Panel: Threat Response Needs New Thinking
Cisco's Jeetu Patel and Tom Gillis on Why a New Approach to Security Is Necessary
It's getting harder to distinguish between normal and unusual threat activity, with more sophisticated attacks exacerbated by hybrid work and soon - AI attacks. Defenders need correlated rather than isolated telemetry to get more signal and less noise, said Jeetu Patel and Tom Gillis of Cisco.
Security teams now need to look across multiple domains - email, web, endpoint and network - in a synchronized fashion to identify friend from foe. This needs machine scale for the quantity and quality of data and the correlation of different data sets across different domains. It can only be done through a platform, they said.
"It is essential for companies who cannot manage the complexity with 70 vendors and 70 different policy engines within their environments to make sure that they have fewer platforms. There will probably be half a dozen platforms," Patel said.
In this video interview with Information Security Media Group at RSA Conference 2023, Patel and Gillis also discuss:
- Creating a "synchronized symphony" of security defenses;
- How XDR with greater efficacy will redefine the security landscape;
- Why the security stack interface will change.
Patel spent more than five years leading Box's product and platform strategy. He previously served as general manager and chief executive of EMC's Syncplicity business unit. He was also chief marketing officer for the information intelligence group and chief strategy officer. Before EMC, Patel was president of Doculabs, co-owned by Forrester Research.
Gillis previously served as the senior vice president and general manager of networking and advanced security at VMware. Prior to that, he founded Bracket Computing in 2011 and served as its CEO. Before that, he was president and general manager of Cisco Systems' security technology group and vice president of marketing and co-founder of IronPort Systems, acquired by Cisco in 2007.
Mathew Schwartz: Hi, I am Mathew Schwartz with Information Security Media Group. And it's my pleasure to welcome back to the ISMG studio, Jeetu Patel and Tom Gillis of Cisco. Gentlemen, thank you so much for being here today.
Tom Gillis: Thanks for having us.
Jeetu Patel: Thanks for having us, Matt.
Schwartz: My pleasure. Well, there's a lot to discuss here. Let's start with the topic of your keynote - threat response. Jeetu, you said it needs new thinking. What's flawed with the old way?
Patel: There are 3,500 vendors in the market. Most companies have 50 to 70 vendors. And despite all the investment, ransomware is on the rise. And so clearly, there's something that's not working. And the way we look at this is the market needs a different way to go out and have security defenses for the new, increased sophistication of attacks that are happening. So if you think of a typical attack chain, it starts from email: you click on a link, it goes to the web, you go to a website and download some kind of software on your machine. It kicks off some process. And before you know it, your malware is starting to traverse the network through lateral movement. And that has been defended thus far in isolated ways. There's someone that specializes in email, on the web, in the endpoint, or in the network. We'd like to make sure that we have a unified platform that can make sure that there's telemetry that's correlated across all of these rather than isolated, because when you have correlated telemetry, you can have far more signal. And the noise reduces as we go at it, and that's the big kind of announcement that we made. And this gets even more important in the age of AI, where the attacks are getting more sophisticated, but it's going to be hard to discern between what's real-life activity - that's normal, what does Matt do on a day-to-day basis - versus this is a threat.
Schwartz: And if the threat is good enough, it can pretend to be what I'm doing on a daily basis. I want to bring Tom into the conversation. You talked about having a synchronized symphony of security defenses. This being the goal, because isolation of telemetry, as we were just discussing, is a big security Achilles' heel. How do we get there?
Gillis: So let's think about the chain that Jeetu just referred to. So it starts with email: 80% of the ransomware attacks that we saw last year started with a phishing email. And remember, those phishing emails you get from the Nigerian prince, they were kind of absurd, but he's out there. But with tools like ChatGPT and other AI tools, the attackers are now going to be able to craft a phishing email that is going to be from someone you know, referencing something you did. For example, "Hey, Tom, great to see you at the game on Saturday. I took some pictures of the kids." So who's not going to click on that? And so, as these attacks become more and more like real life, we need to look across multiple different domains - email, web, endpoint and network. You have to look across all of them in a synchronized fashion to be able to identify friend from foe. That's the symphony we're talking about.
Patel: And by the way, the interesting part over here is an attack. Typically, the first step of an attack is not just to go to a high-value asset. If you wanted to go out and steal credit card numbers, you don't start by going there. You start from an email, and you traverse through the different domains, so that eventually you get to the high-value asset, and then you exfiltrate the data. That's something that we have to keep in mind: in order to get to that endpoint, you have to make sure that you follow the attack chain.
