15 April 2016
Blogs by author: Ben Azvine, Head of Security Futures Practice
Dr Ben Azvine is responsible for BT’s security innovation strategy and helped to lay the groundwork for BT’s award-winning capability for Security Threat Monitoring.
In this interview, Ben explains how the cyber threat landscape is evolving and how new developments in technology – especially Artificial Intelligence – will help us address the threats of tomorrow.
Cyber security: one of the top 3 business priorities
Tell us a little about your background and current role at BT.
Ben Azvine: As Global Head of Security Innovation at BT my role is to look 2-5 years into the future and prepare for the coming challenges. I think it is the best time in the history of technology to be involved in security because it is such a dynamic area. Security is not just a technology issue; it is also a business and board-level issue. I would say that cyber security is currently one of the top 3 priorities for business and hence we receive a lot of support from top management to accelerate technology in this field.
My background is in Artificial Intelligence (AI). I used to be a full-time academic in the field and even today maintain active contact with academia through a number of visiting professorships, which allows me to talk about some of the challenges ahead and perhaps inspire bright people to work in the security field. I joined BT about 20 years ago and have spent most of my time leading R&D programs in intelligent systems. We strive to build intelligent networks and intelligent assistants that help people do their job better. Basically I like inventing things. I have approximately 50 patents and patent applications in my name. I really enjoy coming up with new things and in that task I’m supported by a fantastic team of people all over the world.
The cost and evolutions of cybercrime
How has the cyber threat landscape evolved in your opinion? Are the types of threats changing and is there any change in how these threats impact our personal and professional lives?
Ben Azvine: You only have to turn on your TV to learn about the latest cyber-attacks on individuals, companies and governments. The reality is that criminals are constantly coming up with new ways of attack, creating approximately $400 billion in annual losses. Nobody is immune. Ninety percent of companies have reported a security breach. Every second approximately 18 people are victims of cybercrime. Both the frequency and the importance of the attacks are increasing. The numbers are pretty worrying but on a positive note this is also a major opportunity for companies to invest in new security capabilities. This is a really vibrant technology right now and there are plenty of financial incentives to increase R&D investment.
What threats should worry us most?
Ben Azvine: I have seen figures that about 80% of financial crime on the internet is done by coordinated groups, but I don’t think all crime is performed by financially motivated people. There are lone hackers who are in it simply to impress their friends or make a name for themselves. But worst of all are the ideologically and politically motivated hackers. Financially motivated hackers tend to go after the easiest targets, so if you can deter them by having good defences, they often choose the easiest targets. But ideologically motivated hackers go after specific targets and they don’t give up. This creates a more persistent threat. We don’t always hear about the damage they do but it is very significant. We have to be aware that the threat environment is evolving rapidly. Crime that can cause disruption to critical infrastructure is probably the biggest threat we should worry about.
Artificial Intelligence: predictive analytics and data at the service of cyber security
How is predictive analytics helping us protect ourselves against cyber threats? In that regard, can you tell us more about the SATURN project?
Ben Azvine: SATURN is a technology we developed here at BT labs. Like many innovations, the initial area of our focus led to the creation of something far more valuable than we originally thought. Initially we were interested in creating a model that would help us understand the impact of breaches on critical national infrastructure. For example, what would the impact be on telecommunications or the road infrastructure if the electricity network was attacked? We commenced research on this about 5-6 years ago. There are basically two ways to approach this. One way is to develop mathematical models of each national infrastructure and then model how they would impact on each other.
The problem with this approach is that it is very difficult to link together the existing models of such infrastructure. Also, once you build such a model it would be out of date almost immediately because of the dynamic nature of the world. Hence, due to the rapid pace of change we decided to abandon the top-down approach and use a more data-driven approach instead that looks at actual incidents in the past, collects vast amounts of data from various sources about such incidents and then links them together with the help of human experts.
The challenge here is how to combine and organise such vast amounts of data. The SATURN acronym (Self-organizing Adaptive Technology Underlying Resilient Networks) refers to the principle that the data needs to self-organise so that it can be interacted with by human beings and used to spot anomalies. One of the first applications of SATURN was to investigate cable theft crime on our networks.
What makes SATURN so powerful is that it can handle any type of data. It is not limited to structured data. It handles data from social media, news feeds, and internal log systems. The data self-organises and humans subsequently interact with the data through visualisation tools, providing a holistic view of data sets and their interrelationships. People can also spot anomalies not seen before that a computer would not be able to detect.
We have packaged all these capabilities with our security threat monitoring solution, giving customers the means to analyse their network and systems data and spot potential security problems. For BT this has been one of the fastest transitions from idea to the development of the technology to access for customers. It only took 2-3 years because the benefits were so great. Essentially it is clever web-based software that uses AI to turn data from multiple sources into pictures that humans can interactively analyse. It enables you to detect anomalies much faster than before – from days to minutes, from hours to seconds. The computers are doing the processing but the humans are spotting the anomalies.
There are three key elements to a security strategy: prevention, detection and response. With SATURN we address detection. Here the aim is to detect an attack while it is happening, ideally within seconds of it starting. But we also want to predict the next stages of the attack. Essentially we have developed software that is trained to look for specific phases of an attack. We look for low-level signs of an attack that we can extract from our network logs. However, the data is so noisy that we cannot monitor everything. Hence we rely on the knowledge of our experts, the knowledge we have of the different types and stages of an attack, and we train our software robots to keep an eye out for these stages. This gives us time to react. By predicting the next stages of an attack, and the timings of such next phases, you will know whether you have time to respond.
Addressing the concerns about the future impact of AI
What role do you think Artificial Intelligence will play in our personal security and the way we keep our organisations safe? A lot of people seem concerned about the future impact of AI.
