Driving Forces for Security Automation
Author: Donnie Wendt
September 2019
Today’s cyber defenders find themselves at a disadvantage despite technological advances in cyber defense. Among the chief causes of this disadvantage is the asymmetry in a cyber conflict that favors the attacker [1,2,3]. The increasing sophistication of the attacks increases the defenders’ disadvantage. Finally, organizations face a growing shortage of cybersecurity professionals to meet the increasing demand [4,5].
Asymmetry and the Attacker's Advantage
Cyber attackers have the advantage because the attackers only need to exploit a single vulnerability whereas the defender has the much costlier task of mitigating all vulnerabilities [1,2,3]. Attackers can choose the time and place of the attack which further disadvantages the defenders [6]. The ease with which an attacker can acquire and use an exploit coupled with the low likelihood of detection favors the attackers [7]. Once inside a network, individual actors in the cyber domain can have an asymmetric advantage and possess highly dangerous capabilities [8].
The typical use of homogenous platforms for information systems by many organizations can significantly increase risk. The use of similar operating systems, hardware, and applications increases the reward for attackers who can develop exploits that target the vulnerabilities in dominate systems [6]. This static nature of systems and defenses contributes to the imbalance that favors the attackers. An attack that exploits a vulnerability in a popular software application can infect millions of machines [2]. Attackers can install and analyze local copies of available cyber-defense applications and tools to discover the weaknesses and how to avoid detection.
Due to adaptive threats and rapidly changing technology, organizations make decisions about cybersecurity investments with imperfect and incomplete knowledge. Instinct, experience, and informed judgment are necessary for the prevention of, detection of, and response to cyber threats [9]. However, companies often must navigate lengthy, bureaucratic processes to implement new security technology [3]. Attackers can implement, analyze, and use new technology immediately.
Well-known, static defenses are increasingly vulnerable to threats from well-resourced attackers engaged in targeted attacks [10]. The predominately static nature of cyber defenses often requires time-consuming processes to reconfigure if they can be reconfigured at all [11]. The time required to reconfigure security devices in response to an attack allows the attacker time to locate and exploit vulnerabilities. The study of adaptive cyber defenses seeks to address this asymmetric advantage enjoyed by the attacker.
The Increasing Sophistication of Attacks
A defender must first detect an attack before a response is possible. The increasing sophistication of attacks makes the identification of both successful and unsuccessful attacks more difficult. The detection of the attack should occur as early in the cyber-attack lifecycle, or cyber kill chain, as possible to minimize the ramifications of the attack [12]. Many of the sophisticated attacks, once inside a compromised network, seek to remain persistent. Such attacks are referred to as advanced persistent threats (APT). With an APT, the initial attack attempts to establish persistence from which to operate and call out to a command-and-control system [13]. The attacker can establish this persistence because organizations are often not aware of what software the organization has installed and running on each device. Even a device such as a printer can serve as the initial beachhead from which an APT can operate.
The financial industry is a leading target of APT threat actors who intend to steal high-value data [3]. Attackers who invest in an APT are highly motivated and will devote significant time to compromise a target to achieve a specific goal. Advanced persistent threat actors will map out multiple paths to reach the target and pivot their attack as necessary to reach the end goal [13]. With the expanding complexity of systems, organizations present an increasingly large attack surface. The greater the perimeter, or attack surface, the more opportunities for the attacker to penetrate the perimeter and establish a persistence within the environment [13]. Current signature and anomaly-based detection tools have not been fully successful in detecting APTs. Detection of APTs by either signature or anomaly detection methods is challenging because attackers craft APTs for a specific target and often use unique attack vectors [14].
In addition to the increased sophistication of attacks, the tools and techniques used by attackers are more advanced. The increased use of automation on the attacking side, including management platforms and autonomous botnets and viruses, increases the difficulty for traditional defenses to detect and mitigate the attacks [15]. These technological advances allow attackers to not only develop more advanced attacks, but also to decrease cost, time, and risks associated with launching an attack.
