threatquotientthumb.jpg
 Image: ThreatQuotient

As the relentless tide of high-profile cybersecurity breaches continues through 2016 -- including Tesco Bank, Liberia, Dyn, Krebs on Security, the Democratic National Committee, to name just a few -- Tech Pro Research recently took the opportunity to speak with Jonathan Couch, SVP of Strategy at ThreatQuotient, a startup founded in 2013 to deliver a 'single-pane-of-glass' threat intelligence platform called ThreatQ.

Couch is a 20-year-plus veteran of the cybersecurity industry, whose career includes stints at iSIGHT Partners, Sytex Inc. and, before that, the US Air Force. We began by asking where, in general terms, the cybersecurity industry was 'at' right now.

"Unfortunately right now I think we're still in that area where the bad guys are winning. For twenty-plus years now, cybersecurity has been very reactive. We've moved from the 'prevent and defend' phase, where we developed firewalls and IDS and IPS -- 'let's build our walls and make sure nobody can get inside' -- without really knowing the kinds of attacks we were facing. Now, a lot of people are talking about 'detect and respond' -- how quickly can you find something that's got onto your network, get them off your network and protect yourself better that way. But that's still a very reactive mode, because in many ways the adversary has already won. With a lot of these attacks, as we're learning more about what's actually going on, it's six to eighteen months before an organisation detects that an attack actually occurred," said Couch.

SEE: IT leader's guide to the blockchain

Obviously, no CEO or CISO wants to discover a security breach at their organisation by reading about it in the press, or by fielding a deluge of customer complaints. So what can be done?

threatquotientjonathancouch.jpg
Jonathan Couch, SVP of Strategy at ThreatQuotient.
 Image: ThreatQuotient

"About a decade ago," said Couch, "the whole concept of commercial threat intelligence started popping up: how do we start taking a look at the adversary, how do we look at the bad guys out there that are trying to get into our networks, and figure out what they're doing before they get into our networks. Let's say I know that 'Anthony' is in London, and he's running malware against retail bank users to try and steal their credentials, so he can log in and take out money through ACH transactions, or whatever it might be. If I can, through my resources, determine that, then I can hand that information to the banks and say 'whether you've been targeted by Anthony yet or not, here's how he is operating, and here's what you need to look for, and how you can better protect yourself on your network'."

"While governments have been used to the concept of receiving threat intelligence to inform what they're going to do -- either militarily or as a government -- from a strategic level, commercial companies are just starting to get the hang of it," Couch continued. "How do I take this reporting on the people we're fighting against and integrate it into my operations in a way that shows a return on investment, in a way that can be commercialised, and supports my current investments in security?"

Threat intelligence is clearly a good idea in principle -- 'forewarned is forearmed', as the saying goes. But, Couch warned, organisations can easily become overwhelmed by the volume of data.

"We've now moved onto the second step: commercial industry has become aware of threat intelligence and a lot of boards of directors that don't want to see themselves in the newspapers, as well as the security operations folks, have decided 'OK, we want to get into threat intelligence, we want to be aware of the threats that are out there, be able to track the threat landscape, and how people are breaking into our networks, what they're trying to get to'. But they sign up for threat intelligence and are very quickly being overwhelmed with the amount of intelligence and data: it's like having to read twenty magazines, take that information and figure out how this affects my job today -- and tomorrow I've just got to do the same thing all over again."

So where does ThreatQuotient fit into today's threat intelligence market?

"ThreatQuotient's take on this is, we are a centralised platform where you can bring in all of the intelligence and things you know, both externally and internally, as you respond to breaches over the years. You can then learn from that: you take in different feeds, from FireEye or iSIGHT or CrowdStrike, from CERT UK, from other government organisations, and from industry organisations like FS-ISAC. ThreatQ will sit there and consume everything: it provides a knowledge base -- we call it a 'threat library' -- into which you can integrate the tools you've invested in on your network to help enrich the data, and perform analyses on it."

This is what ThreatQuotient's solution architecture looks like:

threatq-architecture.jpg
 Image: ThreatQuotient

So, if I'm a CIO or CISO, what's actually involved in deploying the ThreatQ platform?

