Prevention: Changing the Math of Cybersecurity Through Automated Defense

On June 21st our CEO, Mark McLaughlin, spoke in front of President Obama’s Commission on Enhancing National Cybersecurity. The Commission is holding open meetings around the country to hear from cybersecurity experts and gather input for a set of recommendations they are expected to announce in December. Mark was one of a handful of CEOs and technology officials from the Bay Area to present to the Commission at its conference focused on “Innovation for the Future of the Digital Economy.”

This Commission has its work cut out for them. Enhancing national cybersecurity is a massive challenge, and there are no simple, quick-fix solutions. Yet, it is a challenge that must be undertaken—and one that can be successful.

At the heart of the current cybersecurity battle is a math problem. Unfortunately, today, this math problem overwhelmingly favors our adversaries. Here’s why: The cost of computing power required for malicious actors to launch successful cyberattacks has been decreasing dramatically for decades. Coupled with the widespread availability of black market malware and exploits, our adversaries are able to conduct increasingly automated, successful attacks at little to no cost.

In the face of this automated onslaught, the network defender is generally relying on decades-old security technologies, often cobbled together as multiple layers of point products that are not designed to communicate with each other. This lack of automation and interoperability has become increasingly problematic as networks grow in complexity due to macro technology trends like the adoption of virtualization, software as a service (SaaS) technologies, cloud computing, mobility, and the internet of things. This increased complexity of enterprise architecture and independent security controls creates a dependence on one of the least scalable resources organizations have—people—to manually fight automated, machine-generated attacks. As defenders, we are simply losing the economics of the cybersecurity problem.

That’s why cybersecurity innovation must be focused on prevention.

Prevention means significantly decreasing the likelihood—and increasing the cost—of malicious actors launching a successful attack. We should not assume that attacks are going away or that all attacks can be stopped. The outcome we should strive for isn’t to eliminate all risk but to change the economics by making it more expensive in terms of resources, time and personal impact to launch a successful attack.

Innovative approaches—effectively applied to people, process and technology—can be one of the key principles in regaining leverage against our adversaries and achieving prevention.

First, we must develop technologies that work together seamlessly to enhance the security of individuals, enterprises, and the broader ecosystem. Simplification and automation are essential for making networks adequately defensible. Security technologies must be leveraged as part of natively integrated platforms, and capable of automatic reprogramming based on new threat information, to prevent threats across all stages of the attack lifecycle—on the network, in the cloud, and at the endpoint.

For example, Palo Alto Networks next-generation firewall customers around the world receive new preventive measures every five minutes – these average 1.1 MILLION new preventive measures week – based on the automated discoveries made by our WildFire advanced persistent threat detection capabilities. There is no way that people could manually generate this volume of prevention to keep up with the evolving threats seen across our base of 30,000+ customers.

To build upon such a platform, security technologies need to be fully integrated as part of a larger, global ecosystem. More specifically, this ecosystem must incentivize information sharing, leverage open source integration APIs, and develop interoperable technologies capable of automated security—including through partnership with complementary technologies from third-party companies.

We also need to ensure that our workforce is trained and leveraged with the right mix of automation. If we build our workforce development plans on a foundation of automated technology, we can ensure that we are recruiting and training people in a more targeted way for only those jobs that require a human’s sophistication and critical thinking. Absent automated defense, we are left with the impossible task of staffing every organization’s security operation’s center with tens of thousands of people simply responding to alerts of successful attacks. As our adversaries become increasingly automated, it is simply unscalable as a defense model to manually combat functions that could be more effectively addressed by automated technology.

Finally, we need to start educating children at the earliest possible age so that cybersecurity is fundamental. We must ensure that hands-on training with innovative security technologies is ingrained in educational curriculum. And we must leverage innovative technologies, like those that enable long-distance virtualized learning, to educate more people, and faster.

We applaud the tremendous work being done by the new Commission, and, as a company, were honored to be part of their deliberations. We hope if they only remembered one word from Mark’s presentation that it was “prevention.”