On April 8, we aired the first of our new IronNet Engage webinars, Cybersecurity’s Tectonic Shift: A Call for Collaboration. Our first episode featured IronNet’s co-CEO and founder, General (Ret.) Keith Alexander, and IronNet CMO Russ Cobb, and introduced the concept of Collective Defense.
General Alexander set the stage clearly by acknowledging the current state of the world as we deal with COVID-19. He says, “We’re going to have to change the way we think about cyber, the way we think about buying, about working. We’re going to see more companies go virtual and more people working from home. And as we do that, we’re seeing a shift in the attack surface that adversaries can use to go after our intellectual property and our companies.”
Watch the on-demand webinar to hear the rest of the conversation about how Collective Defense is providing companies with a scalable and effective way to deal with this new threat landscape.
Your questions, answered
Viewers submitted several questions that General Alexander and Russ ran out of time to answer, so we’re posting those here, along with answers from various IronNet experts. NOTE: We took some liberty with clarifying abbreviations or unclear language in questions.
What thought has been put to the ROI possibilities for participating companies (in participating in a "Collective Defense")?
From Anthony Grenga, IronNet Director of Cyber Operations:
First, our detections are based on behavioral analytics, not just signatures. So, as a member of IronDome, you receive immediate notifications about alerts within your environment that may have been initially identified in other IronDome members’ environments. This increases your security posture and forces attackers to not only modify IOCs, but also change major aspects of the behavior. Think of IronDome as a "force multiplier" for NTA-based domain and IP correlation. For example, some businesses do not have the manpower to investigate all security alerts. But as an IronDome member, they instantly benefit from shared industry knowledge and evaluation of network traffic for every rated correlation. IronDome is an extension of your SOC workforce.
Thanks to General Alexander from a USCG veteran! How do you see the increasing need for agile collaboration across all organizational departments, rather than "cyberspooks" just staying hidden in the SOC? I know at NSA, GEN Alexander had an agile standup briefing every morning!
From Major General (Ret) Brett Williams, IronNet Chief Operating Officer:
Thanks for the question. I fully agree that we need to collaborate across organizations and ensure that those who have deep technical experience either in offense or defense have an opportunity to share that expertise. At IronNet, we have embraced the application of agile and scrum. Doing so allows us to form cross-functional teams where all the resident expertise has an opportunity to work together and solve the problem. The area that is most critical for us is having the data scientists work closely with the cyber analysts and hunters. The data scientists are experts at writing algorithms to detect anomalous behavior within networks, but it takes the cyber experts to provide feedback on what detections are most likely to indicate malicious activity. It takes bringing together very diverse skill sets in a productive way to achieve a true collective defense solution that is based on behavioral analytics to detect attacks.
Is the SMB/ WFH market something IronNet is working with now or just critical industry?
From Russ Cobb, IronNet CMO:
We prioritize the protection of critical infrastructure sector companies because they are vital to our public health and safety, our economic security, and our national security. Within those sectors, we have predominantly focused on larger companies because of their relative cybersecurity maturity and because protecting them provides scale benefits within their sector and across other sectors. It has simply been a question of prioritization.
That said, we do address smaller companies within these sectors and think that increased network security through behavioral analytics and participation in our Collective Defense model will benefit most any size company. Often, smaller companies don't have the technical or human resources to combat advanced cyber threats and can indeed become prime targets. We serve some SMB companies directly and others, increasingly, through our growing MSSP partner network. If you are a SMB company and want to learn more, we would be happy to engage with you.
Data sharing is important, but isn't this a big data problem? We have a lot of ISACs [information sharing and analysis centers], but we are still very poor at sensemaking and generating actionable intelligence. How can we collaborate, but also how can we connect the dots so people are not buried in data or data mining?
From Don Closser, IronNet Chief Product Officer:
This is a great question and is right at the heart of IronNet’s Collective Defense concept: actionable intelligence without the alert fatigue. One of the biggest challenges at the outset is getting people -- companies of all sizes, agencies, and governments -- to share data at a granular enough level to create a real common operating picture. In many ways, that's about creating a new construct, building on the excellent work that's already been done on threat sharing and creating new trust models. But as you correctly point out, once the data is being shared, the core goals have to be multifaceted and include making sense of the data (e.g., understanding the environment), generating actionable intelligence that ideally is new and novel, and creating opportunities for collaboration on defensive measures -- both in identifying threats and taking action against them -- so that entities need not stand alone any longer.
This latter piece is a big data problem that requires advanced analytics and highly capable systems on the front end, powered by supervised and unsupervised learning capabilities on the back end, as well as the ability to identify new and novel threats and trends at speed and scale. Essentially, the same revolution that happened in signals intelligence in the post-9/11 era -- having data analysis go from taking hours, days or weeks and turning it into finished, actionable intelligence in "realtime" (i.e., minutes and seconds) -- needs to happen in the cybersecurity arena.
Given that this information, in order to be truly effective, would need to be consolidated by "everyone" for the visibility of "everyone,” what are the thoughts around ensuring the accuracy of the information contributed as well as controlling who has visibility to the data to prevent adversaries using our own data and observations against us?
From Patrick Collard, IronNet Director of Data Science:
Information accuracy is ensured by the advanced correlations and notifications we provide in IronDome, specifically identifying discrepancies in ratings where, intentionally or unintentionally, analyst assessments differ.
Visibility is controlled by additional aggregation and analysis performed within IronDome. The implementation is similar to how a user's location may be shared with Google but other users only have visibility of where there's traffic. Behavioral events are consolidated within IronDome for analysis and correlation and the minimized behaviors are not shared directly or with everyone. The current types of information shared and conditions for sharing are:
- IOCs associated with behaviors marked malicious are shared with everyone
- Temporal features as well as analyst comments and ratings are shared with participants who have correlated behaviors but the minimized behaviors themselves are not shared.
How are you addressing encrypted (443/ SSL) malicious traffic and/or SSL/TLS DNS (DoH)? How are you inspecting that?
From David Rose, Customer Success Project Manager:
We can detect attacks even if malicious traffic is encrypted because we're looking at behaviors, not signatures. In addition to traditional signature approaches like JA3 for SSL, we also examine properties of SSL certificates and identify anomalies (cert chain, entropy of each field, length, etc...).
As a math major, the notion of anonymity is not achievable. Communications of the ACM [Association for Computing Machinery] has published articles on this. Essentially, there are always patterns, and it is possible to identify a unique individual. Do you have new approaches to making the shared data 100% anonymous?
From Patrick Collard, IronNet Director of Data Science:
We do not employ any new approaches to traditional anonymization. However, the efficacy of de-anonymization techniques is largely tied to the level of granularity and volume of shared information. We believe we have struck the right balance between anonymity, security, and collaboration for what information gets shared, to whom, and under what conditions.