Leveling the Cybersecurity Playing Field with AI, Machine Learning and Cloud

with Jonathan Cassar, CTO, Malta Information Technology Agency

Using artificial intelligence, machine learning and cloud to address cybersecurity challenges in the Public Sector.

The modern government Security Operations Center (SOC) monitors, detects, responds to, and mitigates cybersecurity threats and incidents, typically employing a combination of technologies such as artificial intelligence, machine learning, and cloud-based solutions to enhance its capabilities for threat detection and incident response. As cybersecurity techniques become increasingly sophisticated worldwide, public sector organizations are experiencing a growing threat from attacks by nation-state actors and cybercriminals. So, what can government-operated Security Operation Centers (SoCs) do to prepare for and respond to threats from nation-states and cybercriminals? We sat down with Jonathan Cassar to explore the evolution of SOCs and how public sector organizations can protect themselves.

Cassar is the Chief Technology Officer and Head of Information Security at the Malta Information Technology Agency (MITA), overseeing government digital workloads, infrastructure, network, and cybersecurity. In addition to the CTO’s office, the security department under his supervision is responsible for the cybersecurity of government digital assets hosted on their hybrid cloud. Cassar’s team manages security governance, compliance, risk assessments, incident response, and operates the security operations center.

Trends in global cybersecurity and the impact on the Public Sector

When examining cybersecurity trends on a global scale, particularly within the public sector, there is a notable increase in nation-state-sponsored activities over the past year. Approximately 53% of such activities have been directed at government and critical infrastructure organizations1. Cassar explains, “If a threat actor managed to disrupt the service and infrastructure, obviously there are consequences for the public safety, for the economy, even sometimes for the social stability of a country or region.”

“Fighting fire with fire”

While traditional practices like adopting cybersecurity best practices, investing in education and workforce development, and enhancing collaboration and information sharing are crucial, there is a need to “fight fire with fire.” Cassar explains that this involves leveraging AI and machine learning to provide comprehensive visibility, detection, and response capabilities. “Most organizations, and especially government organizations with large infrastructure, generate a lot of data, a lot of security events, and a lot of event data. This will be humanly impossible to go through,” he explains.

The use of AI, particularly in platforms like security information and event management, endpoint detection and response, and threat security monitoring, can equip government organizations with the tools and capabilities necessary to defend against sophisticated cyber threats. “We’ll create what we call patterns of life, and monitor any deviations from those patterns, and those baselines,” he continues. By establishing these baselines and patterns of life, deviations from normal behavior can be more easily detected and investigated by AI and hyperscale cloud technology, allowing for the efficient processing and analysis of large data sets.

Cassar elaborates with an example, “When it comes to identity monitoring, I use my identity in the morning from my office, and then after an hour, my identity is used from a different country. It would be a case of impossible travel. So that is an anomaly that is flagged, detected, and then investigated, and any deviations from normal baseline is investigated in the same way. This can only be done by using artificial intelligence and the use of hyper-scale and cloud to be able to consume and processes such large amounts of data.” Cassar continues to share that, while AI presents challenges, it also offers significant opportunities to enhance cybersecurity capabilities for detecting and responding to threats effectively.

In short, the approach of countering cyber threats with advanced technology, including hyperscale cloud, automation, machine learning, and artificial intelligence, is critical. Cassar feels that this strategy levels the playing field and allows government organizations to effectively defend against the increasing scale and sophistication of attacks. Relying solely on human efforts is insufficient but a combination of human expertise and cutting-edge technology is essential to combat these threats.

Best practices for modernizing SOCs in government

Cassar offers recommendations for modernizing government SOCs, emphasizing the need to establish the capability to detect threats at all stages of an attack. “I think that one of the first principles is to have a capability to detect threats through all stages of an attack. This can be done by using technologies like endpoint detection and response, network security monitoring, and security information event management. The data needs to be collected, analyzed from the various sources and there be able to identify malicious activities across the whole chain,” he explains.

