security solution for threat prevention, detection, investigation and response for organizations of any size, utilizing cloud and endpoint traffic, along with Cisco's network footprint.
Craig Connors, Cisco’s vice president and CTO of security, said “we’re moving quickly to bring these two solutions together.”
![Cisco's Craig Connors](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt9dac841ec12db37e/66366f6330f5e180e45bcecb/Connors_Craig_Cisco_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
“If you look at an extended detection and response (XDR) solution like Cisco XDR, and you look at a security information and event management (SIEM) like Splunk Enterprise Security (ES), while they provide some similar functionality, they're targeted differently,” he said. “XDR is generally looking at very specific high-value data over a short time interval to find critical emerging threats in your network, whereas a SIEM is storing a lot of data from thousands of sources over a long period of time, which really drives your investigation and remediation strategies around things when they go wrong. So by bringing these two together, the start of this is simply that we want to make sure that if XDR is able to detect something before Splunk ES is able to detect something, that we will feed those high-fidelity alerts directly into it so that investigation and remediation piece that's happening on the Splunk side can start much sooner than it would have otherwise. And you'll continue to see us bring the real-time AI runtime security capabilities that we're building out across the Cisco portfolio with the long-term data retention and investigative intelligence capabilities that exist inside the Splunk portfolio going forward.”
Building on last month’s launch of Cisco Hypershield with distributed exploit protection protecting against known vulnerabilities, Cisco is now introducing capabilities to detect and block attacks stemming from unknown vulnerabilities within runtime workload environments. In addition, suspected workloads can be isolated to limit the vulnerability's blast radius.
In addition, Cisco Identity Intelligence is now available in Cisco Duo to enable continuous identity security to protect organizations against the sharp rise in identity-based attacks.
“When it comes to cybersecurity and AI, we're doing two things,” Connors said. “We're trying to build security solutions that work in this age of AI where the scale is higher and the speed is rapid. We can no longer do security at human scale, we have to do security at machine scale to identify these threats. So if you look at, in particular, what we're doing in Panoptica (Cisco’s secure application cloud) and in Hypershield, it’s really drawn around how do we bring the speed and breadth of things like machine learning (ML) and GenAI into detecting and mitigating threats at runtime that exists inside of products. The other thing that we're doing and that we're focused on is moving away from a world of disparate point products to a platform that works holistically together. The idea is bringing all of these different sources of information together, and then use AI to drive machine-scale analytics on top so that we can detect and respond to threats in real time.”
Also at RSAC, Fortinet’s FortiGuard Labs announced its Global Threat Landscape Report for the second half of 2023.
One of the many key takeaways from this latest report was that attacks started on average 4.76 days after new exploits were publicly disclosed. Similar to how FortiGuard Labs mapped this in its Global Threat Landscape Report for the first half of 2023, the team found that attackers in the second half of 2023 increased the speed with which they capitalized on newly publicized vulnerabilities by 43%.
Derek Manky, Fortinet’s chief security strategist and vice president of global threat intelligence, said in the future, “we’re not going to be talking in days, we’re going to be talking in hours, and it’s quickly heading toward that.”
![Fortinet's Derek Manky](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt4ae9c8d4cc1d5b4d/6636705778d3a0e37c2c5bfc/Manky_Derek_Fortinet_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
“Time is not a luxury we can afford in the industry,” he said. “What that means is it's obviously driving the risk element much, much higher and it does have a direct impact on the industry. This is the classic arms race that we always talk about. Thankfully, though, it's not a nail in the coffin. There are a lot of things that we can do to actually address that. It's just that this has become a priority now because of that.”
Some other relevant findings include:
- Fortinet telemetry found that 41% of organizations detected exploits from signatures less than one month old and nearly every organization detected N-Day vulnerabilities that have existed for at least five years.
- Forty-four percent of all ransomware and wiper samples targeted the industrial sectors.
- Across all of Fortinet’s sensors, ransomware detections dropped by 70% compared to the first half of 2023.
In addition, the new report gives a glimpse into the discourse between threat actors on dark web forums, marketplaces, Telegram channels and other sources.
Some of the findings include:
- Threat actors discussed targeting organizations within the finance industry most often, followed by the business services and education sectors.
- More than 3,000 data breaches were shared on prominent dark web forums.
- Some 221 vulnerabilities were actively discussed on the darknet, while 237 vulnerabilities were discussed on Telegram channels.
- Over 850,000 payment cards were advertised for sale.
The report does include some encouraging findings, such as the overall drop in ransomware activity, Manky said.
“The attackers now have shifted to a more targeted approach, so they're being selective,” he said. “But what that means is that we can follow that and we can actually disrupt these cybercriminals as a result. Basically, the efforts that we've been doing have been paying off, and now they're starting to switch strategies when it comes to targets they're looking at and so forth. And so it's really an opportunity to create a culture of collaboration, transparency, accountability, everything from secure by design, radical transparency on the organization and vendor side, and working with law enforcement. That's really encouraging because we're actually seeing the direct impact that this is making a difference.”
RSA CONFERENCE — The biggest news from day one of RSAC 2024 in San Francisco on Monday was the launch of LevelBlue, formerly AT&T Cybersecurity, now a new, standalone managed cybersecurity services business.
Tens of thousands of cybersecurity professionals have descended on the City by the Bay for this week’s RSAC 2024. It’s where the industry convenes to participate in conversations about how to secure businesses, employees and customers.
LevelBlue is a joint venture with WillJam Ventures, an investor with cybersecurity industry experience, and AT&T, which announced the intent to create the standalone business last November.
In 2019, AlienVault combined with AT&T Cybersecurity Consulting and AT&T Managed Security Services to form AT&T Cybersecurity. AT&T acquired AlienVault in 2018.
LevelBlue's Launch During RSAC 2024 a 'Fortunate Coincidence'
Bob McCullen, WillJam Ventures’ managing partner, is LevelBlue’s chairman and CEO. He said launching LevelBlue during RSAC 2024 wasn't planned, just a fortunate coincidence.
AT&T is retaining a minority ownership stake and board representation in LevelBlue.
“If you look at AT&T’s history, obviously they've been involved in networks for 100 years or so, and cyber has always been an important part of networks and securing their customers,” McCullen said. “This business has grown to the size where it needed a focus and attention, and an opportunity for us to invest in it. I've had a relationship with AT&T for a long time, and I've been in the managed services industry for over 25 years, so this was like a perfect marriage.”
![LevelBlue's Bob McCullen](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt52178ef15a07a6a3/66366dd277a62d073d2cd4d8/McCullen_Bob_LevelBlue_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
LevelBlue offers managed security services, cybersecurity consulting, threat intelligence and continuous security operations center (SOC) support.
“I found out some time ago that AT&T was interested in a partner to help invest and grow their cyber business, and so it became an alliance between WillJam and AT&T as a spinoff for us to do that,” McCullen said. “So it's a great opportunity for us. It will be one of the largest startups in security industry history, so we're all very excited.”
We also have the latest news at RSAC from Google Cloud, Cisco and Fortinet.