IQT Explains: Scaling Cyber for Future Conflicts

Channel: IQT | Published: 2024-03-19 | 6,611 words | Source: auto_caption

Transcript

In the complex world of cybersecurity, a significant conflict is unfolding, with Russia, Ukraine, China and Taiwan at its forefront, and it becomes even more complex as AI-based capabilities are layered into the dynamics. Amidst this technological chess game, a practical concern emerges: how does a nation maintain strategic asymmetric advantage without drowning in an overwhelming sea of data and alerts? Each year, IQT cyber experts select a focal point for research and strategic counsel, for both investment endeavors and government counsel. The most recent findings cast a spotlight on the imperative task of scaling cyber defense capabilities, rooted in the lessons drawn from Ukraine's remarkable success in fending off relentless Russian cyber aggression. This most recent exploration reveals the fabric of what constitutes effective cyber defense: rather than just a suite of exquisite tools, a cadre of citizen cyber defenders, or critical open source information, our experts found that the success behind this defense was due to organic public-private partnerships. Join us as we delve into the nuances of scaling these crucial capabilities.

Welcome to the IQT podcast. I'm your host, Vall Sandera, and today we'll explore scaling cyber defense. Joining me on today's show are two of my colleagues here at IQT, Grant White and Dan Bachneck. Grant is a partner on IQT's investment team focusing on cyber and enterprise technologies. He's responsible for identifying compelling startups that align with government partner needs and leading the commercial diligence and investment process. Prior to joining IQT, Grant worked at Bain and Company and was an intelligence officer in the US Marine Corps. Grant is a graduate of Harvard Business School, the University of Cambridge and Northwestern University. Grant, thanks for being here, welcome.

Thanks.

Dan is a technology architect in IQT's cyber practice, focusing on the themes of threat intelligence, scalable cyber solutions and applied AI. He's responsible for understanding the technical needs of IQT's partners and identifying and applying solutions from the startup ecosystem to help address those gaps. Previously, Dan worked at the MITRE Corporation as a principal applied cybersecurity engineer. Dan, welcome, good to have you.

Thanks, great to be here.

So let's get started with sort of the view-from-the-top question. Grant, maybe we'll start with your thoughts on why this topic is important now.

Yeah, it's interesting, because there are sort of two answers to that question. One is sort of idiosyncratic to some of the research that Dan and I were doing last year, specifically looking at how successful Ukraine was in defending themselves from cyber attacks during the full-scale invasion by Russia. One of the things we sort of assumed we'd find, and were looking for, is: okay, what was the novel toolkit of things that we saw occur and that were used successfully to help Ukraine defend themselves against Russia? And what we found, speaking to lots of organizations associated with supporting the Ukrainian government, critical infrastructure, etc., is that there was this incredibly robust coalition of some of the largest cyber vendors in the world who had been working with the Ukrainian government and other critical infrastructure owners for a decade at that point, right, far in advance of the full-scale conflict. One of the things we discovered as part of that conversation is that the likelihood that that same perfect storm, that same coalition, would occur again when we think about other conflicts is not necessarily so; we may not see that same coalition, for a whole host of reasons. So one of the things Dan and I started thinking about was: well, what would you need to do to, in the aggregate, help replace that sort of capability? What could our government partners do to help understand how you would continuously identify vulnerability on networks you don't own, at scale, in a prioritized manner, in a Taiwan for example, or even in smaller conflicts in Albania or Costa Rica? What would that look like? And what we sort of came to was this architecture around: this is a massive, massive data problem, right, it's a post-human data problem to do that at scale.

This conversation that Dan and I were having was happening simultaneously with conversations we were having with our government partners who have these massive overwatch missions, right, the defense industrial base, critical infrastructure, a whole host of requirements. And also at the same time, a lot of the innovations we saw in AI really rely on being able to have a modern data infrastructure in place to take advantage of those innovations. So these three different facets, these three different conversations we were having, all kind of came together to understand: well, if we had to put together an architecture to understand how you would need to do this at scale, both for future conflicts, which is sort of where this thing started, but also for enterprises and our government partners who have overwatch missions, how would you think about doing that? So I think there are a lot of tailwinds that created this conversation and why we think it's really important right now, and it was also just some research we were doing that led us here, to see all these things sort of compounding and coming together at the same time.

