Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Discover which applications and threats are exposing vulnerabilities in your security posture using our Security Lifecycle Review (SLR). Learn how you can benefit from our comprehensive SLR report in this video by Scott Simkin, Senior Threat Intelligence Manager.
On June 21st our CEO, Mark McLaughlin, spoke in front of President Obama’s Commission on Enhancing National Cybersecurity. The Commission is holding open meetings around the country to hear from cybersecurity experts and gather input for a set of recommendations they are expected to announce in December. Mark was one of a handful of CEOs and technology officials from the Bay Area to present to the Commission at its conference focused on “Innovation for the Future of the Digital Economy.”
This Commission has its work cut out for them. Enhancing national cybersecurity is a massive challenge, and there are no simple, quick-fix solutions. Yet, it is a challenge that must be undertaken—and one that can be successful.
At the heart of the current cybersecurity battle is a math problem. Unfortunately, today, this math problem overwhelmingly favors our adversaries. Here’s why: The cost of computing power required for malicious actors to launch successful cyberattacks has been decreasing dramatically for decades. Coupled with the widespread availability of black market malware and exploits, our adversaries are able to conduct increasingly automated, successful attacks at little to no cost.
In the face of this automated onslaught, the network defender is generally relying on decades-old security technologies, often cobbled together as multiple layers of point products that are not designed to communicate with each other. This lack of automation and interoperability has become increasingly problematic as networks grow in complexity due to macro technology trends like the adoption of virtualization, software as a service (SaaS) technologies, cloud computing, mobility, and the internet of things. This increased complexity of enterprise architecture and independent security controls creates a dependence on one of the least scalable resources organizations have—people—to manually fight automated, machine-generated attacks. As defenders, we are simply losing the economics of the cybersecurity problem.
That’s why cybersecurity innovation must be focused on prevention.
Prevention means significantly decreasing the likelihood—and increasing the cost—of malicious actors launching a successful attack. We should not assume that attacks are going away or that all attacks can be stopped. The outcome we should strive for isn’t to eliminate all risk but to change the economics by making it more expensive in terms of resources, time and personal impact to launch a successful attack.
Innovative approaches—effectively applied to people, process and technology—can be one of the key principles in regaining leverage against our adversaries and achieving prevention.
First, we must develop technologies that work together seamlessly to enhance the security of individuals, enterprises, and the broader ecosystem. Simplification and automation are essential for making networks adequately defensible. Security technologies must be leveraged as part of natively integrated platforms, and capable of automatic reprogramming based on new threat information, to prevent threats across all stages of the attack lifecycle—on the network, in the cloud, and at the endpoint.
For example, Palo Alto Networks next-generation firewall customers around the world receive new preventive measures every five minutes – these average 1.1 MILLION new preventive measures week – based on the automated discoveries made by our WildFire advanced persistent threat detection capabilities. There is no way that people could manually generate this volume of prevention to keep up with the evolving threats seen across our base of 30,000+ customers.
To build upon such a platform, security technologies need to be fully integrated as part of a larger, global ecosystem. More specifically, this ecosystem must incentivize information sharing, leverage open source integration APIs, and develop interoperable technologies capable of automated security—including through partnership with complementary technologies from third-party companies.
We also need to ensure that our workforce is trained and leveraged with the right mix of automation. If we build our workforce development plans on a foundation of automated technology, we can ensure that we are recruiting and training people in a more targeted way for only those jobs that require a human’s sophistication and critical thinking. Absent automated defense, we are left with the impossible task of staffing every organization’s security operation’s center with tens of thousands of people simply responding to alerts of successful attacks. As our adversaries become increasingly automated, it is simply unscalable as a defense model to manually combat functions that could be more effectively addressed by automated technology.
Finally, we need to start educating children at the earliest possible age so that cybersecurity is fundamental. We must ensure that hands-on training with innovative security technologies is ingrained in educational curriculum. And we must leverage innovative technologies, like those that enable long-distance virtualized learning, to educate more people, and faster.
We applaud the tremendous work being done by the new Commission, and, as a company, were honored to be part of their deliberations. We hope if they only remembered one word from Mark’s presentation that it was “prevention.”
The Federal Risk and Authorization Management Program (FedRAMP) Project Management Office officially released its High baseline for High impact-level systems. This baseline is at the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199; and is mapped to the security controls from the NIST SP 800-53, Rev. 4 catalog of security controls. Previously, the FedRAMP authorization process was only designed for low and moderate impact systems. The number of controls for each of the FedRAMP defined impact system levels is presented below:
The release cumulates several months of work from the FedRAMP PMO, numerous agencies, cloud service providers and key stakeholders that established the draft baseline, collected industry and federal comments, and completed pilot programs.
FedRAMP High Baseline The establishment of the FedRAMP High Security baseline is critical for federal agencies to migrate more high-impact level data to the cloud. The High baseline is the strongest FedRAMP level to date, covering sensitive, unclassified data. According to FedRAMP Director Matt Goodrich, most of the information to be covered under the High baseline will be law enforcement data and patient health records. This should cover the needs of several civilian agencies, the Department of Defense (DoD), and the Department of Veterans Affairs (VA).
FedRAMP High Baseline Authorized Cloud Service Providers The three Infrastructure-as-a-Service (IaaS) providers who participated in the FedRAMP High baseline pilot program and achieved Authorization are:
Microsoft’s Azure GovCloud
Amazon Web Services GovCloud
CSRA / Autonomic Resources’ ARC-P
Federal agencies are able to review these vendor’s security packages, through OMB MAX, to begin to use these services immediately.
