Innovation more understandable
"We make innovation more understandable, more worldly."
Nicolás is the Chief Information Security Officer (CISO) of Corona, a Colombian multinational company dedicated to manufacturing ceramics for the home improvement, construction, industry, agriculture, and energy markets. Corona has 20 production plants in Colombia, 3 in the US, 3 in México and 3 in Central America.
AI in cybersecurity
We started by speaking about the emergence of machine learning (ML) and artificial intelligence (AI) in cybersecurity, a hot topic right now.
What is your opinion on the potential applications of ML and AI in cybersecurity? Do you believe this potential is real, or is it just hype?
My stand is halfway. Hype might be at one end, and a solve-it-all approach at the other.
I consider ML and AI valuable approaches to leveraging behavioral information for cybersecurity; for instance, to detect anomalies. We have a significant restriction with current detection systems: they work based on who the user is, not on his/her behavior. There is no behavioral baseline. Behavior-based intrusion detection enabled by AI is a step forward that allows organizations to be more efficient.
A kind of hype is present in how IT providers market their newest products and how they describe their applications. Some companies suggest something like ML and AI are the “solution to all problems.” Others sell ML and AI “embodied” as assistants to managerial decisions, conveying a robotic way of enforcing security policies and containing incidents. I don’t see myself doing that; I think we’re not there. Nonetheless, we haven’t learned enough —or adequately— about risks from the behavior of the users we protect; much less can we program machines to understand and leverage users’ behavior. The machines’ capability to detect and restrain cyberattacks automatically is still far in the future. I think the human criterion, the human brain, is and will continue to be essential for decision-making in cybersecurity. I do not deny these capabilities exist. In some AI-powered customer service applications, you cannot easily identify whether the other party is a robot. There are operations in which ML and AI could add value to our business, but I don’t see it as a replacement for high-order decision-making.
Are you deploying ML or AI for your operations?
Not yet. Two reasons for that: first, we have made a strategic decision not to be early adopters of new technology. We are conservative about managing risks, in part due to the market we serve. Investing in the latest solutions is expensive. I see other fronts where smaller investments have a greater impact on what I do with my team. We seek small, incremental innovations. Second, we are not focused on forefront topics, like, for example, those Fluid Attacks is concentrated on. Our cybersecurity operations reach a variety of technologies. Some are legacy —for example, our core, production plants. Others use cutting-edge tech. In this heterogeneous environment, it is essential to have a strategy and a vision covering all assets.
Nevertheless, there is an opportunity in using AI in Industrial Networks or OT (Operational Technology). It should be feasible to deploy a practical AI application to better support our cybersecurity operations.
We trust partners like Fluid Attacks, which are doing novel work at industry level. Fluid Attacks invests resources in exploring and testing stuff others don’t. Fluid Attacks’ Hacking services are proof of that. A couple of times, I’ve read in the news about stuff Fluid Attacks began to prototype and test months before.
Innovation in cybersecurity
Even more commonplace than ML and AI is innovation. Many people describe what we do at Fluid Attacks as innovation. Nicolás mentioned innovation at Corona, and we were curious to know more.
What do you consider you are doing differently in cybersecurity? You mentioned you are convinced about the organization's approach to innovation.
I am a critic of the traditional concept of innovation. Innovation is not an end for us; it is an attribute. For Corona, to innovate is to make things we already do, but differently; it is to start doing things we previously didn’t do that support our business goals for real. In that way, we make innovation more understandable, more worldly; we remove the strange “pedestal” where traditional innovation-speech seems to be. By actively seeking how we can do stuff differently, we create innovation, even if it is not new, but is disruptive for us, and more importantly, it delivers value to the business. We have found (and transformed) processes with no change for more than 130 years!
We have to be very assertive in investments in our business. Those should be centered mostly on detection capabilities, in knowing what is happening. No matter if fixing takes too long after detection. Why? Transparency and honesty. This is a responsible way to manage cybersecurity risks in a company with a traditional vision of risk management because it is easier to ask for resources for protections we don’t have.
(Interested in transparency and honesty? Take a look at The F*CK strategy)
Last year we had an idea: what if we develop customized software for cyberintelligence? We needed to know what was going on beyond antivirus or firewall alerts. We didn’t want to keep looking at mere associations among events (malware, the status of servers, business rules, etc.). We wanted to go further: to know “the status” of business processes from our cybersecurity operations. That involves mapping all IT assets and creating risk assessments quickly and in a way that is easy for company stakeholders to understand. In other words, we wanted to establish smooth communication with the business in the language of business. Think of it, for example, as a risk score linked to payroll processes, available before the start of the payroll cycle, allowing better decision-making.
We worked with another partner in developing a customized solution. We turned to agile methodologies, something new for us. The approach was so disruptive —in our terms— that it wasn’t necessary to include IT stakeholders during development. The technology supporting the soon-to-be solution was on the cloud and container-based. We avoided many committees and discussions. When I presented the product to the company, IT was surprised and told us: “this wasn’t discussed in X, Y and Z committees…” but once they saw the product live, they started to fantasize about stuff they could do by working differently.
An almost entirely functional product was serving us in less than ten months. And we won Corona’s innovation prize, the Prisma award.
What does this software provide that you previously did not have?
Timely detections, quicker reaction. We now identify some cybersecurity anomalies in 1.5 or 2 hours. Before, we knew about breaches two days after incidents. We can now contain attacks while they are occurring. For example, for the first time, we could detect Fluid Attacks in our most recent ethical hacking project.
We will post the second part soon, in which we discuss risk management, setbacks and lessons, truths and lies in cybersecurity, and user behaviors.
Data scientist in training.