CarahCast: Podcasts on Technology in the Public Sector

Protecting Government and Corporate Supply Chains Against Key Cyber Threats at Scale with IronNet & AWS

Episode Summary

Supply chain complexity is rising, and the public and private sectors are stronger together. The resulting approach is called cyber collective defense, and it’s changing how businesses and the federal government protect their supply chains.

Episode Transcription

On behalf of IronNet Cybersecurity, AWS and Carahsoft, we would like to welcome you to today's podcast focused around protecting government and corporate supply chains against key cyber threats at scale. General Keith Alexander, founder and co-CEO at IronNet, and Sandy Carter, vice president at AWS, will discuss how a collective defense strategy can allow federal agencies to better understand their threat landscape and create shared situational awareness and collaboration.

Jamil Jaffer: We're very excited to be here today and to participate in this webinar about a critically important issue of protecting supply chains in this currently challenging cybersecurity environment. I'm particularly honored to be kicking off this webinar with two esteemed speakers, Sandy Carter from AWS. Sandy is a VP for public sector partners in programs at AWS. She's a world-renowned author, the author of Extreme Innovation: 3 Superpowers for Purpose and Profit. I was [inaudible 00:00:59] upon her research at Carnegie Mellon University.

She's got extensive experience in the cybersecurity arena, and serves as the chairman of the board of Girls in Tech and adjunct professor at Carnegie Mellon and in a variety of other roles. Sandy, we're so pleased to have you here today to quarterback this conversation.

And of course, we're also joined by General Keith Alexander, as Brandon pointed out the founder and co-CEO of IronNet Cybersecurity. Prior to starting up IronNet, General Alexander served for over 40 years in the US military, including completing a service as the director of the National Security Agency and founding commander of US Cyber Command. So with that, Sandy, over to you to ask some questions and [crosstalk 00:01:39].

Sandy Carter: Awesome. Thank you so much Jamil, it was awesome to be here with everyone, and hopefully everyone is ready for a phenomenal Q&A with General Alexander. I am a huge fan and I know many of you are as well. General, could you... There you go. Join us up on the screen.

General Keith Alexander: Yep.

Sandy Carter: Thank you. Welcome. How are you doing today, General Alexander?

General Keith Alexander: How're you doing Sandy? And Jamil, thanks for the great introduction, Jamil.

Sandy Carter: Yeah, we're excited to have you. How could it not be a great introduction with all the great things that you've done? Okay. I'm going to start us off with first a simple question, but a really important question for us, I think General. I noticed today there was a new report that came out that said 94% of CIOs for organizations, government agencies are concerned about cyber security. Could we just start out with a real basic question? How do you define cybersecurity?

General Keith Alexander: So cyber security is a security of your digital devices, your applications, your protocols, your software and networks. As we look at what's happening today in the digital environment, especially when we shelter in place, this becomes very important for companies that have their employees spread throughout the world and they have different devices coming in. So securing those devices across all of that enterprise is becoming a huge issue for all these companies. So I'm sure it's probably now at 96% just after that statement.

Sandy Carter: That's right. It is really important. It was always important before COVID, now it's even more important. And in fact, I was just reading the first hundred days, post-COVID report, I guess, during COVID report. And I'm curious General, what do you see as some of the very top trends in cybersecurity that everyone on this call should know about?

General Keith Alexander: I think there's a few trends that are really important for cybersecurity. First, understanding how adversaries get into your network, and the gaps they exploit, and filling those gaps is a very important concept. Most companies use signature-based only, and adversaries know how to get around signature-based by manipulating software and coming up with other command and control sites. So going to a behavioral analytic product to fill that gap is very important.

In doing that, it also provides the opportunity for companies to work together in collective defense. So those are the two issues that I think are going to really change the way we think about cyber security. Imagine if you would that our air traffic control system networks all the radar systems around the world, so that we have a common view for airliners and air traffic as it passes around. We don't have such a picture for cyber. And the consequence, each company defends themself.

We have sharing agreements and people can share what they know, what they can't share is what they don't know or what they might think is a problem. So imagine now if you could bring that picture to life and share, this would be a huge jump.

