CarahCast: Podcasts on Technology in the Public Sector

WHEO Foundational Concept: Threat Intelligence Sharing to Drive Predictive Security

Episode Summary

Please join industry experts as they discuss White House Executive Order 14028, Improving the Nation’s Cybersecurity focusing on improving Threat Intelligence sharing and predictive security.

Episode Transcription

Speaker 1: Hi, everyone, thanks for joining our executive perspective series featuring the White House executive order and more. Today's session is called WHEO Foundational Concept: Threat Intelligence Sharing to Drive Predictive Security. Our speakers for today are Brianna Farro, Principal Engineer and Global Technical Director at McAfee; John Amorosi, Solutions Architect and Cybersecurity Strategist at McAfee; and Jason White, Solutions Architect at McAfee. At this time, I'd like to pass it off to them.

Jason White: Hello, thank you for joining our latest podcast in our series on the White House Executive Order Number 14028, Improving the Nation's Cybersecurity. As previously mentioned, my name is Jason White, Senior Solutions Architect for McAfee Federal, and I'm joined today by Brianna Farro, McAfee Principal Engineer and Global Technical Director for McAfee endpoint platform and threat intelligence products, as well as John Amorosi, McAfee Solutions Architect and Cybersecurity Strategist. Thank you both for joining me today. If you haven't had a chance to listen to McAfee's previous podcast on this executive order, I encourage you to do so. The format of this podcast, like the previous one, will be a panel discussion with me posing questions to John and Briana as panelists. Today, we're going to be focusing specifically on Section 2 of Executive Order 14028, which aims at establishing improved threat sharing by eliminating contracting hurdles for government partners and contractors that impede sharing of agency-specific threat data, and also by creating expanded logging requirements, mandatory reporting scenarios and standards-based incident sharing. John, my first question is for you. How will enhanced threat sharing improve the government's cybersecurity, given the government's broad catalog of business partners across multiple market segments? Is unidirectional sharing going to be enough, or should the government consider making threat sharing bidirectional?

John Amorosi: Thank you, Jason, for the question. That's certainly very topical for this particular executive order. Tackling the challenge of improving cyber threat intelligence certainly needs to be a multi-pronged approach. Historically, threat intelligence sharing has often been a one-way push and unidirectional informational sharing for organizations to consume out of their existing tools, maybe perform additional investigation, and try to make sure they triage those appropriate threats that are known. Although that data has been proven valuable, the adversaries continue to push the envelope and expand other tradecraft beyond the speed at which these traditional solutions are able to meet the demand. So as solutions start to evolve, they do need to become a two-way street so that organizations can proactively gain awareness into what active campaigns are uniquely targeting their vertical, and how best to keep those particular countermeasures to respond to these threats in a more near-real-time fashion. Other strategies for agencies to consider are how to empower their security technology stack, not only as the engine for protection but to actively participate in sharing potentially malicious content with other sensor classes throughout the enterprise. This in turn allows the establishment of a local threat intelligence database that's unique for that particular agency. For taking this approach, this set of capabilities should be automated as much as possible to reduce the mean time to detection within your organization. For example, a threat first encountered on an endpoint could be evaluated by multiple detection engines, up to and including the sandbox technology, as part of a bi-directional security communications fabric; if a malicious file were to be convicted, that reputation should automatically be known and propagated throughout all the other connected clients in the enterprise, further reducing potential attacks.

Briana Farro: And John, I mean, we have never ever in any organization seen any sort of process or bureaucracy hold up any sort of sharing, right? Not at all. Not at all. I think it's a good point. You know, we were looking to make sure that we're thinking about the sharing of threat intelligence differently. And that's part of what we're all talking about here today.

Jason White: Yeah, absolutely. Thank you. So, Brianna, there's been some talk that this particular executive order is a reaction to the SolarWinds supply chain attack that made headlines earlier this year, which makes sense, since it largely affected federal customers, but early warnings could have prevented wider-spread attacks. What changes have you seen in the industry since these attacks, and what role could cross-sector threat intelligence have played in limiting the impact in a supply chain attack like that?

