When it comes to learning how to deal with crime, who better to teach us than criminals? After all, crime is what they do for a living.
So believes Dr Ronald Layton, Vice President Converged Security Operations with Sallie Mae Bank, the US-based banking and loans provider and Founding Board Member of the Business Innovation Leaders Forum. He was recently in conversation with Forum Podcast Host Julian Patterson, reflecting on just what we can glean from watching how cybercriminals go about their business.
“When you’re at school, you’re told to do your own work, and if you don’t that’s called cheating,” he notes. “Then you get into the real world, and you find cheating is called collaboration. This is the big game changing move that cyber criminals have managed – to be more collaborative than the law enforcers. Law enforcement must learn from that.”
Criminals have profited from their competitive advantage to such an extent that the threat of cybercrime has become vast, ubiquitous and seemingly unmanageable. Layton thinks that the good guys, in their efforts to catch up, are placing too much emphasis on hunting for silver bullet answers. Would that life were that simple: “If the problem is multi-dimensional, then guess what – the answer has to be multi-dimensional too,” he points out. “From a tactical perspective, there are multiple things that you need to do on a continual basis to make sure that you are appropriately defended.”
Cyber criminals, being good at what they do, are forever scanning defences for inevitable vulnerabilities and finding new ways to exploit those. And they are getting better and better at this: “The threat actors have become much more nimble than the law enforcers,” says Layton. “As a defender, you’ve got to come up with various levels and lines of defence to have a chance.”
The bad guys aren’t just great at committing crime, they are also super slick at avoiding detection. That’s helped by the fact that while criminals are free to innovate and experiment, law enforcers are hampered by rules and codes: “That was a problem when I was a deputy director in the National Cybersecurity division in 2003,” recalls Layton. “It was a problem then, and it’s a problem today. And I think that it’s going to be a problem moving forward. The good guys play by a set of rules that the criminal actors do not. That’s the crux of why they’re so hard to catch.”
Dr Ron Layton is responsible for cybersecurity and asset protection at Sallie Mae, a US consumer bank. The former special agent has held a number of security posts in the public and private sectors, including Deputy Assistant Director of the United States Secret Service. He provided technology liaison to the White House in the Obama administration. He was also Deputy Director of the National Cybersecurity Division of Homeland Security, and programme director of the Secret Service Electronic Crimes Task Force.
Cybercrime’s secret weapon is that it’s a fairly low risk endeavour: “There’s a great difficulty with imposing things like risk and consequences on the people who do this,” he observes. “When I was a young law enforcement officer, I used to wonder who in the world would run into a bank and steal a sum of money. For one thing, you might get hurt, or you might get caught, then you might go to jail. Wouldn’t it be better to just have some type of electronic interface, or a computer application? You could sit on the other side of the world and do the same thing? Those fears have come true, because that’s what’s happening now.”
So how to regain advantage? What approaches might make a difference and reverse the tide? It’s important, says Layton, to remember that good security is not something you just bolt on, like putting a sun visor on your windshield. “You build it from the bottom up,” he says. “As you begin to build tools and services, you need to bake security in. That really hasn’t happened, and security is still often an afterthought. Good security takes time. It’s not about speed to market. Good security sometimes is a bit of a laggard.”
Effective security, he believes, is often at odds with commercial priorities: “Business people say it doesn’t have to be perfect, merely good enough. And that gap between perfect and good enough is exactly what attackers exploit.”
What the world doesn’t necessarily need, he says, is more security products whose job is to generate more and more alarms. It’s time to get smarter: “There is so much data generated from security events and alarms,” says Layton. “If I’ve got more than 100,000 alarms in a quarter, what am I supposed to do with that? Which are the alarms that I actually need to pay attention to? As ever, it’s about what to do with the data. What I want to see is a focusing and harnessing of technology that means of the 35 alarms that you got in the last minute, you really need to pay attention to these two. And here’s what you need to do about it.”
One answer might lie in quantum mechanical computing: “If I give a job to a computer, and it takes 1,000 years to produce an output, a quantum computer will solve that same problem in 200 seconds,” he explains. “Now pair that with artificial intelligence. Is the computer now thinking for us? No, but it can determine if an event meets a condition. When you merge artificial intelligence and quantum mechanical computing, there are potential positive outcomes for cancer research, for space travel, for identifying actual security threats out of a mass of alarms, in real time. The possibilities are limitless and I can’t wait to see what we, as computer professionals, are going to do with these two technologies.”
Perhaps this holy combo could even help combat ransomware, the security threat du jour: “Ransomware is a problem, and it’s going to become more of a problem,” fears Layton. “Because it’s low risk, high reward, and there has been almost no consequence associated with this type of action. So why wouldn’t you do it? It goes back to collaboration, where if someone doesn’t have this skill set, they can simply buy it from the people that do, almost as a service. I have to say that a lot of these ransomware attacks could be thwarted by simple things like appropriate identity access management. A lot of attacks come from stolen credentials. Somebody gets into your network, moves laterally, encrypts your data, and then all of a sudden sends you a little note that they have changed the locks on your door and a key for those new locks will cost you $3 million. But that action would have never happened if you just understood more about what your perimeters should look like.”
It’s time to level the odds, argues Layton: “You’ve heard of bringing a knife to a gunfight,” he says. “Well, we’re not even bringing a knife. We’re bringing a bulletproof vest, which results in us becoming target practice. As long as one group in this fight continues to play offence, that means that you’ve got to continuously wear that bulletproof vest, to be always ready for the metaphorical bullets that are being fired at you. At some point there will be a robust debate about how to actually hit back at these criminal actors. We must start to look at more offensive techniques. Right now, we’re not really at war, we’re just managing as best we can by responding to whatever was the last event.”
By Guy Matthews, Editor of Innovate! a Business Innovation Leaders Forum publication