As an example, if you take the midsize bank coalition, 90 banks out there, and let's say each of them have 10 people in their security operations center, they're working on their information, and what they see is what they know. Imagine instead of that group of 10, you took all 90 and you put them into a pool of 900 working collectively on this problem set. We're going to see a change in how we defend in cybersecurity by using that collective defense approach.

And it's based on using behavioral analytics to create events and signatures, putting all that together using cloud-based solutions, you might be familiar with some, to now pull that data together and blast it back out so everybody sees the attacks. So I think that will revolutionize the way we think about cybersecurity in a very positive way.

Sandy Carter: That's a really interesting analogy. So based on that and how important cybersecurity is, do you feel today that cyber security has been raised high enough in the organization or to the right level in the organization to think about this concept of collective defense, if you would?

General Keith Alexander: So this is the challenge that CISOs face. How do we educate the C-suite and the board recognizing that many on the C-suite, not me, of course, but others are over 60? And their insights on the digital realm may not be as good as those who are born into it.

I look at my grandchildren, yes, I have 16. They play Fortnite, they are born on the web. They know how to do all this. Most of the C-suite that I run into are familiar, but they don't really understand it. So they see, I bought this product, I bought this product, I bought this product. I put all those together. I think I'm good. And the reality is you may not be good.

Many large organizations use up to 90 or more different capabilities, just integrating them is a huge problem. Integrating and updating them is not obtainable for most organizations. And the consequence, there are gaps that are created. And those gaps are what advanced threats exploit.

So helping the C-suite understand that is very important. I think giving them the insights and the analogies is where it really helps. I found in talking to some of our customer boards, that's been very helpful. They can use the analogy, they can understand that air traffic control, okay, that makes sense. Why we upgrade our [inaudible 00:08:12] radar speed.

We don't have somebody sending a message from one radar station to another saying, "Here's what the threat looks like." Or, "Here's where the airliner is right now." Imagine that, and that's the speed of an airliner is 500 plus miles per hour, but the speed of a packet is at the speed of light. Yet we're parsing that by email, and updating people that way.

So helping boards understand what needs to be done, that's the first part, and also helping the boards and C-suite understand the investment to go after risk is the second part. Many of these companies, reputational risk is on the line as they protect personally identifiable information for the customers they support. So, that becomes very important.

Sandy Carter: Awesome. So I think those are some really good lessons because I do believe that educating the board is really important because it is important for everybody to understand what's going on. You noted that the global threat environment is becoming more dangerous, and in particular, you highlighted some of the concerns that nations, states have and the heightened threat level. So where do you see particular areas of concern for the industry, particularly supply chain that various companies and agencies do rely upon today?

General Keith Alexander: That's a great question. I was just on a call earlier today with one of the government agencies looking at just this, how do you protect supply chains? And that's a very tough issue. As you know, the supply chains go way out and it spreads. Target is a great case in point, when you think about their supply chain and how they were hacked.

So the issue really becomes, how can I help my supply chain recognizing that many of the people who work in that supply chain don't have the revenue nor the capacity to really run a good security operations center? And in the Target case, they were using free software that was lagged behind, so they didn't see the threat. The supplier that added in the air conditioner supply. So when you think about that, what companies are now looking at and what many of our customers are saying, can you help us secure the supply chain?

Now the good thing about the cloud, yours and others is that you can do this more efficiently with the cloud, and really help them monetize this in a way that allows them to protect their supply chain and the roads into their company, and ensure that security using that kind of a collective approach.

What would be interesting, especially when you go up to things like the defense industrial base, you want to defend our nation's secrets and others are trying to steal those. And if you think about the development of programs in that defense, industrial base, there are thousands of companies that work in that supply chain. So getting an umbrella over them to help secure them is part of our future. And helping to educate people on just what that means is part of our future. We've got to do it.

I've seen numbers that are North of greater than $500 billion a year is stolen from this country in intellectual property. Every year. And so when you think about that, that's our future. And it's these little companies that are the innovation engine for that future. And people come in and steal what they're doing and replicate it elsewhere.

Sandy Carter: Now, General, you mentioned the cloud, and I get a lot of companies debating, is the cloud as secure as on-premises? And you just made a statement when you were talking about the supply chain that the cloud will help. Can you explain that? Do you think the cloud is more secure than on-premises?

