In the face of increasing cyber threats, learn about two key innovations that can help keep ahead of bad actors and keep your organization secure. Credit: Shutterstock By John Davis, Retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks What critical innovations can change the balance in cybersecurity, providing those of us responsible for defending our organizations with more capabilities against those who would do us harm? This is not just a theoretical exercise. It is something all of us in cybersecurity need to understand — and a key national security priority. I’ve given this question considerable thought in my role advising many of my former colleagues and other leaders in the U.S. government. In my view, there are two key interrelated developments that can shift the cybersecurity paradigm. They are: Innovations in automation.Software-based advanced analytics — including big data, machine learning, behavior analytics, deep learning and, eventually, artificial intelligence. I’m not saying these innovations can reverse the historical advantage offense has had over defense. But improved use of automation — combined with software-based advanced analytics — can help level the playing field. Cyber threats are increasingly automated using advanced technology. Unfortunately, defense has continued to employ a strategy based mostly on human decision-making and manual responses taken after threat activities have occurred. This reactive strategy can’t keep pace against highly automated threats that operate at speed and scale. The defense has been losing — and will continue to lose — until we in the cybersecurity community fight machines with machines, software with software. Prevention is key Any good defensive strategy should be comprehensive with protection, detection, response, recovery, and resilience. Prevention is key, especially in today’s complex environment. That is where we have not invested enough — and where automation and advanced analytics can make an enormous difference. First, let me define what I mean by prevention, starting with understanding the basic cyberattack process, sometimes referred to as the cyber threat lifecycle. This process consists of seven steps: Probing;Developing a delivery mechanism to get to a victim or target;Exploiting a vulnerability in the network environment;Installing malicious code;Establishing a control channel;Escalating privileged access;Moving laterally within the network environment. These steps usually occur in that order, but not always. The final step defines a successful attack, which could be encrypting data for ransom; exfiltrating sensitive data; exposing embarrassing information; or disrupting/destroying targeted systems, devices, or data. Modern cyber threat actors can work their way through the attack process more quickly than ever with advanced software and machines. But the process still takes time — allowing defenders to see and stop a threat at any step in the process. To do so, however, defenders must have complete visibility across their network environment and be able to deliver protections everywhere automatically. Therefore, they need both sensors and enforcement points. Just seeing malicious activity without being able to stop it won’t change the dynamic between offense and defense. Tackling speed and scale Automation lets security teams fight machines with machines and save their most precious resource (people) to do things that only people can do better and faster than machines. This includes hunting and deep, high-end analysis. Any other approach will never keep pace with the speed and scale of modern cyberthreats. Software-based advanced analytics enable security teams to fight software with software. They make it possible to deploy sensors and enforcement points in all critical places in a network environment. More importantly, they enable the integration between the sensors and enforcement points. With advanced analytics, any type of suspicious behavior in a network environment can be quickly matched to the attack process used by all known threat actors or organizations. Analytics can even identify a threat never seen before or a possible threat not directly matched to a known bad signature or activity. Using machine learning algorithms, a decision can be rendered in near real-time — less than 10 minutes is state-of-the-art today — and a protection can be delivered automatically to stop the threat everywhere in the organization’s enterprise environment without the need for any human intervention. Defenders have access to an enormous amount of data from networks, endpoints, and clouds. The right kind of data includes cyber threat indicators of compromise as well as contextual information. It does not include traditional policy and legal landmines such as personally identifiable information, protected health information, intellectual property, or surveillance-related data. Leveraging this data, it is possible to act at speed and scale with a very high degree of precision, achieving false positive rates of less than one percent. The key to this kind of effective defense is complete, continuous, and consistent visibility and security controls across all elements of an organization’s network environment — from the network to the cloud (public, private, hybrid, multi, SAAS) to endpoint and IoT devices. Stopping threats, mitigating risk Cybersecurity protections that leverage automation and advanced analytics are available today and getting better as time goes by, with more of the right kinds of data to drive automated decisions and protections. Best case, the use of these two innovations enable security teams to see and stop cyber threats before they are successful, providing an advantage for the defense. Worst case, they let security teams limit the damage of a successful attack to something determined to be an acceptable level of risk. Why is this so important? Eliminating or reducing the advantage that cyber offense has over defense is critical to creating a more stable cyberspace. Traditionally, when offense has the advantage, it creates enormous instability. When defense has the advantage, it creates a more stable environment. We’re living in a world with an unacceptably high level of instability in the cyber domain. The risks of miscalculation, misinterpretation or even a plain mistake are just too high. Effective use of automation and software-based advanced analytics can help level the playing field between offense and defense and create a much more effective cybersecurity posture for any organization. About John Davis: John is a retired U.S. Army Major General and Vice President and Federal Chief Security Officer for Palo Alto Networks, where he is responsible for expanding cybersecurity initiatives and global policy for the international public sector and assisting governments around the world to successfully prevent cyber breaches. Related content brandpost Sponsored by Palo Alto Networks Bridging the gap between legacy tools and modern threats: Securing the cloud today Charting the course of cloud security: Bridging the divide between legacy tools and evolving modern threats. Gain visibility today. By Gonen Fink, SVP Products, Cortex & Prisma Cloud, Palo Alto Networks Jun 05, 2024 5 mins Cloud Computing brandpost Sponsored by Palo Alto Networks Is there a natural contradiction within AI-driven code in cloud-native security? Unveiling the duality: Harnessing AI's potential while safeguarding cloud-native security By Amol Mathur, SVP & GM of Prisma Cloud, Palo Alto Networks Jun 03, 2024 5 mins Artificial Intelligence Security brandpost Sponsored by Palo Alto Networks What CIOs need to know about the newly proposed Critical Infrastructure Cyber Incident Reporting Rule The current cybersecurity regulatory landscape continues to evolve, and CIRCIA’s incident reporting requirements are just one of the many emerging regulations organizations will need to observe. By Anand Oswal, Senior Vice President, and GM of Network Security at Palo Alto Networks May 15, 2024 5 mins Security brandpost Sponsored by Palo Alto Networks M&A action is gaining momentum, are your cloud security leaders prepared? Direct visibility is critical in M&A, and cloud-native application protection platforms (CNAPP) are ideal to provide this capability. By Amol Mathur, SVP & GM of Prisma Cloud, Palo Alto Networks Apr 25, 2024 4 mins Cloud Management PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe