Cyber operational readiness and a complex threat landscape
Mike Walls is the Managing Director, Security Operations and Analysis at EdgeWave. In this interview he discusses keeping pace with an increasingly complex threat landscape, cyber operational readiness, and the importance of the firewall in the modern security architecture.
Before joining EdgeWave, you were responsible for U.S. Navy cyber operational readiness, ensuring the security of over 300 ships, 4,000 aircraft and 400,000 servicemen – the world’s largest intranet. How did this complex job prepare you for your role at EdgeWave? What are some of the most interesting lessons you’ve learned?
In my role as Commander Task Force 1030/Commanding Officer Navy Information Operations Command, Norfolk, I was responsible for the Navy’s cooperative cyber assessment team (Blue Team) and the non-cooperative cyber assessment team (Red Team). I also supported the Navy acquisition community with penetration testing teams.
As you might imagine, these teams played a critical role in the Navy’s cyber warfighting effort by ensuring every ship, squadron, submarine, shore installation, and all Navy personnel (uniform and civilian) maintained the highest level of cyber readiness. My teams trained the Navy how to identify attacks, and more importantly, how to fight through a degraded network. The sailors and civilians who staffed these teams were exceptionally well-trained and experienced. They received custom training provided by the NSA as well as training from commercial entities.
Along with focusing on readiness, my team transformed into an operationally focused organization when Navy unclassified networks were compromised by a significant actor. We were on the front lines of what is considered to be the first cyber fight on Department of Defense networks – Operation Rolling Tide.
I mention these points because my experience as Task Force 1030 Commander provided me with a unique understanding of what it takes to be “cyber ready,” and an understanding of how to organize and fight in the cyber domain. That’s what I was brought on board at EdgeWave to do – organize a team with the same expertise, the same understanding of cyber readiness, and the same operational experience as my team in TF 1030.
The most interesting lesson I learned is that every network is penetrable and most get compromised. We need to accept that and start thinking about detection, response and resilience.
Organizations have a hard time keeping pace with an increasingly complex threat landscape. The general trend is to take advantage of automation and have tools deliver actionable intelligence. You’ve said that “There is no replacement for human intelligence in the fight against terrorism, whether on the kinetic battlefield or in the cyber domain.” How does human intelligence enhance the information security products of the future?
A Navy friend and I were talking about SOC scalability and his approach was pretty straightforward: automate, automate, automate. When you think you’ve automated as much as you can, automate some more.
That being said, there will always be a requirement for human interaction at some level. I often say that even if automation were to take care of 98% of the problem, a human would have to manage the last 2%.
It’s important to remember that it takes the right human looking at the last 2%. Too often we try to leverage IT staff to perform security functions and the reality is that to get at the advanced threats you need a security expert.
Based on your experience, what is the importance of the firewall in the modern security architecture?
There is certainly a place for firewalls and other preventive technology. But we continue to see businesses that deploy the most advanced preventive technology getting hacked. That tells me that while these technologies may be slowing the adversary down, they are not completely effective. So we really need to take a hybrid approach to defending our networks by focusing on prevention AND detection. I made the point earlier that it isn’t a question of “if” a network will be hacked, but “when.”
Businesses must incorporate detection capability in their defensive strategy. In my mind, it’s all about minimizing the time between compromise and detection to mitigate the damage a hacker can do to a business. The opening keynote speaker at the recent Gartner IT Summit agreed. He suggested that businesses should change their resourcing paradigm from a 90% IT infrastructure/10% security approach to 60%/40%. We can’t forget the response and resilience component.