We have completed the “Protecting the Data of Australia’s Most Vulnerable Citizens Together – Collective Defence for the Care & Community Sector” webinar on May 19, 2021.
Hear from others in the Care and Community sector who have started the journey of Collective Cyber Defence to look after their staff, clients and the most vulnerable in the community, and who want others with a similar mission to join them.
Join IronNet’s co-founder and COO, General (Ret.) Brett Williams, and Network Overdrive’s Managing Director, Greg Clarkson, to discuss how organisations can come together to share threat behaviours and insights to keep the industry’s ecosystem cyber secure.
[Claire] To kick start this session, please.
[Greg] Well, thank you, Claire. Hello, everybody. Thanks for joining. It may be of interest to you to know that we’ve got a wide range of people attending today, from direct welfare and care communities to health providers, insurance companies, and even some government representation. So, we want to thank you all for attending. And as Claire says, if you have any questions, please leave them in the comments below.
I want to start first by acknowledging the traditional custodians of the various lands on which we meet, and the Aboriginal and Torres Strait Islander people who may be participating in this webinar. I wish to pay my respects to elders past, present and emerging, and to recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.
So, before we get into the formal bits, I want to explain first why I’m here today and why I’m excited about the presentation that’s about to happen. I’ve been CEO of Network Overdrive for 21 years. But before that, I was heavily involved in the welfare and community sector as a youth worker. In one example, I worked at a youth centre that was absolutely in chaos: the property was being damaged, people were not feeling safe, and as a result others definitely didn’t want to attend. The leader of that organization invited a Senior Director of another youth service to come in for a 12-week period. As a young youth worker, I could never forget the experience of those 12 weeks, and how much the expert advice and involvement of another person in the network, who knew how to do certain things, could influence us. Basically, we transformed that youth service and that drop-in centre into a safe and caring community. I can also remember during my time that we would regularly meet with other people and other organizations; we’d share information on cases and ask for advice on what other people might do in those situations. Overall, we helped each other to produce a better outcome for our clients and stakeholders. So these two ideas, having experts come in, impart their wisdom and experience and give us ideas of best practice, and peer-to-peer collaboration where we would help each other improve, I never forgot. So, when I found out about IronNet, and the ability to implement this collective sharing of knowledge in the cyberspace and cybersecurity area, I got really excited. And that’s the reason why we’re having today’s event.
So, without further ado, I’d like to introduce US General (retired) Brett Williams to the stage. You may be interested to know that he has a very long reputation for many things he was involved with. For example, he’s co-founder of IronNet Cybersecurity, and he served for nearly 33 years in the US Air Force. His last assignment was as Director of Operations at U.S. Cyber Command. In that position, he was responsible for the operations and defence of the Department of Defense networks, as well as the planning and execution of offensive actions in support of national security objectives.
You may be interested to know that General Williams is a highly experienced fighter pilot with more than 100 combat missions in the F-15C. During his time as a pilot, he had the opportunity to fly many times with members of the RAAF, and as Director of Communications at US Pacific Command and Director of Operations at US Cyber Command, he engaged routinely with the Australian military cyber components. He even managed to spend a few days with his family on vacation in Sydney in 2009. So, he has some connections to Australia, and we welcome him to present to us today. You will hear how IronNet delivers the power of collective cybersecurity to defend organizations, sectors and nations.
And so please let me welcome Brett Williams to present his talk.
[Brett] Thank you. Alright, well, thanks very much for that introduction, Greg, and thanks for joining us today for this presentation. And particularly, thanks to everyone for giving us your time today. We look forward to talking to you about what we think is an approach that takes us away from what is a failed strategy that we tend to follow now, where we try to defend one company or one enterprise at a time, to an approach that allows us to really bring together all of our strengths against these threats. I appreciate what Greg mentioned. While we were stationed in Japan, we had the opportunity to travel down to Australia with my wife, and I remember we had a very good time. The thing I remember, and I still don’t know if I was hoodwinked as a tourist, is stopping at a pub in downtown Sydney that claimed to be the oldest pub in Sydney, and I had a couple of pints there. So, I don’t know if it really was the oldest pub in Sydney, but I still remember that was a great experience. We certainly enjoyed our time, although I did find, and I’ve been to New York, I’ve been to Tokyo, and people talk about expensive cities, I remember Sydney being a pretty expensive city. But I had a great time there, and I look forward to getting back when COVID lets us all travel a bit more.
