The State of the Operational Ecosystem
Authors: Philip Reitinger and Tony Sager
September 2019
To paraphrase our friend and colleague Rich Struse, Chief Strategist for Cyber Threat Intelligence at MITRE, on most days cyberdefense feels like “our people are chasing their robots”[1].
In cyberspace, the bad guys have the upper hand: speed, anonymity, and leverage – essentially unbounded by space and time. They are also part of an integrated and automated criminal ecosystem featuring high return with low risk, easy access to attack toolsets, rental of infrastructure, global information sharing, and specialization (e.g., “money mules”, reconnaissance data). The incremental cost to extend attacks is often minimal, while the likelihood of being caught is negligible. They disrupt our operations, steal our intellectual property, force us to spend vast amounts of money and manpower, and raise our uncertainty via a fog of botnets, criminality, and subverted Web sites.
Meanwhile the vast majority of our defenders are in effect pinned down by relatively mundane problems: poorly engineered software, missing patches, unenforceable policies, poor configuration choices, and inconsistent and sometimes conflicting security controls. They are asked to support ever-increasing demands for the business use of technology, and connection to partners with unknown security properties, at a pace that doesn’t allow for thoughtful and secure integration. Technological developments like the Internet of Things increase the difficulty by orders of magnitude.
And yet there ought to be some “home court advantage” for defenders: control of their own IT; most attacks fall into a relatively small number of classes, taking advantage of a relatively small number of unique vulnerabilities over and over again; and fortunately (but sadly) there’s enough experience in dealing with attacks to develop playbooks or reusable procedures. Moreover, with (still) more good devices than bad across the Internet and subsidiary networks, defenders have a powerful platform for observation of network and device behavior and distributed, automated response to malicious activity.
There seem to be two clear requirements. The first is widespread reduction of vulnerability, what we might call “secure by near default.” Systems and software should be delivered and maintained in a secure state, and if the end user must take action, the effort required should be as close to zero as possible. Second, relying on our knowledge of common attacker tactics, techniques and procedures, and the availability of a broad sensing platform, networks should be able to defend themselves from the vast majority of threats, using automated collective defense.
All of this speaks to a need for much greater use of automation and standardization. And not just technology, but technology that is built directly into the architecture, made a natural part of acquisition, linked to policies, supported by training and operational processes, and adaptable to new information. We need all of this at a reasonable cost, built into commercial off-the-shelf products, and based on open industry standards.
For many of us, the roots of security automation go back to data, especially CVE and all the work that flowed from there into SCAP and related projects[2]. Abstractly, this meant standing back from the overwhelming cyber “Fog of More”[3], and looking across the broad community of cyberdefenders to see the problems that every defender had to solve on their own. For example, in Tony Sager’s part of the Defense Department, he watched DoD spend huge amounts of money and time just to collect, store, move, and reformat data from numerous sensors and other sources. By naming, numbering, and describing relevant things in open, machine-usable ways, we could start to build an environment of shared data, labor, and ideas. As the data that drives cyberdefense becomes more shareable and “frictionless”, we can turn our attention to use of that data – building in prevention, response, playbooks, and training.
At its heart, cyberdefense is a decision-making, risk-managing machine, fueled by information. We need to move from managing information technology to managing information. To gain the defensive advantage, machines and people must be able to rapidly collect, correlate, and use information of many types and from many sources (e.g., IT components, network devices, specialty security tools, threat data) in order to assess the current risks to our operations and take both automated and particularized action for prevention and response. These are all crucial defensive actions that need to be seen as part of a holistic cyberdefense machine that manages space and time to defensive advantage.
What’s really clear – none of can solve this problem alone. Beyond the public-private bumper stickers, we need a community to emerge that includes security practitioners, researchers, buyers, operators, educators, IT and security vendors, and policymakers.
