This month, Symantec caught up with Don Maclean, Chief Cyber Security Technologist, DLT, to get his thoughts on today’s top cyber challenges. You can hear more from Don at the Symantec Government Symposium on Oct. 30, as he shares his perspective on the “Aligning Cyber Priorities and Modernization Policies” panel.
1. Agencies are dealing with so many cyber challenges – siloed systems, constrained budgets, workforce shortages, mandate upon mandate, etc. In this tough environment, how can they innovate to affect real change?
It’s difficult for government agencies to innovate, although there is movement in that direction. For instance, the Defense Innovation Unit (DIU) program, along with the numerous awards and research programs for the use of distributed ledger and blockchain technologies, point to the government’s willingness to spur innovation in industry and in its own proprietary operations. The key is to understand that if you don’t innovate, the bad actors will. History shows that bad actors use the best technology for the worst purposes. As soon as cloud services became prevalent, we saw cyber adversaries using cloud deployments to carry out distributed denial-of-service attacks, mine bitcoins, and implement machine-learning attacks on victims. As soon as digital currency became viable, we saw bad actors using it to get ransomware payments anonymously.
Innovation requires a commitment to long-term benefits as well as a willingness to “fail.” In this sense, “failure” should not imply a deficiency of competence, but rather an effort that did not yield the results expected while also generating important new insights.
2. As the attack surface expands due to the cloud, mobility, and IoT, how can agencies get a better handle on their data – what they have, where it resides, and who has access to it – so they can better protect it?
In the new version of the Risk Management Framework, NIST has included a new step: “Prepare.” This step is much more than simple common sense or exhortation to get ready for a big effort. Its purpose is to ensure involvement by upper management in cyber security programs. One of the most important contributions upper management can make is to prioritize and identify agency missions, and the data – “high-value assets” as they are now called – that supports those missions. So, to get a handle on the data, you need to understand the missions the data supports – which upper management typically has the best perspective on.
3. How can we better leverage threat intelligence across the public and private sectors to stay ahead of the bad guys?
Remember that a threat feed is not threat intelligence. A list of suspicious IPs or URLs is great, and you can automatically block those. This type of data – operational intelligence – is often confused with “threat intelligence.” Operational intelligence comes from computers, while strategic intelligence comes from humans. Can you derive from threat data the intelligence you need to make decisions about incident response, or about long-term security strategy? Are you seeing an uptick, for instance, in malicious domain names generated by algorithms? If so, what products, technologies, or procedures should you consider? That is threat intelligence vs. threat data in a nutshell.
4. What are some interesting cyber use cases you’re seeing in AI and machine learning?
There are many, but natural language processing to identify phishing and SPAM is certainly high on the list. Identifying beaconing, to stop command and control traffic is also important, not to mention machine learning to identify URLs created by domain-generating algorithms. Remember, though, that if you can use it, the bad actors can use it too. Bad actors are foiling machine-learning defenses by “training” those systems to recognize bad traffic as innocent.
5. If you could look into a crystal ball, what do you think is next for cyber innovation?
Machine-learning and AI will play an ever-larger role. Many of the concepts and approaches to AI and ML have been around for a long time – decades, even – but were impractical because they needed massive resources for implementation. Recently, as machines grow more powerful, but especially since cloud services provide enormous computing power, AI and ML have gained ground, not just in cyber security, but in many other fields as well. On another front, we’re seeing a lot of interest in blockchain and distributed ledger technology, in areas such as supply chain management, and possibly in ensuring the integrity of voting data. There are some other new ideas coming out, too, but I’m not at liberty to talk about all of them!