Week 6 CYBR 650 Blog
Week 6 Blog, but more a review of “Self-Defending Networks: AI and the Future of Cyber Defense”
I wrote an article review for a Risk Management class this week. The article discussed the need for financial IT risk analysts to start capitalizing on the advent of new technologies such as AI, blockchain, and cognitive computing. The article was mainly about framing how these technologies might introduce new risks or threat vectors, or how they can be leveraged to help analysts manage risks and controls better. Not a lot of specifics on what is actually going to change. AI sounds great, but what does it actually do? Also, what is now obsolete? This got me thinking about what the future of cyber security is going to look like. I have never actually worked in the industry (19 years in the military), receiving most of my knowledge through formal education, so my thoughts on this are still developing as I learn and gain experience.
Enterprise Immune System
I stumbled across a video from the MIT Technology Review of a talk given by Nicole Eagan titled Self-Defending Networks: AI and the Future of Cyber Defense. Eagan is the CEO of Darktrace, an AI company for cyber defense, and she made some very interesting points about the future of cyber security. It really seems that we might be on the precipice of a mindset shift when you listen to speakers like her.
Her product is all about autonomous network detection and response. Sort of like an immune system for an enterprise network: it can immediately recognize when a foreign body is inside, and take steps to isolate and eradicate it. Current security models don’t quite operate like this. We try to predict what might happen, and build controls to stop the attacks from taking place. We rely on a multitude of security systems to complement each other and secure our assets, and there are issues with this, especially when you look at the attacks to come over the next decade.
There are many issues with this model. Many of these systems rely on signatures and historical attacks, but this can be faulty, as attackers are intentionally and rapidly changing their methods. They know what systems you have; thus, they can work out how to eventually bypass or trick those systems.
So, what if the attack is a new one? Do older systems stand any chance of stopping it? Whitelists and blacklists are also not working, as attackers are always finding a way to fool the security. Fast-spreading malware can replicate quicker than systems can comprehend what is happening. APTs blend in well and move too slowly to be detected by people.
The issue is that a layered defense can be effective, but it will probably be exploited eventually. Standard controls are good at imagining what an attacker might try to do and putting in controls to stop that… but not so good at detecting the unexpected. Ms. Eagan used a good example of a Las Vegas casino where an IoT thermostat was compromised. The attacker attempted to move a sensitive database laterally through the network so it could be exfiltrated. The database administrators apparently never thought to deny the thermostat access to the DB. This is abnormal behavior that AI can detect.
Change in Mindset?
Ms. Eagan’s idea is to accept that they will get in, but focus on identifying, isolating, and responding to an attack by having AI systems on the network that are capable of finding the “not right”. These systems can sit on a network for 5-7 days and learn. The stated goal was 400 different data features from each packet. They are designed to learn and differentiate the benign from the interesting through deep learning. Back to the immune system analogy: these systems understand what is “self” and what is “not-self” and respond autonomously to isolate and eradicate the anomaly.
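To make the “self” versus “not-self” idea concrete, here is a toy detector I have added as an illustration. It is not Darktrace’s product logic and not code from Eagan’s talk; it is a deliberately simple version of the same shape: learn, per source host, which peers and flow sizes are normal during a learning window, then flag flows that fall outside that profile and pick a proportionate response. The thermostat-to-database case from the casino story is one of the constructed inputs. All hosts, addresses, ports and byte counts below are made up for the example.

```python
"""Toy 'self' vs 'not-self' detector over network flow records.

Added example for this post: a simplified illustration of baseline learning
and anomaly scoring, not Darktrace's algorithm and not code from the talk.
Hosts, addresses, ports and byte counts are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int]  # (src, dst, dport, bytes_out)


@dataclass
class HostProfile:
    """What a source host was seen doing during the learning window."""
    peers: Set[Tuple[str, int]] = field(default_factory=set)
    bytes_out: List[int] = field(default_factory=list)

    def volume_ceiling(self, factor: float = 4.0) -> float:
        # Largest flow ever seen from the host, with headroom for normal jitter.
        return max(self.bytes_out) * factor


# Constructed learning-window traffic (think of it as 5-7 days of flows).
# Thermostat 10.9.0.23 only ever talks to the HVAC gateway over HTTPS;
# workstation 10.1.0.15 queries the database 10.2.0.8 over 1433.
LEARNING_FLOWS: List[Flow] = [
    ("10.9.0.23", "10.9.0.1", 443, 1_900),
    ("10.9.0.23", "10.9.0.1", 443, 2_200),
    ("10.9.0.23", "10.9.0.1", 443, 2_050),
    ("10.1.0.15", "10.2.0.8", 1433, 90_000),
    ("10.1.0.15", "10.2.0.8", 1433, 140_000),
    ("10.1.0.15", "10.2.0.8", 1433, 210_000),
    ("10.1.0.15", "10.1.0.2", 445, 30_000),
]


def learn(flows: List[Flow]) -> Dict[str, HostProfile]:
    """Build a per-host profile of normal peers and flow sizes ('self')."""
    profiles: Dict[str, HostProfile] = defaultdict(HostProfile)
    for src, dst, dport, nbytes in flows:
        profiles[src].peers.add((dst, dport))
        profiles[src].bytes_out.append(nbytes)
    return dict(profiles)


def score(profiles: Dict[str, HostProfile], flow: Flow) -> List[str]:
    """Return the reasons a flow looks 'not-self'; an empty list means normal."""
    src, dst, dport, nbytes = flow
    profile = profiles.get(src)
    if profile is None:
        # A host that never appeared in the learning window is itself an anomaly.
        return ["unknown_host"]
    reasons: List[str] = []
    if (dst, dport) not in profile.peers:
        reasons.append("new_peer")      # e.g. thermostat -> database
    if nbytes > profile.volume_ceiling():
        reasons.append("volume")        # e.g. bulk exfiltration
    return reasons


def decide(profiles: Dict[str, HostProfile], flows: List[Flow]) -> Dict[str, str]:
    """Map each flagged source host to a proportionate response."""
    worst: Dict[str, int] = {}
    for flow in flows:
        reasons = score(profiles, flow)
        if reasons:
            worst[flow[0]] = max(worst.get(flow[0], 0), len(reasons))
    # One reason: raise an alert for a human; two or more: isolate the host.
    return {src: ("isolate" if n >= 2 else "alert") for src, n in worst.items()}


# Constructed live traffic after the learning window.
LIVE_FLOWS: List[Flow] = [
    ("10.9.0.23", "10.9.0.1", 443, 2_100),          # normal thermostat check-in
    ("10.9.0.23", "10.2.0.8", 1433, 800),           # thermostat reaches the DB
    ("10.9.0.23", "203.0.113.7", 443, 48_000_000),  # then pushes 48 MB outbound
    ("10.1.0.15", "10.2.0.8", 1433, 120_000),       # normal workstation query
    ("10.7.0.99", "10.2.0.8", 1433, 500),           # host never seen before
]

if __name__ == "__main__":
    profiles = learn(LEARNING_FLOWS)
    for flow in LIVE_FLOWS:
        print(flow, score(profiles, flow) or "normal")
    print(decide(profiles, LIVE_FLOWS))
```

Run as a script it prints each live flow with its reasons and then the per-host decision: the thermostat ends up isolated because it both contacted a peer it never talks to and pushed far more data than it ever has, while the never-seen host and the workstation get an alert or nothing. A real product would learn far richer features (the talk mentions 400 per packet) and a statistical rather than fixed ceiling, but the shape of the logic, learn “self” and act on “not-self”, is the same.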
Potential attacks on critical infrastructure are an important topic right now, and AI works great in SCADA environments. Machine-to-machine communication is much easier to predict, which makes detecting that “not right” easier. No Facebook or e-mail makes that an easier task. Personally, I don’t see a future cyber landscape where this kind of technology doesn’t play a major role. Attacks simply move too fast, or too quietly, and security is in prevent mode instead of seek-and-destroy mode.