By John Davis, Retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks
What critical innovations can change the balance in cybersecurity, providing those of us responsible for defending our organizations with more capabilities against those who would do us harm?
This is not just a theoretical exercise. It is something all of us in cybersecurity need to understand — and a key national security priority.
I’ve given this question considerable thought in my role advising many of my former colleagues and other leaders in the U.S. government. In my view, there are two key interrelated developments that can shift the cybersecurity paradigm. They are:
- Innovations in automation.
- Software-based advanced analytics — including big data, machine learning, behavior analytics, deep learning and, eventually, artificial intelligence.
I’m not saying these innovations can reverse the historical advantage offense has had over defense. But improved use of automation — combined with software-based advanced analytics — can help level the playing field.
Cyber threats are increasingly automated using advanced technology. Unfortunately, defense has continued to employ a strategy based mostly on human decision-making and manual responses taken after threat activities have occurred.
This reactive strategy can’t keep pace against highly automated threats that operate at speed and scale. The defense has been losing — and will continue to lose — until we in the cybersecurity community fight machines with machines, software with software.
Prevention is key
Any good defensive strategy should be comprehensive with protection, detection, response, recovery, and resilience. Prevention is key, especially in today’s complex environment. That is where we have not invested enough — and where automation and advanced analytics can make an enormous difference.
First, let me define what I mean by prevention, starting with understanding the basic cyberattack process, sometimes referred to as the cyber threat lifecycle. This process consists of seven steps:
- Developing a delivery mechanism to get to a victim or target;
- Exploiting a vulnerability in the network environment;
- Installing malicious code;
- Establishing a control channel;
- Escalating privileged access;
- Moving laterally within the network environment.
These steps usually occur in that order, but not always. The final step defines a successful attack, which could be encrypting data for ransom; exfiltrating sensitive data; exposing embarrassing information; or disrupting/destroying targeted systems, devices, or data.
Modern cyber threat actors can work their way through the attack process more quickly than ever with advanced software and machines.
But the process still takes time — allowing defenders to see and stop a threat at any step in the process. To do so, however, defenders must have complete visibility across their network environment and be able to deliver protections everywhere automatically. Therefore, they need both sensors and enforcement points. Just seeing malicious activity without being able to stop it won’t change the dynamic between offense and defense.
Tackling speed and scale
Automation lets security teams fight machines with machines and save their most precious resource (people) to do things that only people can do better and faster than machines. This includes hunting and deep, high-end analysis. Any other approach will never keep pace with the speed and scale of modern cyberthreats.
Software-based advanced analytics enable security teams to fight software with software. They make it possible to deploy sensors and enforcement points in all critical places in a network environment. More importantly, they enable the integration between the sensors and enforcement points.
With advanced analytics, any type of suspicious behavior in a network environment can be quickly matched to the attack process used by all known threat actors or organizations. Analytics can even identify a threat never seen before or a possible threat not directly matched to a known bad signature or activity.
Using machine learning algorithms, a decision can be rendered in near real-time — less than 10 minutes is state-of-the-art today — and a protection can be delivered automatically to stop the threat everywhere in the organization’s enterprise environment without the need for any human intervention.
Defenders have access to an enormous amount of data from networks, endpoints, and clouds. The right kind of data includes cyber threat indicators of compromise as well as contextual information. It does not include traditional policy and legal landmines such as personally identifiable information, protected health information, intellectual property, or surveillance-related data.
Leveraging this data, it is possible to act at speed and scale with a very high degree of precision, achieving false positive rates of less than one percent. The key to this kind of effective defense is complete, continuous, and consistent visibility and security controls across all elements of an organization’s network environment — from the network to the cloud (public, private, hybrid, multi, SAAS) to endpoint and IoT devices.
Stopping threats, mitigating risk
Cybersecurity protections that leverage automation and advanced analytics are available today and getting better as time goes by, with more of the right kinds of data to drive automated decisions and protections.
Best case, the use of these two innovations enable security teams to see and stop cyber threats before they are successful, providing an advantage for the defense. Worst case, they let security teams limit the damage of a successful attack to something determined to be an acceptable level of risk.
Why is this so important? Eliminating or reducing the advantage that cyber offense has over defense is critical to creating a more stable cyberspace. Traditionally, when offense has the advantage, it creates enormous instability. When defense has the advantage, it creates a more stable environment.
We’re living in a world with an unacceptably high level of instability in the cyber domain. The risks of miscalculation, misinterpretation or even a plain mistake are just too high. Effective use of automation and software-based advanced analytics can help level the playing field between offense and defense and create a much more effective cybersecurity posture for any organization.
About John Davis:
John is a retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks, where he is responsible for expanding cybersecurity initiatives and global policy for the international public sector and assisting governments around the world to successfully prevent cyber breaches.