Infosec Evolution Mimics Immune SystemSpotting Abnormal Behavior Automatically Without Need for Signatures
"Machines don't have time to understand ... actually they're not event smart. What machines are is fast. ... That's something a human can't do, but that's something that a machine must do to reject a piece of traffic," Phyllis Schneck, McAfee chief technology officer/public sector of security provider McAfee, says in an interview with GovInfoSecurity.com (transcript below).
"Concurrently," she says, "humans can look at this data, whether it is in pictures or numbers, and do investigations similar to what you might consider would happen in the physical infrastructure. We can map out and visualize where certain malicious connections have been made. We can tie machines together and identify, for example, what might make up a botnet. We can then use that to make better algorithms and heuristics that go back to those machines that go back to the data."
In the interview, Schneck discusses the evolution of IT security technology, and what types of wares are in the pipeline to safeguard organizations' digital assets. She says IT security technology is evolving to emulate a healthy human body with a strong immune system to battle infections routinely, perhaps inconspicuously.
"Just as your body defends against thousands of colds every year and you only maybe only get one, that's what these systems are designed to do: push off the enemy and push off malicious traffic, without it having to have a name, and certainly without it having to have a signature, just understanding what is good or legitimate and what is not well intended or not needed and being able to defend against that and get smarter as you do so," she says.
Having their various components interact with each other, Schneck says, the evolving infosec tools are having intelligence built in to recognize abnormal behavior within IT systems.
"The trend is to have more systems to rely more heavily on intelligence," Schneck says. "Signatures are not going to be the way of the future because we don't have time to put a name or a pattern on enemy behaviors and pass it out and block it. We really need to understand what that behavior is because they're faster than we are; they're stronger than we are. They don't have competitive boundaries, so it doesn't take them any time, reason, process or law to inflict bad things on us, and we have to respond in real time."
Schneck, in the interview, also addresses
- Why chief financial officers and other business leaders must become engaged with IT security;
- The growing importance of understanding situational awareness in defending IT systems; and
- Government agencies and other organizations moving toward continuous monitoring and away from check-box compliance.
Before being named CTO/public sector at McAfee, Schneck served as the company's vice president of threat intelligence. Schneck served as a commissioner and working group co-chair for the Commission on Cybersecurity for the 44th Presidency and for eight years as chair of the National Board of Directors of the FBI's InfraGard program.
According to her biography, Schneck holds three patents in high-performance and adaptive information security, and has six research publications in the areas of information security, real-time systems, telecom and software engineering. Before joining McAfee, she served as vice president of research integration at Secure Computing. Schneck holds a Ph.D. in computer science from Georgia Tech where she pioneered the field of information security and security-based high-performance computing.
Schneck was interviewed by GovInfoSecurity.com Executive Editor Eric Chabrow.
ERIC CHABROW: What are the threats organizations, such as governments, banks, healthcare providers and others will be dealing with in the next few years, and what are the challenges of not only identifying those threats, but developing solutions to combat them.
PHYLLIS SCHNECK: To look at what some of the challenges are, we face a very, very strong enemy, an enemy that knows no boundaries, an enemy that doesn't worry about civil liberties. They work very well and quickly, swiftly, with their governments, often government-sanctioned, and they are very, very smart, so they are able to do very malicious things very quickly, organized, elaborate threats. We've never seen an enemy like this before, on air, land and sea. It was never this quick. This is literally at the speed of light.
And, now that we look at protecting the cyberfront, we at McAfee believe, within our community that the solutions we provide need to be interlocked, meaning that to combat this enemy, all our products and capabilities and solutions need to talk to each other. They need to have a situational awareness that understands activity in all kinds of realms of cyber, from literally volumes of traffic to types of traffic all over the world, so that we can see, just like your body reacts to the immune system, we can use a form of global threat intelligence, to understand where this enemy is, and how to best protect every customer and every infrastructure in real time. We believe that some of these challenges can be met by working with an interlocked solution that is able to blanket infrastructures and become more aware. We know that this enemy is never going to be 100 percent predictable, and to be aware of activities all over different parts of infrastructures, because part of security is the ability to bounce back, and we believe very strongly that the combination of interlocked solutions and global threat intelligence will take this enemy out.
CHABROW: For a chief information security officer, a CISO, in six months or a couple of years from now, what kind of technologies will they need to be able to attack that? What are the technologies to help get a better understanding of the situation awareness, and handle it?