Briana Farro: Yes, Jason. I mean, the biggest thing that I think we have seen is more of these attacks. You know, for a long time, organizations and entities were discussing how these types of attacks could occur, how critical they could be to infrastructure. You know, even in our own space, we have been participants in some of these types of scenarios in the worldwide warfare on this type of a situation. But in specifics, you know, we've seen the Kaseya attack just recently happen as well, which was very much around using the concept of a supply chain, and how information and management is being distributed to others using a service. And that's been really something that is kicking up. I mean, even the MITRE Engenuity evaluations that McAfee participates in, we've seen that the upcoming round for evaluation is going to be all about ransomware. And that's because it's being used so widely now, and so available, being distributed and supplied as a service to attackers to sign up for almost as a subcontractor, and to leverage in these types of attacks. From a threat intelligence perspective, it goes back to what John was saying: the more information that I have, that I can correlate. And that's where it really comes into play, me knowing about an IP address that an endpoint connected to and John knowing that that endpoint was definitely attacked and infected; believe it or not, that's a huge correlation, if it's an external IP address that I wouldn't normally be seeing in my environment, and there's no reason for communication to occur to it. I see that happen once, but I can't pinpoint what's communicating to it, or I don't know that something definitively happened to the endpoint that was doing so. So I may think that it's some sort of an anomaly or misconfiguration in my environment that allowed that to happen.
But when John knows that his system got infected by it, and it caused a serious situation, our sharing of that information is critical to not just us being better protected, and being able to stop attacks earlier in their lifecycle, but telling everybody else so that they can prevent those attacks moving forward as well. And that's really what we've started to see: all organizations, regardless of what type of business you do, starting to change that mindset. And I think the executive order is a perfect example of that, where you're saying, listen, the way we've done business in the past is not going to cut it; we have to start thinking about how we can share while still being private about the items that we need to.

Jason White: Sure, yeah, no, that makes a lot of sense. I mean, the more information you have, right, the better you can ultimately protect your systems. So, like those "The More You Know" commercials, yeah. Remember those? Right? Those NBC PSAs, right. So, hey, John, if we all agree that improving threat sharing is a great first step for the government, but the next step should be focusing on how to enable threat sharing bidirectionally: given your role as an architect, does the technology for rapidly sharing data across industry segments exist today, and what would it look like?

John Amorosi: Great question. So fortunately, it does exist today, and it certainly dovetails into one of the key tenets that McAfee has been trying to pioneer over several years, and evangelize, to essentially reach the point where we have an open ecosystem and allow for a multitude of security technologies to be as extensible and flexible as possible, so that other vendors as well as other complementary security technologies can benefit from the threat intelligence that they generate, or other third parties can be incorporated throughout that particular ecosystem. So one of those particular mechanisms that we use to share threat intelligence is called the Data Exchange Layer, or DXL for short. It's a very lightweight, high-speed publish/subscribe communications fabric that security solutions can use to distribute new information as it becomes available and is made known. And so one of the first technologies that we built to actually leverage DXL was our Threat Intelligence Exchange, which essentially acts as a local database within the agency to centralize that reputation data, which can inform all the other various downstream DXL clients that are subscribing to that information, whether a file becomes known malicious or potentially known good. So several of our various customers, and even some of our EU customers, have kind of taken the next step to be able to further operationalize that particular threat intelligence, not just within their core network, but with other federated entities or partner organizations and communities that they also participate with. And so one of these particular solutions is known as a threat intelligence platform, such as MISP, and TIPs are able to actually aggregate, correlate and tag various different threat events in a centralized manner.
So based on the various different organizational rules, particular types of threat data can be shared and distributed, and actually made actionable by those other downstream entities. And what makes this pretty powerful is not only are you getting the benefit of that two-way sharing of data throughout all these various different other community partners, but you can actually task additional workflows that can be further automated, above and beyond what may just be considered a known good. So examples might be being able to perform a real-time search, for enterprises using an EDR-type solution. Maybe it's even updating their network security gateways to block malicious URLs or domains or even IP addresses, and even incorporating various different analytics reports from the sandbox solution, so that you have more detailed IOCs to share with the other partners.

