Reimagining Cyber - real world perspectives on cybersecurity

The Future of Cyber Defense: Multi-Space and Machine Learning - Ep 100

Reimagining Cyber Season 1 Episode 100
Reimagining Cyber is 100 episodes old! The podcast began in December 2020 as a bi-weekly dive into cybersecurity and cyber resiliency. It is now a weekly affair and has become a regular feature in the Apple Podcast Technology charts. It is also one of the most respected shows in the cybersecurity genre. 

Hosts Rob Aragao and Stan Wisseman alternate between head-to-head discussions on the latest cyber topics of the day and guest interviews.  This week’s guest is Mark Fernandes,  Global CISO at CAE. Mark heads a team focused on cyber resilience, particularly in the critical sectors like aviation, defense and security. CAE is a prominent force in the defense and government, but it's also equally recognized in their commercial pilot training programs. With over 28 years of experience in cybersecurity, Mark has extensive knowledge in governance, analytics, intelligence, and advanced threat defense.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

[00:00:00] Stan Wisseman.: Welcome to another episode of Reimagining Cyber. This is Stan Wisseman along with my co host Rob Aragao. Rob, I was lucky enough to attend and work RSA this year. You were lucky enough not to attend and work RSA this year. It sort of depends on your perspective at the time, right? 

[00:00:21] Rob Aragao.: It actually does at the time.

[00:00:23] That's right. So, 

[00:00:25] Stan Wisseman.: uh, you know, There's always positioning of new innovations and technologies, but I think certainly a theme that came across was that, you know, the threat actors are. You know, as, as we were seeing everybody talk about A. I. and the fact that A. I. is available to, you know, shore up your defenses, threat actors are increasing the velocity of their attacks and using A.

[00:00:48] I. and their attacks, and we need to have greater awareness of those threats to be able to be effective, and we talk about resilience and, and we, we want to be able to, um, give examples of how you can be more resilient. 

[00:01:03] Rob Aragao.: Absolutely. I think, you know, threat intelligence, Stan, has always been something that, um, Our industry has leaned on to try to have, you know, better visibility of like actually what is coming their way, what is actually at their door.

[00:01:13] And I think our guest today will help shed a light on a different approach that helps you look further out and take more of a strategy that helps you defend forward in this new era of AI attacking us. 

[00:01:23] Stan Wisseman.: I couldn't agree more. And, and, and fortunately as our guest today, we have Mark Fernandez joining us.

[00:01:29] Mark is a global CISO at CAE and heads a team focused on cyber resilience, particularly in the critical sectors. Um, like aviation and defense and security, uh, CAE is a prominent force in the defense and government. But it's also equally recognized in their commercial pilot training programs. And with over 28 years of experience in cybersecurity, Mark has extensive knowledge in governance, analytics, intelligence, and advanced threat defense.

[00:01:56] Mark, would you like to add anything else to, you know, fill out your background a little bit for our listeners? And by the way, it's just great to have you on the show. 

[00:02:05] Mark Fernandes: Stan and Rob, it's good to connect with you folks as well. Um, nothing more to add, um, uh, you know, Stan, on, on that topic other than. You know what I've learned and hopefully we'll have a good session based on the journey that we three have had, obviously.

[00:02:20] Stan Wisseman.: And you have a very broad perspective on cybersecurity based on your background and experience. I mean, you've covered a lot of different areas of cyber. Um, so let's just start with a pretty open ended questions and say, you know, what, what are some of the major challenges that you're seeing out there today?

[00:02:37] Mark Fernandes: So I'll answer specifically on, uh, the type of challenges that, uh, a global CISA would have. In general, so I think it's very different than a system that has a single region or a single regulatory domain that they operated when you deal with a global company like CA, but any other global company. There are a lot of complexities when you deal with the changing structure from a regulation standpoint.

