Getting new technology out early and maximising the capabilities of defenders is key to staying ahead of adversaries, says Steve Grobman, senior vice-president and CTO at McAfee.
“To amplify capabilities, we can use techniques like technology teaming by sharing threat intelligence between security products, human-machine teaming where humans interact with technology to make them more effective, and building technologies that have resiliency to the countermeasures that will be thrown at them by adversaries,” he told the MPOWER Cybersecurity Summit in Las Vegas.
Along with the rest of the security industry, Grobman said one of the things McAfee is focused on is finding ways of taking advantage of machine learning, artificial intelligence and data science as powerful tools to fight cyber threats.
“But McAfee is focusing from the outset on what the evasion tactics will be against this new breed of technologies, because it would be wrong to assume that adversaries will not look for ways around them,” he said.
Grobman said technology developers at McAfee are studying adversarial machine learning, which is the science of “confusing machine learning and artificial intelligence”, as bad actors are expected to do.
Only by understanding how machine learning models can be confused can security technology developers find ways of defending against this sort of attack, he said.
“We need to understand how to have multiple machine learning capabilities work together in order to not allow our technologies to succumb to this type of adversarial innovation,” he said, and key to that is understanding what drives adversaries and how they achieve their objectives.
The challenge, said Grobman, is that the number of ways for adversaries to achieve their objectives is almost infinite, whether it is exploiting vulnerabilities, using stolen credentials or social engineering.
“So when we think about the threat landscape, it really comes down to taking the confluence of the objective and the methods that adversaries use and calling that the threat landscape, and then we have to think about how we will innovate to defend against it,” he said.
But in deciding where to focus innovation efforts, the key is understanding how threat defence capabilities work together, not how effective each is on its own, said Grobman.
“While technologies on their own are very good at detecting certain types of threat, they also have areas that they miss,” he said. “But what we have been able to do, which I would assert nobody else in the industry has done, is figure out how to make these technologies work together to give you an aggregate final protection capability that is far better than any of the technologies working alone.
“Essentially, we have out-innovated the way the adversary is building threats by taking advantage of the fact that you can’t only think about each technology on its own, but understand that the correlation of detection technology is as critical as the technologies’ efficacy.”
According to Grobman, as well as providing maximum coverage, cyber defence technology firms need to be confident that their threat detection technologies are reaching an accurate conclusion.
“The strategy that McAfee is implementing, where we don’t count on any single technology, gives us a very powerful tool to do this, with some technologies being reinforced in the decision that they have made by the other technologies around them,” he said.
Understanding how technologies work together is the key to part of McAfee’s innovation efforts, said Grobman. Another key element is eliminating as many false positives as possible, because although threat detection is “easy”, threat detection without false positives is “hard”, he said.
“And given that in the field of cyber security, the adversary is also constantly innovating, it is actually incredibly hard, so part of what we are trying to do is find ways of using emerging technologies to solve this problem.”
By looking at the underlying structure of threat defence, McAfee has been able to “dial in” the right level of detection, said Grobman. “There is this optimal area of sensitivity that is really key to tune products.”
“Essentially, the world has moved beyond malware, so a lot of our innovation is looking at what can be done beyond traditional threat defence to deal with things like malicious PowerShell scripts that differ by as little as one byte from legitimate scripts,” he said.
“We have to deal with the challenge of dual-use technologies, which requires more context, and we need to recognise that attacks no longer occur in just one place, but throughout an organisation.
“You need to understand how one event on one platform correlates and relates to another, which is why we are building capabilities like McAfee Investigator. It is the way we are thinking about the innovation problem and the areas that we need to innovate around.”
Grobman added: “We are looking at what building blocks we need to invest in to out-innovate the adversary. Machine learning is an incredible tool, as long as you recognise that the adversary is going to attempt to work around it.”
Other data science disciplines, such as threat research, should also be taken into consideration, he said. “Threat research is very important because understanding what the adversary is going to do next allows us to go where the puck’s going to go, not where it partly is.
“And being able to amplify your incident responders and security operations personnel gives you the headroom to do the investigation to out-innovate the adversary.”
Finally, Grobman said the only way McAfee is going to help its customers out-innovate the adversary is if it can out-innovate everyone in the industry.
“And I am committed to helping lead the 7,000 employees at McAfee embrace innovation as really the only way to win this battle,” he said. “One of the things you will see from McAfee is a level of intellectual honesty about what the attackers’ capabilities are and how to think about the attack landscape – not only today, but tomorrow as well.”