IronNet | Dr Michael Ehrlich: Unpacking the cyber security challenge

Cyber security presents many challenges, and with events in Ukraine unfolding further, the question of how far cyber security has come is a hot topic.

Senior Solutions Analyst Dan Norman from ISF sat down with Dr Michael Ehrlich to discuss the current state of cyber security and where it’s headed.

In 2007 you actually helped draft portions of the national cyber initiative. But how does the state of cyber security today compare to 15 years ago? What are your perspectives on that?

I think there are two or three main areas that have changed over the last 15 years. If we were to go back 15 years ago, 13 years ago, the attacks that were happening then from the criminal side were really focused on things like credit card number theft. And so for the criminal to monetise what they do, they would have to access credit card information and then somehow sell that or use that; it was really a two-step process.

So today, obviously, that's changed. Now it's a one-step process in what we call ransomware. And so the criminal element of cyber has figured out a much more effective way to monetise their skill set: get access to an enterprise, spread throughout that enterprise, steal your IP and then shut down your enterprise with ransomware.

And over the last 10 years or so, where ransomware has really become prevalent, the other technology that's helped that is cryptocurrency. Ten years ago it would be very hard for me to demand a million-dollar ransom and get paid in funds that could not be traced. But today, that is very easy to do.

So, the criminal element has moved on from stealing credit card information and things like that, to rapid monetisation of what they do. So, that's one big change.

I think the other big change, and where the world will continue to go, is this: prior to 2010, you had nation-state attacks, but they were mostly focused, again, on stealing some sort of intellectual property from your adversaries. Back in 2010, with the advent of Stuxnet in Iran, that was the very first time that there was a cyberattack that led to real physical damage.

And not just shutting something down, but real physical damage, things being destroyed. And so we all know that that capability exists out there. It's something everyone is worried about, you know, whether the adversary is in our weather, in our oil refineries that can do something, our nuclear plants, our manufacturing facilities, our drug facilities.

That concern, I think, is stronger now than it has ever been. So I think those are sort of two of the big areas.

What are your perspectives on technology and implementation and the role that will play, through that lens of alliances, information sharing and things like that?

You know, the whole third-party due diligence is tough. It's really a tough game. First of all, the third party is going to answer the way that you hope they do, because otherwise they don't get your business. I can't possibly go through source code and understand what is happening in a product I didn't write.

So those are all real challenges. And so when you can't do any of those things, really the best you can do, and what you should do, is have visibility into your network. Understand what's on your network, understand what should be happening, and understand when something changes, whether for the good or bad: understand what changes and what's driving that change.

So, building on from that, what types of technologies are needed for the future to transform cyber security? What kind of tangible technologies can we implement now?

I think most organisations, most large organisations that take cybersecurity seriously, probably already have what I would call the minimum set. So things like firewalls and web proxies, you know, everyone has those now. And you need to raise the bar to make entry hard, but a good adversary will be able to defeat those quite handily.

Doesn't mean you shouldn't have them. You still need them, because not everyone is a good adversary. I think there are so many tools out there, there are identity management tools, there are all sorts of things that we need as we live in a more connected world and as we move to cloud services.

Many organisations implement EDR (endpoint detection and response) capabilities. And those are needed for a number of reasons: for vulnerability management, for patching, for updating, for controlling what applications you have running. But again, a good adversary will be able to subvert your endpoint agents.

And so, if you were facing a good adversary, what I always recommend is something that actually inspects and analyses the network traffic. Because if your adversary is in your network, even if they can defeat your firewalls and your endpoint agents and your web proxies and even your identity and authorisation things, the one thing they must do is be on your network. Their traffic must be there. It may look like something else. It may be obfuscated or encrypted, but fundamentally there is a connection from your organisation out to your adversary, and sometimes the best way of finding that is in the network traffic.

You know, the network traffic things started with very simple IDS/IPSs, which have now sort of morphed into the next-generation firewalls. But those are all rules-based, and rules are important. Don't get me wrong. Signatures are important. They let us look out for things that have happened somewhere, from a week ago to 10 years ago, and be able to spot those.

But they’re not very good for finding the new attacks. And so, you really need algorithms. 

Fundamentally you need algorithms that learn about your environment, that apply some level of artificial intelligence and machine learning, and can understand when an anomaly is present in your network that is potentially malicious, that can identify specific behaviours in your network that are potentially malicious. And so I think the rise of the NDR platform, not EDR but NDR, is going to be more important.

How do you see cyber warfare developing based on the conflict between Russia and Ukraine at the moment?

It's been a very interesting time. Certainly from the Russian perspective, I think they've used a small fraction of their capabilities to aid in their goal, whatever their goal is. I'm not certain whether it's to take over or to destroy Ukraine.

But certainly, they are doing the latter while trying to do the former. So if you look at the security reporting starting in late December, early January, Microsoft identified new strains of, effectively, wiper viruses that were targeting the Ukrainian government, just to start softening up that target.

And then, just prior to Russia actually moving into Ukraine, there were the Viasat terminal attacks that took down terminals, not just in Ukraine but in a lot of the neighbouring countries as well. And so I think that was all easy takings for the Russians.