This week Islington’s Business Design Centre played host to the World Cybersecurity Congress 2017. With a schedule packed full of interesting sessions and discussions from speakers from a variety of different sectors and specialties, I headed over to North London to see what day one of the show had to offer.
Kicking things off was an engaging opening keynote presentation which explored current cybersecurity trends and frameworks, looking at what we are doing now and, more tellingly, what we are not getting right.
In this session the audience was given a definition of what cyber actually is: cyber is not just a compilation of all the latest technology, but the binding of technology, people and process. A nice example given was that of the code breaking carried out by Alan Turing and his team at Bletchley Park during World War II. Turing knew the technology of the German Enigma scrambling machine was sound and perhaps impossible to crack, so he decided to attack the people operating the machine, unearthing certain flaws in how it was used, and then carried out what we would today call phishing attacks to find weaknesses to exploit.
Another interesting argument made was that, in cyber, technology is merely the pacing function, and there are some other key trends going on that we need to consider. The first is that cyberspace has wiped out our traditional sense of what geography is, or once was, yet cyber jurisdictions are still based on that ‘old’ sense of geography. Next is the internet’s creation of a new social order, whereby individuals (friendly or malicious) can interact like never before – physical proximity means far less now. Thirdly, cyber proves that disparity continues to exist in the world, and lastly, geopolitics plays an ever-growing role in the cyber-world.
So how are we doing with our cyber-defense frameworks? Well, it appears not too well. We are still defending the wrong things (the perimeter), at the wrong time (responding after the event), and blaming the wrong people (boards turn to technologists to fix the problem).
Not all that encouraging, but there are things we can do! The audience was urged to make the systems they deploy defensible, to then focus on actually defending those systems with operations, agility and investment in the human, and to exercise all instruments of power.
Following this opening session was a panel discussion on cybercrime and its impact on the economy – with a focus on what role we can all play to defend against it.
Some interesting views were shared here, not least regarding whether or not there is a need for government to regulate the IT industry.
Opinions were slightly mixed on this, with one panelist recognizing the importance, from a government perspective, of implementing the right regulation, whilst others questioned whether regulating the IT industry is even a realistic possibility. Reasons for the latter were the capacity of regulation to hamper innovation, the challenge of finding the right, skilled people to assess and enforce it in an industry already struggling with a big skills shortage, whether IT regulation could ever be prescriptive enough for such a diverse and demanding industry, and that there are simply far too many aspects to control.
Closing arguments were that we all have a responsibility to do the best we can not to put vulnerable code out on our systems, and that it is far more likely that the software market will become self-regulated, whereby we purchase the best services from the most reputable vendors, much like choosing a certain car brand over a lesser name.
Next up was a session exploring the new era of cyber-defense and the shift to self-learning, self-defending networks.
This intriguing presentation discussed the ways in which the threat landscape is evolving and how there is now a need for companies to adopt an enterprise ‘immune system’ defense model which operates much like the immune system of the human body.
The audience learned that the threat landscape is changing rapidly, and that far more complex attacks are using AI and their own machine learning to penetrate organizations, while defenders rely on legacy security tools that are constantly outpaced.
So, it appears it’s now time to turn to the human body. Well, not literally, but what’s interesting about the human immune system is that it not only expects to be attacked by things it has never seen before, but is also able to self-learn and adapt to new threats, even without prior knowledge of them. By using an unsupervised machine learning approach you can apply some of those principles to a business’s security strategy, creating an enterprise immune system which truly understands an organization by autonomously learning in real time, finding the threats that get through with full visibility and then using mathematics to quantify those risks, allowing the company to have a better understanding of everything within the network.
To conclude, spotting unusual behavior requires us to learn patterns of life, particularly with our users and our systems, and by doing that we can gain a richer view of what’s going on.
Lastly came a session for CISOs on how business alignment can help secure cybersecurity budget objectives.
It was explained that the problems CISOs often face in getting access to the funds they need are that quantifying risk to business processes is challenging, it’s difficult to enumerate security spending, stating exactly how much security you need is tough, and knowing whether you’re spending on the right things can be hard.
The key to overcoming these problems is making our security frameworks consistent, repeatable and measurable over time, by knowing our current state and by defining a target state for the future.
It also involves a solid understanding of the business, which allows security leaders to tie in what they are doing and what they want to achieve with the important business processes that the board resonates with. Likewise, defining your strategy by distilling clear strategic security priorities and communicating them is invaluable.
A take-home message was that the board needs to and should care about security; it’s every bit as much their responsibility as the security leader’s, but it’s the CISO’s job to make them aware of that.
As you can see, there was plenty to ponder from a busy day at the World Cybersecurity Congress 2017, with some really interesting topics, themes and issues explored.