So with that, Greg, I’ll go ahead and bring up a couple of slides that will help me make these points. While I’m doing that, I would like to emphasize to everybody that I’m just going to take about the first 20 minutes here to outline this concept of collective cyber defence. But what we really want to do is hear from you: what kind of problems you’re facing, what kind of challenges you have. You can enter those in the chat, or once I’ve finished with this introduction, we’d be happy to entertain those. As always, we’d love to hear from you, and we want to talk about what interests you most as we go through our time together this morning.
So I guess I would just start by saying that everybody on this call, I think, understands there’s no magic box, there’s no single piece of technology that you can buy that’s going to keep the Russians or the Chinese or the Iranians or the criminals out of your network. You really have to have a holistic approach, a combination of people, process and technology, to deal with today’s threats. And so what I want to talk to you about today is this concept that we’ve developed at IronNet; we refer to it as collective cyber defence. Fundamentally, it’s about how we bring together people that have similar interests, people that have maybe faced similar threats, so that we can capitalize on all of our strengths together to work against the common threats that we have in cyberspace. Because I can tell you that all of the hackers are very good at collaborating and working together. Yet on, let’s just call it the good guy side of this, we tend to work in stovepipes, and we tend to defend alone.
And so, what we want to offer today are some concepts on how we might be able to change that strategy to something that allows us to really bring all of our strengths together to deal with these threats.
I’m not going to spend a lot of time on the threat. But I usually like to think of it in two categories. There are the nation-state threats, and I think in Australia and the broader APJ region we’re concerned largely about the same threats: China and Russia and North Korea and Iran, and their motives and objectives. We’ve clearly seen, with things like SolarWinds and the Microsoft Exchange attacks and a number of others over the last year or so, that the potential targets of nation-state attackers are getting broader and broader. It used to be that you only worried about it if you were maybe part of a national critical infrastructure sector or a large financial services company or something like that. But we’ve clearly seen the nation-state targeting become much broader. At the same time, it’s still the case that 85% of cyber-attacks are criminally motivated; they’re financially motivated. So we have to be equally concerned with that criminal threat. But at the end of the day, what I’ve noticed since I left United States Cyber Command about six years ago is that there’s less and less difference between the expertise and the tactics, techniques and procedures of the nation-states and the criminals, for a variety of reasons. The things that used to be only the province of nation-states are widely available to criminal groups. And so at the end of the day, no matter what business you’re in, no matter what sector you’re in, no matter how large your company is, you can no longer rely on legacy defences. You really have to think about how to deal with a potentially fairly advanced attack, because a lot of these more advanced techniques are available to people with even moderate means. And at the end of the day, we’re following what I would refer to as a failed strategy.
Most of you are technically oriented, have been involved with cybersecurity and are familiar with it. One of the analogies we tend to use is this idea of the castle walls or the moat, basically protecting the perimeter. And that strategy doesn’t work. It doesn’t work with legacy networks. It doesn’t work with people that have moved to the cloud, where we tend to still trust the credentials that came in: I assume that your credentials are good and you’re allowed to go anywhere in this environment, or I assume the software is good because I’ve always used it and I don’t check up on it, or I assume that if you’re allowed access to this data, you’re allowed access to all data. So this idea of perimeter security, of not really examining everything that’s going on in the environment, is a failed strategy; we’ve got to change that. The other thing, as I’ve mentioned already, is that we tend to defend one enterprise or one organization at a time. And so we see these attacks in isolation, and that is simply not an efficient way to deal with today’s threat. Our belief, and I’m going to articulate what I mean by this collective defence approach, is all about how we bring ourselves together, how we capitalize on the investments we’ve already made, and how we create a situation where we multiply our forces so that we can deal with these threats. Now, one of the things I like to use is this analogy. As was mentioned in the introduction, my background is as a fighter pilot, and I never flew off a carrier, but I like this Navy analogy. You may recognize this as one of the United States aircraft carriers. It’s a very powerful ship: it’s got missiles, it’s got radars, it’s got that sort of thing. But this ship never goes to war like this.