General Keith Alexander: I think it can be, and of course the key is in securing. So when you think about the new operating process that we're going to go through, how do you connect all your people together into one environment? The cloud is going to be part of that. We already do a number of key applications for companies in the cloud, Salesforce, ServiceNow, IronNet's cloud, all those.

So you think about everybody's going to be operating in the cloud. And the cloud, if you think about the cloud, not as just a fuzzy object up there, but it actually has a great connection. So for Amazon, as an example, you have your ingest or your VPC flow logs. You have CloudTrail to track what's going on.

You have a way for companies like us to help by taking that data and looking for anomalies, we've been very successful in doing that, and see what processes a company may have operating in the cloud and bring that picture back together.

So the key is bring all that back together for companies as we go forward. So when you think about the cloud and how you're putting it together, we're going to have these hybrid capabilities in the future. It's there now, you're seeing it. You go to run applications there, it's more efficient.

Companies are moving data centers to the cloud. Getting the protection in the cloud is key to that. And the cloud companies, Amazon, Microsoft, Google, IBM, and others are going to race to secure that and show they have the best security.

And from my perspective, it is by bringing a comprehensive view of how companies work and help companies understand how to manage that risk. That's part of that future. I believe for all the small companies that we talked to, they would be more secure in the cloud because they can do things in the cloud that they can't do with their own infrastructure. So I think that's a value added.

So rather than try to stand up their own little data center and then try to run it and operate it, go to the cloud. And I think that's where you'll see a lot more go and those connections through VPNs and in the case of Amazon, going up there and now bringing things together, that will be part of our future.

Sandy Carter: Great. Thanks General. I know if you guys have more questions on this, there were several reports and things. So just let us know in the chat or in the Q&A, and we can get you some of those reports as well. So General, the next question I want to go to, I'm looking here at the topics that the audience really is interested in learning more about, and it's primarily trying to figure out the landscape of what's happening out there. What's the threat landscape look like?

So I know the Cyberspace Solarium Commission just recently issued a report called the New Social Compact around the concept of this collective defense that you mentioned earlier. So just so everybody knows the collective defense is the idea that companies and agencies will work together in real time to determine the most effective way for industry and the government to respond at scale and scope of threats that we face. So can you explain how the move could also enable that kind of collective defense in the concept of that threat landscape?

General Keith Alexander: So let me do this in two steps. Let's talk about the threat landscape and what's coming at us. You see last week, a fairly significant attack, supposedly by China on Australia. And this was over a disagreement in the way Australia and China see several issues.

You may be surprised to hear that we have differences with China on a whole set of issues. And we have differences with Russia, Iran, North Korea, as do many countries. COVID is highlighting those differences. And when you think about the way that they were attacked, because they defend individually, and the government cannot see attacks on those individual companies or agencies, the impact is significant.

So the concept of collective defense says, let's take two parts. Let's create that radar system of threat related data, and that personally identifiable information, not the content of communications, but threat related information and share that so that all the companies that are working together understand what threats are coming at them, what's being done to secure them, and the government can see what's hitting them, hitting their nation and see how to stop it.

So if we could change immediately what's happening for example, in Australia, the first thing you do is say, "Look, let's put together your financial sector, your energy sector, healthcare sector, your government, all these different sectors, build those up into a collective and create this picture.

And now look at what's hitting you from all these different sites and then use that as a government to push back on whoever the attacker is, in this case, China, and show where that's coming from and how their command and control is going. And illuminate that not just to protect Australia, but for the rest of the world to see. We would call that name and shame. And as companies do that, we can help secure cybersecurity. So that collective defense strategy I think is critical for our future, and I'm glad the Solarium report had that in it.

Sandy Carter: Awesome. There are several questions coming in in the Q&A box, and I'll try to insert those in with the General as we go as well. And General, I'm going to take one right now because I do think it's really interesting. It comes from a Kathleen Davis. And she asks, the concern that she has is first recognizing the landscape. So you did a great job on that, but she wants to understand something about the added cost of migrating to the cloud to get to some of these security areas and some of this continuous monitoring. So does this collective defense plus the cloud plus the continuous monitoring, does it add to the cost and how would you justify those costs?