Jason White: Yeah, I guess, I guess.

Briana Farro: Actionability? Right, John, that we were talking about? Sorry, Jason. You know, that actionability is what you want to get out of the threat intelligence. What does it mean to me? A big box of mail doesn't do anything for me; I need to be able to take action on it. And you know, John, you probably remember this: when we first came out with the Data Exchange Layer, we used to describe it as kind of like the human body and the central nervous system, because it was that message highway, right, the same way that a neuron is firing information and actions and commands to the rest of the body. If it doesn't have a way to quickly get all those pieces there and respond, like I touch a hot stove, and my body needs to tell me, pull back, you're being silly, you're touching something hot, stop doing that; if I don't have that actionability, and that responsiveness at that same speed, it's not very effective. But I need to be able to do it outside of my body; I need to be able to touch something else and have that same actionability and response. So that actionability is key, and that ability to pull in not just your data or your particular sources, but your entire security architecture, right.

Jason White: Yeah, it sounds like context is important. But what you ultimately are able to do with the data that you've collected is equal to or more important, right? It's great to have a bunch of information. But if I don't know how to put it into motion and actually do something with it, it really doesn't do me any good having that data.

Briana Farro: Yeah, like I'm in an analogy mood today, Jason, sorry. So just one more, but when you're looking at the signs that tell you to walk or don't walk, you know, they've changed a lot of those to have a number countdown, right? Because people used to make the decision on their own, like, ah, can I go? It's flashing now. You know, I have 15 seconds. I have to. And with that context, you can make a better decision on your action. 15? How fast are you? You could probably make it. Two? Probably not so much.

Jason White: Yeah, no, that makes a lot of sense. Now, it sounds like there's a lot that the federal government could even learn from what some of our EU customers are doing with threat intelligence. So that's great. Kind of along that same vein, Brianna, in your role as Global Tech Director for McAfee, you've had the opportunity to work with several McAfee customers across every industry vertical, which kind of gives you a unique perspective, I think. So my understanding is that the financial sector, despite competing interests, has partnered together to share data. Can you explain that? Do you have an example where that's proven valuable? Are there other instances where you think sharing threat intelligence cross-sector like that could have proven valuable?

Briana Farro: Absolutely. So I did work with a lot of financial customers at one point, particularly before I became a tech director, when I was a sales engineer. And it was interesting to see, they knew that in their market space, they were a little bit more unique with the type of business they did, the type of equities that they handled. And so they recognized that other organizations and even vendors couldn't always help them understand what was going to happen to them in the threat space before it did. A lot of times they were targeted first. And this really created this kind of camaraderie, to your point, in the spirit of competition still, of connecting together, and understanding where they needed to discuss common ground, common challenges they were coming up against with regulatory compliance, what that meant for security and architecture, and then ultimately, what it meant in the threat space. And so through organizations like FS-ISAC, they would have feeds, like actual threat feeds, where they would share information, or they could bounce information off of each other, to share it in a safe place where it was confidential to them. So that one organization or entity could give a heads-up to another about things that they were seeing, especially when potentially an attack was going to do something like a follow-the-sun model in a day, or it was going to target a certain organization first or a certain section of financial transactions. And we saw that that was very, very helpful for them, because it really allowed them to be better prepared to withstand an attack, because even if it wasn't the exact same IOC that they received from a business partner, they were actually able to understand and test out what that IOC would have been doing, or what that file and that attack methodology would have been doing. And they could adjust their countermeasures to that, whether it was the exact same attack that was coming out or not.
And that's huge with things like ransomware. So yeah, I think it's hugely helpful and could be helpful in other spaces. And when even vendors like us share information about what we see around ransomware attack types, you don't have to tweak and change your countermeasures to match that exact ransomware entity and actor and methodology. It's going to be common: the tools are going to be common, the attack vectors and the exploit methods are going to be common. So your ability to take that information, and that countermeasure and observable information, and apply it in your organization is really, really key.

