Good afternoon. And thank you all for sticking with us. We're only another six hours to go today. No, it's a pleasure to be here. I'm sort of the, a little different topic here today, but I think it's going to hopefully resonate with a lot of you and hopefully we can provoke some interesting conversations either here or later, I asked our graphic artist to create a scary 1950 movies poster, and I think he did a great job. I wanna talk today about changing the economics of cybersecurity. We often talk about cybersecurity as a technology problem as a people problem, but fundamentally I see it often as simply an economics problem. And I think if we can look at cybersecurity and the tools and technologies and the processes and the cultures we create through a lens of economics, we may learn some new things that could be helpful.
So I wanna talk today about how cyber threat intelligence and the application of that with automation can help change the economics away from benefiting our adversaries towards benefiting us the defenders in cyber space. And, and just, just because I'm, I'm here outside the United States, I just wanted to share with you folks very briefly that the department of Homeland security is responsible for the protection of the civilian federal government in the United States. We have a mandatory role in that, but we also have a significant role in the voluntary protection of private sector partners in the United States and around the world. So we actually spend a fair amount of time working with people who don't have to work with us if they don't want to. And a lot of my work has been focused on how do we build connections throughout the private sector, both in the United States and around the world. And so I wanna talk to you a little about some of that at I'll start with an optimistic note.
I, I actually wanna take a little poll. This is not sophisticated. How many people here are confident that we are absolutely winning in cyberspace. I see no hands raised. Well, I, I think that is pretty convincing and or not. We are losing, I don't think anyone would say we are definitively winning and that's not because we're, we don't care about it. I think everyone, I meet cares about cybersecurity. It's not because we don't have interesting technologies and tools. It's not because we don't spend enough money on cybersecurity. You could argue that we need more trained and skilled people in cybersecurity, but we have a lot of those. So what is in fact, the what's happening here and, and more importantly, what are some of the solutions? So a couple of depressing charts, and these are all drawn from the Verizon data breach report. From last year.
This year's report basically tells the same story, but their graphs aren't as pretty or is terrifying. And the, the bottom line in looking at these, the bigger it is to the left, the worse it is. So the top chart is the time to compromise in the bottom is the time to exfiltration. As you see, time to compromise measured in either minutes or seconds is 90% time to compromise 90% measured in minutes or seconds. So this idea that we are going to have people keeping pace with the threats we face as our primary or our sole line defense is I would argue less than well thought out. The second was is interesting because, and this is in part, an artifact of, of what Verizon is focusing on in this report is the time till exfiltration. Well, you could look at that and say, oh, well that doesn't look as bad, cuz you know, it takes in, in, you know, two thirds, it takes days to exfiltrate data.
I would make one observation. First of all, that's not good. And second of all, that assumes that the goal of the adversary is the exfiltration of data, which you can argue, takes time to preposition resources, move laterally within the environment, find the information you want to you. You want to exfiltrate probably encrypt it, pack it, obscure it, and then ship it out. What if your goal is to turn everyone's machine into a brick, useless requiring, you know, complete reimaging, if that's even possible, then that literally can be happen in the next 10 milliseconds after the initial compromise. So these are hopefully a cause of significant concern. Then these two charts, the best way to re the best way to read them is that there's a huge gap between the time to compromise happening in days or less. And the time to detection the lower graph happening in days or less.
So adversaries are getting better, faster at compromising us quickly. And we are getting, we are far less in getting better, slower at detecting compromises. So hopefully this sets the stage. This is our motivating. This is the, the appetizer that gets us ready for our entree. There are industries that have dealt with the need for better automation. Before I just picked on one the telephone system, you know, there's maybe a somewhat apocryphal story than in the early 1920s. The United States, the bell system did a protect, did a projection that if they were to continue to expand their operations with the use of switchboard operators, who at that time for various reasons were all women, they would, at some point in the future need to employ every woman in the United States.
Scalability was a bit of a concern. And so the, the bell system understood that if they developed and leveraged technologies to automate increasing amounts of the switching process, that they could actually grow in a more cost effective manner, provide better customer service and everything else. And I would argue that while we are not at the manual switchboard stage, we are for any of you who remember the old days of telephone systems, we're kind of in the mechanical crossbar switching stage. We have some tools and technologies, but I don't think we employ them to the extent and at the level we need to.