General Keith Alexander: So there's two parts to this, and that's, that is a great question, Kathleen. And I'll tell you what I did in government. So we had the same set of issues as how do we fund the cloud as we're moving different elements of our government capabilities to it? And instead of renewing some of our desktops, we went to virtual. So that was part one.

So when we use that 25% a year, then we moved 25% to the cloud, we could do that. There will be some expense. There's no doubt about it. When you think about... I'm dating myself, but you think about in the '90s, I was six at the time, I'm pretty sure. But if you go back to the '90s and you think about your phone, you had a phone, a wire phone in your house and it cost you $29 a month. That's your phone bill. Now you pick up your phone and you look at it, you're paying 200 bucks a month. And the reason is is you can do more on this phone than you could on the other. And the difference is worth it.

Now, when you think about transitioning and transforming companies to the cloud, what you'll be able to do are things that you cannot do in a still environment. It's not only security, it's visibility, it's a connectivity, it's running applications in the cloud. And in the aggregate, it will be cheaper, but you'll be doing more data.

I think nothing is as free or cheap as we think it's going to be. So Kathleen, that's a great question. I do think it may cost more, but this is where educating the board on, it costs more, but you're going to go to the cloud for a lot of things. It's digital advertising. It's Salesforce, it's all these different things that operate in the cloud right now, you're going to do that. Everybody's going to do that because it's part of the future.

And by the way, this can connect to the cloud. My phone, it can connect to the cloud, my computer, all of these things now are starting to connect. And as we do that, the attack surface is growing. So cybersecurity becomes an even greater issue. So educating people on the benefits of digitalizing in this new digital economy, and then the costs that go with it is part of that key.

I found that in talking with CEOs and CISOs, when the CEOs heard both sides, they funded it, not everybody's in that camp. Oftentimes it takes an event to get the CEOs to say, "Okay, what do I got to do to fix this? So it's not on my books. So Wall Street or the SEC, I want to make sure I do everything right now, put money on it." Don't wait to that.

And I think this is where we in the cybersecurity profession have an opportunity to inform people about cybersecurity. I'll tell you that, that was my experience in government working with both President Bush and President Obama. Both of them understood intellectually, this is going to be a big issue for our country. How do we go fix it?

And what they understood is, okay, at the end of the day, both would say, "Okay, I don't technically understand you handle it, work with Secretary Gates or this person here, but go work that." But they understood that it was important for our nation.

And that's where we've got to get the C-suite and boards. And I think events like this can help. And we do a number of discussions with boards as well as does the National Association of Corporate Directors.

Sandy Carter: Awesome, that's great. So I think we heard, and I see lots of people commenting on it's about getting buy-in about really understand the buy-in, that was your first point General upfront. Training and education are crucial. And I like your analogies, because I think that makes it real as well.

I'm going to go on to the next one, because the next big question is how do we create this shared situation? So what I would like to know is, this works for public and private sector. How does IronNet deliver on the promise of this collective defense for any customer, public sector, private sector, how do you guys do that?

General Keith Alexander: So this was the longer part, was getting all the lawyers involved in the companies to say, "I can share these events and I don't have reputational risk. I don't have all these risks. How do I do that?" The energy sector to be really transparent, especially CEOs like Tom Fanning out of Southern, Nick Akins out of AEP said, "Look, keeping the grid up is our top priority. We will work together. We will share data and in a collective to ensure the security of that network."

And so in doing that, what they saw is that if they could share and we are now sharing that data, you have better defense. And what that means as you share events from behaviors, understand the behavior can be good or bad. So beaconing is a behavior, bad guys use beaconings to see the health and welfare of their malware implants in your system. Good people use beacons to check the health and welfare of their software on your system.

You may have a 100,000 beacons. For us to detect a beacon, you'd say, "Great, you found all the beacons." If there's 100,000, 999,998 are good. And I say to you, "You got to find the bad two." You're going to say, "Whoa, that's a lot of work, especially if it takes 30 minutes for a beacon or five minutes for beacon."

So you want software and an expert system to run, this becomes critical, and this is one of the things that we've added in. It's an expert system that looks at all those types of events, rank orders them, and then populates those up and say, here's events that look suspicious. And then they can look and cross-correlate that by behavior with other ones and say, "Wow, five of us have the same behavior of that type of beacon. That's odd." That means somebody is trying to get in.

