By John Davis, Retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks

What critical innovations can change the balance in cybersecurity, providing those of us responsible for defending our organizations with more capabilities against those who would do us harm?

This is not just a theoretical exercise. It is something all of us in cybersecurity need to understand — and a key national security priority.

I've given this question considerable thought in my role advising many of my former colleagues and other leaders in the U.S. government. In my view, there are two key interrelated developments that can shift the cybersecurity paradigm. They are:

I'm not saying these innovations can reverse the historical advantage offense has had over defense. But improved use of automation — combined with software-based advanced analytics — can help level the playing field.

Cyber threats are increasingly automated using advanced technology. Unfortunately, defense has continued to employ a strategy based mostly on human decision-making and manual responses taken after threat activities have occurred.

This reactive strategy can't keep pace against highly automated threats that operate at speed and scale. The defense has been losing — and will continue to lose — until we in the cybersecurity community fight machines with machines, software with software.

Prevention is key

Any good defensive strategy should be comprehensive, covering protection, detection, response, recovery, and resilience. Prevention is key, especially in today's complex environment. That is where we have not invested enough — and where automation and advanced analytics can make an enormous difference.

First, let me define what I mean by prevention, starting with understanding the basic cyberattack process, sometimes referred to as the cyber threat lifecycle. This process consists of seven steps:

These steps usually occur in that order, but not always. The final step defines a successful attack, which could be encrypting data for ransom; exfiltrating sensitive data; exposing embarrassing information; or disrupting/destroying targeted systems, devices, or data.

Modern cyber threat actors can work their way through the attack process more quickly than ever with advanced software and machines.

But the process still takes time — allowing defenders to see and stop a threat at any step in the process. To do so, however, defenders must have complete visibility across their network environment and be able to deliver protections everywhere automatically. Therefore, they need both sensors and enforcement points. Just seeing malicious activity without being able to stop it won't change the dynamic between offense and defense.

Tackling speed and scale

Automation lets security teams fight machines with machines and save their most precious resource (people) for the things that only people can do better and faster than machines. This includes hunting and deep, high-end analysis. Any other approach will never keep pace with the speed and scale of modern cyber threats.

Software-based advanced analytics enable security teams to fight software with software. They make it possible to deploy sensors and enforcement points in all critical places in a network environment. More importantly, they enable the integration between the sensors and enforcement points.

With advanced analytics, any type of suspicious behavior in a network environment can be quickly matched to the attack process used by all known threat actors or organizations. Analytics can even identify a threat never seen before, or a possible threat not directly matched to a known bad signature or activity.

Using machine learning algorithms, a decision can be rendered in near real time — less than 10 minutes is state-of-the-art today — and a protection can be delivered automatically to stop the threat everywhere in the organization's enterprise environment without the need for any human intervention.

Defenders have access to an enormous amount of data from networks, endpoints, and clouds. The right kind of data includes cyber threat indicators of compromise as well as contextual information. It does not include traditional policy and legal landmines such as personally identifiable information, protected health information, intellectual property, or surveillance-related data.

Leveraging this data, it is possible to act at speed and scale with a very high degree of precision, achieving false positive rates of less than one percent. The key to this kind of effective defense is complete, continuous, and consistent visibility and security controls across all elements of an organization's network environment — from the network to the cloud (public, private, hybrid, multi, SaaS) to endpoint and IoT devices.

Stopping threats, mitigating risk

Cybersecurity protections that leverage automation and advanced analytics are available today and are getting better as time goes by, with more of the right kinds of data to drive automated decisions and protections.

Best case, the use of these two innovations enables security teams to see and stop cyber threats before they are successful, providing an advantage for the defense. Worst case, they let security teams limit the damage of a successful attack to something determined to be an acceptable level of risk.

Why is this so important? Eliminating or reducing the advantage that cyber offense has over defense is critical to creating a more stable cyberspace. Traditionally, when offense has the advantage, it creates enormous instability. When defense has the advantage, it creates a more stable environment.

We're living in a world with an unacceptably high level of instability in the cyber domain. The risks of miscalculation, misinterpretation, or even a plain mistake are just too high. Effective use of automation and software-based advanced analytics can help level the playing field between offense and defense and create a much more effective cybersecurity posture for any organization.

About John Davis:

John is a retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks, where he is responsible for expanding cybersecurity initiatives and global policy for the international public sector and assisting governments around the world to successfully prevent cyber breaches.