
Innovation More Understandable

Our guest

Nicolás is the Chief Information Security Officer (CISO) of Corona, a
Colombian multinational company dedicated to manufacturing ceramics for
home improvement, construction, industry, agriculture, and energy
markets. Corona has 20 production plants in Colombia, 3 in the US, 3 in
México and 3 in Central America.

AI in cybersecurity

We started by speaking about the emergence of machine learning (ML)
and artificial intelligence (AI) in cybersecurity, a hot topic right
now.

What is your opinion on the potential applications of ML and AI
in cybersecurity? Do you believe this potential is real, or is it
just hype?

  1. “My stand is halfway. Hype might be at one end, and a solve-it-all
    approach at the other.

  2. I consider ML and AI as valuable approximations to leverage
    behavioral information for cybersecurity; for instance, to detect
    anomalies. We have a significant restriction with current detection
    systems: they work based on who the user is, not on his/her
    behavior. There is no behavioral baseline. Behavior-based intrusion
    detection enabled by AI is a step forward allowing organizations
    to be more efficient.

  3. A kind of hype is present in how IT providers market their newest
    products and how they describe their applications. Some companies
    suggest something like ML and AI are the “solution to all
    problems.” Others sell ML and AI “embodied” as assistants to
    managerial decisions, conveying a robotic way of enforcing security
    policies and containing incidents. I don’t see myself doing that; I
    think we’re not there. Nonetheless, we haven’t learned enough —or
    adequately— about risks from the behavior of the users we protect;
    even less can we program machines to understand and leverage users’
    behavior. The machines’ capability to detect and restrain
    cyberattacks automatically is still far in the future. I think the
    human criterion, the human brain is and will continue to be
    essential for decision-making in cybersecurity. I do not deny these
    capabilities exist. In some AI-powered customer service
    applications, you cannot identify easily whether the other party is
    a robot. There are operations in which ML and AI could add value
    to our business, but I don’t see it as a replacement for high-order
    decision-making.”

Are you deploying ML or AI for your operations?

  1. “Not yet. Two reasons for that: first, we have made a strategic
    decision not to be early adopters of new technology. We are
    conservative about managing risks, in part due to the market we
    serve. Investing in the latest solutions is expensive. I see other
    fronts where smaller investments have a greater impact on what I do
    with my team. We seek small, incremental innovations. Second, we
    are not focused on forefront topics, like, for example, those Fluid Attacks
    is concentrated on. Our cybersecurity operations reach a
    variety of technologies. Some are legacy —for example, our core,
    production plants. Others, cutting-edge tech. In this heterogeneous
    environment, it is essential to have a strategy and a vision
    covering all assets.

  2. Nevertheless, there is an opportunity in using AI in Industrial
    Networks or OT (Operational Technology). It should be feasible to
    deploy an AI practical application to better support our
    cybersecurity operations.

  3. We trust partners like Fluid Attacks, which are doing novel
    work at industry level. Fluid Attacks invests resources in
    exploring and testing with stuff others don’t. Fluid Attacks’
    Hacking services are proof of that. A couple of times, I’ve read
    in the news stuff Fluid Attacks began to prototype and test months
    before.”

Innovation in cybersecurity

Innovation is an even more commonplace topic than ML and AI. Many
people describe what we do at Fluid Attacks as innovation. Nicolás
mentioned innovation at Corona, and we were curious to know more.

What do you consider you are doing differently in cybersecurity?
You mentioned you are convinced about the organization’s approach to
innovation.

  1. “I am a critic of the traditional concept of innovation. Innovation
    is not an end for us; it is an attribute. For Corona, to innovate is
    to make things we already do, but differently; it is to start doing
    things we previously didn’t do that support our business goals for
    real. In that way, we make innovation more understandable, more
    worldly; we remove the strange “pedestal,” where traditional
    innovation-speech seems to be. By actively seeking how we can do
    stuff differently, we create innovation, even if it is not new, but
    is disruptive for us, and more importantly, it delivers value to the
    business. We have found (and transformed) processes with no change
    for more than 130 years!

  2. We have to be very assertive in investments in our business. Those
    should be centered mostly on detection capabilities, in knowing what
    is happening. No matter if fixing takes too long after detection.
    Why? Transparency and honesty. This is a responsible way to manage
    cybersecurity risks in a company with a traditional vision of risk
    management because it is easier to ask for resources for protections
    we don’t have.” (Interested in transparency and honesty? Take a
    look at The F*CK strategy)

  3. “Last year we had an idea: what if we develop customized software
    for cyberintelligence? We needed to know what was going on beyond
    antivirus or firewalls alerts. We didn’t want to keep looking at
    mere associations among events (malware, the status of servers,
    business rules, etc.). We wanted to go further: to know “the status”
    of business processes from our cybersecurity operations. That
    involves mapping all IT assets and creating risk assessments
    quickly and in a form that is easy for company stakeholders to
    understand. In other words, we wanted to establish smooth
    communication with the business
    in the language of business. Think of it, for example, as a risk
    score linked to payroll processes, available before the start of the
    payroll cycle, allowing better decision-making.

  4. We worked with another partner in developing a customized solution.
    We turned to agile methodologies, something new for us. The approach
    was so disruptive —in our terms— that it wasn’t necessary to include
    IT stakeholders during development. The technology supporting the
    soon-to-be solution was on the cloud and container-based. We avoided
    many committees and discussions. When I presented the product to the
    company, IT was surprised and told us: “this wasn’t discussed in X,
    Y and Z committees…” but once they saw the product live, they
    started to fantasize about stuff they could do by working
    differently.

  5. An almost entirely functional product was serving us in less than
    ten months. And we won Corona’s innovation prize, the Prisma award.”

What does this software provide that you previously did not have?

  1. “Timely detections, quicker reaction. We now identify some
    cybersecurity anomalies in 1.5 hours or 2. Before, we knew about
    breaches two days after incidents. We can now contain attacks when
    they are occurring. For example, for the first time, we could detect
    Fluid Attacks in our most recent ethical hacking project.”

Check out the second part of this interview, in which we discuss risk
management, setbacks and lessons, truths and lies in cybersecurity,
and user behaviors.



*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Julian Arango. Read the original post at: https://fluidattacks.com/blog/innovation-understandable/