Jason White: Yeah, you know, I'd imagine too, just given the fact that the government isn't just a standalone entity, right? They've got business partners across multiple sectors, and what that ultimately does is many of those can even connect them to government networks, right? It ultimately extends their attack surface, right? So it's very important that the government understand threat intelligence within their own environment. But being able to enable those partners, I'd imagine, would pay dividends for them in ultimately protecting their attack surface. Right?

Briana Farro: Absolutely. And similarly, in the financial space, sometimes some of those entities had to exchange or transact information between each other, right, if they were closing out, you know, one mortgage to another or something like that, for example. And very similarly, they might just have business partners or information they need to share on a given basis from a compliance perspective with something like a government entity. So we've been there; they needed to make sure that they were protecting themselves and their partners from transmitting threats or bad information back and forth that could cause or lead to an exploit or an attack. And so exactly, that was critically important. And it was how they helped implement that in those workflows as well.

Jason White: Yeah, that's great to see that there are industry examples that the government can potentially lean on to get some additional insights. So John, one thing that McAfee has been trying to draw out as part of our response to Executive Order 14028 is that many of the individual capabilities that they're asking agencies to deliver on all kind of feel like pieces of building a successful Zero Trust architecture, which is also specifically identified in the EO. So how does a robust threat intelligence layer relate to building a successful Zero Trust architecture?

John Amorosi: They certainly do relate and should work in tandem, especially given the nature of, you know, where Zero Trust is trying to get our agencies to. And so one of the core tenets of the way in which we approach integrating, or having those combined synergies between, Zero Trust as well as threat intelligence is, as agencies begin their journey and continue to explore various different components of Zero Trust in their enterprise, it absolutely should continue to play a key role in informing those policy decision processes as to whether a user gains access to a particular application or resource. So in the past, the decision as to whether or not you gained access to this application was relatively static. And so now, given the nature of all of the various different exploits and vulnerabilities that we're seeing every day, you're able to incorporate threat intelligence from a multitude of different sources, and have multiple mechanisms, especially as they become more diverse, be able to play a role in actually informing the way in which those policy enforcement points are able to incorporate and leverage those additional threat intelligence sources prior to granting access. So I think those two pieces, especially combined with device posture assessment, taking a far more dynamic approach in evaluating risk by using those agency threat intelligence sources, will be able to provide significant benefits overall, especially when trying to incorporate both components of the EO.

Jason White: Yeah, I'd imagine that becomes even more important too, as more and more agency assets are no longer within the traditional perimeter, right? I mean, as more and more people are being granted access to specific resources, being able to evaluate identity trust and entity trust is probably going to be fairly critical to protecting those assets, wouldn't you think?

John Amorosi: Agreed. And I would say, even taking that one step further, we really need to be engineering and designing and building our architecture really assuming that our primary assets and a lot of our very highly sensitive data are no longer really contained or constrained within the traditional four walls and perimeter. And it needs to be on the actual endpoints themselves, or where the actual data resides, whether that be in the cloud.

Jason White: Sure. Makes sense.

Briana Farro: Yeah, John, I mean, I think we need to make that assumption, right, that at some point it's going to land there. And even as we move towards things like desktop as a service, things like ZTA become even more critical. And it's interesting, because ZTA is not necessarily a brand new concept. It's been something that's been looked at for a while, and especially in the government space. I mean, you could argue that they've written the guidelines behind what a true ZTA architecture is, but it needs to be flexible nowadays; it can't be as rigid as it was. And so the best way to be able to allow access to authorized resources, following that model, is to not just have that access list and that authorization list like we used to have. As you mentioned, it goes back to that context, Jason, that you were mentioning before: the more context I have about something will allow me to provide that flexibility of when you should have access to something, even though you're authorized to it and have been granted access, and when you should not, based on, like John said, maybe where your device is, or if yesterday your device was fine and today it's infected.