That's interesting. Dan, your thoughts?

Yeah, I think Grant hit all the wave tops correctly and really well. What we came up with is this architecture that he mentioned, and it's really got three different tiers: we're talking about the data collection domain, the data management domain and the data dissemination domain. You kind of look at this like a traditional security operations center workflow; it even mirrors an intelligence life cycle. But when you start to understand it in the cyber context, what we found was a few nuances that make this unique for scaling cyber and securing infrastructure you don't own. Notably, you need to have a very robust understanding of what your threat posture is, and that is enabled through some of these external threat telemetry companies and data feeds. Also, you need a really strong data management concept, and that is something that we've seen is pretty unique, and we can talk into that in a moment. But I want to also highlight the dissemination domain: understanding that when this information is shared, it is actionable at scale in an automated fashion, such that the remediators can proactively, and even in an automated fashion, defend their networks and apply these patches and have insight into their network that they wouldn't necessarily have otherwise.

Dan, in your research you uncovered, actually both of you uncovered, a phrase that I found to be very interesting, which is sort of the maintenance of an asymmetric advantage when thinking about scaling cyber capabilities. Your thoughts on just what does an asymmetric advantage look like? How is it different than, say, any other asymmetric advantage in another domain when it comes to cyber?

Right, yeah. So there's a million ways you can kind of parse this and look at this. One helpful framework is borrowing kind of an adversarial approach from the military and kinetic warfare, finding that asymmetric advantage, which refers to a sort of capability that the adversary cannot defend against or does not expect. When you apply that in the cyber realm, what you're really talking about is finding exploits that an adversary doesn't think exist or doesn't even know exist, on assets that maybe the adversary doesn't even know they have, and exploiting those, finding these vulnerabilities and exploiting them. When we're talking about scaling cyber for defense, what we're really referring to here is the ability to coalesce all of these different disparate data feeds, disparate organizations, public-private partnerships, to enable scalable defense. That is something that we believe, in our view, we don't see currently occurring at scale; it's occurring in pockets. Certainly mission organizations around the United States, and other countries even, have pockets of this. But when we're talking about what would confound an adversary, the most robust sharing of quality intel, and being able to action that in automation at scale, is something that would probably throw an adversary off in the cyber realm.

That makes sense. Grant, your thoughts?

Yeah, I mean, I agree with everything Dan said. I think one of the things I would say is cyber is such a cat-and-mouse game; there's constantly this question of, is this going to favor the defender, is it favoring the attacker? Usually I think it favors the attacker, typically. But there are new capabilities that enable things the adversary might not see coming. There's also just the fundamental value of speed: how you can get that flywheel faster, right? Folks who understand the OODA loop: how do I observe, orient, decide and act, how do I do that quicker and quicker and quicker than the enemy does? And that is fundamentally only enabled, I think, at this point, with the amount of data you have available as a cyber defender or an offensive actor, by automation and potentially the use of AI. All of that is only going to be possible if you have the data resources in place: you've got your data cataloging and your data monitoring and your governance and that data pipeline that is enabling you to do all of these things faster. One of the fundamental problems in cyber is cyber has kind of been a laggard when it comes to modern data infrastructure relative to many, many other disciplines.

Are there any lessons learned from other disciplines, as you mentioned, that would be useful to perhaps adopt or consider within the cyber realm when it comes to at least data standards? And of course, let me just put an asterisk and suggest that any conversation about AI would be remiss if we didn't make mention of the trope, you know, good data in, good data out.

