The following is a paper written in November 2020 by Michael Conlin, Chief Business Analytic Officer, Department of Defense and Chip Block, Chief Solutions Architect of Evolver
We are currently living within a network-driven cybersecurity model. This model was designed to secure communications at levels that protect the underlying data, by hardening the perimeter and looking for intruders. The model originated in a simpler time. Most of the enterprise’s data and applications were isolated behind a perimeter. The perimeter could be identified and defended. Few users, and even fewer applications ‘poked their noses’ above the enterprise firewalls. Intruders were relatively easy to spot and interdict.
Today, however, connected systems are exploding and there is no network perimeter. IoT devices, cloud computing and other advances have created a continuously changing computing environment. Mobile users and teleworking from home are now the default, with many employees performing enterprise work on personal devices. Internet and social media sites are generating large volumes of data on consumers and citizens from outside the perimeter. Open data is now widely available and consumed. The edge of the enterprise has become so porous there isn’t a perimeter to speak of anymore.
There are two types of CISOs:
1. CISOs who have been hacked and know it;
2. CISOs who have been hacked but don’t know it.
Looking for intruders has become equally problematic. Cyber professionals feel compelled to constantly collect and share log data on a near real time basis. The common method is to collect log data from devices, applications, users, etc. and to aggregate massive files into an analysis system such as Splunk. From this aggregation, analytic methods are applied to detect anomalous behavior, which is an indicator of a threat. In other words, our current approach to protecting our data is to create a massive amount of additional data that must also be managed and protected. In pursuing this model, we are moving large amounts of data from sensors to analysis systems to data aggregation locations to other analysis tools, all for the sake of finding the anomalous activity that indicates a threat. The cost in compute, storage and bandwidth is enormous. The sheer volume of data degrades the signal-to-noise ratio to the point that the signal – traces of the intruder – is washed out. Additionally, the result is a fragile architecture that can be defeated with fairly simple disruptions to elements within the environment.
1 B → 1 KB → 1 MB
Every 1 byte of data payload (written to storage or read from storage) generates 1 KB of traffic on the data center LAN and 1 MB of traffic on the WAN.
Originally, the number of attack patterns used by attackers was limited. Today, attackers have developed a wide range of attack vectors, utilizing everything from script-kiddie toolkits to sophisticated Machine Learning algorithms. These innovations don’t just make their actions difficult to detect; in many cases the actions are undetectable within common log files. Further, almost all attack vectors now include the deletion or modification of logs by the attackers.
There are many efforts underway to make the current model perform better. They include improving log collection tools such as Splunk to store data better, or building better dashboards with Elasticsearch to analyze the large amounts of data. Artificial Intelligence and Machine Learning projects are focused on detecting anomalous behavior using the large data sets. Though there have been incremental gains, these efforts have not delivered a significant improvement in performance. The old cybersecurity model doesn’t work anymore; we need a new one.
Here’s what the new cybersecurity model looks like
Wait, first tell me why I should care!
I know what you’re thinking. You’re thinking, “First I want to know why this new model is worth considering.” So let’s explore the sources of value:
- Increased protection of highest value mission assets
- Improved efficiency in detecting and responding to cyber attacks
- Reduction of system costs and bandwidth needed to support cybersecurity operations
- Adaptive cybersecurity that can adjust security based on mission needs and status
What needs to change is a move away from a network-based cybersecurity approach to a data aware cybersecurity methodology. A data aware cybersecurity approach makes data protection an inherent element of data creation and management itself, rather than something based on the network infrastructure. Value is gained by increasing security while reducing the mission and financial cost of sharing large amounts of data that contain minuscule amounts of relevant information. Additionally, the result is a more resilient, less fragile architecture than what is currently being fielded.
OK, I’m interested. How does it work?
In order to dramatically improve cybersecurity performance, we need a new cybersecurity model. Here are some elements of that new model:
- Build cybersecurity protection capabilities directly into the data. In other words, data becomes self-aware: it can only travel approved paths, can only be viewed by approved users, and destroys itself after viewing based on currency and retention needs.
- Combine data containerization, based on mission, with micro encryption at the data level in order to enable tighter control at the data source.
- Apply a zero-trust attitude based on the reality that no network, no data center, no compute core or chip is assumed to be a safe place.
- Automate all controls and configuration. Use fit-for-purpose tools, scripts and digital recipes to manage 99966% of all management activity on IT resources (compute, storage, networking) regardless of whether they are hardware, software or services. Make it a firing offense for someone to access an engineering console without permission; then don’t grant permission.
- Move anomaly detection capabilities closer to the data source and make them as independent from the network as possible. Filter and discard as much log data as possible based on the rule that the value of the data is inversely proportional to its predictability. Use local detection capabilities to check log entries against authorized controls and drop all the entries that are benign. Only exchange anomalies and differential log data between systems.
- Use Artificial Intelligence to:
  - characterize, tag, store and deprecate data elements and sources;
  - visualize data usage and paths in near real time;
  - develop common data models;
  - analyze usage patterns;
  - detect constantly changing attack patterns.
- Implement evergreen management of all compute, storage and network devices, such that they routinely perform a complete software rebuild from the firmware up. Attack patterns are constantly changing, so the data aware environment must be designed to likewise constantly change. It’s harder to hit a moving target.
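The local filtering step described in the list above (check log entries against authorized controls, drop the benign ones, forward only anomalies and differential log data), as an added Python example that is not from the paper. The syslog lines, the host name `edge1` and the authorized-control patterns are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines from one edge host (not from the paper).
SAMPLE_LOGS = [
    "Nov 12 03:00:01 edge1 cron[4121]: (root) CMD (/usr/local/bin/rotate-logs)",
    "Nov 12 03:00:02 edge1 systemd[1]: Started Daily backup service.",
    "Nov 12 03:00:05 edge1 sshd[4130]: Accepted publickey for svc-backup from 10.0.4.7 port 51012 ssh2",
    "Nov 12 03:15:01 edge1 cron[4188]: (root) CMD (/usr/local/bin/rotate-logs)",
    "Nov 12 03:17:30 edge1 sshd[4195]: Failed password for invalid user admin from 198.51.100.23 port 40010 ssh2",
    "Nov 12 03:17:35 edge1 sshd[4197]: Failed password for invalid user admin from 198.51.100.23 port 40015 ssh2",
    "Nov 12 03:17:44 edge1 sshd[4201]: Accepted password for root from 198.51.100.23 port 40022 ssh2",
    "Nov 12 03:17:50 edge1 sudo[4210]: root : TTY=pts/0 ; COMMAND=/bin/rm -f /var/log/auth.log",
    "Nov 12 03:30:01 edge1 cron[4250]: (root) CMD (/usr/local/bin/rotate-logs)",
    "Nov 12 03:30:02 edge1 sshd[4260]: Accepted publickey for deploy from 10.0.4.9 port 51100 ssh2",
]

# Authorized controls: the events local policy says this host is expected to produce (constructed).
AUTHORIZED = [
    re.compile(r"cron\[\d+\]: \(root\) CMD \(/usr/local/bin/rotate-logs\)"),
    re.compile(r"systemd\[1\]: Started .*\.$"),
    re.compile(r"sshd\[\d+\]: Accepted publickey for (svc-backup|deploy) from 10\.0\.\d+\.\d+ "),
]

def template(line):
    """Collapse variable fields (timestamp, host, pid, ports) so repeats of one event share a key."""
    body = line.split(" ", 4)[4] if line.count(" ") >= 4 else line
    return re.sub(r"\d+", "N", body)

def filter_logs(lines, authorized=AUTHORIZED):
    """Local triage needing no network: drop entries matching authorized controls, forward an
    unexpected event template the first time it appears (the differential), and keep only a
    count for later repeats, since a repeated event is predictable and therefore worth less."""
    forwarded, seen, dropped = [], Counter(), 0
    for line in lines:
        if any(p.search(line) for p in authorized):
            dropped += 1
            continue
        key = template(line)
        seen[key] += 1
        if seen[key] == 1:
            forwarded.append(line)
    suppressed = {k: n - 1 for k, n in seen.items() if n > 1}
    return forwarded, dropped, suppressed

if __name__ == "__main__":
    fwd, dropped, sup = filter_logs(SAMPLE_LOGS)
    print(f"forwarded {len(fwd)}/{len(SAMPLE_LOGS)} lines; dropped {dropped} benign; suppressed {sum(sup.values())} repeats")
```

Of the ten constructed lines only three leave the host (the brute-force template, the root password login and the log deletion); the authorized housekeeping events are dropped locally and the repeated failure is reported as a count rather than re-sent.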
There is ongoing research and some commercial product offerings in each of these areas. What has not been applied is an overall data aware approach and strategy for how each of these areas can be combined for security purposes. Achieving a full data aware environment is a major undertaking and can take years. A number of changes to the baseline, however, can be achieved incrementally and result in major improvements along the path towards a data aware environment.
Sounds great, but what’s it going to cost me?
Let’s start with your baseline costs (Table 1). The natural tendency in measuring baseline spend is to look at current operations from a financial perspective only. The baseline cost of the current operational structure is better measured along three dimensions: a) mission impact; b) effort, energy and attention; and c) financial spend.
The mission impact includes:
- Time to detect a cyber attack is currently slowed by the requirement to share massive log files, compute anomalies, communicate findings and respond
- Other mission areas are impacted by the large amounts of bandwidth and computing used for anomaly and pattern recognition
The effort, energy and attention category is all about people:
- Highly skilled data engineers to curate, standardize and integrate very large, inconsistent and often dirty data sets
- Scarce, expensive cybersecurity professionals to review and analyze results for patterns
- Time and energy of senior executives all across the organization, consumed when breaches and compromises occur
The financial baseline spend includes:
- Large, highly expensive log generation, collection and analysis tools
- Network costs for the transfer of the large data sets
- Storage and compute costs for the large datasets
- Uniform spend across the network: the same investment protects critical mission data and the seating chart for upcoming social events
Though there are major savings from a financial perspective in moving to a data aware cyber strategy, the greatest savings are in mission accomplishment and performance. A key element of this is spending the most on the highest value assets, within a scalable cybersecurity model.
How can I be confident this is a real opportunity for improvement?
One of the most significant disruptions in digital modernization is the value shift to Software-Defined Everything (SDx). It ranges from software-defined businesses (Uber, Airbnb) to software-defined networks to software-defined data centers to software-defined infrastructure, and so on. This shift has significantly accelerated the clockspeed – the ability to anticipate and adapt to change – of all commercial IT offerings, capabilities and functions.
Meanwhile, software is increasingly componentized into smaller and smaller slices of functionality, a dynamic known as micro-segmentation. Micro-segmentation refers to the increasingly granular control of IT assets – application functionality, data, compute capacity, storage capacity, network capacity – as well as of workload visibility, management, and security controls. The result is an increasing degree of self-awareness (and mutual awareness) in each of these kinds of IT assets. This self-awareness is now seen in all classes of IT assets.
“SDx” is any physical item or function that can be automated or performed by software. SDx includes networking, compute, storage, security, data center, perimeter, WAN, management fabrics, sensors, and so on.
Clockspeed is the ability to anticipate and adapt to change.