Schwartz: So AI - bit of a buzzword - but I think a lot of potential there both for defensive, as we're talking about, but I was hearing at the RSA Conference, from some big names, they're extremely concerned about what AI is going to be doing, not least on the social engineering front as you feed things into it and get out what you need for attacks, targeted or otherwise. So as we're looking at AI, I guess there's a risk of focusing on how offenders are going to be using it. But how can we use AI more for good, for example, generating more enthusiasm in the SOC or helping SOC analysts? We've been talking for years about overload and trying to give them only what they need. What is the promise there, and when are we going to get there?
Patel: So firstly, I think AI is not a new concept. But what happened on November 30th was there was a step function improvement because of ChatGPT and language models and the machines' understanding of reasoning, and being able to talk in natural language in a much more kind of intuitive way. There's a lot of good that can be done with AI. There's also a lot of areas that we have to be concerned about. And you have to take a balanced approach at this. Neither can you be with rose-colored glasses on, nor can you be completely pessimistic, because any major technology innovation like this is going to have the downsides also accounted for, especially given the scale of it. So where are we with AI? We think there's three major opportunities for AI in security. First one is, what can you do with AI to simplify the security stack. And you talked about the SOC analysts; we showed a concept of what that would look like in the future. And I don't think we're that far from that future happening, where the interface model that humans are going to use with machines might change quite a bit, where the mouse might not be the only dominant device for going out and providing input; you might have natural language and command prompts. But more importantly, you might have an interactive dialogue with the machine. And the way that we'd like to make sure that we think about this in the future is how does it augment human capacity and human knowledge, so that you can meaningfully increase the quality of insights that you're getting from AI. And not only automating the 80% that are routine tasks so that you can focus on the 20% that aren't routine tasks, because right now, one of the big challenges that you see with SOC is you just don't have enough people to staff up everyone that you need. So if we can augment AI, that's going to be huge. So that's the first area - AI for simplifying the security stack.
The second area is how can we make sure that, as cyberattacks get more and more sophisticated because of the use of AI, the Nigerian prince that Tom talked about is going to become more sophisticated, because he's not going to have typos in his email, and it's going to look like he met you last week at your daughter's basketball game. And those are things that we have to make sure that we can discern. So that's going to be the second area: how do you have security that can be specifically designed to detect threats that are being done more sophisticatedly, as a result and a function of AI? And the third one is what do you need to do to make sure that AI models themselves get more secure. And so those are the three areas that we're going to be investing a lot of time, effort and resources on. And you should expect that there's going to be a continuous movement. But the one area that we've told customers is expect us to be the most sophisticated AI-powered end-to-end security platform on the planet.
Gillis: If anything, I'd add one thing to what Jeetu said. What do we use to train the models? An asset that we have that is kind of new and interesting. We've got 20 years of incident response capability. We've had various sophisticated technicians that have written documents: here's what happened, here's how we responded. Imagine we feed that into this AI model, what we can do for the SOC - 20 years of experience turned into software. It's interesting.
Patel: That's an important point Tom makes, because if you think about the generic models that are out there right now, they don't give you the specifics that are required for a domain in a specific industry. Now for large language models, for example, if you look at the major large language models that are out there, they might not be able to give you details on what is happening in your environment for a specific security incident that you might be going out and investigating. And that's where I think there's an opportunity. What's going to happen in the market is there's going to be more specialization of models. And there's going to be more specialized telemetry and data that will be fed to the model so that you can provide very custom, bespoke experiences for certain domains. Bloomberg just launched BloombergGPT because they wanted to make sure that they did something very specific for the fintech industry.
Schwartz: Let's talk about Cisco's new XDR announcement. How is this a game changer, Tom, for Cisco and for the industry?
Gillis: Well, we've alluded to this: it's too difficult. If you're only looking at one domain, it's too difficult to spot these patterns. So you have to look across multiple domains. So play that out in your head a little bit. So we need to look across email, web, endpoint and the network. We want to have sensors that live in email, web, endpoint and in the network to gather that telemetry. So I think it's accelerating the movement we've seen in the industry toward security platforms, where I'm dealing with a system that has multiple components - not just a bunch of products, but a system that has components that work in each of these domains, shares that common telemetry, one common policy framework. And this is very much in line with the announcement we made last year around our vision behind the Cisco Security Cloud. And so how is the Cisco XDR addressing the limitations of current XDR solutions? Yeah, there's two areas we've focused on. The first is we have an open architecture. So we work with everything. But when we have native telemetry, meaning when we're in the data path, we get very high fidelity data that turns into security efficacy. The other area we focused on is the integration to respond. So we can do all kinds of clever things about, we saw something that looks a little suspicious. Let's take a snapshot. It looks even more suspicious. Let's do a packet capture. And then eventually you get to, it's a full-blown attack, we can stop it. But you've created an audit trail that allows you to automate the recovery process should a ransomware event occur.
