Most people in technology agree that cyberthreats will be one of the biggest dangers we face in the coming years. In our increasingly-connected world, we’re more vulnerable than ever before and the threat of one bad actor taking out an entire power grid or critical network system is real. Retired Army Major General John Davis knows this better than most. While leading a task force responsible for directing the operations and defense of the DOD networks, the U.S. was hit with a cyberattack that infected a number of critical networks. John had to lead the charge against the malicious code, and he believes the event was a key factor in the creation of U.S. Cyber Command, which John served as a director of.
Today, John is the Chief Security officer for the Federal Sector of Palo Alto Networks, and he spends his time telling the story of that attack to illustrate the need for enhanced cybersecurity everywhere. On this episode of IT Visionaries, John discusses how he dealt with the attack, the ways cybersecurity has changed, and why the way forward is with a prevention mindset.
Best Advice: “Learn to speak the language of business and risk management rather than the language of technology.”
Key Takeaways:
- The security landscape today
- Building transparency and clarity
- John’s first-hand experience stopping cyber attacks against America
- Advice on how to improve your security
What does the security landscape look like?
Some people have called this the fourth industrial revolution. The digital environment provides us opportunities and there’s no stopping it. We’re on a path with no u-turns. We’re connecting everyone and everything in the digital environment, which makes us more dependant on those connections. That makes us increasingly vulnerable. The risk isn’t that the scale will increase, but the impact of the vulnerabilities will become more dangerous. We’re increasingly connecting life-saving devices, power grids and just about everything else to each other or to the cloud, so we need to secure it. John emphasizes that it’s not just about the loss of personal information anymore. National security, economic viability and public safety are becoming at risk and there is a possibility that people can lose their lives. And one of the main hurdles that needs to be overcome is that the average consumer is still late to understand this. Until they are impacted by this in a meaningful way, they’ll stay behind in their understanding of the risks.
“As we are all increasingly connecting nearly everyone and everything in the digital environment, we are increasingly dependent on it for everything that we do, including our personal and public safety, our economic competitiveness, even our national and international security. As a result of this path that we’re on, we’re also increasingly vulnerable. And as we connect everyone and everything, the risks aren’t just that the scale is going to increase.”
How to create transparency and clarity
Most of the risks can be known, and John believes that is part of his job. You have to put things in meaningful terms that are not super technical. It’s possible to explain the risks and security landscape in a way that everyone can understand.
John’s last decade in the military was in cyber science, so he has an understanding of how cyber threats operate. He also learned how to explain that in an understandable way. He also discovered that a lot of attacks are totally preventable if you follow a few steps and rely on some of the innovations that have occurred. When you’re too late, you’re playing catch-up and you have to figure out how to clean up the mess. You should have a prevention mindset instead, which means you have to understand the attacks on a deeper level in order to successfully implement a preventative mindset.
When it comes to business or enterprise, everyone has a role to play. It’s not just about what the company does or what individual employees do to prevent attacks. Everyone has to do their part and even if they do, a determined threat or bad actor will still find a way to get in. When that happens, you have to make sure that when something gets in, there’s a process to stop it before severe damage is done.
John explains that attacks follow a similar pattern that involves, recon, probing, development of a delivery mechanism, there’s a weaponization process, an exploitation of a vulnerability in an environment, the installation of malicious code, the establishment of a control channel, which leads to escalating privileged access and then lateral movement to get to the part of the network you want to be in to achieve your end goal. It’s a time-consuming process if you want to be stealthy, but new technology like machine learning and automation, are contributing to threats happening faster. And, if you can detect the threat at some point during the process, you can stop them.
Things people can do to protect themselves: You have to be suspicious of emails. Treat your screen like you would someone random coming to your front door. Use different passwords and use multi-factor authentication.
“I’m talking about being suspicious of emails. You know, like you would be suspicious of anybody who shows up at your front door before you let him in — treat your screen the same way. [You should be] updating patches, making sure you have strong passwords, making sure you’re using multi-factor authentication. There are a lot of things that every single person, regardless of whether you’re in a military organization or in a business or just at home, a lot of things that everybody can do just to really prevent most everything that we’re seeing.”
