SAN FRANCISCO — Cybersecurity professionals had a lot of catching up to do last week, as more than 26,000 of them convened at the first RSA Conference since the start of the COVID-19 crisis.
After a 28-month hiatus, the conference once again gathered top executives to discuss key problems in the cyber field, including the shortcomings of artificial intelligence (AI) in cyber defense and the need for united efforts against ransomware cartels.
Here are five takeaways from what Cybersecurity Dive overheard on the ground in San Francisco.
1. Cybersecurity demands a collective front
Cybercriminals are often better organized and more responsive than the companies they target. This calls for cohesive, defensive action to counter the threat.
Every individual, company and government agency must participate in the defense of cyberspace, National Cyber Director Chris Inglis said at the event.
Transgressors are directing all of their resources and capabilities to initiate cyberattacks. There’s perhaps no better example of this than ransomware, which is “a syndicate operating against us,” Inglis said. “How can we respond with anything less? It takes a network to beat a network.”
Federal authorities will share very specific and timely information when they can. Oftentimes, however, warnings are very general. The government isn’t withholding information in these cases, he said; it simply doesn’t have more to tell.
“We can sometimes predict thunderstorms and not lightning strikes,” Inglis said.
2. Attackers target human responses
Bad and probably worse days are coming for every organization.
Threat actors have done their homework, having shifted from poorly organized attacks to campaigns targeting specific leverage points, Charles Henderson, head of IBM Security’s X-Force unit, said in an interview.
“The attacker has evolved beyond just targeting a system and now they’re targeting a human response in their victims based on leverage,” he said.
“As attack strategies go beyond the digital strategy but into the human nature strategy, I think that’s a complexity that the industry I’m not sure is ready to tackle.”
With those dynamics at play, cybersecurity needs to move beyond information security strategies and become part of the overall business strategy, Henderson said.
“We’re going to have real-world repercussions,” he said. When gas stations, health providers and the price of commodities are impacted by cyberattacks, that’s a “kinetic effect of a digital problem.”
3. Organizations get 24 hours — if they’re lucky
Organizations are confronting a consistently exponential rise in cyberattacks, threats and ransomware demands.
“The ransomware attackers are continuing to get technically better,” Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42, said in an interview.
Malware is advancing and some of the more aggressive and adept ransomware groups are quickly initiating zero-day attacks before developers can patch or otherwise address a flaw.
“You’re getting the point where you’re lucky if you might have 24 hours before there’s going to be widespread exploitation,” she said.
A similar race is now underway with respect to some advanced persistent threat campaigns because attackers are exploiting these same vulnerabilities at similar speed, according to Miller-Osborn.
“From a patching perspective, from an enterprise perspective, that’s pretty much impossible,” she said. “At that point, you’re having to look at other layered defenses.”
4. AI remains largely theoretical
Human expertise will always serve an irreplaceable role in cyber defense, but it’s not enough to thwart the pace and scale of attacks. “We as a defender community need to move our industry from defense at human speed to defending at machine speed,” Vasu Jakkal, corporate VP at Microsoft, said on stage.
This is where AI, the longstanding but seemingly mired source of hope, comes into play.
“There’s been a lot of hype about AI and it’s jaded some of us. And it’s true, for all that hype to date there are relatively few use cases” that are clear, accurate and attributable to AI, Jakkal said.
“But without AI we simply cannot scale our defenses at the rate of attack. To fight this asymmetric war, and it’s pretty asymmetric out there, we have to use AI,” she said.
AI works well at some security tasks today. It’s particularly good at detection and split-second decisions, such as determining whether an email or file might be malicious, according to Jakkal.
But to fulfill its promise AI must operate across domains to predict, detect, block and respond to attacks in real time. It should also, she said, understand the full scope of an attack while the attack is underway.
Jakkal claims this leap will be achieved in the next two years. Will that be enough, and will it still be relevant by then?
5. Cybercrime expected to hit $10.5 trillion by 2025
Cybercrime pays. Big time. It’s projected to reach $10.5 trillion by 2025, Forcepoint CEO Manny Rivelo said on stage.
“If you compare this to a gross domestic product, it would be the third-largest economy in the world behind the U.S. and China. So it is good business to hack. It is not going away,” he said.
And what has the industry done in response? “We’ve given you an alphabet soup of three- or four-letter acronyms,” Rivelo said.
EDR, IAM, MDR, MFA, NGFW, SASE, SIEM, SSE, XDR and ZTNA come to mind, for starters. It’s enough to make most people throw their hands up in despair.
“The world has just become just way, way too complex,” Rivelo said. “We need to fix this.”