Mike Lloyd, Chief Technology Officer at RedSeal Networks, discussed the importance of Big Data and Security Analytics for organizations.
Jason Redlus: Tell us about your background and how you eventually found yourself as the Chief Technology Officer at RedSeal Networks. Did you envision getting swept into the information technology space?
Mike Lloyd: My background is in abstract mathematics and statistics. There’s an old comment about who goes into statistics – those who are good with numbers, but lack the personality to be an accountant. But curiously, I’ve been doing essentially the same thing for nearly 30 years now – about once a decade, we change what we call it, but from my point of view, it’s the same. As an academic in the 80s, I got a doctorate in epidemiology – models of the spread of disease in a population. Those are all about neighbors – one person gets a disease, and they give it to their neighbors, who give it to theirs and so on. Then, in the 90s, I got to California and joined a startup doing network management. And how do network routers work? Well, one of them knows a network address, so it tells its neighbors, and they tell their neighbors, and so on. (That company – Netsys Technologies – was acquisition number 14 into Cisco, quite a while ago now.) In the 00s (oh-ohs), I moved from modeling networks to changing them, using advanced BGP tricks (a company called RouteScience that we sold to Avaya) – more of the same complex networking. And in the last few years, I found my way into security, and amazingly enough, it’s the same problem all over again – viruses, and spread of malware, over complex networks. So really, I’ve been doing the same thing all along – I suppose that means I lack imagination, or that I’ve found my real niche. The fact that we now use this same math for IT Security is interesting – I really enjoy this space, it’s highly dynamic, with a shifting enemy, and a lot riding on getting it right. But for me, it’s still the same work – teaching computers to think about complexity, so that we don’t have to. (I like visuals too – I talk about my job as playing with electronic crayons.)
What do you see as the big challenges in information security today?
In a word, “complexity.” Of course, I would say that, given that I’m a complexity specialist, but I really think it’s demonstrable, and I think professionals in IT Security agree with me. Every security team I meet is overloaded, understaffed and drowning in data. Nobody says, “If only I could get some security data” – we already attacked that problem, but like a dog chasing a car, we’ve got to figure out what to do now that we’ve caught it.
It doesn’t seem that the problem is really lack of funding – it’s lack of people. Even extremely wealthy organizations seem to agree – it’s not that we can’t pay, it’s that the talent simply isn’t out there. As one Wall St CISO put it, “We have negative unemployment in this industry,” and I think he’s right. This is a big challenge. We’ve inherited infrastructure that’s overgrown, out of control, and that nobody really understands in full, and we’ve got attackers who have adopted automation in a big way, so they can hunt down whatever defensive gaps you leave. We started out blind, so we deployed lots of sensing, but then we found the data just sits there in huge heaps, for want of smart people to make sense of it.
There is a lot of talk about big data in security. What is your perspective?
That’s right – Big Data is the flavor of the month, and not just in security. I’m happy to see this in general – it’s just recognition that data is critical to business decision making. In principle, this has great potential in our domain – what we generally call Security Analytics. But I see serious challenges ahead as we try to apply Big Data technologies developed for other problems – many of the standard tricks just won’t work. Most business decision making is about trends, about the herd – who’s buying what, which product lines are hot? Security is mostly about the opposite – who’s the outlier, and what are they doing that makes them different from the herd? It’s not a simple thing to invert the normal trend-identification tools from Big Data to study the off-trend, the abnormal. Some people hope that we can just subtract the trend and we’ll be left with the interesting data, but it’s not true – any statistician will tell you that once you subtract the trend, most of what you have left is noise. Sorting the signal from the noise is possible, but it’s hard work, and it’s all new data science.
Some people think I’m too pessimistic about this, and I don’t mean it that way. I do believe very strongly in Security Analytics, based on Big Data. I just think it’s harder than people anticipate – what we find is that data mountains need data mountaineers, and as I said earlier, the typical security team is more short on people than any other resource.
So that sounds challenging. Do you have any advice?
Sure – like climbing a mountain, security analytics is hard, but it can be done, and if you have the right temperament, it’s pretty exciting work. Let me shift off the mountain analogy for a second. When talking to people about Big Data and Security Analytics, I often ask them to imagine a World War II “war room” – think of the classic table in the middle of the room, with a map of the field of battle on it, and with people moving around counters to represent troops. Around the edge of the room there are telephones, with data feeds coming in from the outside world. There are specialists who take this outside data feed, process it, compare it to other intelligence, and then feed the updates to the people maintaining the map. This is how Security Analytics should work – you need to visualize the battlefield. The trick is to automate as much as possible – to take most of the people out of it, except those who are looking strategically at the situation and acting decisively.
The trouble, though, is that this vision is not easy to build today. Most organizations don’t even have the table in the middle – the map of the terrain, let alone a good list of counters to put on the map. Processing the incoming intelligence feeds is a real challenge – in a real war room, that’s hard to automate. In security today, there are many people working on this problem, and in my opinion we’re making great progress, but sometimes I think people are expecting instant enlightenment, when as an industry we’re still screwing together the pieces of wood to make the table in the middle of the room.