"Usually it's your security team, or your threat intelligence team, that has a server on the network with our software loaded up on it, or it can be on your private cloud -- there are multiple deployment methods supported. Then all you need to do is start turning on all those intelligence feeds, and have somebody curate it."

And what does a mature up-and-running deployment look like?

"When I think of a fully mature organisation, I think of a lot of the larger banks out there," Couch said. "They're utilising threat intelligence not only from a security operations perspective -- I need to block these things from happening, or I've had a breach and I need to get them off my network -- but they're now utilising that to communicate back to the business. They're able to say, 'listen, we're involved in retail banking, here's the threat landscape around retail banking, how it's operating', and they can make similar statements about threats to the mobile platform, to wealth management, if that's a part of the business, and to mergers and acquisitions."

"Organisations are trying, through their security functions, to learn about how this is all being done in the cyber realm, and to bring that out and communicate it to the business," added Couch, stressing that security means not only preventing direct attacks on businesses and their employees, but also safeguarding valuable intellectual property.

SEE: Cybersecurity spotlight: The ransomware battle

Although this interview was conducted before the recent high-profile Dyn DDoS attack, which made use of the IoT-centric Mirai botnet, Couch had this to say on IoT security and threat intelligence: "Internet of Things is the 'thing' right now -- it used to be cloud, then it was mobile. In four or five years from now, it'll be something else. What people are realising is, threat intelligence over time will become the foundation on which we provide security to whatever those new things are. There's always going to the game of catch-up, but the industry is trying to move towards the model of resilience -- 'resilience' is the big term we'll hear over the next ten years: how do we build systems, and how do we build in security so that our networks are resilient, so they can recover auto-magically from all these different things that are going on."

The wave of IoT-related cyberattacks we're currently seeing certainly shows what happens when networks are built with insufficient security planning. But wasn't this entirely predictable?

"I've been involved in cybersecurity for over twenty years now, and I think the same thing still holds true: back in the mid-nineties we always talked about 'usability versus security' -- those are the design constraints that you're building under. And by default, whenever we move onto something new -- it happened with mobile, it's happening with IoT -- people will go with usability. They want to make things as easy to use as possible: they'll build it so it works, and afterwards they'll go 'oh, we probably need to secure this'."

SEE: Cybersecurity Research 2016: Weak Links, Digital Forensics, and International Concerns

Threat intelligence and nation-state cyberattacks

When Jonathan Couch spoke with Tech Pro Research, he had recently attended NIAS 2016, NATO's annual cybersecurity symposium, where he held a plenary session with over 1,000 cybersecurity professionals and decision-makers to discuss industry trends and NATO's future requirements for cyber defence. He also led a workshop on intelligence-driven security operations programs, examining how they can become proactive, anticipatory and adaptive.

So we asked Couch -- whose career experience is aligned closely with this area -- for his views on nation-state hacking and cyberwarfare.

"I think NATO is really trying to focus in on how to set itself up as an organisation -- and each of the member states' militaries -- to better fight the threat. You still have the army, the air force and the navy elements within everybody's militaries, while cyber has been something that's gone across all of those silos. My biggest takeaway from the NATO conference was, there was a lot of talk about setting up cyber as its own component -- so now you'll have army, air force, navy and maybe cyber as its own military service branch. This could drastically change how we approach the problem when we go to fight against nation states."

"Earlier on in my career I was on the offensive side within the US military," Couch explained, "and I know that the way you attack is to find 'seams' in people, process and technology that maybe aren't being looked at. So it may not be a direct attack against technology, but perhaps how a person is utilising technology in a certain way that I'm looking for. The way we're applying cyber equally across everything right now, it creates a lot of seams in our networks that are allowing these nation states to come in and take advantage. If we can organise and actually start up our own military service directly around cyber, that may allow us to approach the problem in a better way so that we can better protect and defend ourselves by offering up fewer seams for the adversary to find."

"There will always be attacks -- everybody will always advance their capabilities," Couch added, "so once we learn to defend ourselves better against whatever the Russians [for example] are doing now, they're going to develop new technologies. We just have to be agile enough and adaptable enough to identify what it is they're trying to do and then adjust our defences accordingly."

