Defense Secrets for Enterprise CISOs

Imagine that enemy planes have swooped down over your corporate headquarters and are now strafing the buildings, parking lots, and picnic areas where you eat lunch. Apart from maybe rushing down to the basement, what would be your reaction? What conclusion would you draw from such an event? My guess is that you would declare this an act of war, and that the incident and aftermath would change your life forever.

So why is it, dear reader, that when the modern version of such an attack occurs using cyber weapons, we do not have a similar reaction? One explanation is that most cyber attacks have been less spectacular. They do not, for example, require that your secretary dive for cover under her Ford truck in Parking Area B to avoid a bullet in the head. Cyber attacks are much more devious and subtle. They hit quietly.

But this does not make them any less devastating to society. In fact, their invisibility makes them insidious and difficult to prevent. What’s more, we’ve outsourced most critical infrastructure protection to the private sector – and perhaps unwittingly. The shift occurred with no hearings, no legislation, no executive orders. Enterprise security teams simply inherited the responsibility, often with no change in budget or authority.

I had the great pleasure to spend time last week discussing these issues with my new friend, Adi Dar, CEO of Israel-based Cyberbit, a subsidiary of defense electronics firm Elbit Systems. Adi shared with me the advantages of addressing cyber security from the perspective of a warfighter. “We've tried to extrapolate the best techniques for traditional physical defense,” he said, “into commercial tools for modern cyber security.”

One observation I’ve always had trouble accepting, but that Adi stressed, is this: The enterprise security team is now the frontline for cyber civil defense. This is profound, because CISO teams were created to install McAfee on PCs, and to scold people who stubbornly share passwords, and to babysit PCI QSAs during site visits. How did these often poorly funded groups – we all might ask – become our virtual national guards?

Well, it happened quickly and quietly. The good news, if there is any, is that cyber security solutions are improving, and companies like Cyberbit contribute to this evolution. Unlike most cyber start-ups, Cyberbit built its portfolio on the strength and foundation of real defense projects. “Our solutions grew from the practical needs of the Israeli government in dealing with emerging threat actors,” Adi explained.

The portfolio from Cyberbit is telling: It includes, for example, cyber range training and simulation that should be a requirement for every enterprise security team. Built to create realistic cyber battlefield situations, the simulator will sharpen the real-time skills of anyone fighting an advanced adversary. In the past, this meant trained military. In the present, this means (gulp) IT security teams just learning to interpret a Qualys report.

Cyberbit also offers advanced solutions for SOC automation – an absolute requirement for any protection environment dealing with a capable offense. Few modern CISO teams have considered the advantages of automated workflow to deal with real-time indicators. This is cool stuff, and I’m glad Cyberbit is bringing modern warfighting methods to commercial business teams. It should help us sleep at night.

The ICS, SCADA, and endpoint solutions from Cyberbit were also born in government. All address the most advanced threat, rather than the ankle-biting sort that has been the preoccupation of too many enterprise security teams to date. If we are going to push IT security staff to the front line, then we need to train them with the best tools for dealing with the toughest attacks. That is our global challenge.

I fully recognize that spinning commercial subsidiaries from defense companies is not a new idea. General Dynamics, Raytheon, and others discovered the value of spinning off teams for commercial security years ago. But the unique solution approach at Cyberbit, where offerings are driven from programs, and not the reverse, is an excellent way for us to honor our civil defenders – that is, the humble enterprise IT security teams.

Let me know what you think.