Andrey Kuzmin - Fotolia
Cyber security is an economics problem, according to Richard Struse, chief advanced technology officer at the US Department of Homeland Security.
“The application of cyber threat intelligence with automation can help change the economics away from benefiting our adversaries to benefitting the defenders in cyber space,” he told the European Identity & Cloud Conference 2017 in Munich.
The reason cyber defenders are not “definitively winning” in the war against cyber attackers, he said, is not because defenders do not have interesting tools and technologies or that organisations are not spending enough money on cyber security.
“The reason we are keeping up with attackers is that, although we have some good tools, we are not employing them to the extent and level we need to,” said Struse.
“Our adversaries have robots or highly automated and adaptive technologies that help them do what they do, and I would argue that we [defenders] need some [robots] of our own.”
In 90% of the breaches covered by the Verizon 2016 data breach investigations report (DBIR), the time to compromise was measured in minutes and seconds, while the time to detection in the majority of cases is measured in days, weeks and even months, said Struse.
“So this idea that we are going to have people keeping pace with the threats we face as our primary or sole line of defence is less than well thought out,” he said.
The DBIR shows, said Struse, that adversaries are getting faster at compromising organisations quickly, while organisations are slower in detecting compromises.
In the face of this reality, he said, cyber security can learn from the fact that only through automation of the switching process were telephone services able to grow fast enough to keep up with the demand.
“What I see today is that we have lot of great [security] tools, but our policies and how we deploy them require people to ultimately do the things that are necessary to detect threats and prevent them from occurring or to mitigate the damage, and that is the critical area where we need to do a little better,” said Struse.
Asymmetry of the internet
At the heart of the cyber security challenge, he said, is the asymmetry of the internet which means that any system connected to the internet can be attacked from anywhere in the world, while cyber defence systems – while technically inter-connected – are not inter-connected at all at any logical level.
“Our adversaries exploit that asymmetry because while their attacks can transit the network, we haven’t linked our defensive systems together in an effective way,” said Struse.
“This is analogous to your bloodstream being able to carry only viruses but not white blood cells, which means the viruses would be able to get everywhere in the body, but the immune system would not be able to operate effectively,” he said.
However, Struse said by creating an ecosystem in which cyber threat intelligence – actionable, machine-readable information – is shared in real time and can be consumed automatically, defenders can begin to eliminate the asymmetry that currently favours attackers.
“By eliminating that asymmetry, we can gradually begin to increase the cost to our adversaries to attack us. We need to connect our defence systems in an effective way, so that our systems are protected without human intervention,” he said.
Read more about threat intelligence
- Threat intelligence tools are a growing market, and enterprises need to be able to see through the hype to get the best product for them.
- Learn how threat intelligence services benefit enterprise security and how to subscribe to the right threat intelligence service.
- Threat intelligence is quickly becoming an essential ingredient for protecting corporate systems and data.
Through automation, said Struse, organisations can reduce the workload on their security analysts and help them to do a better job by dealing only with the exceptions that cannot be addressed automatically based on policy.
“For all the technologies that are out there, in very few instances do we see organisations that are automating their cyber defences to such a point that their security analysts can focus on tracking adversary behaviour and make risk-based decisions about transient attacks because they are just trying to keep up,” he said.
Organisations need to give analysts the tools and technologies they need that ride on the top of “robots” so they are not overwhelmed by millions of alerts, and where small to medium-sized enterprises (SMEs) do not have analysts, he said automation is even more essential.
Struse said there is still a lot of work to be done and “robots” will not solve all security challenges, but automation will help to drive up the cost to attackers and reduce the return on their investments because attacks are detected and mitigated a lot faster than they are now.
“We need to force them to introduce more people into the equation and they can start to experience the economics that defenders have suffered from for a long time. For too long, our people have had to chase their robots, it is about time for our adversaries’ people to chase our robots,” he said.