[00:03:08] Let's take about let's take data. For example, uh, data is viewed as being critical for national security and critical strategic interest for a lot of countries. And therefore, we're seeing a lot of countries release data sovereignty requirements. That means the data has to reside in those countries. And, and you look at, you know, what we have been experiencing in our industry around, you know, the rollout of SaaS based services that have not been built based on a lot of those data regulations.

[00:03:39] We run into some complexities associated with that. So, global CISOs have regulatory complexities, they have operating complexities, they have. Business viability complexities in terms of the outreach of their business and then visibility complexities as well. 

[00:03:57] Rob Aragao.: So, so, so Mark, one thing talking about the connection point to the business, right, which is critical.

[00:04:02] I think it's, it's the modern CISO, if you will, right? There's this shift that's happened. And, and I think a very positive one from that back office function and supporting again, and protecting organizations to being much more. Literally at the table now, right? It's the cyber breaches. different board requirements now, different regulations pushing that kind of amplifying the need to have that cyber presence, knowledge, um, is critical, right?

[00:04:29] And you have a lot of that experience. Just like to get your perspective, you know, one, why do you see, why do you feel, I guess, that that shift has, you know, Occurred, uh, and also translate it to the value points that you feel are coming from that type of actually elevation of this use of role 

[00:04:45] Mark Fernandes: for all.

[00:04:45] That's a really important question. And I think as we go through this discussion, we're going to talk about the traditional way of doing things versus the growth oriented way of doing things. Well, simplicity sake, I'll call it cyber 1. 0 and cyber 2. 0 so cyber 1. 0, which is a traditional thinking cyber is being viewed as the cost of doing business.

[00:05:05] It's hit the bottom line. It's generally being seen as adding friction, and also it's been viewed as an abstract capability with enterprises. Enterprises know that they need cyber as part of risk management, but generally through the employee base, they don't actually know what cyber actually does. And we, as a cyber community, actually lose a lot of opportunity in actually helping transform our sector, our craft with that, right?

[00:05:33] So, what we've been doing at Cyber 2. 0, to use that simplistic term, is look at cyber as a business enabler, being part of the growth strategy of a company, reducing friction, and obviously democratizing what cyber does with the rest of our employees. With our communities, and within our industry at large with other companies, et cetera.

[00:05:55] And when we go to the conversation, I'll talk about a few things around that. I'll share 1 story with you and specifically around the aviation space. In my team, we have, uh, a bunch of, uh, folks with different competency, everything from, uh, marketing to, uh, technical competency to architecture and everything in between.

[00:06:14] And I was, uh, integrate with the business. 1 person, um, came to me 1 day. And we were talking about using cyber to help develop new growth markets and be part of the business enabler in general. And she came to me and she goes, Mark, I got it. And I said to her, you know, what happened? She said, I went to an, I was there at a airport traveling with my family.

[00:06:41] And I always remember what he talked to me about, you know, security aviation and what it means to make sure that pilots are safe in the cockpit at the airport from gate in the whole kind of life cycle around flight. And I realized that everything we do actually supports my family, your family and everybody else.

[00:06:59] And I love that that story right around the role of cyber place. 

[00:07:03] Rob Aragao.: It's a great learning moment. Absolutely. 

[00:07:05] Stan Wisseman.: So, so Mark, you're, you're talking about that transformation from cybersecurity 1. 0 to 2. 0, right. And, um, you know, I guess one of the things I know you're, you have a great background in, in the context of intelligence.

[00:07:18] And I was wondering how that could be leveraged in your discussions with the board and executives and the rest of the enterprise to help with that, you know, alignment with the business and helping them. Perhaps see the value add that cyber can provide and you know, how, how effective is an intelligence sort of and giving you that, um, opportunity to talk about strategic goals and ultimately the overall objective of helping keep the enterprise secure.

[00:07:50] Mark Fernandes: That's a good question, Stan. So, you know, I think if you look at the traditional way of informing the board, it's generally be done based on. Key risk indicators, uh, risk dashboards. Uh, and specific outcomes around what you've achieved from a cyber perspective, and those are good, but those are viewed as theoretical and sometimes can be viewed as hyperbolic, right?

