5 Questions with Allan Thomson, Chief Technology Officer, LookingGlass Cyber Solutions

Allan Thomson
Chief Technology Officer,
LookingGlass Cyber Solutions


1. You began your career as a Software Engineer, but later worked at Cisco as Principal Engineer, Threat Defense Systems, and now serve as Chief Technology Officer for the cybersecurity firm LookingGlass Cyber Solutions. What events led to your decision to pursue a career in cybersecurity?

In many respects, solving cybersecurity problems requires an understanding of how best to solve large-scale distributed system challenges. The other key challenge I find exciting is how to harness machines and human behaviors in such a way to make organizations and their networks safer from attack. Building complex systems that harness data processing, data distribution and enrichment has been something I've worked on since the early days in my career. From the days of working on military-grade network communication buses, RMON network monitoring systems all the way through to larger systems providing coordinated security telemetry and analytics, they all shared common traits on how to design and build scalable, secure systems. So, working in cybersecurity in many respects is a natural evolution of many projects that I've been part of most of my career.

2. Data breaches continue to make headlines. Attackers appear to have the advantage in the fight against cybercrime. What can security vendors -- and their customers -- do to counter that trend?

First off, the industry needs to start thinking differently. Continuing to invest in the same siloed technology stacks and isolated products for different aspects of security will continue to fail to achieve the goal of protecting organizations. We (the industry) need to bring collaboration and coordinated threat response to the level that allows us to be 5 steps ahead of where the adversary is. It is insufficient to introduce another security widget that does one thing great. We need 10 security capabilities that work together that make it impossible to outwit and outsmart the organization using those capabilities. We need to work together as an industry with interoperable solutions that go beyond simple data sharing. Truly effective security orchestration and collaboration on visibility are key.

3. LookingGlass Cyber Solutions and Farsight Security recently released a joint whitepaper, "Reducing Third-Party Risk Using Passive DNS Data." What is third-party risk and how significant is it to today's organizations?

When you consider that the majority of organizations (even smaller ones) rely on third-party services in networks, cloud, hosting, application software, etc., then ensuring your organization is secure is firmly tied to the security of your supply chain and other third-party vendors. The risk posed to your organization by adversaries can be tied directly to how dependent you are on those third parties and the risk to their systems, networks and personnel. The significance of ensuring a secure ecosystem for your own organization and your third parties is huge.

4. The whitepaper examines how continuous monitoring -- specifically using Farsight passive DNS data -- can help identify infrastructure vulnerabilities due to third parties including supply-chain vendors, partners and more to simple misconfiguration issues. Can you please explain?

The whitepaper does a great job of going into the details on how Passive DNS data can assist with continuous monitoring of third parties. One of the key aspects of continuous monitoring is the term 'continuous'. Threats to your organization are not scheduled on a convenient basis. New adversarial infrastructure, hosting threats on new domains, is being developed continuously, and if your organization is not continuously assessing the risk to your own organization or third parties then it's entirely possible you will miss the early signs of an attack, or worse, the signs of an attack in action.

5. Despite the advent of machine learning, artificial intelligence and automation, you have spoken out about why the human element is the most critical component to threat intelligence. Please explain.

Machine learning and automation are vital components of a comprehensive cybersecurity solution where they can be used to highlight, focus and refine large data sets into data that should be considered for further review or analysis by humans. Machines can make the cybersecurity professional more effective whether it's in data crunching, data analysis or operational automation. Taking 10 million technical cyber indicators in less than a few minutes is impossible for a human being to process without significant machine help. But human experience and knowledge within the security field remains a vital component skill to leverage. Understanding behaviors, deductive reasoning, and motive-based action that result in applied security approaches are examples where they are not yet fully machine implementable and where the human being can assist. Unfortunately, the industry does not have enough skilled individuals, but, for the ones we do have, technology advances in machine-learning and automation can assist a lot.

 