Need for Security at Cyber Speed
Current human-centered cyber defense practices cannot keep pace with the speed and pace of the threats targeting organizations [16]. Further, the speed of attack versus speed of response gap is getting worse [17]. Defenders need to drastically increase the speed of both detection of and response to cyber-attacks. Organizations must automate many risk-based decisions to facilitate this increase in detection and response speed [17]. The human involvement must become more oversight and less direct involvement in the detection and response. The role of humans must shift from being predominately in-the-loop to being on-the-loop. With this shift, humans will review and validate conclusions based on machine-learning and artificial intelligence [18]. Increasing the speed and efficiency of detection and response also requires rapid exchange of threat and incident detail among the automated defense systems. Such rapid exchange will require interoperability between systems at the technical, semantic, and policy levels [17].
Continuing Data Breaches
The number of recent cyber-attacks and the media attention given to those attacks gives the impression that such attacks are increasing in frequency, becoming more organized, and are more damaging [19]. Many advanced and well-orchestrated cyber-attacks have targeted industry, military, and government infrastructures with the main goal being the exfiltration of data [14]. An example data breach involving a US company resulted in the theft of 40 million credit card numbers and associated personal information [20]. The direct costs associated with the damages and recovery from the breach totaled $61 million. The breached company also experienced a 46% drop in profit in one quarter.
Studies related to the costs of data breaches often look to quantify the direct costs of data breaches. If one considers the indirect costs, such as decreased profits and sales reductions, the actual costs of a data breach are likely much higher [20]. The average cost of a data breach continues to rise due to the increased frequency of cyber-attacks, increased remediation costs, and increased detection costs [21]. Large-scale breaches of data within the financial industry involving APTs are likely to continue. Cyber-attacks will remain a significant problem for financial institutions due largely to the complexity of the Internet and connected systems [22].
The Scarcity of Cybersecurity Professionals
Perhaps the chief driver of security automation derives from the shortage of cybersecurity professionals to deal with the increasing threats. The shortage of people with the requisite cybersecurity knowledge, skills, and abilities threatens to undermine the security of the systems upon which the financial industry relies and erode consumer confidence and trust in the financial institutions [23,24]. In a survey of security leaders by the Center for Strategic and International Studies (CSIS), 71 percent of the respondents stated that the cybersecurity skills shortage causes direct, measurable damage [25]. The same survey found that 25 percent of the respondents claim to have lost proprietary data through a cyber attack due to the cybersecurity skills gap.
Many sources report on the cybersecurity skills gap. The National Initiative of Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology (NIST), found that there were 350,000 cybersecurity job openings in 2017 in the United States alone [5]. The shortage of cybersecurity professionals shows no signs of improvement in the near term. A 2015 study by International Information Systems Security Certification Consortium, better known as (ISC)², predicted a shortfall of 1.5 million cybersecurity professionals by 2019 [4]. Additional studies have ranged from a predicted current shortfall of one million cybersecurity professionals [26] to a shortfall approaching 3.5 million by 2021 [5]. The cybersecurity profession is not keeping up with the increased demand [24].
The increasing sophistication of cyber-attacks capable of avoiding detection and the increasing frequency of cyber-attacks are reasons for the continued increase in demands for cybersecurity professionals. Another critical reason for the cybersecurity demand is the ever-increasing information technology (IT) footprint [4]. The expansion into mobile devices and cloud environments in conjunction with an increasing array of security technologies are major drivers for the IT expansion. The need to secure an expanding perimeter with more security tools spreads already scarce cybersecurity resources even thinner.
A sign of the increasing scarcity of security professionals is increasing salaries [4]. The shortage of cybersecurity talent has led to increased compensation for cybersecurity professionals. Within surveyed countries, the median salary for cybersecurity jobs is at least 2.7 times the average wage [25]. In the US, cybersecurity jobs pay an average of nine percent more than other IT jobs.