[00:08:17] They're designed to, you know, sort of move the boat towards a certain direction that you want. Threat intelligence, especially, especially what we're going to be talking about today is, is quantitative and is factual. And what that does is it brings some reality to the board that they feel it within themselves around what's the threat landscape for the company.

[00:08:43] They see trends, they see which views are being targeted. They see the general hygiene for the enterprise and they see motivation and directionality of those adversaries. And by that, it becomes a lot more real for them in terms of, you know, who's targeting a company, what are they going after, which BUs they're going after.

[00:09:06] Stan Wisseman.: Not just abstract, right? I mean, it's not abstract. 

[00:09:09] Mark Fernandes: It's directional. You're making, you're actually 

[00:09:11] Stan Wisseman.: doing attributes. If you can provide attribution, they, I guess, depending on the personalities of the executives and the board, that resonates with them, right? 

[00:09:21] Mark Fernandes: And it starts a healthy conversation Stan, right?

[00:09:23] Because what, what the board will invariably ask is, what do they want from us? Right? And that level of discussion is completely different discussion than looking at KRIs, right? 

[00:09:34] Rob Aragao.: Absolutely. Mark, let's, let's kind of delve into that a little bit deeper. So we all see, we all know there's the constant barrage of the different threats that are happening out there, right?

[00:09:45] Um, doesn't matter. We're vertical. Doesn't matter if it's government, right? It's, it's across the board. Now, I'd love to hear your perspective, you know, kind of get a little bit deeper into how you're reimagining the application of threat intelligence, the role of threat intelligence to really help address More of these, again, sophisticated types of threats that are coming our way.

[00:10:05] What are some of the different maybe examples you can share, the different approaches you're taking, like, let's get in deeper and talk about that. 

[00:10:11] Mark Fernandes: Sure. And, you know, I think the best way to, to say it simply is to once again go back to that cyber 1. 0 versus cyber 2. 0. If we think about, uh, the traditional way of looking at, The topic we're talking about today, threat intelligence, it's mostly around what an adversary has done.

[00:10:30] If you look at everything from IOCs to IOAs and all the traditional techniques using tactic techniques and procedures are all designed around the historical activity of the adversary. If we are to modernize our thinking around dealing with the next generation of adversaries, which are automated, intelligent, adaptive, we have to think about what an adversary wants to do.

[00:10:53] And what an adversary could do, and that has a different type of thinking in terms of capability and countermeasures, 

[00:11:02] Rob Aragao.: whatever, what are maybe some of the different kind of examples that you've come across, right? That kind of help back to the point that you were making earlier, lend a true understanding of what's actually occurring to pay attention to the attribution effect.

[00:11:15] Like, what really is an example that has been very much of an eye opener for you, if you could. 

[00:11:21] Mark Fernandes: Yeah. So let me, uh, quickly, uh, talk about the traditional way of declaring threat condition. So enterprises in general, uh, in the past have always stayed in a state of normal, you know, operation. So what, you know, what generally enterprises do is.

[00:11:40] They, you know, the general thematic is that cyber state is a state of normality because all the processes are designed around the state of the state of peace, right in general, but that's not what happens in terms of of what's going on the threat level changes. Right? So cyber 1. 0 threat conditions not declared enterprise threats are managed through an activity level analysis incidents investigations.

[00:12:09] Uh, and response capability, but it doesn't change the threat condition of the enterprise. Just like the military does. Military changes threat con level. You know that, right? Cyber 2. 0 uses an adaptable cyber threat declaration process. So it's based on the current condition of a global enterprise. And activities managed through the declaration.

[00:12:32] So, for example, if we take what happens in the military is you actually define the current state based on everything you know about your own operations, your digital value chain. And how they could be susceptible to a specified threat that changes to state alpha or state Charlie, and that actually changes the countermeasures and cyber defense processes put in place.