So our adversaries have robots technologies, highly automated and adaptive technologies that help them do what they do. And I would argue that we need some of our own. And again, I think there is no shortage of tools and technologies that are available and deployed and in use today in enterprises for their it security. However, and this is why I use the term robots, you know, to my mind. And this is not a particularly precise definition. A, a robot is a machine that operates at least somewhat autonomously. And what I see today is we have a lot of great tools, but an awful lot of them still, or our policies in how we deploy them, require people to ultimately do the things that are necessary to take action, to detect threats, prevent them from occurring or to mitigate the damage. And that's, I think the critical area where we need to do a little better.
So we have this interesting situation in cyberspace. And I was thinking about this a couple of years ago, when, when someone said, Richard, we need you to explain the work you're doing in automated cyber defense ecosystems for some of our top leadership. And I thought about it for a little while and I thought, well, interestingly, we have this asymmetry in the internet and that is in the internet. Pretty much everything is globally interconnected. I mean, it's a generalization, but I think it's largely true. So I can pretty much attack any system from any other, for any IP addressable node to any other IP addressable node, anywhere around the world. However, our defensive systems while technically interconnected are not at any logical level interconnected at all. And our adversaries exploit that asymmetry the fact that their attacks can transit the network. But we simply either through lack of investment, lack of imagination or, or just too many other things to do in the day, we haven't linked our defensive systems together in an effective way.
And that's really what I want people to think about that asymmetry. You know, I, someone asked me for an analogy and I said, it's kind of like if you're bloodstream could only carry viruses, but not white blood cells. Well then the, the viruses get all throughout your body, but your immune system wouldn't really be able to effective to operate effectively. So I believe that by sharing cyber threat intelligence, actionable machine readable information about threats as they occur, if we can create an ecosystem, that immune system where that information is shared as rapidly and consumed as automatically as possible that we can begin to have, we can begin to eliminate that asymmetry and that the effect of eliminating that asymmetry is to begin to increase the cost for our adversaries to attack us today. And if you read through any of the reports and the Verizon reports, as good as any, you know, the same attacks work not only day one and day 10 and day 20, but year one, year five, you know, that's wonderful amateurization of investments in attacker technology, right? It's a great business model. I I'd love to go to their conference and see them talk about that.
That's great if I build an exploit and I get to use it over and over and over again, and it's not that people are unaware of it. Well, I'm not talking about zero days in year four. I'm talking about simply that we have not connected our defensive systems in an effective way so that without human intervention, our systems are protected. That's what we need to do. If we do that, will we eliminate all cyber threats? No, but that's not our standard, our standard can we make significant inroads? Can we help our humans do a better job today? I see an awful lot of people run through the ringer by our technology. You know, we put, we, we set up a seam and we put this poor Analyst in front of it and they hit the button. And all of a sudden there's like a thousand alerts and they cry and go home.
You know, it's just too much. We, we, we are asking people to process volumes information that are not necessarily processable in, in, in any reasonable sense. So we ask them to sort of forego any, any, any real analytics, just to keep up with the fire hose of the data. So what we need to do is really re-architect things so that these robots tools and technologies that are first and foremost designed to take care of the things that we can from a policy standpoint, all agree should be done automatically and let them deal with the exceptions. Let them deal with the things sort of one or two layers above that. And for all the technologies that are out there. And I certainly spend a lot of time talking to people about the technologies that they deploy in their environments. In very few instances, do we really see organizations that are automating their cyber defenses to such a point that their security analysts actually can focus on tracking adversary behavior, making risk based decisions about trends in attacks, network, infrastructure, network architecture, cuz they're just trying to keep up.
We need to give analysts the tools and technologies that they need that ride on top of our robots. We need our Analyst to be, instead of looking at a million alerts to be looking at visualizations of threat actor movements across cyberspace so that our people and we, we, we need more people in cybersecurity. We need more cyber threat Analyst, but we don't need them to sit there and process alerts every day we need, we really need them. And I think I, if, if that's what I did every day, I would want to be doing something more appropriate for people using analytical skills and judgements and pattern recognition to understand what it is, where the adversary's gonna be next. And I think we have those opportunities to do that.
