The private sector has a pool of resources, talent and experience that the Cybersecurity and Infrastructure Security Agency (CISA) will be able to tap into to carry out its new authorities to conduct cyber threat hunting on federal civilian agency networks, says the head of the cyber security firm FireEye [FEYE].
“There are a lot of security folks that do threat hunting,” Kevin Mandia, FireEye’s CEO, told the House Homeland Security Committee on Feb. 26. “The reason we have to do threat hunting is not every product stops everything, period. There is no such thing as perfect security so you have to have the catcher’s mitt behind your products and CISA’s folks that do threat hunting will be able to tap the private sector and be trained by the private sector, so I think it’s exactly the right thing to do.”
Congress in the fiscal year 2021 defense authorization bill provided CISA with authorities to conduct cyber threat hunting activities on federal agency networks with or without their consent. Cyber threat hunting allows for the discovery of security weaknesses and gaps.
Mandia said that his company does threat hunting every day for thousands of customers. He also noted that Microsoft [MSFT] does threat hunting as well.
Both companies were represented at the House hearing, which examined the private sector’s role in responding to an ongoing breach likely being perpetrated by a Russian intelligence agency that was able to compromise software developed by the network management firm SolarWinds [SWI]. FireEye first disclosed the hack in December after discovering that it was one of the victims.
At least nine federal networks and around 100 private sector entities were breached by the hackers, who at a minimum are conducting espionage, though there are also concerns that their exploits have the potential to be disruptive.
Rep. John Katko (R-N.Y.), ranking member on the committee, asked Mandia about the costs and resources needed to do threat hunting and penetration testing. Mandia replied that it’s not as costly for the offense as it is for the defense, adding “And I do believe that’s the best way to get unvarnished truth about security.”
Highlighting the “asymmetry between offense and defense,” Mandia said that “To have somebody perpetrate what would be perceived as offense, not a lot of resources. The problem is the 52-card pick up you play on the other side because of that asymmetry. One attacker can create work for hundreds of thousands of defenders. It’s a bad asymmetry in cyber space.”
While the U.S. is dominant in military hardware, other countries have figured out that if they train cyber hackers, they “can create work for potentially millions of defenders.”