Palo Alto Networks CSO Talks Risk Metrics, Algorithms & Automation
On the May 14 episode of VoiceAmerica Business Channel’s “Task Force 7 Radio,” host George Rettas sat down with Palo Alto Networks CSO, Rick Howard, to outline risk management, the security kill-chain and more.
Rettas kicked off the episode by discussing a recent market move. Software company Symantec recently suffered a steep drop-off in its stock price. News of this came last week, after the Wall Street Journal reported an audit committee’s internal investigation. The outcome of said audit may reportedly affect the company’s financials. Last week, Symantec stock closed down 33%, at $19.52 per share.
After this newsy introduction, Rettas leapt into his interview with Howard, who first discussed risk management frameworks.
“You need to be thinking about how well you’re protecting your organization from material impact,” the CSO said. “(I believe we’ve been) doing it wrong for 25 years.” He said that instead of the cyber security heat maps employed by CISOs and the like, more precise forecasts must be integrated into the security model.
Howard mentioned findings from Philip Tetlock and Dan Gardner’s book, “Superforecasting,” saying that the precise measurements, subsets and demographics spoke to ways in which risk is framed within organizations. A more operative question, he said, becomes: “Will the organization be materially impacted in the next three years?”
“There are books out there now that show us how we do that math,” Howard said. “I’m interested in moving the industry forward, away from heat maps and into more precise ways of doing things.”
With a focus in measuring risk, do CISOs lose the ability to communicate financial needs? Howard said technical, security-driven folks are not too good at this. “Most of us came up through the technical ranks,” Howard said. “We’re good at identifying technical risks, but we suffer when we try to convert that to business risk for board members. They don’t understand a vulnerability in some open-source web software. They don’t understand that. But, we (should) tell them that it’s a material risk to the organization if we don’t fix particular problems.”
On that same thread of organizational communication, Howard said that quantifying breach impact can absolutely be done. “It’s still a guess,” he said, “…but it’s a more precise guess with probabilities.” He added that the process becomes more mathematical. Then, applying the Bayes’ Algorithm on improving processes over time, you can gather evidence, create estimates and craft probabilities.
The CSO called cyber security risk no different from any other corporate risk. In fact, he said it’s not a risk, “it’s a vector.” Cyber security can afford companies unbelievable opportunities for change and profitability, or provide ways for “bad guys to take you down.”
ROI: Yes or No?
One debatable topic within cyber security is the concept of return on investment (ROI). Howard said that “there’s no ROI for the security spend. You’re trying to reduce risk; you’re not trying to make money off this.” He said CISOs should provide boards with an exceedance curve that shows the probability and cost of an inherent risk.
On understanding the impact of sound security controls, Howard said that one “metric” he’s encountered is: “How many people does it take to respond to an incident in your organization? If that number is going down over the years, then you’re doing the right thing. If it’s going up, you probably have a severe problem.”
In some circles, it seems, executives believe that quantifiable metrics for risk are simply “academic.” Howard provided a useful timeline and evolution of thought processes in response. He said that methods such as the Bayes’ Theorem help you deal with probabilities and change over time. When Thomas Bayes wrote it in the 1740s, it was cast aside until turned in by a friend to the Royal Society. However, the Bayes’ Theorem became a useful tool for grasping problems with unknown data sets: It was later used by Alan Turing in decrypting the Enigma machine during World War II, and by American scientists in the real-life case of the Red October submarine. It was later employed by Los Alamos scientists in developing the atomic bomb (based off predictions made for solitaire). It wasn’t until the birth of the personal computer (PC), however, in the late 1980s and early ’90s, when it became more mainstream – in solving numerous technical problems, or fleshing out risk.
'Defense In Depth' or 'Kill-Chain'?
Since these various evolutions have taken place in recent decades, another question becomes: Do “old” methods work? One is the “defense in depth” strategy. The “TF7 Radio” guest opined, “No, I haven’t really believed in defense in depth for a long time.” An advocate of the Lockheed Martin Kill-Chain Model made popular by a research team in 2010, Howard said that defense in depth worked in earlier days with a tiered approach to security. He said adversaries soon worked their way around the controls, though.
“With the kill-chain model, adversaries, as they attack victims – and regardless of motivations and tools – have to do five or six things: recon the network for weaknesses, craft a tool that leverages a weakness, deliver it to some endpoint, and, once they get it on the endpoint, they have to trick the user into running it. Once they own the box and ‘establish a beach head,’ they still haven’t successfully completed the mission yet.”
They then have to establish a command and control channel, traverse laterally in the network and ultimately exfiltrate data through the channel. “In the (kill-chain, you have) prevention controls at every phase… (You don’t employ) random controls… They’re all geared toward a specific adversary,” he said.
The CSO added that as an industry, cyber security is ill-equipped to handle additional “point products,” because of a people/resource scarcity. “We’ve known this for a long time,” Howard confirmed. “And vendors have known that, so they’ve come up with solutions. What’s emerged is the cyber security platform.” He called it “one simple box that does firewall stuff and prevention controls down the kill-chain.”
A possible solution for streamlining the security process, even with the kill-chain: employing automation. The Palo Alto Networks CSO told Rettas that the industry has trouble keeping up with indicators and controls manually. Automation, he said, helps reduce overhead and complete security tasks in real time. He calls this "Automatic Security Enterprise Orchestration."
In the final segment of the show, Howard provided his take on the present talent crisis.
“It’s mostly because we’re shooting ourselves in the foot,” he said, before referencing a substantial jobs shortfall (projection) for cyber security by 2019. The solution, he said, partly has to do with diversity and inclusion.
“If you’re hiring someone this year,” the “TF7 Radio” guest suggested, “and you’re rifling through a pile of resumes, and half of them are not minorities or women, go to HR and request a different pile… That’s the call to action.”
The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes of "Task Force 7 Radio," click here.
Find Howard on LinkedIn, here.
Be Sure To Check Out: Insider Threats Are The 'Next Big Wave Of Attacks': Securonix CEO & CTO