The following is taken from an address given by Cylance Chief Security & Trust Officer Malcolm Harkins to the United States Senate in March 2017. We believe it’s important enough to share with the public and start a dialogue so that we can band together to find the solutions we so clearly need, in order to secure our vastly-changing future.
Control Frameworks That Add Value
I have said for years that the core of business-driven security and the mission of the information risk and security team is “Protect to Enable.” When you are protecting to enable people, data, and the business, you are proactively engaged upfront and aligned with the business on the evaluation of how to achieve the business objective, while best optimizing your controls.
I achieve that through my “9 Box of Controls” approach. Let me explain my perspective on controls. My perspective is rooted in my experiences as a business leader and in my many years in Finance, including my role as a profit and loss manager for a billion-dollar business unit in the late 90s. It is a control philosophy that I have carried forward in my roles in security, but one that I believe is lacking in the industry.
An important aspect of this perspective is the concept of control friction. I’ve developed a simple framework called the 9 Box of Controls, which takes the issue of control friction into account when assessing the value, as well as the impact of any control, including information security. I believe that the 9 Box of Controls includes some actionable perspective that may be valuable to many organizations facing these universal risk challenges.
My conversations with peers at other companies have validated this view. Many of them are now using the 9 Box to drive not only tactical, but also strategic discussions in their organizations around where they are spending their resources today, and where they should be headed long term.
Types of Security Controls
There are three primary types of security controls: Prevention, Detection, and Response:
• Prevention occurs when an action or control prevents a vulnerability up front in the design and development, and prevents an infection or stops a cyberattack in its tracks before it affects users or the environment
• Detection means identifying the presence of a vulnerability, or detecting something malicious that has already entered the environment
• Response is a reaction to the discovery of a piece of malicious code, attempting to remove it after it has already affected the user or the organization
From a risk perspective, prevention focuses on minimizing vulnerability and the potential for harm, while detection and response focus on minimizing damage. When you are focused on minimizing damage, the main variables to turn the reactive risk dials are a) time to detect and b) time to contain.
There are also three primary approaches one can take to implement a control: Automated, Semi-Automated, and Manual.
• Automated control occurs entirely through machines
• Semi-automated control involves some level of human intervention
• Manual controls are managed entirely by hand
The combinations of these control types and automation levels comprise the cells of the 9 Box, as shown in the figure below:
Figure 1: The 9 Box of Controls
• Risk increases as we move from Prevention, to Detection, to Response.
• Cost increases as we move from Automated to Semi-automated to Manual controls.
A Note on Control Friction
However, there is a third dimension to the 9 Box: control friction. As we know, friction is the force that causes a moving object to slow down when it comes into contact with another object. Similarly, controls can impose a “drag coefficient” on business velocity—they can slow the user or a business process.
Just think of the groan issued by PC users when they switch on their machine to complete an urgent task, only to find it indisposed for the next half hour due to a patch or virus scan. Or think of the impact on time to market if your design or development practices are bogged down with slow and cumbersome security development lifecycles or privacy by design efforts.
However, friction is not a fundamental, immutable force like gravity or electromagnetism. Instead, we have the ability to determine exactly how much control friction we apply. Apply too much control friction, and business users may choose to circumvent IT security controls or the product security controls in the upfront design of technology. This adds not only cost, but it also adds risk: because the security team lacks visibility into the technology being created or used. Without this visibility, security teams cannot prevent vulnerabilities or compromises, detection becomes difficult, and in many cases, response after the fact becomes the only option.
If a business adheres to high-friction controls, the long-term effect can be the generation of systemic business risk. High-friction controls can hinder business velocity; the organization can lose time to market and the ability to innovate, and over the long term it may even lose market leadership.
NIST Cybersecurity Framework
Implementing the NIST (National Institute of Standards and Technology) Cybersecurity Framework and continuously walking through the macro steps that it outlines is also another approach we should all continue to adopt and promote.
· Prevention Steps: Identify and Protect
· Reaction Steps: Detect, Respond, and Recover
If implemented properly, the NIST framework can set the stage for having the right discussion within an organization on information risk. It can also, when viewed in the context of the 9 Box of Controls, drive a “shift left and shift down” to better enablement, which results in the lowest risk, lowest cost, least amount of liability, and lowest control friction spot – so we can all “Protect to Enable” not only our organizations for today and tomorrow, but also our customers.
