Security Is A Journey, Not A Destination: Keysight's CISO Discusses Cybersecurity's Past, Present And Future By Salesforce

Salesforce | Tuesday, 15 February 2022, 06:55 IST

Security is a journey, not a destination. Between new technologies, emerging threats, and seismic shifts in the cultural landscape, nothing stays static for long. In that spirit, we caught up with Scott Behm, Keysight Technologies' chief information security officer, to get his take on leading enterprise security teams, how 2020 shook things up, and what the future may have in store.

2020 did indeed deliver the IT and cybersecurity community a diversity of trials and associated risks. Defending against increasingly sophisticated threat actors while addressing the people, process, and technology challenges associated with enabling effective and secure remote work almost overnight has definitely been interesting. On a positive note, we have all learned new ways to innovate and deliver. In some cases, we have yielded results even better than before.

As they say, hindsight is 20/20. In 2020, the IT world has proven its resiliency and, overall, done well at enabling organizations to get the job done under extreme circumstances. Many lessons were learned along the way, and it most certainly wasn't the same journey for all. Looking forward, a greater focus on scenario planning for unthinkable crises will help us better future-proof our institutions and interests.

As you know, ransomware attacks, if successful, can have a major impact on their intended targets. As such, it is imperative that companies prepare using tabletop exercises, coordinated blind simulations (making participants believe it is the real thing), or purple team exercises to test not only their response but their ability to detect.

At Keysight, if we discovered or otherwise learned that there were indications of a ransomware attack, the SOC [security operations center] would immediately enact the ransomware playbook. The designated incident commander would begin coordinating communications with both responders and business stakeholders. Concurrently, the SOC would work to understand the scope of the attack, so appropriate containment and mitigation procedures begin as soon as possible.

Artificial intelligence and machine learning are indeed starting to play a role in cyber defense. Today, AI / ML is helping in two areas:

· eliminating the ever-increasing false positives the SOC has to sift through to find the truly actionable alerts
· improving the ability to detect and alert on anomalous behavior or network activity

In the future, AI / ML will likely help cyber defenders even more in these two areas as the technology improves. Looking forward, quantum computing algorithms combined with AI and ML may make predictive cyber defense a true reality. This is based on the premise that quantum computing is able to represent several states at the same time, which will enable faster processing of related data sets and result in high-speed, high-fidelity threat predictions. Whether or not this happens in five years is anyone's guess.

In many cases, organizations do not entirely leverage their investments in cybersecurity defense and visibility tools. The full capabilities of existing cyber defenses may not be deployed, and existing configurations might not be tuned appropriately. So, do that first. 

On cybersecurity defense: If the digital estate is entirely cloud-based from a single provider, leveraging the native cloud provider's cybersecurity defense capabilities to the greatest extent possible may make sense. However, if the organization's architecture is hybrid cloud or a mix of everything, including on-prem IT and OT, multiple cloud instances, and edge computing, finding a single-vendor solution is likely impossible.

On cybersecurity visibility: Developing a flexible security architecture that allows all security-relevant data to be centrally collected for cross-referencing, contextualization, and alerting will enable the SOC to be most effective in detecting threats, regardless of the threat vector.

Scanning the horizon for new and emerging cybersecurity technologies pays dividends. However, similar to the answer to the previous question, making sure that the existing investment is used to its full capability before chasing a shiny new toy is paramount.

If indeed it has been determined that the existing tool set is unlikely to address the emerging threats, an evaluation process should be started that would ultimately shortlist one or two solutions. These solutions could then be extensively evaluated, first in a test environment and then in production. Structuring the evaluation as either concurrent 'proof of value' engagements or fully paid, short-term subscriptions rolled out in parallel allows for a data-driven decision. The solution that provides the best value in terms of stability, scalability, performance, and support wins. And the process repeats.