What can a CIO or CISO do to get to the next level of Security Analytics?
We’ve learned a lot about the real world challenges in security analytics by now – about the way that most organizations don’t have a map of their infrastructure, or can’t process a single data feed effectively, let alone correlate them. Going back to the mountain analogy, we know where the mountaintop is, but it’s a long way up from where most CISOs and CIOs find themselves today. So we’re focusing on carving steps into the mountainside – making it easier to take steps towards that goal.
I talk to a lot of organizations about process maturity – about the journey towards Security Analytics. We break that journey into four major phases – four steps up the mountain. The first is to gather and map the environment – if you haven’t got a map, you can’t see anything, and you can’t manage what you can’t see. We are visual decision makers; every military commander knows this. This first step is almost a whole discipline unto itself. I sometimes liken this to one gear, out of a set of four – the idea being that the map is not the end goal, it’s a process. No map is ever perfect – as we like to say in mathematical modeling, a one-to-one scale map is pretty difficult to use – you can’t fold it up and put it in your pocket. So maps aren’t perfect, but you need to set up a discipline of gathering the best data you can, with automated indications of where data problems exist. Getting this process – this gear – spun up can be its own reward, even though it’s not yet getting you to the mountaintop.
The second gear is element analysis – classic rule-based testing, which still has a role even in advanced security analytics. Most security mistakes are still basic, with well understood remediation, so we have to automate the hunt for basic compliance with industry-wide best practices.
But clearly, that’s not enough to achieve full Security Analytics. The next level – the next gear – is to use system-wide analysis. Don’t just put pieces on the map in the war room – assess the situation, automatically, daily, so that you can tell the impact of the challenges. Like any wartime commander, you will always have challenges – you will never be able to fix everything, but you have to know how capable you are to withstand attack anyway. An important point that a lot of people miss at first: you can’t get this from checklist thinking, looking at elements and compliance, in the “gear 2” sense I just talked about. You have to use system-level analysis, to look into interactions of our complex security defenses. This is the only way to uncover the significance of the findings, and to know where you really stand. By this point, your organization is making serious progress up the mountain.
Gear four, the final level that we can deliver effectively today, is automated risk assessment. As I say, most organizations have a lot of work to do to build up the basic “war room” for security analytics – it’s important not to aim right away for the top of the mountain. Some managers think, “If I make a vast enough pile of data, then I’ll be enlightened” – it just doesn’t work that way. A realistic goal today is to pull together your defensive information, and run “war games” or automated simulations of attacks, to find where your most important defensive gaps are, or where your next investment can have the biggest payoff.
What is your vision of the future of Security Analytics?
As I’ve said, there’s a great deal of Security Analytics that we already know how to build. However, we’re far from done. In the war room analogy, there are the “intelligence analysts” who process the incoming data – in real situations this is a high-pressure, high-skill, ultimately human task. The big question for our industry is, “How much of this work can be automated?”, and frankly, the jury is still out. Lots of organizations are putting a lot of energy into finding out.
I’m a cautious optimist on this point – I do think we can achieve something I’ll call “semi-automation” of processing for intelligence data. However, I want to be clear: I don’t think you can really deskill and automate away the job of a security analyst. There’s a great example of this from a different domain: chess. Garry Kasparov has some very interesting insights on the difference between human and computer chess. Of course, he would – he was a target, and eventually we got a computer to beat him in a match. But nowadays, he makes a great case that we got the question wrong. The really interesting question is not, “Who’s better at chess – a human or a computer?” – the really good one is, “How do you play the best chess on earth?” As it turns out, the answer is not “a computer.” The answer, as he and others have clearly demonstrated, is “with human/computer teams.” They have a name for this – it’s called Advanced Chess, for the simple reason that if you enter an Advanced Chess competition as a solo human or solo computer, you’re going to lose. We can see why – humans are great at intuition and big picture, but we’re terrible at details – we get tired. Computers are the opposite – they are inexhaustible, but dumb. So the best chess comes from joining the two in the right way.
I believe this is the path forward for the security industry too – we are building Advanced Security, meaning the ideal mix of human intuition and big-picture thinking with the right computer automation to assess every detail and every interaction, so the human makes no mistakes. This works for chess, and it works for defense of critical IT infrastructure too. I’m very happy to be part of the industry figuring out how to play the game at whole new levels of skill.
Dr. Mike Lloyd has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal Networks, Dr. Lloyd was Chief Technology Officer at RouteScience Technologies (acquired by Avaya), where he pioneered self-optimizing networks.
Dr. Lloyd was previously principal architect at Cisco on the technology used to overlay MPLS VPN services across service provider backbones. He joined Cisco through the acquisition of Netsys Technologies, where he was the senior network modeling engineer. He holds a degree in mathematics from Trinity College, Dublin, Ireland, and a PhD in stochastic epidemic modeling from Heriot-Watt University, Edinburgh, Scotland.