A few weeks ago, while attending Black Hat 2019, I was invited to participate in a Dark Reading technology panel hosted by editor Tim Wilson. The discussion focused on new types of technologies that can truly improve cybersecurity defenses.
My first instincts were to go with some of the product categories I research daily. For example, I could have described how machine learning algorithms can improve security analytics or vulnerability management. I might have expounded upon how SOAR (security orchestration, automation, and response) platforms can help organizations automate manual processes and streamline security operations. Similarly, I thought about breach and attack simulation tools that can help identify risk and lead to continuous assessment and security improvement.
Yup, these technologies show great promise, but there is also a lot of hype around each. Furthermore, while enterprise organizations are using them, processes and technologies themselves remain immature. CISOs can achieve benefits with these technologies, but most that I've talked to are proceeding slowly and cautiously.
Given this reality, I had to take a step back and really think about technologies I consider groundbreaking. It wasn't easy, but I came up with three non-intuitive technologies that are truly making a difference to cybersecurity professionals.
Promising Technology 1: Apache Kafka. According to ESG research, 77% of enterprise organizations collect, process, and analyze more security data than they did two years ago. What kind of data? Everything: log data, network packets and flows, cyber threat intelligence, application data, cloud telemetry, and more. This makes sense for continuous security monitoring, but moving and processing real-time data streams requires a highly scalable data pipeline. Enter Apache Kafka, a community-developed, distributed event streaming platform (first developed by LinkedIn) capable of handling trillions of events a day.
Apache Kafka provides a publish/subscribe messaging bus for terabytes of security telemetry and then feeds it to numerous analytics engines in real time. Thus, Apache Kafka (and other tools, such as RabbitMQ) can help enable more rapid threat detection and response. When I first discovered Apache Kafka, it was being used in grassroots development efforts, but vendors have taken notice since then. In 2018, Splunk released a connector for Kafka to leverage the framework, and other SIEM tools and security analytics vendors are also getting involved. We can't collect, process, analyze, and act upon security telemetry without a high-performance, highly scalable, and well-managed data pipeline. Apache Kafka is making a real difference in this area.
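To make the publish/subscribe pattern concrete, here is an added example (mine, not the article's and not Kafka's own client code) that models a Kafka-style append-only topic in memory. Two independent "analytics engines" (a threat-intel IP matcher and a failed-login counter) read the same telemetry stream, each committing its own offset the way Kafka consumer groups do, and a third group that joins late still reads every record from offset zero. The events, the watchlist and the threshold are constructed sample data; a real deployment would replace `Topic` with a Kafka broker and the `kafka-python` or Confluent client.

```python
"""Added example: in-memory model of Kafka-style pub/sub for security telemetry.
One append-only topic, several consumer groups, each with its own offset."""
from collections import defaultdict
import json


class Topic:
    """Append-only log; every consumer group keeps an independent committed offset."""

    def __init__(self, name):
        self.name = name
        self.log = []                      # records stored as serialized JSON strings
        self.offsets = defaultdict(int)    # group name -> next offset to read

    def produce(self, event):
        self.log.append(json.dumps(event))
        return len(self.log) - 1           # offset of the record just written

    def poll(self, group, max_records=100):
        start = self.offsets[group]
        batch = [json.loads(r) for r in self.log[start:start + max_records]]
        self.offsets[group] = start + len(batch)   # commit after the batch is handed over
        return batch


# Constructed threat-intel indicator (documentation range, TEST-NET-3).
WATCHLIST = {"203.0.113.7"}


def intel_matcher(batch):
    """Analytics engine 1: return events whose source IP is on the watchlist."""
    return [e for e in batch if e.get("src_ip") in WATCHLIST]


def failed_login_counter(batch, state, threshold=3):
    """Analytics engine 2: count auth failures per host; emit the host when it hits the threshold."""
    alerts = []
    for e in batch:
        if e.get("event") == "auth_failure":
            state[e["host"]] += 1
            if state[e["host"]] == threshold:
                alerts.append(e["host"])
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"event": "auth_failure", "host": "web01", "src_ip": "198.51.100.4"},
    {"event": "auth_failure", "host": "web01", "src_ip": "198.51.100.4"},
    {"event": "netflow", "host": "fw01", "src_ip": "203.0.113.7", "dst_port": 445},
    {"event": "auth_failure", "host": "web01", "src_ip": "198.51.100.4"},
    {"event": "auth_success", "host": "db01", "src_ip": "10.0.0.12"},
]


def run_pipeline(events=SAMPLE_EVENTS):
    """Publish all events once, then let each engine consume the full stream independently."""
    topic = Topic("security-telemetry")
    for e in events:
        topic.produce(e)

    intel_hits = intel_matcher(topic.poll("intel-engine"))
    auth_state = defaultdict(int)
    brute_force_hosts = failed_login_counter(topic.poll("auth-engine"), auth_state)
    late_joiner = topic.poll("new-engine")   # a group added later still gets the whole log

    return {
        "intel_hits": [h["src_ip"] for h in intel_hits],
        "bruteforce_hosts": brute_force_hosts,
        "late_join_count": len(late_joiner),
        "offsets": dict(topic.offsets),
    }


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

The point to notice is that neither engine knows about the other: the matcher and the counter each read at their own pace, and adding the third group required no change to the producer or the existing consumers, which is the property that lets one telemetry pipeline feed many analytics tools.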
Promising Technology 2: The MITRE ATT&CK Framework (MAF). Let's face it, MITRE has had some swings and misses over the years, producing complex technology frameworks that never gained acceptance outside of the US federal government. (FCAPS comes to mind.) Why is MAF different? As Sun Tzu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." In many cases, cybersecurity analysts knew a lot about themselves but not nearly as much about their enemy, so they tended to address each security incident individually rather than look for patterns of attack. Lockheed Martin helped change cybersecurity thinking in 2011 with its introduction of the "kill chain," but security teams needed advanced threat intelligence and security analysis skills to map security events into Lockheed's model.
MAF bridges this gap by acting as the "glue," allowing analysts to contextualize and visualize individual events along kill chains and giving them detailed instructions on where to look next to uncover broader cybersecurity attacks. With its growing user popularity, it's not surprising that MAF support is becoming ubiquitous across security analytics tools of all types. Following Sun Tzu's wisdom, MAF forces cybersecurity analysts to think like a cybersecurity adversary. No wonder it is having such a profound impact.
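The "glue" role described above can be shown with a small added example (mine, not MITRE's code or the article's). It maps raw events onto ATT&CK techniques with simple detection rules, orders the hits by tactic so they read as a kill chain, and then lists the tactics that lie between the earliest and latest observed ones but have no evidence yet, which is the "where to look next" prompt the framework gives an analyst. The technique IDs and tactic names are real ATT&CK Enterprise entries; the tactic list is a subset in kill-chain order, and the rules and events are constructed.

```python
"""Added example: map events to ATT&CK techniques, order by tactic, and surface
the tactics with no evidence between the observed ones."""

# Subset of ATT&CK Enterprise tactics in kill-chain order (Reconnaissance and
# Resource Development omitted for brevity).
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Constructed subset of ATT&CK techniques: id -> (name, tactic).
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
}

# Constructed detection rules: (technique id, predicate over an event dict).
RULES = [
    ("T1566", lambda e: e.get("type") == "email" and bool(e.get("attachment_opened"))),
    ("T1059", lambda e: e.get("type") == "process"
                        and e.get("image", "").lower().endswith(("powershell.exe", "cmd.exe"))),
    ("T1003", lambda e: e.get("type") == "process" and "lsass" in e.get("target_image", "").lower()),
    ("T1021", lambda e: e.get("type") == "logon" and e.get("logon_type") == 3 and bool(e.get("admin"))),
    ("T1041", lambda e: e.get("type") == "netflow" and e.get("bytes_out", 0) > 50_000_000),
]


def map_events(events):
    """Return (technique_id, name, tactic, event_id) per rule match, sorted into kill-chain order."""
    hits = []
    for e in events:
        for tid, predicate in RULES:
            if predicate(e):
                name, tactic = TECHNIQUES[tid]
                hits.append((tid, name, tactic, e["id"]))
    return sorted(hits, key=lambda h: TACTIC_ORDER.index(h[2]))


def gaps(hits):
    """Tactics between the earliest and latest observed tactic that have no evidence yet."""
    seen = {h[2] for h in hits}
    if not seen:
        return []
    positions = [TACTIC_ORDER.index(t) for t in seen]
    window = TACTIC_ORDER[min(positions):max(positions) + 1]
    return [t for t in window if t not in seen]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "type": "email", "user": "jsmith", "attachment_opened": True},
    {"id": 2, "type": "process", "host": "ws17",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "type": "logon", "host": "fs02", "src": "ws17", "logon_type": 3, "admin": True},
    {"id": 4, "type": "netflow", "host": "ws17", "bytes_out": 1200},
]


if __name__ == "__main__":
    chain = map_events(SAMPLE_EVENTS)
    for tid, name, tactic, eid in chain:
        print(f"event {eid}: {tid} {name} [{tactic}]")
    print("look next in:", ", ".join(gaps(chain)))
```

With the sample events the chain shows Initial Access, Execution and Lateral Movement; the unobserved tactics in between (Persistence through Discovery) are where an analyst would hunt for the credential theft or discovery activity that normally precedes lateral movement.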
Promising Technology 3: OpenC2. This OASIS standard is a bit more esoteric than Apache Kafka or MAF, and in truth it really hasn't had an impact yet. However, in my humble opinion, it holds great potential. OpenC2 creates an abstraction layer for standardizing communications and instructions for security controls. For example, suppose an organization receives high-fidelity threat intelligence that a specific IP address is malicious. The immediate response would be to block this IP address across all security controls. With existing security technologies, this could mean translating this rule into vendor-specific syntax, which can get cumbersome in a large heterogeneous enterprise. This is why SIEM, SOAR, and TIP vendors (among others) spend so much time and effort developing connectors and building partner ecosystems.
OpenC2 could alleviate this translation problem through common standards. Rather than individual connectors, security controls such as endpoint security software, firewalls, proxies, DNS services, etc., would talk OpenC2, so analytics engines could issue a single rule for all relevant security controls. I believe this standardization could really help automate, accelerate, and scale data-driven security processes.
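The "block this IP everywhere" scenario from the two paragraphs above, as an added example (mine, not the article's and not the OASIS reference implementation). One OpenC2 `deny` command is validated once and fanned out to three security controls, each of which renders it in its own native syntax. The command and response layout (`action`, `target`, `args`, `actuator`; status codes modelled on HTTP) follow the OpenC2 Language Specification v1.0; the three control drivers, their command syntaxes and the indicators are hypothetical stand-ins for vendor-specific connectors.

```python
"""Added example: one OpenC2 'deny' command dispatched to several controls,
each translating it into its own (hypothetical) native syntax."""
import ipaddress

# Subset of the action vocabulary defined in the OpenC2 Language Spec v1.0.
OPENC2_ACTIONS = {"deny", "allow", "query", "delete", "update", "set"}


def validate(cmd):
    """Minimal structural check: a known action and exactly one target type."""
    if cmd.get("action") not in OPENC2_ACTIONS:
        raise ValueError(f"unknown OpenC2 action {cmd.get('action')!r}")
    target = cmd.get("target", {})
    if len(target) != 1:
        raise ValueError("an OpenC2 command carries exactly one target")
    return next(iter(target.items()))      # (target_type, value)


# Hypothetical drivers. Each returns (status, native_form); 501 means the
# control does not support that target type, as in the spec's status codes.
def firewall_driver(action, ttype, value):
    if ttype != "ipv4_net":
        return 501, None
    net = ipaddress.ip_network(value, strict=False)
    verb = "drop" if action == "deny" else "accept"
    return 200, f"rule add src {net} action {verb}"         # hypothetical firewall CLI


def dns_driver(action, ttype, value):
    if ttype != "domain_name":
        return 501, None
    if action == "deny":
        return 200, f"{value} CNAME sinkhole.example.net."    # RPZ-style sinkhole record
    return 200, f"{value} CNAME rpz-passthru."


def edr_driver(action, ttype, value):
    if ttype not in ("ipv4_net", "domain_name"):
        return 501, None
    mode = "block" if action == "deny" else "allow"
    return 200, {"indicator": value, "type": ttype, "mode": mode}   # hypothetical EDR API body


DRIVERS = {"firewall": firewall_driver, "dns": dns_driver, "edr": edr_driver}


def dispatch(cmd, drivers=DRIVERS):
    """Validate once, then fan the abstract command out to every control."""
    ttype, value = validate(cmd)
    action = cmd["action"]
    responses = {}
    for name, driver in drivers.items():
        status, native = driver(action, ttype, value)
        responses[name] = {
            "status": status,
            "status_text": "OK" if status == 200 else "Not Implemented",
            "native": native,
        }
    return responses


# Constructed commands using documentation-range indicators.
BLOCK_IP = {
    "action": "deny",
    "target": {"ipv4_net": "203.0.113.7/32"},
    "args": {"response_requested": "complete"},
}
BLOCK_DOMAIN = {"action": "deny", "target": {"domain_name": "malware.example"}}


if __name__ == "__main__":
    for name, resp in dispatch(BLOCK_IP).items():
        print(f"{name}: {resp['status']} {resp['status_text']} -> {resp['native']}")
```

The analytics engine only ever emits the abstract command; the per-vendor knowledge lives in the drivers, and a control that cannot act on a given target type says so with a 501 instead of silently ignoring the instruction, which is what lets an operator confirm that a block actually landed on every control that could enforce it.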
There's a common pattern with all three technologies: Each one acts as a force multiplier, adding value to every other security technology around it. This alone could make them extremely beneficial for CISOs and enterprise organizations.