From an overabundance of data to resource and skills gaps, Federal cybersecurity teams are facing an uphill battle to achieve Federal mandates and secure systems against growing and evolving cyber threats. Emerging technologies, including artificial intelligence (AI) and machine learning (ML), can help technology leaders do more with less by analyzing large datasets and spotting unusual activity faster. Adding automated responses can deliver real-time security at scale, stopping threats before data loss. MeriTalk recently sat down with Dale McCloskey, vice president, Federal sales, and Michael Loefflad, senior director, sales engineering, at cybersecurity company SentinelOne to discuss how agencies can overcome uncertainties about AI and ML and tap into the technologies to keep government secure at mission speed.
MeriTalk: The Executive Order on Improving the Nation’s Cybersecurity (cyber EO) included guidance on sharing threat information across the public and private sectors to help proactively stop cyberattacks. The new National Cybersecurity Strategy (NCS) moves beyond sharing information to engaging the private sector in disruption activities. What has changed across the threat landscape between the cyber EO and the NCS that is putting a higher priority on disrupting cyber attackers before they strike?
McCloskey: Two factors are at play. The first is the recognition that while sharing threat information is important and necessary for governments and organizations to defend themselves against modern threat actors, it’s not always sufficient to deter or stop threat actors from continuing to engage in malicious activities. That takes a more collaborative, coordinated, and multi-dimensional disruptive approach, as outlined in the NCS. The second is that the NCS is directing the next steps that were outlined in the cyber EO. Sharing threat intelligence is a necessary foundation that provides factual insights for developing appropriate and proactive counteractions.
MeriTalk: The cyber EO pushed agencies to adopt a zero trust architecture. Since then, technology leaders have been getting zero trust strategies and guidelines from agencies including the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget (OMB) and the National Institute of Standards and Technology. Do the guidelines and mandates go far enough to protect agencies against an evolving threat landscape? What should agencies keep in mind as they work to meet the zero trust mandates to fully protect their environments?
Loefflad: The executive order, all of the mandates and guidelines, and the reference architectures have done a really good job of raising awareness of zero trust while helping agencies prioritize the changes that need to be made. The guidance is comprehensive and covers the full portfolio of IT assets across the enterprise. The pillar models simplify zero trust and help agencies approach the concepts in bite-sized chunks. They also do a good job of explaining that zero trust is not a point solution. It is a mindset and a strategy.
IT teams working through zero trust roadmaps should keep in mind that the threat landscape is always changing; therefore the zero trust architecture needs to be flexible, adaptable, and dynamic. Agencies should avoid static solutions and manual processes. They should also pay close attention to the foundational pillar of visibility and analytics. Having the right level of visibility and applying analytics allows agencies to monitor what should – and should not – be trusted. From there, agencies can build automatic response capabilities to respond at mission speed when an attacker compromises an environment.
MeriTalk: From the edge to the cloud to on-premises data centers, Federal environments are getting more complex. How can security teams gain visibility across all of their environments to identify and stop threats?
McCloskey: To gain visibility, agencies need to inventory what they have, whether on premises or in the cloud. From there, they can implement endpoint detection and response tools that provide cross-coverage protection and visibility across all endpoints, cloud workloads, and identities. With those tools in place, they can focus on data collection, analysis, and log management across the enterprise, which was outlined in OMB’s M-21-31. When they can go back in time 30, 60, or 180 days and analyze the data, they can discern what is happening on the network and when, gain insights into threats, and find areas where they are exposed.
MeriTalk: Complex environments produce a great deal of data. With technology teams stretched thin, how can agencies effectively monitor and secure all of that data?
Loefflad: Leveraging emerging technologies like artificial intelligence (AI) and machine learning (ML) can help agencies with limited staff and budget see across complex environments. AI- and ML-driven algorithms can perform automated detection and response at speed and scale and can assist cybersecurity teams with threat research. They can also guide investigation flow and perform deep security analytics. Applying AI and ML technologies helps cybersecurity analysts do their job faster and from a more informed perspective, which allows them to respond quickly and more effectively.
MeriTalk: How are data analytics and threat intelligence tools evolving to support earlier identification of potential cyber threats?
McCloskey: Threat intelligence tools are continuing to mature and are allowing agencies to adapt to the changing threat landscape, but keeping pace with today’s threats is hard. Agencies need tools that offer integration capabilities that can seamlessly extract insights from different security environments. The challenge is sifting through the data and leveraging that threat intelligence so cybersecurity teams can make intelligent decisions about what is real and what requires action. The tools are evolving to offer this kind of big data analysis with performance, accuracy, and speed.
MeriTalk: How can AI and ML be used to support the directives in the cyber EO and National Cybersecurity Strategy?
Loefflad: Cybersecurity is a big data problem, and agencies can be overwhelmed with the volume of data they are required to collect and analyze to meet the requirements in the cyber EO, National Cybersecurity Strategy, and OMB M-21-31. To meet the mandates, agencies need to go beyond storing the data to extract information and intelligence from it. That’s where AI and ML can really benefit agencies. AI and ML can analyze large datasets, extract information, determine trends, and look for anomalies. Then, in a reasonable amount of time and with a reasonable number of resources, they can trigger an automated response when malicious activity is detected. An example of this capability is SentinelOne’s Singularity™ platform, which uses AI and ML to capture data and metadata to mine through it quicker, resulting in faster and more adaptable and dynamic protections versus traditional manual analysis or a static protection environment.