So does that mean that the usual nation-state hacking suspects -- Russia, China, North Korea -- are currently ahead of the game?

"Offence is always easier than defence," Couch noted. "They only need to get in once: as a defender, you need to protect everywhere. The part that disturbs me the most is that the attacks being conducted against us are not all that advanced. We're not seeing the best and brightest minds out there developing next-generation attacks: they're sending you an email and having you click on a link!"

"At times I feel that we, as a western culture, try to solve for the most difficult problem out there, rather than handling what we're faced with. And that's how I think, and I hope, that threat intelligence will help over the years: if we can report on what's actually being done, then maybe we can take a look at what the real problems are."

So if it's apparently so easy to access a nation's power grid, or a nuclear reactor, isn't it surprising that, so far, more malicious damage hasn't been done?

"That's a thing of politics versus technology," replied Couch. "In the late nineties, the Russians had very little capability in the cyber realm, and so -- very smart diplomatically -- they came out and said: 'listen, we equate a cyberattack with nuclear war: it's a weapon of mass destruction'. That stopped the US and most western governments in their tracks. Nobody wanted to cross that line, because they were thinking: 'OK, if we attack them, and we get caught, they're going to nuke us'. In reality, I think the Russians were just buying themselves time. Now we're in a culture where it's not equated with a weapon of mass destruction, although the end result of what you do might be: if the entire power grid in the US were to be blacked out, for example, that would be taken very seriously by our government -- much different to breaking into the US Democratic National Convention emails, for example."

Outlook

Wrapping up, we asked Couch how he saw the threat landscape evolving through 2017. Can we expect more of the same mix of attack types, some new threats, and will the good guys ever begin to get the upper hand?

"I definitely think ransomware will continue to evolve, and that'll probably remain in the top five or so threats," said Couch. "At first it was just 'I'm going to encrypt your data and you're going to pay me to decrypt it'. Well, organisations have now set up backups, so that if you come in an encrypt my data, I don't care -- I can just load it up from my backup. What they're doing now is, they're stealing your data and encrypting it in place, and making the threat of releasing it and destroying it so you won't get it back if you don't pay the ransom. There's lots of permutations of how ransomware could evolve in the coming years, based upon how we choose to defend against it."

"My guess is, in the next few years, IoT will probably be the number-one threat, as more organisations start to implement it and tie together a lot of their resources. It's a matter of watching the adversary: I don't think the adversary has yet figured out a way to make money off of it. Once we have the IoT set up in a way that businesses are relying on it, then you'll see some ransomware version of attacks against those systems."

And how will CxOs use a platform like ThreatQ to fight the good fight?

"We're not artificial intelligence, popping out reports that you can talk to the board about -- but a threat intelligence platform will have that kind of information in there. So an SOC analyst wants the more technical low-level information from the system, whereas the CEO and the board of directors want higher-level strategic insights. If an adversary has been targeting you consistently, the CISO can pull that information out and present it in a way that speaks to the board. We're going to see a lot more of that -- in fact, most of the US retailers now have what I call 'the designated geek' on the board, so they can understand the security threat landscape. Platforms like ours will help and support conversations like that."

"When it comes down to it," Couch emphasised, "it's all about the humans in the loop: humans are making security decisions; humans are at the other end of the keyboard, on the adversary side, attacking us; humans are the ones we need to communicate with in the business, to tell them what's going on and what needs to change in order to implement security better; humans are the ones that are overwhelmed by the numerous vendor technologies they need to protect themselves on their networks, and the thousands of inputs they're getting every day around threat intelligence."

Finally, artificial intelligence and machine learning are the topics du jour: so how do AI and ML fit into ThreatQuotient's plans?

"I think platforms like ours will be able to leverage machine learning and artificial intelligence, but they need to become richer -- where we are today, no organisation is going to take a machine's call over what to do over a human's call. A human still needs to be in the loop to make that ultimate decision. Until we can mature that kind of technology, it's not going to take over like a lot of people think it's going to."

Read more