Jason White: Yeah. Now, it makes a lot of sense. So, you know, Briana, McAfee has a pretty extensive history of collecting threat data. I mean, I've been here for 14 years now, and GTI has been part of our vernacular for as long as I can remember, right. And so through the threat feeds and the research organization that we have, you know, leveraging historical data to build better technologies has kind of been in the fiber of who we are, right. So I'd be remiss if I didn't draw a parallel between what the government's attempting to do in creating their own threat intelligence data lake and what McAfee has done with MVISION Insights. So can you explain how McAfee has improved our own methods of threat intelligence through that particular platform? Are there lessons learned the government could benefit from, or is there an opportunity to partner with the federal government to potentially improve their own data lakes or, in the spirit of being bidirectional, improve Insights?

Briana Farro: Absolutely. I mean, again, I think just in that bi-directional aspect, it goes back to, if you're not putting data in, it can't be assessed in a certain way. Right? It's just not physically possible; we can only do limited assessment with what you have within your four walls, like John mentioned, and we can't give you comparatives. That assessment may not even be "is it a threat or not"; that's something that may be accomplishable within your four walls. But whether or not you're the only one who's seen it, or there are 1000 other people who woke up yesterday and saw it, and now it's becoming more critical, is really the differentiator there. So I do think the concept of understanding when and how to share information and where that might be viable, and working together with the government to understand where that is viable to provide them even better data back, and analysis back, is really critically important. On top of that, in the spirit of the executive order, whatever they share helps protect others as well. Right. So that's critical, as far as just, I guess, our security morality, or whatever you would want to call it around that side of the fence. But specific to kind of what we've recently done with MVISION Insights, you know, I would also encourage the government to, exactly like you said, look at what we've done for a long time. We had, I don't even want to know what the terabytes or whatever petabytes of storage of data is, I'm sure it's some like zygobyte or something that I don't even know the term for, that we've had.
And we had this data and we used it to analyze whether or not there was a larger threat, whether or not there were correlations, whether or not we could put campaign information together, all the things that you just mentioned, Jason. But that actionability that John was talking about earlier, that ability to translate that into something in really easy context for a customer, and to have them have some automation and avoid having to call us to find out if we had intelligence and what it meant, is not something we had taken the next step to. And we did, we finally did. We said, let's start with a basic concept, and then grow from there. Instead of our customer having to call me and ask if they're protected from the latest malware that just ran with the kidzania, you know, piece of attack, can I just tell them in a way that's easily accessible, that's accessible through a threat feed, like John mentioned, that's in my dashboard, like you mentioned, that I can take out into a different workflow, whether that's MISP or some sort of other part of my security architecture? So check one, let's solve that problem. And we did, right; we said, well, we can tell you that we know about this, and these are the IOCs and the observables, and this is the coverage we have for it across these different components. But then why stop there? Yes, that solves one problem. But there's so much more that you can do with that data. And we looked at it in the sense of how can we help with that shift-left concept, right? McAfee has never abandoned the concept of protection first, before detection. And so why wouldn't we continue with that? And why can't we help? Why can't I tell John that not only is the IOC he's searching for related to a campaign, but he has systems that could protect against it if they had a different configuration in place? Because, you know, sometimes we put configurations in place, and we kind of set them and forget them.
And we're not always updating them to what they could be to provide the best security posture. So why can't I do that? And the answer is I could; there wasn't an answer as to why I couldn't. There were only answers as to why I could. And so that's what we did. We took a look at that and said I want to be able to tell John that DarkSide, as a ransomware as a service, is this type of campaign. It's sponsored by these threat groups and attackers, this is how it functions, these are the operating systems it can run on. Here are typical subcontractors, areas of the world that it's been seen in. Here are the tools that it commonly uses, the exploit methods, and here are ways that you can protect against it. Here are valid countermeasures, signatures, YARA rules, etc. And more importantly, you have systems that either have seen an attack, you've gotten a detection, and you've either handled it or not, and/or you have systems that could be attacked by these known IOCs and methodologies. And if you just flip the switch, you'll be protected with your countermeasures in place. So you know, to us that's really a method that could be grown upon; it could be grown at a local database like John mentioned, you could take that threat intelligence and understand, what is the descriptiveness that you can provide, and the actionability that you could provide on top of it?

