{"id":12928,"date":"2016-03-30T05:00:49","date_gmt":"2016-03-30T12:00:49","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=12928"},"modified":"2016-03-29T18:45:14","modified_gmt":"2016-03-30T01:45:14","slug":"cso-four-imperatives-for-cybersecurity-success-in-the-digital-age-part-3","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2016\/03\/cso-four-imperatives-for-cybersecurity-success-in-the-digital-age-part-3\/","title":{"rendered":"Four Imperatives for Cybersecurity Success in the Digital Age: Part 3"},"content":{"rendered":"<p><em>Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.<\/em><\/p>\n<p><em>This blog post series describes what I consider to be <strong>four major imperatives for cybersecurity success in the digital age<\/strong>, regardless of whether your organization is a part of the public or private sector.<\/em><\/p>\n<p>In my first two blogs, I covered Imperatives #1 and #2. 
Here are the major themes for each imperative:<\/p>\n<ul>\n<li>Imperative #1 \u2013 We must flip the scales (published <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2016\/02\/four-imperatives-for-cybersecurity-success-in-the-digital-age-part-1\/\" target=\"_blank\">February 16, 2016<\/a>)<\/li>\n<li>Imperative #2 \u2013 We must broaden our focus to sharpen our actions (<a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2016\/03\/cso-four-imperatives-for-cybersecurity-success-in-the-digital-age-part-2\/\" target=\"_blank\">March 12, 2016<\/a>)<\/li>\n<li>Imperative #3 \u2013 We must change our approach<\/li>\n<li>Imperative #4 \u2013 We must work together<\/li>\n<\/ul>\n<h3><!--more-->Imperative #3 \u2013 WE MUST CHANGE OUR APPROACH<\/h3>\n<p>Before I get to the details, allow me to review some background and context, and then provide an executive summary of Imperative #3 in case the reader is pressed for time.<\/p>\n<p>As a reminder from my previous two blogs, I use the four factors in Figure 1 to explain the concept behind Imperative #3 in a comprehensive way.<\/p>\n<p><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:58.4%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-12929 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_1-500x292.png\" alt=\"JD Imperatives 3_1\" width=\"500\" height=\"292\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_1-500x292.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_1-230x134.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_1-768x449.png 768w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_1-510x298.png 510w, 
https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_1-68x40.png 68w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_1.png 900w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/p>\n<p style=\"text-align: center;\">Figure 1<\/p>\n<ul>\n<li><strong>Threat:<\/strong> This factor describes how the cyberthreat is evolving and how we are responding to those changes.<\/li>\n<li><strong>Policy and Strategy: <\/strong>Given our assessment of the overall environment, this factor describes what we <strong><em>should<\/em><\/strong> be doing and our strategy to align <strong>means<\/strong> (resources and capabilities \u2013 or the <em>what<\/em>) and <strong>ways<\/strong> (methods, priorities and concepts of operations \u2013 or the <em>how<\/em>) to achieve <strong>ends<\/strong> (goals and objectives \u2013 or the <em>why<\/em>).<\/li>\n<li><strong>Structure:<\/strong> This factor includes both organizational (human dimension) and architectural (technical dimension) aspects.<\/li>\n<li><strong>Tactics, Techniques and Procedures (TTP)<\/strong>: This factor represents the tactical aspects of how we actually implement change where the rubber meets the road.<\/li>\n<\/ul>\n<p>In this third blog of the series, I\u2019d like to describe Imperative #3 using the concept model outlined above and step through the implications.<\/p>\n<p><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:14%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-12930 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_2-500x70.png\" alt=\"JD Imperatives 3_2\" width=\"500\" height=\"70\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_2-500x70.png 500w, 
https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_2-230x32.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_2-768x108.png 768w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_2-510x71.png 510w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_2-240x34.png 240w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_2.png 900w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div> <div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:49%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-12931 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_3-500x245.png\" alt=\"JD Imperatives 3_3\" width=\"500\" height=\"245\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_3-500x245.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_3-230x113.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_3-768x376.png 768w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_3-510x250.png 510w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_3-82x40.png 82w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/JD-Imperatives-3_3.png 900w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/p>\n<p style=\"text-align: center;\">Figure 2<\/p>\n<h4>EXECUTIVE SUMMARY:<\/h4>\n<p>What we have been doing in the past simply isn\u2019t working. 
