When it comes to recent cybersecurity talks, the prevalent theme seemed to be, “We know we need to do something, but what?”
The recurring questions are: Where do we start, and how fast do we need to react to stop cyberattacks? What's become quite clear is that if we are to secure our digital world, we need to do it with technologies that run as fast as the networks and applications in which they operate — in milliseconds.
Repeated time and again in recent discussions is the need for proactive defensive measures in cybersecurity — and how quickly they must react to stop today's hacker. Even the language in the new cybersecurity bill seems to fall short of true cybersecurity protection, as it is based more on the sharing of information to assist in the detection and recovery from a cyberattack than on a proactive cybersecurity solution that would stop the attack.
And this leads to a few important questions: Is there a big disconnect between the public and the private sectors when it comes to what cybersecurity is supposed to achieve? If so, what is that disconnect, and how can we move forward?
THE SECTOR MISSIONS OF CYBERSECURITY ARE DIFFERENT
The way the public sector reacts to a cyberattack is much different from how the private sector reacts. When the public sector responds to an attack, officials immediately disclose the attack in order to obtain additional funds to fix it. In the private sector, however, officials don't want to disclose the attack because the company will take a stock hit — which would reduce revenue sources that could be used to fix the problem.
The public sector typically looks at problems after they've occurred and then tries to get funding to analyze the size of the problem and how to control it. The private sector tries to immediately address the problem, running it through a risk management process to evaluate how expensive it is and how much it will cost to fix.
Even private-sector technology providers' loyalties differ compared to their counterparts in the public sector. This was clear when 22 of the largest tech companies were firmly against the controversial Cybersecurity Information Sharing Act (CISA) due to their customers' privacy concerns. Knowing this, the passing of the recent cybersecurity bill by the U.S. Senate explains clearly why there is so much opposition between the two sectors: They haven't been on the same page from the start, because they serve different customers and operate their organizations very differently. We spend a lot of time and money in cybersecurity only to be left with technologies that potentially deter attacks or historically define when and how the attack occurred.
Keith Alexander, a retired U.S. Army general and founder and CEO of IronNet Cybersecurity, made two straightforward comments about cybersecurity in a keynote address at the University of South Florida Cybersecurity Center Annual Conference earlier this year: “Our current cybersecurity technologies don't work,” he said, and, “we need to focus on proactive defensive cybersecurity technologies.”
Although Alexander called CISA “a good start,” the bill is now reaching its fifth year trying to get approval. It will then take years of public/private breach information-sharing before cyberattack improvements would be realized. Many are saying that passing this cybersecurity bill has taken so long that the solutions it suggests for addressing cyberattacks are now obsolete.
In an article focusing on cybersecurity insurance, Scott L. Vernick, a partner at Fox Rothschild LLP in Philadelphia, called cyberlegislation a good first step, but “we shouldn't get carried away” about what it can and cannot accomplish given that cyberattackers “are changing what they're doing in milliseconds.”
The private sector's response to leading-edge cybersecurity technologies is not much better. Combine private-sector technology purchases with product lifecycle time frames, and it's nearly a guarantee that the "security" in cybersecurity will always be behind the curve. Both the public and private sectors are at fault here; they are more the reason for a lack of cybersecurity defensive technologies than part of the solution.
So where is the disconnect in truly understanding how to achieve superior cybersecurity solutions and rapidly offer leading-edge services that work?
When a large technology company or government research group evaluates a proof of concept for a fix to cyberattacks, that fix is immediately met with resistance, even if the technology works. From the government side, the question is how that technology could work with technologies in already-funded programs — technologies that may be inferior, or even obsolete. These technologies are funded by big research grant monies that take so much time to get approved that the money and studies continue flowing even if the technology is going in the wrong direction.
Those in the corporate world may be caught between having a superior technology but needing to recoup investment of an inferior technology before that superior tech can be allowed in. And because years pass between these decisions being made, hackers have plenty of time to change their game plans. As these delays continue, hackers have time to obtain information from government entities, standards groups and corporate product releases that disclose what they're doing. So as big government and big business stifle new ideas in defense cybersecurity technologies, hackers can continually place themselves ahead of the obsolescence curve — always putting themselves in the position of cyberattack innovator.
Large organizations also have a need to centralize cybersecurity technologies for control and profit. This is the main reason for standards groups and open architectures that can put a thousand eyes on a particular cybersecurity architecture. There is value in these standards, but cybersecurity works at a very granular level — right down to the individual, the location and the processes of the digital technology used. Essentially, use of the same cybersecurity solution may greatly differ depending on who, where, what and why it is used.
Most cybersecurity technologies are focused on protection and prevention by analyzing historically logged data while adding access and encryption techniques for intrusion prevention. In reality, what's needed are technologies that audit in real time the uniquely targeted security policies and events of a particular process or ecosystem, events that often occur in milliseconds. This millisecond requirement has been echoed by both Arati Prabhakar, director of the Defense Advanced Research Projects Agency (DARPA), and an IEEE citation by the Department of Homeland Security's Peter Fonash and Phyllis Schneck in Cybersecurity: From Months to Milliseconds. This need is now being demanded as a proactive cybersecurity requirement echoed by many industry and government leaders.
As a cybersecurity advisor, I have proposed the need for this millisecond cyberdefense capability — and I've found working and patented technologies available and ready for use to address this requirement. These technologies were already lab tested and are well beyond proof of concept; they are ready for targeted deployment. What my associates and I struggle with, as do many innovative idea companies, is how to get this information out and technologies deployed within the established bureaucracies in both the public and private sectors.
If even working solutions can't find a rapid process of evaluation, hackers will always maintain the technological advantage. Do you think hackers submit proof of concept to bureaucratic oversight groups to see if their stuff works? Of course not. They just do it and see if it works; they aren't waiting for someone’s permission. And if we are to close the innovation window between needed cyberdefense technologies and advanced cyberattack technologies, we must find avenues of testing and deploying cyberdefense technologies in the same manner.
The process of evaluating hackers by determining how they hacked somebody is flawed. For starters, it takes too long to share the data without potentially disclosing personal information not related to the breach, as the scrubbing of non-pertinent private information could take months. By that time, the hacker has already morphed a new version of its cyberbreach exploit, which means those trying to protect against these attacks will just be playing catch-up.
We must focus on cybertechnologies that define the correct digital actions taking place and audit these events as they are used — which means tackling them in the millisecond windows in which our digital systems operate.
When it comes to cybersecurity, many recurring facts are oddly misunderstood. For starters, cybersecurity is local and it is often human-initiated, but then it operates as a microsecond machine-to-machine action that often cannot be traced.
From access to activation, we pass through multiple digital ecosystems with devices that can be leveraged to hack unrelated digital system processes in a millisecond. With millions more digitally enhanced devices projected in the near future, we need to effectively focus on authenticating, viewing, auditing or blocking these millisecond machine actions as they relate to the security policies of our accepted processes and digital ecosystems.
This is the reality of the millisecond machine action cyberworld we live in today — it's one that is rapidly growing, adding the potential of many more system breaches. If we are to enjoy the amazing digital technologies of today and the many more on our doorstep, we must find and deploy millisecond technologies that can defend cyberattacks ahead of the hacker.
Before delivering a keynote at the Florida Center for Cybersecurity 2015 Annual Conference, former NSA Director Keith Alexander spoke about his new startup and the direction cybersecurity must take to be successful.
In June of 2013, privacy advocate Edward Snowden exposed the National Security Agency's mass surveillance efforts — and it was during this time that Keith Alexander, a retired four-star general of the United States Army, served as the NSA's director. On March 28, 2014, after leading the agency through one of the toughest periods in its history, Alexander retired from his post.
During this time, Alexander also served as commander of United States Cyber Command. And when he spoke at the 2013 Black Hat USA conference, he spoke about how as our dependence on information networks increases, it will take a team to eliminate vulnerabilities and counter the ever-growing threats to the network.
"We can succeed in securing it by building strong partnerships between and within the private and public sectors, encouraging information sharing and collaboration, and creating and leveraging the technology that affords us the opportunity to secure cyberspace," he said.
Now, as CEO of IronNet Cybersecurity, which offers an integrated, end-to-end approach to cybersecurity, Alexander is working to fill in a critical gap between cyberthreats and available security technology. Before delivering his keynote speech at the Florida Center for Cybersecurity 2015 Annual Conference, he sat down with me to answer a few questions.
Q: In the cybersecurity industry, we call it the Wild Wild West. Did you ever think it was going to get this wild?
A: In 2007, after the distributed denial-of-service attack by Russian “hackers,” we predicted that the numbers of exploits and attacks would increase significantly, and we have seen just that. It is my personal assessment that these attacks will gain momentum as crises throughout the world evolve, especially in the Ukraine and Middle East.
Q: Recent attacks by China caused tense discussions during a recent U.S. visit by Chinese President Xi Jinping. You had warned of these state-sponsored attacks for years. Will the resulting U.S.-China cybersecurity agreement have an impact on cyberattacks, or is more needed?
A: Clearly there will be a significant need for more discussion and talks at every level — political, military and commercial. President Obama and President Xi Jinping have taken an important first step. We must now all help push this forward. In addition, we should concurrently work to improve our own defenses.
Q: You are now CEO of a startup cybersecurity company, IronNet. How do your responsibilities differ from the past, and what similarities are you seeing?
A: As commander of U.S. Cyber Command, my most important mission was to defend our nation from cyberattacks from our adversaries. I no longer have that responsibility. As the director of the National Security Agency, I was responsible for providing information on those attacking and exploiting our nation in cyberspace, providing intelligence to our national leaders and the Armed Forces, especially those in combat. And I was responsible, along with a great government team, in keeping our nation safe from terrorist attacks. The greatest privilege and honor I have had in my lifetime was leading the great military and civilian personnel at USCYBERCOM and NSA.
As the CEO of a cybersecurity company, we can continue the mission in cyberspace by providing key capabilities to the commercial sector and to the government to help them defend their networks. Cybersecurity requires a team effort — between government and industry, and with our allies. It is an honor to continue to serve and support this national effort in this new capacity.
Q: You have led some of the largest agencies in the federal government. As a startup, how difficult is it to get through these bureaucracies, and should industries like the ever-changing cybersecurity industry be addressed differently?
A: I have focused on working with the commercial sector as my top priority for a host of reasons. I think we can help provide a more defensible architecture and prepare the commercial sector for the time when cyberlegislation is approved and the sharing of cyberinformation can really flow.
Q: Cybersecurity software-as-a-service (CSaaS) is a new approach that is just beginning to catch on. This is a major focus of your new company. Can you tell us some of the advantages of CSaaS over typical cybersecurity offerings?
A: IronNet deploys a minimal set of hardware at customer locations. Software and services are provided out of our Security Operations Center (SOC), where we efficiently manage resources and capacity. Similar to the neighborhood watch concept, the SOC detects and mitigates threats within and across business sectors using a suite of technologies we call IronDome.
Q: We seem to be stuck with some older cybersecurity technologies that just can’t support us now or into the future. We are constantly playing catch-up with what the industry calls “patch and pray” reactionary cybersecurity rather than deploying needed real-time proactive cybersecurity. Are there any new technologies or approaches you see that will support these needed proactive cybersecurity services?
A: We need to move now to a new approach to cybersecurity — an approach that is proactive, agile and adaptive. The old reactive methods, which are based on static perimeter defenses, are not sufficient. Innovative approaches begin with the capability to have visibility across a company’s network, and this visibility needs to be in real time. Then, with this visibility, we can see how machines and people behave on the network, and we can identify changes in behavior. It is these changes in behavior that allow us to identify malicious activity and cyberattacks — and then to take steps necessary to protect a company’s network and data.
Q: What will be the focus of your Keynote Address in Tampa at the Florida Center for Cybersecurity 2015 Annual Conference this month?
A: Three key areas — the rapid evolution of technology, the evolution of threats in cyberspace and a roadmap to the future.
From hacking cars to stealing state secrets and instances of retaliation, there is a real-world awakening to just how expensive and dangerous it is to recover from a cyberattack.
Cybersecurity companies make billions of dollars in patching and reacting to the problem, but customers want proactive cybersecurity — not reactive analysis and temporary repairs. There are reasons this is not happening, and we must redirect both money and thinking in order to put the cybersecurity industry on the right track.
TODAY'S CYBERSECURITY BUSINESS: BAD START AND NEEDED CHANGE
When cybersecurity becomes a business rather than true protection, we have a problem. Unfortunately this is what it's become, and though some are calling it a flat-out scam, I wouldn't necessarily go that far.
There is so much vulnerability in networks and application software that even good cybersecurity developers are working with one hand tied behind their back. This has led to a hack-and-patch cybersecurity business that is a reactionary temporary repair — not an upfront cyberdefense. It takes months to even detect a breach and many more months to temporarily fix it. Companies are making billions in historically patching cyberattacks when customers want to spend their money to stop them from happening in the first place.
Case in point: The Sony attack was disclosed on Nov. 24, 2014, and discussed in a recent 60 Minutes broadcast: Today there are still hundreds of technicians working to correct the problem. Since this attack, other companies and government agencies have been hacked, involving millions of people. This continues while the cybersecurity industry admits to limited cyberdefensive capabilities. In fact, the cybersecurity defensive positions are so weak that retaliatory offensive positions are being considered. What we have learned from earlier attacks is now being used to develop strategies to stop future attacks.
THE OPM BREACH AND LESSONS LEARNED
Nothing was more telling than the information disclosed in a report from the largest federal government breach ever on the U.S. Office of Personnel Management (OPM), which shows both desperation and hope as far as cybersecurity is concerned. The rapid disclosure of the attack may be easier for a government than a corporation that may take a stock hit, but the needed quick response is the same. The quicker the reaction to the breach, the less damage is most likely to occur.
One of the most impressive things that resulted from the OPM breach was the creation of a Cybersecurity Sprint Team that includes members from OMB's E-Gov Cyber Unit, DHS, the National Security Council Cybersecurity Directorate and the Defense Department. The team was charged with leading a 30-day review of "cybersecurity policies, procedures and practices," and issuing a Federal Civilian Cybersecurity Strategy based on its findings.
The sprint team will focus on eight priority areas:
- Protecting Data: Better protect data at rest and in transit
- Improving Situational Awareness: Improve indication and warning
- Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel
- Increase Awareness: Improve overall risk awareness by all users
- Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities
- Controlling, Containing and Recovering from Incidents: Contain malware proliferation, privilege escalation and lateral movement; quickly identify and resolve events and incidents
- Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner
- Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect
The creation of the Cybersecurity Sprint Team and the unprecedented 30-day review that issued a Federal Civilian Cybersecurity Strategy based on its findings is a good sign of present and future responses to cyberbreaches. The key now is whether the recommendations from the Cybersecurity Sprint Team produce results.
STILL PLAYING CATCH-UP
Current cybersecurity technologies — that were designed years ago — are behind the curve. In a recent Federal Times article, Federal CIO Tony Scott explained that most of the systems — most of the technology we use every day — were designed and architected in the 1970s or 1990s, and even newer systems are built on that same framework. Scott said that future systems need to be designed with cybersecurity at the center, and agencies must also work to secure existing systems.
These needed changes in technology are often delayed by industry standards groups, government regulation, compliance and red tape, all of which create process delays and even danger when trying to get needed technological change in and operating. Hackers know this and target these weaknesses while being very agile and always changing. Both industry and government are recognizing they must offer avenues of responding to these changes, and are finding ways to cut the red tape and get these needed changes evaluated and deployed.
CYBERSECURITY: PICK UP THE PACE
A Brookings Institution think tank suggested that government needs to pick up the pace of funding research and acquiring the latest technology in the quickly changing software and electronics sectors. Even day-to-day operations are affected. When you have software upgrades happening every six months, on average, systems must be in place to accept these frequent upgrades. The bureaucracies of both government and business must change their procedures if they are ever to stay ahead in an industry in which change is the new normal.
The last RSA conference also warned of an even bigger problem: Are there enough people to deploy and operate these needed cybersecurity systems? Two studies presented at the conference validated these concerns and discussed what steps can be taken to correct the problem. So how do we get better cybersecurity technologies out quickly while having enough personnel to rapidly respond to the ever-changing exploits? By using something called cybersecurity software as a service (CSaaS).
CSAAS: AN EMERGING TREND
CSaaS may not only address how to get advanced cybersecurity services in and updated, but also the industry's known personnel shortage. These system capabilities offer customers advanced cybersecurity services without the worries of complex design builds and necessary staffing to run these often complex services.
When former NSA Director Keith Alexander entered the private sector, he built a company with a goal of offering CSaaS. His company, IronNet, touts top personnel with more than 100 years of combined experience in top posts at the NSA, U.S. Cyber Command, National Counterterrorism Center and Army Intelligence. An initial version of IronNet’s CSaaS will be generally available later this year.
This CSaaS trend seems to be continuing with CloudLock — the industry's first CSaaS for the cloud. CloudLock was launched in 2011 with one simple goal in mind: to transform cloud security into a business enabler. Delivered as a service, CloudLock’s unified Cloud Security Fabric connects and secures any app natively from the cloud in the cloud through a series of CloudLock Cybersecurity APIs.
While most CSaaS services are focusing on the use of existing cybersecurity and software technologies, a company called Decision Zone is offering a completely new cybersecurity platform that is capable of securing multiple industries. Its CSaaS platform focuses on the use of a non-algorithmic fifth generation programming language (5GL) technologies. This patented technology runs in parallel to any existing network, hardware or software process platform and can detect cyberattack event anomalies in microseconds.
Our current cybersecurity technologies are still stuck in after-attack mode, while bureaucracies delay needed change. We must be able to rapidly deploy proactive systems or we will remain stuck in the dangerous game of cybersecurity catch-up or offensive cyberretaliation. Recent cyberattacks have already disclosed how costly and dangerous reactive cybersecurity approaches can be, offering tremendous lessons learned. It is now a matter of how we move forward.
It is refreshing to see the unprecedented responses by the Federal Government Cybersecurity Sprint Team in not only rapidly responding to attacks, but also offering both existing and new technologies avenues of addressing these attacks. We must continue to find ways to move and change quickly in addressing cybersecurity. It is a good sign that both government and industry are realizing this. They must now find procedures and avenues for funding and rapidly deploying these needed advances in cybersecurity technology.
Like the saying goes, “Pay me now or pay me later.” But in cybersecurity, “later” can be too much and too late.
From unlocking cars and opening garages to hacking a satellite, recent breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous. And our current method of "fighting" these attacks is not working.
Two of the largest hacking conferences, Black Hat and DEF CON, highlighted some of the scariest vulnerabilities in cyberattacks today. From hacking a Wi-Fi connected rifle to a Tesla electric car, a Brinks safe and an electric skateboard, there seemed no end to the demonstrations of what a hacker can do.
Although content database hacking is still of concern, as shown by the Pentagon's recent hacking of nonclassified emails, there seems to be a more dangerous and lethal capability now being demonstrated in our increasingly device-connected world. Gartner projects 25 billion connected vehicles will be in use by 2020, and a recent HP study shows that more than 70 percent of Internet of Things (IoT) devices have vulnerabilities that can be exploited.
Given these statistics, you'd think there would be an urgency to getting these “things” secured. But that is not so.
WHY DON’T WE SECURE THINGS?
Since we began writing software, we have put productivity and functionality ahead of security. For years, the short-term gain in using software to reduce operating costs (or sometimes just to have that new digital gadget) seemed to trump security.
But now that security breaches are costing billions of dollars -- and with billions of new connected things on the horizon that, if breached, could get you killed -- there at last has been new focus on cybersecurity. Unfortunately, however, today’s focus is on cybersecurity solutions that find where the attack occurred, not on solutions that actually proactively stop cyberattacks. There are reasons for this, and we need to take a good look at the limitations of today’s cybersecurity technologies to understand why.
In general, we don't secure things because we use software technologies and networks that were never designed for security. We write software that connects one thing to the next, and then connects to an open network with a bunch of data that is sitting there ready to take action via the software's command or a digital message. This tiny message event can occur in microseconds, and can do any of the great things we see today in digital device technology -- or any of the shocking security breaches we are beginning to see. Whether this microsecond message event could be activating the greatest new app ever seen or hacking an airplane, we are using the same software technologies to execute them.
IS WHAT YOU SEE WHAT YOU GET?
Today's cybersecurity models are caught in the historical aggregation of data consisting of terabytes of system logs that are waiting to be analyzed when something goes wrong. We have deterrent intrusion prevention technologies and historical detection technologies that use software patches to temporarily stop the breaches from recurring. In fact, the main focus of cybersecurity today is how to recover from the damage of a cyberattack by finding and patching the problem -- not actually stopping it from happening in the first place. These cybersecurity models are why things aren't properly secured today, and they must change.
We have been trusting the actions of software messaging units -- and the people who create and analyze them -- since the infancy of the digital age. It is these very messaging units that cyberattackers now exploit into actions they want. We need to deploy technologies that can proactively live-audit these message events and relate them to the workflow processes within a given ecosystem. We are wasting our time and money in trying to improve existing cybersecurity technology approaches. These technologies just can’t keep up with the volume of connected applications on the horizon, and they have no way of live-auditing the authenticity of digital events and their workflow processes.
WHAT AND WHERE WE NEED TO SECURE
Almost all systems are interconnected to the Web. However, all systems work autonomously and, in most cases, locally. It is not your responsibility to secure your neighbor's garage door opener. It is their responsibility. These human-to-machine enhanced digital environments are called digital ecosystems. These ecosystems are defined not only by the person using their digital extension, but also by the interaction of other digital extensions used by other people within the same ecosystem workflow. The business enterprise is a good example of local workflow and all of its digital extensions working locally within a specific ecosystem, and having the ability to connect to other larger remote ecosystems. You need to first define the correct local workflow process and its proper security policies before you can connect to a larger ecosystem. One of the best examples of this is incident response by public safety organizations.
Local public safety procedures and policies are put in place for disaster response to such things as tornadoes, hurricanes and explosions. The local authorities respond to the incident and block and secure the area. Meanwhile, additional agencies come in to reinforce the area and add or collect incident intelligence using a variety of digital technologies. Each department has its own responsibilities and security policies but also takes part in an orchestrated cohesive response that consists of multiple actions and security policies. This is the basis behind the Department of Homeland Security and how it works -- there is secure orchestration and oversight of multiple agency ecosystems and events within a response area. And this is the way cybersecurity works.
Cyberattacks are local in nature, and the needed audits of workflow events also must be local. If the initial local response was audited as being incorrect, the orchestration of responses would also not be correct. Like the old computer saying goes, “garbage in, garbage out.”
If you review the list of devices hacked at the recent DEF CON and Black Hat conventions, you realize one thing very quickly: Cybersecurity attacks might be initiated remotely through the Internet, but the target of the attack is very local (your car, garage, house, your business, a hospital, a power grid substation, a naval ship). Local cybersecurity is the point where you define what is yours and what isn't in your personal ecosystem, how you wish to securely interact, and how other ecosystems wish to securely interact with you.
TODAY’S DATA-DRIVEN MONITORING
Today's cybersecurity has converged on recognizing and monitoring unauthorized access to, and manipulation of, the utility function of data being transported by a network: a small messaging unit that activates a desired digital action and is then stored historically in the system log. When something doesn't work right, the analysis of sometimes terabytes of system logs offers the possible answer to where the breach occurred. There are encryption and analytic formulas that try to protect and monitor data, but these approaches must make assumptions about the digital messages rather than just observe and audit what is happening in real time. You cannot do this by historically monitoring data at the utility function of the process. We need a way to live-monitor and live-audit what is really happening -- not try to later define what might have happened.
True cybersecurity can only be achieved by live-monitoring and live-auditing what the data does in real time, not how it does it. To understand this better, I will use one of the most concerning examples of what hackers are doing today. If a hacker has encrypted a hidden exploit that is in your system readied for activation at any time, how would you stop it? The data-driven security model can't see it, and can't even modify or stop the action because it is encrypted. In fact, the only way to monitor the encrypted hidden exploit is by activating it. In the current data-driven monitoring, we will find this exploit in the historical logs -- which is too late. This is the point where an available live model-driven monitoring approach is needed -- and the only way to stop an attack of this nature in microseconds.
Model-driven monitoring has some unique functionality in cybersecurity due to some of its distinctive attributes. First and foremost, it is done live. From observation to audit to response to mapping the secured orchestration of multiple systems, model-driven monitoring focuses on live actions and interactions within specific and multiple digital ecosystems. To better understand the effectiveness of model-driven monitoring security, let's look at the hacking examples discussed earlier. Every hacking demonstration was done within the framework of a specific digital ecosystem. The network and data utility function of the targeted ecosystem were then manipulated.
Live model-driven monitoring recognizes the exact real system message policies and events that are occurring and does not use human or analytic analysis of aggregated data in historical system logs. Model-driven monitoring can be used in the orchestration of any ecosystem -- and even multiple ecosystems -- offering the secure orchestrated monitoring of more complex systems. From enterprise, to smartphones to cars to planes to naval ships to atomic power plants to even the human body, model-driven monitoring offers live observation, audit, response and mapping for any process or control system, no matter what hardware, software or network utility it runs on.
Of additional importance in model-driven monitoring is that the live information patterns do not require the retrieval of historical system logs for observation, audit, response and mapping. These features are what give the monitoring approach not only its live capabilities, but additional security and privacy capabilities not found in current data-driven models. Rather than having vulnerable stored data telling the system what to do, model-driven monitoring graphically demonstrates under the specified system event policies what the system is actually doing in real time without leaving a digital trail. These stored digital trails left by the data-driven model are not only why people are hacking, but are becoming serious privacy issues as we continue to add more connected devices to personal and business ecosystems. For more information on model-driven monitoring, see: Model-Driven Monitoring: An Application of Graph Transformation for Design by Contract.
MONITOR IT OR STOP IT
A few concerns with current cybersecurity technologies are that they focus primarily on patching problems and making money, rather than actually securing things. Current cyberattack responses and the current cybersecurity technologies offered are more focused on the whodunnit than on not letting it happen in the first place. Just looking at cyberattack headlines, you'll find the reactionary response to something that actually happened months ago. These slow-to-react responses are due to data-driven monitoring of the utility systems rather than live model-driven monitoring. We currently live in a world of unmonitored microsecond machine messages that can properly activate or even manipulate the actions of virtually any automated ecosystem.
If we are to enjoy the tremendous capabilities that our new digital communities will bring us, we must then also offer the most economical and technologically superior technologies in the protection and use of these new digital technologies. If we can't prove the security and privacy of these upcoming technologies, then we will dangerously play the risk game of productivity and functionality versus security and privacy.
The hacking demonstrations at Black Hat and DEFCON have proven that we are reaching a whole new level of cyberattacks: the deadly ones. We need to fix these cybersecurity issues now or stop the deployment of billions of digital things that clearly can cause us harm.
BY LARRY KARISNY / JULY 2, 2015
The Einstein and Continuous Diagnostics and Mitigation cybersecurity programs have been hailed as the cornerstone of repelling cyberthreats in real-time -- but it turns out this is not actually the case.
A massive cyberattack at the U.S. Office of Personnel Management (OPM) exposed the personal information of as many as 4 million federal employees. Though this type of news is not unusual, this particular case is different given that a multi-billion-dollar federal civilian cyberdefense system was hacked. The cyberdefense systems supposedly protecting the OPM are Department of Homeland Security programs known as Einstein and Continuous Diagnostics and Mitigation (CDM) -- and were hailed as the cornerstone of repelling cyberthreats in real time.
Unfortunately this is not actually the case, as it took five months to discover the intrusion -- hackers hit the OPM in December, and the agency did not detect the intrusion until April. How bad the attack really was is still being analyzed.
WHAT ARE EINSTEIN AND CDM?
Einstein (also known as the EINSTEIN Program) is an intrusion detection system that monitors the network gateways of government departments and agencies in the United States for unauthorized traffic. The software was developed by the United States Computer Emergency Readiness Team (US-CERT), which is the operational arm of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS). The program was originally developed to provide "situational awareness" for the civilian agencies. The first version examined network traffic, while the expansion in development could look at content.
The CDM program provides IT security software and hardware tools and services for continuous protection of civilian agency networks and systems from cyberattack. This program is a dynamic approach to fortifying cybersecurity of government networks and systems. CDM provides federal departments and agencies with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. Congress established the CDM program to provide adequate, risk-based and cost-effective cybersecurity, and more efficiently allocate cybersecurity resources. The CDM program lets government entities expand their continuous diagnostic capabilities by increasing their network sensor capacity, automating sensor collections and prioritizing risk alerts.
WHY EINSTEIN AND CDM FAILED
One of the biggest problems with federal system security is the magnitude of connected and interconnected information systems, databases and agencies. These are often some of the largest systems in the world, with security upgrades often at different points of deployment in different locations and departments. Unfortunately this widespread approach allows for breach points within the centralized system security, offering a weakest-link vulnerability that is capable of breaching the entire system.
The more the federal government attempts to centralize these information services, the greater the attack surface. This is a problem seen in many government entities, as in large companies that have used the efficiencies of centralized digital information for years while continually playing catch-up in securing the system's digital processes.
Another big issue that I have previously covered (see video at left) is that today we are securing enterprise service applications at the utility service level by analyzing historical trace logs. This is why it took the OPM months to detect the breach of 4 million employees' clearance records and related files. Our current Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) are focused on securing the information utility transport services. This massive aggregation of data in motion, data at rest and intermittently active data is a sitting duck for hackers. Larger information systems are then connected to additional utility transport services, offering the potential of multiple points of breach. The bigger the system, the more complex the data repositories -- and the more difficult it is to find what data has been compromised.
After a cyberattack, a cybersecurity analyst is then faced with the unenviable task of finding the needle in the haystack and sorting through sometimes terabytes of system logs to discover the point of cyberbreach. This is why it takes so long to find the source of the cyberattack. In general, this is why large databases both in government and big corporations are being hacked: They react to system breaches rather than proactively stop cyberattacks. Until we change the way we view our information services in our current cybersecurity systems, we will not effectively stop cyberattacks.
NIST RESPONDS TO THE OPM ATTACKS
The National Institute of Standards and Technology (NIST) released guidelines for better security for government contractors covering 14 areas: access control, awareness and training, audit and accountability, configuration management, ID and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
The heart of all recommendations lies with the security system's audit and accountability and the time period it takes to complete this audit. If you cannot be reassured of what your workflow services are in real time, then none of the other recommendations really matter and your systems are susceptible to breach. Case in point: If a hacker has put a hidden exploit in a system and has encrypted it, how would you stop this on-demand real-time cyberattack? The only way an attack of this nature can be stopped is by knowing what the process workflow was supposed to do. Anything else -- even an authenticated encrypted hidden exploit -- could be considered an event anomaly and would be blocked. If utility machine events can occur in microseconds, then the cybersecurity solutions offered must be able to audit and block system exploit anomalies ahead of these microsecond workflow process and machine actions. If this cannot be done, then the hacker will always have the first-to-strike advantage.
MOVING FROM ALGORITHMIC TO NON-ALGORITHMIC APPROACHES
Both software code and the algorithmic analytic approaches have the same problem. They are susceptible to code and algorithm exploits that can take control of the system process services. Our systems today are at best auditing historical actions of system utility events, not the actual workflow process services. When you are talking about microsecond events that can turn on or off critical digital services, algorithmic formulas and code take too long to audit. Both are also susceptible to exploit manipulation through reverse engineering or code and algorithm manipulation.
In cybersecurity, an audit should tell what is accepted as a proper workflow event or security policy -- not that something unusual has occurred and was found by historically viewing system logs.
Getting back to the question of how to stop a hacker who has hidden the exploit and encrypted it for activation at any time: if you know the correct workflow services and correct system security policies, then an exploit that isn't part of the workflow event services can be alarmed on or blocked ahead of the activated exploit. Doing this in microseconds requires the recognition of these correct workflow services in codeless fifth-generation programming language (5GL) patterns, not code or algorithms. Code and algorithmic formulas are too slow and can only offer code-patching cybersecurity technologies. These cyberbreach corrections are made after historically viewing system logs, not in real-time pre-emptive methods of blocking cyberattacks.
When you have data in motion, data at rest and data in use available for access without real-time audits of the access and use of the data, then why shouldn't this data be hacked? When you have code written on top of code, cloud computing connecting to enterprise computing, and the Internet of Things (IoT) without any security standards (and a projection of billions of connected devices), why would you expect cyberattacks to be stopped? We can't keep doing the same things and expect different results. It is only when you can proactively audit your real-time workflow events in microseconds ahead of a potential cyberattack that you can stop exploits and achieve true cybersecurity.
ADDRESSING HUMAN NATURE
People find change difficult even when it is greatly needed and can improve their lives. Technological change is even more difficult because people neither understand it nor have a vested interest in it, because they are employed in the use of inferior older technologies. A hacker makes new cyberattack technology every day and can activate these digital exploit breaching capabilities in microseconds. We are currently combating these attacks with published standards and guidelines that take years to develop, and are known to be ineffective in stopping a cyberattack after their release.
As the saying goes, necessity is the mother of invention. We are faced with an expanding use of connected services that if not secured, will stop the massive progress we currently have achieved in our current digital information systems while simultaneously halting technological innovations. When these information system technologies are continually breached and become too expensive and dangerous to operate, they will have to be stopped. This will put us back to the pre-digital age, which for most of us is incomprehensible.
We have not even touched the service capabilities that cloud computing and IoT services can offer us now and in the future. We can't depend on current IPS and IDS technologies to secure the billions of connected applications operating today and in the future. We can't keep thinking we can patch things, control cyberattacks or even win a cyberwar. Even power and money have shown their weaknesses in stopping the independent hacker (now groups of hackers) who are simply saying, "If you do this, then I can do that," while we slowly react to their daily ingenuity.
BECOME PART OF THE CYBERSECURITY CHANGE
Before there was software, people did things manually while watching and auditing their progress -- which is still a big part of today’s business processes. This means of oversight is not perfect and is sometimes subjective, leaving much room for error. Today's information system technologies and the workflow they automate are no different. We need to find ways of auditing these digital assisted processes to assure that the workflow services and security policies they run on are correct. We have greatly increased our automation through digital workflows, but have not put the proper auditing services in to assure that these microsecond workflow event services are actually correct.
Cybersecurity is about the audit of how we use information technologies (digital workflow) and doing things correctly, not the historical analysis of what went wrong. If we do not implement the correct auditing technologies within the digital workflow services, then connecting our ever-expanding information system services to the workflow processes means they will surely be breached. To do this, we must do things differently -- we must not depend on current cybersecurity technologies that continue to show fault. Please take a look at this YouTube presentation (also embedded above) and become part of this needed change that will secure our current digital technologies while simultaneously securing the exciting future connected digital capabilities we can now only dream of.
BY LARRY KARISNY / APRIL 15, 2015
If superior cybersecurity technologies exist, there is a responsibility beyond corporate profits or government compliance standards that must expedite their use.
From the new TV show CSI: Cyber, which offers a view of the complexities of cyber attack investigations, to the seeming insanity of a CEO talking to a CISO about a potential cyber breach, it seems today's cybersecurity approaches are more of a whodunit than a technological detection. Even the whodunit approaches are, at best, time consuming manual assumptions rather than technological real-time security detection of what has really happened.
Although this makes for a highly-viewed TV show, in reality, the current approaches of how we address cybersecurity are more a part of the problem than of the solution. Today we are throwing known ineffective technologies, lots of money and people at reactionary cyberattack approaches that are almost shameful in an information technology industry that created the term, "good enough."
By definition, the "good enough" principle is a rule for software and systems design. It indicates that consumers will use products that are good enough for their requirements, despite the availability of more advanced technology.
Though this definition may technically work for the latest new gadget, perhaps we shouldn't be settling -- we don't want this "good enough" security technology in our cars, homes, banks, businesses, critical infrastructures or national defense systems. If superior cybersecurity technologies that greatly exceed current solutions exist, there is a responsibility beyond corporate profits or government compliance standards that must expedite their use.
THE CYBERSECURITY INDUSTRY: IS IT MOVING IN THE RIGHT DIRECTION?
A review of the top 10 young security companies to watch by Network World shares both intriguing and disturbing directions in which cybersecurity solutions could go.
The intriguing part: There's a general focus on technologies that detect cyberbreaches more quickly and accurately, which confirms the focus of both my previous article and a recent article in Fortune. It's comforting to see that security companies are realizing their solutions must detect breaches more quickly, and that where detection should occur is in the processes and application workflow events. Sadly, however, intended cybersecurity spending is going toward securing networks rather than securing application-level events, which is where hackers are clearly focusing.
The disturbing part: Some of these new start-up cyber companies are using high-end encryption, but as explained in my previous articles, criminals are actually using encryption to hide their activities and protect their on-demand exploit hacking capabilities. This is such a concern that, separately, the FBI, Europol and Britain's MI6 expressed misgivings about technology companies using this method. Encryption has been under the microscope since Prime Minister David Cameron suggested that encryption should be banned. Encryption used properly is a good first line of network defense. The problem, however, is that the majority of cyberexploits are now focused at the application level -- and few IT people secure or monitor activity at this level.
At the second annual Cybersecurity Workforce Summit in Arlington, Va., FCC CIO David Bray was quoted as saying, "We do a lot on signature detection, how can we also move to be much more about behavior, so we can deal with unknowns?" A good example of signature detection is the new collaboration between IBM and TI on an embedded secure device identity. The problem is that we continue trying to secure things at the centralized hardware and software integration layers when we are operating in a distributed network-computing environment where the applications rule.
Current enterprise security architecture serially analyzes historical output system data log traces to discover if the organization's policies and procedures are in compliance. This enterprise security architecture was designed for centralized computing and is vulnerable to cyberintrusion attacks in the distributed network-computing environment in which we mainly operate today. Hackers know this, and that's why 84 percent of all cyber attacks occur on the distributed network computing application layer. Unfortunately, we do little in securing or managing these critical application events -- events that are the heart of today’s distributed network-computing processes. We must be at the right place at the right time if we are to achieve true cybersecurity. Though today we are not doing this, there are ways to achieve it.
MONEY CAN NO LONGER TRUMP SECURITY
As an adviser to startups with often superior cybersecurity technologies, I have pushed through layers of lab tests and standards groups only to find that status quo big businesses and big government are still playing catch up when it comes to cybersecurity. There are good reasons for this, and we can't just throw technologies out there without some form of investment coordination or technology oversight.
We must keep in mind, however, that we are embarking on a new industry called the Internet of Things (IoT) that has multiple standards and seemingly a disregard for cybersecurity. In the past, cybersecurity has taken a back seat to the next big thing. But with the potential of a billion devices and seemingly endless amounts of big and small data, the fix-it-later approach in cybersecurity must change. This time around, I don't think even first-to-market money will trump security, and there is good reason.
The CEO of Kaspersky Lab is warning about the upcoming dangers, calling the Internet of Things the "Internet of Threats." Symantec also warns of known IoT security issues. And IDC noted that within two years, 90 percent of all IT networks will have an IoT-based security breach, although many will be considered "inconveniences."
If IoT wants to be the trillion dollar industry that is projected, it must now be forced to address cybersecurity or people will not trust the products in their cars, homes, workplaces or critical infrastructures. When breaches start getting personal, people will stop using the products that caused or were the source of the breach. Cybersecurity technologies must address today’s security needs; we must find new approaches to secure the billions of devices headed our way in the near future. We know the problems, so now is the time to define true solutions rather than use temporary patch-and-pray bandages.
WALKING SECURELY THROUGH MULTIPLE DIGITAL ECOSYSTEMS
In today's world, we secure cyberecosystems by giving employees authenticated access to the often-encrypted enterprise system. But most cyberbreaches are inside jobs. So an employee with authenticated access to the enterprise who walks into his or her place of business with a smartphone filled with thousands of apps that can, together or independently, connect to hundreds of other IoT devices is a danger. Some of the apps could be exploit tools he or she will use to breach the network.
Although these methods of cybersecurity are at times a deterrent to cyberbreaches, experienced hackers can use them to their advantage. There are many breach opportunities from this point thanks to the introduction of utility-integrated centralized networks and distributed network-computing environments. They, by design, offer hackers almost endless opportunities to initiate a breach. This is where today's cybersecurity technologies fail (and fail miserably), and where they will continue to fail by design. So where are we going wrong?
The point where security lies is where an organization's policy and procedure applications reside. Knowing this, all we must do is design and build cybersecurity applications that detect, manage and secure the events taking place in the distributed network-computing environment ecosystem.
Every ecosystem is different, as are the security policies and procedural applications that an ecosystem uses. We may have an IoT that does exactly the same thing from a software or hardware perspective, but will work or not work based on the ecosystem's policies and procedure workflows. By converting these workflow policies into an automated intrusion detection application, we can accept or reject event procedural workflow security policies as part (or not part) of the ecosystem. This must be done in microseconds if we are to beat the hacker while allowing billions of software, hardware and IoT devices to securely move seamlessly through multiple ecosystems. So how can we do this?
FOCUS ON POLICY-CENTRIC NOT DATA-CENTRIC
Most organizations have already defined their expected security policies and procedures on how, when and what data/information can be exchanged by people, systems, devices or applications in their business environment. In fact, organizations such as the National Institute of Standards and Technology (NIST) have mandated compliance with these policies and procedures in areas such as critical infrastructure. Organizations have done a good job of targeting security policies and procedures in their workplaces and digital control systems; they just haven't deployed the right technologies to audit, manage and secure these process events in real time.
Today’s cybersecurity crisis stems from the fact that current data-centric 3rd- and 4th-generation programming language-based security products cannot detect real-time cyberintrusions in distributed network-computing applications, security policies and workflows. When it comes to security, current software products only accumulate logs into databases to perform data analytics, discovering wrong policy patterns. The wrong data patterns are added to a knowledge base to implement system patches in an attempt to detect future offences.
Digital Process Management 5th Generation Programming Language (5GL) uses your policies to define the right event patterns (methods and constraints) for conducting business according to policy, accurately determining the relationship between a condition or variable and a particular consequence, with one event leading to another. 5GL displays anomalies and normal event transactions at machine speeds, with consolidated audit trails providing deep insights into business transactions. This cybersecurity paradigm shift instantly identifies events that do not follow the right pattern so you can respond immediately to proactively prevent or mitigate the cause and effect of business impacts in real time.
Fifth-generation code-free software allows organizations to rapidly customize their cybersecurity applications to automatically detect and manage intrusions or flawed operations in security policies, workflows, applications and mobile apps in real time in today’s distributed computing environment. To solve the cybersecurity crisis, organizations must deploy 5GL security applications that are policy-centric not data-centric to prevent cyberintrusions. This is how we can be at the right place at the right time with cybersecurity technologies that will be, at the very least, “good enough” to stop a hacker before the damage is done -- not after.
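The policy-centric idea described here, and the earlier question of how to stop a hidden exploit that has been staged for later activation, can be made concrete as an explicit workflow model that every event is checked against before it is applied. The following Python is an added illustration, not the author's code or any vendor's 5GL product: the ecosystem, actor, state and action names and the event stream are constructed for the example, and the point it shows is that an event outside the modelled workflow is blocked on its own terms, without needing to inspect or decrypt its payload, and even when the actor is authenticated.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ecosystem: str  # the local workflow this event targets (constructed name)
    actor: str      # authenticated identity that issued it
    action: str     # requested transition


@dataclass(frozen=True)
class Decision:
    allowed: bool
    state_before: str
    state_after: str
    reason: str


class WorkflowModel:
    """Explicit model of one ecosystem's permitted workflow.

    transitions maps (current_state, role, action) -> next_state. Anything
    not in the map is an anomaly by definition, regardless of who sent it
    or what payload it carries.
    """

    def __init__(self, initial: str,
                 transitions: Dict[Tuple[str, str, str], str],
                 roles: Dict[str, str]) -> None:
        self.initial = initial
        self.transitions = transitions
        self.roles = roles  # actor -> role within this ecosystem


class PolicyMonitor:
    """Evaluates each event against the model before it is applied."""

    def __init__(self, models: Dict[str, WorkflowModel]) -> None:
        self.models = models
        self.state = {name: m.initial for name, m in models.items()}
        self.audit: List[Tuple[Event, Decision]] = []  # live audit trail

    def evaluate(self, ev: Event) -> Decision:
        model = self.models.get(ev.ecosystem)
        before = self.state.get(ev.ecosystem, "<unknown>")
        if model is None:
            d = Decision(False, before, before, "no workflow model for ecosystem")
        elif ev.actor not in model.roles:
            d = Decision(False, before, before, "actor not part of this ecosystem")
        else:
            role = model.roles[ev.actor]
            nxt = model.transitions.get((before, role, ev.action))
            if nxt is None:
                d = Decision(False, before, before,
                             f"'{ev.action}' by role '{role}' is not a modelled "
                             f"transition from state '{before}'")
            else:
                # Only a modelled transition ever changes the ecosystem state.
                self.state[ev.ecosystem] = nxt
                d = Decision(True, before, nxt, "matches workflow model")
        self.audit.append((ev, d))
        return d


def garage_model() -> WorkflowModel:
    """Constructed example: a garage door controller's permitted workflow."""
    return WorkflowModel(
        initial="closed",
        transitions={
            ("closed", "owner", "open"): "open",
            ("open", "owner", "close"): "closed",
            ("open", "maintenance", "diagnostics"): "open",
        },
        roles={"alice": "owner", "tech-bob": "maintenance"},
    )


def demo() -> List[Decision]:
    """Runs a constructed event stream through the monitor."""
    monitor = PolicyMonitor({"garage": garage_model()})
    stream = [
        Event("garage", "alice", "open"),            # modelled: allowed
        Event("garage", "tech-bob", "diagnostics"),  # modelled: allowed
        # Authenticated maintenance actor requesting an action the workflow
        # never defined (stands in for a staged, opaque payload): blocked
        # without looking at the payload at all.
        Event("garage", "tech-bob", "exec_blob"),
        Event("garage", "mallory", "close"),         # unknown actor: blocked
        Event("garage", "alice", "close"),           # modelled: allowed
        Event("thermostat", "alice", "set_temp"),    # no model: blocked
    ]
    return [monitor.evaluate(ev) for ev in stream]


if __name__ == "__main__":
    for d in demo():
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict:5} {d.state_before} -> {d.state_after}: {d.reason}")
```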
EXCEEDING 'GOOD ENOUGH'
How to achieve cybersecurity is baffling some of the world's most brilliant minds. Though there is much investment in cybersecurity, it's questionable whether those investments are for improvements to current methods or for solid cybersolutions that will protect us today and prepare us for a much bigger digitally connected future.
ADDITIONAL CYBERSECURITY RESOURCES
With cloud and IoT applications increasing by the billions, we must ready ourselves for all these applications while simultaneously playing catch-up with the current (and increasing) cyberattacks.
We have reached the point where current cybersecurity technologies can neither effectively nor rapidly address our increasingly connected world. The projected use of cloud and IoT applications exceeds all current Internet usage -- so we must build a security platform that can seamlessly allow the use of these technologies while protecting each and every other ecosystem within our digital communities.
Bottom line: We must exceed “good enough” security technologies and create completely new technologies -- that are ready and available today.