And we all benefit because in seeing that light, we can do that. And because there's no personally identifiable information, there is no content that can be shared with the government to say, "Look at this. Some nation-state or threat actor group is trying to get into this sector for bad reasons." Whether it's the FBI or defense department or the Intel community, they can now go look at and see who's trying to do that.

And that's where other nations are going to do the same thing. Then nations can look at this and say, "Let's take Australia and the United States. I like the Australians. They have good food and a great sense of humor. And they're being attacked." Imagine if they shared the attacks that are going on there at net speed with other nations, other nations could say, "Wow, I see indicators in my infrastructure of the same types of things." We would all be better defended.

So I think that also creates a way of partnering, not only within a country among all these sectors, but among countries for a collective and common defense for the future. I think we're going to see that happen.

Sandy Carter: Interesting. And I think your point about using machine learning to identify reduces the cost because now you're having teams just focus on really what matters. So back to Kathleen's question earlier about the cost, there are different elements in here that can help you reduce costs and make you more effective as well. It is probably one of the big points that I got out of what you just talked about.

General Keith Alexander: That's correct.

Sandy Carter: Another question I wanted to ask you about is we're going to stay on collective defense for a minute, and then I'll switch over to Stewart's question. So if you think about the collective defense, can that help address some of the workforce issues by allowing smaller companies? So some of these small subcontractors with less resource in the supply chain rely on larger security operations teams of bigger companies like prime contractors, what do you think?

General Keith Alexander: That's exactly right. And I should have mentioned it. Knowledge sharing is a key part of this. So when you look at all of the types of malware that's out there, it's phenomenal. There's all this stuff going on. And you say, so what's a domain generation algorithm? Why is that important to me? Or what's DNS tunneling? Domain name server tunneling. Why is that important?

Having an expert in that area saying, "Well, here's what's going on with DNS tunneling." And why that's important. So when I see something I can put in anonymously, this is DNS tunneling. Here's what it means. Here's why it's important. And when I press send, anybody who has that type of event would see that. And if it's malicious, everybody can benefit from it and say, "Wow, I'll be on the lookout for that." So that knowledge sharing really becomes the key to the future.

Many companies cannot afford a tier three, a top level cybersecurity analyst. They're going to go work for the big companies that pay a lot of money. So you're going to end up with a tier one, a lower level who can learn and become a tier three. And the best way to do that is by sharing knowledge and learning by working together. So that knowledge sharing through crowdsourcing is exactly one of the key things that we're driving.

Then if you add in what you mentioned that are machine learning and AI, you put that in there, there are two aspects of this that really help drive this system into the future. And that becomes important when you think about how adversaries are going to attack us. They're going to use polymorphic malware. Malware that they can adapt and trend really quick using multiple command control sites to attack a nation and enterprises within. To detect and block and fight back on that, we're going to need machine learning and AI on our defensive perimeters as well.

You can't do that with a signature-based system because you know the signature and that's all you have. And the polymorphic system works around it in a signature-based system, you gotta go find it again. What we're talking about is using a behavior. Think of this as an n-dimensional array and n-dimension space. That anything that bubble that has to do with that behavior, we would see and identify as that event and everybody would benefit from that right away. So that machine learning AI, crowdsourcing, knowledge sharing is part of that future and where we're going.

Sandy Carter: That's great. That actually dovetails really well with Stewart's question. And again, I know we have a great audience out there. If you guys do have questions, enter into the Q&A, we've only got about five to seven minutes left, but if you put your question there, I'll attempt to get to those too.

I love Stewart's question because I get this question a lot. So there are so many individuals out there running hundreds and thousands of fake accounts, both foreign and domestic that attempt to influence public policy or corporate operations. How do you manage that? What do we do? What can we do about those fake accounts, if you would?

General Keith Alexander: So there's a couple aspects of a fake account. Now there's a fake account that's been created for perfect purposes. And then there are people who hijack credentials and go do something. Both of those are bad, right? So put both of those in there.

One of the ways that you go after that is by knowing how different elements within a company work. So let's say I'm an IT person, I normally do these sets of things. So you have a set of behaviors that indicate how your IT group works. What's normal or what's abnormal. Behavioral analysts can identify that.