We <strong>MUST change our approach<\/strong>!<\/p>\n<p>The first change in approach is to move away from a focus on known threat signatures toward a focus on suspicious activity in order to <strong>make unknown threat signatures known as rapidly as possible<\/strong>. We must scale the discovery of indicators of compromise through <strong>automation<\/strong>, determine in near real time that there are malicious techniques being employed, produce mitigations for those bad techniques, and automatically push them out to adjust the security posture of our networks and devices. Doing so <strong>imposes increasing costs on adversaries<\/strong> because it forces them to change their entire breach playbooks.<\/p>\n<p>Next, we must change our policies and strategies, recognizing that <strong>detection and response<\/strong>, while critical cybersecurity functions, <strong>are insufficient<\/strong> to resolve the problem on their own. It takes a <strong>strong prevention mindset<\/strong>, policies driven by the organization\u2019s leadership, and accompanying strategies that align resources and methods to achieve the desired results.<\/p>\n<p>An effective prevention-first policy means we must also change our approach by evolving from a legacy view that success is a result of bolting a bunch of independent point solutions onto an organization\u2019s network enterprise to a more <strong>natively integrated platform approach<\/strong>. The point solution approach looks at different \u201cpieces\u201d of the attack lifecycle and creates an enormous volume of alerts \u2013 mostly false positives \u2013 causing lots of work. None of the point solutions are natively integrated to communicate with each other to put the whole threat picture together, so assembling that picture takes lots of equipment, bandwidth, time, people and money. 
Next-generation technology allows you to look at the <strong>entire lifecycle process as a whole<\/strong> in a <strong>single pass<\/strong> by design, and <strong>leverages automation<\/strong> to alert only on threat playbooks and block them across the network enterprise.<\/p>\n<p>Finally, at the procedural and technique level, there is magic in leveraging <strong>automation<\/strong> in ways we have not used thus far. Traditionally, in a \u201cdetect and respond\u201d approach, we measure our \u201cincident response\u201d in days, weeks and months because we rely almost exclusively on <strong>human decision-making<\/strong> and <strong>manual<\/strong> action.\u00a0We must change our approach so that we <strong>leverage automation<\/strong> and reserve the slower, manual procedures for what only humans must do, or are best suited to do. Automation in an <strong>integrated platform approach<\/strong> reduces your workload, gives you better visibility of potential attackers, and safely enables your organization to do its critical business functions.<\/p>\n<h4>DETAILED DESCRIPTION OF IMPERATIVE 3:<\/h4>\n<p><span style=\"text-decoration: underline;\"><strong>THREAT<\/strong><\/span><\/p>\n<p>So here\u2019s the first important change in approach.\u00a0We have to <strong>move from focusing on known threats and signatures to an approach that focuses on UNKNOWN threats<\/strong> \u2026 or at least making unknown threats known as quickly as possible (hopefully in near real time) so that we can then do something about them.<\/p>\n<p>We have a problem that is giving today\u2019s cyberthreats a significant advantage over our ability to secure and defend our networks. This problem pits a growing adversary marketplace that leverages information sharing, automation and the cloud at increasing speed and decreasing costs against an oftentimes slow, clumsy, manual and increasingly expensive cybersecurity community. 
Here\u2019s where we can begin to get ahead and increase the cost to cyber adversaries.<\/p>\n<p>If we can begin to scale the discovery of indicators of compromise through automation, determine that there are \u201cbad\u201d techniques being employed in near real time, produce mitigations for those bad techniques, and automatically push them out to adjust the security posture of our networks and devices, then we can begin to make a dent in adversaries\u2019 agility, flexibility and scale.<\/p>\n<p>Remember, making an unknown threat known in a matter of minutes still means that something got through before it was discovered. But if you can do what I just described in near real time, it still pays off, because we know from the <strong>attack lifecycle<\/strong> process that it usually takes more than a few minutes to get through all the steps of an adversary playbook and achieve the final goal.\u00a0The lifecycle process requires almost any cyber actor to first gather information and perform reconnaissance, next conduct the initial compromise, then lay down an exploit or inject malware, establish command\/control, move through the network with escalated privileges to get to the right location, and finally achieve their objective, whether it be the exfiltration of information, disruption, deception or destruction.<\/p>\n<p>This takes time \u2013 usually at least hours, but it can take days, weeks and even months depending on how stealthy a cyber actor wants to be.<\/p>\n<p>So focusing on turning unknowns into knowns as quickly as possible forces the adversaries to change their entire playbooks at a rate that begins to put them on the wrong side of the problem.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>POLICY and STRATEGY<\/strong><\/span><\/p>\n<p>I believe this next point is critical if we want to deal effectively with something that not only threatens our national security but also threatens our international stability and economic vitality.\u00a0As a community 
we have traditionally taken an approach that focuses on <strong>detection<\/strong> and <strong>response<\/strong>.\u00a0I\u2019m not making light of those functions (detection and response) because they are, no doubt, vital.\u00a0But <strong>they are insufficient<\/strong>.\u00a0We are never going to get ahead of the problem if we don\u2019t change our approach to <strong>focus first on prevention<\/strong>, while also having good detection, response and resilience in place.<\/p>\n<p>I believe this imperative starts at the leadership level of any organization; and, therefore, I include it as a policy category.\u00a0Once leadership buys in, the challenge is to turn a policy of prevention into a viable strategy and align any organization\u2019s limited resources with effective methods to achieve our goals and objectives.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>ARCHITECTURE<\/strong><\/span><\/p>\n<p>If you accept the change in approach to focus on prevention in addition to detection and response, how do you make that happen?\u00a0Is it possible?\u00a0I wouldn\u2019t be in this job if I didn\u2019t believe that not only is it possible but this imperative for change is driving the way our technology works at Palo Alto Networks right now!<\/p>\n<p>And here\u2019s the key to success from an architecture point of view: we must change our approach away from a <strong>legacy set of isolated point solutions<\/strong> randomly placed throughout the network architecture and normally installed in a \u201cbolted on\u201d model. 