It goes to war like this. It goes with other ships, it goes with airplanes, it goes with submarines you can’t see, it goes with satellites. The bottom line is, it takes everybody working together, because everybody senses the environment differently, and everybody in this battle group has different capabilities. And so there are a number of analogies that come out of this battle group that will lead me into a little more detail on this collective defence approach. For example, one of the challenges we have with threat intel in cyberspace is that it’s too generalized. It’s not specific; it’s not necessarily relevant to us. This carrier battle group has figured that out. If this carrier battle group is operating in the South China Sea, they really don’t care about threats that are operating in the Persian Gulf, for example. And as they sense the environment that is near them, in the South China Sea for example, every one of these platforms can see the environment a little bit differently, and every one of them can contribute to a picture of what we might call the attack surface, a picture of the threats that would be inbound here. And as they share that information, they are calling over the radio; they aren’t sending an email, they aren’t uploading it to a server and batch downloading it a week later. Everything is brought together in near real-time so that everybody has the same picture; a common operational picture is one way to describe it. So they have gotten very good at capitalizing on the capabilities of all the individual members of this group to get that picture of the threats that are relevant to them. Everybody has the same data about those threats, so they can all collectively decide how to deal with them. The other thing they do is they don’t follow that perimeter strategy.
For example, some of you may know that as we fly airplanes, we emit electronic codes, and one of the things those codes will tell you is, hey, I’m a friendly airplane. We call it squawking. So if this carrier battle group sees a target coming towards them, and it’s squawking a friendly code but it’s behaving in an unusual way, maybe its altitude, maybe its direction, maybe its speed is not typical for a friendly, they don’t go, well, it’s squawking friendly, let’s just let it come in. No, they go, this is anomalous, this is odd behaviour for something that purports to be friendly, we need to go and check that out, we need to find out what is going on. We don’t trust just the fact that it says it’s friendly and it says it’s trusted; we’re going to go examine that and make sure that it is in fact a friendly target and that it’s doing what it’s supposed to be doing. So some of those concepts I find useful, especially for the technical folks that are trying to explain some of this to people that are maybe less technical. But now let me take this down a level to how those concepts apply to this cybersecurity approach.
So really, there are three components that we look at IronNet. Number one, we realize that we’ve got to be able to look past what we call signature detection. For many years, we’ve relied on knowing very basic things about the threat: the Internet Protocol address, the IP address, or the domain, or some other very basic things. The challenge is that the adversaries can change those characteristics of their attack very easily. So as soon as we write a signature for an antivirus or a firewall or an endpoint detection, and the adversary makes a very small change, all of a sudden we don’t detect that anymore. So the foundation of this collective defence approach is really based on behavioural detection: being able to look at the network environment and to determine when there is something anomalous, when there’s something strange going on in the environment. Why are these credentials doing this? Why is this service or this protocol or this application behaving this way? Why do these DNS queries look a little bit strange? So the foundation is looking beyond signatures and being able to say this is unusual activity that probably, or maybe, indicates malicious activity, and I need to investigate that a bit closer. And then the second thing I need is visibility. Just like that carrier battle group was able to get visibility over the entire attack surface it was concerned about, we need to do the same thing with our cybersecurity. I want to be able to see not just what’s happening to my environment, but the attack surface that is relevant to me.
So I want to see other companies that look like me, other companies that are maybe in the same geographic location. I certainly would like to see companies that are in my supply chain or value chain, that I share data with or rely upon. I want to see all of that attack surface so that I can maybe get an idea of when somebody is trying to get to me by going through somebody who’s less well defended. Or I can start to see that a campaign is in progress, because a certain event is happening across six or seven or eight other companies. And when I can see that happening to other people that look like me, it allows me to be proactive, to prepare, when I can see that attack or that event happening at another company. Now I can collaborate, I can see the metadata, the data about the threat, and I can start understanding: am I prepared to deal with that? Do I have that in my environment and maybe I just haven’t detected it yet? So all of that comes together: the behavioural detection, the visibility, and then the collaboration over that information, to bring together this collective defence concept. You’ll hear us refer to the detection piece as IronDefense, and to the collective defence piece, the visibility and collaboration, as IronDome. So I would argue that what that brings us is actionable attack intelligence. The first thing I’ll do is differentiate attack intelligence from threat intelligence. For those of you that work with threat intelligence feeds or have threat intelligence come into your company, I describe that as what could happen: these are all the bad guys and all the things that they could possibly do. I want to move us to attack intelligence. I want to know what is happening: what’s happening to me, what’s happening to people that look like me, what’s happening to people in my supply chain.
And I want to know right now. I want to know in near real-time. I don’t want to have to wait for that to be uploaded, batch downloaded to me, and then have to sort through it and figure out what’s going on. So when I can get to attack intelligence, that takes me from what could happen to me to what is happening. That’s very important, because I can’t deal with all of the potential threats out there. I need to be able to focus my limited resources on the threats that are most relevant to me, and the ones that are actually occurring right now.