SCHNECK: We already do a lot of this today. You know, we started with our EPO, which basically enables all new data and understanding for the products that are protecting you right now, to be viewed on a single console, as well as opening that up to over a hundred different partners, so that data from their products and monitoring, as well, can be viewed through that. This enables a CISO and their team to immediately, in one chat, see everything that affects, you know, in and around their perimeter, as well as internal to their network. What might be different, because really today, a larger challenge is not so much this botnet culture, which we can detect fairly easily, and actually prevent, it's this advanced persistent threat. And, I know that term has been overused, but what it really means is a very sanctioned, targeted and elaborate by nature threat, targeted to specific either people, companies, intellectual property, even countries, with either a financial or political interest.
And, the way to detect that - right now, they hide in the noise - but the two really strong things that have to happen to be able to detect that is, number one, we move some of the noise, which we do right now, with our products, but No. 2, understand that you have to show a CISO all in one view, an understanding, a situational awareness, if you will, of their network, and things that are applicable to their network, so how is the behavior on different networks, but that are also, for example, in the financial sector, or also in the energy sector.
Give these folks the opportunity to focus their brains and their teams on what might be different in that picture, on the really hard problems, and what these products are doing now, we mentioned Interlock, your intruder prevention can speak with your firewall, to some extent, with your gateway, with your mail security, with your web down to your end point, provide that situational awareness to, number one, remove the noise, so that some of this denial of service and virus activity, which is basically silly, and we can remove that, and No. 2, provide a structured situational awareness, like a dashboard, or a head-up display on an airplane that are actually in some sports cars, where while you're driving 100 miles an hour, or flying 300 miles an hour, you can get a better understanding of what's around you, and that will improve your performance and keep you safe.
CHABROW: When you deal with these new approaches, within your customers, your organizations, are you still basically dealing with their technology people or their CISOs, or there different responsibilities within organizations, to assure this kind of protection?
SCHNECK: That's a great question because we have learned over the past decade, I think, as a community, that one of the key advantages our adversaries have over us is that as humans in business, we tend not to communicate so well. And one of the things that we at McAfee have learned, and are helping to do is bridge this traditional gap between the information security side, and the other parts of a company or utility that might support electronic systems, for example, industrial control systems, and there's a popular word, SCADA, the subset of that - supervisory control and data acquisitions. We need those two sets of teams to be talking, because those systems now are connected. We have connected the systems that, for example, regulate the amount of electricity that goes into certain areas, or circuit relay open and close, even water amounts that go into components of the nuclear facility. We need those people with that expertise that run those systems, to finally be communicating with the people that run IT systems. We've connected those industrial control systems that control physical kinetic infrastructure to IP-based, Internet-protocol systems, that bring with them all the vulnerabilities that we've talked about on our Internet.
In order to really protect critical infrastructure, and systems that aren't typically IT that are now connected for efficiency, we need to get those two teams talking. We also try to get the information security teams talking with the chief financial officer, or one of their teams, because typically, you want your security budget to be strong enough to support your investment that will enable you and sustain you to build a resilient infrastructure forward. And, sometimes those budgets are just low enough that they can't afford to buy what they really need, and just high enough that they have to go buy something. What you find is, if companies are investing in what I'll call mediocre security infrastructure, they have to keep spending that money over and over every year. Whereas, if we can present a business case, on the money you actually save, and remain connected and protected, you want that triad of the financial side, the information security and traditional IT side, and the applicable infrastructures, the folks that run the electronic communication systems. And, we think that communication is very important, because security has to be a business enabler at the same time as we fight this giant adversary.
CHABROW: I'll shift a little bit to the government side. One of the big challenges facing federal government agencies is a move to continuous monitoring of IT systems, as directives from the White House and legislation before Congress shifts away from the checkbox approach of compliance required under the Federal Information Security Management Act, or FISMA. What other types of tools will McAfee and others be developing to help, not only government agencies, but others, to improve continuous monitoring of IT systems, to protect against vulnerabilities?
SCHNECK: Let me answer that question, if I may, in two parts. One is to address the compliance side. The biggest problems in the field of compliance today is that you can be compliant and not be secure. We would like to see more effort put toward whatever standards and rules were to come out, to make sure that those standards and regulations or legislation enable innovation, but they're not so narrowly pointed that you can't get better products in there, and that they are not so overly prescriptive that they actually inhibit the innovation that would not only develop better security, but motivate you to buy better security now. It's a very fine line. There are a lot of big brains working on that, but it's a big challenge, because you want to make sure, if you do put standards in place, that they, in the long run, enable innovation, and they don't put you in a box, where to your point, you check a box, and say, "Hey, I'm compliant." The thing is, the adversary loves this, because they know exactly where the other holes are, and all we have to do to remain compliant is plug this certain number. We want to fix that.