In this model, network security solutions don\u2019t talk to each other and can\u2019t be integrated with one another without a considerable amount of complexity, friction, bandwidth, energy and time-consuming procedures, so pinning your hopes on stopping threats based on an endless number of known signatures usually means you\u2019re always in the business of cleaning up the disaster instead of preventing it in the first place.<\/p>\n<p>Let me paint a picture for you about this point, one that our Regional CSO for Europe and the Middle East, Greg Day, developed. It\u2019s very easy and low cost for an attacker to change just one characteristic of a signature and reuse all the rest of a threat playbook. If we use a picture of an adversary\u2019s face as an example, then this is the equivalent of changing that person\u2019s eye color so you don\u2019t recognize the face anymore.<\/p>\n<p>Breaches, intrusions and attacks happen at CPU speed, so this \u201cpicture of a face\u201d is typically changing thousands of times in a minute. You need to be able to recognize the whole face. If you can do that, then even if the threat changes one characteristic of the lifecycle or breach playbook, you can still spot the adversary by recognizing the whole face and blocking the person.<\/p>\n<p>If you can do that, then it\u2019s very expensive and hard work for attackers to change their approach because they would have to change all the characteristics of their entire face (all the stages of their playbook for a breach). That\u2019s hard and expensive for them, so they are likely to go try somewhere else where their entire breach playbook or lifecycle is not blocked.<\/p>\n<p>But here is what typically happens now, using various point solutions for the different facial features (sticking with the face example). So let\u2019s say you have a threat with multiple stages of a breach playbook (a face with multiple features). 
And we have all these defenses, which are different tools designed to detect different aspects of a breach. These point solutions include legacy firewalls, URL filtering, antivirus, IPS, sandboxing, IDS, SSL decryption, and many more.<\/p>\n<p>The different tools generate hundreds or even thousands of alerts. Most of them are false positives. Think about all the analysis you must employ to sift through them. This high workload exists because different parts of this security stack all produce alerts <strong>independently<\/strong> from each other.<\/p>\n<p><strong>There is a better approach<\/strong> in which all of the detection capability is built into a <strong>single platform that is designed from the start to work together<\/strong>, not retrofitted. This approach looks at the big picture \u2013 all the characteristics at once. This approach also <strong>\u201cself-learns\u201d in near real time<\/strong>.<\/p>\n<p>Here\u2019s what I mean by being designed to work together. In the point solution model, the information about a suspected cyberthreat goes to the first component (say AV) and is unpacked so that it can be inspected and a response created. After it\u2019s unpacked, the unpacked version is discarded and the package is passed on to the next component (say URL filtering), unpacked and discarded\u2026and again\u2026and again.<\/p>\n<p>First, doing this unpacking many times is expensive because it is resource-hungry and it is done over and over again. You need a lot of hardware to support this approach.<\/p>\n<p>Second, it\u2019s very difficult to manually correlate the results from each of the inspections to look at the context of what you have found \u2013 to form the big picture. Incidentally, 30 percent of traffic coming into networks today is encrypted, which makes the unpacking process even harder. 
This manual multi-pass approach is slow.<\/p>\n<p>We must change from this approach to an \u201c<strong>integrated platform<\/strong>\u201d approach.\u00a0The key is to <strong>natively integrate<\/strong> network security, endpoint device security, and the analytical backbone that feeds both with near-real-time discovery of previously unknown threat signatures, so that an organization can actually <strong>prevent<\/strong> adversaries from stepping through the attack lifecycle process and completing their intended objective.\u00a0This is possible with an integrated platform approach.<\/p>\n<p>That means the unpacking happens once, and all the cyber breach characteristics are searched for afterward. That means it\u2019s <strong>automated<\/strong> and <strong>fast<\/strong>. Instead of alerting every time a suspicious characteristic is found, it looks at the big picture, only alerting when there is high confidence that an actual breach is taking place \u2013 when there is high confidence that there is a match to the entire face instead of just one of many facial features.<\/p>\n<p>As well as alerting you, it <strong>blocks<\/strong> all the combinations of what your adversary is trying to do. It does this by self-learning and reprogramming itself. It can only do this because of the speed at which it operates. 
