Don't get distracted by the shiny cyber machines
What will best-practice cybersecurity and risk management look like in 2020? Two themes kept emerging at the inaugural SINET61 cyber innovation conference in Sydney this week.
"A strong capability around threat intelligence", said Steve Glynn, chief information security officer (CISO) at ANZ Bank. It'll be about building an understanding of the threat actors, what they're trying to achieve, and what techniques will be needed to defeat them.
Latest Australian news
Threat intelligence was one of the hyper-repeated buzz phrases at SINET61. John Haig, head of security, risk and compliance at Dun & Bradstreet, was one of many speakers who mentioned the other: machine learning.
"Right at the minute we look at machine learning and deep learning and these kind of technologies, and we trust the human more than the machine," Haig said.
"I see some of these technologies maturing over the next four years, and being tested in real scenarios, with a human element being over the top. And after 2020, obviously I'd like to see that further mature and put more trust into the machine ... I'm never going to have enough people to be able to tackle the problem that we see today, and in the foreseeable future ... We need to be doing things smarter."
In my view, adopting techniques like threat intelligence sharing and machine learning are no-brainers.
We know we need to get better at cybersecurity. We know we have a massive skills shortage. We know that sharing information will mean we can learn from each other. And we know that computers can do the boring stuff faster, freeing up the humans for the thinking bits.
I'm therefore pleased to see examples like Britain's National Cyber Security Centre talking about sharing DNS blocking rules with the private sector. I daresay the Joint Cyber Threat Centres that Australia is building as part of its Cyber Security Strategy will be doing the same sort of thing,
But as with all new tools, there are risks.
Threat intelligence sharing, for example, might not always be useful, according to Nick Scott, head of security governance at National Australia Bank.
"Do we share everything we know about everything? No, we don't. And it's not about this exclusive club [of banking industry insiders]. If I share that piece of information, I don't know that you're actually going to be able to do anything with it," Scott told the conference.
"Some information can be shared and used by everyone across the industry, and have a purpose. Some other components, it might be [that] I've got a really deep piece of technical information, but to be able to make use of this, you're going to have to have a capability in your organisation to use that in a way that needs it. Without having that, there's no point in sharing some of that information."
Those thoughts were echoed by Michael Sentonas, vice-president for technology strategy with CrowdStrike.
"In the last two days there's been a lot of talk about threat intelligence sharing. That's all great, but how do people take threat intelligence, and find out what's a quality feed versus what's a rubbish feed? Buying threat intelligence from many different sources and having one that's really, really bad is going to spoil it for everyone. We need to be talking about that more," Sentonas said.
"How do people operationalise it? It's great for banks, but a small organisation may not be able to consume that.
"It's not about throwing out everything that you've done and going to silver bullets that talk about machine learning and other types of buzzy terms, but some of these technologies will complement the existing tools very well."
Haig reinforced the need to remember the basics of cyber hygiene.
"In a lot of organisations, to be honest with you, when you start to take a look, everyone's focused on doing all this really cool shiny brand-new everything. It looks great, and you've got these big screens up, and they have all these beautiful dashboards, and people look at that ," Haig said.
Watching the displays, but not much else, and certainly none of the boring-but-essential stuff.
As always, we need to remember that while all the new toys are fun, and the vendors love showing them off, the basics still have to be done.
As Glynn put it, "We need to do all the things that we've been doing to date, but better." And when he was asked to name the one thing he's asked of his business, it was a very human response.
"Stop clicking on those damn links."
Exactly. And you can't buy a machine to do that.