Schwartz: Excellent. Lots of changes. ChatGPT, as you said, just at the end of last year, we're seeing so much innovation at a pace that possibly we've never, ever seen before. Certainly XDR is going to be changing. So where do you think we go from here?
Gillis: I think that there's a movement in the industry to think about platforms. And XDR is the best evidence of that. If that's true, if we can demonstrate greater levels of efficacy with a platform, it's going to redefine the vendor landscape. Remember the 3,500 different vendors that are out there, and the 75 solutions that the customer has to ingest? The movement toward platform is a significant shift in the industry. And it redefines how we think about product excellence. Where's the product grade? I'm going to argue it's at the platform level. When the whole is greater than the sum of the parts, we can do some magical things.
Patel: I'd probably say the other thing that you have to keep in mind, as we've been talking about platforms for a long time. The reason that it becomes pertinent now is because the sophistication of attacks has improved so much that it's hard to tell between a normal course of activity and an actual threat that could threaten your enterprise. And the only way to go out and handle this is through machine scale; you can't do it through human scale anymore. And in machine scale, like Tom alluded, what's important is the quantity of data and the quality of data that you ingest. And the correlation between different data sets across different domains. Those things can't be done through point solutions; they can only be done through a platform.
Schwartz: You were talking ransomware. The continuing innovation we've seen as criminals are trying to find new ways to make money and using any tool at their disposal to do so - I think that presages increasing sophistication, not less.
Patel: Yeah. And it's not just ransomware. It's insider attacks, espionage, nation-state attacks; all of these things kind of play into the mix over there. So it is essential at this point in time for companies who cannot go out and manage the complexity with 70 vendors and 70 different policy engines within their environment, they have to say, I need to make sure I have fewer platforms. There'll probably be half a dozen platforms; we will be one of them, Microsoft will be one of them. Palo Alto might be one of them. And then there'll be others that will try to aggregate to go out and become a platform, but there's not going to be that many - there's not going to be 3,500. There's not even going to be a dozen. There's going to be very few platforms that are end to end.
Schwartz: Jeetu, you run the security business. You also run the collaboration business at Cisco. We've seen major changes in how collaboration is happening. Do these two things tie together? If so, how?
Patel: Well, they very interestingly tie together, much more relevantly than any of us had imagined, because of what happened during COVID. And if you think about the pattern of work right now, it's largely hybrid. Some people work from home, some from the office, some somewhere in the middle. And you're not always going to be connecting to systems to get your work done from a secure location on a secure network on a secure device. You might be on an unmanaged device at a local coffee shop, going out and connecting to your network, and you have some very sensitive intellectual property that you're taking a look at. So security is going to play an increasingly more important role in hybrid work so that you can establish trust for the user and for the organization that they're going to be okay, and allowing that flexibility for users to work from anywhere. The second thing to keep in mind is if you look at the overall kind of domain, as people move from one location to the other - it's not that everyone works from the coffee shop all the time, it's not that they work from home all the time, it's not that they work from the office all the time - you can't have different experiences. So you need to have the same experience no matter where you work from. And so that level of clarity and simplicity of the experience that no matter where you are, you open up your laptop, you connect, and you're going to be fine for any application. Whether it be a public application, like Workday or Salesforce, whether it be a private application, like your order management system, whether it be directly connected to cnn.com, we should make sure that the experience for the user is no different, so that they don't have to say, "Well, for this particular application, I have got to log on to VPN; for this particular application, I've got to make sure that I have ZTNA. Over here, I don't need to do either of those things." Those get super confusing for the end user.
And one of the big challenges we have is to simplify the experience for the user so that they don't go out and have a lot of errors that they might be prone to, because that causes more of a risk surface increase for breaches.
Schwartz: Definitely, you want to maintain assurance with users that they are being secured. But at the same time, as you were saying, with a synchronized symphony of security defenses, that has probably gotten a lot more difficult with all this remote work and trying to deliver these productivity tools anytime, anywhere.
Patel: It's gotten more difficult and risky. So we have to make sure that there's a level of thinking going around how are you going to make sure that something is productive and also secure for the user. And those can be opposing characteristics. You can't have someone say, do you want to be productive or do you want to be secure? It has to be an "and." And that's an area where we feel like we need to spend a lot of time, and we've done a tremendous amount of work. And we do as much work as we do on the backend plumbing on making sure that the user experience is extremely simple for the user. The moment you do that, the breaches because of negligence go down quite a bit.
Gillis: The goal is to frustrate attackers, not users.
Schwartz: That's a great mission statement. Excellent. Well, and hopefully we'll see more of that in the future as an industry, because we definitely need that. Well, gentlemen, it's been a fascinating conversation. We've touched on a lot of things. Thanks so much for your time and insights today.
Gillis: Thank you.
Schwartz: I'm Mathew Schwartz with Information Security Media Group. Thank you for joining us.