The second part is, you know, what can we do with continuous monitoring, and what do we need to do forward. You may or may not be familiar with the HBSS (host-based security system) contract that McAfee has with the DOD. This is a fascinating solution to what I will call a national and global security problem. You have the ability now, with HBSS, to have a large footprint of technologies that, although they were coded independently, so you have built in redundancy, coded independently with different code bases within the company, worldwide, you also have the advantage that these technologies talk to each other, so they are communicating, and that's where you get your global threat intelligence. They are communicating with each other what they are seeing on different parts of the network, and they can combine that with intelligence that we provide, just pushed in from the outside, and what we are seeing, sort of, on the rest of the weather map. You can build on that. It gives you the opportunity to really expand that footprint and expand that intelligence, and plug the holes where the intruder might try to go. But, also, use that to build the intelligence, like a little ecosystem, if you will, or a cyber immune system. The longer it runs the way that it is, the smarter it gets about your network, and certainly the delta between any common behavior and what you might be seeing at any moment.
You want to build out this infrastructure, as we have done with HBSS, you know, and even more so across other parts of the government, so that you have created an almost biological system, where every millisecond when one component protects something, or sees something, all of those other McAfee components are now privy to that information, that are protecting that network. Just like your body defends against thousands of colds every year, and you only maybe get one, that's what these systems are designed to do, to push off the enemy, and push off malicious traffic, without it having to have a name, and certainly without it having to have a signature. Just understanding what's good, or legitimate, and what is not well-intended or not needed, and being able to defend against that, and get smarter as you do so. And, the more we can build on that HBSS footprint, the stronger we get. Again, we want to take out that enemy.
CHABROW: Are security systems today moving into the future, becoming more intelligent, as you characterize it, as biological systems?
SCHNECK: I believe that they are. I do know that we led this space, in terms of bringing out global threat intelligence, and this goes back to 15 years, when McAfee's first system, which at that time was Artemis, was able to understand, literally, tagged malware, by making a hash of it, and knew where it was on the planet at a given time, and who was distributing it. The trend is for more systems to rely more heavily on intelligence. Signatures just are not going to be the way of the future, because we don't have time to put a name and a pattern on enemy behaviors and then pass it out and block it. We really need to now understand what that behavior is, because they are faster than we are, they are stronger than we are. They don't have competitive boundaries. So, it doesn't take them any time, reason, process or law, to inflict bad things on us. And, we have to respond in real time.
CHABROW: You mentioned about how these threats are almost instantaneous, and they come about unexpectedly, and you have to be prepared for that. How important is it for a company like yours to understand the enemy, so that you can build products, or is that something that is really not important anymore, you just know that some bad things are happening, and you just have to figure the best way to deal with the bad stuff.
SCHNECK: I believe, strongly, that people are working, and need to understand the enemy. At McAfee, it is in our culture to be passionate about protecting our customers, and to protect people, and physical infrastructure, you have to understand what that threat is. That is why we, what that investigation that brought out the Aurora attack, the one that was publicized by Google with the Chinese.
But, machines don't have time to understand. Machines don't actually, they're not even smart. What machines are is fast. We use machines to calculate, literally, terabytes of data to make a decision in a millisecond. That's something a human can't do, but that's something that a machine must do to reject a piece of traffic. Because a machine lacks a human brain, to make a sort of cognitive correlation, if you will, on where that traffic has been, and who is bringing it in, and what the risk probability is of accepting it, the machine analyzes a lot of data, and then provides its results back, with speed.
Concurrently, humans can look at this data, whether it is in pictures or numbers, and do investigations similar to what you might consider would happen in the physical infrastructure. We can map out and visualize where certain malicious connections have been made. We can tie machines together and identify, for example, what might make up a botnet. We can then use that to make better algorithms and heuristics that go back to those machines that go back to the data. So, it really is two-fold. We also, at McAfee, have a tremendous effort. We work a lot with government and private sector, and also, it is very important with law enforcement. I chair the National Cyberfront Training Alliance, which is a 501(c)(3) nonprofit based in Pittsburgh, that brings companies together to bring the people, the analysis capability, some data, and agents of different agencies, whether it is the FBI or some others, as well as folks from the banking sector, energy, telecom, to bring under one roof some of that analysis, so that the humans can get a better understanding of the actual enemy. We also have people who work internationally with our government and law enforcement, to understand how that threat travels. All that goes back into the heuristics that work in real time, in milliseconds.