Mark Graff on Cybersecurity Now and In the Future

A cyber security practitioner and thought leader for over 25 years, Mark Graff is the Founder and CEO at Tellagraff, LLCMark Graff, host of the weekly radio/podcast ‘CyberMatters with Mark Graff,’ is a seasoned Chief Information Security Officer, having filled that role for NASDAQ for three years and Lawrence Livermore National Laboratory for nine. While at NASDAQ, Graff founded and chaired the Cyber Security committee for the World Federation of Exchanges the first international organization of executives responsible for the cyber safety of the world’s stock exchanges. He was named Internet Security Executive of the Year for the Northeast United States in 2014.

Graff has lectured on risk analysis, the future of cyber security and privacy, and other topics before the American Academy for the Advancement of Science, the Federal Communications Commission, the Pentagon, the National Nuclear Security Administration, and many other U.S. national security facilities and “think tanks.” He has appeared as an expert witness on cyber security before both Congress and the Presidential Commission on Infrastructure Survivability, and served as an expert witness on electronic voting machine software for the state of California. In the 90s, he served two terms as chairman of the international Forum of Incident Response and Security Teams (FIRST), the world’s preeminent body of incident response (CSIRT) practitioners.

Graff’s 2015 book, “Enterprise Security Software: a Confluence of Disciplines” (Addison-Wesley Professional, 978-0321604118) explains how to work with software developers and security practitioners to produce integrated security solutions for business. His 2003 work, “Secure Coding: Principles and Practices”, has been used at dozens of universities around the world to teach how to design and build secure software-based systems.

Graff holds a B.S. in Computer Science from the University of Southern Mississippi. His base of operations is New York City.

LIFARS: What you think is the most underrated threat today, the one that not enough people worry about?
Mark: The obvious answer is the third-party risk. Your network is pretty much interacting with the networks of all your vendors, and there’s no telling what you might pick up from those kinds of connections.

LIFARS: You said that was the obvious answer. What is the non-obvious answer, the threat that’s really not on anybody’s radar?
Mark: Attack software developed by artificial intelligence. In the near future, we’ll see really really smart complex convoluted attack software that goes after dozens or hundreds of vulnerabilities and prospects at once, combining threat and exploitation in crosscurrents the human mind cannot fathom. That is what keeps me up at night.

LIFARS: However, wouldn’t AI and machine learning help security teams to better manage detecting threats and incident response function? If so, could you briefly explain how?

Mark: Sure. AI/machine learning techniques will greatly assist defenders as they adapt to the need for real-time — instantaneous — response. In fact, artificially intelligent adaptive defense is our only hope. In a handful of years, human-directed in-the-moment response to security events will be as outdated as those huge shoe-sized cell phones that the cool kids  carried around in a briefcase in the early nineties. AI will be more of a help to attackers, rather than defenders, because of the asymmetry of the cyber battlefield. Attackers only need to find a single weak spot, and drive through it.  Defenders need to create and maintain a perfect seal. To stretch a metaphor, one pin prick can puncture a good-sized, full functional balloon; and with AI-based software, there is no realistic limit to the size and complexity of an attack.

LIFARS: Let’s talk about a threat in the here and now. Thousands of small businesses are hit with ransomware attacks every day in the United States. We help deal with the consequences, but what is your best advice for small businesses to avoid ransomware to begin with?
Mark: Well, good cyber hygiene is the start. Employees need to understand not to click on that link! And of course, each endpoint and server and virtual image needs appropriate protection against viruses, worms, and other malware. Also, it goes without saying that companies, especially small businesses, need to keep their patches and updates current, installing stuff automatically as soon as it comes from a vendor. Small businesses almost never check vendor patches, or truly evaluate whether or not to install them; why not automate the process?  Finally, maybe the most important step is to make a policy decision ahead of time, and a plan: what will you do when disaster strikes? With ransomware, the main question is “Do we pay the ransom?” That’s not a policy decision you really want to be improvising under maximal stress, with your systems not working and your employees (and maybe even customers) frightened and frustrated.