You've probably been asked what you like best about your job. Since I've spent the majority of my career in the public sector, one of my top answers is that I love the challenge of helping organizations with security solutions and enabling new technologies to help the business of government. I also enjoy learning and sharing what works and doesn't work in different enterprise situations.
During these panel sessions, the participants typically talk about a range of (hopefully intriguing) topics that include top cybercrime trends, cyberthreat intelligence, attracting and retaining cybertalent, big industry security breaches, internal security incidents or the always interesting (but overused question) “what’s keeping you up at night?”
Inevitably, security and technology topics include well known themes such as ransomware, IoT botnets, cloud computing, smart cities, smartphone security, government CISO plans, securing the smart grid, end-user training, etc. Hopefully, we get beyond the problems and spend a few minutes on solutions. Nevertheless, the hopeful emerging technologies are often shortchanged in these panel discussions due to a lack of time.
Hazards on the Horizon Panel at SecureWorld Expo 2017 in Boston
Behind the Curtain
I sometimes learn more in pre-event discussions, one-on-one CISO breakfasts and panel preparation sessions than during the actual conference sessions. There are different reasons for this, but most panelists want to talk about a set number of their company or government talking points that are pre-negotiated. Some CISOs and other tech leaders don’t want to discuss specifics about their company or difficult security situation in public, since stock prices, business reputations, brands and more can be impacted. In addition, as I have explained before, no security or tech leader wants to become an accidental news headline.
Meanwhile, the audience tends to ask questions about breach headlines or recent headline technology outage incidents with major impacts — rather than seeking a deeper dive into emerging new technologies.
So what are the new cybertechnology solution trends being discussed in private? What cross-industry topics are on the minds of CSOs, CTOs and CEOs — besides their own specific enterprise issues?
The three cybersolution topics I hear most about during these pre and post-panel discussions are analytics (including metrics), artificial intelligence (AI) and orchestration. In order to honor the “off the record” aspects of these conversations, I won’t be providing names or companies regarding what I’m hearing.
Analytics, ‘Big Data,’ ‘Little Data’ and Cybermetrics
Without a doubt, the topic that every CISO has near the top of their “must do” project list is to do more with cyberanalytics. That is, do more with the data they collect and sector incident data gained through vendor and Information Sharing & Analysis Center (ISAC) partnerships.
There are many companies that offer solutions in this space. Teradata describes cybersecurity analytics in this way: “Big data and deep analytics provide high-speed, automated analysis for bringing network activity into clear focus to detect and stop threats, and shorten the time to remediation when attacks occur.”
Recently, CIO Magazine ran this article: Feds to battle cybersecurity with analytics. Here’s an excerpt:
“With more real-time information sharing, officials envision cyber defenses moving from 'vaccine' to 'immune system,' a big analytics project that could achieve something like automatic security. …
Security firms offer a bevy of products that can intervene to mitigate the damage from a person clicking on a malicious link, [former deputy undersecretary of cybersecurity at the Department of Homeland Security] Phyllis Schneck said. But she envisions a much larger, global pool of threat data that could be tapped instantly and automatically to keep machines from falling prey to malicious actors, a system that would be aided by "big analytics" capabilities to make sense of the massive trove of data.”
Others think that “big data” is over-hyped, and we need to start thinking in terms of “little data.” Regardless of the approach taken, the discussion always leads to this wider cybermetrics topic with dashboards for management decision-making.
Another article from CSO Online reported that: Predictive analytics can stop ransomware dead in its tracks.” The article describes how Livingston County, Mich., has deployed predictive analytics as a defense against ransomware attacks.
But more than these two examples, I am hearing local, state and federal CISOs tell me that they are planning to do much more in their security operations centers (SOCs) with cyberanalytics products and services. How will this be done? There are numerous different approaches, but one set of solutions takes this topic to the next level with artificial intelligence.
Artificial Intelligence (AI) and Cybersecurity
Another topic that is hot right now is how will artificial intelligence (AI) help our cyberdefense efforts?
This recent article by Nasdaq.com describes how IBM’s AI is being used in the Department of Defense (DoD) because humans can’t keep up with cyberthreats.
