Artificial intelligence (AI) in 2023 feels a bit like déjà vu to me. Back in 2001, as I was just entering the venture industry, I remember the typical VC reaction to a start-up pitch was, “Can’t Microsoft replicate your product with 20 people and a few months of effort, given the resources they have?” Today, any time a new company is pitching its product that uses AI to do ‘X,’ the VC industry asks, “Can’t ChatGPT do that?”

Twenty-two years later, Microsoft is at the table once again. This time they’re making a $13 billion bet by partnering with OpenAI and bringing to market new products like Security Copilot to make sense of the threat landscape using the recently launched text-generating GPT-4 (more on that below). But just as Microsoft did not inhibit the success of thousands of software start-ups in the early 2000s, I do not expect Microsoft or any vendor to own this new AI-enabled market. 

However, the market explosion and hype around AI across the business and investment spectrum over the past few months has led people to ask: what are we to make of it all? And more specifically, how do CIOs, CSOs, and cybersecurity teams learn to deal with technology that may pose serious security and privacy risks?

The good, the bad, and the scary

I look at the good, the bad, and the scary of this recent Microsoft announcement. What’s incredible about ChatGPT and its offspring is that it brings an accessible level of functionality to the masses. It’s versatile, easy to use, and usually produces solid results.

Traditionally, organizations have needed sophisticated, trained analysts to sort through, analyze, and run processes for their security data. This required knowledge of particular query languages and configurations relevant to each product, like Splunk, Elastic, Palo Alto/Demisto, and QRadar. It was a difficult task, and the available talent pool was never enough.   

That difficulty in SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) still exists today. SIEM helps enterprises collect and analyze security-related data from servers, applications, and network devices. The data is analyzed to identify potential security threats, alert security teams to suspicious activity, and provide insights into a company’s security defenses. SIEM systems typically use advanced analytics to identify patterns, anomalies, and other indicators of potential threats.

SOAR builds on SIEM capabilities by automating security workflows and helping businesses respond more quickly and efficiently to security incidents. SOAR platforms can integrate with various security products, including enterprise firewalls, intrusion detection systems, and vulnerability scanners. SIEM/SOAR is where you orchestrate action for an incident response plan. Using those actions helps in the remediation process. Managing the process and products involved in remediation is difficult.

Now, Microsoft is putting a stake in the ground with its generative AI Security Copilot tool. With Security Copilot, the tech company is looking to boost the capability of its data security products for deep integrated analysis and responses. By integrating GPT-4 into Security Copilot, Microsoft hopes to work with companies to

more easily identify malicious activity;

summarize and make sense of threat intelligence;

gather data on various attack incidents by prioritizing the type and level of incidents; and

recommend to clients how to remove and remediate diverse threats in real-time.

And guess what? Theoretically, it should be easier to sort through all that data using GPT APIs and other tools or figure out how to leverage these on incident data. These systems should also make more automated response and orchestration much simpler.

Overall, the emergence of GPT-4 may be a step towards the industry’s dream of “Moneyball for cyber,” allowing for a more robust defensive posture by leveraging the experience and wisdom of the crowds. And it will allow for a stronger defense of smaller organizations that do not have sufficient resources and expertise today.

It’s all about trust

However, there are still significant obstacles to overcome regarding adoption and trust. First and foremost, there is still reluctance among many organizations to share their incident data with others, even if de-identified, as it could potentially lead to leaked information, bad press, and brand damage. Sharing has been talked about for years, but is rarely done in a systematic, or technology-delivered manner for these reasons. The best sharing practices followed today are industry CISOs talking amongst their tight peer group when something significant occurs. Thus, given the reluctance to share in any meaningful way previously, I suspect that the industry will take a long time to put their data in this or any third-party platform for fear that it exposes them in some way.

Another hurdle is overcoming hesitancy about privacy and security concerns. Microsoft claims that integrating data into its systems will maintain privacy and security. Security Copilot will not train on nor learn from their customers’ incident or vulnerability data. However, without full transparency, the market will have lingering doubts. Users may fear that attackers may use the same GPT-based platform to develop attacks that target the vulnerabilities in their systems that it has become aware of, no matter what the ELA states to the contrary.  Wouldn’t an attacker love to ask, “Write an exploit that allows me to navigate the defenses at Corporation X?”

There is also a question about how the system can learn from the newest attacks if it is not training on the data from customer organizations. The system would be more powerful if it did learn in the wild from customer incident and vulnerability data.

Even without specific details learned from any one customer, assuming full transparency on security and privacy is guaranteed, given the wide aperture of knowledge that can be obtained from other public and non-public sources, won’t this AI-based system become an adversary’s favorite exploit development tool?

Given all of this, there are potential risks and rewards involved in using ChatGPT in cybersecurity.

Microsoft has major ambitions for Security Copilot. It’s a tall order to fill, and I hope they get it right for everyone’s sake.

Know the potential consequences

GPT-4 under Microsoft auspices might be a great tool if it figures out ways to cut off all that potentially harmful activity. If it can train the system to focus on the positive and do it so that proprietary internal data is not compromised, it would be a potent tool for mainstream analysis of security incidents and security. To date, this has only been done with very sophisticated, high-priced people and complex systems that cater to the higher end of the market.

But suppose the mid-tier companies, who can’t afford top-quality cybersecurity resources or the best data security teams, choose to open up their data to Microsoft and GPT-4? In that case, I just hope they know there may be possible side effects. Caveat emptor!


In today’s cybersecurity environment—with new types of incidents and threat vectors constantly emerging—organizations can’t afford to sit back and wait to be attacked. They need to be proactive and on the offensive when it comes to defending their networks, systems, and data.

It’s important to understand that launching an offensive cybersecurity strategy does not mean abandoning traditional defensive measures such as deploying firewalls, intrusion detection systems (IDS), anti-malware software, patch management, security information and event management (SIEM), and other such tools.

Going on the offensive with cybersecurity involves taking extra steps to preemptively identify weaknesses before bad actors can take advantage of them. It means thinking like they do and anticipating their moves. While the idea of taking a proactive approach to security is not new, it has taken on greater significance given the level of risk so many organizations face today.

Threat hunting strategy

One of the most effective ways to be proactive with security is to deploy a threat-hunting strategy. Cyber threat hunting is a proactive defense initiative in which security teams search through their networks to find and isolate advanced threats that evade existing security tools.

Whereas traditional solutions such as firewalls and IDS generally involve investigating evidence-based data after an organization has received a warning of a possible threat, threat hunting means going out to look for threats before they even materialize.

Gain visibility

Several key components make up the foundation of a strong threat-hunting program. The first is the ability to maintain a complete, real-time picture of the organization’s environment so that threats have no place in which to hide. If the security team is not able to see the threats within their organization’s environment, how can it take the necessary steps to stop them?

Having the kind of visibility that’s needed can be a challenge for many organizations. The typical IT infrastructure today is made up of diverse, dynamic, and distributed endpoints that create a complex environment in which threat vectors can easily stay out of sight for weeks or even months.

That’s why an organization needs technology that allows it to locate each endpoint in its environment and know if it’s local, remote or in the cloud; identify active users, network connections, and other data for each of the endpoints; visualize lateral movement paths attackers can traverse to access valuable targets; and verify whether policies are set on each of the endpoints so they can identify any gaps.

Proactively hunt for threats

The second key component of threat hunting is the ability to proactively hunt for known or unknown threats across the environment within a matter of seconds. Security teams need to know if there are active threats already in the environment.

They need to be able to search for new, unknown threats that signature-based endpoint tools miss; hunt for threats directly on endpoints, rather than through partial logs; investigate individual endpoints as well as the entire environment within minutes without creating a strain on network performance; and determine the root causes of any incidents experienced on any endpoint devices within the environment.

Remediating threats

The third foundational component of threat hunting is the ability to respond to and resolve any threats that the security team finds within the same unified platform. Finding a threat is not enough—it has to be obliterated.

A threat-hunting solution should enable security teams to easily shift from threat hunting to response by using a single dataset and platform; quickly applying defensive controls to endpoints during an incident; learning from incidents and, through this knowledge, hardening the environment to prevent similar attacks; and streamlining policy management to keep endpoints in a secure state at all times.

What to look for in a threat-hunting solution 

A key factor to look for in a threat-hunting solution is the ability to use statistical analyses to better understand whether particular incidents are notable. That can only happen when a system can enrich data telemetry in real time, at scale, and in constantly changing situations.

Security teams can leverage every log source, piece of telemetry, and bit of endpoint metadata and traffic flow in an aggregated manner to get a clear understanding of what’s going on. Threat actors will not be able to get into an organization’s environment completely undetected. It’s only a matter of whether the threat-hunting team is leveraging the right data to track them down.

It’s important for security hunting teams to have high-confidence threat intelligence and to follow the right feeds. While enriching alerts with real-time intelligence is not always easy, it’s vital for success. Teams need to work with trusted sources of data and must be able to filter the data to reduce false positives as well as false negatives.
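The three preceding paragraphs describe deciding whether an incident is notable through statistics over aggregated telemetry, enriching it with high-confidence threat intelligence, and filtering to reduce false positives. The following added example (not from the original article or any vendor's product) does exactly that over constructed data: a two-week per-host baseline of outbound connection counts, one day of summarized telemetry, a constructed indicator list standing in for an intelligence feed, and a constructed allowlist of known-good destinations. All host names, addresses and counts are made up.

```python
"""Notability scoring: baseline z-score plus threat-intelligence enrichment.

Added illustration (not from the original article). BASELINE, TODAY, INTEL and
ALLOWLIST are constructed sample data; the addresses are documentation ranges.
"""
import statistics

# Constructed baseline: daily outbound connection counts per host over 14 days.
BASELINE = {
    "ws-01": [40, 42, 38, 45, 41, 39, 44, 43, 40, 41, 42, 39, 44, 40],
    "ws-02": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 13, 14, 12],
    "ws-03": [20, 22, 19, 21, 20, 23, 18, 21, 20, 22, 19, 21, 20, 22],
}

# Constructed telemetry for today, already summarized per host and destination.
TODAY = [
    {"host": "ws-01", "dst": "203.0.113.10", "conns": 41},
    {"host": "ws-02", "dst": "203.0.113.10", "conns": 12},
    {"host": "ws-02", "dst": "198.51.100.7", "conns": 30},
    {"host": "ws-03", "dst": "203.0.113.10", "conns": 60},
]

# Constructed high-confidence indicator feed and trusted allowlist.
INTEL = {"198.51.100.7": "constructed indicator: command-and-control"}
ALLOWLIST = {"203.0.113.10"}


def zscore(value, history):
    """How many standard deviations today's value sits from the baseline."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history) or 1.0  # flat baseline: avoid division by zero
    return (value - mean) / sd


def score_telemetry(today, baseline, intel, allowlist, z_threshold=3.0):
    """Aggregate per host, then rank by intel hits first and statistics second.

    Verdicts: 'alert'      - a destination matches the indicator feed
              'anomaly'    - volume far above baseline to unreviewed destinations
              'suppressed' - volume far above baseline, but only to allowlisted
                             destinations (kept for review, not paged)
              'normal'     - within baseline
    """
    per_host = {}
    for rec in today:
        agg = per_host.setdefault(rec["host"], {"total": 0, "dsts": set()})
        agg["total"] += rec["conns"]
        agg["dsts"].add(rec["dst"])

    results = {}
    for host, agg in per_host.items():
        # A host with no baseline at all is treated as maximally unusual.
        z = zscore(agg["total"], baseline[host]) if host in baseline else float("inf")
        hits = sorted(d for d in agg["dsts"] if d in intel)
        unreviewed = sorted(agg["dsts"] - allowlist - set(intel))
        if hits:
            verdict = "alert"
        elif z > z_threshold and unreviewed:
            verdict = "anomaly"
        elif z > z_threshold:
            verdict = "suppressed"
        else:
            verdict = "normal"
        results[host] = {
            "z": round(z, 2),
            "intel_hits": [(d, intel[d]) for d in hits],
            "unreviewed_destinations": unreviewed,
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for host, result in score_telemetry(TODAY, BASELINE, INTEL, ALLOWLIST).items():
        print(host, result)
```

On the constructed data ws-01 is within its baseline, ws-02 is paged because one destination matches the indicator feed (its volume is also far above baseline), and ws-03 is statistically anomalous but only to an allowlisted destination, so it is held for review rather than raised as an alert. That last case is the false-positive filtering the text calls for: the statistics alone would have paged on it.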

In addition to threat hunting, organizations can leverage services such as penetration testing and threat intelligence. With penetration testing, an organization hires a service provider to launch a simulated attack against its networks and systems to evaluate security.

Such tests identify weaknesses that might enable unauthorized actors to gain access to the organization’s data. Based on the results, the security team can make any needed enhancements to address the vulnerabilities.

Cyber threat intelligence is any information about threats and threat actors that is intended to help companies mitigate potential attacks in cyberspace. Sources of the information might include open-source intelligence, social media, device log files, and others.

Over the past few years, threat intelligence has become an important component of cybersecurity strategies, because it helps organizations be more proactive in their approach and determine which threats represent the greatest risks.

By being proactive about security, organizations can be out in front of the ever-expanding threat landscape. They can help to ensure that they’re not just waiting impassively for attacks to come, but taking initiatives to stop bad actors before they can act.

Learn how a converged endpoint management platform can help CIOs keep pace with tomorrow’s threats. Check out this eBook, The cybersecurity fail-safe: Converged Endpoint Management.


By Leonard Kleinman, Field Chief Technology Officer (CTO) – Cortex for Palo Alto Networks JAPAC

Many things challenge how we practice cybersecurity these days. Digital transformation has brought significant adoption of new technology and business models, including cloud solutions, e-commerce platforms, smart devices, and a significantly more distributed workforce. These, in turn, have brought with them an increase in new threats, risks, and cybercrime.

As organizations emerge post-pandemic, many of the risks and uncertainties manifested during that period will persist, including the hybrid workforce, supply chain risk, and other cybersecurity challenges.

Let’s look at some of these cybersecurity challenges and how automation can level the playing field.

Problem: not enough cybersecurity talent

A major contributor to the growing spate of cyberattacks is the lack of skilled cybersecurity personnel. The overall global numbers of experienced cybersecurity practitioners are low compared to the need for such practitioners to handle the cyberthreats that manifest across all industry sectors. While demand for practitioners continues to escalate, the growth in actual numbers is low, leading to the increasing deficit between demand and supply.

This contrasts significantly with the global cybersecurity market, which is expected to expand at a compound rate with more demand for solutions and products. The increasing number of cyberattacks, digital transformation changes, and talent shortages are contributing to this growth, and organizations are expected to acquire/deploy more advanced security solutions to detect, mitigate, and reduce the risk of cyberattacks.

Automation, AI, and vocation

Automation systems are everywhere—from the simple thermostats in our homes to hospital ventilators—and while automation and AI are not the same things, much has been integrated from AI and machine learning (ML) into security systems, enabling them to learn, sense, and stop cybersecurity threats automatically. So instead of just alerting us to a threat, an automated system would be able to act towards neutralizing it.

At its core, automation has a single purpose: to let machines perform repetitive, time-consuming, monotonous tasks. This, in turn, frees up our scarce human talent to focus on more important things or simply things that require the human touch. The result is a more efficient, cost-effective, and productive cyber workforce.

Even threat actors are themselves using automation to facilitate their attacks. The MyDoom worm, one of the fastest-spreading pieces of malware on the internet, uses automation to propagate and is estimated to have caused around $38 billion in damage. It is still spreading, but the surprising part is MyDoom is not new. Released in 2004, it can still be seen trolling the internet.

A persistent fear in cybersecurity is that automation is here to replace humans. While somewhat justified, the reality is that automation is here to augment humans in executing security operations and, in some cases, help organizations supplement and address the growing talent gap. As advanced as it may be perceived, automation will always be reliant on humans, completely configurable, and under the supervision of the security team. If anything, automation and AI are bringing forth new cybersecurity roles such as Algorithm Bias Auditor or Machine Risk Officer.

The benefits of automation

Automation can do many things, from detecting potential threats to containing and resolving threats. These actions take seconds and are largely independent of human intervention. Provided via security orchestration, automation, and response (SOAR), automation gives SOCs a significant boost in execution, significantly improving productivity and response. The Cost of a Data Breach 2022 Report highlights the role of automation in halving the cost of a data breach and reducing the time to identify and contain by 77 days.[1]

Orchestration provides the ability to activate the many tools in your operational environment, seamlessly connecting them via playbooks to undertake specific actions. This allows for a consistent, repeatable response process together with all the necessary information for your cyber practitioner, all in one place.

Additional efficiencies are derived from the AI/ML engine within SOAR, which can learn attributes from alerts and use that knowledge to prevent future attacks. Every alert and event handled are learned from for future purposes. Automation plays a significant role in terms of enabling an agile, proactive cybersecurity capability.

Most importantly, automation provides a better quality of life to your cybersecurity team, reducing alert fatigue and frustration and giving them back precious time. In the age of the Great Resignation, retention has become a significant issue.[2] Retaining staff allows you to increase your ROI on people—acknowledging the significant investment organizations make through recruitment, ongoing training, and tacit knowledge learned on the job.

Automation helps organizations address the talent challenge. It also enables a greater ROI on your current tools and technology, bringing them into play as part of the orchestration process.

Where to start?

A prerequisite for automation begins with gathering and correlating data. Any good automation system requires good data to work efficiently and effectively. The more data sources, the better the quality of operations.

Aim to gather data from all aspects of your business environment, such as endpoint, network, and cloud. The AI/ML system within the automation platform makes analyzing and correlating all this data easier. These two components are what make cybersecurity automation possible.

Next, analyze your current standard operating procedures (SOPs), looking for regularly recurring activities/processes—ones that reduce workload and the risk of an overlooked alert. Look for tasks that do not deviate or vary in an unpredictable manner. These are prime candidates for automation.

Now, identify the tools that need to be orchestrated within those processes, along with the required APIs (or create them) to enable the integrations.

Finally, create your playbook. This gives you control over the process, providing you with the ability to consistently replicate and improve the process over time. Include any specific actions you require, the tool/s to perform, and any other additional tasks, e.g., block, notify, contain, etc.
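The four steps above (correlated data in, repeatable SOP tasks identified, tools reachable through APIs, and a playbook that orders the actions) are what a SOAR playbook runner executes. The following is an added illustration written for this page; it is not Cortex, not any vendor's playbook format, and its "tools" are constructed in-memory stand-ins for a firewall, an endpoint agent and a chat notifier rather than real integrations. The alerts are constructed too.

```python
"""A minimal playbook runner in the SOAR style.

Added illustration (not from the original article). The tool classes are
constructed in-memory stand-ins for real integrations; the playbook and the
alerts are constructed sample data.
"""


class Firewall:
    """Stand-in for a firewall API: records blocked addresses."""
    def __init__(self):
        self.blocked = set()

    def block_ip(self, ip):
        self.blocked.add(ip)
        return f"blocked {ip}"


class EndpointAgent:
    """Stand-in for an endpoint agent API: records isolated hosts."""
    def __init__(self):
        self.isolated = set()

    def isolate(self, host):
        if host.startswith("dc-"):
            # Constructed guard: a domain controller is never auto-isolated.
            raise PermissionError(f"{host} requires manual approval")
        self.isolated.add(host)
        return f"isolated {host}"


class Notifier:
    """Stand-in for a chat/ticketing API: records messages sent."""
    def __init__(self):
        self.sent = []

    def notify(self, channel, message):
        self.sent.append((channel, message))
        return f"notified {channel}"


def make_tools():
    return {"firewall": Firewall(), "endpoint": EndpointAgent(), "notify": Notifier()}


# Constructed playbook: ordered steps, each with a condition on the alert,
# the tool and action to call, and how to derive the arguments.
PLAYBOOK = {
    "name": "malicious-outbound-connection",
    "steps": [
        {"id": "block-dst", "when": lambda a: a["intel_match"],
         "tool": "firewall", "action": "block_ip", "args": lambda a: [a["dst_ip"]]},
        {"id": "isolate-host", "when": lambda a: a["intel_match"] and a["severity"] >= 8,
         "tool": "endpoint", "action": "isolate", "args": lambda a: [a["host"]]},
        {"id": "notify-soc", "when": lambda a: True,
         "tool": "notify", "action": "notify",
         "args": lambda a: ["#soc", f"{a['host']} -> {a['dst_ip']} severity {a['severity']}"]},
    ],
}


def run_playbook(playbook, alert, tools):
    """Run the steps in order and return an audit trail of (step, status, detail).

    A failing step stops the playbook and escalates to a human channel, so a
    half-applied response is never silently left in place.
    """
    trail = []
    for step in playbook["steps"]:
        if not step["when"](alert):
            trail.append((step["id"], "skipped", None))
            continue
        try:
            tool = tools[step["tool"]]
            result = getattr(tool, step["action"])(*step["args"](alert))
            trail.append((step["id"], "done", result))
        except Exception as exc:  # any tool failure is recorded, not swallowed
            trail.append((step["id"], "failed", str(exc)))
            tools["notify"].notify("#soc-escalation",
                                   f"{playbook['name']}: step {step['id']} failed: {exc}")
            break
    return trail


if __name__ == "__main__":
    # Constructed alerts, as a correlation engine might emit them.
    high = {"host": "ws-02", "dst_ip": "198.51.100.7", "severity": 9, "intel_match": True}
    low = {"host": "ws-01", "dst_ip": "203.0.113.10", "severity": 3, "intel_match": False}
    for alert in (high, low):
        print(run_playbook(PLAYBOOK, alert, make_tools()))
```

The audit trail is the point: every step is recorded as done, skipped or failed, which is what makes the process repeatable and reviewable. The constructed guard on domain controllers shows the failure path, where the playbook stops and escalates rather than continuing with a partially applied response.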

Don’t drop the ball on automation

Cybersecurity is essential for any business in a digitally transformed world, protecting company data, its people, and its customers. However, just the implementation of cybersecurity will not be enough as our adversaries continue to innovate and get craftier in their approach.

As organizations continue to pursue digital transformation initiatives coupled with technology advances, the automation of cybersecurity is not just recommended—it is mandatory in leveling the playing field.

Learn more about the benefits of consolidation.

1. Cost of a Data Breach 2022 Report, IBM Security, July 2022

2. Paula Morgan, “Top Five Tips For Retaining Employees During The Great Resignation,” Forbes, August 4, 2022.

About Leonard Kleinman:

Len Kleinman is the Field Chief Technology Officer (CTO) – Cortex for Palo Alto Networks JAPAC focusing on critical industry sectors such as Government, Banking and Finance, Utilities, and Education. His mission is to work with executives and business stakeholders to make security a strategic priority that translates into business value and assist in the development of a risk-based cybersecurity culture aimed at protecting our digital lives.


By Ravi Balwada, CTO of Guitar Center

In retail, we don’t have the luxury of thinking about security as an afterthought. We have to think about security early in the innovation process and make sure our security best practices, governance and architectures are taken into account when we are designing our solutions—everything from defining what a container needs to look like when we deploy something to what sort of access controls we have. 

With modern cybersecurity technology, we have better tools and instrumentation to monitor environments more effectively, to change the security posture very rapidly and meet the changing needs of the company—whether it is adapting to a new wave of mobile devices or introducing a new population of workers to information that is sensitive. 

Also thanks to modern cybersecurity, new use cases have become available in retail that were never possible before. Many retail leaders talk about the changes being enabled for their customers, but it’s also vital to explore the exciting new ways retailers can enable their frontline workers.

Three areas cybersecurity is helping to supercharge our frontline workforce

When you focus on cybersecurity in an environment like Guitar Center, you have the power to do amazing things—for your sales associates, customers and overall business. Here, digitization and cybersecurity are empowering our sales associates in three major aspects of our business:

Customer service

Back office functions

Efficient, individualized business management

Securing a new level of customer service and relationship

Our mission is to build a lifetime relationship with our customers in their musical journeys. Whether it’s lessons, product, repair or rental services, acquiring or selling used equipment, technology connects how we build our relationships with customers. Customers can start online and finish in a store; start in a store and finish online; or any combination they choose.

As a result, we’re shifting the engagement with the customer to the aisle instead of at the point of sale. In a previous incarnation of our business it was: “What do you need? Let me ring you up.” Now we are about: “Let me work with you collaboratively. I understand who you are, your needs, your aspirations. Let us brainstorm and together we can find the best solution. Let’s move this conversation to the aisle where I can help you make good choices.”

Our sales associates leverage information across all channels, which changes the conversations we have with customers. If you’re a salesperson, you actually know if the customer has been browsing certain items online. You know what the customer has purchased in the past. You can make recommendations for equipment, lessons, sheet music. You can help them complete their purchase and you can help them take advantage of other things that might make their musical journey more fulfilling. 

For our almost 12,000 frontline sales associates, it’s no longer a world of post-it notes and pieces of paper. We are bringing a massive amount of information and insight. They have full visibility into supply chains, status of inventory, deep insights into each customer, and much more. They are dealing with volumes of information around dozens of variables. There is far more data and activity at the edge and a much larger attack surface.

This requires cyber innovation and evolution. You now have multiple places where data is residing that have to be secured, which means you need cybersecurity with visibility and granular access controls to ensure that the right people are accessing the right information at the right time. There is also the challenge of forensics and investigation of security incidents. We need systems that have amazing logging and automation for us to be able to react very rapidly to any security incidents. That requires us to work with modern technologies that are agile and can very quickly be swung into action. 

Our data management is a key focus, including building data lakes and visual analytics capabilities that we are introducing across our entire enterprise. We also have to make sure we have a secure platform. We are replatforming our firewalls and leveraging new technology around identifying threat patterns—isolating problems when necessary, isolating our environments so they are more effective. Only through these kinds of moves can we support our associates to build those deep customer relationships that fuel their success.

Supporting the latest back office functions

Our associates have new frontline tools that enable not only customer relationship management but back office function. For example, every associate will have a mobile device. If associates need to perform actions such as pick up from a store, ship from a store, or access inventory, they have the information at their fingertips using their mobile devices. This provides a tremendous benefit for each of our people, but it also means our endpoints will increase ten times versus what we have today.

With each new device and endpoint, we put powerful capabilities in the hands of associates. You have to have amazing security—with isolation, compliance, controls, encryption, edge protection, and more. We are giving associates the ability to process payments on mobile devices. As you run financial transactions on mobile devices, on wireless networks, you need to prevent associates from compromising personal identifiable information. Another important factor is the ability to onboard people quickly and efficiently, especially with our seasonal workforce. Technology compresses time to value so they can be productive faster with information that is easily available and tools that are highly intuitive. And this speed only becomes possible when all of those interactions are properly protected.

Bringing new levels of management to the business

At a time when retaining and motivating workers is paramount to business success, Guitar Center has been executing operational advancements that are geared toward empowering and engaging our associates in new ways. Today, sales associates can manage their own businesses from their mobile devices. They can view status on commissions; access training; get real-time information on promotions; collaborate with colleagues and peers.  It’s not enough to just build an application that works on mobile devices. It has to be engaging. We’re building experiences across the enterprise that are more gamified.

It is an important, fundamental change—knowing that we have a security posture to support this kind of innovation. We continue to harden our security to ensure all of our 12,000+ sales associates can be more and more digitally enabled.

Enabling workforce satisfaction, innovation, and long term success

The value of empowering sales associates with robust, secure, digital experiences cannot be overstated, especially in today’s environment where workers have more options and are seeking jobs that are more enriching and satisfying. There is, however, one caveat. The kind of data-driven frontline innovation I am describing is only possible when we invest in and treat cybersecurity as an enabling technology, not a nice-to-have. At Guitar Center, we are always aware that we can only do the things we want to do if we have the security that we need.

About Ravi Balwada:

Security Roundtable author, Ravi Balwada, is the chief technology officer at Guitar Center, the world’s largest musical instrument retailer.


By John Davis, Retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks

What critical innovations can change the balance in cybersecurity, providing those of us responsible for defending our organizations with more capabilities against those who would do us harm?

This is not just a theoretical exercise. It is something all of us in cybersecurity need to understand — and a key national security priority.

I’ve given this question considerable thought in my role advising many of my former colleagues and other leaders in the U.S. government. In my view, there are two key interrelated developments that can shift the cybersecurity paradigm. They are:

Innovations in automation.

Software-based advanced analytics — including big data, machine learning, behavior analytics, deep learning and, eventually, artificial intelligence.

I’m not saying these innovations can reverse the historical advantage offense has had over defense. But improved use of automation — combined with software-based advanced analytics — can help level the playing field.

Cyber threats are increasingly automated using advanced technology. Unfortunately, defense has continued to employ a strategy based mostly on human decision-making and manual responses taken after threat activities have occurred.

This reactive strategy can’t keep pace against highly automated threats that operate at speed and scale. The defense has been losing — and will continue to lose — until we in the cybersecurity community fight machines with machines, software with software.

Prevention is key

Any good defensive strategy should be comprehensive with protection, detection, response, recovery, and resilience. Prevention is key, especially in today’s complex environment. That is where we have not invested enough — and where automation and advanced analytics can make an enormous difference.

First, let me define what I mean by prevention, starting with understanding the basic cyberattack process, sometimes referred to as the cyber threat lifecycle. This process consists of seven steps:

Probing;

Developing a delivery mechanism to get to a victim or target;

Exploiting a vulnerability in the network environment;

Installing malicious code;

Establishing a control channel;

Escalating privileged access;

Moving laterally within the network environment.

These steps usually occur in that order, but not always. The final step defines a successful attack, which could be encrypting data for ransom; exfiltrating sensitive data; exposing embarrassing information; or disrupting/destroying targeted systems, devices, or data.

Modern cyber threat actors can work their way through the attack process more quickly than ever with advanced software and machines.

But the process still takes time — allowing defenders to see and stop a threat at any step in the process. To do so, however, defenders must have complete visibility across their network environment and be able to deliver protections everywhere automatically. Therefore, they need both sensors and enforcement points. Just seeing malicious activity without being able to stop it won’t change the dynamic between offense and defense.

Tackling speed and scale

Automation lets security teams fight machines with machines and reserve their most precious resource, people, for the work people still do better and faster than machines: hunting and deep, high-end analysis. Any other approach will never keep pace with the speed and scale of modern cyberthreats.

Software-based advanced analytics enable security teams to fight software with software. They make it possible to deploy sensors and enforcement points in all critical places in a network environment. More importantly, they enable the integration between the sensors and enforcement points.

With advanced analytics, any type of suspicious behavior in a network environment can be quickly matched against the attack processes of known threat actors and groups. Analytics can even identify a threat never seen before, or a possible threat that does not directly match a known bad signature or activity.

Using machine learning algorithms, a decision can be rendered in near real-time — less than 10 minutes is state-of-the-art today — and a protection can be delivered automatically to stop the threat everywhere in the organization’s enterprise environment without the need for any human intervention.
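To make the matching step concrete, here is an added example (not Palo Alto Networks code, and not from the article) that correlates sensor events per host against the seven steps above and, once a host has chained three or more distinct steps inside a ten-minute window, emits the same protection to every enforcement point. The log-line format, the event-type names, the enforcement points and the sample lines are all constructed for the example.

```python
"""Correlate sensor events against the seven-step attack process and push a
protection to every enforcement point once a host chains enough steps.

Added illustration, not Palo Alto Networks code. The log-line format, event
type names, enforcement points and sample lines are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# The seven steps from the article, in their usual (not guaranteed) order.
STAGES = [
    "probing", "delivery", "exploitation", "installation",
    "command_and_control", "privilege_escalation", "lateral_movement",
]
STAGE_ORDER = {stage: i for i, stage in enumerate(STAGES)}

# Assumed mapping from sensor event types to the step they evidence.
EVENT_TO_STAGE = {
    "port_scan": "probing",
    "phishing_attachment": "delivery",
    "exploit_signature": "exploitation",
    "new_service_installed": "installation",
    "beacon_to_known_c2": "command_and_control",
    "token_impersonation": "privilege_escalation",
    "smb_admin_share_access": "lateral_movement",
}

# Assumed enforcement points; the same protection goes to all of them.
ENFORCEMENT_POINTS = [("ngfw", "block"), ("edr", "isolate"), ("cloud_iam", "revoke_sessions")]


@dataclass(frozen=True)
class SensorEvent:
    ts: datetime
    host: str
    sensor: str
    event_type: str


def parse_line(line: str) -> SensorEvent:
    """Parse a constructed 'timestamp|host|sensor|event_type' log line."""
    ts, host, sensor, event_type = line.strip().split("|")
    return SensorEvent(datetime.fromisoformat(ts), host, sensor, event_type)


def matched_stages(events: List[SensorEvent], window_minutes: int) -> List[str]:
    """Largest set of distinct attack steps seen on one host inside any window.

    Distinct steps are counted rather than ordered ones, because the steps do
    not always occur in order.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e.ts)
    best: Set[str] = set()
    for end in events:
        in_window = [e for e in events if end.ts - window <= e.ts <= end.ts]
        stages = {EVENT_TO_STAGE[e.event_type] for e in in_window if e.event_type in EVENT_TO_STAGE}
        if len(stages) > len(best):
            best = stages
    return sorted(best, key=STAGE_ORDER.__getitem__)


def decide_protections(lines: List[str], window_minutes: int = 10, min_stages: int = 3) -> Dict[str, dict]:
    """For each host chaining at least min_stages distinct steps, return the
    matched steps and the protections to deliver to every enforcement point."""
    by_host: Dict[str, List[SensorEvent]] = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_line(line)
            by_host[event.host].append(event)
    verdicts: Dict[str, dict] = {}
    for host, events in by_host.items():
        stages = matched_stages(events, window_minutes)
        if len(stages) >= min_stages:
            verdicts[host] = {
                "stages": stages,
                "actions": [f"{point}:{action}:{host}" for point, action in ENFORCEMENT_POINTS],
            }
    return verdicts


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2023-05-02T09:00:05|ws-17|ids|port_scan",
    "2023-05-02T09:02:11|ws-17|mail|phishing_attachment",
    "2023-05-02T09:03:40|ws-17|edr|exploit_signature",
    "2023-05-02T09:04:02|ws-17|edr|new_service_installed",
    "2023-05-02T09:05:30|ws-17|ngfw|beacon_to_known_c2",
    "2023-05-02T09:01:00|srv-db|ids|port_scan",         # a lone scan is noise
    "2023-05-02T08:30:00|ws-22|edr|exploit_signature",  # two steps, 50 minutes apart
    "2023-05-02T09:20:00|ws-22|ngfw|beacon_to_known_c2",
]

if __name__ == "__main__":
    for host, verdict in decide_protections(SAMPLE_LOG).items():
        print(host, verdict["stages"], verdict["actions"])
```

Counting distinct steps rather than ordered ones keeps the detection honest about the caveat that the steps do not always occur in order. The window and the three-step threshold are the knobs that trade detection speed against false positives: with the sample lines, only ws-17 is blocked at the defaults, while widening the window to an hour and lowering the threshold to two steps also flags the slower ws-22 chain.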

Defenders have access to an enormous amount of data from networks, endpoints, and clouds. The right kind of data includes cyber threat indicators of compromise as well as contextual information. It does not include traditional policy and legal landmines such as personally identifiable information, protected health information, intellectual property, or surveillance-related data.

Leveraging this data, it is possible to act at speed and scale with a very high degree of precision, achieving false positive rates of less than one percent. The key to this kind of effective defense is complete, continuous, and consistent visibility and security controls across all elements of an organization’s network environment: from the network to the cloud (public, private, hybrid, multi-cloud, SaaS) to endpoint and IoT devices.

Stopping threats, mitigating risk

Cybersecurity protections that leverage automation and advanced analytics are available today and getting better as time goes by, with more of the right kinds of data to drive automated decisions and protections.

Best case, the use of these two innovations enables security teams to see and stop cyber threats before they succeed, giving the defense an advantage. Worst case, they let security teams limit the damage of a successful attack to a level determined to be an acceptable risk.

Why is this so important? Eliminating or reducing the advantage that cyber offense has over defense is critical to creating a more stable cyberspace. Traditionally, when offense has the advantage, it creates enormous instability. When defense has the advantage, it creates a more stable environment.

We’re living in a world with an unacceptably high level of instability in the cyber domain. The risks of miscalculation, misinterpretation or even a plain mistake are just too high. Effective use of automation and software-based advanced analytics can help level the playing field between offense and defense and create a much more effective cybersecurity posture for any organization.

About John Davis:

John is a retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks, where he is responsible for expanding cybersecurity initiatives and global policy for the international public sector and assisting governments around the world to successfully prevent cyber breaches.

Data and Information Security, IT Leadership

Cybersecurity threats and their resulting breaches are top of mind for CIOs today. Managing such risks, however, is just one aspect of the entire IT risk management landscape that CIOs must address.

Equally important is reliability risk – the risks inherent in IT’s essential fragility. Issues might occur at any time, anywhere across the complex hybrid IT landscape, potentially slowing or bringing down services.

Addressing such cybersecurity and reliability risks in separate silos is a recipe for failure. Collaboration across the respective responsible teams is essential for effective risk management.

Such collaboration is both an organizational and a technological challenge – and the organizational aspects depend upon the right technology.

The key to solving complex IT ops problems collaboratively, in fact, is to build a common engineering approach to managing risk across the concerns of the security and operations (ops) teams – in other words, a holistic approach to managing risk. 

Risk management starting point: site reliability engineering

By engineering, we mean a formal, quantitative approach to measuring and managing operational risks that can lead to reliability issues. The starting point for such an approach is site reliability engineering (SRE). 

SRE is a modern technique for managing the risks inherent in running complex, dynamic software deployments – risks like downtime, slowdowns, and the like that might have root causes anywhere, including the network, the software infrastructure, or deployed applications.

The practice of SRE requires dealing with ongoing tradeoffs. The ops team must be able to make fact-based judgments about whether to increase a service’s reliability (and hence, its cost), or lower its reliability and cost to increase the speed of development of the applications providing the service.

Error budgets: the key to site reliability engineering

Instead of targeting perfection – technology that never fails – the real question is just how far short of perfect reliability should an organization aim for. We call this quantity the error budget.

The error budget is the amount of unreliability, such as failed requests or minutes of downtime, that a particular service is allowed to accumulate over a period before it misses its service level objective and users become dissatisfied with the service.

Most importantly, the error budget should never equal zero. The operator’s goal should never be to entirely eliminate reliability issues, because such an approach would both be too costly and take too long – thus impacting the ability for the organization to deploy software quickly and run dynamic software at scale.

Instead, the operator should maintain an optimal balance among cost, speed, and reliability. Error budgets quantify this balance.

Bringing SRE to cybersecurity        

To bring the SRE approach to the cybersecurity team, the team must be able to calculate a risk score for every observed event that might be relevant to the cybersecurity engineer.

Risk scoring is an essential aspect of cybersecurity risk management. “Risk management… involves identifying all the IT resources and processes involved in creating and managing department records, identifying all the risks associated with these resources and processes, identifying the likelihood of each risk, and then applying people, processes, and technology to address those risks,” according to Jennifer Pittman-Leeper, Customer Engagement Manager for Tanium.

Risk scoring combined with cybersecurity-centric observability gives the cybersecurity engineer the raw data they need to make informed threat mitigation decisions, just as reliability-centric observability provides the SRE with the data they need to mitigate reliability issues.

Introducing the threat budget

Once we have a quantifiable, real-time measure of threats, then we can create an analogue to SRE for cybersecurity engineers.

We can posit the notion of a threat budget, which would represent the total number of unmitigated threats a particular service can accumulate over time before a corresponding compromise adversely impacts the users of the service.

The essential insight here is that threat budgets should never be zero, since eliminating threats entirely would be too expensive and would slow the software effort down, just as error budgets of zero would. “Even the most comprehensive… cybersecurity program can’t afford to protect every IT asset and IT process to the greatest extent possible,” Pittman-Leeper continued. “IT investments will have to be prioritized.”

Some threat budget greater than zero, therefore, would reflect the optimal compromise among cost, time, and the risk of compromise. 
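As an added illustration of the two budgets (example code, not Tanium’s), the block below computes an error budget from an availability SLO and a threat budget from risk-scored events, and turns an over-budget state into a prioritised mitigation list. The 0-100 score scale, the threshold above which a scored event counts as a threat, the mitigation capacity and the sample events are assumptions.

```python
"""Error budget and threat budget computed side by side.

Added illustration, not Tanium code. The 0-100 risk-score scale, the
threshold that turns a scored event into a 'threat', and the sample events
are assumptions for the example.
"""
from dataclasses import dataclass
from typing import List


# --- Error budget (SRE) -----------------------------------------------------

def error_budget_minutes(slo: float, window_days: int) -> float:
    """Minutes of unavailability an availability SLO leaves over the window.

    A 99.9% SLO over 30 days leaves 0.1% of 43,200 minutes, i.e. 43.2 minutes.
    """
    if not 0.0 < slo < 1.0:
        raise ValueError("slo must be a fraction strictly between 0 and 1")
    return window_days * 24 * 60 * (1.0 - slo)


def error_budget_burned(slo: float, window_days: int, downtime_minutes: float) -> float:
    """Fraction of the error budget consumed so far; above 1.0 the SLO is missed."""
    return downtime_minutes / error_budget_minutes(slo, window_days)


# --- Threat budget (security) ----------------------------------------------

@dataclass(frozen=True)
class ScoredEvent:
    event_id: str
    risk_score: float  # assumed 0-100 output of the risk-scoring pipeline
    mitigated: bool


THREAT_THRESHOLD = 70.0  # assumption: events at or above this score count as threats


def open_threats(events: List[ScoredEvent], threshold: float = THREAT_THRESHOLD) -> List[ScoredEvent]:
    """Unmitigated events that score as threats, highest risk first."""
    return sorted(
        (e for e in events if not e.mitigated and e.risk_score >= threshold),
        key=lambda e: e.risk_score,
        reverse=True,
    )


def threat_budget_burned(events: List[ScoredEvent], threat_budget: int,
                         threshold: float = THREAT_THRESHOLD) -> float:
    """Fraction of the threat budget consumed by currently unmitigated threats."""
    if threat_budget <= 0:
        raise ValueError("threat budget must be greater than zero")
    return len(open_threats(events, threshold)) / threat_budget


def mitigation_plan(events: List[ScoredEvent], threat_budget: int, capacity: int,
                    threshold: float = THREAT_THRESHOLD) -> List[str]:
    """IDs to mitigate now: the highest-scoring open threats, just enough to
    get back within budget, capped by the team's mitigation capacity."""
    threats = open_threats(events, threshold)
    excess = max(0, len(threats) - threat_budget)
    return [e.event_id for e in threats[:min(excess, capacity)]]


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    ScoredEvent("evt-001", 92.0, mitigated=False),
    ScoredEvent("evt-002", 85.0, mitigated=True),
    ScoredEvent("evt-003", 78.0, mitigated=False),
    ScoredEvent("evt-004", 74.0, mitigated=False),
    ScoredEvent("evt-005", 40.0, mitigated=False),  # below threshold: not a threat
    ScoredEvent("evt-006", 71.0, mitigated=False),
]

if __name__ == "__main__":
    print(f"error budget burned: {error_budget_burned(0.999, 30, 30.0):.0%}")
    print(f"threat budget burned: {threat_budget_burned(SAMPLE_EVENTS, 3):.0%}")
    print("mitigate now:", mitigation_plan(SAMPLE_EVENTS, threat_budget=3, capacity=2))
```

The threat budget here counts unmitigated threats, as the text defines it; the risk score enters twice, first to decide which events count as threats at all and then to order what gets mitigated first when the budget is exhausted, which is where "IT investments will have to be prioritized" becomes an executable rule rather than a judgment call.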

We might call this approach to threat budgets Service Threat Engineering, analogous to Site Reliability Engineering.

What Service Threat Engineering really means is that based upon risk scoring, cybersecurity engineers now have a quantifiable approach to achieving optimal threat mitigation that takes into account all of the relevant parameters, instead of relying upon personal expertise, tribal knowledge, and irrational expectations for cybersecurity effectiveness.

Holistic engineering for better collaboration

Even though risk scoring uses the word risk, I’ve used the word threat to differentiate Service Threat Engineering from SRE. After all, SRE is also about quantifying and managing risks – except with SRE, the risks are reliability-related rather than threat-related.

As a result, Service Threat Engineering is more than analogous to SRE. Rather, they are both approaches to managing two different, but related kinds of risks.

Cybersecurity compromises can certainly lead to reliability issues (ransomware and denial of service being two familiar examples). But there is more to this story.

Ops and security teams have always had a strained relationship, as they work on the same systems while having different priorities. Bringing threat management to the same level as SRE, however, may very well help these two teams align over similar approaches to managing risk.

Service Threat Engineering, therefore, targets the organizational challenges that continue to plague IT organizations – a strategic benefit that many organizations should welcome.

Learn how Tanium is bringing together teams, tools, and workflows with a Converged Endpoint Management platform.

Risk Management

Cybercrime is nothing new. The threats that accompany society’s increased digitalization have been explored in alarmist articles, science fiction movies, and everything in between for decades. But that doesn’t mean the need for robust cybersecurity isn’t real. Digital enhancement brings increasing digital risk. Stringent provisions are more necessary than ever. 

Cybercrime’s prevalence and costs are significant. The UN reported that cybercrime skyrocketed by 600% during the pandemic, a result of an almost overnight reliance on digital working, shopping, and communication. There was a 10% increase in the average total cost per security breach from 2020 to 2021, while a McAfee report estimates that the global cost of cybercrime has now reached over US$1 trillion. 

Easy targets: smart retail and smart cities 

The need for vigilant cybersecurity measures is paramount. The retail sector has proven especially vulnerable. Trustwave reports that retail is on the receiving end of 24% of all cyberattacks, more than any other industry. 

Retail’s reliance on mixed technology, pairing legacy point-of-sale systems such as cash registers and in-store purchases with cloud-based e-commerce and administrative systems, makes it an ideal target for hackers. On top of that, retail’s customer data tends to be high value, often consisting of credit card details, phone numbers, and security questions and answers. The industry’s high staff turnover rate also makes it vulnerable. Some 64% of retailers report attempted attacks each month, with the cost of a hack to an e-commerce site currently averaging $4 million. In 2020, cyberattacks cost online retailers a remarkable £5.9 billion in the UK alone.

But the problem is not limited to e-commerce. Brick-and-mortar retail stores are at enormous risk too. In fact, part of the reason physical stores have become an easy target for cybercriminals is that in-store management is often inattentive, presuming that such attacks only take place online.  

That may have been true at one time, but many physical stores today are increasingly reliant on Internet of Things (IoT) devices. IoT solutions offer extraordinary benefits in-store: indoor navigation, presence detection, and preventive maintenance, to name a few. But if not properly secured, increased digitalization can leave retailers exposed. 

Smart cities and the Multi-Stakeholder Manifesto 

Equally vulnerable are smart cities. To thrive as intended, smart cities rely on a complex and interdependent network of devices, platforms, systems, and users, all contributing vital information that helps keep the engine running. But to be reliant on so many moving parts can leave gaps—exposing areas that bad faith actors know how to exploit.  

A key challenge for smart cities is integration and coordination. Cities are often made up of multiple municipalities, each of which typically has a different set of capabilities, different priorities, and different approaches to technology management. Increased communication among smart city stakeholders is vital for confronting cybersecurity threats. 

Some steps have already been taken to address such concerns. Over fifty civil society and industry representatives support the Multi-Stakeholder Manifesto, launched in 2021. The manifesto warns that cybercrime “poses new risks to human security, dignity, and equity” and that “no single actor can adequately counter them on their own.” It proposes a multi-stakeholder approach that puts protecting victims at the top of its agenda.  

“Governments around the world have long abused cybercrime measures and used cybercrime legislation to expand state control and criminalise the publication and dissemination of unwelcome content, to impose mass surveillance and curb privacy in the name of fighting terrorism,” the authors note. 

To effectively battle cybercrime, cooperation is required on a regional, national, and international level. Fractious regional and transnational relationships and opaque data management practices only fuel cybercrime’s rise. 

Problems and solutions 

The emergence of intelligent networks made up of billions of connected devices across a range of sectors has created a whole new world of vulnerabilities for cybercriminals to exploit. Some of the most common cybercrimes are phishing scams, ransomware, data breaches, distributed denial-of-service (DDoS) attacks, and supply chain disruptions. Cybersecurity must continually innovate and adapt to confront a diverse and ever-evolving range of threats.  

As such, many new solutions have presented themselves. WISeKey has emerged as a vital authentication and identification partner, while Darktrace employs AI as a tool of defense, preventing, detecting, responding to, and recovering from cyberattacks at the same time.

Meanwhile, Li-Fi adoption grows every year. Because it is line-of-sight, Li-Fi is harder to intercept than Wi-Fi: the signal will not leak through walls, or even through windows with the blinds closed. That physical containment limits who can reach the link; it does not replace encryption and device authentication, since anyone with line of sight to the luminaire shares the channel. Additionally, Li-Fi can be paired with high-quality lighting within the same luminaire.

What next? 

Some 57% of large and midsize businesses cite security concerns as the top barrier to further IoT adoption. But the real issue is not the IoT or the systems that use it: it’s companies and systems that use the IoT without making sure robust cybersecurity measures are implemented and managed properly. 

The top tech companies in the world have pledged billions of dollars to strengthen cybersecurity and train skilled cybersecurity workers, an action that speaks to how seriously they are taking the threat.  

But cybersecurity is an issue that covers the whole spectrum of society. As Google’s global affairs chief, Kent Walker, said upon announcing the measures, “Robust cybersecurity ultimately depends on having the people to implement it.” So it makes sense to partner with a reliable expert in the field that is always keeping an eye on the latest threats and the evolving solutions that exist to counteract them. 

Just as one would feel responsible for the security of a guest in their home, so companies should feel responsible for those navigating their website, store, or purchasing their products. Investing in the best in cybersecurity is the only way to keep people — and their data — safe. 

Click here to find out more about how Signify’s LiFi systems provide high-speed connectivity and unique physical security.  

Security

With the global pandemic upending the traditional way we work, employees across every market sector in New Zealand are now spending their workdays alternating between offices, their homes and other locations. It’s a hybrid work model that Kiwis have embraced and it is here to stay.

At a recent CIO New Zealand roundtable event in Auckland, supported by Palo Alto Networks and Vodafone New Zealand, senior technology executives from organisations across Aotearoa discussed the challenge of keeping security front of mind when the workforce is dispersed.

Glenn Johnstone, Vodafone NZ’s Head of ICT Practices, highlighted the findings of their Disconnection report in which 30% of those surveyed said they would move roles if their employer didn’t offer remote working. But the productive benefits of working from home also bring a more complex IT environment to manage.

“The sheer number of smart devices in our lives means we are more vulnerable than we think. We’re connected through our phones, the printer, our cars, fridges, fish tanks – and any connection can be an issue. It means we need security across all devices; in the office, at home, anywhere and everywhere your people are connected,” says Johnstone.

“The other key aspect is implementing zero trust networking. If you’re working in the cloud, you have increased the surface area for cyber crime attacks by a factor of 60,” he adds.

Sean Duca, Palo Alto Networks’ Regional Chief Security Officer – Asia Pacific & Japan, echoes this. “With the primary focus now on safely and securely delivering work to our workers, irrespective of where they are, we need to think about where the data resides, who has access to it, and how it’s protected and accessed.”

How NZ companies are mitigating risk in a hybrid working environment

Joe Locandro, Chief Information Officer at Fletcher Building, praises the many productive benefits hybrid working has brought but highlights the challenges it brings from a security perspective.

“The computing edge has extended to people working from various ‘out of office’ locations including homes, hotels and different countries. In addition, most home computers are used by various family members. As a result, the potential for malware to become resident on home computers is increasing.”

Locandro highlights the need to focus on securing the edge with cyber products that cover “end point” protection and two-factor authentication, as well as employees keeping the virus protection software on home computers up to date.

Waqar Qureshi, General Manager for Network & Technology at Horizon Energy Group, says they have developed a work-from-home policy for their organisation which includes awareness and responsibilities for accessing, storing and sharing the data/information.

SSO, MFA and VPN systems are also in place to restrict unauthorised access to accounts and systems.

Another attendee at the event says they are using a secure VPN with MFA around it, MFA around logins, and geo-fencing.

“In terms of people risk, there is a great deal of communication. We use town hall meetings and email bulletins to remind them of the importance of being vigilant. Everyone also has to undergo phishing training plus we are running SMX over our email which blocks/disables various functions,” the senior technology executive adds.

With organisations no longer having their applications in-house, but consuming them as a service or running apps outside the traditional perimeter, many have simply addressed the challenge by focusing on access and authorisation; but the need to inspect all traffic is paramount, says Palo Alto Networks’ Sean Duca.

“Attackers target the employee’s laptops and the applications they use thus, we need to inspect the traffic for each application. The attack surface will continue to grow and also be a target for cybercriminals, which means we must stay vigilant and can continuously identify when changes to our workforce happen when our employees are and watch our cloud estates at all times.”

Educating your organisation is key

Attendees at the roundtable event discussed best ways to get buy-in and further awareness of the importance of cybersecurity, both from the board and the wider organisation.

Joe Locandro says Fletcher Building’s management team and its board are briefed monthly on cyber statistics, activities and events.

“There is strong support on cyber programs from management. We regularly educate our employees about the potential of malware through scam emails, often alerting staff to current market scams as well as regular phishing exercises. We measure ‘click through’ rates on phishing exercises as well as [the] degree of difficulty to detect.”

Another attendee at the event says being transparent with the board is key. “Risk is the number one topic in my board paper and is always bright red. There are details then of the current situation, what we are doing about it, and current progress. We are using the Essential Eight to provide a framework and rigour which is easy to understand and define.”

Waqar Qureshi underlines the importance of every organisation investing in ICT staff training on cybersecurity “mainly to help them understand why certain policies, systems and processes are important. This includes all ICT staff, not just members of the security team. ICT helpdesk staff are generally the first touch point between ICT and users.”

The evolving threat landscape

Running legacy solutions that can’t meet the demands of a borderless workforce could see an impact on productivity and the solution may not be able to deal with modern-day threats.

“Every organisation should use this as a point in time to reassess and re-architect what the world looks like today and what it may look like tomorrow,” says Glenn Johnstone. “In a dynamic and ever-changing world, businesses should look to a software-driven model as it will allow them to pivot and change according to their needs. How we work has changed, so we need to change our thinking and approaches.”

With the threat landscape evolving, Sean Duca advises that CIOs should be ever vigilant that:

- The attack surface has grown. Be sure you know what an attacker can see and manage it accordingly.
- Know your assets in and outside of the organisation; each one acts as a potential entry point for an attacker.
- Secure your cloud estate: ensure you have visibility and control over each of the workloads and data repositories in the public clouds you operate in. Look for consistent security, not piecemeal approaches in each.
- You no longer have a perimeter, you have perimeters: secure your data and apps where they reside. Use least privilege access with continuous trust verification and security inspection.
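To show what “least privilege access with continuous trust verification” looks like as a policy rather than a slogan, here is an added example (not Palo Alto Networks or Vodafone code, and not from the roundtable) that evaluates every request from scratch against role, geo-fence, device posture and MFA freshness, so that a change in any of them changes the decision on the next request. The countries, the role-to-resource map, the MFA age limits and the sample user are assumptions.

```python
"""Per-request access decision with continuous trust verification.

Added illustration, not Palo Alto Networks or Vodafone code. The geo-fence,
the role-to-resource map, the MFA freshness limits and the sample user are
assumptions for the example.
"""
from dataclasses import dataclass, replace
from datetime import timedelta
from typing import FrozenSet

# Assumed policy data.
ALLOWED_COUNTRIES = {"NZ", "AU"}                                          # geo-fence
RESOURCE_ROLES = {"payroll": {"finance"}, "wiki": {"staff", "finance"}}  # least privilege
RESOURCE_SENSITIVITY = {"payroll": "high", "wiki": "low"}
MAX_MFA_AGE = {"low": timedelta(hours=12), "high": timedelta(hours=1)}


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: FrozenSet[str]
    device_managed: bool     # enrolled in endpoint management
    device_compliant: bool   # endpoint protection current, disk encrypted, and so on
    mfa_age: timedelta       # time since the user last passed MFA
    country: str
    resource: str


def decide_access(ctx: AccessContext) -> str:
    """Evaluate one request: 'allow', 'step_up' (re-prompt MFA) or 'deny'.

    Nothing is cached from earlier requests, so a change in device posture or
    location mid-session changes the answer on the very next request.
    """
    sensitivity = RESOURCE_SENSITIVITY.get(ctx.resource)
    if sensitivity is None:
        return "deny"                        # unknown resource: default deny
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny"                        # outside the geo-fence
    if not ctx.roles & RESOURCE_ROLES[ctx.resource]:
        return "deny"                        # no role grants this resource
    if sensitivity == "high" and not (ctx.device_managed and ctx.device_compliant):
        return "deny"                        # high-value data only from healthy managed devices
    if ctx.mfa_age > MAX_MFA_AGE[sensitivity]:
        return "step_up"                     # trust has aged out: re-verify the user
    return "allow"


def reevaluate(ctx: AccessContext, **changes) -> str:
    """Decision for the same session after the given posture or location change."""
    return decide_access(replace(ctx, **changes))


# Constructed sample contexts, not real data.
FINANCE_USER = AccessContext(
    user="a.finance", roles=frozenset({"finance"}),
    device_managed=True, device_compliant=True,
    mfa_age=timedelta(minutes=30), country="NZ", resource="payroll",
)
STALE_MFA = replace(FINANCE_USER, mfa_age=timedelta(hours=2))
STAFF_USER = replace(FINANCE_USER, user="b.staff", roles=frozenset({"staff"}))
WIKI_FROM_BYOD = replace(FINANCE_USER, resource="wiki", device_managed=False, device_compliant=False)

if __name__ == "__main__":
    print(decide_access(FINANCE_USER), decide_access(STALE_MFA),
          reevaluate(FINANCE_USER, device_compliant=False), reevaluate(FINANCE_USER, country="RU"))
```

Unknown resources default to deny, and high-sensitivity data is reachable only from a managed, compliant device; a low-sensitivity resource from an unmanaged home machine is still allowed with fresh MFA, which is the least-privilege trade-off the roundtable’s geo-fencing and MFA comments describe. The same evaluation runs on every request, so the device falling out of compliance mid-session is caught without waiting for the next login.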

By Haider Pasha, Sr. Director and Chief Security Officer for Emerging Markets at Palo Alto Networks

Cybersecurity has long been one of the most complex landscapes an organization must navigate; with each new threat or vulnerability, complexity continues to grow. This is especially true for organizations that have traditionally taken a point product approach to their security because implementing new security measures properly and reliably takes time and expertise. Today, as more businesses look to digitize their services, dealing with these cybersecurity challenges is no longer optional.

Every new tool must be installed, tested, and validated, and then people must be trained to use it well. On average, organizations adopt dozens of different products, services, and tools for their cybersecurity, so making implementation smoother, faster, and more efficient has become a key goal for cybersecurity professionals. As businesses plan for a post-pandemic and digitally accelerated era, many CISOs across multiple industries strive for simplicity and make reducing their security vendor footprint part of their annual KPIs.

Implementation, in particular, has always been an important consideration for successful cybersecurity programs because of the time, expense, personnel, and expertise required not only to implement individual point products but to stitch them together so as to avoid security gaps while eliminating redundancies. In the event of a serious incident, security operations center (SOC) analysts typically confess to switching between multiple vendor consoles and event types to decipher alerts. Organizations and teams need a better approach, so they are not either continually exposed or overworked by the alerts created by overlap.

Implementation Benefits of Cybersecurity Platforms

Research conducted by Palo Alto Networks with a wide range of its customers, supplemented by additional first-person, one-on-one interviews, highlighted a range of implementation benefits that result from taking a platform approach to cybersecurity architecture. By definition, a platform is the culmination of integrated points, such as integrated threat intelligence using automation and orchestration across a variety of security tools to take action against incidents in real time and as one system. This approach eases the procurement, management, and operation of the cybersecurity stack while reducing cyber risk. Deploying multiple products from different vendors typically requires a level of expertise beyond the capabilities of many in-house teams. Rather than “buying” implementation resources from consultants or cybersecurity services companies, organizations are looking for a more integrated approach to solutions implementation. Platforms, such as those provided by Palo Alto Networks, smooth and facilitate implementation while reducing the risk often associated with integrating different products.

Identifying the Top Areas of Value

Respondents surveyed on the implementation benefits pinpointed five specific areas where a platform approach delivers tangible value:

1. Reducing solutions complexity and the number of integration points
2. Decreasing deployment time
3. Cutting the risk of time and budget overruns
4. Trimming deployment effort and personnel “touches”
5. Reducing the amount of practitioner and user training

On average, respondents said that our platforms helped them reduce solution complexity and the number of integration points by 29%, while each of the other four benefits resulted in savings of approximately 23.3%. As organizations evolve their cloud infrastructure, for example, taking a platform approach helps reduce the number of vendors required to secure multiple instances on the cloud, such as containers, serverless systems, and traditional virtual machines. By binding the cloud security tools under one management system, the reduced complexity of both deployment and procurement means that customers are able to scale their cloud infrastructure much faster than before.

This generally translates to cost savings in the form of faster security policy updates, incident management lifecycles, and reduction of alerts. In fact, according to calculations made by Palo Alto Networks related to customers’ actual implementation costs, a typical organization can achieve an annual economic benefit of more than $500,000 by utilizing a cybersecurity platform model for solutions implementation. In customer interviews, those operational and financial benefits of implementation were brought into greater focus.

“Earlier on, we had at least four to six different integration points just for firewalls and endpoint security before we went with Palo Alto,” said one customer. Using Palo Alto Networks platforms, customers are able to standardize and unify security policies and reduce their risk exposure due to the likelihood of reduced human errors.

As a platform-based approach encourages an open consortium of cybersecurity vendors, customers see the value of this ecosystem: “Having one ecosystem really does get a lot of efficiencies with integrations being so seamless.” Yet another client put it succinctly: “People already know how to do troubleshooting.”

Another tangential yet very important implementation benefit to platforms is the ability to overcome the much-discussed cybersecurity skills gap. By consolidating all cybersecurity tools under the same architecture with easy integration and common connectors, organizations alleviate the need for armies of technical staff—each with different certifications and experiences—to integrate new tools as the need occurs.

As organizations look for comprehensive solutions and services to secure the network, cloud, and endpoint and optimize their SOC, our Palo Alto Networks portfolio of platforms provides them with best-in-class capabilities, backed by leading third-party evaluations and efficacy tests, that together deliver coordinated security enforcement across our customers’ environments.

Read the full research study here.

About Haider Pasha:

Haider Pasha is Sr. Director and Chief Security Officer for Emerging Markets at Palo Alto Networks. Over the course of his 20-year IT career, Mr. Pasha has held various certifications, including CCNP, CCSP, CISSP, CCIE (Security), and CEH.
