If anyone in IT can take the long view, it’s Martin Lee. A decade-long cybersecurity veteran, he started in the sector in 2003 by writing spam filters for a managed service provider. Nowadays, as the EMEA Lead at information security giant Cisco Talos, he’s moved on to bigger things. But as Lee repeatedly tells Tech Monitor, many of the sector’s fundamentals have stayed surprisingly constant. Consider, for instance, the value of AI in fighting blackhats, with the executive describing how self-learning systems to fight spam were common even in the 1990s.
It’s a similar story elsewhere too: Moore’s Law, he says, has proved “remarkably resilient” for years. Not that things are static. From innovative tactics like ransomware to a rise in state-sponsored hacking, experts like Lee must clearly remain agile. All the same, with experience on his side, the Cisco Talos veteran believes that the battle against cybercrime remains “solvable within my lifetime.” In the following interview, edited for length and clarity, Lee explains how – focusing especially on the importance of education and cyber hygiene to keeping systems safe.
You’ve been the EMEA Lead at Cisco Talos since 2021. Can you give me a sense of the day-to-day rhythm of the job, and how it differs from your previous jobs in the security sector?
Martin Lee: I’ve now been doing cybersecurity since February 2003. I came into it entirely by accident, and really at a time before cybersecurity really existed, writing spam filters for a managed service provider in the UK. Over time, spam became more of an issue; malware sent over email started to become more of an issue. So I had a good idea of where our strengths and weaknesses are. We also started seeing some very different pieces of malware, very different from the high-volume ones that we were seeing. We didn’t know what it was at the time, but it turned out to be so-called ‘advanced persistent threats’: sophisticated, almost certainly state-sponsored malware.
I spent a long time refining our detection and identifying areas of weakness. And little by little, it started dawning on me that our problem wasn’t necessarily those last few pieces of malware, or the spam. It was actually that people didn’t understand what we were doing, and why it was important. Last year, the largest proportion of threats that were actually getting in was through unpatched systems, poor password choices, improperly secured user accounts, and social engineering – run-of-the-mill stuff that we actually know how to detect. But people aren’t prioritising this in the business.
So my role now is to look at how we get people to actually understand what is happening in the threat landscape, and take appropriate action. This kind of interview is exactly the type of thing that we do: let’s work with external agencies, with PR, with the media, with our partners, to get that message out there so that people make the right decisions.
We need new blood with new ideas and new ways of looking at the problem to come into the industry and take it further. Last week, we were at the National Quantum Computing Centre’s annual hackathon. We had students come in, gave them problems from industry, and then gave them genuine quantum computers to try and solve them.
I would like the problem to be solvable within my lifetime. I think it’s an aberration that we even have people in my job trying to defend computers. I would like my grandchildren to look back in utter incomprehension. ‘What does that mean, your computers got hacked? What does that mean, all our data was compromised and leaked? Why didn’t we just do X?’ I’m sure the next generation has the answer somewhere.
Cisco Talos works with vendors to patch 200 security vulnerabilities a year, even as black hat tactics like ransomware and wiper malware are becoming more sophisticated. Given the vast scale of the digital threat, how do you and your team prioritise what to focus on?
We have an entire team that’s dedicated to researching vulnerabilities in third-party products. We’re part of the Open Source Security Foundation, and have an entire team of vulnerability researchers looking for vulnerabilities. We very much see ourselves as being the team that defends the internet as a whole, and working together with the open-source software community to find tools – but also to look for vulnerabilities in open-source software, so we work together with software engineers to get those fixed.
So many systems are now built on top of the foundation of open-source software. If there’s a vulnerability found in one of those packages, then that affects so many systems. So it’s important that we find those and get them remediated. We also look at a whole range of other things. Basically, we’re looking for those vulnerabilities that creep in elsewhere. For every vulnerability that we find, and we help the publishers fix, that’s one less vulnerability that the bad guys can use to compromise us and our customers.
Also, these vulnerabilities that we find can be used to develop network detection to identify exploitation of them. Zero-day discovery is a whole part of everything that we do. It’s integral to our mission. We’re looking for the most significant vulnerabilities, but every one that we find, we want to get fixed.
An increasing number of cybersecurity incidents – from the ArcaneDoor attack on Cisco to a range of incidents in Ukraine – show the increasing influence of state-sponsored blackhats. Does this change the way you pinpoint and combat new threats?
