I love speaking to entrepreneurs each week because the vision and excitement that they have for their companies and products is infectious. All the excitement in the world, however, does them no good if nobody wants to buy that product. This week I had the amazing opportunity to speak to the person ultimately responsible for making a lot of those purchase decisions for his organization: Lockheed Martin CISO Jim Connelly.
In the interview below, Jim and I discuss how Lockheed thinks about protecting itself against sophisticated adversaries, areas of cybersecurity on which entrepreneurs should focus, and Jim’s relationship with venture capitalists.
In the past few years we’ve seen defense contractors such as Lockheed and Raytheon expand further and further into the cybersecurity field through M&A. What do you think is driving this?
Lockheed Martin has been working on cyber for a long time. We’ve been a cybersecurity provider for the DoD as well as several federal and civil customers for quite some time. The market is actually just catching up with the real need and we’re seeing more and more companies getting into cyber.
Lockheed has its own suite of cybersecurity products. Do you use primarily Lockheed products or do you purchase products from outside companies as well? What’s the process like for finding and implementing these solutions?
There are two ways that we find and implement products:
- A lot of the products that we take to market were developed by our internal team for use in the defense of Lockheed Martin’s network as a matter of necessity. We also use all the products we sell. One example is our malware detection system and open-source platform, Laika Boss. Many COTS products had issues with scale and others were ineffective against the adversary.
- We do purchase many commercial technologies such as systems that provide more of a commodity function. We also acquired Industrial Defender in 2014, a leading cybersecurity provider for industrial control systems (ICS).
You mentioned that you develop solutions to protect against nation states; how do you think about protecting a network against someone with unlimited resources?
People say that in cybersecurity the defender has to be right every time whereas the adversary has to be right just once. Our team looked at this problem and developed the Cyber Kill Chain® methodology, which forces the adversary to be right across seven steps. This helps level the playing field.
Another way that we look to protect against the advanced persistent threat is through information sharing. Cybersecurity is a team sport, and we are constantly sharing information with the government and other trusted partners. Some of our biggest competitors are our greatest allies when it comes to information sharing.
Can you describe the Lockheed Martin Cyber Kill Chain®?
The Cyber Kill Chain® allows for proactive remediation of advanced threats across seven steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The adversary follows these steps, and using the Cyber Kill Chain® method, we have an opportunity to catch and remediate them at any point.
- Reconnaissance: Information collection and target identification. Example: Adversary monitors conference website to select targets from conference attendees.
- Weaponization: Weaponize an otherwise clean document/URL. Example: Adversary uses a tool to convert legitimate conference agenda into a malicious PDF document.
- Delivery: Get malware to the target. Example: Email spoofing the conference organizer sent to the attendees with malicious PDF document attachment.
- Exploitation: Executes the malware. Example: If a user clicks, the malware exploits a vulnerability in Adobe Acrobat that allows malicious code to be injected.
- Installation: Compromise the target. Example: Malware hidden inside the PDF document installs itself on the victim’s computer.
- Command & Control (C2): Two-way communications between target and controller. Example: Malware silently (to the user) sends a beacon to the adversary’s network letting them know it is accessible.
- Actions on Objectives (Exfiltration): “Hands on Keyboard.” Example: Adversary has full access to every document on the victim’s system, and can move to network shares and hop from computer to computer inside the network.
Stopping adversaries at any stage breaks the chain of attack. Adversaries must completely progress through all phases for success; this puts the odds in our favor as we only need to block them at any given one for success. Every intrusion is a chance to understand more about our adversaries and use their persistence to our advantage.
Are there any specific areas of security that the existing products don’t effectively address? In other words, in which areas should budding entrepreneurs be focused?
There are two areas that come to mind. First, we need better protection of data at the lowest level. There are some DLP products; however, the DLP market has grown stagnant over the last decade because there is no interoperability between DLP and rights management. We need products that can drive better protection at the data level as well as information rights management.
Second, we need better authentication solutions. Some of the solutions we use today are outdated. We really need to take the next leap. Two-factor authentication has to become ubiquitous; right now, it sometimes struggles to fit with the modern enterprise that emphasizes mobility and the Internet of Things.
You have the biggest cybersecurity firms in the world as part of the Lockheed Cyber Security Alliance. Can you explain what the alliance does? Where does Lockheed fit in?
The alliance was started in 2009. The goal was to bring leading technology providers together, almost as a coalition to implement solutions. Lockheed Martin’s role is to be the hub of the alliance. As a large provider of IT services, we see the problems that our customers have and we work with the companies that are part of the alliance to resolve the issues.
You’ve said you have 3,500 employees focused on cyber. What are the different units in which they spend their time?
Cyber is embedded into every platform and product we develop at Lockheed Martin. We have cyber talent spread out across the entire corporation. We are really a full spectrum cyber-shop.
Has it been hard to hire cyber talent?
There is zero percent unemployment in cyber, so it is definitely a challenge. I think more and more colleges are starting to catch up by putting more cyber-focused programs in place. When we first started down this path it was rare to see. To keep up with demand, we created cyber-related courses at Lockheed Martin for employee development.
We also have an awesome mission – defending LM and our customers’ mission – which helps attract new talent. Potential employees are really excited about what we do.
VCs often talk about having relationships with CTOs and CISOs that they can introduce to their portfolio companies. Do you have much interaction with VCs?
I meet with some venture capitalists (VCs) on a yearly basis. The VCs want our opinion on where things are going and what’s important to us. During the meetings we typically learn about new companies, which we can invest in as well as purchase products. It’s a two-way street.
One thing I’ll tell you is scalability is a huge issue and a lot of VCs want our opinion on that. There are many security products that work great in a small lab, but when you try to bring them into an enterprise of our size, they don’t work. We’ve seen a lot of great ideas that don’t have the ability to scale. That is another gap in the cyber space.
- HelpNet Security’s 2016 predictions include hackers increasingly targeting cloud providers and an increase in mobile malware and malvertising.
- Iranian hackers hacked the control system of a dam in a New York City suburb several years ago. The incident, which is still classified, has since prompted discussions over the security of the United States’ critical infrastructure.
- Several staffers with the Sanders campaign allegedly accessed confidential voter information obtained by Clinton’s campaign.
- Some officials argue that the U.S. should shut off as many ISIS communication channels as possible, whereas others argue that ISIS’ communications provide a window into their whereabouts.
- The SEC has approved Overstock.com’s plan to issue stock via the blockchain. Overstock has built the infrastructure for offering “cryptosecurities” and plans to offer the technology as a service for other companies. Overstock CEO Patrick Byrne sees the technology as a way to eliminate the middleman in the stock market.