Too many enterprises don't know where their networks begin and end, but Mark Hughes believes read teaming may be...
the best way to get those answers.
Hughes, CEO of BT Security, was one of several experts who spoke at the recent Securing the Enterprise conference at MIT's Computer Science and Artificial Intelligence Laboratory. The event, which was co-sponsored by BT Security, focused on discussing and sharing new cybersecurity strategies and approaches to replace current conventional wisdom.
During his keynote, Hughes talked about how enterprises often lack knowledge about how their IT environment and operations are structured and how red teaming has helped BT Security fill those knowledge gaps.
"That structure -- and understanding how organizations work so that you can create the necessary reflex to respond and regenerate when something goes wrong -- is really, really important," he said. "And a lot of organizations are inherently structured in a way that doesn't lend itself for them to be able to do that."
At the event, Hughes spoke with us about the benefits and challenges of taking an adversarial approach to security, as well as the hurdles facing enterprises that are making big cybersecurity investments. Here are excerpts from the conversation with Hughes.
Editor's note: This interview has been edited for clarity and length.
What are you seeing with enterprise customers in terms of their cybersecurity investments? Are most of them making significant investments?
Mark Hughes: Yes. Most large enterprises have bought a lot of security technology. They paid a lot of money, and they think they're OK. And then something happens to them, and they don't understand. I think the 'not doing anything' crowd is very small right now. You have to do at least something because of the regulations and laws.
In terms of cybersecurity products and services, are there too many companies and options? Is there too much noise in the space for enterprises to get a clear sense of what's being offered and what they need?
Hughes: I think so, yes. There are about 16,000 vendors out there, by our count. That's a lot. And it's hard to keep up with.
For BT, we run through product assessments with some basic questions: Does it do what it says? Does it scale? Can it be contextualized for our needs? What's interesting is that when I started talking to more customers, I found that many of them face the same problems. They're not sure what they need, and they're not sure who to buy it from. I think part of the issue is that we need to get back to a service discussion when it comes to products. As in, what is the service your product provides?
We're too focused, sometimes, on the underlying technology, and it makes this process harder. I think we need to look at specific use cases and figure out what you're looking to have, what your needs are and then go from there. Just get away from, for example, a [IBM] QRadar versus [Micro Focus] ArcSight discussion.
That's how I try to deal with the tsunami of new stuff out there, because there are so many new security companies, and everyone has a silver bullet. And there are some real silver bullets out there, but you have to be extremely careful. Some stuff might have fantastic tech, but it might not scale.
On the topic of technology, what do you see happening with machine learning and artificial intelligence? We've heard a lot of hype about these technologies in recent years, but are they living up to it?
Hughes: I think there are some misconceptions about these technologies. I think of them as more like 'Iron Man' than 'The Terminator.' And what I mean by that is the technology gives the security analyst something better to work with; it equips them with something that can enhance their ability to identify and stop threats. It's like Iron Man's suit. But the technology can't do it alone. You can't just turn it on like a Terminator and have it do exactly what you want without any help. I'm not saying it won't happen someday, but it will probably be a while.
And we have to remember that even with machine learning and AI, this stuff is still complicated. There's tons of data to analyze, there's lots of questions about your environment, and they're deep in the infrastructure. And a lot of that infrastructure is outsourced, so it's even harder to see what's going on with traffic flows, supply chains and things like that.
That's what I find time and again: There are a lot of little things that have nothing to do with security and the technology that lead to incidents like many of the breaches we've seen recently. My mantra is, 'Always be calm, and always be curious.' You have to be able to learn from your mistakes.
Mark HughesCEO, BT Security
You talked about red teaming during your keynote and what it taught BT about its structure and internal operations. Is that one of the ways you've learned from your mistakes?
Hughes: Yes. We're big believers in red teaming. We have red teaming internally, and we have red teaming for clients, as well. It's been huge for us. But there are some difficulties.
What I've found is that when you actually do the red teaming, it's great. I spend a lot of money finding skilled people, getting them ready and getting them familiar with our environment. We may spend a month or two getting ready, and then it's all blown up. You see where the holes are and where you're vulnerable, which is great. But how do you deal with the outcome?
People are the biggest challenge here. How do you deal with the embarrassment factor for the people that run and protect those systems that just got breached? We find that in our own organization, and we found the same thing in many of our customers.
Why does that matter so much? And how does BT Security deal with it?
Hughes: It's important because if you can't cut through the angst and embarrassment, then it doesn't matter what the red team found, because it's probably not going to be addressed. I think it's important to understand perspective of the people [behind the systems being targeted].
The IT teams are strapped for resources, and they probably look at the red teams and see them as prima donnas that are going to make their lives miserable. You've got to help them understand before the red teaming begins why you're doing this and what the benefits are going to be for them and the company long term.