I also hope that with the right discussion, we can all focus on not positioning the work of managing risk as an “either this or that” function. We need to recognize and remember compliance does not equal security. We need to avoid positioning business velocity vs. business control. We need to avoid positioning privacy as a balancing act against the need for security.
If we start with a mindset of trading these items off against each other, we will not be successful, because we will design our digital transformation to be at odds with the digital control needed to do this right. And then, we will be left with throwing money at symptoms after the fact, reactively detecting and responding to risk, rather than fixing the problem from the ground up.
How Emerging Technologies Can Help
Any future security architecture we implement must provide better prevention, and it must also be more flexible, dynamic, and more granular than traditional security models. A new architecture also needs to greatly improve threat management. We need to do this in the upfront design, development, and validation during the creation of technology, to reduce vulnerabilities well before the technology gets deployed.
And as new attacks appear, we need a security system that is able to recognize good from bad in milliseconds, so that it can stop the bad and allow the good.
For any attack that gets past these preventive controls, we need to be able to learn as much as we possibly can without compromising the user’s computing performance or privacy. This information enables us to investigate exactly what occurred, so we can take immediate action to mitigate the risk whilst also learning how to prevent similar attacks in the future.
A control architecture should assume that attempts at compromise are inevitable—but we should also understand that it is possible to achieve real prevention for 99% or more of risks that could occur, including that of malicious code and zero-day attacks caused by mutated malware. Should a piece of malicious code attempt to execute, we can then instantly apply artificial intelligence and machine learning to analyze the features of files, executables, and binaries to stop the code dead in its tracks before it has a chance to harm the environment.
For the remaining attacks—representing less than 1% of malware—we need to focus heavily on survivability. Blockchain has significant value well beyond well beyond the implications of a new form of money. By design, blockchains are inherently resistant to modification of the data. Once recorded, the data in a block cannot be altered retroactively. The implications then to use blockchains as a method to overcome many of the current weaknesses and vulnerabilities of the Internet, and usher in a new age of trusted secure transactions is significant.
Quantum computing also offers exciting possibilities to enhance security as well. As mentioned earlier, this type of leap forward in computing could allow for not only faster analysis and computation, but across more data sets. Reducing the time to discovery in simulations can be used not only to aid research into things like new materials, drugs, or industrial catalysts - the tactic can also reduce time spent on finding vulnerabilities in the design and development cycle for technology. This will then lower control friction on the developers of technology, and increase the probability that they can find and fix a vulnerability prior to deployment.
Doing so will not only lower secure design costs, it will speed up an organization’s time to market with technology that is inherently less vulnerable to attack. The final result will be a broad reduction of societal and individual risks.
Looking To The Future
Artificial intelligence, and more specifically machine learning, are here today and Cylance is already demonstrating the impact it can have. As I mentioned in the initial section of my testimony, Cylance is the first company to apply artificial intelligence, algorithmic science, and machine learning to cybersecurity to proactively improve the way companies, governments, and end-users solve the world’s most difficult security problems.
Using a breakthrough predictive analysis process, Cylance quickly and accurately identifies what is safe and what is a threat, not just what is in a blacklist or whitelist. By coupling sophisticated artificial intelligence and machine learning with a unique understanding of an attacker’s mentality, Cylance provides the technology and services to be truly predictive and preventive.
In the future, artificial intelligence and machine learning will also be able to solve other vexing issues that we face today, such as passwords and identity management used to authenticate and authorize users. We will also be able to mitigate distributed denial of service attacks, using the ability to predict (and thus prevent in an automated fashion) the flood of requests that can so easily disrupt an organization today.
J.F.K. once said, “The problems of the world cannot be solved by skeptics or cynics whose horizons are limited by the obvious realities. We need men who can dream of things that never were, and ask why not.” When artificial intelligence, quantum computing, and blockchain are combined with right approach and right architecture the reduction in risk, the reduction on the cost of control, and the reduction in the control friction experienced by users and business will be dramatic.
Cylance Chief Security & Trust Officer
Address to the United States Senate, March 2017