Adding autonomy to cyber security technologies for faster responses to attacks and vulnerabilities, as well as having more of these technologies work seamlessly together, are two key needs, say officials from the Defense and Homeland Security departments.

Terry Halvorsen, the chief information officer at the Defense Department, says he needs autonomy in a hurry.

“When you look at the volume of data I collect today on all the sensors I have, I can’t make it valuable fast enough,” Halvorsen says at the annual National Security Telecommunications Advisory Committee (NSTAC) meeting. “I actually think we will need to get to a point within the next 24 months where basic cyber security, parts of that are already done autonomous.”

There isn’t time to react now, Halvorsen says. Autonomous technologies will need to be able to isolate parts of the network or send out customized patches. DoD has systems now that can’t be patched the normal way by companies so they need custom patching.

Andy Ozment, assistant secretary for Cyber Security and Communications within the Department of Homeland Security, says there is demand for disparate cyber security solutions that are provided by different vendors to easily integrate with each other. This interoperability is linked to the autonomy that Halvorsen wants, he says.

“No matter what way we take this in the future we’re going to have a lot of new technologies out there, and I do love the burst of innovation that we’re seeing, but if you’re either in the government as a chief information security officer or in the private sector…your biggest challenge right now is not can I buy a cool box, it’s can I get all my cool boxes to talk to each other and act in a concerted fashion,” Ozment says at the NSTAC meeting, which was held for the first time ever in Silicon Valley. “And so we’re very focused on how do we…orchestrate all of these different boxes so that they have interoperable communications, they can communicate with each other and understand each other, and then we can automate their actions so that they can operate on these large volumes of data much more rapidly without a human in the loop.”

Ozment isn’t optimistic that this level of interoperability will happen any time soon.

“We are very far away from a standardized way of accomplishing that and I think that’s going to be a major need that we see at any large enterprise,” private or public, he says.

The need for various products to be interoperable will become more apparent as certain products gain market share, Ozment says. He says at the moment there are too many security products “to survive.”

When a product, particularly one that detects adversaries, has one percent market share it may “look really good” but it’s also “not significant enough for the adversaries to pay attention and counter them.” However, he says, “My concern is when they start to get 30 percent market share then the adversaries will just change their behavior so they’re not detected by the product any more. So things look great when small, but when they scale and become popular are probably going to become dramatically less effective. So that’s a real concern for me.”

Halvorsen agrees with Ozment that industry basically needs to work better together to deliver solutions that everyone needs. He says “there are very few solutions that are going to be solved by one company’s products” so the “companies that partner better and bring a more diverse set of solutions are going to do well.”

Companies tout the interoperable capabilities of their products but all it really means is “we make it work,” Halvorsen says. It works but not necessarily well, he says.

“I need things made at the beginning to work well together, not that we banged the pipes together and it all works,” Halvorsen says.

Industry exchanging data with each other isn’t easy but companies need to talk to each other as much as government agencies do “and actually be part of the partnership with us,” Halvorsen says. The companies that do this with regard to DoD solutions “are going to do better…than companies that do not,” he says.

Ozment says that the DHS Continuous Diagnostics and Monitoring program, called CDM, is meant to bring cyber security technologies into the federal government that can integrate with each other to give agency and department chief information security officers “an integrated picture of risk.” The program is aimed at enhancing the monitoring of traffic inside of government networks.

“And if your technology cannot be integrated into that CDM program we want nothing to do with it,” Ozment says.

Another capability need is being able to log data faster “in a way that makes sense,” Halvorsen says.

“We have some requirements to know what has happened in the past and the forensics of that,” Halvorsen says. “It’s really hard to get that data quickly. Another place where autonomous, or at least automation would be good.”