In addition, “Aside from partnering Watson with H&R Block to process and analyze 11 million tax returns, the other major development has been the recent commercial release of cyber security by Watson to over 8,000 customers. With growing data sharing arrangements among members of the cyber security intelligence community, Watson was able to digest over 700 terabytes of data from just one partner (that is about 150,000 DVDs worth of data, enough to power Netflix for over 34 years without interruption). More data inputs only further empower the potential for AI in cyber security, allowing machine learning software to automatically detect, diagnose and counter cyber breaches in a more informed manner.”
I really like this article from earlier this year by SecurityWeek.com’s Torsten George on The Role of Artificial Intelligence in Cyber Security. The article describes three use cases for AI in cyber, including: Identification of threats, risk assessments and orchestration of remediation.
Here's an excerpt: “Too often, unsupervised machine learning contributes to an onslaught of false positives and alerts, resulting in alert fatigue and a decrease in attention. For opponents of AI, this outcome provides ammunition they typically use to discredit machine learning in general. Whether we choose to admit it or not, we have reached a tipping point whereby the sheer volume of security data can no longer be handled by humans. This has led to the emergence of so-called human-interactive machine learning, a concept propagated among others by MIT’s Computer Science and Artificial Intelligence Lab.
Human-interactive machine learning systems analyze internal security intelligence, and correlate it with external threat data to point human analysts to the needles in the haystack. …”
What Is Network and Security Orchestration?
The last area I hear quite a bit about from CISOs lately is network and cybersecurity orchestration. Like bringing together different instruments in an orchestra to produce beautiful music in a symphony, orchestration brings together diverse tools, processes and people to improve cyberdefense results and incident response to (hopefully) produce better results.
Security orchestration allows for automation and improved capabilities to navigate the full scope of security operations and incident response activities from the initial alert through remediation. This excellent "Siemplify" article describes three aspects:
Context — understanding of the relationships across alerts, intelligence, and security data into prioritized cases with the complete contextual threat storyline. Automation — integrating automated capabilities in a flexible manner; from basic playbooks, to semi-automatic workflow, to complete automation of incident response where appropriate. One size fits all doesn’t work with security automation. Analyst Enablement — giving analysts the proper tools and visibility to effectively intervene throughout the investigation and response process and ultimately ensuring we are curing the disease, not just the symptoms. In this Network World article by Jon Oltsik from earlier this year, the state of incident response and security orchestration is described in more detail. He covers several vendor products and the outlook for the near future.
You can also learn more about the security orchestration market at this Business Wire article.
Final Thoughts — Telling Your Customer's Story With Data
I am at the National Association of State CIOs (NASCIO) Midyear 2017 meeting (follow at #NASCIO17 on Twitter) this week for learning, discussions and networking with public- and private-sector partners.
One keynote speaker was Jason Ashlock, who spoke on the importance of storytelling with data. His main message was that in our information age, we need to compete by making sense of the data we have. Our customers want to hear how the data fits into their unique business story and problem-solving. "Get the story right and you illuminate decision-making. You drive discovery and revelation. You transform data into knowledge and knowledge into wisdom."
I really liked Jason's comments about how our job as technology and security leaders in the coming decades is to humanize the data and take the actions that machine learning cannot do. We need to be driving innovation by personalizing topics to meet client needs through storytelling through the eyes of the business.
Another breakout session will cover state government examples from my top cybertrend from 2016, namely Hacktivism and how hacktivists - which has been active all over the country.
In a keynote session, Virginia Gov. Terry McAuliffe is scheduled to deliver some remarks, which will no doubt touch on cybersecurity and what is being done by governors through his National Governors Association chair role.
But regardless of whether you will be at any of these security and technology events or not, you can engage your team and vendors into deeper discussions regarding these three relatively new security topics. Analytics, AI and orchestration are already elbowing their way onto enterprise security agendas around the world, and regardless of the security problem — these topics are key pieces of cyberstrategy road maps and security solutions as we head toward 2020.
In conclusion, we started 2017 with many cybersecurity industry predictions regarding online problems, but data analytics, AI and orchestration may have been understated as potential cybersolutions moving forward. Jason Ashlock challenges us to learn as much as we can about the data, and to make meaning for our customers out of this information and data using stories. We need to become translators that demonstrate business opportunities and risks.
So what's your data story?