Steve Grobman, senior VP and CTO, McAfee, talks about how to maximise the effectiveness of defense technologies and thwart the evasion techniques of bad actors.
McAfee’s latest threat report says bad guys are also leveraging new tech such as AI to evade detection. How can we deal with this challenge?
This is a problem the industry has had for decades – attackers building tools and changing them enough to evade the existing software. Now, our approach is different. Because we are able to update things like threat intelligence when there is an attack and even if it’s successful once, we are able to quickly add defensive capabilities for it. One of the challenges with solutions exclusively focused on machine learning is that they need additional training or need to look for new threat vectors. We use multiple technologies to defend against that kind of scenario.
Is it a good idea to automate security operations and how important is the human factor?
Yes, you need the human element, especially in organisations that are likely to be targeted. What I am alluding to is clearly we need to defend consumers and it is very difficult to get consumers to understand the nuances of security. But, organisations need to work with technology to optimise it for their environments and look for new threat scenarios that are potentially unique to them.
Is it time to plan to fail and limit the damage?
I think it’s important to understand there are different levels of a breach and every organization has a risk curve. What I mean by that is every enterprise is going to have a high probability of a small breach. When I think about cybersecurity, the objective is not to eliminate risks but to understand what are the actions you can take to lower risks.
Do you advocate a zero-trust security model?
Models are good for thought process but it’s important not to be beholden to a particular model – understanding the unique requirements of an organization is more critical. I will give you an example of my own internal security group at McAfee and our CISO works for me. His previous job was in an energy company. Now, if you look at the two companies, McAfee is a high-tech engineering company compared to the highly regulated nuclear energy company where he was working before. The way you think about running those two environments is very different. There is no one right answer because it is very situational and if you ask me, thinking about risk as a spectrum of impact is one of the most important things you can do.
Can AI and machine learning help us to find the needle in a needle stack?
To a large degree, yes. But, part of the problem is that there is a massive amount of data and finding the right data is what really matters. Even with AI and ML, we get many potential candidate situations that are malicious. Let me give you an example of behavioural analytics, which is a hot topic today. One of the classic examples given is that an employee typically works from 8-5 and all of a sudden there is a spike of them doing something at 3 in the morning, which raises the flag. What if that was the day when their boss called them for some report that is required urgently and they were working at that hour? There are a lot of false positives in security and I do think we have good data science tools at our disposal to manage this problem.
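The 3 a.m. scenario above is a baseline-deviation alert, and the false positive comes from treating one weak signal (unusual hour) as if it were proof of compromise. The following added example, which is not code from the interview or from McAfee, builds a per-user baseline from constructed activity records and then scores new events by how many independent anomalies line up: unusual hour, never-seen source host, and a sensitive action. The 5% hour-share threshold, the user name, hosts, and the list of sensitive actions are all hypothetical; a single anomaly is queued for review rather than paged out, while a stack of anomalies is escalated.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    host: str    # device or source the activity came from
    action: str  # what was done


# Hypothetical list of actions that warrant extra scrutiny on their own.
SENSITIVE_ACTIONS = {"export_bulk_data", "disable_logging", "add_admin"}


def constructed_history(user="alice", days=28):
    """Constructed sample history: a user active 08:00-16:59 on weekdays
    from a single laptop. Stands in for weeks of real authentication logs."""
    events = []
    start = datetime(2024, 1, 1)  # a Monday
    for i in range(days):
        day = start + timedelta(days=i)
        if day.weekday() >= 5:  # skip weekends
            continue
        for hour in range(8, 17):
            events.append(Event(user, day.replace(hour=hour), f"{user}-laptop", "open_report"))
    return events


def build_profile(history, min_hour_share=0.05):
    """Per-user baseline: hours of day that carry at least min_hour_share of
    all observed activity, plus every host the user has been seen from."""
    hours = Counter(e.ts.hour for e in history)
    total = sum(hours.values())
    return {
        "hours": {h for h, n in hours.items() if n / total >= min_hour_share},
        "hosts": {e.host for e in history},
    }


def assess(event, profile):
    """Return (severity, reasons) for one new event.

    Each independent anomaly adds one reason. One reason alone is 'low'
    (review queue, no page), because the urgent-report-at-3am case is exactly
    one weak signal. Two or more corroborating anomalies escalate to 'high'."""
    reasons = []
    if event.ts.hour not in profile["hours"]:
        reasons.append("outside usual hours")
    if event.host not in profile["hosts"]:
        reasons.append("never-seen host")
    if event.action in SENSITIVE_ACTIONS:
        reasons.append("sensitive action")
    severity = {0: "none", 1: "low"}.get(len(reasons), "high")
    return severity, reasons


def triage(events, profile):
    """Group incoming events by severity so analysts see 'high' first."""
    buckets = {"none": [], "low": [], "high": []}
    for e in events:
        severity, _ = assess(e, profile)
        buckets[severity].append(e)
    return buckets


if __name__ == "__main__":
    profile = build_profile(constructed_history())
    night = datetime(2024, 2, 6, 3, 0)
    # Constructed new events: the boss-asked-for-a-report case, and a genuinely
    # suspicious one from an unknown source doing a sensitive action.
    late_report = Event("alice", night, "alice-laptop", "open_report")
    suspicious = Event("alice", night, "unknown-vps", "export_bulk_data")
    for ev in (late_report, suspicious):
        print(ev.host, ev.action, assess(ev, profile))
```

The design point is that the hour-of-day model is kept, since it is cheap and useful, but it is only allowed to raise severity on its own as far as a review queue; paging requires corroboration from signals the model does not share, such as an unfamiliar source or a privileged action.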
We have seen a surge in DDoS attacks lately. Why aren’t we able to prevent this type of attack?
I would say DoS attacks with DDoS being one variant. Doing harm to an organization is something we are seeing new variants of. We have all these disk wipers and ransomware campaigns that hold systems to ransom as opposed to data. It is always easy to detect malicious activity but denial of service or disruption to a system is a difficult category to react to.