Some Thoughts on the Future of Cyber-security

Transcription

1 Some Thoughts on the Future of Cyber-security Mike Thomas Information Assurance Directorate National Security Agency NSI IMPACT April

2 Introduction, or Why are we here? National security missions depend on cyber capabilities. These capabilities and their platforms face serious risks from external and internal threats. The cyber environment continues to expand and change. What will the future environment look like? How must cybersecurity evolve for that environment? NSI IMPACT April

3 Introduction - Particular Challenges 1. Threats are growing, but more importantly, they are diversifying. 2. Operational scale has increased, far beyond the feasible scope for manual operations. 3. Threat actor speed has increased; waiting until after compromise has occurred is no longer viable. Harm Time Defensive operations future Defensive operations today (mostly) NSI IMPACT April

4 Introduction Introduction Outline The future cyber environment Technology environment changes Operational environment changes Evolution of cyber-security & defensive cyber operations Core areas for evolution Area details (6, time permitting) Conclusions NSI IMPACT April

5 The Future Cyber Environment The future environment will include a broader technology base, greater diversity of context, and more dynamic structure. NSI IMPACT April

6 Future Environment Overview Evolving Operational Environment Demand for Mobility & Info Anywhere Cloud and Virtual Everything Rise of Cyber-Physical Systems Cyber- Evolving Network Environment General Trends Increased Scope of Threat Actors Changing practices and structural norms security & defense Traditional IA Services & Products NSI IMPACT April

7 Future Environment Technology Trends Ubiquitous and diverse virtualization servers, networks, storage, applications, desktops, etc. Migration to Clouds all levels, all domains, private and public Mobility and wireless Dynamic network infrastructure Software-Defined Networking (SDN), Automatic Switched Optical Networks (ASON), IPv6, etc. Rise of Cyber-Physical Systems (CPS) & the Internet of Things (IoT) sensors, industrial control, vehicles, buildings, etc. NSI IMPACT April

8 Future Environment Operational Context Demand for information anywhere, anytime Assumptions about data bound to geography no longer apply Expansion of threat actor goals Theft/espionage still important, but disruptive and destructive attacks are growing Threat actors leverage increasingly diverse trust relationships Explosion of security needs for Non-Person Entities Diffusion of perimeters and boundaries As boundaries lose definition, we can rely less on boundary-focused defenses; visibility and control must extend inward and outward Increased awareness of insider threats Technical and non-technical measures must include mitigations for risks posed by malicious and mis-guided insiders Modern networks blur definitions of insider and outsider NSI IMPACT April

9 Evolution of cyber-security and defensive operations To be successful at securing and defending future environments, we must embrace dramatic changes. Incremental improvements to current strategies and practices will not be sufficient. NSI IMPACT April

10 Evolution Overview Some core areas for evolution: 1. Strengthen fundamentals ( cyber discipline ) 2. Apply mitigation across system lifecycle and threat actor scope 3. Drive operations with data & analytics 4. Automate, automate, automate 5. Build & leverage skilled workforce 6. Integrate defensive cyber operations and counter-intelligence operations NSI IMPACT April

11 Evolution 1. Strengthen Fundamentals Build systems to be visible: Incorporate instrumentation to drive visibility Apply strong integrity mechanisms that can be validated Use virtualization system to monitor virtualized assets Build systems to be defensible: Use dynamic networking technologies to give defenders control of communication & connectivity Incorporate mechanisms for recovery Maintain strong identity for people, systems, and services Defend data by tagging and enforcing access control Know your critical assets ( crown jewels ) and track them! NSI IMPACT April

12 Evolution 2. Broaden Scope Threat actors can pursue their missions anywhere in the system lifecycle à we must consider and prioritize defense at the same breadth of scope System Lifecycle Development Integration Production Deployment Operation Retirement Reconnaissance Threat Actor Kill Chain Delivery Exploitation Installation & Propagation Command & Control Potential Mitigation Scope Typical Mitigation Focus Accomplish Mission Objectives including Left of Boom NSI IMPACT April

13 Evolution 3. Become Data-Driven Effective and actionable cyber situational awareness depends on: Accurate, timely system, actor, and activity data Data spanning relevant contexts (localà enterpriseà global, host & network, historical & current) Directed analysis analytics that combine diverse data sources into usable blue and red force representations Partnership & sharing are essential no single organization or group has sufficient visibility Defensive actions must be informed by context, current state, and threat actor intelligence NSI IMPACT April

14 Evolution 4. Automate Multiple factors are driving need for automation of cyber-security and defense operations. Challenge factor Size of opera6onal IT/network systems Speed of threat actor opera6ons Complexity of response ac6ons Automation need Automate visibility and control across large #s of assets Execute courses of ac6on at machine speed Orchestrate complex mul6- step responses across many elements Messaging/C&C Awareness Control Defenders NSI IMPACT April

15 Evolution 5. Leverage Skilled People Skilled and empowered cyber personnel are essential for success today, and will be even more in the future environment. Some elements of that workforce: Skills will be needed across a wide range of platforms and technologies (breadth doesn t just happen, it has to be crafted) Operators will need to understand defense and offense Sustained development will be necessary to keep up with technological and threat actor change National security cyber operations won t happen in a vacuum our staff must be prepared to operate joint all the time Experience is critical operators must be given hands-on practice before a crisis, and regularly over their careers NSI IMPACT April

16 Evolution 6. Integrate DCO & CI Mitigating insider threats requires analysis and response in both people (counter-intel) and technical (cyber) domains. Deter Prevent Detect Respond Anomaly detection, characterization, and response selection must be informed by both CI and cyber situational awareness. Cyber attacks can involve co-opting of insider identities there s no simple division between insider and other threats. Core cyber fundamentals make a clearer field for insider mitigation: Network visibility Data tagging and access control Strong identity NSI IMPACT April

17 Conclusions We have the all the necessary elements for success, but integrating and adopting them will require hard work. NSI IMPACT April

18 Conclusions Last bit before Q&A We can see the environment changes coming: All the trends are already well underway. All of them apply to National Security systems and missions we are not exempt! Threat actors are busy as each new model/ technology gains adoption, they exploit it. Our community possesses the building blocks for successful evolution. We have to assemble them together. Success is only possible as a community. NSI IMPACT April