Fortnite got it right: When it comes to defending against cyber attacks, we need to do battle as a team. A couple years ago when I witnessed my 16 grandchildren scattered throughout the house playing the game, I realized something: Even if they had been playing from their respective homes, they would have still been collaborating and strategizing, just as effectively, to survive on the island. This was collective defense at work.
Now, I don’t mean to imply that collective defense for cybersecurity is child’s play, a game. But we can look to the underlying aspects of this collaborative approach to change the current cybersecurity playing field, which simply isn’t working.
Based on my experience with the U.S. Cyber Command, I can say that the offense always won by actively creating new exploits, constantly modifying malware, massively scaling at a level that’s almost unimaginable, and escalating to nation-level attacks employed by Russia, China, Iran, North Korea — and many other rogue, non-nation state actors.
Today, cybersecurity defense that brings together organizations, states, and nations in a real-time network to defend against cyber attacks is the only way to compete. Every week, when I meet with private and public sector leaders struggling against the relentless onslaught of cyber attacks, I become more determined in the collective defense mission.
The bigger picture of collective defense
To understand why we must adopt a new approach, we need to take a hard look at why current approaches to cyber defense aren’t working. Today, operators defend in relative isolation with only a narrow view of the network. This siloed and limited visibility makes it very difficult — nearly impossible — to understand the offensive strategy at play or, worse, the best defensive plan to mitigate the threats.
Although CISOs and SOCs may already share information “manually” via text, email, or phone, there is both lag time and the inability to see across the industry in near real time, at the same time. This business-as-usual approach to cyber defense provides a limited picture for defenders to plan their best moves as aligned stakeholders. All the while, the threat’s dwell time is expanding, and losses due to delayed response are piling up.
We need collective defense to shape the future of cybersecurity. With collective defense, we can adopt a posture like that of air traffic controllers (or networked Fortnite survivalists) to see more and act quickly on the bigger picture.
The key elements of collective defense
As the cyber “safe zone” is shrinking every day, we can defend it with the following elements:
Network traffic analysis (NTA) based on behavioral analytics
Let’s face it: false positives are the bane of every SOC operator’s existence. Behavioral analytics driven by machine learning can improve detection efficacy, but math alone is not enough. We need human intuition and insights augmented by world class AI and ML techniques to be effective. IronNet’s collective defense draws on an expert system that takes the experience of some of our nation’s top cyber defenders and combines those insights with advanced AI/ML. It is only with these capabilities in a highly scalable NTA system that cyber defenders can keep up with determined cyber adversaries that have almost unlimited budgets and time to attack enterprises every day.
From the situational context, knowledge sharing can happen in near-real time through crowdsourcing and immersive user interfaces of the threat landscape. As I have mentioned, one of the frustrations when I had Cyber Command was that we couldn’t see attacks on our country. With automatic, machine-speed threat sharing and collaboration between public and private enterprises, we now can arm the commercial sector with the ability to see threats, share that knowledge with each other, and anonymously share that information with the government so that they can use all the levels of power at their disposal to defend the nation.
There are two types of sharing knowledge. One is through the ability to see threats and understand the attacker’s Tactics, Techniques, and Procedures (TTPs). Knowing these insights will help enterprises identify threats within their environment and, equally as important, “prove the negative” that if there is an attack using similar TTPs, an enterprise’s own security teams and cybersecurity defense can detect and mitigate that threat. Proving the negative gives executives the confidence that when their security teams say that they have analyzed the threat, they have simulated the attack and are confident that the organization has the means to defend it.
The other type is knowledge sharing is based on crowdsourcing and collaboration with peer enterprises. Cyber adversaries share attack methods, tools, and insights with each other to improve their offensive capabilities. Isn’t it time that cyber defenders do the same? Defenders currently do work together, but unfortunately this often happens in an ad-hoc manner with a small subset of individuals. What if we could collaborate at scale? That is what collective defense aims to do: to enable public and private companies within a supply chain, industry, state, or nation to work together against a threat in real-time. The ability to pool knowledge and to leverage shared insights improves cyber detection and risk mitigation for the collective, and it prevents the attacker from reusing the same TTPs to “cherry-pick” enterprises individually as they do today. Anonymously sharing these insights with the government allows the government to take action against that threat at the national level in order to neutralize or lessen the impact of the threat to enterprises under their jurisdiction.
Training and human intelligence
As AWS CEO Andy Jassy has said, “There is no compression algorithm for experience.” The human part of the cyber defense equation, driven by the field’s top cyber analysts, is critical. It is not just deploying security tools but also exercising your team’s ability to detect and respond to simulated threats and to practice how to work with peers to defend against that threat. Training and great people are the key elements of successful teams. It is what many of us at IronNet have done prior to joining the company. It is what we do today. I am proud of the expert DNA that is at the heart of IronNet: our cyber hunters, red team, engineers, and data scientists represent the best in the industry. At the end of the day, the technology has to be top-notch, but combining the technology with human curiosity and expert intuition is the real game-changer.
We defend together. We win together.
The inherent nature of this networking approach to cybersecurity is a defensive posture. Cyber attacks are rampant, constantly changing, and laser-focused on the payoff (such as intellectual property, the backbone of our thriving digital economy). Without question, we need collective defense. Armed with behavioral analytics and near-real time knowledge sharing, we can act more proactively and strategically to win the cyber war together, battle by battle.