Chris Young is the general manager of the Intel Security Group at the Intel Corporation, where he leads the company’s security practice. Young sat down with The Cipher Brief to discuss the evolving nature of the cyber threat and what businesses can do to better protect themselves.
The Cipher Brief: The cyber threat is constantly evolving. How can companies stay ahead of the threat? How much cybersecurity is enough?
Chris Young: I don’t think most organizations feel like they’re ahead, so a lot of people would like to catch up to where they need to be. But your second question is actually, in some ways, instructive for what a lot of organizations are facing. Most companies don’t have good metrics to determine if they are secure enough, have spent enough on their security, have implemented enough controls, or if they have enough people to deal with cybersecurity problems. We’re in a relatively immature industry. If you compare us to law enforcement, counter-terrorism, or any other established defense industry or methodology, cybersecurity is relatively young. What I find often is that we still are trying to develop the right frameworks, the right standards – in some cases the right language – and certainly the right metrics. We need these to determine how much risk we are actually carrying and how good we are, in any given organization, at dealing with the problem.
Now, I do think that’s changing. For example, some of the things I talk to customers about are how fast they can find the threat and how fast they can respond. Those are some of the newer metrics that organizations are going to start to adopt as a way to get to the question that you asked at the beginning: “Am I good enough?”
TCB: Do you have any advice specific to small and medium sized enterprises? What would you say to companies that have limited resources but that are dealing with a threat on the same scale as those faced by large organizations?
CY: The good news is this – there are a lot of tools and technologies available in consumable ways for smaller companies. There are tools available in the cloud, for example. Whether you’re trying to protect your web gateways or your email gateways, there are a lot of cloud security services out there. For example, for small organizations that want to use cloud infrastructure, they can put their servers up in the cloud and protect them with our products.
My advice to smaller companies would be, if you have limited resources, take advantage of the scale and capabilities of the cloud because that will allow you to more easily layer in the right security pieces you need – as opposed to having to build up your whole IT infrastructure as well as all the security apparatus and run it yourself. You can outsource a lot of that – along with a good chunk of your IT infrastructure – if you’re leveraging newer ways of running IT, such as using the cloud.
TCB: Shifting briefly to cybercrime and cyber-espionage, the CEO of IBM recently said that cybercrime is “the greatest threat” to every company. How do you see that threat evolving, and do you have any specific advice to businesses in terms of mitigating that challenge?
CY: Here’s what I’m seeing. During the last five years we’ve cared about data breaches – people going after credit card and social security numbers, that sort of thing. Data breaches are becoming more targeted and personal in nature, and that is what we’re facing right now. But the evolution is pretty obvious to me. We’re going to be far more concerned about protecting assets going forward. This is especially true in the defense community.
We don’t have the reporting requirements for attacks on critical infrastructure today like we do for data breaches. Some people – who work in critical infrastructure environments – tell me breaches are happening there too. We just don’t have the disclosure laws like we do for data breaches, so we don’t hear about it as much in the media.
I think the next evolution after that is focused on physical safety. If I can run your car off the road because it’s connected to the internet, it’s a real issue we’re going to have to confront at some point as we look towards the future.
A lot of organizations ask, “What’s the risk that somebody is going to disrupt my organization?” That’s an asset question, and it’s going to become more and more important. The attackers are going to come in and use ransomware as a way to disrupt operations. They will make you pay to let you get back to business.
TCB: To what extent do you see cyber-espionage and cyber-crime as distinct entities? If you do a casual read of the news, the threat from state-sponsored actors – Russia, China, Iran – seems to be increasing. How should companies think about that threat as compared to the cyber-crime issue?
CY: There’s certainly overlap in some of the methodologies used to penetrate an organization and collect information. Although the actors might be similar, they are pursuing different goals.
The motivations behind espionage and cybercrime are fundamentally different. They are going to come from different groups and different types of organizations. I do think that any organization – public or private – has to think differently about crime and the motivations driving criminals versus nation states. It’s one of the reasons why, when you talk to CISOs or law enforcement, they’re interested in understanding the motivation behind the attack so they can figure out where they should look next.
TCB: Most experts tell us that it is not a question if a company is going to be breached, it’s a question of when. What should companies be doing after they’ve been breached, and what are some of the common mistakes you’ve seen in terms of the response?
CY: It goes back to some of those metrics we talked about. First, readiness is critical, and you want to have good defenses. Threat defense is a life cycle; you’re either doing protection, detection, or correction. The fundamental element here is that those components of the threat defense life cycle all work in concert with one another, but traditionally, in cybersecurity, it’s all been about protection. Now the world is moving to detection and ultimately correction, or some people use the term “remediation.” My view is that all three of those are important, and most organizations are doing all three of them at any given point in time.