I wanted to make a, a mention of a, of, of a, a system that we've implemented at the department of Homeland security. That's actually available to any organization around the world that wants to participate. It's a cyber threat intelligence feed that provides real time machine readable, cyber threat indicators that you can use for the protection of your networks and systems or your customers, networks and systems. We started this about a year, really two years ago, but it, it really got off the ground about a year ago, it's called automated indicator sharing and to date we've I think as of the end of last month had shared almost 390,000 indicators and that curve is trending up rapidly. And the whole point here is, and I tell people, if you're going to have a human Analyst at the other end of AIS, interpreting the data, please don't bother.
It's not worth your time. AIS is intended to be hooked into your infrastructure so that you can begin to automatically process that data. And I I'm happy to talk to anyone afterwards, if you're interested in, in, in getting involved in AIS, it's a, it's a free service that we provide, but it's the kind of thinking that I really wanna encourage that is I've gotten this new threat feed, not how, how can I subject my people to it, but how can I have systems and technologies that will process that data consistent with rules and governance that people have established, but once that's in place, then our humans deal with the exceptions, not with the flood of data. There's a lot of work still to be done. And I am not standing up here saying that the robots will solve all our problems. We have a lot of work to do.
There's a lot of some, some hard science problems and there's definitely some hard engineering problems in prioritizing and risk scoring of threat intelligence of de-duplication prioritization, filtering and winnowing, very exciting concept of, of sightings reportings. There's a lot of work yet to be done. And I, I want to be clear about that. And there's a lot of opportunity, I think for innovative organizations and technology solutions, but ultimately we need our graphs to start looking like this with the time to detection and the cost to prevent threats are trending down significantly. And we really need our adversaries graphs to look like this. And most importantly, our adversaries need to start launching attacks. And in the first hour they work real well. And in the second hour, Hey, what happened? This isn't working anymore. Get them to introduce people into the equation and they can start enjoying the economics that we've suffered for from, for a long, long time. As I like to say for too long, our people have chased their robots. It's about time for our adversaries people to chase our robots. Thank you.
Great presentation, Richard. I like it very much. So being a former C I very much appreciate your approach. Individuals looking at it from an economic point of view. We have a number of questions from the audience, which like which one would like to start maybe from the top.
Sure. That would be great. So the first question is isn't there a problem people don't like to share their vulnerabilities? Let me be really clear. We're talking about cyber threat indicators. We're not talking about what you're vulnerable to. We're not talking about incidents. An incident is someone broken my house and stole 550 euros worth of silverware. An indicator is there's a blue van circling the neighborhood with a broken taillight and that, that people look suspicious. So cyber threat indicators and cyber threat intelligence is not about your vulnerability. It's a it's characteristics of attackers, traffic, and tools that can be detected in our networks.
Very good. Next one. SMEs and homes.
Is that small meaning enterprise? Yes. Yeah. So, so that's a, the interesting, an excellent question about, well, what about for small enterprises home market? I think for everything I've said today is very applicable to large enterprises and it's absolutely essential for small businesses and the home market because they have, I'm never going to have a cyber threat Analyst at home. My local coffee shop is never gonna have an it department nor should they automated solutions to filter and detect threats and prevent bad things from happening is an absolute essential in the small medium enterprise in the home market. It's, it's only a luxury for large enterprises.
Okay. So next is, can we, I it's long introduction, can you quantify the threat percentage offset when implemented?
So I would say not at the moment. I think if there was one big to do or an ask is that we need to start, we need to start tracking measures to create good metrics. I think over the next couple years, we'll actually be able to start publishing metrics about the, you know, quantity or percentage of threats that have been detected before they actually made a negative impact. And the, but that's definitely worked still to be done.
And two questions regarding the architecture. Have you developed AIS in-house
So AIS is that technology that implements it is for historical reasons developed in-house, but we actually are in the middle of a procurement for a commercial solution. Okay. They're built on top of two standard sticks and taxi, which I created at the department of Homeland security, which we now as of 2015 transition to be governed by Oasis and the cyber threat technical committee.
And I would like to change your last one. Are you already using machine learning technologies?
Yes. And the nice thing is that this is just not a DHS initiative. This is really a global ecosystem in marketplace, and there are any number of organizations that have started to use machine learning, to interpret cyber threat intelligence, to look for similarities in threat intelligence. I think that's a huge, that's a huge growth area. It's a huge opportunity. And the key thing here is we have our data in structured in a, in a structured representation. So one of the big challenges in machine learning is often the normalization of data you're getting from lots of sources. We've taken care of that. So I believe that data scientists can, can get right to the business of a, of applying machine learning to the problems.
Very good. Thank you very much. Thank you.
