Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:00 AM
Paul Kurtz
Paul Kurtz
Connect Directly
E-Mail vvv

CSA Moves to Redefine Cloud-Based Intelligence

The new paradigm seeks to understand, integrate, and automate data workflows, and better yet, doesn't require significant investment or more personnel.

It's not as challenging as mapping the heavens, but the Cloud Security Alliance (CSA) has taken on how we think about cyber "intelligence," and is calling for wider adoption of data-driven security. (Read the full paper and comment here.)  

The paper makes four points designed to initiate dialogue on how to break out of an unwinnable security tool race with adversaries.

Related Content:

Microsoft & Others Catalog Threats to Machine Learning Systems

The Changing Face of Threat Intelligence

Why Defense, Not Offense, Will Determine Global Cyber Powers

First, we must redefine intelligence. Intelligence can't be seen only as external data on adversary tactics, techniques, and procedures. Rather it should be defined as the capacity of organizations to understand and extract actionable insight on data from both security tools focused on internal assets and architecture as well as external threat sources.

Second, we must move to a data-driven security model that leverages the output of tools through integration and automation. Both open APIs and data normalization capabilities are critical to success. 

Third, rather than moving from one event to another we need to absorb what we learn from past events and build "cyber memory" with the ability to recall and connect event data gathered from across security systems. Creating a "virtual memory" will enable machine learning (ML) to more effectively and efficiently address evolving malicious activity. 

Fourth, we must leverage the cloud to build "intelligent ecosystems" — secure, intelligent memory banks that seamlessly fuse and enrich data from internal security tools and external sources. Data from an individual ecosystem can be shared with other companies or organizations to form a more collaborative defense ecosystem. 

CSA does not call for a singular product or standard but a new mindset to establish intelligence to understand, integrate, and automate data workflows. This approach does not require significant investment or more personnel. In fact, integration and automation data workflows should increase the efficiency of existing tools and personnel. The results should lead to measurable outcomes for boards of directors, chief information security officers, and analysts. 

In developing the paper, CSA took a step back to examine our security challenges holistically and identified a critical gap: The absence of a capability to easily leverage and fuse data from security tools and threat intelligence providers, leaving humans to fill an insurmountable gap given that mounting data load. The gap is understandable given the challenges we have faced, including:

  • The pace of new and emerging attacks.
  • Desire in the vendor community to develop the "single pane of glass" that visually represents event data.
  • The quest for a readily implementable exchange protocol.
  • A security data tagging ontology.
  • And finally, the inability to normalize and transform disparate data sets, until now.

Historically, the last problem has represented a black hole for vendors and enterprises. The integration and processing of data were difficult, given different formats and protocols, managing duplicates and redactions, and the importance of understanding context. A classic example is differentiating a software version number for an IP address. The task has been manual and tedious, requiring significant personnel resources. The addition of more readily accessible computing capabilities on cloud-based assets enabled computation and fusion around much larger data sets.

The CSA paper borrows from the autonomous vehicle industry's functional breakdown of "sense, understand, act," and goes on to explore how the paradigm shift will enable more efficient operations of SOAR tools and the application of ML, opening the door to technical ROI metrics for mean time to detection and mean time to response.

CSA further argues it is time for a paradigm shift. Nick Bostrom, in Superintelligence, when describing the development of a chess-playing algorithm, said it was assumed that for a computer to play at the grandmaster level, it would "have to be endowed with a high degree of general intelligence." It turned out to be achievable through a "surprising simple" algorithm. Bostrom states:

The fact that the best performance at one time is attained through a complicated mechanism does not mean that no simple mechanism could do the job as well or better. It might simply be that nobody found the simpler alternative. The Ptolemaic system (with the Earth in the center, orbited by the Sun, the Moon, planets, and stars) represented the state of the art for astronomy for over a thousand years, and its predictive accuracy was improved over the centuries by progressively complicating the model: adding epicycles upon epicycles to the postulated celestial motions. Then the entire system was overthrown by the heliocentric theory of Copernicus, which was simpler and  though only after further elaboration by Kepler  more predictively accurate.

Perhaps in cybersecurity, we are exiting the Ptolemaic era and are now someplace between Copernicus and Kepler. There is a less complicated model available that breaks down the challenges in cybersecurity more easily and understandably. Redefining intelligence and building secure, intelligent ecosystems helps us rethink how we see and utilize data from our existing tools and leverage ML. No longer should security operations revolve around tools alone, but instead data-driven security becomes the constant gravitational force at the center of our effort to achieve more predictable and autonomous security.

Paul Kurtz is Executive Chairman and Co-founder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-24
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the r...
PUBLISHED: 2020-11-24
HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.
PUBLISHED: 2020-11-24
In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters to test-browser/index.cfm allow directory traversal.
PUBLISHED: 2020-11-24
In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters passed to system/runners/HTMLRunner.cfm allow an attacker to write an arbitrary CFM file (within the application's context) containing attacker-defined CFML tags, leading to Remote Code Execution.
PUBLISHED: 2020-11-24
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.