Security Is A People Problem: Q&A With Awake's Gary Golomb
As the threat landscape continues to morph, and security teams stay apprised of the latest goings-on, it’s tough to set aside misinformation and act on “clear and present danger” to the business. Much of that issue has to do with both technology and the business culture.
So, in what ways has security evolved in recent years? Is that a root cause for the fragmentation we’ve seen? What is the way forward and what tool or principle will take us there? Is it human ingenuity, in all its glory, or fledgling security technology like AI or machine learning?
To get his take on these sizable topics, we spoke with Gary Golomb, Chief Research Officer at Awake Security.
Cyber Security Hub: What is your assessment of the current threat landscape?
Gary Golomb: I’m not one of those people who (goes) on about how quickly the threat landscape is evolving and how difficult it is to keep up. One way I can frame that is, I have a presentation – with slides in there where I list features of a particular type of malware. I the ask audience to guess what the family of malware is… (They typically guess that it’s a) really sophisticated strain. The actual answer is malware released in 1999, targeting Windows XP. Really, the point there is: the point of view that the threat landscape evolves extremely quickly – there’s some sensationalism around that. That said, it’s useful to start with that, then underscore the significance of my next statement: Over the past 4 years, it has evolved in ways that I definitely have not seen over the past 20 years. It’s really interesting. I used to say there were six or seven major evolutions – but they’re more intermediate evolutions.
[Editor’s Note: Here, Golomb outlined an attack timeline, from Unix to web server platforms, and web applications and clients (i.e., Windows worms) to the browser and its plugins.]
I think what we’re seeing now is a major evolution. If you go back 25-30 years, breaches were largely about configuration errors, exploiting people and processes; they involved system administration. Then, 25 years ago, we entered the era of remote exploits… To me, a much bigger evolution (is occurring and involves) attacks and breaches going back to people and process errors, configuration errors, system administration (etc.). These are higher-level patterns… And the fact is: technology is everywhere – cars, planes, satellites, smaller, cheaper things. The state of play is an absolute playground.
CSHub: Awake’s website says the Investigation Platform helps security teams detect threats – from file-less malware, malicious insiders, credential abuse and lateral movement. How can a CISO keep on top of all these potentially crippling issues?
Golomb: There’s good news and bad news here… I think for CISOs we need to focus on facts that they need to solve for. Look at different use cases. The good news is that there’s actually a common thread or lowest common denominator crossing all of those – characteristics they all have in common. The good news is also that they are something to focus on, and they can be managed. The bad news is: I think many teams, most teams, enterprise security teams that is, are ill-equipped to actually face this new reality, and manage that common thread between all these threats. (It really is a) new state of threats…
We’re moving to world (of) threat identification: discerning business-justified behavior, from out-of-scope behavior… I think one of the most important questions for CISOs to focus on is: How are you equipping your team to understand the flow of information in the business? CISOs have not had to ask or answer that before. The way threats are evolving, it’s a fundamental question that has to be answered.
CSHub: Given your experience in threat hunting, how have you seen the space evolve?
Golomb: There are a few different points to make here. The space is evolving, and there’s three major segments: threats and the (wide-ranging attention) around them, vendors and how they’re evolving, and the third involves enterprises themselves. The most dramatic evolution has been in the enterprise. Within the last five years, reverse engineers and DevSecOps (are) becoming commonplace in enterprises. It’s something to stop and think about. Roles that only existed in vendors are now making their way into the enterprise. Why? Why do you need a reverse engineer? You need to extract intelligence… And why DevSecOps people? You need integration developers and engineers to take intelligence and make it actionable. Really, the underlying point is: there’s a case to be made that vendors have not been keeping up with handling these things well enough, so enterprises have stepped in to drive that evolution.
CSHub: In terms of evolution, too, how do you see AI & machine learning impacting the enterprise in both the short and long term?
Golomb: In the short term, it’s simple (and) non-sensational: AI or machine learning is another methodology, a detection methodology. There was an evolution in the ’90s to where we are today; you can look at the question the same way. A long time ago, we just had signatures to identify activities of interest. Signatures evolved to anomaly detection, which evolved to behavioral analysis… So, we get to where we are now: machine learning or AI. It really just means statistical modeling. The important thing to understand in the near term is: the methodologies we talked about apply to AI as much as they do to signatures. Every single (technology) has strengths over the other. There are pros and cons, a cost benefit that you need to take into consideration. That’s the short-term view.
In the longer term though, it gets very interesting. Machine learning and AI (suggest a) remarkable power behind technology – in the ability to identify statistically interesting chains of data points, chains of behaviors. Nothing else can do this, including humans, or not as well, at least. In identifying how patterns exist, you end up with two categories of discoveries: types that AI can label, and ones it doesn’t know how to label… The more we use AI, and the longer we use AI, the more we discover. (This) allows people to come in and analyze those things… The more we use the technology, most people in the community (will) become knowledgeable. This allows humans to do what we do best. So, in the longer term: AI indirectly but very profoundly influences progress across the entire industry.
Is it fair to have (these) expectations – (that) AI will eventually be able to label everything of relevance to security teams? Where I’d draw the line is: You’ll always have what it can and cannot label. (It does) not fail because it can’t label. (That’s because) humans then put resources (into it). There are problems best served by human ingenuity – and that’s wrapped into the model.
CSHub: Is progress in the space hindered by an oversaturation of solutions? Is it actually a “culture” question?
Golomb: Yes, there are ways progress gets hindered… The way I kind of respond to that question is for all the doom and gloom out there – and there are undertones of it in what we’ve been talking about – in most ways, the state of security has actually never been better… Security is now a bigger business (than it was five years ago), and there’s more coverage. Breaches get sensationalized more than they ever have. The impact of some of these are phenomenally mind-blowing. But function (improves) as time goes on, (and we) collect more and more data. If we have events, there’s more data to be effective. Stepping back, I’d say: The state of enterprise security and its capability is incredibly better than even just five years ago, much less 10, 20, or 25 years ago.
CSHub: What’s one piece of advice you’d offer today’s security practitioner?
Golomb: This one piece of advice in is in two parts. Security is a people problem. What that means is we need to recognize it’s not malware that’s the problem, it’s not scripts, it’s not exploits, or patching. It’s that there are people who are incentivized to get access to data. The bar to do so has fluctuated. (But), it’s people on the other side of the equation, and people are creative. There are people on your team, your analysts. They need an environment that supports the same level of creativity and ingenuity. When you have an attacker who’s having fun doing work, and an analyst who’s miserable, it’s common sense what the effects will be. We need to focus on people and teams and recognize that what they’re facing are other people. The other part is, again, people – and the resources they’re managing… HR reps, accountants – these are folks who actually run the business. Analysts don’t (always) understand people of the business, or they don’t know how information flows. I don’t think we’ve understood how deep that statement goes.
Be Sure To Check Out: 'Cloud Is The Bigges Cyber Revolution Of Our Age': Tufin CEO Ruvi Kitov