Coalfire was one of the earliest Third Party Assessment Organizations (3PAO) in FedRAMP, providingFedRAMP assessment or advisory services to cloud service providers in pursuit of their FedRAMP P-ATO or Agency ATO. If you’d like to talk to one of our staff about the new FedRAMP High baseline or have questions about the FedRAMP process, please contact us.
Abel Sussman, Director, TAAS–Public Sector and Cyber Risk Advisory, Coalfire
This past week, Palo Alto Networks hosted our very first Intern Tech Week to give our interns the chance to connect with teams from different branches of the company. It was an opportunity to not only learn more about Palo Alto Networks products but also see how they are made.
We kicked off the week last Monday with a deep dive from the creative minds behindAutoFocus. Scott Simkin, Senior Threat Intelligence Manager; Bilal Malik, Senior Product Manager; and Farshad Rostamabadi, Software Engineering Manager, discussed how they worked as a team to create a game-changing product that provides actionable threat intelligence to businesses and governments.
Tuesday began with a field trip to Flex to discover how our products are made. Vonnie French, Vice President, Supply Chain Operations, and her team provided an overview of the manufacturing organization and took the interns on a tour of the factory to see the entire cycle, from where the products are built to how they’re packaged and shipped to our customers.
The interns then met up with their hiring managers at Baylands Park to enjoy some good eats and fun outdoor games.
On Thursday, we got to find out what goes on in the mind of a hacker! Bryan Lee from Unit 42 stopped by to discuss what motivates hackers and what the future looks like for the cybersecurity industry. Ashwin Dewan, an intern from Product Management, learned a few new things from Bryan. “The presentation from the Unit 42 researcher helped me understand the company mission and vision,” he said. “Palo Alto Networks exists because hackers do, and understanding what a hacker is, and does, is as important as understanding any particular part of the platform.”
We ended the week with a great talk by our InfoSec Team. Rinki Sethi, Senior Director, Information Security, led a presentation with Lucas Moody, CISO, and other Information Security experts. This engaging panel discussed how they work to protect our brand and people using our best-in-class products. They also led the interns through an exercise of thinking through risk assessments, giving them a glimpse of what our customers do on a daily basis.
One of the main goals of our Summer Intern Program is to provide our interns with experiences that offer them a meaningful connection with our business. By hosting this Tech Week, we wanted our interns to learn more about the company and our products and get a glimpse into what our culture is truly like.
We think we achieved this because, as the week wrapped up, Channel Operations Intern, Jennifer Lu, said, “Seeing all the different people that made time for us interns, from Nir [Zuk] to Unit 42 to the InfoSec team, I really felt like I was part of Palo Alto Networks. I could clearly see the incredibly supportive, humble, and collaborative culture from every person I met at Tech Week! We are thankful for all of the great speakers we had this week and we already can’t wait for next year!”
When speaking to people who never considered a career in cyber or information security, we often find an audience put off by the perception that it is only for the technically minded. This couldn’t be further from the truth! Lucy Chaplin, a young consultant from the United Kingdom (U.K.) who became an Associate of (ISC)2 last year, demonstrates the possibilities.
Lucy considers herself lucky to have missed out on graduate programme schemes for management consulting. Coming out of Bristol University in 2012 with an honours degree in Economics and Politics, these programmes seemed to be the obvious choice at the time; and she made a concerted effort to contact The Big Four global consulting firms and small consultancies alike. Her research led to KPMG’s risk consultancy practice, which was a little bit more technical than the career she had imagined, but not daunting.
“I have never looked back. I asked for the opportunity to speak to as many people as I could around different practice areas and it became obvious that this was a high-growth industry that promised a lot of opportunity,” Chaplin says.
Celebrating her 25th birthday this year, Lucy is well aware that her choice has fast-tracked her career. She has worked on a variety of business, technical and strategic programmes examining technical risk, business resilience, infrastructure, cybersecurity and now Data Insight Services, where she helps clients take advantage of the volumes of data they have running through their systems to maximise the impact of their data and reporting. Her assignments have even included a stint on the McLaren Alliance, where she got a close-up view of the cars and met star Formula One driver Jenson Button.
Given the level of information and IT security required in the work she was doing, Lucy sought to solidify her knowledge in this area. Luckily, she was supported by her employer to pursue the Certified Information Systems Security Professional (CISSP®). She is now an Associate of (ISC)2 while she gains the five years’ experience required for full professional recognition.
“This was a great credential to work for because it really helped me get a broader view of the field, and the directions I could take in my career,” she says, adding, “As a young female who hadn’t studied the area, it also demonstrates that I understand the technical aspects of what I am working on. I continue to be very business-oriented, with a strong understanding of how technology works; but I have never had to be a technology expert. I work with others when such deep expertise is needed.”
What advice would Lucy give to graduates today?
“When you graduate, there is so much pressure on you from employers, family and peers to have a clear idea of what you want. But I got into a field that was changing too much to be able to build a five-year plan. In this organisation, my five-year plan changes with both the firm’s and my priorities. Take the time to talk to as many people as you can. Ask recruitment agents to refer you to people who can talk to you about their work. Attend events and ignore the pressure — let them tell you what is possible.”