In next-gen cyberattacks and vulnerabilities, you’re fighting the unknown. Building a catalog of trusted behavior, used as a baseline to determine what falls outside normal business variance, is one strategy for changing the paradigm of response. CRITICALSTART’s Jordan Mauriello and Michael Balboni, former advisor to Homeland Security and President of Redland Strategies, talk about trusted behavior and evolving strategies.
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is, and he has had a major impact even on some of the legislation that we’ve seen around our industry as well. We want to take the time to get some thoughts from him on the direction the industry’s going, the impact that some of the changes we see in cyber in general are having on national defense, the role of the Senate and Congress, and where that’s going from a legislative perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
MB: Thanks for having me, Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
MB: Maybe we need to change the whole paradigm of how we look at threats. Are we looking for the bad, or should we look at behavior in a trusted kind of way? And maybe build a database, a registry, if you will, to be able to catalog what the normal course of business operations is that we know is trusted behavior, and maybe create that baseline so that if there’s a variance from it, we can instantly go and say, “Whoa, that’s what we have to take a look at,” and everything else, you push it back and say, “No, no. Not coming in.” I think that might change the paradigm of response. I’m really interested in that strategy.
JM: Obviously, we agree with you on that one fundamentally, as it’s part of our model even here: we’re working off of a model where you’re building a trusted behavioral registry. I think that’s a paradigm shift that the industry has to seize. We constantly play this game where we’re chasing the known bad and always looking for how to identify bad with a higher-fidelity mechanism, or to add more detail and enrichment to known bad, so that we can find it in this massive sea that we talked about earlier.
JM: It’s not working for a couple of reasons. You just talked about the attacker advantage. The attacker advantage is they only have to be right one time, right? We only have to be wrong one time to lose. The expectation that we would hit 100% as defenders is unrealistic. That’s why we have to have that resiliency. I think that’s why the model, the paradigm for analytics, for how we look at data in security, has to be shifted so dramatically, because we are not catching up. We’re definitely falling behind when it comes to that mechanism.
MB: We’re really obsessed with the infrastructure of security and we’re not data-centric. It goes back to your original comment about how we triage what we need to protect. You don’t need to protect everything. No, you don’t. I’m not saying that you should tolerate intrusions, tolerate breaches, but you should at the very least focus all of your efforts on protecting the main point of your company, your business, the people you serve, which is their data and the data you have as your company.
MB: From that perspective, we’ve got to be able to stop anything from getting into that environment. The question becomes “How do we do that effectively, timely?” One of the things that really gets me crazy is when I hear about the dwell time stories, that is the amount of time that malware will sit on a network before it’s discovered and addressed. In that time, so much damage can be done.
MB: As we talked about beforehand, surveilling the network for vulnerabilities, surveilling the network for assets that you might want to raise up in terms of their profile, we want to go get this stuff, and then being able to use it, to recognize other avenues to get into other networks. A lot of times, what we’re seeing now is that one of the attacks that will be used is to take a network and make it into a bot network, and basically commandeer that network and say, “Okay, now we’re going to use it and we’re going to attack others,” and then you send a note to the network administrator saying, “By the way, we’ve compromised your network. We’re going to use your network to attack others unless you pay this amount of ransom.”
JM: There’s no lack of invention or creativity in the development of different threat factors, but there is a lack of imagination when it comes to how we prevent those things from happening, because we’re stuck in this defense, this castle-keep type of mentality.
JM: I completely agree and I think you’re right. You see all these different creative mechanisms in the attack. You’ve talked about turning it into a botnet, whether that’s for attack or even for what we call crypto-jacking today. They’re going to take those systems and use the computing resources to mine cryptocurrency. We have all these creative mechanisms. Again, getting back to monetizing that threat. I think the dwell time remarks are dead on. I think some of the reports we’ve seen from some of the big players doing threat intelligence in our space are a scathing analysis of our industry’s capability when we’re looking at dwell times in excess of 45, 80, 120 days as averages in different sectors in our industry.
JM: You definitely see this massive difference in organizations and capability, and there’s not a standard, set maturity level.