Last week, I had the honor of addressing The Homeland Security Training Institute (HSTI) at the College of DuPage as part of the HSTI Live educational series. The event featured other prominent speakers at the forefront of cybersecurity defense, including:
Dave Tyson, CEO of CISO Insights, a global cybersecurity consultant and Nicole Darden Ford, Vice President and Chief Information Security Officer of Baxter Healthcare. Dave broke down complex cybersecurity issues making them relatable to the audience, a skill he’s also honed through his other business venture, CEO of cybereasylearning.com. Nicole shared her firsthand experiences dealing with the challenges and the successes of a modern CISO in the healthcare industry. Nicole has global responsibility for information security as well as information technology quality compliance and information governance.
I presented findings from the most recent Microsoft Security Intelligence Report v23, diving into themes and specifics behind old and new malware propagated through massive botnets, and phishing, and ransomware attacks. And, importantly, providing advice and guidance on steps organizations can take to help protect themselves and their critical assets.
It was a great set of talks that spawned a lot of interesting dialogs. After the event, I was stopped by someone who asked me why our cyber defenses aren’t sophisticated enough to stop all cyberattacks before they penetrate our systems. It’s a fair question, especially when you consider the substantial amount of annual investment organizations make in hardware, software, and human capital. For example, it’s not uncommon for regulated and larger businesses to have teams dedicated to 24/7, 365 surveillance and monitoring of their systems. Yet, the bad guys still get in, plant malware, compromise proprietary information, and reveal sensitive customer data.
As I thought more deeply about the question of why we can’t stop all attacks, I was reminded of Nassim Nicholas Taleb’s seminal book “The Black Swan: The Impact of the Highly Improbable.” Taleb dives into how some negative events, no matter how improbable they are, can cause massive consequences. This is within cybersecurity also as demonstrated by for example WannaCry. The attack cost organizations across the globe billions of dollars and made headlines for weeks! Yet far fewer people have heard of Bad Rabbit, largely because it was identified and stopped by Windows Defender Anti Virus in 14 minutes before it caused widespread damage. Catching new malware isn’t easy, but using layered machine learning from device to cloud and sharing that learning across systems rapidly is helping to find and catch new malware more quickly. With Bad Rabbit, after the first device encounter, the cloud protection service used detonation-based malware classification to block the file and protect subsequent users who downloaded the dangerous file.
Another example of rapid intelligent response spoiling a massive attack comes from March of this year. The malware, named Dofoil was a cryptocurrency miner that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender AV picked up on behavior-based signals to identify the infection attempts and block more than 80,000 instances of the attack within milliseconds.
What is often overlooked or unseen in all the headlines, is that most of our cyber defenses are deeply effective, especially when you consider the sheer number of attacks enterprises face every day. It’s easy to lose sight of this when a devastating attack occurs and controls the news narrative. Microsoft threat data shared from partners, researchers, and law enforcement worldwide gives a clearer picture of the massive scale of data we’re regularly protecting. In a month, using the Intelligent Security Graph, we’re analyzing 400 billion emails, scanning 1.2 billion devices and 18 billion Bing web pages while detecting 5 billion threats. Again, I’m not suggesting we catch everything malicious as billions of pieces of data and hardware are scanned. We don’t. Some malware inevitably gets through our protective layers. But when you consider the scale of attacks, and the prominence of digital products and tools in enterprises, it’s important to remember that we as an industry of cybersecurity professionals very often get it right. Users all over the world are accustomed to switching on their devices and safely opening hundreds of emails a day, seeing the correct balance in their mobile banking app, and trusting their GPS to accurately guide them from point A to point B. Our digital lives are deeply intertwined with our personal and work lives, and more often than not, they coexist in harmony.
In sum, it’s true; the cybersecurity industry cannot claim the ability to stop all cyberattacks. But let’s not overlook all of the attacks that are detected and prevented every day. The hardworking cybersecurity professionals, the same ones I shared the stage with at The Homeland Security Training Institute at the College of DuPage, are advancing our capabilities to thwart cybercrimes every day. Yes, we’ve got work to do, this is an ongoing battle, but the wins and ongoing work deserve to be recognized too.