Yes, 100%, right. And think about that: how are you defining good data if you don't have a good understanding of your data catalog, if you don't have a good understanding of how this data can be enriched by other data sources at your disposal, and really being able to put all that data in a place where you can, hopefully in an automated fashion, surface insights that are valuable, and potentially even insights that you wouldn't have queried for to begin with, right? This is one of the powers of sort of the innovation of some of these AI solutions: it will find things that you wouldn't even have thought to find, or a human would not have been able to find, not only just because of the scale but also just the way it would have done its investigation. But I think one of the issues here is just, many other disciplines I think do not have some of the drawbacks that we've seen historically when it comes to cyber data. Most of the way we consume cyber data is these vertically integrated capabilities: they do the collection, the analysis, and they give me an answer sort of thing, right? And all this data has historically sat in silos, or you've taken all of your logs and you've thrown it into a legacy SIEM. Don't get me wrong, there are plenty of use cases where that can be really valuable; we have a lot of people who spend a lot of money on that and are trained on that. But if you wanted to disaggregate this collection, this data management, and sort of the insights you're basically trying to surface from this, it's kind of a different paradigm that lots of other disciplines do. I mean, think about all the ways that we deal with business intelligence that have revenue impacts on it, right? I think there's a lot more thinking on that than we've seen in cyber. And honestly, part of this is there are historical commercial disincentives to enabling data sharing: I want you to live in my platform, I want you to be in my pane of glass, not the other guy's pane of glass; it's expensive to egress at times. There's a lot of inertia that exists in cyber that's made this hard, but I think that is starting to change, and I think partially because more of your data, all this crazy heterogeneous data, is not just those logs that would live in a SIEM. Well, I now want to do more with it; I've got data science on the team and they want to do stuff with it and they're bringing tools they want to use on it. So I think we're starting to see this pressure to say there is more that we can do, and there's this outside pressure saying we actually need to do a lot more, because the adversary is getting faster, and if we're going to get as fast as they are we need to set up the data in a way where we can get that flywheel spinning faster.

That makes a lot of sense. Dan, we've sort of painted a picture of where we'd hope to be in the world when it comes to scaling cyber capabilities. What are some of the fundamentals that need to exist in order to sort of achieve some of the ideals that Grant is alluding towards? When we think about the momentum and what makes this better, it sounds to me that there should be undeniable truths that exist at the foundation. What are your thoughts on what those undeniable truths are?

So, first of all, we understand that in this context you have no insight into the IT ecosystem that you're trying to secure. That is different than how it's traditionally run, but what that means is that you're not pulling endpoint detection telemetry, you're not pulling from firewalls, you're not understanding what threats you're necessarily facing from the inside of your IT network. So instead we have to rely on external data feeds and external threat intelligence, and there's a broad span of really interesting companies and capabilities out there that are exploring the space here. If you think of illuminating C2 infrastructure from the outside, passive DNS, understanding what is out there in the dark web and cataloging and triaging that such that it is searchable and actionable by a defender, all of those are really interesting data feeds that one can use from a cyber threat perspective. We're also looking at different applications, as Grant mentioned, of some of the data management technology, and one of them is the data mesh framework. In this, rather than using data lakes like Grant mentioned, you can use this data mesh concept, which is a shared computational governance structure where the data product is not just a raw feed of data but is actually a shared product between the data consumer and the data producer. In that way we're building in more of that schema mapping and auto-parsing and cataloging and triaging, such that when that data is shared to the end user they're able to action it, and kind of enable that flywheel that Grant mentioned, and enable that automation in a way that helps remediate in the end.

I see. Your thoughts, Grant?