Who are the stakeholders John works with?
Normally with Palo Alto Networks, John is working with the CIO and CISO crowd. But John has worked with everyone in the C-suite. In the military, it’s commanders, cybersecurity teams, and officers.
There is a long list of things these folks are worried about, and a common problem many of them had is fighting for the budget to get the people, technology, and processes in place for their organizations. Some also worry about how to measure risk. Boards don’t want to hear the technospeak about cybersecurity. Instead, all they want to know is the level of risk the company is facing, how much risk is acceptable, and the options to mitigate the risks. Then they want metrics to show that the way they’re investing money to mitigate risk is working.
First-hand experience with cyber attacks
In 2008, John was a one-star general assigned to lead a task force responsible for directing the operations and defense of the DOD networks. About a month into the job, John got a call that there was malicious code in some very serious networks. In order to deal with this situation, John implemented Operation Buckshot Yankee to identify where the code was and to make sure no sensitive information was lifted from the networks. Soon after this attack, U.S. Cyber Command was created and in 2010, John was named the first director of current operations of the command. In the same way that the government tried to unify the process of dealing with cyber attacks, John wants other companies and organizations to try to find a way to unify their processes and find a balance between interest groups within the organizations.
“It was a near catastrophe for the military. And in my view, that was the event that it was like the straw that broke the camel’s back in the decision to create U.S. Cyber command….As a result of a near catastrophe, senior leadership realized the consequence of the failed organizational structure and model that we had in 2008, and made the decision to bring together the people who operate the network, the people who defend the network, the intelligence that supports them as well as the ability to provide cyber capabilities to integrate offensively along with every other military capability, air, maritime land capabilities. So that was a pretty big life-altering example to me of this realization that we better get our act together. What happened was we put the integrity of our classified networks at risk, which would have caused severe national security consequences.”
“We brought together the offense, the defense, the operations of the network and the intelligence. Now we were able to do a much better job of the offense informing the defense and vice versa. So we could really, as defenders, we could really understand this attack process and, and the different types of techniques that could be used.”
Advice for those looking to improve their security
John usually tells real-world war stories like the Buckshot Yankee example in order to illustrate just how serious cybersecurity is. He buckets best practices into four categories.
1) Basics matter: This includes using strong passwords, being suspicious, etc.
2) Having the Right Mindset: We’ve lived in a model of detecting and responding after the fact. That needs to shift to a focus on prevention.
3) Use Software: We’ve been fighting machines with humans. The threat has gotten good at leveraging automation and software-based analytics. We need to leverage that too with tools like machine learning.
4) Understand how threats operate.
“If you get people to understand the basics, I think you can prevent 80 to 90% of what we’re seeing happening around the world today.”
“You have to wrap this thing in an overall context of consistent and continuous visibility and security controls across all those pieces of the environment. If it’s not consistent security and visibility, then you’re looking through a soda straw at different parts of your enterprise environment and you’re trying to piece all that together. And that usually overwhelms the security teams that are trying to figure out what’s going on in their environment. If you take the approach of consistent and continuous visibility and security controls across all those different parts of a very complex environment these days, then you’re able to more consistently use those buckets and it gives you the opportunity to catch a breach before it’s successful.”
Tools can help with security
According to John, humans are one of the most vulnerable factors of the security process. You don’t have to replace humans, but you can augment their work and create a more reliable and sustainable system if you use technology and specific tools built to detect and prevent attacks.
“Organizations like mine, we see the trend that’s happening now is really good cybersecurity organizations figure out how to do [cybersecurity] for you so that you come in with an integrated platform, an integrated suite of products that are all designed from the beginning to connect with and inform and work with one another rather than relying on the security team to go figure out how to do all that.”
Mentions:
Palo Alto Networks Federal Ignite 2019, a security conference for the future, brings together leading cybersecurity professionals and government officials for panels and keynotes on Next-Generation security priorities along with hands-on training, best practices and new innovations on Thursday, October 10, and Friday, October 11, in Washington, D.C. Register at ignitefed.paloaltonetworks.com.