Security is a journey, not a destination. Between new technologies, emerging threats and seismic shifts in the cultural landscape, nothing stays static for long. In that spirit, Scott Behm, Keysight Technologies’ Chief Information Security Officer, gives his take on leading enterprise security teams, how 2020 shook things up and what the future may have in store.
If we could rewind the clock two years, what could the IT world have done to better prepare for the diversity of risks offered by 2020?
2020 did indeed deliver the IT and cybersecurity community a diversity of trials and associated risks. Defending against increasingly sophisticated threat actors while addressing the people, process and technology challenges associated with enabling effective and secure remote work almost overnight has been interesting. On a positive note, we have all learned new ways to innovate and deliver. In some cases, we have yielded results even better than before.
As they say, hindsight is 20/20. In 2020, the IT world has proven its resiliency – and overall done well at enabling organisations to get the job done under extreme circumstances. Many lessons were learned along the way, and it most certainly wasn’t the same journey for all. Looking forward, a greater focus on scenario planning for unthinkable crises will help us better future-proof our institutions and interests.
If you learned tomorrow that you were the victim of a ransomware attack, what’s the first thing you’d do?
As you know, ransomware attacks – if successful – can have a major impact on their intended targets. As such, it is imperative that companies prepare using tabletop exercises, coordinated blind simulations (making participants believe it is the real thing) or purple team exercises to test not only their response but their ability to detect.
At Keysight, if we discovered or otherwise learned that there were indications of a ransomware attack, the SOC [security operations centre] would immediately enact the ransomware playbook. The designated incident commander would begin coordinating communications with both responders and business stakeholders. Concurrently, the SOC would work to understand the scope of the attack so appropriate containment and mitigation procedures begin as soon as possible.
What role do you think artificial intelligence (AI) and machine learning (ML) play in cybersecurity? What role can they play in the next five years? Do you think offensive use of ML will offset potential gains in security?
Artificial intelligence and machine learning are indeed starting to play a role in cyber defence. Today, AI/ML is helping in two areas:
In the future, AI/ML will likely help cyber defenders even more in these two areas as the technology improves. Looking forward, quantum computing algorithms combined with AI and ML may make predictive cyber defence a true reality. This is based on the premise that quantum computing can represent several states at the same time – which will enable faster processing of related data sets and result in high-speed, high-fidelity threat predictions. Whether or not this happens in five years is anyone’s guess.
How do you weigh the trade-off between “tool sprawl” and managing dozens of different security dashboards versus single-vendor solutions that might not be as good in all security categories? How do you consider the impact of management complexity?
In many cases, organisations do not entirely leverage their investments in cybersecurity defence and visibility tools. The full capabilities of existing cyber defences may not be deployed and existing configurations might not be tuned appropriately. So, do that first.
On cybersecurity defence: If the digital estate is entirely cloud-based from a single provider, leveraging the native cloud provider’s cybersecurity defence capabilities to the greatest extent possible may make sense. However, if the organisation’s architecture is hybrid cloud – or a mix of everything, including on-prem IT and OT, multiple cloud instances and edge computing – finding a single-vendor solution is likely impossible.
On cybersecurity visibility: Developing a flexible security architecture that allows all security-relevant data to be centrally collected for cross-referencing, contextualisation and alerting will enable the SOC to be most effective in detecting threats, regardless of the threat vector.
How do you evaluate new vendors on your network? Is the bar higher for new versus established vendors? What are your acceptance criteria?
Scanning the horizon for new and emerging cybersecurity technologies pays dividends. However, like the answer to the previous question, making sure that the existing investment is used to its full capability before chasing a shiny new toy is paramount.
If indeed it has been determined that the existing tool set is unlikely to address the emerging threats, an evaluation process should be started that would ultimately short-list one or two solutions. These solutions could then be extensively evaluated, first in a test environment and then in production. Structuring the evaluation as either concurrent “proof of value” engagements or fully paid, short-term subscriptions rolled out in parallel allows for a data-driven decision. The solution that provides the best value in terms of stability, scalability, performance and support wins.
To find out more, visit: www.keysight.com