Are Threat Indicators Enough or Should We Be Looking at Threat DNA?

As the speed and volume of threats today shows no abatement, there is much discussion that the only way to keep pace is through automation and self-learning. Although the answer sounds simple, the tough part is figuring out how we achieve this.

Most attackers look at the broad dossier of attack techniques available today and, like anyone working from a playbook, reuse some of what has been done before while sprinkling in a hint of personalization to make it unique. In today's world this is no longer about simply creating a bad binary object and emailing it around with a smart, socially engineered subject line.

Take, as an example, CryptoWall v3.0. Ransomware is a simple concept; but, to succeed at it, the attackers had to run multiple campaigns with over 4,000 iterations of the attack binary, use multiple exploits (including exploit tools such as the Angler exploit kit), compromise large numbers of public WordPress sites and build a complex array of over 800 command and control sites, just to name some aspects of the overall attack. Once a victim paid, the payment could hop through up to 80 bitcoin wallets before reaching its final destination. Why is all of this so important? The more we can map out attackers, the better we can find and block future iterations of their attacks.

In the physical world, criminals typically look just like every other person; and, today, with over 7 billion people on the planet, finding them can seem like an impossible task. Over the years, law enforcement experts have built techniques to uniquely identify criminals, such as photofits and, now, DNA. Such techniques not only uniquely identify criminals but also help link them to the crimes they have committed.

The same concepts apply in cyber, but today in a less mature guise. We rely on tools to identify unique characteristics, much like looking for eye or hair color. The challenge is that when you look at any such characteristic in isolation, such as a suspicious email attribute or a certain hair color, the level of false alerts can be unreal. The once-unique binary is like a face with makeup: many different permutations are quickly achieved. So we need to look at all the attributes and try to see the whole face of the attack – better still, the DNA of the attack. If we can do this, we can start to see existing attacks more accurately, allowing us to automate. The more we can automate, the quicker we can detect. And, if we can gather the whole DNA, we can start to identify new attacks as they happen by their genetic links.


Going back to CryptoWall, when v4 came out, it had some enhancements. Of course the email messages delivering it changed, as did the binary, so many traditional approaches needed an update. However, most of the underlying infrastructure stayed the same. In the sci-fi film Jurassic Park, they filled in the DNA gaps to rebuild dinosaurs. Here we have the ability to turn fiction into fact: by mapping out the whole attack lifecycle (the DNA of the attack), including all of the indicators aligned to it rather than just the indicators we see compromising the victim, we can better detect and block not just the current attack but all future instances, forcing the attackers to effectively create a whole new dinosaur. In effect, we use the broader attack architecture DNA to fill in the gaps created by the dynamic components, such as the changing binary and delivery wrapping.

Why don’t we all do this today? DNA analysis happens in one lab; most security solutions simply look for an element of the attack. Much like the criminal photofit, they look at maybe the eyes or the nose or the hair — perhaps all three. But they typically don’t see the whole face, and they certainly don’t gather the entire DNA. It’s like having a bunch of labs looking at different atoms trying to join together the strands, which was not historically their goal. Their goal was to block the attack, not understand what makes the attack function in the broader sense.

To identify the DNA, we need to be able to join the right elements together. This means analyzing and correlating these characteristics, looking at the known and mapping it against the unknown, and pulling all of it into a single point of analysis so we can see the big picture. To achieve this at a vendor level, you need solutions that were natively designed to talk the same language; otherwise they are not comparing like for like.

No vendor spans all the security requirements today. This is why protocols such as STIX, TAXII and CybOX have been developed to allow multiple vendors to collaborate in a virtual common lab, such as the Cyber Threat Alliance, which acts as the interpreter, automatically exchanging big data through a common translation structure to support better mapping of the attack DNA. Through this approach, the Cyber Threat Alliance worked collaboratively to uncover CryptoWall 3.

There are many ways of trying to keep pace with today’s threats; each has its own advantages and disadvantages. The challenge, however, is that most are still looking to improve the identification of a characteristic. To better spot the criminal among the billions of faces, we need to leverage every aspect we can to make them stand out as unique and at the same time identify commonality. What’s more important is that, with big data tools and common frames of reference, we can then look for these attributes to find their future faces. At the end of the day, you can easily change individual aspects of your appearance, but it’s extremely hard to change your DNA.

[Palo Alto Networks Blog]

Social Engineering: Placing Obstacles in the Path of Least Resistance

Organizations battle daily with social engineering-based cyberattacks and unfortunately often find themselves on the losing side. What can be done? To determine this, we need to step back from our technological tools and start with the psychological basis of why social engineering works and why it is a tactic of choice for cyber attackers. Armed with that knowledge, organizations can begin to mount a more effective defense.

When people think of social engineering they tend to think of phishing, which is a huge problem. According to the 2015 Verizon Data Breach Incident Report (DBIR), 23 percent of phishing recipients open messages, and 11 percent click on attachments. The 2013 DBIR reported 95 percent of incidents attributed to state-sponsored actors used phishing, and more than two-thirds of cyber-espionage incidents involved phishing.

A cybercrime campaign of only 10 emails yields a greater than 90 percent chance that one person will click on a malware link. Fifty percent of users open emails and click within the first hour of receiving them.

Going Beyond Phishing
But the social engineering problem goes well beyond phishing.

It is no wonder hackers use social engineering techniques; they work. Hackers are in business and are looking for a return on investment. Whether it is stolen identities, bank account numbers, intellectual property or just notoriety, they are looking for a return for their time.

Think of it this way: If you had a choice to spend hundreds of hours scanning networks, identifying operating systems and applications in use, determining vulnerabilities, and crafting malware, or making one phone call pretending to be from the help desk and talking a user out of his/her password, which would you do? Social engineering provides a greater return on investment.

Social engineering is not an invention of the information or even the industrial age; it has been around throughout history—look at the original Trojan horse. There is a psychological basis for why social engineering works. All of the following can be turned against a target to achieve a goal:

  • Trust
  • Sense of urgency
  • Desire to be helpful
  • Curiosity

There are many tools available to cybercriminals to conduct social engineering and gain valuable information from individuals, including Google and other search engines, dumpster dives, simple phone calls to just ask, burner phones (prepaid cell phones replaced frequently to avoid leaving a trail), caller ID spoofing, doppelganger domains, fake public Wi-Fi access points, and, yes, phishing email.

Fighting Back Against Social Engineering
So how do you block this path of least resistance and prevent attacks, detect attacks sooner and lessen impact? First, it is critical to know what information hackers are looking for in social engineering attacks and how to protect it. Having some technical security controls in place is critical, as well. And, finally, awareness training—making your people social engineering attempt detectors—will go a long way in addressing the weakest link in these sorts of attacks—humans.

Douglas Rausch is President of Aurora Cybersecurity Consultants, and an assistant professor of cybersecurity at Bellevue University, Bellevue, NE. His expertise centers on providing risk management, cybersecurity, governance and awareness training expertise to organizations worldwide. He brings 25 years of experience as a cyber operations officer in the US Air Force, leading risk management activities, assessing cybersecurity, and recommending cybersecurity policy and technologies for Department of Defense and Air Force terrestrial and space systems. He was recently appointed to the National Initiative for Cybersecurity Education (NICE), Training and Certification Sub-Working group.

Rausch will present a webinar, Social Engineering: Placing Obstacles on the Path of Least Resistance, on Tuesday, 23 February, at 11AM Central Standard Time. To sign up, click here.

Douglas Rausch, CISSP
President
Aurora CyberSecurity Consultants, Inc.

[ISACA Now Blog]


Locky: New Ransomware Mimics Dridex-Style Distribution

Ransomware persists as one of the top crimeware threats thus far into 2016. While the use of document-based macros for ransomware distribution remains relatively uncommon, a new family calling itself “Locky” has borrowed the technique from the eminently successful Dridex to maximize its target base. We first learned of Locky through Invincea and expanded on qualifying this threat with the help of PhishMe. Locky has also gained enough traction to find its way onto Dynamoo’s Blog and Reddit.

Using Palo Alto Networks AutoFocus, Unit 42 observed over 400,000 individual sessions containing the Bartallex macro downloader, which in turn dropped Locky ransomware onto victim machines. Researchers suspect there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky. This blog post explores this threat further and offers recommendations on mitigating its impact.

Delivery and Installation

Palo Alto Networks telemetry showed that Locky focuses primarily on e-mail delivery through massive phishing campaigns with Microsoft Word document attachments. The subjects for these malicious messages adhere to the following convention:

ATTN: Invoice_J-<8-digits>

The names of the corresponding malicious Word document carrier files match the portion of the e-mail subject line after "ATTN: ", with the "I" in Invoice switched to lowercase and a ".doc" extension appended. An example follows:

Subject: ATTN: Invoice J-11256978
Attachment: invoice_J-11256978.doc
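As an added example (not code from the Unit 42 post), the following Python check derives the expected carrier filename from a subject line that follows this convention and flags mail-gateway records where the subject and attachment line up. It accepts either an underscore or a space between "Invoice" and "J-", since the post's own example uses a space in the subject but an underscore in the filename; the log records are constructed for illustration.

```python
import re
from typing import List, Optional

# Subject convention from the report: "ATTN: Invoice_J-<8-digits>".
# The report's own example shows a space instead of the underscore in the
# subject, so either separator is accepted; the attachment always uses "_".
SUBJECT_RE = re.compile(r"^ATTN:\s*Invoice[ _]J-(\d{8})$")


def expected_attachment(subject: str) -> Optional[str]:
    """Derive the carrier filename described in the report from a subject line.

    Returns None when the subject does not follow the convention. Otherwise the
    derivation follows the report: keep the "J-<8 digits>" token, lowercase the
    leading "I" of Invoice, and append ".doc".
    """
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    return f"invoice_J-{m.group(1)}.doc"


def matches_locky_lure(subject: str, attachments: List[str]) -> bool:
    """True when the subject follows the convention AND an attachment name matches it.

    The attachment comparison is case-insensitive so a gateway that upper-cases
    filenames does not cause a miss; the subject regex stays anchored so replies
    ("Re: ATTN: ...") are not treated as fresh lures.
    """
    expected = expected_attachment(subject)
    if expected is None:
        return False
    return any(a.strip().lower() == expected.lower() for a in attachments)


# Constructed sample mail-gateway records (not from the report). Only the
# first two follow the Locky subject/attachment convention.
SAMPLE_LOG = [
    {"id": 1, "subject": "ATTN: Invoice J-11256978", "attachments": ["invoice_J-11256978.doc"]},
    {"id": 2, "subject": "ATTN: Invoice_J-00000042", "attachments": ["INVOICE_J-00000042.DOC"]},
    {"id": 3, "subject": "ATTN: Invoice_J-00000042", "attachments": ["invoice_J-99999999.doc"]},
    {"id": 4, "subject": "Re: ATTN: Invoice_J-12345678", "attachments": ["invoice_J-12345678.doc"]},
    {"id": 5, "subject": "Your invoice", "attachments": ["invoice.pdf"]},
]


def flag_records(records) -> List[int]:
    """Return the ids of records whose subject/attachment pair matches the convention."""
    return [r["id"] for r in records if matches_locky_lure(r["subject"], r["attachments"])]


if __name__ == "__main__":
    print(flag_records(SAMPLE_LOG))  # [1, 2]
```

Record 3 has a matching subject but a non-matching filename and record 4 is a reply, so neither is flagged; a real deployment would feed the flagged ids to quarantine or alerting rather than print them.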

Our analysis revealed that this ransomware requires command and control (C2) communication for a key exchange, prior to encrypting victim files. It performs its key exchange in memory for this process. This is interesting, as most ransomware generates a random encryption key locally on the victim host and then transmits an encrypted copy to attacker infrastructure. This also presents an actionable strategy for mitigating this generation of Locky by disrupting associated C2.

Unfortunate victims unable to mitigate this threat would see the following ransom demand.

And a subsequent visit to the referenced Locky payment portal site would reveal the following options for victims.

Threat Volume and Targeting

We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined.

Industry analysis of targeting reveals the expected indiscriminate distribution within impacted countries; however, Higher Education, Wholesale and Retail, and Manufacturing make up over a third of observed targeting.

Pairing this volume with the "decryption cost" advertised to Locky victims, it is clear why ransomware in general continues to thrive in the threat landscape. Using some napkin math furnished by our friends at PhishMe, even if one assumed a 50% efficacy / infection rate for these 446,000 sessions and a 1% payment rate of 0.5 bitcoins (BTC) from victims, the currently observed activity alone yields several hundred thousand dollars in profit for Locky's malicious actors.

Conclusion

Locky is aiming high in an effort to join the ranks of other big-name ransomware families. Despite some weaknesses in its current implementation, we can expect to see further developments for this threat in the future. Ultimately, successes experienced by one attacker group embolden and inspire others. It goes without saying that cybercrime adversaries will continue to advance efforts to commoditize the already lucrative, encryption-based extortion of victims.

Defending against ransomware first requires a focus on the basics of a strong security posture: security awareness and the hardening and patching of systems. Ransomware can be especially damaging in enterprises, where this class of threat commonly targets network shares and other media attached to corporate assets. To further reduce associated risks, layered preventive controls are a must.

Palo Alto Networks customers are protected through our next-generation security platform:

  • WildFire successfully detects this threat as malware
  • AutoFocus identifies this threat under the Unit 42 “Locky” tag
  • The C2 domains and files mentioned in this report are blocked in our Threat Prevention product

Indicators of Compromise (IOCs)

Type Indicator
E-mail Subject ATTN: Invoice_J-<8-digits>
Attachment Filename invoice_J-<8-digits>.doc


[Palo Alto Networks Blog]

Traps: Preventing Successful Attacks on Legacy ATM Endpoints

Microsoft discontinued support of the venerable Windows XP operating system (OS) in April 2014. This OS had been a workhorse for over 12 years with a foothold on consumers, enterprises, and embedded systems such as automated teller machines (ATMs).

A year later, it was estimated that 75 percent of the world’s ATMs (2.2 million) were still running on Windows XP. Given the quantity of devices and the geographically dispersed nature of the ATMs, it is reasonable to assume that many of these devices have yet to be upgraded from Windows XP as any upgrade project is logistically daunting. And since Microsoft no longer provides software patches for any security holes, these devices are now more susceptible to malware and viruses. Some financial institutions made custom, extended support arrangements with Microsoft for a short timeframe to provide some protection as upgrade plans were put into motion.

Another factor that many banks and credit unions had to consider was the impending Mastercard deadline for Europay Mastercard Visa (EMV) chip-enabled ATMs. Beginning October 2016, liability for fraud will shift to the ATM owner. Consequently, some institutions opted to accommodate both the Windows XP and EMV chip reader upgrades as part of an overall, strategic plan to refresh their ATM technology. Based on the age of the installed base, this may require both new hardware and software. ATM industry experts have estimated the cost of this upgrade to range from $1,000 to $3,500 per ATM.

For Windows XP-based ATMs that continue to face delays in upgrades, one option would be to add advanced endpoint protection such as Palo Alto Networks Traps. Windows devices are then protected from malware and exploits — without the use of signatures. Traps can disrupt the relatively small number of techniques that malicious entities must use to compromise Windows systems and the remaining Windows XP-based ATMs can be protected even in the absence of future software patches. By implementing Traps, we can help restore confidence in these aging, but still highly visible customer touch points.

In the more general case for financial institutions, Traps can also be used to protect any Windows-based servers, desktops (both physical and virtual), and laptops from malware and exploits. This extends the benefit across the entire inventory of Windows devices from customer-facing ATMs to corporate personal computers and servers.

To learn more about how Traps can protect your endpoints, please visit:


[Palo Alto Networks Blog]

Four Imperatives for Cybersecurity Success in the Digital Age: Part 1

Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.

This blog post series describes what I consider to be four major imperatives for cybersecurity success in the digital age, regardless of whether your organization is a part of the public or private sector.

To provide a sense of what I intend to cover in this series, here are the major themes for each imperative:

  • Imperative #1 – We Must Flip the Scales
  • Imperative #2 – We Must Broaden Our Focus to Sharpen Our Actions
  • Imperative #3 – We Must Change Our Approach
  • Imperative #4 – We Must Work Together

BLOG #1 of 4: Imperative #1

WE MUST “FLIP THE SCALES”

This first blog in the series is about Imperative #1 for cybersecurity success in the digital age.

Before I get to the details of the first imperative, allow me to provide some background and context for all four imperatives, and then I’ll provide an executive summary of the first imperative in case you are pressed for time.

BACKGROUND AND CONTEXT

First, my role as the Federal CSO for Palo Alto Networks requires that I “evangelize” to the various groups of individuals, leaders and organizations with which I interact. My job is to use my past experience to ensure a deeper understanding of the cyberthreat landscape and provide thought leadership about effective concepts to deal with a growing threat while ensuring that leaders can manage risk in ways that enable their business or mission, not detract from or restrict those vital functions.

Second, because of my military experience, I think of effective concepts in terms of several key factors. I use these factors to explain concepts in a comprehensive way, and so I’ll use these factors to describe each of the imperatives for cybersecurity success in the digital age. Figure 1 below provides the four factors that I use; and, below that, I provide some brief definitions:

Figure 1

  • Threat: This factor describes how the cyberthreat is evolving and how we are responding to those changes.
  • Policy and Strategy: Given our assessment of the overall environment, this factor describes what we should be doing and our strategy to align means (resources and capabilities – or the what) and ways (methods, priorities and operations – or the how) to achieve ends (goals and objectives – or the why).
  • Structure: This factor includes both organizational (human dimension) and architectural (technical dimension) structure.
  • Tactics, Techniques and Procedures (TTP): This factor represents the tactical aspects of how we actually implement change where the rubber meets the road.

My last point of background and context is about the digital age, itself. So, what does the digital age environment look like? Two important trends come to my mind.

First, our growing reliance as a society on technology for just about everything we do is only going to increase. This isn’t news to anyone; and, regardless of whether you are talking about public or private organizations, or our personal lives, there is no escaping the level of trust that we continue to place in technology. Equally increasing is the level of connectivity not only between us as a human race but in the devices that we use to do almost everything in our daily lives. The phenomenon of the Internet of Things represents this trend.

The second trend isn’t news to anyone either, so I won’t waste your time going into the details. Just look at the growing list of headlines about cyber breaches across government and industry worldwide. Figure 2 below depicts the most recent list of cyber breaches – it’s a mess! And I believe it’s going to get worse before it gets better. You’ve all heard the tired (but, nonetheless, true) saying, “It’s not a matter of if, but when.” The trend is alarming; and, no matter whether you sit in the public or private sector, you have to understand that the cyberthreat is a serious problem, representing an imperative for change if we are going to be able to continue to place trust in all the opportunity that the digital age promises.

Figure 2
(From “Information is Beautiful” website)

IMPERATIVE #1 – WE MUST “FLIP THE SCALES”

Using Figure 3 below as a reference, we must “flip the scales,” or at least rebalance them, to improve the cybersecurity posture that we choose to live with today. Let me explain what I mean, using the concept model I described above, and step through the implications via the categories of Threat, Policy and Strategy, Organizational and Architectural Structure, and finally Tactics, Techniques and Procedures (or TTP).


Figure 3

EXECUTIVE SUMMARY

We have a math problem that is giving today’s cyberthreats a significant advantage over our ability to secure and defend our networks. This problem pits a growing adversary marketplace – that leverages information sharing, automation and the cloud at increasing speed and decreasing costs – against the cybersecurity community, which is slow, clumsy, largely manual and increasingly expensive.

Part of the reason we have this math problem is due to legacy thinking and resulting policies that heavily favor opportunity and convenience over security and risk management rather than a more balanced approach toward both. Flipping the policy scale from a “trust everything” to a Zero Trust model (“never trust, always verify”) will help to flip the scales on the attacker/defender math problem.

To change the policy balance and drive a real strategy that aligns limited resources and methods to achieve results also requires that leaders enter the decision-making forum when it comes to cybersecurity. A successful organization enables wise leadership to make decisions through collaboration between their IT and cybersecurity experts, working in tandem to provide precise, accurate and clear recommendations. This is how the leadership of an organization can drive successful policy and strategy. It is also how the leadership and tech teams can work toward common goals and routinely demonstrate progress with real, measurable results.

Finally, cybersecurity success in the digital age requires a new way of thinking about our TTP. Implementing real change requires rebalancing performance and security together, just as we also rebalance security and privacy together, empowering IT and cybersecurity teams to partner in a win-win dynamic, rather than pitting one community against the other with win-lose priorities. This is how an organization can go about safely enabling the high performance of its users, using the applications and content the organization requires to do its vital functions, including fixed, mobile and virtual capabilities throughout the organization’s enterprise, from the cloud to the network to the endpoint device – BYOD or otherwise.

DETAILED DESCRIPTION OF IMPERATIVE #1

THREAT: Looking at this concept from a threat perspective, we all know that, today, the Attacker has a distinct advantage over the Defender. That’s not news, and we all know that; but let’s look at why that is true and why it’s only going to get worse unless we do something to “flip the scales” or at least rebalance them toward a better security posture than we choose to live with today.

This is what our CEO at Palo Alto Networks, Mark McLaughlin, calls a math problem. Due to the decreasing cost of automation and cloud-based capabilities, a growing marketplace of threat actor information sharing, and the ever-increasing attack surface with vulnerabilities growing in proportion due to the “Internet of Things” phenomenon, the Attacker’s job is getting cheaper and easier every day. The Attacker only has to be successful once to get into your network and accomplish his or her nefarious intentions.

On the other hand, the Defender has to be everywhere, all the time. Additionally, the Defender, who typically uses manual procedures to respond, doesn’t usually detect the threat in his or her networks until months or even years have passed (the average detection time is more than 6 months according to most cyberthreat research and analysis). This is very costly in terms of time, manpower, technology, complexity, reputation, brand and, of course, money.

To illustrate further, I’d like to use a few numbers to tell a story about the world of protecting your business from cyberattacks and this math problem. I got these numbers from our Regional CSO for Europe and the Middle East, Greg Day.

In 2015, the Application Usage Threat Report from Palo Alto Networks saw 675,000 distinct threats, across almost 3000 applications. These are frightening statistics. But what does this actually mean in real terms to your business, to your team, or to you personally?

To get a feel for that kind of meaning, you need context that’s relevant to your world, so let me give you another number – 1.5 million. According to analysts Frost and Sullivan, this will be the shortfall of cybersecurity professionals by 2020.

This demand outstripping supply is good news if you’re a security professional looking for a job, but bad news if you are trying to recruit cybersecurity professionals into your organization or retain your existing workforce. Many organizations have a model that is becoming harder and harder to sustain in this world of more threats and less security staff at the ready.

Who are these Defenders? CISOs and other IT security professionals, of course, defend their organization – against what, though? Today, it’s not just an attacker; it’s a marketplace, and that means groups of people sharing best practices with each other – trading with each other.

A few years ago some governments were investing huge amounts of resources to develop incredibly sophisticated attack approaches. Today anyone can purchase the same attack kit online for a few dollars, complete with instructions and a how-to-get-started video.

This is why it’s getting easier for Attackers: because of their decreasing costs and the abundance of resources available to them. They only have to be successful once to win, but this is probably a tiny percentage of their attack attempts. Contrast that with the CISO, who has to successfully defend 100 percent of the time. Attackers are crowdsourcing, yet CISOs are on their own.

I’d like to show you, in the following sections of the concept model, how many leaders and security professionals are taking action to alter their defensive model to take advantage of the valuable assets they already have – in other words, “flipping the scales” to give the Defender more of an advantage than he or she has today.

POLICY: The legacy view is that technology is driven by opportunity and convenience (which are built-in) while security and risk management chase from behind trying to catch up (and are, therefore, bolted-on afterwards).

The environment, as shown in Figure 2 above and captured in almost daily headlines about the latest breaches, is changing this balance; but the change is slow and uneven. This change is beginning to drive a need to bring the scales in Figure 3 to a better, more responsible balance.

This includes changing a “left side of the scale” assumption that you’re safe, to a “right side of the scale” assumption that the threat is going to get in, if it hasn’t already, resulting in the need for a Zero Trust environment.

All of the security leaders we talk to want to reduce the workload on their organization. Getting back to the math problem from earlier, here’s another number – 65,000. Like some of the earlier numbers I used, this one also comes from Greg Day, and it identifies some of the reasons the network defender’s workload is so big.

When the Internet was conceived, that was the number of ports of communication that people thought might be needed for all the different traffic and protocols. This provided lots of scope and scale for flexibility.

Today we use very few of these traditional ports. Most of the traffic consists of either email or web-based protocols; however, within these, there are now thousands of Internet applications and each has its own sub-protocols.

You can block the unused ports; but, since almost all the traffic comes through the same few ports that remain, you cannot simply block those as well. Using traditional technology, you have to trust these ports, or you would block out all the traffic you need to run your business.

This policy means that security professionals have to program their legacy firewalls to block traffic using rules that are based on where traffic is coming from, where it’s going to, and what type of traffic it is. And, of course, your organization wants to do new things all the time, so the policies have to change all the time.

So, your starting position is to trust all the traffic going through these few ports. Then you have to block traffic using policies – lots of policies. Policies on top of policies. Rules on top of rules. It’s very difficult to even understand what the policies and rules from the past did and if the new policies and rules conflict in any way. This approach is very costly, labor-intensive and ineffective because it’s using this old frame of reference that only adds complexity and cost to the equation, neither of which are your friends as a cybersecurity professional.

The only way to fix this is to design a totally new type of technology using a different frame of reference – one based on how we use the Internet today. You need technology that understands modern Internet usage and can identify each of the applications that effectively uses its own protocols over the few trusted ports each business has enabled today. This is exactly why Palo Alto Networks has engineered its next-generation firewalls to safely enable the applications and content required by an organization’s users, whether fixed, mobile or virtual, to do the vital functions required for the mission or business (more on this in the TTP portion below).

The balance on the right side of the policy scale is called a Zero Trust model. Trust nothing unless it’s defined as part of how you operate your business. This essential capability is unique. It also allows you to create rules that determine what traffic can flow into your organization. But, instead of being based on the port, the type of traffic, where it’s from, and where it’s going to, it’s based on who wants to communicate and what they want to do. That means the applications and content that they want to use.

The end result is that it’s easy for you to define your company’s way of doing business because you need far fewer policies and they are relevant to how your organization operates. They also make sense, and you can see your security policy written in black and white.

It’s more effective because your starting point is Zero Trust rather than trust everything, and it understands the sub-protocols that modern web applications use. It’s easy to follow and much less work.
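To make the contrast between the two sides of the policy scale concrete, here is an added example (not from this post or from Palo Alto Networks): a toy evaluator in which the legacy rule set starts from “trust the port” and matches on source, destination and port, while the Zero Trust rule set starts from default deny and allows only defined user/application pairs; it also checks for rules shadowed by an earlier, broader rule, one of the hidden conflicts a pile of rules produces. All flows, rules, users, application names and addresses are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# All flows, rules, users, application names and addresses are constructed samples.

@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    user: str     # authenticated user (hypothetical identity source)
    app: str      # application identified from content, not inferred from the port

@dataclass(frozen=True)
class LegacyRule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "deny"
TRUSTED_PORTS = {80, 443}  # the few ports a business cannot simply block

def legacy_decide(flow, rules):
    """Legacy model: first rule matching source, destination and port wins;
    anything unmatched on a trusted port is allowed (trust the port)."""
    for r in rules:
        if (ip_address(flow.src) in ip_network(r.src)
                and ip_address(flow.dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "allow" if flow.dport in TRUSTED_PORTS else "deny"

def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule is at least as broad
    on source, destination and port: one kind of hidden conflict in a rule pile."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append((later.name, earlier.name))
                break
    return found

def zero_trust_decide(flow, allowed):
    """Zero Trust model: default deny; allow only a defined (user, app) pair."""
    return "allow" if (flow.user, flow.app) in allowed else "deny"

LEGACY = [
    LegacyRule("allow-guest-web", "192.168.50.0/24", "0.0.0.0/0", 443, "allow"),
    LegacyRule("deny-guest-to-dc", "192.168.50.0/24", "10.0.0.0/24", 443, "deny"),
]
ZERO_TRUST = {("alice", "crm-web")}  # who may communicate, and what they may do
FLOWS = {
    "alice_crm":   Flow("192.168.50.10", "203.0.113.5", 443, "alice", "crm-web"),
    "alice_proxy": Flow("192.168.50.10", "198.51.100.7", 443, "alice", "anonymizer"),
    "guest_dc":    Flow("192.168.50.20", "10.0.0.5", 443, "guest", "file-share"),
}

if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(f"{name:12} legacy={legacy_decide(f, LEGACY):5} "
              f"zero_trust={zero_trust_decide(f, ZERO_TRUST)}")
    print("shadowed (never fires, shadowed by):", shadowed_rules(LEGACY))
```

The legacy set lets the anonymizer and the guest-to-datacenter flow through on port 443 and silently never applies its own deny rule, while the Zero Trust set allows only the one defined pair and needs no port reasoning at all.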

ORGANIZATION: The decision-making forum when it comes to dealing with cyberthreats has traditionally been within the technical (CIO/CISO/CSO) community, but the exploding threat problem along with the changing balance between opportunity/convenience and risk are driving the decision-making forums into C-Suites and boardrooms; no longer are they solely within the purview of the IT community. This is becoming and, in more and more cases, has already become a leadership issue rather than just a technical one. So this scale has already begun to flip – and that’s a good thing!

Leadership is one of the most critical aspects of this imperative about changing the balance on these scales and creating an environment where those in the business of driving cybersecurity within an organization can begin to acquire an advantage over the threat.

Leadership from the top drives the prioritization of resources and assets, enables an effective strategy that aligns the ways and means to achieve real goals, and requires that the team routinely bring back results that can be measured in relationship to the bottom line, whether you are a business or a national security organization.

This changing balance within the decision-making forum in no way diminishes the role of the technical community in the overall decision process. The tech community must take greater care than ever before to educate their leadership in clear, accurate ways so that wise decision-making is the result.

Let’s face it – not all of our senior executives have the technical background to readily comprehend all of the details required to address what can be a very mysterious and complex problem set. It’s incumbent on the leader’s technical experts to explain issues in plain English to the maximum extent possible.

Use of analogies can be tempting; and, sometimes, that may be a good way to explain something that is familiar to a leader’s background and experience. But beware, the technology environment associated with cyberspace has some of the most significant distinctions that I’ve personally ever witnessed when compared to the traditional physical “domains.”

Scale, speed, and complexity (especially given the blurring of lines between human interaction with cyberspace and the various layers of technical, logical, physical and geographic segments) make analogies dangerous because, inevitably, the analogy falls apart at some point, and senior executives who think they understand what decision to make based on an imprecise analogy can be making serious mistakes.

TTP: So why is it that it seems we continue to lose, and the problem is getting worse and not better? Why haven’t we all had a “Cyber Pearl Harbor” or “Cyber 9/11” epiphany? From what I can see, it’s because there is still, what I believe to be, a false narrative about the balance between security and performance – that you can only increase one at the expense of the other.

This has traditionally been described as a “win-lose” dynamic. And, in the world of business just as in the world of national and economic security, performance always wins, which is why most CISOs report to CIOs. And when they don’t, it’s always a win-lose proposition pitting one community against another.

The fact is that, in this new environment, security and performance go hand in hand. So how do we enable a “win-win” dynamic? How do we put security into a model that safely and effectively ENABLES performance, across all users, using all their applications, all their content, including mobile and virtual devices? Is that even possible? If your cybersecurity solution provider isn’t working toward that objective, shouldn’t they be?

As we saw in the threat discussion above, organizations are faced with the situation where the attacker has low costs and automation. And the defender has high costs and human beings performing manual tasks.

This is why leaders are looking for another way because this model is hard to sustain. Perhaps it is even unsustainable.

Imagine if you could change the balance. At the moment this precious resource – your staff – is focused mostly on discovery. Taking productive business action is secondary. This model gives a poor return. What if your people only took productive business action and the discovery part was automated? That model would give you a much higher return. More on manual vs. automated in one of my next blog posts about other imperatives for cybersecurity success in the digital age.

One thing that I think can help us to pursue more of a win-win dynamic is to speak with more clarity and accuracy about what we are trying to do with information sharing in order to provide “cyber” security and distinguish that from some of today’s conflated ideas about providing “traditional” security and the associated “surveillance” issues that get carelessly lumped into the cybersecurity discussions.

So in addition to the false narrative about performance vs. security, I think there’s another false narrative about security vs. privacy. In the cybersecurity world, unlike the world of counterterrorism and surveillance issues, security ensures privacy – it doesn’t detract from it! For example, we should begin to clearly identify exactly what kind of cyberthreat information needs to be shared, and how a narrow focus on that specific information has little (or maybe even nothing) to do with privacy-related information.

I’ll cover more about information sharing in Imperative #4; but, for now, let me summarize the key tenets of this first imperative about “flipping the scales.”

CONCLUSION

Cybersecurity success in the digital age requires us to take action to change several important dynamics that are currently out of balance.

Legacy thinking and resulting policies put the cybersecurity community on the wrong side of a math problem when it comes to the threat, and in a win-lose dynamic with both the IT community and our leadership when it comes to choosing between performance and security. We have to “flip these scales,” and this effort must be driven by the organization’s leadership with the active participation of the IT and cybersecurity communities working toward common goals within an organization.

We also need to start throwing the weight of our technology, processes and people on the side of the scales favoring next-generation technology that recognizes the way the Internet works today, leverages the powerful advantage that automation can bring to discovering threats on a wider scale and in reduced time, and saves our most precious resource – our people – to do what only people can do instead of spending all of our resources in “cleanup on aisle 9” mode.

Next in this blog series will be Imperative #2 for cybersecurity success in the digital age … We Must Broaden Our Focus in Order to Sharpen Our Actions.


Written by John A. Davis, Major General (Retired) United States Army, and Vice President and Federal Chief Security Officer (CSO) for Palo Alto Networks

[Palo Alto Networks Blog]
