Could real-time eForensics be the Answer to Cybersecurity and Analytics?

by Larry Karisny
June Edition

eForensics may be more than a good name for a magazine. Understanding what digital forensics does in real time may be the holy grail of cybersecurity. The information technology security industry explains cybersecurity in terms of complex algorithms or virus detection systems that only a scientist or software developer can understand. In reality, cybersecurity is simply the authenticated use of validated causal actions taking place in a predetermined process that is used to accomplish specific results.

Cybersecurity is achieved when these actions and processes are authenticated, viewed, analyzed, audited, activated or blocked in real time, during data in motion. If we can do this we will be secure. We are not doing this today. With the ever increasing demand for security in an ever more digitally intelligent world, it may be time for a paradigm shift if we are to reach true cybersecurity. It may be time for real-time eForensics.

The scene of the crime
Most of us are familiar with forensics in the evaluation of a crime scene. A criminal incident has occurred and a team of forensic analysts comes in to gather information that might lead to solving the crime. eForensics today is no different. A hack has occurred and a team of specialists sifts through mounds of data, software, hardware, processes and people to determine how the system's processes have been breached. The commonality of both these forensic approaches is that they are both reviewing historical information and using tools and techniques that can analyze these historical incidents. These historical forensic approaches can in time possibly solve the crime or the cyber breach, but neither approach can stop the crime or the hacker in advance.

The current cybersecurity methodologies using passive process monitoring are proving to be the wrong place and the wrong time for attempts to achieve system cybersecurity and intelligence analysis. To accomplish information technology security and intelligence we need to focus on technologies that stop and analyze information technology processes in real time, during data in motion. This is where a technology paradigm shift needs to occur in the cybersecurity industry, and real-time eForensics can accomplish this. Can our current cybersecurity and analytic technologies keep up?

Increasing varieties of connected devices are being added daily to our already complex intelligent world. Unfortunately these intelligent technologies are being released by the millions at the cost of increasing cybersecurity threats, while using complicated digital intelligence analysis techniques that are neither effective nor able to keep up with the amount of data these devices and software produce. Cybersecurity experts are beginning to realize that current passive process monitoring, using historical data aggregation and database analytics techniques, is no longer an efficient or effective methodology for cybersecurity and system intelligence.

Current approaches fail due to the inability to secure or properly analyze the many real-time messaging application actuations that occur in our increasingly complex digital intelligent system processes. The current historical, passive security and analytical technologies only tell what might have happened after the causal action has occurred, not what did happen. Monitoring active causal actions in the process tells what is actually happening in real time during networked data in motion, which is where new security and process analytics need to occur.

As we increasingly connect and interconnect our digital intelligence in the forms of software, hardware, apps and now the Internet of Things (IoT), these causal actions multiply, making the process more complex and difficult to track. While these interconnected technologies continue to be leveraged in digital intelligence, we are losing control of the where and when of the causal actions that are actually occurring in the system processes. This is the point where causal actions and processes need to be secured and analyzed. We are not doing this today.

Losing control of digital intelligence and cybersecurity
We have reached a point in intelligent operation complexity where even trained operators are not sure what actions the digital control system's actuators are actually initiating in the process. We are losing control of human-to-machine and machine-to-machine system processes while we increasingly interconnect software, cloud and IoT application messages that in many cases are not secured, audited or even seen in the system process.

Causal messages are constantly being sent in real time during data in motion in these complex system processes, and they can be exploited to manipulate the process results. Hackers know this and are successfully targeting and exploiting these weaknesses, affecting every individual and every industry that uses digital intelligence in their information technology processes. Hackers have already attacked cars, homes, business process systems, factory control systems and critical infrastructure control systems by manipulating the causal messaging actions within these system processes.

The danger of algorithms and analytics in cybersecurity
For years we have had a false sense of security that was built around mathematical algorithms. This is what encryption and Intrusion Detection System (IDS) security have been based on for years. Recent disclosure of the NSA’s involvement in the control and release of these encryption algorithms, and its direct relationship with RSA, has caused a considerable loss of trust in the cybersecurity industry. This, combined with discovered weaknesses that could not be disclosed, caused a boycott of the last RSA Conference by major encryption scientists. The encryption games are over, and for many the use of encryption in security is no longer technically effective and certainly not trusted.

Intrusion Detection System (IDS) security technologies are no better off, now admitting they can’t stop distributed denial of service (DDoS) attacks, while sophisticated and aggressive cyber weapons like Snake and Stuxnet are now part of the arsenal of cyber war weapons with critical infrastructure as their main target. Analytic approaches are also showing their weakness when used for process action discovery. They have difficulty even understanding what all the big data means and could fall victim to subjective analyst methodologies for explaining what the historical data means. Clearly, if we are to secure and understand all these new intelligent actions in our control processes, we need new methods and even a new place for confirming that these complex and layered control system actions are actually correct.

Adding security while adding intelligence
Intelligent control systems are faced with the two-edged sword of needing digital intelligence and securing that intelligence. They need the digital intelligence to assist in physical security and in monitoring complex process systems, while also having to make sure this digital intelligence can’t be accessed or exploited by hackers. In critical infrastructure applications, such as the process control of a power grid, there is no room for error or for "good enough" security. When you have machine-to-machine (M2M), IoT or cloud services sending actuating messages without human intervention, these system processes must be digitally authenticated, viewed, audited and blocked in real time, during data in motion, in order to be effectively secured and analyzed.

Having focused on critical infrastructure cybersecurity for years, my many industry colleagues and I have come to a similar conclusion. The cybersecurity and analytical methodologies used today are flawed and cannot achieve the stringent security requirements or handle the volume of analytical data needed to protect and understand our increasingly complex and interconnected control system operations. In fact both Intrusion Prevention System (IPS) security and Intrusion Detection System (IDS) security methodologies are increasingly showing prevention and detection failures.

Current analytical approaches cannot even scale to address the billions of applications and terabytes of big data that need to be evaluated in these increasingly complex processes. We must deploy security technologies that can secure and understand the millions of causal events, and interconnected causal events, that take place in the control system process on the network. This can be done by using an active business process monitoring process firewall on the network, at the data-input, data-in-motion point of digital intelligence transfer. This is where the beginning of a new paradigm shift is occurring and where real-time eForensics can be achieved.

The paradigm shift of Intelligent Cybersecurity
A recent MIT paper addressing both physical and digital security found that the current cybersecurity solutions focusing on securing data and networks are 50-year-old technologies that were really made for electro-mechanical processes, not digital processes. Rather than focusing on securing networks and data, the study suggested that security must target the causal action, which is the true point of system security. The new approaches detect anomalies, meaning actions not intended in the causal action and system process. The difference between these approaches is determining at what point in the data in motion the causal action is identified and secured, and how it is analyzed.

A layer 7 firewall is an active monitoring system on the network that secures the device against rogue applications (for example, private smartphone information accessed by unauthorized apps). OSI layer numbers are commonly used to discuss networking topics; a troubleshooter may describe an issue caused by a user as a "layer 8" issue. While the industry jokingly refers to this as layer 8, in reality this human-to-system causal action event is where true authenticated application security must be achieved.

The layer 7 firewall can secure the application, but there needs to be an additional message intelligence layer if we are to secure live message applications that are continually active in the transfer of system intelligence. There are constant data-in-motion actuating messages that are continually creating real-time causal actions in a typical control system process. This is where things really get switched on or off, and where desired or undesired actions need to be authenticated, viewed, audited, activated and blocked. This message application intelligence firewall needs to be placed in the data-in-motion flow of the desired process, not at the end points of data transfer on the network. Securing data end points has been a mainstay of cybersecurity for years but can no longer secure the billions of actuations predicted in cloud and IoT systems.

The intelligent causal action fix
Security companies are beginning to understand the importance of anomaly detection and its relationship to the system process. They all, though, have the same problem of using historical security and analysis methodologies, detecting the anomaly at the data output level. They use algorithms to protect the data from input to output and then use analytics to determine the anomaly. The end point of these methodologies is the historical data output level, which does not allow the securing of digital intelligence or the analysis of the anomaly to take place at the real-time data-in-motion input level.

After many years of work and research, a patented anomaly detection approach from a company called Decision Zone has uniquely achieved the ability to authenticate, view, audit, activate and block terabytes of real-time digital intelligence in milliseconds at the data-in-motion input level. Today’s security systems use passive monitoring, collection and data aggregation methodologies on the network and analyze this information at the historical data output level. Decision Zone offers active application message monitoring on the network using graphical process rules and its patented causal inference engine. This new intelligent process layer firewall can protect the application infrastructure against any unauthorized causal action or system process.

This significant achievement by Decision Zone offers a paradigm shift in cybersecurity methodologies by uniquely addressing security and system intelligence at the real-time data-in-motion input level. It does not use historical data output or analytics to evaluate the anomaly, which currently allows hackers a window of system exploitation. It uses process logic mapping to validate the interactions of the multiple layers of causal action processes, which allows it to detect even human-to-machine and machine-to-machine causal action process errors.
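As an added illustration (not Decision Zone's code, rules or engine), the following Python sketch shows what input-level validation of causal actions looks like in contrast to output-level analytics: each message is authenticated and checked against a process model before it is activated, and an audit record is written either way. The process states, actions, pre-shared key and message stream are all constructed for the example.

```python
import hmac, hashlib, json

# Constructed process rule (a flattened process graph): allowed next action per state.
PROCESS_RULES = {
    "idle": {"arm"},
    "armed": {"open_valve", "disarm"},
    "flowing": {"close_valve"},
    "closed": {"disarm"},
}
# State the process instance enters after each accepted action.
NEXT_STATE = {"arm": "armed", "open_valve": "flowing",
              "close_valve": "closed", "disarm": "idle"}
SHARED_KEY = b"constructed-demo-key"  # assumed pre-shared key of the authorised sender

def sign(msg: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC tag over the canonical JSON form of a causal action message."""
    return hmac.new(key, json.dumps(msg, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ProcessFirewall:
    def __init__(self, rules, next_state):
        self.rules, self.next_state = rules, next_state
        self.state = {}   # current state per process instance
        self.audit = []   # every decision, blocked or activated, with its reason

    def inspect(self, msg: dict, tag: str) -> str:
        """Authenticate, validate against the process model, audit, then activate or block."""
        if not hmac.compare_digest(tag, sign(msg)):
            return self._log(msg, "block", "bad signature")
        pid, action = msg["process"], msg["action"]
        state = self.state.get(pid, "idle")
        if action not in self.rules.get(state, set()):
            return self._log(msg, "block", f"{action!r} not allowed in state {state!r}")
        self.state[pid] = self.next_state[action]
        return self._log(msg, "activate", f"{state} -> {self.state[pid]}")

    def _log(self, msg, decision, reason):
        self.audit.append({"seq": msg["seq"], "decision": decision, "reason": reason})
        return decision

def run_demo():
    """Feed a constructed message stream through the firewall; returns (decisions, audit)."""
    fw = ProcessFirewall(PROCESS_RULES, NEXT_STATE)
    msgs = [{"seq": 1, "process": "pump-7", "action": "arm"},
            {"seq": 2, "process": "pump-7", "action": "open_valve"},
            {"seq": 3, "process": "pump-7", "action": "open_valve"},  # repeated: out of process order
            {"seq": 4, "process": "pump-7", "action": "close_valve"}]
    decisions = [fw.inspect(m, sign(m)) for m in msgs]
    forged = {"seq": 5, "process": "pump-7", "action": "disarm"}   # valid action, unauthenticated sender
    decisions.append(fw.inspect(forged, sign(forged, b"wrong-key")))
    return decisions, fw.audit
```

The third message is a legitimate-looking action that is simply out of process order, and the fifth is a correctly ordered action from an unauthenticated sender; both are blocked before reaching the actuator rather than being found later in output data.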

If we are going to continue to remove human intervention from our control system processes while allowing layers of human-to-machine and machine-to-machine actions to occur in these systems, we must use a method to secure and analyze, in real time, the causal events and the intelligence processes in the system. Decision Zone offers a unique data-in-motion application message firewall that can authenticate, view, evaluate, audit, activate and block any causal action across any software, hardware, cloud or IoT platform. For a more thorough explanation of this capability see the presentation Layer 8 Process Firewall (L8PF) or go to the

Spending years in the networking world, I, like many of my colleagues, considered cybersecurity the protection of the end-to-end network and its data flow. This information transport has served us for many years but is now showing its weaknesses, as are the IPS and IDS security technologies that currently protect it. With everything today being about the cloud, the app and the IoT, we must apply new security methodologies to secure these growing and ever more interconnected intelligent system technologies.

Hackers are exploiting the causal actions of the process and are manipulating message application system actions to their benefit. We must move the firewall from protection of the output data transport systems to the real-time data-in-motion input level if we are to stop these cyber breach actions and achieve true cybersecurity and analytical system intelligence. The use of real-time eForensics in evaluating and securing causal events and system processes is critical to the understanding and security of digital intelligence today and in the future.