[00:12:54] So, for example, if you move from normal state, which is green, to a state Charlie, which is amber, there's, it changes the cyber defense capability from an organization. So what you do is you change from normal situational awareness to real time situational awareness. You do continuous evaluation from a counter adversary standpoint.

[00:13:16] You use priority threat advisory and intelligence to have eyes on glass on the adversary. You do continuous rep situation reporting, which means that it's reinforced through hunting and you do surveillance from a dark rep. So you look for, uh, changes in the techniques of that actor, et cetera. So what I'm saying is Saba 2.

[00:13:37] 0 is adaptable. 

[00:13:39] Stan Wisseman.: Again, keeping in that military context, um, it's sort of like going to battle stations when you're going to that Charlie or orange level. And you're, you know, basically deploying. Your, your crew on a, on the ship to their respective stations to. You know, be ready, um, and to monitor what they're assigned to.

[00:14:03] Um, are you seeing that in the commercial space though? I mean, is that something that, I mean, that it's happening and as far as trying to adopt that 2. 0 model of, of being, um, capable of, of shifting their controls or shifting their staff and an organization to a higher level of readiness? 

[00:14:22] Mark Fernandes: This, the change is happening, but it's low standard.

[00:14:26] So, if you think about where we've been and where we're going, cyber has generally been designed against a human adversary. We've all already seen that's changing. We are dealing with machine based adversaries. And in order to do that, we have to be in an adaptable state. So I would say there are organizations that are moving, but not fast enough.

[00:14:47] We need to, as an industry move faster in that. To be more adaptable. 

[00:14:53] Stan Wisseman.: So in the context of threat intelligence, I mean, as you mentioned, they're, they're the typical IOCs that most organizations are consuming. Now they have their SIM or some kind of log aggregation to monitor their environment that they have, whether it be on prem, hopefully cloud as well.

[00:15:13] Um, and they have An awareness of potentially how to align the threat intelligence that they're receiving from external feeds to the assets and potential vulnerabilities Exploits that could occur in their environment. How would you characterize that versus potentially looking further out? 

[00:15:37] Mark Fernandes: And that's, uh, that's a really good question and a segue into the defend forward thinking, right?

[00:15:44] If we, if we, if we look at traditional cyber, you kind of sit back, you, you take a defensive posture, you wait for the adversaries to target you. And you and you deal with it from a cyber defense standpoint associated with that. So the premise around SIM is based on that. You're monitoring the enterprise and you're waiting for the adversary to attack you, right?

[00:16:04] Uh, that is a traditional way. It's it's, you know, it's generally based on, uh, a reactive view of cyber attacks. The default defend forward approach is operating in contested space. Based on an adversary that's different, symmetrically different capability from who you are, because if you look, I mean, this is a common premise around cyber, the adversaries that are targeting us are targeting multiple companies.

[00:16:34] So the investment that they get are significant, right? So the resources afforded to them are not symmetric to what we can do from a cyber defense standpoint. So we have to be a lot more intelligent and effective and efficient against that. If we go back to the defense space, because, you know, Stan, you and I have been operating in that space in the past, they have a concept called A2AD, which is basically a strategy on how you deal with an asymmetric adversary.

[00:17:03] So, A2 is basically anti access and AD is anti denial. Anti access is basically movement in your theater, in your enterprise. 

[00:17:15] Stan Wisseman.: So, like a near space, things that are near you. 

[00:17:18] Mark Fernandes: In your space near space exactly near space and anti denial is defend forward as far space is basically you look at where the adversaries are and you build genealogy based on what they do right?

[00:17:31] So you're you take effectively what's called a multi space approach to cyber defense. 

[00:17:37] Stan Wisseman.: And so you are still doing your nearspace analysis, right? Because you want to know what's immediately around you and impact. But you, you're saying you, you get that additional insight by having that farsight, but what, what are some of the, I guess, technologies that would enable you to, you know, support that kind of multi space approach?

[00:17:56] Because, you know, as you mentioned, a lot of the historic. Technologies in the context of a sock are dealing with that near space. 

