17 February 2017

Ending America’s Defensive Cyber Posture

By Steve King

I love Rudy Giuliani, but I have never understood his position on cybersecurity "offense versus defense."

He recently stated in several interviews that our cybersecurity offense has gotten way ahead of our defense, and somehow it is tied to money. I am sure he has a good basis for his opinion, but in many ways the reality of the nation’s cybersecurity posture is the exact opposite.

If anyone is making money in cybersecurity, it’s the defense guys. Not that any of it is working, but that’s where the money is. We will see more than 400 exhibitors at this year’s huge cybersecurity conference (RSA in San Francisco this week) and all of them will be focused on defense.

We are now fighting a cyber war against very sophisticated and highly organized adversaries, yet we still approach cybersecurity with a strictly defensive mindset. Our insistence that having the best defense will keep us safe has resulted in more than $85 billion in venture capital funding for security technologies that are designed to defend against advanced adversaries. These are the same adversaries who continue to demonstrate their ability to break through any defense at any time and do whatever they want.

We need to start approaching security by thinking about how we can stop an offense, which is different from mounting a defense. Think about armed sentries standing at watch in a gated community. That’s defense. Now think about a supplemental recon force patrolling the grounds armed with intelligence and tracking tools, looking for intrusions and perimeter penetrations. That’s stopping an offense.

Instead of focusing all of our energies on our vulnerabilities as we have in the past, we need to organize in a way that seeks out the attacker's footprints, their behaviors, and their weaknesses so that we can start using the enemy's activities to our offensive advantage. We need to shift our mindset to view the corporate or government computing environment as a battlefield and begin to adopt classic military principles to gain an advantage and balance the asymmetry that is now killing us.

In every aspect of the cybersecurity battle, from economics to information, and from technology to education, we are outgunned. A single bank, JPMorgan Chase, spends $500 million a year to defend against a $25 exploit purchased on the dark web by some guy somewhere with a PC and an internet connection.

We know nothing about our attackers (the interference of Russian hackers in our recent election is still not proven, nor is the attack on Sony Pictures), yet our attackers know everything they need to about us. Why? Because they probe, attack, and learn exactly which technologies we are using to defend ourselves. We are at a severe informational disadvantage.

We use outdated technologies to defend critical assets (the Office of Personnel Management records were defended by a 12-year-old technology) and remain focused on our perimeters, our end-points (mobile phones and desktops), and our websites, while our attackers have figured out long ago how to get around, through, and under every defense we mount.

This isn't because we haven't figured out how to apply artificial intelligence, machine learning, big data, predictive analytics, and advanced behavioral modeling — we have.

Finally, while the North Koreans, Iranians, Chinese, and Russians are drilling tens of thousands of students in the nuances of cybersecurity hacking, defense, and attack vector development, our colleges here in the U.S. offer almost no coursework in cybersecurity, even inside computer science curricula. It should also be stated that it is really hard to get into those programs over there. In addition to being math and computer geniuses, the applicants must speak and write fluent English.

In order to shift this dynamic, we need a combination of rich, active data and advanced analytics so we can link individual behaviors to an entire campaign and catch an attack before it has the ability to develop. This means constantly performing reconnaissance and collecting information and analyzing it in real time. With this knowledge, we can begin to control our environments instead of allowing the attackers to dictate the terms.
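What "linking individual behaviors to an entire campaign" looks like in practice is event correlation across the kill chain: each observation on a host (an Office application spawning a shell, a scheduled task being created, a connection to an address the environment has never talked to) is weak on its own, and the chain is the signal. The script below is an added example written for this page, not code from the author or from Netswitch. The log lines, the allow-list of known-good addresses, the process and tool names in the stage rules, and the 30-minute window are all constructed assumptions for illustration.

```python
"""Correlate low-signal host events into a campaign-level finding.

Added example for this article, not the author's or any vendor's code.
The telemetry, allow-list, stage rules and time window are constructed
assumptions; swap in your own EDR/proxy fields in parse() and classify().
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real incident).
# Format: timestamp host event_type detail
SAMPLE_LOG = """\
2017-02-10T09:01:12 ws-117 process winword.exe->powershell.exe
2017-02-10T09:01:40 ws-117 process powershell.exe->schtasks.exe
2017-02-10T09:03:05 ws-117 netconn 203.0.113.45:443
2017-02-10T09:05:00 ws-042 process explorer.exe->chrome.exe
2017-02-10T09:06:30 ws-042 netconn 198.51.100.7:443
2017-02-10T11:30:00 ws-117 netconn 203.0.113.45:443
"""

WINDOW = timedelta(minutes=30)          # assumption: stages must land within 30 min
KNOWN_GOOD = {"198.51.100.7"}           # assumption: addresses the estate normally uses
STAGE_ORDER = ("execution", "persistence", "c2")

# Stage rules (assumptions): each maps one observation to a kill-chain stage.
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
PERSIST_TOOLS = {"schtasks.exe", "reg.exe", "sc.exe"}


def classify(event_type, detail):
    """Return the kill-chain stage an event belongs to, or None if routine."""
    if event_type == "process":
        parent, _, child = detail.partition("->")
        if parent in DOC_APPS and child in SHELLS:
            return "execution"          # document app spawning a shell
        if child in PERSIST_TOOLS:
            return "persistence"        # scheduled task / registry / service
    elif event_type == "netconn":
        ip = detail.rsplit(":", 1)[0]
        if ip not in KNOWN_GOOD:
            return "c2"                 # outbound to an address never seen before
    return None


def parse(log_text):
    """Turn the constructed log format into (timestamp, host, type, detail)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return events


def correlate(events, window=WINDOW, min_stages=2):
    """Per host, slide a window over staged events and report the chain that
    covers the most distinct stages, if it reaches min_stages.

    Isolated hits (one odd process, one new IP) never fire; a sequence of
    different stages on one host does."""
    by_host = defaultdict(list)
    for ts, host, etype, detail in sorted(events):
        stage = classify(etype, detail)
        if stage:
            by_host[host].append((ts, stage, detail))

    campaigns = {}
    for host, staged in by_host.items():
        best = None
        for i, (anchor, _, _) in enumerate(staged):
            chain = [(ts, s, d) for ts, s, d in staged[i:] if ts - anchor <= window]
            stages = {s for _, s, _ in chain}
            if len(stages) >= min_stages and (best is None or len(stages) > len(best["stages"])):
                best = {
                    "host": host,
                    "start": anchor,
                    "stages": sorted(stages, key=STAGE_ORDER.index),
                    "evidence": chain,
                }
        if best:
            campaigns[host] = best
    return campaigns


if __name__ == "__main__":
    for host, c in correlate(parse(SAMPLE_LOG)).items():
        print(f"{host}: {' -> '.join(c['stages'])} starting {c['start']}")
        for ts, stage, detail in c["evidence"]:
            print(f"  {ts}  {stage:12} {detail}")
```

On the constructed input only ws-117 is reported, with the execution, persistence and command-and-control stages chained within two minutes; the workstation that browsed to a known-good address produces nothing, and the later repeat connection from ws-117 falls outside the window of the first chain, which is the kind of beaconing a follow-on rule would track. The point of structuring detection this way is that each stage rule can stay loose (and therefore noisy) because the chain, not the single event, is what pages an analyst.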

So, why aren't we doing it?

Cybersecurity resides in IT, and IT departments aren't run by people who view security issues with a military mindset. Today's IT leaders evaluate security incidents in isolation and don't think of their IT ecosystem as a field of battle, or for the most part acknowledge that we are at war. In addition, most IT leaders are still evaluating second-generation cybersecurity technology while our enemies are using third-generation attack techniques.

We have successfully launched advanced artificial intelligence products that can perform sophisticated analytics on threat data and reduce the incidence of potential compromise by 85 percent, but they have had trouble gaining traction. This technology is in use in only a handful of companies.

The bad guys continue to outpace the good guys in every aspect of cyber crime. While this fact is troubling to businesses and organizations dependent on increasingly digital operations, it is beyond troubling in the internet-connected physical world. The boundaries between cyber and physical security are disappearing.

The intrusion at the Bowman Avenue Dam near Rye Brook, New York, is a good example of an attack by a nation-state adversary that reached the control system for the dam's sluice gate; the 2016 federal indictment charged the attackers as working for Iran, and noted that the gate happened to be disconnected for maintenance at the time, so the access rather than any damage is the point. They didn't want to steal anything. The purpose of that attack, and arguably of the Dyn attack last October, which knocked many major websites offline for much of a day, was to test how well our critical infrastructure is defended. Last year alone, Homeland Security responded to 245 cyber incidents reported by critical infrastructure operators, 32 percent of them in the energy sector alone.

I can only hope that a review of the conditions on the ground caused the Trump team to delay the executive order. Maybe we will start to take the problem seriously after all.

Steve King is the COO and CTO of Netswitch Technology Management.