CTO Reflections: Beyond the Appliance
By: Michael Xie, Founder, President and CTO, Fortinet
For anyone reading the news regularly, it’s not hard to grasp that cyber threats are getting more sophisticated and damaging by the day. From a security technology provider’s perspective, I can add that tackling them is a fast-mounting challenge for the millions of businesses that come under attack daily.
Modern cybersecurity technologies – assuming you have already put in place the right professionals, policies and processes – are a must, but organizations deploying them need to look beyond the boxes that sit on their racks.
What underpins the security appliances is invisible, but plays a pivotal role in ensuring that those boxes block the threats that imperil your business. Threat intelligence – or more specifically, the security appliances’ ability to know the ins and outs of the evolving threat landscape and respond to them appropriately – is the fuel that powers your cyber defences.
Getting timely, accurate and predictive threat intelligence is much tougher than it sounds. It calls for a robust R&D set-up, which comprises a few components:
- Divide and conquer − In many aspects of business, large teams equate to large outputs. When trying to outsmart well-motivated cybercriminals, however, following conventional wisdom seldom works well. In my experience, an effective threat research organisation should be made up of many small teams, with each team dedicated to a particular type of threat. Creating such research focus areas boosts each team’s specialization and competency − leading to faster discovery of threats, and the identification of more threats − while shortening customer response times to incidents.
- Stay fleet-footed − Threat research teams must be nimble. The threat landscape is highly dynamic, changing by the day, or even by the hour and minute. The teams must be able to adjust their priorities and refocus on the fly. At Fortinet, for instance, research plans are updated based on our projections of how the threat landscape will evolve. From the new directions identified, researchers with the most appropriate skill sets are selected to join specific task forces to delve into those emerging threats. Examples of such threats in recent times include IoT, ransomware and autonomous malware.
- See the big picture − Researchers must be encouraged to think big and pursue their own interests, even if those interests don’t have a direct link to the company’s products. Research on IoT vulnerabilities, for instance, can deepen an enterprise security provider’s understanding of the threat landscape.
- Hone your instincts − Research leaders must train their teams to develop the acumen to identify a threat as important before that fact becomes obvious to all. Good threat researchers, for instance, have been warning for years that IoT vulnerabilities are the next big menace − before the Mirai IoT botnet appeared last September and made it plain to the world. Threats emerge and evolve swiftly. If a security provider is slow to research and react to them, its customers will be slow to get protected.
- Amass data – The more data a threat research team has access to, the greater the potential of its research outcome. Enlightened research organizations share – not hoard – information. At Fortinet, for example, beyond tapping the 3 million sensors we have deployed around the globe, we actively exchange threat intelligence with organizations like INTERPOL, NATO, KISA and other security technology providers through the Cyber Threat Alliance. In recent months, we have also succeeded in bringing on board more government entities and carriers globally. That’s a positive development, as it helps all parties build a bigger threat database to monitor, block and trace malware back to its sources.
- Invest in research technology – The days of manually analyzing threat information have long passed us by. Effective research teams need advanced tools to interpret and correlate the reams of data coming through to them every second. While today we have Content Pattern Recognition Languages (CPRLs) to help identify thousands of current and future virus variants with a single signature, the future belongs to technologies like big data analytics and artificial intelligence. Soon, AI in cybersecurity will constantly adapt to the growing attack surface. Today, human beings are performing the relatively complex tasks of connecting the dots, sharing data and applying that data to systems. In future, a mature AI system will be able to automate many of these complex decisions on its own.
No matter how advanced AI becomes, however, full automation – or the passing of 100% of the control to machines to make all the decisions all the time – is not attainable. Human intervention will still be needed. Big data and analytics platforms allow malware progression to be predicted but not malware mutation. Only the human mind could have foreseen that ransomware like WannaCry would embed the National Security Agency’s vulnerability exploits to propagate on unpatched systems.
Malware evolution will intrinsically follow human evolution and how people blend new technologies into their everyday life. If in the coming years, for instance, self-driving cars and wearable IoT find widespread adoption, cybercriminals will – as they have always done – find ways to ride the wave and exploit those cars and devices. Likewise, cryptocurrencies, if they continue to find favor at the rate they gained momentum this year, will attract herds of hackers.
The concept of automation is opening up many new possibilities for cybercriminals, and turning up the heat on organizations. As hackers step up the amount of automation in their malware, attacks will not only come at organizations faster, they will also reduce the time between breach and impact, and learn to avoid detection. Increasingly, firms will need to respond in near real time − in a coordinated fashion across the distributed network ecosystem, from IoT to the cloud. Not many enterprises have the capability to do this today, and that’s something CIOs should start worrying about.