Certainly at this moment in time, it’s a difficult geopolitical landscape. Spies will always spy. The James Bonds of this world no longer shimmy up a drain pipe with a miniature camera to photograph documents – they send a phishing attack. So understanding the different types of threat actors that are out there, identifying what their objectives might be, and what it is that they’re trying to achieve, is part of what we do.
The other bit is, how are they going about it? What tools are they using? Then for us, it’s like: ‘How do we detect that? How can we make it easy to detect and block these attacks?’ Again, it’s also about raising awareness so that people are aware of what’s going on. It’s murky: we see a blurring between criminal threat actors and state-sponsored threat actors. Criminals are potentially acting as proxy agents carrying out attacks that are inspired by – or having some kind of instruction from – the state but nevertheless are firmly rooted within the criminal fraternity.
So it’s about trying to understand this very murky and shifting threat landscape, identify the types of players – and then figure out how we make life difficult for them.
Given the enthusiasm for machine learning across tech more broadly, to what extent is Cisco Talos integrating AI into its malware detection and prevention systems?
I’m so happy you asked me that. This is stuff we’ve been using for 25 years in cybersecurity! Self-learning systems that are able to identify anomalies, and use that identification as a way of blocking attacks – we were doing this with Bayes, in the spam days in the late 1990s.
So, really, we are continuously looking at all the various techniques that we can to make better use of data and telemetry. The quantities of data are now way beyond what a human can look at meaningfully. So we are increasingly reliant on machines to be able to process that data and highlight what’s important. What’s the weirdest, strangest, most unusual thing that we’ve seen? That means that – for the everyday stuff – the machines can just take care of it. We don’t need human analysis. But to be able to triage those threats, we need human ingenuity, human creativity and human understanding.
We’ve been doing this for things like malware analysis for years now. And increasingly, we’re integrating further AI capabilities into the product set. All Cisco security tools are increasingly having more and more AI woven into them. But we’ve been doing this for years, and this is just a natural progression. As the algorithms get better, we have more data available for analysts, and we bring more and more computing capacity to bear to make sense of it.
From the perspective of CIOs and CISOs, where do you see threats to networking equipment coming from in future?
There are a couple of forces that we need to understand. One is just simply the rate of technological change. IT – and technology in general – is bringing all sorts of advantages to our lives. Moore’s Law remains remarkably resilient. We’re able to do more and more with computing devices. Those computing devices are getting cheaper, so they’re being deployed in more and more places. Fundamentally, humans aren’t particularly good at software engineering. Writing software is really, really hard, and getting software to do what you want it to do, and deliver that within budget, is not easy.
To have that software secure, not only must it do what it’s supposed to do, but also never do anything else. So with the state-of-the-art of software engineering at the moment, we have to expect that there are going to be vulnerabilities in whatever IT changes we’re rolling out. Whether that’s devices, IoT devices, or network devices, there are going to be vulnerabilities there.
An awful lot of what we do in Cisco focuses on removing those vulnerabilities early in the software development process, and then also on trying to make patching easier, so that when vulnerabilities are discovered, it’s very simple and easy to remove them.
That is one force which is driving cybersecurity. The other is the set of opportunities for the bad guys. Certainly, criminals have refined and innovated over the years. The ransomware model, notably, is a very effective way of making money. So while there is money to be made in cybercrime, there will be criminals who will be out there, using their ingenuity and creativity to identify vulnerable systems and exploit them.
We also have that geopolitical environment, which means we have the resources of a nation-state put towards developing techniques for compromising systems. Nevertheless, a lot of these cyber weapons that are being developed are one-shot – because as soon as anyone in the security community identifies it, we can block it.
So I do like to think life isn’t that easy for nation-state threat actors. And then our other force is trying to get organisations to do the right thing – and make it easy for them to do the right thing. Far too often, we see companies doing the basics badly, and that’s letting the bad guys in. So the bad guys don’t need to be particularly innovative in order to exploit systems.
Forecast? We’re going to be using IT more and more. There are going to be vulnerabilities in that, and the bad guys are going to be looking at them. What we as a wider IT industry need to do is make their life difficult. Get the basics right, and then also just be paranoid and continuously hunt the bad guys, so that we can spot them as soon as they get anywhere in a network – and then kick them out as fast as possible.