A Shared Ecosystem
Author: Aubrey Merchant-Dest
September 2019
Cybersecurity and risk management require context and visibility that is relevant and timely, consumable and actionable, using a taxonomy that everyone understands. We want to communicate the ‘so what and why should I care’ and understand the ‘what can I do,’ with a measure of cost, potential risk and likely consequence. Cybersecurity and risk management are symbiotic and affect individuals and enterprises alike. Loss of sensitive data can manifest in ways limited only by imagination, and Artificial Intelligence (AI) opens yet another set of outcomes which we are only now starting to question and grasp. Ethics, integrity and provenance are where we should focus; this is the cyber defense and risk management challenge moving forward. We’re approaching a point where loss of trust in the connected realm risks quality of life.
The majority of our focus in cyber defense thus far has been on identifying external threats, attempting to block them at the network perimeter or at some endpoint device. Data now resides in online applications, or in shared services hosted externally. There’s value or convenience for businesses and consumers respectively, but risk is never eliminated, only transferred and/or accepted. Recall that ‘opportunity cost’ is the measure of loss or gain from an alternative not chosen. This is the realm of the actuary for large businesses, but how do we resolve that when the data or object can be used to manipulate individuals, creating public harms? The Centers for Disease Control (CDC) may be the best example of how we identify and mitigate public harms relative to cybersecurity and risk management. They identify threats, communicate a course of action that is clear and concise, and define a protocol understandable by all entities. This is exactly the challenge faced in our networked, connected world.
People, devices, applications and data are the demand and supply-chain in today’s global economy, and any one of these can introduce risks or threats to an environment. Challenges in risk and threat protection are exacerbated further as modern compute paradigms are adopted; for example, more distributed data requires more visibility and added controls/management. Automated approaches to code scanning, configuration management and threat protection are making a positive impact, though we still require correlated/converged visibility and contexts to get us to the next level. This could potentially be resolved through a ~universal taxonomy describing ‘publicly shareable attributes’ about risks and threats.
Person entities (PEs) and non-person entities (NPEs) are core to this equation, factored with anonymity and privacy concerns in mind. Consider medical devices and the data they collect and forward as a use case: what attributes are collected and correlated to mind your physical being? Are attackers targeting these or similar devices in another geography? That would be useful information to share, elevating awareness and preparing for an outcome. We need to share contexts, not the proprietary information that creates or identifies mal-activity or vulnerabilities. We don’t want to commoditize cybersecurity and risk a loss of efficacy, but it must scale your existing workforce and blanket critical investments. Having a bigger-picture view of everything relevant to your data property and/or community helps make for a safer environment.
If we took a CDC-like approach, we would need to understand where the threat is, what it is targeting and through which vulnerability, the type of endpoint and its hygiene, the targeted infrastructure, and other attributes useful for identifying the ‘hot zones’ or even pandemic cyber threats. In other words: is it viral, bacterial or fungal, how is it contracted, what are the symptoms, and how is it treated or prevented?
In this approach, we don’t need to define or standardize on all the data. We would just need to have a set of commonly understood pieces of information, and that information would have to be designed intentionally to allow people to easily map from the global issue to their personal situation.
Today’s Operational Environment
Organizations benefit from the agility and efficiency that today’s environment promises, but still require the visibility and control possible with on-premises systems and tools. Organizational data will increasingly be housed within a Cloud Service Provider’s (CSP’s) data center, but not all risk is mitigated in their environment. The shared responsibility model requires entities to manage data “in” the CSP platform/shared service, which requires constant configuration management to mitigate both technical and human factors.
Compounding this is that the definition of an endpoint continues to evolve. The future of cloud computing will be far more distributed than we currently imagine. Smart cities, autonomous vehicles and the continued proliferation of connected “things” will force further distribution of compute fabric closer to endpoints/sensors to improve real-time analytics and take actions at machine speed. This “edge computing” is a necessary component in the realm of “cyber physical systems” and therefore critical to risk management as we continue to innovate technical solutions. The new boundary is the data (and the services).
Context is Everything
There are many touchpoints supporting business continuity. Security or IT operations implement tools and technology that identify and mitigate risks which manifest from internal or external threats, but more context and visibility is needed to identify unusual behaviors which extend beyond the capability of traditional security stacks. Your data and applications extend to multiple properties; you need visibility and meaningful contexts to enable user and entity behavioral analytics (UEBA), which, to be clear, means PE and NPE correlation. Identity proofing all touchpoints is paramount, but having some well-defined, set facts about entities accessing your resources is critical to making decisions at machine speed.
While today’s security tools can identify known and even novel threats, not all threats manifest as malware. Consider ‘deep fakes’ and the risk they present both personally and politically. We should consider asset management of digital information/objects similarly to entities (PE and NPE) that interact with it, and this is inclusive of communications from the network to the application layer protocols and the data itself. Applications are business oriented, networks provide connectivity, security tools detect and protect from threats, and they need to operate in unison, in cyber-relevant time. All of the interacting components can become sensors, essentially a detective at every corner to help assess, decide, and monitor. Sense-making of your operational environment becomes more achievable, and it can indeed span all of your data properties. We can now consider automating response and recovery procedures with confidence and reliability.
Everything and Everyone is an Endpoint
Humans, connected devices, hypervisors, containers and workloads are all endpoints. Applications and information determine the demand and supply-chain. That’s a lot of touchpoints to support supply-side business operations, all necessitating consistent configuration management and policy control, and privacy/attribute protections. Security tools aid in identification and mitigation of risk or threats from internal or external sources, but context, visibility and analytics are necessary to track and reveal unusual behaviors which extend beyond the typical security stack. Today these two sets of information are not easily correlated to support more timely and effective decisions; there’s a need for rapid convergence. Seemingly unrelated and even remote ‘signals’, when properly correlated, can pinpoint high-value ‘noise’ early. Yes, we’re talking SIGINT for a connected world, a CDC-like approach, with a threat intelligence overlay.
The real need is to log and detect activity in a manner that makes it easier to relate to the threat (in your context), so you can understand your exposure, risk, and mitigations if you determine you are or may become infected. That requires a level of visibility and understanding that we currently do not have about our end-to-end system interactions and the transports connecting them. Networks, endpoints and cloud applications of today utilize APIs to generate log data that can help inform security operations; they all provide sensor-like capability and can contribute to sense-making. The human factor may be the ultimate challenge: we are souls with built-in sensors, but how do we respond to the unknown and/or unusual? Think of a type of truth-table factored with experience or otherwise learned, reactive to stresses past or present. Think about the effect of a well-crafted phish or an urgent SMS from a loved one. The point is that a larger community can benefit from ~attribution and relate it to a larger concern. Think about that in the context of SIGINT, bigger-picture intelligence. This approach should facilitate broader critical thinking about cyber awareness.
Today’s Threat Environment
Irrespective of the size of your organization, threat protection and intelligence should be an integrated component of risk management and cybersecurity protection. It is useful to understand the threat landscape even when you don’t have direct exposure. You gain insight into how your organization might be affected and the potential impact to systems health, and/or you understand how threats are evolving and where they are moving. You see and understand this early in the cycle and stay in front of a situation.
Mature security operations likely utilize both commercial and open source intelligence feeds for additional context and improved dimensionality. Public/private information sharing occurs with authorities when threats are egregious enough to warrant national security concerns or potential pandemic.
Optimum information sharing requires a trusted source, and trust can gain or wane. There’s plenty of useful threat intelligence available if you’re able to parse and correlate it to your environment. Put another way, the intelligence must be easily relatable and relevant, answering the ‘so what and why should I care’ questions, the only questions that actually matter, and do so at a useful point in time.
Bridging Threat and Network Defense Communities
As we’ve been leading up to, let’s define what a CDC approach to cybersecurity and risk management would require. It is a protocol, actually, for risk management and intelligence collection and dissemination, sufficiently abstracted for wide comprehension. It would then support a ~universal plug-in architecture, a platform ideally, an integration fabric minimally: an open platform that gives you control over your enterprise telemetry and security data, how much you collect, how long you retain it, and where it resides. It also provides a standard, cross-product schema for analytics, reports, and dashboards. It links PEs and NPEs to applications and/or objects; everything contributes to sense-making.
It normalizes the event data that it collects from different sources to match a minimum, common standard, using the same attribute names and values for equivalent events. The schema is an extensible information model that defines one common taxonomy for the event data that is collected from different products. The schema is also a cross-product standard that is maintained and upgraded as necessary; it defines the event types and groups them in a number of categories.
Extensible – interface points are important so the model can be extended to capture and convey new capabilities, information, or policies. A starting point would be persons, devices, transports, applications, data, frequency, geography, etc.
Open, Orchestrated, Managed, and Protected Integration – as more and more sense- and decision-making are performed by analytics and algorithms, the orchestration needs to connect capabilities (not products and services, but maybe even packages of them to meet a capability) in a way that can be clearly articulated, synchronized, monitored, assessed, measured, and secured.
Maintain Trust – we must be careful to guard against possible negative outcomes as we depend more on automation and artificial intelligence. Trust is additive and subtractive; provenance must be well understood and controlled. Think multiple notary public roles, distributed and coordinated hierarchically.
Giant Steps Are What We Take (Walking on the Moon)
Do you recall Bird Flu (Avian Flu)? The CDC website defines the basics, provides guidance and updates, as well as prevention, treatment and subtypes/variations. This answers the ‘so what and why should I care’ as well as the ‘what can/should I do.’ It does so in terms and contexts easily understood by the community at large, across the globe. Cybersecurity and risk management should be no different. The Department of Homeland Security implemented ‘see something, say something’ many years ago, and while you can argue its effectiveness, the intention is simple to understand. We all play a role and have societal responsibilities; we need to adapt this to cybersecurity, realizing the potential for risk and contributing to early identification and risk mitigation for the greater good.
Stop for a moment and consider the number of connected devices that support commerce and social communications, then consider the variables related to the hygiene of devices and the (un)intentions of human factors. It’s difficult to wrap your head around the volume and variables. Technologists should believe technology is about humans and not gadgets. But bad actors see something very similar: an opportunity to exploit technology to deliver an outcome, and they’re playing us in ways that should offend us all.
Every connected device has some ability to report some activity; what is needed is a mechanism to correlate otherwise loose signals to identify activity of interest. This requires sense-making attributes to be converged and analyzed, including end-to-end communications. We can then understand where threats are emanating from and whether they were stopped upstream or downstream. But that takes coordination across multiple entities (service providers, equipment vendors and others). We all have a view of cybersecurity and risk management, but it is generally constrained to specific areas of focus or specialization. Network folks are concerned with uptime and availability; security operations have the very same concern but from a different vantage point. The cost is lower if we can block it at the network/transport layer. It’s time to create an overlay model to gain additional visibility and contexts. Only then can we improve end-to-end situational awareness and improve our risk management game.
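To make the two ideas concrete, here is an added worked example (not the author's code and not any product's schema) covering both the common, cross-product event schema described under ‘Bridging Threat and Network Defense Communities’ and the correlation of loose signals across devices described in the paragraph above. It normalizes two constructed records, a firewall key=value line and a cloud audit JSON record, onto one set of attribute names, then groups the normalized events by source IP and flags an IP that appears in more than one source within a short window. The log formats, the field names in COMMON_FIELDS, the host name, user name and IP addresses are all constructed for this illustration.

```python
"""Normalize heterogeneous events to a common schema, then correlate
them by entity. Added example; formats and field names are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input (not real logs): one firewall deny line and
# one cloud audit record, both from the same source IP.
FIREWALL_LOG = ("2019-09-03T10:01:22Z fw01 action=deny src=198.51.100.7 "
                "dst=10.0.0.5 dport=3389 proto=tcp")
CLOUD_AUDIT = json.dumps({
    "eventTime": "2019-09-03T10:02:05Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"userName": "alice"},
    "responseElements": {"ConsoleLogin": "Failure"},
})

# The minimum common schema: every normalizer must emit exactly these keys.
COMMON_FIELDS = ("time", "source", "category", "outcome", "actor", "target", "src_ip")


def _parse_time(ts):
    """Constructed timestamps use ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_firewall(line):
    """Map a 'timestamp host key=value ...' firewall line onto the common schema."""
    m = re.match(r"(\S+) (\S+) (.*)", line)
    if not m:
        return None
    ts, host, rest = m.groups()
    kv = dict(part.split("=", 1) for part in rest.split() if "=" in part)
    return {
        "time": _parse_time(ts),
        "source": host,
        "category": "network.connection",
        "outcome": "blocked" if kv.get("action") == "deny" else "allowed",
        "actor": None,                      # firewall lines carry no user identity
        "target": f"{kv.get('dst')}:{kv.get('dport')}",
        "src_ip": kv.get("src"),
    }


def normalize_cloud_audit(raw):
    """Map a cloud audit JSON record onto the same common schema."""
    rec = json.loads(raw)
    result = (rec.get("responseElements") or {}).get(rec["eventName"], "")
    return {
        "time": _parse_time(rec["eventTime"]),
        "source": "cloud-audit",
        "category": "identity.login",
        "outcome": "failure" if result == "Failure" else "success",
        "actor": rec.get("userIdentity", {}).get("userName"),
        "target": rec["eventName"],
        "src_ip": rec.get("sourceIPAddress"),
    }


NORMALIZERS = {"firewall": normalize_firewall, "cloud": normalize_cloud_audit}


def normalize_all(raw_events):
    """raw_events: iterable of (kind, raw_record). Enforces the common schema."""
    out = []
    for kind, raw in raw_events:
        ev = NORMALIZERS[kind](raw)
        if ev is None:
            continue
        missing = [f for f in COMMON_FIELDS if f not in ev]
        if missing:
            raise ValueError(f"{kind}: missing common fields {missing}")
        out.append(ev)
    return out


def correlate_by_src_ip(events, window_seconds=300):
    """Return {src_ip: summary} for IPs seen in more than one source within
    the window. Each event alone is a loose signal; together they are a lead."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["src_ip"]:
            by_ip[ev["src_ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        sources = sorted({e["source"] for e in evs})
        if len(sources) > 1 and span <= window_seconds:
            findings[ip] = {
                "sources": sources,
                "categories": sorted({e["category"] for e in evs}),
                "span_seconds": span,
            }
    return findings


if __name__ == "__main__":
    events = normalize_all([("firewall", FIREWALL_LOG), ("cloud", CLOUD_AUDIT)])
    print(json.dumps(correlate_by_src_ip(events), indent=2))
```

Run stand-alone, the script reports the constructed IP as seen by both the firewall and the cloud audit trail 43 seconds apart. The point of the design is that the correlation step never looks at product-specific fields: once each source has been mapped onto COMMON_FIELDS, a new sensor joins the picture by adding one normalizer, and the analytic on top is unchanged.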