It's not as challenging as mapping the heavens, but the Cloud Security Alliance (CSA) has taken on how we think about cyber "intelligence," and is calling for wider adoption of data-driven security. (Read the full paper and comment here.)
The paper makes four points designed to initiate dialogue on how to break out of an unwinnable security tool race with adversaries.
First, we must redefine intelligence. Intelligence can't be seen only as external data on adversary tactics, techniques, and procedures. Rather, it should be defined as the capacity of organizations to understand and extract actionable insight from data produced both by security tools focused on internal assets and architecture and by external threat sources.
Second, we must move to a data-driven security model that leverages the output of tools through integration and automation. Both open APIs and data normalization capabilities are critical to success.
Third, rather than moving from one event to the next, we need to absorb what we learn from past events and build "cyber memory": the ability to recall and connect event data gathered from across security systems. Creating this "virtual memory" will enable machine learning (ML) to address evolving malicious activity more effectively and efficiently.
Fourth, we must leverage the cloud to build "intelligent ecosystems" — secure, intelligent memory banks that seamlessly fuse and enrich data from internal security tools and external sources. Data from an individual ecosystem can be shared with other companies or organizations to form a more collaborative defense ecosystem.
CSA does not call for a singular product or standard but for a new mindset: establishing intelligence by understanding, integrating, and automating data workflows. This approach does not require significant investment or more personnel. In fact, integrating and automating data workflows should increase the efficiency of existing tools and personnel. The results should lead to measurable outcomes for boards of directors, chief information security officers, and analysts.
In developing the paper, CSA took a step back to examine our security challenges holistically and identified a critical gap: the absence of a capability to easily leverage and fuse data from security tools and threat intelligence providers, leaving humans to fill an insurmountable gap given the mounting data load. The gap is understandable given the challenges we have faced, including:
- The pace of new and emerging attacks.
- Desire in the vendor community to develop the "single pane of glass" that visually represents event data.
- The quest for a readily implementable exchange protocol.
- A security data tagging ontology.
- And finally, the inability to normalize and transform disparate data sets, until now.
Historically, the last problem has represented a black hole for vendors and enterprises. The integration and processing of data were difficult, given different formats and protocols, the need to manage duplicates and redactions, and the importance of understanding context. A classic example is differentiating a software version number from an IP address. The task has been manual and tedious, requiring significant personnel resources. The addition of more readily accessible computing capabilities on cloud-based assets has enabled computation and fusion across much larger data sets.
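As an added illustration of the normalization problem described above (not code from the CSA paper), the following Python maps two differently shaped tool outputs onto one canonical record, shows why a dotted token such as "1.2.3.4" cannot be classified as address or version by structure alone, and drops duplicates reported by more than one tool. The tool names, field names and sample records are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Per-tool field maps onto one canonical schema (constructed, not a vendor schema).
FIELD_MAPS = {
    "scanner": {"target": "asset_ip", "product": "software", "ver": "version"},
    "edr": {"host_ip": "asset_ip", "app": "software", "app_version": "version"},
}

@dataclass(frozen=True)
class Finding:
    asset_ip: str
    software: str
    version: str

def classify_dotted(token: str) -> str:
    """Structural check only: a dotted string that is not a valid IPv4
    address must be a version; a valid one is ambiguous without field context."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", token):
        return "other"
    try:
        ipaddress.IPv4Address(token)
    except ipaddress.AddressValueError:
        return "version"      # e.g. "7.4.2" or "10.2.300" cannot be addresses
    return "ambiguous"        # e.g. "1.2.3.4": host address or build number?

def normalize(source: str, raw: dict) -> Finding:
    """Rename tool-specific keys, canonicalize values, and validate the address
    field, since the field map (context) is what resolves the ambiguity."""
    canon = {FIELD_MAPS[source].get(k, k): v.strip() for k, v in raw.items()}
    ipaddress.IPv4Address(canon["asset_ip"])  # raises if the map put a version here
    return Finding(canon["asset_ip"], canon["software"].lower(),
                   canon["version"].lstrip("vV"))

def fuse(records) -> list:
    """Normalize every record, then keep one copy of each distinct finding."""
    seen, out = set(), []
    for source, raw in records:
        f = normalize(source, raw)
        if f not in seen:
            seen.add(f)
            out.append(f)
    return out

RECORDS = [  # constructed sample output from two tools describing the same asset
    ("scanner", {"target": "10.0.0.5", "product": "OpenSSH", "ver": "7.4.2"}),
    ("edr", {"host_ip": "10.0.0.5", "app": "openssh", "app_version": "v7.4.2"}),
    ("edr", {"host_ip": "10.0.0.9", "app": "nginx", "app_version": "1.2.3.4"}),
]

if __name__ == "__main__":
    for finding in fuse(RECORDS):
        print(finding)
```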
The CSA paper borrows from the autonomous vehicle industry's functional breakdown of "sense, understand, act," and goes on to explore how the paradigm shift will enable more efficient operations of SOAR tools and the application of ML, opening the door to technical ROI metrics for mean time to detection and mean time to response.
CSA further argues it is time for a paradigm shift. Nick Bostrom, in Superintelligence, when describing the development of a chess-playing algorithm, said it was assumed that for a computer to play at the grandmaster level, it would "have to be endowed with a high degree of general intelligence." It turned out to be achievable through a "surprisingly simple" algorithm. Bostrom states:
The fact that the best performance at one time is attained through a complicated mechanism does not mean that no simple mechanism could do the job as well or better. It might simply be that nobody found the simpler alternative. The Ptolemaic system (with the Earth in the center, orbited by the Sun, the Moon, planets, and stars) represented the state of the art for astronomy for over a thousand years, and its predictive accuracy was improved over the centuries by progressively complicating the model: adding epicycles upon epicycles to the postulated celestial motions. Then the entire system was overthrown by the heliocentric theory of Copernicus, which was simpler and — though only after further elaboration by Kepler — more predictively accurate.
Perhaps in cybersecurity, we are exiting the Ptolemaic era and are now someplace between Copernicus and Kepler. A less complicated model is available, one that breaks the challenges of cybersecurity down into more manageable and understandable parts. Redefining intelligence and building secure, intelligent ecosystems helps us rethink how we see and utilize data from our existing tools and leverage ML. No longer should security operations revolve around tools alone; instead, data-driven security becomes the constant gravitational force at the center of our effort to achieve more predictable and autonomous security.