The second thing I would suggest to you is that what makes that attack intelligence actionable are these four characteristics. One, it’s got to be specific. It’s got to be specific to me, it’s got to be important to me, I know that it’s a threat to me. Two, it’s got to be timely. As I said, I would like to see this in near real-time, because as everybody knows, the quicker we can detect these things, the earlier in the kill chain we can detect them, the better chance we have of mitigating the attack, lessening the damage, recovering our business and getting back to doing what we need to do. Three, if I’m going to collaborate, I’ve got to be able to share what I referred to as the metadata about the threat. I’ve got to know all of the characteristics of the threat, all of that relevant metadata, so that all of the smart people, all of those analysts and all of the other people that are going to deal with that threat, have that metadata. They can all work from the same metadata, and they can crowdsource their capabilities against that particular threat. Or, in the case where I see an attack against someone else, I can look at that metadata and understand what I have to do to be prepared to defend against that attack. But the only way this works is the fourth characteristic: we have to be able to anonymize this sharing of data in real-time, because companies are worried about, you know, protecting personally identifiable information, healthcare information, proprietary information, company information. Companies don’t want to expose whether that attack was successful or not. So for this collective defence to work, you have to be 100% sure that the data you’re sharing is only related to the threat, and that everything about the company that’s sharing is completely anonymized.
There’s no way to identify exactly which company shared that information, yet we’re able to share what we actually need to work together, which is all of the metadata about the threat, in a timely manner. And we know it’s specific and relevant because we’re looking at the attack surface that’s relevant to all of us. A couple of ways that we think about this: one is this idea of sector visibility. So as we talk about the care and community sector, for example, this could be you; there could be a number of communities in there that all have shared interests and likely face similar threats. Having the ability to bring all of that capability together for everyone to see the threats that are against this sector as a whole is one. The other thing this allows us to do is, maybe Company A in this picture has a lot of resources and some very capable cyber defence capabilities and personnel, whereas maybe Company D has limited resources and relatively inexperienced personnel. Well, when we can get into this collective defence arrangement, when we can share that metadata and we have a way to collaborate, then we have a way for the stronger companies to help raise the capability of the companies that maybe aren’t as experienced. The second way that we think is very important to look at this is through the idea of a supply chain or a value chain. No matter what kind of company you are, you’ve got other people that you rely on: there are customers, there are suppliers, there are partners, there are people that you share data and information with. And a lot of times, somebody that wants to get at you, especially if maybe you’re a little bit better resourced, is going to go through some of these partners that aren’t as well resourced.
And if you’re the partner that’s not as well resourced, then you would certainly like to be part of this collective with a company that is stronger, that has more resources, has more capability so that we can contribute to the defence of that entire supply chain.
So what this is about, at the end of the day, is collaboration, right? It’s about being able to bring our collective strengths together to deal with these very common threats. What we’ve talked a lot about so far is this ability within the private sector to work within sectors. It’s also useful, we’ve found, to work across sectors: somebody that’s been successful in financial services is likely to use the same technique in electric utilities, or oil and gas, or any other sector. So being able to collaborate and see that is very important. And then at the next level, what we’re working on very hard now is how we bring the government into this collaboration environment. All of our governments have access to intelligence information, and our governments have the authority to operate against the threat, in what we refer to as grey or red space, to help stop some of these attacks before they get to us. But the government has no way to understand what’s going on in the private sector. All of our governments are responsible for defending our countries, but at the same time, in many cases, the people on the front lines of the cyber defence of these critical sectors and other sectors are people in the private sector. So at the end of the day, we would like to expand this collaboration so that we can bring the capabilities and the authorities that the government has to help augment the defence, and have the government participate in this collaborative environment to defend the things that are important to all of us, to our populations, to our people, to our economies. And so with that, I will say thank you very much. I’m going to take down my slides, and we look forward to the discussion and any questions you might have.
[Kenny] All right. Perfect. Thank you so much, General Brett Williams, for your sharing, and for staying up late as well. I see it’s nighttime there, so I trust that you have had your dinner. I think General Brett will continue to stay on this call to answer any questions, so feel free to type your questions into the chat window. We have a host of people here to address some of these queries as well. But maybe just to summarize, and to add on to the point: I think security breaches are becoming increasingly commonplace and dangerous, right? So not only is money at stake, but all these breaches have an appalling effect on reputation and trustworthiness, and often prove to be a business killer. And most importantly, once the data that’s stolen is available for cybercriminals to exploit. So I think it’s key to really come together as an organization to relook at our security posture, and to ask how we actually move away from the traditional approach