I entirely agree with that. I think one of the things I would add, and one of the things we think about a lot at IQT, is the framework or the construct that Dan was just talking about. When we think about applying scaled cyber in future conflicts, right, we don't own the networks, we don't run the telemetry, and what we're trying to infer and back into is understanding what are the worst threats that we need to ensure get fixed fastest on the pieces of critical infrastructure that we care about the most. That's a ton of data to get to that position, but it exists, right; it's just that we don't do a great job of managing it. So one of the things we think about at IQT a lot is that use case I just outlined, and this is very much something that we talk to our government partners about, whether it's supporting Taiwan or Albania or Costa Rica or Ukraine on one side, but also all these overwatch missions I mentioned previously. What we try to do is, okay, what are we seeing in the commercial realm, and what innovative startups are we seeing that can help enable that use case, relative to the enterprise use cases that they may be immediately addressing to get ARR this quarter and grow as a company and all this stuff you actually need to do as a startup or even a large commercial vendor? One of the things I think, when we talk about this, is we are starting to see that enterprise pull for disaggregating this sort of vertically integrated stack into this architecture overview that Dan talked about: the collection, the data management, the dissemination. We're starting to see some of that disaggregation: you see the large data lake providers like Databricks and Snowflake and AWS all having security data lakes, individual security data lake startups, lots of companies doing the ETL step, like how do I abstract away all this heterogeneity so that you don't really need to care about that, we will make it into a place where you can use it once it gets there. Because we're starting to see some of that, one of the things we think about a lot is, okay, how can we use this relative to how the enterprise is using it, where they, by the way, do have access to their own internal networks? Take the meta-capabilities out of that and apply them to this different use case where I don't see inside of the network but need to automatically get a sense of, at the very least: where is it, what is it, do I own it, is it on a surface I care about, is this an energy utility or financial services or a telco, or is it like a mom-and-pop pizza shop which I don't really care about? Those are things that are really important to automatically get to know quickly, because at the end of the day, for the use case we're talking about, what you want to be able to do is say: here are the things that definitely are exposed, likely have been owned, they're talking to C2, they're critical in my stack, they're 100% critical, they're on critical infrastructure from a national security perspective. Automatically knowing that for an entire country is kind of this provocative thing we're getting to, but at IQT our position on this is: okay, what are the technologies we're seeing commercially that we can take and leverage towards that mission, to enable our ability to do that in the future and for future conflicts?

That makes sense. You both spent a lot of time on your research sort of studying, as a case study, Russia and Ukraine, and you came across, I think, a very salient point, which is simply that, through, call it coincidence, years and years of public-private partnership amongst big vendors, cloud providers, etc., Ukraine was able to sort of show up to the conflict with a better posture, say, than they would have without the cooperation, without the participation and collaboration with these outside entities. I think the thrust of our discussion today talks about, like, wow, that's a fragile thing to try to scale; you can't necessarily count on that happening all the time. But if we are thinking about this from the perspective of a paradigm shift, let's use this as an opportunity to think about things very differently. If we're going to do away with the philosophy of sort of cyber capabilities as we know them now, what are some of the things you think ought to break apart? What are some of the thought processes or perspectives that ought to be broken apart and rethought? Maybe we'll take your thoughts on that first, and then we'll move to Grant after that.

Sure, yeah. I mean, like we said earlier, there are a lot of places that are doing this in bits and pieces. Yes, there are places, and of course the National Security Strategy being released. You look at Estonia's third revision of their national security strategy, and that is something that is pretty compelling when you think about it and you look at what are the options that one could pursue from a national perspective. We're thinking like national CERTs, national-level SOCs that have the ability to integrate and muddle through all of this data and kind of have the authorities and position to make sense of it.

Makes sense. Grant, your thoughts?

Yeah, I think one of the other things that's really interesting, just from a paradigm perspective, like how you think about this problem, is: on one side, what Dan and I are kind of talking about is finding bad stuff and blocking, segmenting, getting it off the internet, all of these things where you're reducing your attack surface, basically, right, and for things that may have already been owned, you're remediating as quickly as possible. On the other side of the spectrum there is all this work about how do we secure by design from the outset: how do we make sure that what we're building is actually not so easily owned to begin with? So I think one of the ways we think about it is that that is super important, right, that we are trying to make these things more resilient from the outset. And I think what Dan and I are talking about is, while we're getting better at that, in the life cycle of those things, as things come offline and we turn over what's deployed and how secure it is, one, that is never going to be a 100% solution; we're never going to design everything to be 100% secure, it's always going to be asymptotic, at least at some point. But we're trying to squeeze the balloon on both ends to some degree: how do we just get this flywheel so fast that mass exploitation just doesn't have an asymmetric capability for the adversary anymore, while we are simultaneously shoring up how resilient the systems we do deploy are, so that we're basically just closing the gap from both ends of the spectrum as fast as possible.