The result is fewer alerts to deal with, better visibility of what is happening, and automated blocking or prevention actions taking place.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>TTP<\/strong><\/span><\/p>\n<p>Down where the rubber meets the road at the tactical, procedural level, here\u2019s the other key to successfully moving from a legacy to a \u201cnext generation\u201d approach.\u00a0We are taking a page from the threat itself with this imperative for change.\u00a0Today\u2019s advanced threats, even the modestly advanced ones, don\u2019t operate at manual speed.\u00a0<strong>They operate at the speed of automation<\/strong>.<\/p>\n<p>Threat actors are always going to beat our manual efforts to defend when they leverage automation and cloud to come at us in \u201cnth degree\u201d permutations of code adjustments (like changing different facial features thousands of times a minute), and that\u2019s exactly what they do.\u00a0We have to do the same thing to gain an advantage over the threat and change our approach from a procedural point of view.<\/p>\n<p>Traditionally, in a \u201cdetect and respond\u201d approach, we measure our \u201cincident response\u201d in days, weeks and even months because we rely almost exclusively on human decision-making and manual action.\u00a0However, when it comes to the issue of human-based, manual action versus leveraging the power and scale of automation, we must change our approach so that we <strong>leverage automation<\/strong> and reserve the slower, manual procedures for what only humans must do, or are best suited to do.<\/p>\n<p>Here, <strong>cloud<\/strong> capabilities are vital.\u00a0This can raise concerns regarding a number of issues, so we believe that you have to allow for different types of cloud options, such as true cloud versus on-premises cloud capabilities.<\/p>\n<p>So how do you make sure that this model can scale to whatever shape and size your organization will grow to? 
Remember, current organizations take different products from different vendors to look for the different characteristics that adversaries might use. And they try to integrate these in some way, mostly using manual procedures and people to look at the different alerts. That\u2019s labor- and resource-intensive and focused on detecting and responding <strong>after<\/strong> they have been breached.<\/p>\n<p>The use of <strong>automated procedures and techniques<\/strong> in an <strong>integrated platform approach<\/strong> can reduce your workload and give you better visibility of potential attackers. This is the capability of <strong>next-generation technology<\/strong> and helps an organization to securely manage traffic coming into the network, so that critical business functions can go on uninterrupted. This is a big step toward <strong>prevention<\/strong> and <strong>state-of-the-art cybersecurity<\/strong>.<\/p>\n<h4>CONCLUSION:<\/h4>\n<p>Imperative #3 is about changing our approach:<\/p>\n<ol>\n<li>From a threat focus on known signatures to suspicious techniques and <strong>making unknown signatures known rapidly<\/strong>.<\/li>\n<li>From a policy and strategy focus on detection and response to <strong>prevention first<\/strong>.<\/li>\n<li>From an architectural structure focus on retrofitted legacy point solutions that don\u2019t communicate effectively or efficiently to a <strong>natively integrated platform<\/strong>.<\/li>\n<li>From a procedure\/technique focus on human-based manual action to <strong>automated action<\/strong>.<\/li>\n<\/ol>\n<p>Taken together, these four different factors represent an imperative for future change if we want our cybersecurity efforts to be successful in the digital age, so that we can continue to place our trust in the digital environment while more effectively managing the growing risks associated with that same environment.<\/p>\n<p>The final blog in this series will be about the tremendous advantage that the 
cybersecurity community can gain by leveraging a strong team approach and building effective partnerships because, in today\u2019s advanced threat environment, you simply cannot go it alone and be successful.<\/p>\n<p><em>Written by John A. Davis, Major General (Retired) United States Army,\u00a0and Vice President and Federal Chief Security Officer (CSO) for Palo Alto Networks<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, &hellip;<\/p>\n","protected":false},"author":152,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[89,1766,155],"tags":[1771],"coauthors":[1503],"class_list":["post-12928","post","type-post","status-publish","format-standard","hentry","category-ciociso","category-cso-perspective","category-cybersecurity-2","tag-imperatives-for-cybersecurity-success"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/12928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/152"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=12928"}],"version-history":[{"count":5,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/12928\/revisions"}],"predecessor-version":[{"id":12936,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/12928\/re
visions\/12936"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=12928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=12928"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=12928"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=12928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}