Toward Omniscient Cybersecurity Systems
May 20, 2015
Cybersecurity systems suffer from compartmentalization. Vulnerability management systems know which software revisions are installed on which systems, but have no idea how endpoints and servers are connected together. Similarly, an anti-malware gateway can perform static and dynamic analysis on a suspicious file but doesn't know if a user downloaded analogous malware when she was connected to the Internet on a public network.
Yup, cybersecurity is simply a classic example of one hand not knowing what the other is doing.
CISOs recognize this disjointed situation and many are undertaking cybersecurity integration projects to address this problem. This is certainly a step in the right direction, but I find that a lot of these projects are one-off point-to-point integration efforts. Good idea, but CISOs should be pushing toward an ambitious endgame – omniscient cybersecurity systems.
Now I know this sounds like science fiction and may remind some of my federal government reader friends of John Poindexter’s Total Information Awareness (TIA) DARPA project of the early 2000s. Nevertheless, CISOs need a central cybersecurity systems that:
- Knows everything about every system on the network. I truly mean everything – a unique system identity, system configuration, system behavior, etc., about every server, PC, mobile device, printer, IoT sensor/actuator. By "system," I also mean applications, databases, scripts, and services too. All system activities and changes should be reported back to the omniscient cybersecurity system in real-time. Oh yeah, system knowledge must include physical devices, VMs, and cloud-based workloads.
- Provides the same capabilities about the network. This includes an understanding of the network devices themselves (i.e. identity, configuration, behavior, etc.), but goes much further. Security analysts need a detailed map of how all systems are connected together (including a description of all network security controls and where they reside on the network) for risk assessment and mitigation. They also need to know about network behavior and activities like port scans, protocol tunneling, suspicious connections, unknown encrypted packets, etc. Again, this omniscience should extend into virtual networks and the cloud.
- Can pivot up-and-down the technology stack. One security analyst may want to start with a network view and peer up the stack at applications and databases. Another may begin by investigating an application administrator’s activities as they progress toward several databases containing sensitive data, while a third investigation may progress from an internal user to a business partner’s inventory system. Security analysts need the freedom to look at any IT asset, combination of IT assets, or interactions between IT assets, from any angle.
- Understands context. Rather than piece together a breadcrumb trail on their own, security analysts can use a helping hand from time-to-time. Individual events may be benign but may indicate a clear attack pattern in combination. Rules and dashboards are helpful but a truly omniscient cybersecurity system should be instrumented with algorithms and intelligence to detect patterns. At the very least, these systems should present analysts with alerts based upon suspicious cumulative activities rather than individual events.
- Include threat intelligence. Internal data collection, processing, and analytics should be supplemented with threat intelligence from the wild. Once again, external threat intelligence should be correlated with internal system and network behavior for pattern matching, risk assessment, alerting, and presentation.
- Help out with visual analytics. Bar charts and pie charts are okay but it’s time that cybersecurity take the next step toward visual analytics. To get there, the industry must put a lot more work into cognitive psychology, display technology, and leading-edge graphical interfaces. While this effort is in its genesis, vendors like Click Security, Lancope, and Raytheon Cyber Products are forging ahead with visual analytics interfaces. Finally, the industry group VizSec is championing this effort, bringing together academia, government, and industry thought leaders in this area.
In summary, CISOs need a single system or an integrated architecture that can tell them everything about everything – in real-time. This system must be smart enough to recognize patterns and offer user-friendly visual analytics interfaces enabling analysts to easily pivot from one data point to all others. Armed with this type of system, cybersecurity professionals could move on to the next task – automated remediation and security operations.
The omniscient cybersecurity system I’ve described here is unavailable today but vendors like HP, IBM, LogRhythm, RSA, and Splunk are certainly moving in this direction. My guess is that omniscient cybersecurity will also include big data technology from vendors like Palantir, Platfora, Sqrrl, or Zettaset. Regardless of where this technology comes from however, CISOs need it ASAP.