In a series of posts entitled Autonomous Everything, we are exploring automation in all its technological forms, including legacy working assumptions about the term itself. We began the series in June with a description of the first autonomous ship to cross the Atlantic Ocean. Autonomy is not just for the future of the automobile and personal mobility but includes a broad autonomous future in areas such as Security Automation, Automation and the Workforce, Automation – or Augmentation – of the workforce, and Automation of AI/Machine Learning Training Models and Industry Standardization.
Most recently, we took a look at the more familiar heavy industrial history of automation and global shipping port terminal operations, which have been the frontline in the tensions between labor, industry, and automation in the U.S. for decades. Port automation is also prescient in the context of the recent pandemic-induced supply chain bottlenecks, which strained port operations globally. Now, we are checking in with Junaid Islam, a well-known cybersecurity expert, about security automation and what is known as “Automated Continuous Threat Testing”.
Automated continuous threat testing was the topic of a recent Joint Cybersecurity Advisory (CSA) which was the “result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).” (1)
Junaid is a Senior Partner at OODA. He has over 30 years of experience in secure communications and has led the development of many network protocols including Multi-Level Precedence and Preemption (MLPP), MPLS priority queuing, Mobile IPv6 for Network Centric Warfare, and Software Defined Perimeter for Zero Trust. He founded Bivio Networks and Vidder, the first Zero Trust access control solution which he sold to Verizon. Currently, he advises the Department of Defense and NASA on networking projects and recently developed the first interference-aware routing algorithm. Junaid is also on the Board of XQ Message, a Zero Trust Data Protection start-up.
Security Automation: Continuous Automated Testing and Evaluation of Defenses
The Center for Threat-Informed Defense, a research project which builds on the foundation of MITRE ATT&CK™, is a non-profit, privately funded research and development organization operated by MITRE Engenuity. (1) The Center brings together a robust and rapidly growing community to conduct research in support of ATT&CK and accelerate innovation in threat-informed defense. (2) The following is from a recent post by The Center:
“Bloomberg highlighted a recent CISA alert last week, pointing out the importance of continuous automated tests and evaluation of defenses. Among other organizations, the Center received a nice acknowledgment for our work in this area. At the Center for Threat-Informed Defense, we work with the industry to advance threat-informed defense globally. We make our R&D products freely available under commercially friendly licenses to enable innovation and help defenders around the world. We aim for global impact and making our work freely available to all is a critical component of fulfilling our public interest mission.
Our R&D program is oriented around three core problem areas:
- Cyber Threat Intelligence – Increase operational effectiveness of threat-intel products and advance the global understanding of adversary behaviors.
- Test & Evaluation – Bring the adversary perspective to test and evaluate to understand defensive posture.
- Defensive Measures – Systematically advance our ability to detect and prevent adversary behaviors.
While this statement isn’t quite right, “CISA is making the recommendation in collaboration with the Center for Threat-Informed Defense, a 29-member nonprofit formed in 2019 that draws on MITRE’s framework.” We appreciate the recognition. We simply are not able to work with CISA or any government entity. Having said that, we love to see our work picked up and used by governments around the world. CISA is steadily improving its reporting, making it much easier for teams to operationalize their alerts. That is exactly the kind of change we hope to see across the community.” (1)
The Bloomberg article referenced by the MITRE research center, US Cyber-Defense Agency Urges Companies to Automate Threat Testing, reported that CISA “is recommending for the first time that companies embrace automated continuous testing to protect against longstanding online threats.” (2)
“Automating security is great but it is not a replacement for a sound security strategy”
Daniel Pereira: Junaid, I am reaching out to you in the context of the Autonomous Everything Series we have been running on OODA Loop and, specifically, automated continuous threat testing. There was recent Bloomberg News coverage of the issue and a recent CISA Joint Advisory that prompted my reaching out to you.
What do you think of first and foremost when you think of security automation? I also want to discuss the growth of security automation as a market sector – which is defined as “using automation for repetitive and time-consuming tasks for external cyber threats and internal information technology security.” And I knew you’d be perfect for a perspective on the pros and cons of people drinking the Kool-Aid on automating security – or any hype cycle in this market of cybersecurity solutions.
Junaid Islam: Automating security is great but it is not a replacement for a sound security strategy. Enterprises have become extremely complex with people working at home, extended supply chains, mobile devices, and cloud services. So if you say, “I’ve got all these security tasks. What if I automate some of this?” – this sounds appealing, but it is critical to get everything right.
Automation is not a replacement for security basics. And the basics are: What’s your identity system? Having role-based access so only people who are authorized to access files or applications really have it. Making sure your firewall rules are up to date. Now, you can’t have good firewall rules unless you know the IP addresses of the servers you have in your office, as well as the virtual instances in the cloud.
Unless you do the basics of identity management, network partitioning, firewalls, and routing, jumping to or adopting new automated threat management systems won’t work. There are many exciting innovations coming from the security industry – such as machine learning-based automation. Very cool. Very positive. Right? But again, if you don’t have a good grasp of your enterprise, at best, you are not going to benefit. At worst, it will increase complexity and risk. Enterprises still need to invest in the basics.
“if you don’t have a good grasp of your Enterprise, at best, you are not going to benefit. At worst, it will add complexity and risk.”
So, the first and most important thing is that basic cybersecurity hygiene needs to be done no matter what. The second thing: then the question becomes, well, “What are we automating?” Automation tools are great, but you really must know what you’re automating, right? So this is where a zero-trust philosophy is very useful. The heart of zero trust is that it is about using a risk model, not a compliance model, to manage your security priorities. MITRE ATT&CK is a great model with 12 tactics and 185 techniques. Unfortunately, you will never be able to get through that list in a timely enough fashion or have enough resources.
A zero-trust strategy can help an Enterprise adapt the MITRE threat matrix to its unique environment. The way zero trust works is you must have zero trust in something, and risk drives your prioritization. For example, you might be a company that has a lot of outsourcing. So your greatest risk would be your outsource partners, and how they connect with your applications and handle your data.
Similarly, your mission-critical data might be in the cloud. Or your applications might be handled by a third party. So now you have zero trust in that third party – that becomes your greatest risk. So the zero-trust strategy is a countermeasure to that.
Enterprises must have zero trust in something, and then focus on reducing that risk. Just buying automation tools for the sake of it, without focus, will not yield results. Without focus, automation efforts may focus on the wrong area. At worst, it might even increase risk in the Enterprise because it’s going to produce so much data and automate things that aren’t really changing the risk profile.
“Enterprises should use a zero-trust philosophy or strategy to prioritize their resources. Then bring in the automation.”
Pereira: So this formative market creation phase of “security automation”: what is your visceral response to the Bloomberg article in this post, what they are identifying as “automated threat testing” and this idea we are exploring of a future marked by “autonomous everything”?
Islam: Enterprises should use a zero-trust philosophy or strategy to prioritize their resources. Then bring in the automation. I’ve looked at these automation tools. Most of them use machine learning, and they are powerful, but they are not plug-and-play. And that’s because machine learning-based automation tools need a data set. They collect data about your enterprise and then use specific models to analyze the data. These are cognitive models, which then generate alarms of unusual behavior.
So an example might be looking at people coming into your applications, such as a supply chain partner. They are external to you. And then based on the data collected, which shows this is what they do 99% of the time, and here’s someone doing something different – it generates an alarm. But to get to that level of automation you would’ve had to do a lot of work on collecting the data and making sure that the machine learning model is properly working.
So the good news is once you get it working, ML-based automation is very powerful. But what people need to understand is that there’s no shortcut or magic button here. You still must do the basic cyber strategy work and do the risk analysis. And then when you do bring in these new machine learning-based automation tools, there’s work in collecting the data and setting up the right alarms.
“…what people should think about is #1) these are very early days in the industry for ML-based automation, and #2) machine learning-based security tools require an investment in personnel. You have to build expertise on how to use it.”
Pereira: So informally – intuition and experience – what is your percentile ranking on promising security automation versus vaporware so far? You have surveyed the land, and what would you say: 60% promising, 40% vaporware? Or vice versa?
Islam: I prefer to use the term machine learning-based security tools because the automation also could be using scripting. Scripting for security is really decades old. In fact, Cisco led to the widespread adoption of scripting 25 years ago when I worked there. When we are talking about automation today, we’re really talking about machine learning-based systems that can detect some variance in your enterprise, generate an alarm, and then initiate countermeasures.
For example, you detect an IP flow coming in from your vendor but with a different address than usual. So, maybe this is a hacker? An example of a corrective action would be to shut down the traffic by changing the firewall rule in real time. Having such a process automated is a game changer.
A few things to consider. Number one: these are very early days in the industry for ML-based automation. Number two: ML-based security tools require an investment in personnel. You have to build expertise on how to use it. You design the collection and threat model. You also have to test these scenarios. You have to trigger your alarms to make sure that the system will really work. Most people don’t understand that machine learning-based automation does require that kind of investment.
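The detect-alarm-countermeasure loop Islam describes (a partner's flow arriving from an address outside its usual set, an alarm, and a proposed firewall change), as an added rule-based illustration in Python; it is not code from the interview or from any vendor tool, the partner names, addresses and application names are constructed, and the countermeasure is returned for review rather than applied.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: historical flows per supply-chain partner and a
# batch of new flows to evaluate. Each record is (partner, source_ip, app).
HISTORY = [
    ("vendor-a", "203.0.113.10", "erp-api"),
    ("vendor-a", "203.0.113.11", "erp-api"),
    ("vendor-a", "203.0.113.10", "erp-api"),
    ("vendor-b", "198.51.100.7", "sftp"),
]
NEW_FLOWS = [
    ("vendor-a", "203.0.113.11", "erp-api"),  # matches the baseline
    ("vendor-a", "192.0.2.44", "erp-api"),    # address never seen for vendor-a
    ("vendor-b", "198.51.100.7", "sftp"),
    ("vendor-c", "198.51.100.9", "sftp"),     # partner with no baseline at all
]


def build_baseline(history):
    """Map each partner to the set of source addresses it normally uses."""
    baseline = defaultdict(set)
    for partner, src, _app in history:
        baseline[partner].add(ipaddress.ip_address(src))
    return baseline


def evaluate_flows(flows, baseline):
    """Return one alarm per flow whose source deviates from the partner's
    baseline. A partner with no history is treated as unknown, not trusted."""
    alarms = []
    for partner, src, app in flows:
        addr = ipaddress.ip_address(src)
        known = baseline.get(partner)
        if known and addr in known:
            continue
        alarms.append({
            "partner": partner,
            "source": str(addr),
            "app": app,
            "reason": "no baseline for partner" if not known else "unseen address",
            # Proposed countermeasure, handed to a reviewer or an orchestration
            # step; nothing here touches a real firewall.
            "proposed_rule": f"deny from {addr} to {app}",
        })
    return alarms


if __name__ == "__main__":
    for alarm in evaluate_flows(NEW_FLOWS, build_baseline(HISTORY)):
        print(alarm)
```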
“One of the biggest risks Enterprises face is lateral moving malware from Russia. That is something we really need to think about seriously, given the geopolitical reality.”
Pereira: It is uncanny how much what you are saying mirrors what I captured in our recent interview with Mergeflow CEO and OODA Network Member Florian Wolf on “Small Data”. You and Florian have similar insights and advice (which is always encouraging from a pattern recognition/strategic risk awareness perspective) and validate that we are framing the right research questions for our membership as well.
So this notion of an “IT flow” is something I have tracked for many years. There is some great work on the topic, not a lot, but it is a nice segue to the specific recommendations discussed in the Bloomberg coverage of the joint CSA from CISA with multiple domestic and international agencies. The recommendation, which they base on MITRE Framework research, is automated threat testing. And the recommendation is that it be continuous – so that it is a flow, right? What is your response to the implications of this recommendation?
Islam: Since a cyberattack can happen anytime we need to go to a notion of continuous testing and verification as a countermeasure. “We’re doing an audit once a quarter” just doesn’t make sense because malware could creep into your system right after the audit is done.
Let me give you an example where automation makes a lot of sense: software. One of the biggest risks Enterprises face is lateral moving malware from Russia. Subsequently, Enterprises need to keep looking at the hash of the software and whether the software matches a known hash, if it’s been altered, or if an installation has happened on one of our laptops in our company or one of our servers. So that’s a great example where having automated security monitoring is fantastic because an attack could happen anytime on our software system. That is something Enterprises need to think about seriously, given the geopolitical reality.
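The continuous software-integrity check Islam describes (hash the installed software, compare against known hashes, flag anything altered or newly installed), as an added Python example that is not code from the interview or from any product; the directory layout, file names and contents are constructed in a temporary directory so the scenario runs offline.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def verify(baseline, current):
    """Compare a known-good manifest with the current snapshot and report
    altered, added (unexpected install) and missing paths."""
    altered = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"altered": altered, "added": added, "missing": missing}


def demo():
    """Constructed scenario: take a baseline of a clean install, then simulate
    a tampered binary and an unexpected new file, and verify again."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "agent"), "wb") as f:
            f.write(b"original agent build")
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"[main]\nlevel=1\n")
        baseline = snapshot(root)  # the known-good manifest
        with open(os.path.join(bindir, "agent"), "wb") as f:
            f.write(b"original agent build + injected code")  # tampering
        with open(os.path.join(root, "dropper.bin"), "wb") as f:
            f.write(b"unexpected install")
        return verify(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Scheduling `snapshot` plus `verify` against a stored manifest is the continuous form of the check; the same comparison works when the baseline digests come from the vendor's published hashes instead of a local snapshot.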
To register for OODAcon, go to: OODAcon 2022 – The Future of Exponential Innovation & Disruption
Security automation, automated continuous threat testing, machine learning-based security tools, big data, small data, artificial intelligence, and deep learning will be discussed at OODAcon 2022 – The Future of Exponential Innovation & Disruption on the following panels:
- The Future Hasn’t Arrived – Identifying the Next Generation of Technology Requirements
- Swimming with Black Swans – Innovation in an Age of Rapid Disruption
- The Disruptive Futures: Digital Self Sovereignty, Blockchain, and AI
- Open the Pod Bay Door – Resetting the Clock on Artificial Intelligence
- Twenty Years of Cyber Threat Intelligence
- Keynote Conversation with Congressman Will Hurd
OODAcon is about understanding the future and developing the resiliency to thrive and survive in an age of exponential disruption.
Society, technology, and institutions are confronting unprecedented change. The rapid acceleration of innovation, disruptive technologies and infrastructures, and new modes of network-enabled conflict require leaders to not only think outside the box but to think without the box.
The OODAcon conference series brings together the hackers, thinkers, strategists, disruptors, leaders, technologists, and creators with one foot in the future to discuss the most pressing issues of the day and provide insight into the ways technology is evolving. OODAcon is not just about understanding the future but developing the resiliency to thrive and survive in an age of disruption.
OODAcon is the next-generation event for understanding the next generation of risks and opportunities.
OODA Network Members receive a 50% discount on ticket prices. For more on network benefits and to sign up see: Join OODA Loop
Please register to attend today and be a part of the conversation.