[00:18:05] Mark Fernandes: So you, you said something, Stan, that's really important, which is you still need near space near space. It's a multi space approach, and they all have a different role to play, but they have their strengths and weaknesses near space tend to be a lot more granular in terms of the inspection claim.

[00:18:26] But if you want to call it that, and what it look, I mean, you could see all the way down to the characteristics of the execution being run by the adversary. That's near space. You can get very intimate to the threat. But near space have challenges in that you can't defend for when you can't see what's happening on the egress of the atmosphere in general.

[00:18:45] So, similarly, far space, which has you go forward, it has better visibility because it's far more broad, but it's not as grand in there because you can't see all the way up to the application level and see what they do. So what would you do so effectively, if you break it out into three spaces, so far space is used.

[00:19:06] Done using signals intelligence. It's basically not the traditional wiretapping, which is typically what's associated with signals intelligence, basically looking at global flows around the world. And making sense out of it, building patents, looking at adversary techniques around it. Midspace is what demarks off your enterprise by the enterprises, cloud workload, or whether it's a traditional data centers, or whether it's your remote offices.

[00:19:33] They all have demarked points. You're monitoring ingress and egress traffic, and you're making sense of them. And then mirror space is a traditional SIEM. All used in unison. 

[00:19:44] Rob Aragao.: Mark, one of the things kind of getting into the multi space discussion methodology approach, if you will, that I think is critical, um, and I would like to get your perspective on is, is the application machine learning, right?

[00:19:56] We know it's here to help us drive better insights. Much better visibility, uh, and ultimately, you know, again, help us with the defend forward strategy. What do you see that are, you know, kind of examples maybe that you could share? And also maybe connect the dots back into your kind of earlier analogy, which I love is, you know, that genealogy kind of connection point.

[00:20:16] It's a, it's a, in my opinion, it's almost like a simpler way of telling the story of value around this approach. 

[00:20:21] Mark Fernandes: Thank you, Rob, for that question. So I'll connect two topics together, uh, because we've talked about it briefly. So, first of all, machine learning and the second one is genealogy because, you know, the three of us have talked about genealogy quite a bit around that.

[00:20:34] So, we'll go back to the purpose around machine learning and context of intelligence 1. 0 versus intelligence 2. 0 and sorry for that simplistic way of referring to it. It's a lack of creativity on my point on my part. 

[00:20:48] Stan Wisseman.: It's okay. It's okay. 

[00:20:49] Mark Fernandes: So intelligence, traditional intelligence 1. 0 is what an adversary has done the basis for a lot of intelligence that we see in.

[00:20:57] Insider in general, what an adversary is now. But if we are to deal with the next generation of adversaries, we have to look at what they want to do and what they could do. And the reason is you have to look at the directionality motivation and what they're after in terms of doing that. Now, you don't just look at yourself, but you look at what they're doing across the sector, across the industry.

[00:21:18] And you use it to define patents, right? 

[00:21:20] Stan Wisseman.: I mean, Mark, in a summary, I mean, isn't that sort of like the core concept of resilience as well, you know, in the sense that you're anticipating, you know, and being able to adapt to, to what you think the adversary is doing? 

[00:21:30] Mark Fernandes: Exactly. 

[00:21:31] Stan Wisseman.: Because that's something we've talked, we've, we certainly have talked a lot about resilience, but you're just putting it in a little different context and phrase, phraseology.

[00:21:39] So yeah, that's good. 

[00:21:40] Mark Fernandes: Right. So let's, uh, Stan, uh, let's give some examples, right? So we brought up the term around genealogy. So let's look at, uh, the, the process of which adversaries target us. Right. So as we talked about, a lot of them are running a business and, and they have a P& L just like any enterprise, but creating offensive capability, that's sophisticated, especially zero day, uh, capability is costly and actors tend to reuse.

[00:22:13] techniques and methods, right? What genealogy does is it tries to determine what those are and tries to look at directionality on that. So let's now go back to the comparison. So Intel 1. 0 looks at indicators of attack and indicators of compromise and what an actor has done. But if you apply genealogy to Farspace, which is signals intelligence, you can use adjacent methods to look at patterns.