Makes sense. For our listeners, the secure-by-design philosophy is predicated upon sort of thinking through how something, at the outset, is going to be impervious, or sort of rock solid, hardened against any and all attack. For our listeners' benefit, and mine perhaps, how does one even know that they're creating something that is secure by design if they don't necessarily understand the universe of vectors of attack that might exist in the future? Let's just say, if we're thinking about this as a cat-and-mouse game.

Well, geez. I mean, I will say one conversation that I've seen a lot online recently is, I think Stanford CS students don't have to have a security course. Maybe start teaching security to software developers. That's not going to solve the problem, but it's a step in the right direction.

Right, right. Yeah, so one step to that end is the SBOM movement, right: understanding, you know, it's the nutrition label for software, understanding what the heck is inside of whatever piece of software you're producing and what your dependencies are. And there are so many more implications up the stack that get revealed when you do that properly; you talk about graph analytics and higher-order insights that you can pull out from all of this knowledge and understand: okay, if this package or dependency is owned, am I owned? Where's my risk, where's my exposure on this? You can't answer that unless you do this work up front, and that's this whole concept of shifting left. It is a valiant effort, and like Grant said, though, this is a multi-pronged problem, so being able to address it from patching is not going to go away. So we're trying to focus on that while not excluding, you know, we certainly at IQT invest heavily into this shift-left problem, but we're also looking at what are the near-term opportunities for us.

That's right. I'm actually reminded of a piece of work that came out of IQT Labs, so shameless plug for IQT Labs since I'm in the Labs: nutrition labels. We work on sort of an open source philosophy, so we leverage and contribute a lot to the open source software community, and the nutrition label became important to us as we worked with partners in the USG that were very concerned about some of the models or some of the algorithms that we were releasing to open source: hey, what is in this thing? So the nutrition label became sort of part of our regular operations, of sort of indicating: here are the things that went into this, here's when they were patched, or these things that have sort of been discontinued, stuff like that. So certainly it seems like it's an important part of the cyber capability as well.

Yeah, I was going to say, one piece on that I think is really interesting is there's this pattern you see in security at times, which is: I lack total visibility, so first step, let me get visibility, right? I feel like we saw this in OT, we've seen this with SBOMs, we see this with all of the threat intelligence and stuff we're selling today and all the internal telemetry we pull. There's this first step, which is: I don't even know what I have on my network, I don't even know what's in this software package, I don't even know what I'm dealing with here, right? That's always that first-echelon problem. And then there's this next step, which is: awesome, I know exactly, I have an SBOM, what do I do with this now? It's fun to think about, and it's really cool to see what the commercial market's doing with that problem. That's what we're seeing, I think, across the board. This analogy I used of squeezing the balloon: I think in cyber the idea is we're just trying to keep squeezing more bits of the balloon everywhere until we can just pop the thing and the enemy can't take advantage of, I don't know, that fell apart pretty bad. But the point being, we creep up on this stuff as we realize, I don't know what's on my OT network, I've got to figure that out, okay, now what do I do about it? This is something that I think is really exciting for us at IQT: we get to look at the next generation of startups who are biting off that next piece of the problem set and saying, yes, you've already got visibility, but let me show you what you can do with it. But the more and more we do that, the more and more data we have, and the less and less we, you know, you've got to solve that problem, right?

Yeah. I'm also reminded of the questions related to what is on my network. The second question we often get is, well, what the heck is it doing, and how do I know if it's behaving properly or improperly? That answer usually depends on a lot of factors: time of day, who's on the network, what other types of devices. And then you answer, so what? And that's where it comes back to this external telemetry feed, of understanding what's out there, understanding what exploits are being actively exploited in the wild, and understanding what APTs, what persistent threats, and what their tactics, techniques and procedures are, and how you're defended against those per industry or per company or per field application. Like, this application is super vulnerable, but guess what, it's not business critical and they don't care, right? But a security team may have no idea if that application is business critical or not. In the same way, we're like, this IP totally got owned, but it's on a mom-and-pop's pizza shop, so maybe I don't care about that. But all of that is important for figuring out, with the very, very little bit of resources at our disposal, what we actually need to go do first and fastest, which is why it's critical this data model builds in that contextualization to this data. So it's a lot of metadata, it's a lot of fields, right, and you can see this even in some of the schemas that both the government and open source are following: there are fields for prioritization, there are fields for what is this and where does it exist in my ecosystem, so the local IT environments can fill those fields in and better prioritize all of these 9.8s and 9.7s.

