The next phase in continuous cyber defense and what it means
An interview with Kim Watson, Technical Director of the Integrated Adaptive Cyber Defense (IACD) initiative at JHU APL
Is it possible to get access to, and process, all the relevant information available in order to improve cyber defense? The threat landscape continues to evolve, and new and ever more sophisticated TTPs (tactics, techniques and procedures) are used by adversaries, while cybersecurity teams have a new arsenal of AI/ML and orchestration tools that may offer relief for overwhelmed security staff, whose efforts are gaining increased attention from the C-suite.
The current state of cyber defense demands that a lot of data be acquired and analyzed in real time, in new and different ways, and that the people involved be able to make decisions as quickly as possible to inform cyber defense countermeasures. So, how can we improve our processes to enable real-time decisioning, make better use of data, and supervise automation as the next phase in adaptively meeting cyber threats?
We interviewed Kim Watson, a technical director of the Integrated Adaptive Cyber Defense (IACD) initiative, to get her perspective on these questions and the next phase for continuous cyber defense.
Q: Do you believe organizations are serious enough about addressing cyber security? Is (enough) progress being made? Or, are cybersecurity risks and liabilities being treated as “the cost of doing business?”
There was a time when the senior security manager had to convince the C-Suite that the cyber threat was real and that a successful compromise would impact the business. Then multiple high profile breaches and attacks demonstrated not only the reality of the threat, but also the financial and reputational impact to compromised organizations. Now the C-Suite and Board of Directors are educated on and asking about cyber security. Progress is being made, but there will always be a cyber “cost” to doing business in today’s interconnected and network-centric operating environment.
Q: What do you see as the biggest risks and challenges - the growth in volume, the increased speed of information and/or the increased sophistication of the adversaries? Is the IT community sufficiently acknowledging and addressing these challenges?
In my opinion, the biggest risk is the evolving threat landscape while the biggest challenge is overcoming the limitations created by our own perspective on cyber security. While it is true that the adversary has the natural advantage, this is not the reason why cyber operations cannot effectively protect and defend against the threat. I believe that as long as cyber security is funded, managed, and measured independent of business objectives, then the security posture of an organization cannot match its desired risk posture. We need to think about cyber security in a fundamentally different way. We need to: stop equating compliance status with security posture; coordinate and jointly prioritize SOC and IT asset management activities; measure the health of our operations instead of the state of our assets; and evolve static and manually-intensive security processes to enable the appropriate use of automation.
Q: What are your thoughts regarding the current threat landscape as it pertains to the state of network monitoring? Do organizations understand the benefits to be had by implementing new technologies resulting in continuous real-time decisioning / tighter decision loops?
We must improve the speed and scale of cyber defense. Current cyber operations do not consistently address threats and risks in cyber-relevant time (i.e., where the defender’s decision loop finishes “inside of” or disrupts the adversary’s decision loop). Current threat intelligence sharing and network monitoring tends to focus on state or observables, which limits the value of what is detected and, by extension, the scale of the defenses that can be deployed in response. Characterizing and identifying adversarial behaviors (e.g., TTPs) enables organizations to deploy capabilities to protect against, monitor for, and respond to these behaviors across their systems.
To get back to your question, capabilities that improve the speed and scale of cyber defenses are dependent on a level of visibility that current monitoring implementations do not provide. There is a need for something equivalent to real-time network telemetry, as well as rapid access in an automated manner to the data that provides associated context to support decision-making.
Q: Will the promise of continuous (near) real-time threat detection and remediation ever become a reality?
I absolutely believe it will. Why? The current industry investment in AI/ML, the inherent uncertainty in cyber systems, and the maturity of these capabilities in related problem spaces (e.g., fraud detection) establish a solid foundation for supply, demand, and adoption of such capabilities. I believe that continuous (near) real-time analytics platforms will be deployed to identify: suspicious/malicious behaviors, conditions that impact system or business performance, and situations when operators need to “take back the wheel”.
Q: What is your vision for the next stage in the evolution of monitoring and decisioning as it pertains to cyber defense?
Data collection and monitoring will evolve to support automated sense- and decision-making. The previous generation of monitoring was designed to provide situational awareness and alerts to operators to support human understanding and decision-making. Then we moved into the age of big data and analytic platforms. Monitoring systems collected as much data as possible and structured it such that the analytics could perform more complex sensing and sense-making to provide more timely alerts and more comprehensive situational awareness to operators to support Course of Action (COA) development. I consider the next stage to be an evolution because the role of the human changes. The monitoring will be optimized for AI/ML algorithms and automated decision support and decision-making processes. Humans will approve, audit, or monitor the effect of the decision.
Q: Will purpose-built, turnkey threat analytics solutions persist? Conversely, are we getting to the era where dedicated IDS/IPS, firewalls and SIEM solutions… become disaggregated into sensors and “software driven network functions” - communicating with, and under the direction of, advanced analytics, AI and ML workflows?
Industry has shifted to the business model of the cyber security platform where integration, automation, and orchestration are supported by default. There will always be a small set of products that optimize the decision loop for a specialized problem, but even they will need to have integration points such that they can be a sensing, sense-making, decision-making, or acting source for the other capabilities in the organization. Improving cyber defense at speed and scale implies that every step of the current decision loop increases in complexity.
Advanced analytics and algorithms will be critical to implementing this more complex decision loop and will need to be able to access and task disparate network functions in a coordinated and automated manner.
- Sensing shifts from detecting alerts/events to detecting threats/attacks.
- Sense-making shifts from correlation to remove false positives to understanding the business/system context to determine scope of compromise.
- Decision-making shifts from approving response actions to using local policy, internal context, and external information to determine an appropriate course of action (COA) or set of COAs.
- Acting shifts from executing an action to executing a COA, which involves coordinating a set of tasks across independently managed organizational processes.
Q: Given the dependency on data in most organizations, do you see the potential for convergence between network, security and identity solutions that could result in a mega-analytics service or will industry specific solutions persist?
I think that there will be a set of “interface points” defined by these cyber security platforms that will enable the convergence of services and solutions to ease integration and automation in operational environments. Different organizations will invest in different models for shared and managed services, to include analytic services. I suspect there will be a few mega-analytic service offerings, but I know that certain industry or sector specific solutions will persist. Most organizations will probably have both in their environments simultaneously.
Kimberly K. Watson is a member of the Senior Staff at the Johns Hopkins Applied Physics Laboratory and is a Technical Director for Integrated Adaptive Cyber Defense (IACD).