On August 27, LogRhythm hosted a panel focused on “Tapping Global Threat Intelligence to Secure Enterprise Networks” at Ruth’s Chris Steakhouse in Crystal City. The panel participants included Sameer Bhalotra, COO of Impermium and former Senior Director for Cybersecurity at the White House; Bob Gourley, Publisher, CTOvision; Todd G. Myers, Senior Architect at the National Geospatial-Intelligence Agency and the Intelligence Community Information Technology Enterprise (IC ITE) Chair for the Geospatial Integration Joint Venture Leadership Network (GI JVLN) to the Office of the Director of National Intelligence (ODNI); and Chris Petersen, CTO at LogRhythm; with moderator Betsy Schmidt Chase, the Federal Business Development Manager at LogRhythm.
Discussions began with a question to the panel addressing the biggest threat to the United States’ national security. Todd G. Myers was the first to speak, saying that the biggest threat would be attacks against our many interconnected systems in ways that could cause cascading failures. These threats are compounded by many systems being vertical in nature when they should be horizontal or elastic.
Chris Petersen followed with his opinion that the biggest threat to national security is industrial espionage. Petersen stressed that this is the biggest threat because it is underway now. Industrial espionage gives our foes access to things we worked to create and that they do not deserve, and this steals from our collective future.
Sameer Bhalotra said the worst attacks would be those on the power grid, along with the continuing mass theft of intellectual property. He added a developing concern about attacks on financial markets and mentioned new types of theft, such as Bitcoin losses.
Bob Gourley reminded all that if the question is about the biggest national security threat, we should keep in mind that the destruction of our way of life must be deterred, and that means deterrence of nuclear war remains of critical importance. There are cyber dimensions to this threat, and we must protect our command and control systems in peacetime so that no adversary is tempted to conduct cyber attacks against us. Gourley said steps should be taken to defend the PC and client world against cyber attacks, but underscored that this is the old infrastructure. The age of the PC really is over. We are now in the age of mobile computing, and very soon this will morph into a new age of ubiquitous computing. We need to think about the security of everything and anything connected to the Internet.
Todd Myers was asked to comment on best practices for architecting in security, especially around protection of enterprises. Myers took the opportunity to underscore that security has to be architected in at the beginning, not tacked on at the end. This means designing security in early, at the device, platform and network levels. He also underscored the importance of encryption.
Chris Petersen answered the next question, on the topic of changes in architecture. Petersen replied that there is a need to stay consistent with what needs to be adopted. He stressed that verticals are pervasive to honeypots. Using the honeypot tactic to find infiltrators of a network helps to identify who the infiltrators are and what they are attempting to accomplish. This tactic helps to better understand the adversary.
Sameer Bhalotra addressed the same question saying that there is a need for security analytics. Sensors should be looking for problems and gathering data to conduct further analysis. Data needs to be collected to find out what occurred when a breach took place.
Bob Gourley took the next question: what is the latest and greatest technology? He said he knows that people and process are of critical importance, but technology too must be implemented smartly. From there he noted that a well-instrumented enterprise can make it very hard for an adversary to remain undetected. A well-instrumented enterprise can give indications of the adversary prior to a breach and help fight them after a breach. Additionally, this lays the foundation for the most important capability in security: the means to automatically remediate and restore back to a known good state.
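The honeypot tactic Petersen describes and the sensor data collection Bhalotra and Gourley call for fit together: a decoy asset that no legitimate user or process should ever touch turns ordinary connection and authentication logs into a high-fidelity indicator, and grouping the hits by source shows who the infiltrator is and what they are attempting. The block below is an added example written for this page; it is not code from the panel, from CTOvision or from LogRhythm. The log line format, the decoy host 10.0.9.250, the decoy account svc_backup_legacy and every log line are constructed for illustration.

```python
"""Decoy-hit detection over collected sensor data (added example, not from the panel)."""
import re
from collections import defaultdict

# Decoy assets that nothing legitimate should ever touch (assumed for this example).
DECOY_HOSTS = {"10.0.9.250"}            # hypothetical honeypot file server
DECOY_ACCOUNTS = {"svc_backup_legacy"}  # hypothetical honeytoken credential seeded in a config file

# One constructed line format for both firewall and auth sensors:
#   <timestamp> <sensor> src=<ip> dst=<ip> user=<name|-> action=<what>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) action=(?P<action>\S+)$"
)

# Constructed sample records: one host probes the decoy server and logs in with the
# honeytoken, a second host tries the honeytoken against a real server, and a
# legitimate user goes about her business. The last line is malformed on purpose.
SAMPLE_LOGS = """\
2014-08-27T10:00:01Z fw src=10.0.3.17 dst=10.0.9.250 user=- action=connect:445
2014-08-27T10:00:02Z auth src=10.0.3.17 dst=10.0.9.250 user=svc_backup_legacy action=login_failed
2014-08-27T10:00:05Z auth src=10.0.3.17 dst=10.0.9.250 user=svc_backup_legacy action=login_ok
2014-08-27T10:00:09Z fw src=10.0.3.17 dst=10.0.9.250 user=- action=connect:3389
2014-08-27T10:01:00Z auth src=10.0.5.2 dst=10.0.1.10 user=alice action=login_ok
2014-08-27T10:01:30Z fw src=10.0.5.2 dst=10.0.1.10 user=- action=connect:443
2014-08-27T10:02:00Z auth src=10.0.7.44 dst=10.0.1.10 user=svc_backup_legacy action=login_failed
this line is not a sensor record and must be skipped
"""


def parse(lines):
    """Yield one dict per well-formed record; silently skip lines the sensor format does not match."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_decoy_hit(rec):
    """A touch of a decoy host, or any use of a decoy credential anywhere, is a hit."""
    return rec["dst"] in DECOY_HOSTS or rec["user"] in DECOY_ACCOUNTS


def attribute(lines):
    """Group decoy hits by source address: who touched the decoy, with the full event list."""
    hits = defaultdict(list)
    for rec in parse(lines):
        if is_decoy_hit(rec):
            hits[rec["src"]].append(rec)
    return dict(hits)


def attempted_actions(hits):
    """Per source, the distinct actions seen against decoys: what the infiltrator was trying to do."""
    return {src: sorted({r["action"] for r in recs}) for src, recs in hits.items()}


def alerts(lines):
    """One alert string per offending source, suitable for an analyst queue."""
    out = []
    for src, recs in attribute(lines).items():
        targets = ", ".join(sorted({r["dst"] for r in recs}))
        actions = ", ".join(sorted({r["action"] for r in recs}))
        out.append(f"decoy touched by {src}: targets={targets} actions={actions} events={len(recs)}")
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOGS):
        print(alert)
```

Because the decoy host and credential have no legitimate users, every hit is worth an analyst's attention, and the honeytoken catches the second source even though it never touched the honeypot itself; the instrumentation only pays off if the firewall and auth sensors are actually feeding a place where the two log types can be joined by source address.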
Petersen pointed out that technology and automation will make people better at combating cyber threats.
Betsy Schmidt Chase presented the next question, on the topic of the Cybersecurity Information Sharing Act (CISA). CISA requires the Federal Government, including the Director of National Intelligence (DNI), the Secretary of Homeland Security, the Secretary of Defense and the Attorney General, to develop and promulgate procedures and oversight for information sharing regarding cyber threats. It also provides liability and antitrust protections for entities providing information within the limits of the Act.
The first question centered on the best practices that should be employed to develop a reasonable framework for information sharing under CISA. Myers began by addressing the issue of capturing knowledge and going forward with it. There is a problem with people not wanting to share information because they prefer to control what they know. Accessible and centralized knowledge is necessary to support information sharing. There is value in “putting things in a place to accelerate knowledge sharing.”
Bob Gourley responded, saying that information sharing is more a matter of “trust based relationships.” Would sharing information be beneficial or detrimental?
On information sharing, Bhalotra said that some of the data is in the middle ground: not necessarily the silver bullet, but not of zero value either. There is hesitancy due to privacy concerns. The biggest issue with information sharing is a lack of automation, said Bhalotra, and legal overhead. He stated that information sharing is not smooth, but on the West Coast it is now legal for the private sector to share with other private sector industries, and it is happening more and more.
Petersen said that it is vital to know what the enemy is talking about. Responding effectively and quickly is fundamental when an enemy infiltrates a network.
The next question addressed whether privacy should be given up. Gourley was the first to tackle the question, saying that, “it seems sometimes like there are two sides and no middle ground.” It is hard, because how can the government not interfere, yet still steal from adversaries, if extreme privacy restrictions are in place? “What should we do to steal adversary secrets,” Gourley asked rhetorically.
“There is always an insider threat” replied Myers, “there is always the black swan.” There is an inherent need to protect what we put down. The term insider threat is one of this day and age, one that will become something completely different in the years to come.
“Insider threat is really outsider [threat],” Petersen said. With privacy, there is a willingness to pose as an insider threat.
Before, there was no way to compare analytics; now there is, Bhalotra stated: “now we can detect bad behavior when we know what to look for.” Within the private sector, employees do not want to be spied on; that is more the accepted culture of the government. In DC, the loss of privacy is expected, whereas on the West Coast it is atypical.
Gourley closed the panel with his statement: an adversary can be found and detected when there is an instrumented network with the right design that can act on the adversary.
The panel was received with a warm round of applause, while Chris Petersen prepared his next presentation. He presented on LogRhythm’s Security Intelligence Maturity Model, which will soon be available.