John Davis of Palo Alto Networks talks about cybersecurity for the public and private sector. Department of Defense

John Davis has seen cyberthreats from both the public and private sector. Currently serving as the Vice President and Federal Chief Security Officer at cybersecurity firm Palo Alto Networks, Davis is responsible for expanding cybersecurity initiatives and improving policy for organizations and governments around the world.

Prior to his move to the private sector, Davis—a retired United States Army Major General—served as the Senior Military Advisor for Cyber to the Under Secretary of Defense for Policy and served as the Acting Deputy Assistant Secretary of Defense for Cyber Policy. He was awarded the Defense Superior Service Medal, Legion of Merit and the Bronze Star Medal for his service.

International Business Times: What tend to be the most difficult vulnerabilities for organizations to defend against, and how can they improve their defenses?

John Davis: From my experience talking with the leaders and security professionals in both public and private sector organizations, the biggest and most difficult vulnerabilities continue to have the same thing in common.

The common theme is that basics matter, and even though cyber threats continue to grow in scope, sophistication and consequence, most of them are preventable through the implementation of the following solutions that span the aspects of human behavior, organizational processes and technology:

  • Basic online standards and discipline through training and education

  • Effective cyberthreat information sharing at scale and speed, and patching known vulnerabilities at scale and speed

  • The use of an automated and breach prevention-oriented platform approach that places “see the threat and stop the threat” capabilities at each point along the cyberthreat lifecycle, and consistently applies security controls across all environments including physical and virtual, on-premises and cloud, edge, data center and endpoint and IoT devices

In my view, the most difficult vulnerability continues to be the human dimension, and we can see the evidence of this in the continued use of socially engineered phishing. The latest consequence of phishing is the explosion of ransomware campaigns. This makes capabilities that reduce the chance of credential theft increasingly critical in defending against this particular threat. However, the threat is never static, and there’s always a risk that focusing on a “silver bullet” becomes a distraction from other aspects of the threats the industry continues to face.


Exploits and malware continue to take on many forms and I would advocate guarding against an over-focus on any particular threat. Instead, I would urge a consistent approach that accounts for all threats through comprehensive cyber education and training, cyberthreat information sharing, and an automated and prevention-oriented platform approach.

IBT: What current trend in cyber threats should organizations be preparing for?

Davis: In addition to ransomware, as well as the cautionary note not to over-focus on any single threat, I have spoken with a growing number of leaders who are increasingly concerned about the move to IoT and the implications this can have on the security of our critical infrastructure.

More and more devices that lack security “baked in” are being connected to the information technology environment in the IoT phenomenon. No small portion of them represent operational technology that touches some of our most important functions as a nation and society, such as electric power, transportation, pharmaceuticals and healthcare systems, etcetera.

The fact is that most of these operational technology devices are not prepared for the cyberthreats they will face once connected. They lack “baked in” security features, they are not designed for automatic updates of prevention controls such as patching vulnerabilities, and their life spans generally exceed the significantly shorter cycles within the IT community (which means they risk outliving the support that could be provided by a much more dynamically changing security community).

So, these IoT devices are important to our national and economic security as well as our public safety because they are vulnerable to disruption, ransom and possibly even destruction. The recent Dyn attack that hijacked enormous numbers of connected, vulnerable devices, like video cameras for example, to overwhelm the bandwidth of major service providers was a wake-up call to many.

IBT: Is there anything government can learn from the private sector and vice versa when it comes to cyber defenses?

Davis: As a retired Major General who spent the last 10 years of his career in cyber organizations, I believe there is much government can learn from the private sector in a couple of important areas.

First, the private sector is leading the movement to cloud—public, private, hybrid and software as a service (SaaS)—and realizing enormous savings in capital expenditure while actually managing risks much more effectively.

Second, many Palo Alto Networks customers, for example, are realizing the power of the automated platform approach and reducing the amount of complexity in their network, endpoint and cloud environments instead of the traditional method of buying isolated point security products, deploying them in their various environments, and then figuring out how to make them work together (which normally means they can’t hire enough people to keep up).

As an example of the latter, there are still organizations that continue to believe that having hundreds of independent point solutions in their environment means “defense in depth.” I would argue that it actually only means “vendor in defense” and only increases complexity and creates the need for more resources.

There is also much that the private sector can learn from government. One of the most important things is the notion that cybersecurity is not an issue to be handed off to the technical community to handle. It is, in military terms, “Commanders’ business” and must involve senior-level decision making. This is because of several factors that have emerged over the past decade or so.

The cyberthreat has grown in scale, scope, sophistication and impact. The threat no longer only impacts our ability to get to our online banking, or the loss of our personal information. It now represents a threat to our national and economic security as well as our public safety. As a result, what is happening at the technical level no longer stays at that level because it now impacts the organization overall, including its ability to perform its most vital tasks.

The balance between opportunity and risk has traditionally heavily favored opportunity in the IT world. This balance began to change first in government because of its understanding of changes in the cyberthreat environment. The private sector is now embracing this need for a change in the balance between opportunity and risk, and can learn from the many lessons that government has already experienced in this regard.

Additionally, initially government agencies led the way with cyberthreat information sharing, spearheading the automation and standardization of threat information sharing. With the passing of legislation in 2015, the private sector has also embraced this, especially since the primary hurdles of privacy and liability have been at least initially addressed in the law. For Palo Alto Networks in particular, we have been a pioneer in threat information sharing as a founding member of the Cyber Threat Alliance in 2014.

IBT: How can organizations become more nimble in their cyber security defenses in order to keep up with the evolving threat landscape?

Davis: There are at least three answers to enable greater agility in dealing with an increasingly agile threat landscape that involve leveraging automation. The threat is agile because it is automated, it shares information and tools very effectively and it continues to do more and more with fewer and fewer people. The cybersecurity community must do the same.

First, we must automate everything we can and save our people for the things that only people can do. Today we still live in a mostly manual mode based on human decisions and response to events after they have already occurred. We must move to an automated prevention-based approach—[as opposed to] detection and response only—and away from a model that relies so heavily on manual intervention, because it doesn’t scale and means teams will always be chasing the threat instead of preventing it.

Second, we must leverage cyberthreat intelligence and information sharing at scale and speed. This requires being a part of effective cyberthreat information sharing relationships or making sure your cybersecurity provider is part of one.

An excellent example is the Cyber Threat Alliance (CTA). This organization consists of more than a dozen cybersecurity companies, many competitors, who have agreed at the CEO level to share cyberthreat intelligence as a public good instead of a private commodity. The CTA members share information using an automated platform that enables the rapid consumption of resulting security controls within each company’s network environment and that of all its clients, and this is done through a standardized format.

Third, no organization has enough people to solve this problem without an innovation in technology that reduces the amount of people required to perform cybersecurity effectively. This requires more than the automation mentioned above. It requires an automated cybersecurity platform approach that puts “see the threat and stop the threat” capabilities at each point along the cyber threat lifecycle, and consistently applies security controls across all environments. Making an automated platform approach work at each point of the kill chain and across all environments requires deep technically engineered partnerships between leading technology companies that operate most effectively in these various environments, because different parts of the kill chain occur in different portions of those environments.

No one company can do it all; it takes strategic partnerships at a very technical level to do this well. For example, for Palo Alto Networks to apply consistent security across the cloud, we partner with Amazon and Microsoft to engineer the technically integrated solution so that the customer doesn’t have to use their people, time and money to do that on their own. We do the same with VMware for the virtual environments, and the same with Tanium at the endpoint level.

If an organization wants to outmaneuver a very agile threat, they need to do these three things because these techniques are already what many cyberthreat organizations are using.