Cisco's AI helps defenders detect threat actors

TK Keanini, Cisco's principal engineer, explains his job to ZDNet's Tonya Hall, "[We're] trying to make it harder for the bad guys to operate on our customers' networks."
Written by Tonya Hall, Contributor

TK Keanini offered ZDNet's Tonya Hall a closer look at Cisco's annual cybersecurity report and his job as the company's principal engineer. The 2018 report covers the evolution of malware, malicious encrypted web traffic, and the rise of AI.

The full transcript of the interview follows.

Tonya Hall: Threat actor and defender. The cat-and-mouse game of the 21st century. Hi, I'm Tonya Hall for ZDNet and joining me is TK Keanini. He is the Principal Engineer and Product Line CTO of Analytics for Cisco. Welcome, TK.

TK Keanini: Thanks. Hi.

Tonya Hall: Hi. Most people know what Cisco is. It's a world leader in networking, but what do you do as a Product Line CTO of Analytics?

TK Keanini: I work in the advanced threat group, so we have everything to do with basically trying to make it harder for the bad guys to operate on our customers' networks.


Tonya Hall: Cisco just released its 2018 Annual Cybersecurity Report. In it, Cisco covered the evolution of malware, malicious encrypted web traffic, and the rise of AI.

What's new in the evolution of malware?

TK Keanini: Well, for one, it's always evolving. I've been involved in this game for quite some time, and I'm genuinely fascinated by the innovation on both sides. As we, as defenders, get better at our job, we sort of force the hand of the threat actors to evolve, to try new tricks, because frankly, their old tricks don't work. That goes round and round, and in this latest report, what you'll see is a lot of different techniques. One could say we've gotten a lot better at detecting them in their binary forms, so they're trying to hide things more in documents. That's kind of one angle of it.

The other one that is on a very, very sharp rise, and frankly, I'm surprised why it's so late, is a lot of their communication channels are in opaque tunnels, in encrypted channels. You have to ask yourself, "How much more expensive is it for them to encrypt their traffic?" And the answer is, "It doesn't cost them anything," so why isn't all their traffic encrypted? And what that means to defenders is, when they go opaque like that, standard methods of detection are not feasible.

What you're seeing is that a lot of these threat actors are operating in networks. When they encrypt their traffic back to, sort of, their command and control and things on the Internet, they completely go unseen. Without the right technology, they remain unseen, and they remain persistent on people's networks.

Tonya Hall: Tell me about the adoption of AI, and machine learning by security practitioners.

TK Keanini: That, again, comes down to two things. One is augmentation and automation. It really is a force multiplier for the workforce, particularly on the defender's side. No corporation can hire enough talented people to defend themselves. What's happening is, they're doing the right thing. They're really getting the machine to sort of be an augmentation of their detection, and an augmentation of their automation on their network. That's become really, really effective.

It's done two things, which is, it's made their existing staff more effective. They can address more incidents in a day. They also may be handed new findings; findings that they wouldn't have seen without very, very advanced machine learning. The machine, in a lot of ways, is almost sitting in the seat next to them, as they complete their workday, and that's become really effective.

Tonya Hall: What's the scope and impact of rogue users on malware infections and security failures?

TK Keanini: Well, that's the thing, not all threats come from the outside. There could be an insider threat, and that usually takes two forms. One is the form of a rogue user, so somebody with credentials with access, and can do damage. The other one that is, frankly, even more common, is somebody like you or me, who gets our credentials stolen.

Consider that scenario, which is, there's now a threat actor logging in as you, into the corporate environment, with your entitlements. That's become the harder one to find. Again, with the right AI and machine learning, you can really do what is called behavior analytics, and tell whether TK's gone insane today or not. That's become really, really important, because here's the thing: the attackers are no longer breaking into networks, they're just logging in, and that's become a real problem for defenders.

Tonya Hall: Internet of Things devices are mentioned in the report. What should IoT consumers look for in security for these devices?

TK Keanini: That's a tough one. Every industry, every sector has its version of IoT. My home, for instance, is full of IoT devices. Right? And a lot of them, once I buy them from a retailer, if they have a bug in it, and a security vulnerability, there's no way I can patch it. My version of patching is taking it out to the driveway and running it over with my car, because really, there's no saving it. That's become a problem because they remain vulnerable, and they remain sort of a minion, almost, for these threat actors to use. That's why we've seen these denial of service attacks leveraging IoT devices. It's a real fertile ground, because these things go unpatched.

That's sort of one version of it. The IoT that is sort of fixable with a little bit of care and feeding is things like manufacturing, things like medical equipment. Those have to be fixable, because for some of them, there are basically life consequences associated with it. In those cases, it's about narrowing the aperture of the target surface. Even if it can't be patched, there may be some countermeasure you can wrap around it so that only certain traffic can get into it and out of it.


Tonya Hall: Okay, TK, talk about the cat and mouse game between threat actors and defenders. Where do you see it going?

TK Keanini: It just keeps on evolving. Honestly. I mean, if tomorrow I wake up with a brilliant idea, and I make it really hard on a bunch of people who do ransomware, they're going to meet up, and they're going to try and do better than I did. Right? That's why we've seen this big evolution.

Let's take sandboxing, for instance. Okay? For example: we know that, frankly, we can get a malware sample that some threat actor has put together. We can put it in a sandbox. We can explode it. We can watch how it behaves. We can take some of those deterministic characteristics and then mechanize it for our machine learning, so if we ever see something that behaves like this, take it off the network. Okay? Real easy, right?

They've gotten smart enough to where they can actually try and detect whether there's a human looking at them and playing with them, versus a machine. In our sandboxing, we actually sometimes have to mimic what a human would do, like move a mouse. Do something like that, because they're thinking ... They're constantly asking, that program is constantly asking, "Am I in a machine? Am I in a machine?" or, "Am I interacting with a human?" We have to behave almost like they're sitting at a random desktop, because then they behave the way they would behave on that actor's desk. It's an example, but again, you can see kind of that cat-and-mouse game at play.

Tonya Hall: TK, you're certainly the expert of the evolution of threat and defender, and I really appreciate your insight. I know our audience is going to want to check out that report, and maybe they'll have some more questions for you.

If somebody wants to connect with you, or maybe get a copy of the report, how can they do that?

TK Keanini: Just come to Cisco, the Cisco.com. You can search or Google for the Annual Cybersecurity Report. I think it's the 11th annual security report.

I'm on Twitter. I'm at @tkeanini. Keanini is a Hawaiian name, so just spell out all the vowels. I'm on LinkedIn, just say hi.

Tonya Hall: Say hi. Well, thank you so much again. And if you want to follow me and more of my interviews, you can do that right here on ZDNet, or Tech Republic, or maybe find me on Twitter. I love to tweet. I'm at @TonyaHallRadio on Twitter, or find me on Facebook by searching for the Tonya Hall Show. Until next time.