Jason White: Yeah, well, one of the things that I really liked about that platform too, and it kind of references something that John mentioned earlier, is taking that threat intelligence data and then making it, you know, real-time searchable within your environment too, right, the ability to integrate data across EDR and XDR platforms to say, okay, here's an emerging threat. I don't see any alerts yet, but let me go out and see if that might be resident in my environment. I think that's a pretty powerful tool to get really proactive in terms of trying to identify those threats before they make a major impact.

Briana Farro: Absolutely. And I mean, with those searches, in a typical hunt scenario, you get some data, maybe it's from a feed or a TIP, right? And you might take action to search upon those. But you wouldn't get that prescriptiveness to understand, okay, it's in my environment, but is there risk anywhere else? So we have kind of that two-pronged approach that I said I have in one place, to take action on from multiple mindsets.

Jason White: Yeah, that's great. So I really want to thank you guys both again for your time. But before we go, yeah, before we got on here, we kind of talked about giving you guys one last opportunity for any final thoughts. And I think we agreed that Brianna would provide those final thoughts. So I just, you know, want to give you an opportunity here: do you have anything else that you'd like to offer up, either about the executive order or threat intelligence specifically, before we say adieu?

Briana Farro: Well, John, Jason, always feel free to jump in here. This is a team effort. But I think the executive order for me was such a positive thing to see. I was really excited to see that a lot of the initiatives that, in my opinion, the government had actually already been looking to take were put down into some sort of formal statement that was a guideline, and that it allowed all entities to have a guideline to move off of, so you wouldn't have different parties trying to execute that in different ways. But also, where potentially one organization wasn't necessarily getting the support that they needed to move forward with a project like that, now it's a requirement, so there should be no reason why there's not support given. And again, for me, I only see benefit there in understanding ways that, even if it were just government entities to government entities as a starting point, that data sharing could possibly provide a better opportunity for the organizations to protect themselves. And since these government entities are protecting some of the most absolutely critical things that we have here, at least within the US, it's really important. But it's a lesson that can be shared amongst, like John said, multiple government entities, and it's things that they could all talk about together.

Jason White: I say you got to start somewhere, right? And so yeah.

Briana Farro: Yeah, exactly. And I mean, it provides, I just think, a little bit more of that open opportunity for sharing experiences as well, which is a really good statement to make from a lead executive government perspective. The last thing is just around those kind of key points that we talked about, as you start to think about this executive order and this particular section, and how am I going to take on this threat intelligence component? Again, try to think about your threat intelligence maybe a little bit differently than you have before. If you've been in other types of government, or the military, think about how you would strategize around anything in the first place. How do I use my threat intelligence today? What types of intelligence am I not receiving? Would there be benefit to that? Do I have gaps? And if I just sat down at the table with another entity or a vendor to understand what types of threat intelligence they see and analyze, and where that could be beneficial, maybe I should take that step to at least understand how it can help me. And I want to look for that actionability; I want context that provides correlation that gives me the actionability, because without that actionability and flexibility, I can't move into the modern workspace, where I'm going to have data coming from areas that it was not before, where we're not restricted by four walls, and successfully have a flexible working environment that's secure.

Jason White: Yeah, that makes sense. Great. Well, I thank you both again; I've enjoyed our conversation today, and I think it's been really insightful. Before we go, I do want to put a quick plug in for our next event in this particular series, where we're going to focus on improved detection and response. I think John's going to be writing the blog; it's going to be coming out in a couple of weeks. But in addition to that, McAfee is going to be hosting a capture-the-flag event on July 28. That's going to give people a great overview of our EDR capabilities. Not only that, but it's also going to give them the opportunity to test drive the solution in a little bit of a fun way. So, registration's now open, and we encourage all who are interested to attend; your registration for this event should result in you receiving an invitation for that event. But thank you for attending today. And we look forward to helping you succeed as you work to meet the requirements of the executive order. Thanks so much. Have a great day, everyone. Thank you.

Speaker 1: I'd like to take the time to thank our speakers for joining us today. To learn more, please visit www.mcafee.com/publicsector. If anyone has any follow up questions, please reach out to McAfeeMarketing@carahsoft.com. Thank you for listening in and have a great day.