Rising employee churn can also signal an increasing shortage of security professionals. The cyber workforce may be facing a burnout factor resulting in employment churn [4], and security operations centers (SOCs) are perhaps the hardest hit by burnout and employment churn [27]. Security analysts working in SOCs have unique skills and must operate in high-pressure situations to quickly analyze security events, decide on the response, and act to protect the company. Security analysts in the financial services industry face constant cyberattacks putting them under constant pressure to perform.
The cybersecurity skills gap likely cannot be addressed simply by adding more cybersecurity professionals. In addition to an increase in security professionals, the cybersecurity skills gap requires proactive threat hunting facilitated by advanced analytics, real-time threat awareness provided by comprehensive intelligence, and security architectures that are integrated. Though people with untapped cybersecurity potential do exist, the number of people capable of performing in a cybersecurity position effectively over time is likely limited [23]. Even if all viable candidates entered cybersecurity there might still be a significant shortage unless the demand for cybersecurity professionals can be contained. Technological advances in security and the use of automation can help address the demand side of the equation.
References
[1] Carter, K. M., Okhravi, H., & Riordan, J. (2014). Quantitative analysis of active cyber defenses based on temporal platform diversity. OALib Journal. Retrieved from http://arxiv.org/abs/1401.8255v1
[2] Okhravi, H., Streilein, W. W., & Bauer, K. S. (2016). Moving target techniques: Leveraging uncertainty for cyber defense. Lincoln Laboratory Journal, 22(1), 100-109. Retrieved from https://pdfs.semanticscholar.org/15ea/51017d7395fd9cddd626704d1fc82fc42e3e.pdf
[3] Tounsi, W., & Rais, H. (2018). A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security, 72, 212-233. doi:10.1016/j.cose.2017.09.001
[4] Suby, M., & Dickson, F. (2015). The 2015 (ISC)2 Global Information Security Workforce Study. Mountain View, CA: Frost & Sullivan. Retrieved from https://www.boozallen.com/content/dam/boozallen/documents/Viewpoints/2015/04/frostsullivan-ISC2-global-information-security-workforce-2015.pdf
[5] Morgan, S. (2017). Cybersecurity Jobs Report: 2017 Edition. Herjavec Group. Retrieved from https://www.herjavecgroup.com/wp-content/uploads/2017/06/HG-and-CV-The-Cybersecurity-Jobs-Report-2017.pdf
[6] Winterrose, M. L., Carter, K. M., Wagner, N., & Streilien, W. W. (2014). Adaptive attacker strategy development against moving target cyber defenses. ModSim World (pp. 1-11). Hampton, VA: ModSim World.
[7] Zheng, D. E., & Lewis, J. A. (2015). Cyber Threat Information Sharing: Recommendations for Congress and the Administration. Washington, DC: Center for Strategic & International Studies. Retrieved from https://www.csis.org/analysis/cyber-threat-information-sharing
[8] Rivera, J., & Hare, F. (2014). The deployment of attribution agnostic cyberdefense constructs and internally based cyberthreat countermeasures. 6th International Conference on Cyber Conflict (pp. 99-116). Tallinn, Estonia: NATO CCD COE Publications. doi:10.1109/CYCON.2014.6916398
[9] Garvey, P. R., & Patel, S. H. (2014). Analytical frameworks to assess the effectiveness and economic-returns of cybersecurity investments. IEEE Military Communications Conference (pp. 136-145). Baltimore, MD: IEEE. doi:10.1109/MILCOM.2014.29
[10] Soule, N., Simidchieva, B., Yaman, F., Loyall, J., Atighetchi, M., Carvalho, M., . . . Myers, D. F. (2015). Quantifying & Minimizing attack surfaces containing moving target defenses. Resilience Week. Philadelphia, PA: IEEE. doi:10.1109/RWEEK.2015.7287449
