Five Questions with Andrew Lewman
1. Recently, it has been mentioned that misattribution poses the biggest cybersecurity risk today. Why?

There are generally three questions during an investigation:

  • What happened?
  • Why did it happen?
  • Who did it?

The last question presents the largest challenge and the most risks when trying to elucidate an answer. Just like with shell companies, it's easy to create layers of indirection to distract from the real source of the attack and successful breach. Criminal organizations are beginning to specialize in various aspects of a successful breach. For example, some threat actors are specialists at penetration testing, others at the actual infiltration, and still others at the distribution of the stolen data. The risk is the victim organization focuses on only a single aspect of the event, and therefore misattributes the incident. Accurate attribution is the result of confidence levels and deep investigation into all possible candidates and actors.

2. Why is DNS critical to detecting and protecting against cyberattacks?

DNS packets are among the first sent/received in any Internet transaction. By paying attention to requests to domains which either aren't valid or are recently registered, an organization can look for these early indicators of compromise. Understanding what is being queried, when it is being queried, and who is the requester and the responder can provide a lot of information to help focus an investigation or flag some suspicious transactions.
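As an added illustration of the early DNS indicators described in this answer (example code, not from the interview or from Farsight Security), the script below scans constructed resolver query-log lines for two of the signals named above: clients producing bursts of NXDOMAIN answers for names that don't exist, and queries to domains registered only days ago. The log format, the registration-date table standing in for a WHOIS/RDAP lookup, and the thresholds are all assumptions.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample log lines (not real traffic). Assumed resolver log
# format: "<date> <client-ip> <query-name> <response-code>".
SAMPLE_LOG = """\
2017-03-01 10.0.0.5 www.example.com NOERROR
2017-03-01 10.0.0.5 a8f3k2.biz NXDOMAIN
2017-03-01 10.0.0.5 q9z1m4.biz NXDOMAIN
2017-03-01 10.0.0.5 x7c2v8.biz NXDOMAIN
2017-03-01 10.0.0.9 update.newly-made.example NOERROR
2017-03-01 10.0.0.9 mail.example.org NOERROR
"""

# Constructed stand-in for a registration lookup (WHOIS/RDAP, or a
# passive-DNS "first seen" date). Domains missing here are treated as not new.
REGISTRATION_DATE = {
    "newly-made.example": date(2017, 2, 27),
    "example.com": date(1995, 8, 14),
    "example.org": date(1995, 8, 31),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registrable_domain(qname):
    """Crude eTLD+1 (last two labels); production code would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_indicators(log_text, today, nx_threshold=3, new_days=30):
    """Return (clients with >= nx_threshold NXDOMAIN answers,
               (client, qname) pairs whose domain was registered within new_days)."""
    nx_per_client = Counter()
    new_domain_hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _day, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
        registered = REGISTRATION_DATE.get(registrable_domain(qname))
        if registered is not None and (today - registered).days <= new_days:
            new_domain_hits.append((client, qname))
    noisy_clients = sorted(c for c, n in nx_per_client.items() if n >= nx_threshold)
    return noisy_clients, new_domain_hits

if __name__ == "__main__":
    print(find_indicators(SAMPLE_LOG, date(2017, 3, 1)))
```

Either hit is a lead for an investigator to follow up on, not proof of compromise on its own; the thresholds should be tuned against the organization's own baseline query volume.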

3. Based on your experience working in both private and public sector, what more can be done to improve threat intelligence sharing between these institutions? Have we made any advances in this area?

The largest areas for improvement to solving a common problem, like cyber insecurity, are diversity and collaboration. In both the public and private sectors, correlating a diversity of sources, viewpoints, and expertise through a collaborative process where everyone is aware of the guidelines helps solve the common problem. Agencies, departments, and companies may all be experiencing similar risks and attacks. This common thread can help all of them better respond and more quickly address the core causes and resolve the issue. An example of this success was raised during a recent Gandi Root Zone panel, in which competing companies worked together to stop a debilitating distributed denial of service attack against DNS provider Dyn.

4. Cybersecurity staff shortages are critical. What can organizations do to encourage more men and women to enter – and stay in – this field?

I believe the industry is already making progress on this issue. Back in the 1990s, when IT admins were in short supply, employers, educational institutions, and the market all provided the incentives and resources to respond to that crisis. The short answer to addressing staff shortages is automation – having machines do the work for you when possible. Using orchestration tools to collect and collate data for presentation to staff can help the organization be more efficient with its resources. The longer answer is to educate more people about cybersecurity and get them into the field. Harvey Mudd College has done just this with great success.

5. During your career in the cybersecurity industry, what has been your most important lesson learned? Why?

Simplicity wins. And everything is a risk. Decide which risks are worth taking and mitigate them with simpler solutions. Compounding complexity with complex solutions doesn't help. A solution in whole may be complex, but breaking it down into simple steps and stages can help everyone understand the risks and their mitigations.

– Andrew Lewman is the Chief Revenue Officer with Farsight Security, Inc.