As we're approaching our time, I do want to address one other topic before we break, and you sort of dovetailed into that, Dan, real nicely, which is the role of the human being. We've talked about paradigm shifts, we've talked about AI, we've talked about the overwhelming amount of data and information. Love your thoughts on what is the role of the human as we're rethinking scaling cyber capabilities. We know what the human has done thus far, what a network operator and a team of sort of cybersecurity forensics experts and analysts have done so far. What does their role look like as we go into the future? Grant, we'll start with you first.

Yeah, I think the big thing for me is there are a lot of other disciplines that are going to be critical for doing this well going forward, namely you need data scientists, you need engineers, you need folks that are just outside of the cyber analyst. That can be a cyber analyst who's been upskilled to data scientist or engineer, but we need to think about this not as "give a bunch of data to a cyber analyst and then let them go figure out what the problem is". You need data scientists who are part and parcel of cross-functional capabilities with this, and this is hard. It was funny, I was talking to someone not long ago who was a CISO, and I was asking him about how much data science do you have in the company (it's a large financial services firm), and they were like, well, we have some, obviously, and they care about this and they're doing it well, but they're like, you know, when I upskill a cyber analyst with a lot of data science, they leave and go get a data science job. So this is hard, and so there are those people you need to bring, and then the other thing, I think, is those people want to bring the tools they know how to use to the problem. This goes back to this siloed data issue: if you can't bring the tools you know how to use to help solve the problem, because the data is not in a format that you can use, or it's siloed in this weird way, or it's got some weird query language you don't understand or whatever, it becomes really, really hard for that cross-functional team to be successful.

Yeah, and I'll just add that one of the things I kind of jokingly say, borrowed from a colleague, is that there's not enough parking, right? Stop building parking lots, stop building parking garages for your analysts. We have to figure out ways to solve this in a post-human world, because everyone's drowning in data. So those parking spots need to be filled with, yes, SOC analysts, but SOC analysts that understand that they need to build in some of this automation and look at where we can, not cut corners, but sort of end-around the problem with the smart application of AI. So we're seeing SOC tasks being automated now, and in the marketplace there are companies that are working around this problem to be able to turn the crank on some of these rote tasks that soak up the majority of these analysts' time. So I would say, be a part of the solution there, not part of the problem. Well, they're never part of the problem, but it's just about being proactive on it and saying, yeah, let's try and figure out ways to automate myself out of a job.

That's right. Well, gentlemen, we're at time. If I had maybe 10 more seconds, and I think I do, I would like to end with your thoughts on where our listeners can turn for more information if they're interested in this topic: maybe a book, a website, just a blog post, any quick thoughts on that?

I'll put in a shameless plug. It's not really shameless since I didn't write this book at all, but Sandworm, I think.

You didn't write that book?

I didn't write that book, but I'll tell you what, the author did come to, did host a talk at IQT, so if he's out there listening, thank you for that, that was fun. That book was excellent; it talked a lot about sort of the zero-day exploits, and I learned a lot about sort of the cyber warfare tactics that were in use at the time, specifically with Russia and Ukraine and others as well. So if anyone's interested, feel free to read that book.

Any other resources that you'd call out?

I mean, one thing that we've asked, or some portfolio companies come to us and say, hey, we need to up our game in cyber: your local FBI field office has that capability, and we routinely refer them to some of those organizations.

I love that. You heard it here: go talk to your local FBI branch, that's where to get them. Don't knock on their door. Dan, Grant, thank you so much for your time today, really appreciate it. And to our listeners, thank you for tuning in to today's episode of IQT Explains on the IQT podcast. Please make sure to subscribe to the IQT podcast so you don't miss out on future content, and leave us a review or a comment to let us know what you thought of today's discussion or any other discussions you think we ought to have in the future. I encourage you to check out our website at www.iqt.org to explore more content about cutting-edge technology to support and deliver insights and capabilities essential for national security mission impact. Thank you, and talk to you all next time.