Ben Azvine: I think there are two future scenarios of AI: there is the scary scenario of robot domination. But there is another more positive scenario where AI is used to make our lives easier and more secure, where we ‘augment’ humans.
For example, an immediate benefit of AI would be in the area of authentication. AI could be used to free people from the passwords shackle. People have difficulty remembering all their passwords, which creates a great deal of frustration as they struggle to log into their laptop or phone. There has been a lot of research on biometrics and tokens but none of these solutions are very user friendly. With AI we are able to look at the way people speak, or even the way they log into their machine as a means to automate authentication.
Machine Learning systems could also be used to learn from people by observing them with a view to automating the more routine elements of their tasks. One big prize in that regard would be to automate the response to security breaches, although I would caution that we should never relinquish control completely to robots in security. I’m a big fan of human-centred AI where people are in control but where lots of the laborious processing and preparation are done by computers.
Security in the Internet of (Every)Thing(s)
Let’s talk about the Internet of Things (IoT). Installing antivirus software on your PC is a no-brainer, but what can you do when the device to be protected is a toy or a toaster? Around five billion devices are already connected to the Internet of Things and by 2020 this could rise to 25 billion. How will this be secured? Will there be new methodologies or will we need to accept more vulnerability?
Ben Azvine: I think IoT will make our lives easier and boost business. And the more data we collect the more it will help us make smarter decisions.
However, from a security perspective every device could potentially be a vulnerability. I think there are three key security challenges we need to deal with.
- Most security measures today are designed for high power, high cost devices; with IoT we need to develop cost-effective encryption and monitoring for low power, low cost sensors and devices. Essentially this is a scale issue; we will need to sell enough of such solutions so that costs decline. That will happen.
- The second challenge is concerned with trust and data integrity. For example, how do we protect our networks from spoofing attacks? How do we prevent people from intercepting messages from your electricity meter, or even worse, your pacemaker? Antivirus and encryption technology is needed so that criminals cannot break into IoT communications.
- The third challenge is privacy and data protection. I think this will make or break IoT. There are so many potential points of data collection and when you put all of that together it becomes easy to identify people. I think we have the necessary techniques available to address this issue but we need to use them properly, from the start. That is a key pillar of BT’s capabilities: providing a secure platform for people to store data and build apps on top of that data.
It reminds me of the early days of cloud computing. Back then we also worried about security. I am sure we will solve these issues but it will require more awareness and cooperation among device manufacturers, network operators and consumers. We need to establish best practice and promote vendors that comply with best practice. Today a lot of vendors are still making rookie mistakes such as storing passwords in firmware as plain text. Those are not difficult problems to overcome, it just requires rigour in following basic principles and best practice.
The misperceptions and reality of cloud security
Security and the cloud: what do you see as the major risks and how can they be avoided?
Ben Azvine: There is still a huge gap between perception and reality. Cloud security is much better than people believe it to be. Some people express concern about having their emails in the cloud, but they’re perfectly comfortable having them on their phone or laptop which isn’t password protected and can be left on a train. Cloud providers are in the business of securing their data and apps, so I would have more faith in a cloud provider than placing my data on a USB stick.
However, there are challenges:
- Firstly, we need to be able to manage the security of virtual applications and machines in the same way as we secure our physical machines. When I buy a laptop in a store I immediately install security software. I should be doing the same in the virtual domain. As providers our task is to make it easy to do so. Ideally, we should be securing applications as they are being created. At BT we have created technology that scans virtual environments and creates intelligent security.
- Secondly, as people store more data they become more vulnerable as targets for hackers. We need a simple way to add more security measures around data access. Even cloud providers should not have access to the data of their customers. Fortunately, there is good technology available to govern access to data.
- Finally, there is the issue of compliance. With data moving freely to the best available resource there is potential to create compliance issues around the geographic location of where data is stored. We need to improve trust in the cloud by giving people more control and visibility over where their data is stored.
Looking ahead: cyber security in the future
What do you see as the biggest headaches for the CISO and CIO today and in the future? Can they be expected to do a decent job when the CFO is cutting costs?
Ben Azvine: We have to change the way we think about security. A lot of the disruption and cost is due to a focus on prevention as opposed to detection. We cannot stop everything. Instead we should promote a more risk-aware culture. The traditional security model is the coconut; a hard shell that keeps you safe inside. But that model has holes in the shell; it is outdated. We should focus on the avocado model: protect the crown jewels, the stone in the middle. Spend most of your resources on protecting the crown jewels and for the rest focus on detection, monitoring and responding. That is the only way to meet the competing objectives of costs versus security.
Let’s look a little further in the future. What will next-generation information security look like in your opinion?
Ben Azvine: That’s my playground! I think cyber defence will become more analytical and predictive. Within a few years we will have real-time response to cyber-attacks.
The time it takes to respond to cyber-attacks will reduce dramatically. I think more human-centred security measures will emerge, that will help people make decisions, both personally but also around corporate and national security. I also see a world without passwords. I have a vision of AI that authenticates you in the same way your friend authenticates you.
Quantum computing is a huge opportunity given the processing speed it promises but it is also a huge threat from a security perspective since ultra-fast computing power could theoretically be used to crack current encryption techniques. So how will we provide encryption-based protection in a quantum world? There are promising developments in the areas of Quantum Key Distribution and Post-Quantum Cryptography which will help meet these challenges.
To conclude, are you optimistic? Is the future bright?
Ben Azvine: Yes, absolutely. Obviously there are big challenges ahead but this is the best time to get into the field. I’m very optimistic that we will have the people to meet the challenges in the future. There is a lot of interest in the field, but we need to keep up our investment, because the bad guys are investing in their capabilities all the time too. Also, at BT I’m feeling confident. We have one of the largest security organisations in the world with 14 global security operations centres. It gives us a unique perspective.