[00:22:41] Let me give you a couple of examples. You can look at C2 environment that an actor has used and use probability matching to say they're using the same C2 environment because once again they've bought a lot of the resource rights of the C2 environment so you tend to see patterns. You tend to see similar x509 certificates or characteristics of x509 certificates that are used, certificates used for SSL.

[00:23:06] Then you start to see similar type of protocol execution the way the software was compiled being used. And I've also seen it, uh, characteristics covered by genealogy from machine learning where you see a similar compilation characteristics. So, for example, that was an adversary that use Delphi for compilation.

[00:23:28] And the adversary didn't change the time clock on his, on her, on his compilation. And it would always show epoch time zero, which was 0, 0, 0, UTC, 1st of Jan, 1970. If you looked at the compilation on the code, it had that, that timestamp. For all the characteristics, so that allowed genealogy to look at the linkage of that and a probabilistic matching to the actor 

[00:23:56] Stan Wisseman.: and give you that attribution.

[00:23:58] Yeah, 

[00:23:59] Rob Aragao.: little sloppy, but good example of how they went wrong. Picked up on that very interesting, 

[00:24:04] Stan Wisseman.: but how I guess a broader question. So you have this awareness now, right? Of the threat beyond just again, your near space. How does that reshape your strategy? I mean, we just talked about the fact that you need to adapt.

[00:24:21] Um, if, if, if you're looking at, you know, thwarting these attacks, um, are, are you, again, going back to your, your defense analogy, um, with that greater awareness, you're able to push into battle station mode or to a different level of, of, of heightened, um, activity by your defensive side, if you know you're being, you know, at the cusp of being attacked by a you 

[00:24:52] Mark Fernandes: Yes, so let's, and that's a really good question, Sam.

[00:24:55] Let's contextualize it based on the dynamic threat declaration process that you just mentioned around this. If we, if we make the assumption that the new reality, the new paradigm shift of cyber defense is being adaptable, it's also looking at the directionality. Because if you think of, let's say, a threat actor that wants to launch a denial of service against said enterprise, It's not something that they can turn on right away.

[00:25:20] Stan Wisseman.: They have to stage it, right? 

[00:25:22] Mark Fernandes: They, what they often do is they do dry runs, uh, because they have a ramp up capability. They're the command and control structures federated. So they have to do ramp up capability. Uh, now, if you have signals, which is fire space, You can start to see those patterns as it's time to ramp up.

[00:25:41] And if we connect it back to the adaptable threat level, you know that you have to actually change your response time just in time, right? That will allow you to do things, resiliency, you talked about it, such as moving workload, deploying, uh, you know, um, sinkhole capability, or dynamic diversion technology, et cetera, that will help you deal with those threats in a way that's just in time adaptable.

[00:26:08] Rob Aragao.: Very interesting. Very interesting. I think when we started the podcast, Mark, we purposely named it reimagining cyber. And our goal is to bring in people that, you know, are really taking a different approach. Um, and what you've just done, I think, you know, the audience will truly appreciate is a completely different Different thought process and how you deal with threat intelligence and properly leverage it, but more so is the way you painted the picture of we're, we're needing to be much more adaptive, right?

[00:26:34] It is shifting to the machines, AI combating us, and therefore the better intelligence we have on the far space aspects will help us better protect our environment. And that defend forward strategy absolutely becomes very, very applicable to cyber. So thank you so much. It's a pleasure having a good friend come back on.

[00:26:55] And share perspective but also reality of how you're actually going forward in your battle against the bad guys And we truly appreciate your time. 

[00:27:04] Mark Fernandes: Thank you rob and stan. It's been a pleasure and uh, hopefully we'll do this sometime soon So, thank you so much as well. 

[00:27:09] Rob Aragao.: Hey, 

[00:27:09] Stan Wisseman.: thanks mark

People on this episode