McCloskey: The big data lakes that agencies have are definitely a challenge for meeting the mandates. It’s like finding a needle in a haystack. That’s where AI and ML come into play. Those technologies really help analysts focus on the right area of the haystack.
MeriTalk: What benefits do AI and ML bring to the security operations center (SOC) teams that want to implement cyber analytics?
Loefflad: AI and ML are empowering technologies for augmenting the human-driven SOC functions. We know there is a talent shortage and skills gaps across Federal IT teams. Applying AI and ML can address some of those gaps. Agencies can use AI to assist in threat research and guide investigation workflows, enabling SOC analysts to make more informed decisions at a quicker pace to keep up with the threat actors in their environment. Recent AI and ML advancements are simplifying the cyber analyst’s experience, making it easier to assess a situation so the analyst can take quick and decisive action in response.
MeriTalk: There has been a lot of controversy recently surrounding the use of AI and ML. What should technology leaders consider when evaluating these technologies to strengthen cybersecurity?
McCloskey: AI and ML technologies are powerful tools that can be safely implemented within the boundaries of cybersecurity practices. When used effectively, they can strengthen security strategies and techniques. But like with any technology, especially emerging technology, there’s always some risk. IT leaders need to fully understand the power and capabilities of the tool and how to manage and mitigate the risks in their environment. While there is fear and doubt surrounding AI and ML in the public’s eye, at the end of the day, with the right safeguards put in place, AI and ML technologies are making a real impact in the fight against our cyber adversaries.
MeriTalk: The NCS calls for using all instruments of national power to make cyber actors incapable of threatening our national security. How can IT leaders in the public and private sectors support this ambitious goal?
Loefflad: At SentinelOne, we’re excited about the NCS. It’s particularly good to see the focus on collaboration and industry partnerships because we are fighting a common fight against our enemies. In support of that fight, it’s important for IT leaders to actively share information and insights that they are collecting in their own environments. This will help others stay up to date on the latest adversary TTPs (tactics, techniques, and procedures), apply lessons learned, and make headway against threat actors. It also allows government and industry to take protective actions on a larger scale that will likely have greater impact.
MeriTalk: The cybersecurity detection and response space is crowded, with many vendors competing and overlapping in the market. What differentiates SentinelOne’s approach and strategy from others in the market?
McCloskey: SentinelOne is a cybersecurity company that sits at the intersection of cloud, cybersecurity, and AI and machine learning. We have a strong track record of protecting customers against malicious campaigns. We offer a single platform with a unified console that helps agencies address multiple missions. The platform offers performance and efficacy out of the box against very tough adversaries in the field. It’s also easy to use. With point products, teams have to be trained on each product and console, which can be challenging – especially in the service branches where people rotate into cybersecurity roles roughly every two years. A single console unifying everything from endpoints to cloud workloads to large data lakes provides more holistic security. We are also proud of our Gartner Peer Insights reviews, where we have a lot of positive customer feedback on the capabilities of the platform.
Loefflad: The quality of SentinelOne’s AI and ML algorithms that perform detection and autonomous response is another key differentiator. We are continuing to invest in those technologies, both from a detection and response perspective as well as an enablement perspective to support SOC analysts and help them to do their jobs better. The cloud-native, AI-driven SentinelOne Platform uniquely delivers performance at scale, leveraging open integrations across the security stack to deliver robust, adaptable, and autonomous all-surface protections.
MeriTalk: SentinelOne recently announced new innovations at RSA 2023. Please tell us a little bit about them.
Loefflad: Cloud security was a dominant theme at RSA this year. We announced a partnership with Wiz, a cloud security company, for cloud security posture management. We already have cloud workload protection as part of the native SentinelOne portfolio. The Wiz integration will help us increase visibility, identify risks, and extend protections that we’re providing to cloud workloads.
We also announced SentinelOne’s Singularity™ security data lake, which is the embodiment of cloud, cybersecurity, and AI and ML. With the security data lake, IT teams can store big data cybersecurity information from many sources and do deep analysis across that data at scale, with performance, and at a reasonable cost. They can extract intel and insights to drive automated and autonomous responses.
AI and ML were also hot topics this year, especially around generative AI and natural language AI. We announced the use of generative AI to streamline the interface into our platform, which will help junior analysts perform deep threat analysis and investigations through a conversational interface as opposed to having to learn a complex programming or query language.
MeriTalk: Here’s a crystal ball question: What are your insights and predictions on the future of Federal cybersecurity and cybersecurity technology?
McCloskey: Cybersecurity is unpredictable. The one thing we can count on is that there will always be threats, and the tactics, techniques, and procedures that threat actors use will adapt and get more complex. As a cybersecurity company, we’re constantly trying to stay ahead of the enemy, and we’re doing that by leveraging our AI and ML capabilities to provide that platform for our customers to protect their assets. The use of AI and the automation that it provides will continue to grow and will help Federal IT leaders stay ahead of the adversaries.
Loefflad: From a threat perspective, for the first time in history we’re seeing cyber as part of a geopolitical warfighting domain. We can expect that to continue. Disinformation campaigns and critical infrastructure attacks will also continue to rise as methods of cyber warfare. While AI and ML are being used for good from a cybersecurity perspective, they can also be used by malicious actors for bad purposes. At SentinelOne, we are tracking those kinds of threat perspectives so that we can stay ahead of them. We’re committed to delivering the innovative and impactful cyber technology solutions that allow Federal agencies to stay ahead of these threats.