The first thing you can do is understand that threat defense is a life cycle, and it’s not a point-in-time event. It’s happening all the time, and you always have to be concerned with it. You should also constantly be making sure that you’re in a position where, if you can’t protect, you have the mechanisms and abilities to detect and then ultimately correct or remediate that threat. That comes back to a number of questions. Do I test myself? Do I red team frequently? Do I have the ability to know how long it takes me to respond to and remediate an attack? Just understanding that baseline of where you are as an organization is critical.
Backing up all of that is a situational awareness problem. You need to understand what your assets are, what your organization looks like, and where someone might look to attack you. Ultimately, that might be where you’re going to find attackers coming in your direction.
Once you’ve got all of that done—and most organizations don’t—you also want to be in a position where you proactively go into your environment and hunt for threats. That means going out and looking for attacks, pieces of malware, indicators of compromise (IOCs) that you didn’t know were there – not just waiting for an alert to come into your security operations center.
TCB: You alluded earlier to the Internet of Things. What are some of the concerns you have about the increasing connectivity of everyday devices?
CY: Some of the challenges are relatively obvious – aka opening up more attack surfaces by connecting more devices. Other challenges are less obvious. When you connect more things, you enable new types of attacks and possibilities we hadn’t thought of. Nobody would have necessarily thought that bitcoin would enable ransomware, but it does. Part of the challenge in connecting all these new experiences and new devices will be that it will open up attack types that we hadn’t even presupposed because we are living in a world that didn’t exist before.
From a security perspective, what I like about our chances in a connected world is that we’re moving to a place where we’ve got more purpose-built devices and applications. This is important because it will allow our security model to evolve in a way that it couldn’t evolve when everyone was using a traditional PC or a server kind of environment. For those devices, you expect you can install anything you want on the computer that you use – anything in your browser, any application, you name it. That’s what the peak client server era has been all about in technology, and most of our security apparatus has been built up to deal with the threat to that open platform kind of architecture.
In a purpose-built system, we would have a model where, if I’m a provider of a connected vehicle, I should control every piece of software and firmware that runs on that device. Period. Why should the user be able to install anything if they don’t come through me? I curate what goes onto those devices and that shrinks the attack surface almost down to nothing.
TCB: What are your thoughts on the Cybersecurity Information Sharing Act? Proponents say that information sharing is the key to grappling with this problem. Others say that it is not a panacea, and it does not address the underlying factors that drive cyber incidents. What’s your take on the legislation and information sharing?
CY: I would say it’s a good start, but it’s not a panacea. The more intelligence that can be shared, the better we’re going to be at anticipating attacks and viewing the attacks that we just don’t see today. Here’s a good example on the subject of ransomware. Intel is part of something called the Cyber Threat Alliance, with Palo Alto and Symantec and Fortinet. We recently published a white paper after we got our threat researchers together and decided that there had to be some places where we could collaborate around threat intelligence and add value to our customer base. We spent some time on this and then, early this year, we decided to just focus on ransomware.
What we found was that because of our different business models, different product portfolios, and different customer bases, when we collectively looked at the problem, we actually were able to come up with a better picture of ransomware and all the different variants of CryptoWall 3 that are out there today. We also did some interesting things such as tracking bitcoin accounts associated with these campaigns. And it proved to us that threat intelligence sharing actually works. We are able to provide better defenses collectively because we were sharing intelligence between and amongst ourselves. That was just a group of four or five companies, and I think that opportunity exists. It gets exponentially bigger when you talk about public-private sector and hundreds of companies – that is where it gets interesting.
TCB: You mentioned earlier that the cybersecurity industry is pretty new. One thing that we’ve heard when we talk to experts and people in the field is that there is still a shortage of cybersecurity professionals. How do we rectify that?
CY: We don’t have anywhere close to the amount of talent that we need. I’ll talk about two concepts: one is a Cyber Corps and the other is a Cyber National Guard. They’re flavors of the same idea. There is also a spectrum of skill sets that we need as well. We need hardcore technical types, but we also need lawyers who are trained in cybersecurity, and we need operational types, who are maybe a little technically savvy but are not technical specialists.
I think there’s a real opportunity for the federal government, like what we’ve done with the Peace Corps or what we do with the National Guard, to train a large number of people and to get them to be part of this mission. There will be a lot of demand for their skill sets in the private sector as they come through that period of service. I think that’s an interesting way to attack this problem, and do it en masse, as opposed to saying, “Well, we’re going to expect hundreds of companies to somehow collaborate and fund this at colleges and universities.” It’s too hard. These are the same kind of massive efforts that you want to see governments tackle.
I would love to see one of the candidates running for president this year pick this up and say, “Hey, when I get elected, this is one thing that I’m going to go do.” It might actually be something that we could all agree upon on a bipartisan basis.