[11] Zhu, M., Hu, Z., & Liu, P. (2014). Reinforcement learning algorithms for adaptive cyber defense against Heartbleed. Moving Target Defense (pp. 51-58). Scottsdale, AZ: ACM. doi:10.1145/2663474.2663481
[12] Fonash, P. M. (2012). Identifying cyber ecosystem security capabilities. CrossTalk(September/October), 15-22. Retrieved from https://secwww.jhuapl.edu/IACD/Resources/Reference_Materials/Resilient_Cyber_Ecosystem_Capabilities.pdf
[13] Byrne, D. J. (2015). Cyber-attack methods, why they work on us, and what to do. AIAA SPACE 2015 Conference and Exposition (pp. 1-10). Pasadena, CA: American Institute of Aeronautics and Astronautics. doi:doi.org/10.2514/6.2015-4576
[14] Virvilis, N., Serrano, O. S., & Vanautgaerden, B. (2014). Changing the game: The art of deceiving sophisticated attackers. 6th International Conference on Cyber Conflict (pp. 87-97). Tallinn, Estonia: NATO CCD COE Publications. doi:10.1109/CYCON.2014.6916397
[15] Atighetchi, M., Benyo, B., Eskridge, T. c., & Last, D. (2016). A decision engine for configuration of proactive defenses: Challenges and concepts. Resilience Week (pp. 8-12). Chicago, IL: IEEE. doi:10.1109/RWEEK.2016.7573299
[16] Johns Hopkins Applied Physics Laboratory. (2016). Integrated Adaptive Cyber Defense (IACD) Baseline Reference Architecture. Laurel, MD: Johns Hopkins Applied Physics Laboratory. Retrieved from https://secwww.jhuapl.edu/IACD/Resources/Architecture/IACD Baseline Reference Architecture - Final 0PR.pdf
[17] Fonash, P., & Schneck, P. (2015, January). Cybersecurity: From months to milliseconds. Computer, 42-50. doi:10.1109/MC.2015.11
[18] Willett, K. D. (2015). Integrated adaptive cyberspace defense: Secure orchestration. International Command and Control Research Technology Symposium. Annapolis, MD. Retrieved from https://pdfs.semanticscholar.org/a228/81b8a046e7eab11acf647d530c2a3b03b762.pdf
[19] Cavelty, M. D. (2014). Breaking the cyber-security dilemma: Aligning security needs and removing vulnerabilities. Science and Engineering Ethics, 20(3), 701-715. doi:10.1007/s11948-014-9551-y
[20] Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36, 215-225. doi:10.1016/j.ijinfomgt.2015.11.009
[21] Joyce, A. L., Evans, N., Tanzman, E. A., & Israeli, D. (2016). International cyber incident repository system: Information sharing on a global scale. International Conference on Cyber Conflict (pp. 63-68). Washington, DC: IEEE. doi:10.1109/CYCONUS.2016.7836618
[22] Zheng, R., Lu, W., & Xu, S. (2015). Active cyber defense dynamics exhibiting rich phenomena. HotSoS. Urbana, IL: ACM. doi:10.1145/2746194.2746196
[23] Cobb, S. (2016). Mind this gap: Criminal hacking and the global cybersecurity skills shortage, a critical analysis. Virus Bulletin Conference (pp. 1-8). Denver, CO: Virus Bulletin. Retrieved from https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cobb.pdf
[24] ISACA. (2017). State of cyber security 2017: Current trends in workforce development. Schaumburg, Illinois: ISACA. Retrieved from https://cybersecurity.isaca.org/state-of-cybersecurity
[25] Center for Strategic and International Studies. (2016). Hacking the skills shortage: A Study of the international shortage in cybersecurity skills. Santa Clara, CA: Intel Security. Retrieved from https://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf
[26] Cisco. (2015). Mitigating the cybersecurity skills shortage: Top insights and actions from Cisco Security Advisory Services. Cisco. Retrieved from https://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf
[27] Hull, J. L. (2017). Analyst burnout in the cyber security operation center - CSOC: A phenomenological study (Doctoral dissertation). Retrieved from Proquest Dissertations and Theses database. (UMI No. 10282755)