For phishing like activities for people who are coming in to phish, now that's a whole different story. So there is phishing software. Of course, the problem with phishing software is the people who are phishing, figure out how to get around it.

So you need another set of behavioral capabilities to detect those phishing things to get by. We're very successful in doing that. Detecting when somebody says even the best trained people will click on something that really looks good.

Sandy Carter: My dad does this all the time.

General Keith Alexander: So when you think about that, so what you need is you need to stop that when a human makes a mistake, the machine's got to say, "Oop, he just made a mistake. Something's up. Tell somebody. He just passed these credentials. Let's go fix this." And solve that right there at speed. So you've got to have a capability to do that.

I think there are people who use multiple names, multiple sites out there, some are doing it just for good. You know, you have your work address, you have your home address, you have your kids' address, email addresses and stuff. So there are good things on that. And then there are people who use it for bad.

There are people who use modifications in names to get by and set up URLs that look real until you look at it really closely, and you see that L is really 1 and the machine would see that right away, but human might not. And the consequence is, it's going to the wrong site.

So this is part of how we've got to be educated and informed in the future, and how we've got to build a system that can detect just what I was talking about into the future. And, oh, by the way, if you're wondering, it is coffee, just so I'm clear.

Sandy Carter: Thank you so much General. I appreciate that. So I'm going to do one more question for you and then we'll start to close out. So this is coming in and some of the topics that the folks on the phone were interested in, and some of the questions, if I could group those together. The question is, can this process of collective defense, can it really scale? And do we have the people and the capability today ready to make that a reality?

General Keith Alexander: First, I believe it can scale. And I think that's part of our future. There is an awful lot of data, but this is the way we're going to secure our networks in the future. And what we have to get really good about is in the way we bring that data together is to take the elements of the data that we need, not all the data.

So when you look at communications, you don't need the content of communications. What you're really looking for is the behavior of packets within those communications. Is that normal? And if not, why not? And so you're going to scale that down automatically and then share that.

I believe this is part of the future for us. To understand what's going on, and to have ways of communicating that information at network speed among all these different groupings within a country and among countries, I do believe it'll scale.

Of course, this is where cloud providers are going to continuously increase the performance of their cloud capabilities just as on-prem computers continue to improve. And so as the clock speed and everything continues, you'll get better performance in many of these, but we have seen our performance is fine and we can keep up with that speed and we're growing at asymmetric pace. So I think that exponential growth there will be huge for us. And I think it will show people what can be done.

Sandy Carter: Outstanding. Thank you General. First, I can listen to you all day, and it seems like you haven't lost one person. In fact, your audience has grown. So that's awesome. Hopefully you found this very helpful if you were on the line. If I could summarize some of the points besides all the great analogies that you do, you're the analogy king, I think, General, for sure.

Buy-in, make sure you have the right level of education, the right training. Look at great solutions that use some of the new technology like IronNet does with artificial intelligence and machine learning, and allow that to help you scale with everything that's going on overall in the threat landscape. Any other words of wisdom General, that you'd like to add for us?

General Keith Alexander: No, I'd say for all of you who are involved in this process, thanks for what you're doing. When I look at how our country started 250 years ago, I wasn't there just to be clear, it was citizens, soldiers working together to defend this nation. We now find ourselves in an interesting era where our nation's wealth, our knowledge is all on this network. 90 plus percent of that is owned by the commercial and civilian infrastructure.

So we are now in a very similar area where we have to work together with our government to help protect our nation's future. And that's not just us, that's all nations working together and doing that. And I believe the way to do it is through collective defense. And many of the ways of talking about this in the past, divided we fall. United, we stand. Well, that's what our country is built on and many others, and that's why we have governments. So I think this shows a path to the future for everybody. So thank you. Thank you, Sandy, for hosting this. Greatly appreciated.

Sandy Carter: And I want to do a big call out of thanks to Carahsoft as well as IronNet. General, I want to thank you for your service and everyone who participated today. Thank you so much again for your service, as well as the great questions and the great engagement as well.

 

Thanks for listening. If you would like more information on how Carahsoft, IronNet Cybersecurity, or AWS can assist your federal agency, please visit www.carahsoft.com. Feel free to email us as well at ironnetmarketing@carahsoft.com or awsmarketing@carahsoft.com. Thanks again for listening and have a great day.