Furthermore, Cassar stresses the importance of thoroughly investigating all alerts. He points out that, “this can be done by using technology such as orchestration, automation, and response, and use artificial intelligence to help you triage, prioritize, and also enrich the alerts with contextual information and threat intelligence.” Additionally, he highlights the significance of collecting forensic evidence for investigation and remediation, emphasizing the role of security automation in relieving SOC analysts from repetitive tasks like correlation and validation. Cassar underlines that, “Automation does not mean replacing human analysts with AI or machines, but it’s a matter of augmenting our human capabilities to better achieve our outcomes.”    

Lastly, Cassar share that is essential to leverage threat intelligence from diverse sources and collaborate with external agencies and partners to gain a comprehensive view of the infrastructure, “You can’t work on your own, but threat intelligence needs to come from different sources. So, it’s important to have a number of agreements with different agencies, with through partners who can provide you with this information, and that you provide them with similar information.”

Strategies for enhancing cybersecurity in government and critical infrastructure

Government and Critical Infrastructure organizations face unique challenges as they defend against nation-sponsored cyber threat activity. The complexity of public sector organizations, with challenges in coordination, collaboration, governance, and policy oversight, makes them appealing targets for threat actors. Cassar shared that establishing an effective government-operated Security Operations Center (SOC) strategy involves aligning it with the business goals and risk tolerance of government organizations. ” “I think that we’ve been going through a transformation when it comes to security operations and where the security department is not the function that says no to everything. But it is the function that enables the business to reach its objectives.” 

The strategy prioritizes the security of assets and services, defines roles and responsibilities, and includes metrics and key performance indicators (KPIs) for evaluating SOC performance. Advanced technology tools are essential for enhancing visibility, detection capabilities, and incident response across the environment, allowing for better risk management. A higher level of visibility empowers organizations to take calculated risks when they have the capability to prevent, detect, and respond to security incidents. Cassar explains, “If I have no visibility on a particular system, I don’t know what’s happening. I’m not inclined to take any risks over there. But if I increase my level of visibility, and I know what is happening, and I know that I have certain response capabilities, and I am open for more risk, or I’m open to implement different things, because there as long as I have the visibility, then I have the capabilities to prevent, detect, and respond. So, I think that is part of an important aspect when it comes to a SOC strategy.”

Standard practices like adhering to IT infrastructure standards, following frameworks such as NIST or ISO, conducting regular vulnerability assessments, penetration testing, threat hunting, and auditing remain crucial components of an effective SOC strategy.

According to Cassar, the human factor is also pivotal, as cybersecurity training and awareness are essential for preventing social engineering attacks and other security threats. Education and awareness play a crucial role alongside processes and technology in safeguarding against cyber threats. “I think people are one of the first defenses and the last defenses when it comes to cybersecurity. Most attack vectors we see come through emails or social engineering, where the person, the human plays an important role there to manage to stop this particular attack chain. So, I think education and awareness are just as important as the processes and the technology.”

Approaches to addressing the cybersecurity talent gap in government

The conversation moves to how government organizations can take steps to attract and retain cyber talent and how a holistic approach integrating people, technology, policy, and process modernization helps for managing a government security operation center effectively. Cassar acknowledges a compensation disparity between the public and private sectors but highlights several factors that can attract and retain cyber talent within government organizations. These include the exposure and opportunities for growth, rotation and promotion, the use of different platforms and technologies for learning, and the mission and impact on the public and national security. He adds, “I think fostering a positive work culture, where you find the support and collaboration that you need to be effective in your work, is another important element when it comes to choosing where you work and how also you can attract and retain talent when it comes to cybersecurity.”

1 Microsoft Digital Defense Report 2023 (MDDR)

To find out more:

• Read the 2023 Microsoft Digital Defense Report
• Find out how Microsoft Security helps protect people and data against cyberthreats
• Learn about Microsoft Security Copilot

Listen to this episode on any of these podcast platforms:

Spotify

Apple Podcasts

Google Podcasts

Deezer

Libsyn