
Threat Intelligence

Paul Kurtz

CSA Moves to Redefine Cloud-Based Intelligence

The new paradigm seeks to understand, integrate, and automate data workflows, and better yet, doesn't require significant investment or more personnel.

It's not as challenging as mapping the heavens, but the Cloud Security Alliance (CSA) has taken on how we think about cyber "intelligence" and is calling for wider adoption of data-driven security. (The full paper is published by the CSA and is open for comment.)

The paper makes four points intended to start a dialogue on how to break out of an unwinnable tool race with adversaries.


First, we must redefine intelligence. Intelligence can't be seen only as external data on adversary tactics, techniques, and procedures. Rather, it should be defined as an organization's capacity to understand and extract actionable insight from data produced both by security tools focused on internal assets and architecture and by external threat sources.

Second, we must move to a data-driven security model that leverages the output of tools through integration and automation. Both open APIs and data normalization capabilities are critical to success.

Third, rather than lurching from one event to the next, we need to absorb what we learn from past events and build "cyber memory": the ability to recall and connect event data gathered from across security systems. Creating this memory will enable machine learning (ML) to address evolving malicious activity more effectively and efficiently.

Fourth, we must leverage the cloud to build "intelligent ecosystems": secure, intelligent memory banks that seamlessly fuse and enrich data from internal security tools and external sources. Data from an individual ecosystem can be shared with other companies or organizations to form a more collaborative defense ecosystem.

CSA does not call for a single product or standard but for a new mindset in which intelligence means understanding, integrating, and automating data workflows. This approach does not require significant investment or more personnel. In fact, integrating and automating data workflows should increase the efficiency of existing tools and personnel. The results should lead to measurable outcomes for boards of directors, chief information security officers, and analysts.

In developing the paper, CSA took a step back to examine our security challenges holistically and identified a critical gap: the absence of a capability to easily leverage and fuse data from security tools and threat intelligence providers, which leaves humans to close a gap that the mounting data load makes insurmountable. The gap is understandable given the challenges we have faced, including:

  • The pace of new and emerging attacks.
  • The vendor community's desire to develop the "single pane of glass" that visually represents event data.
  • The quest for a readily implementable exchange protocol.
  • The lack of a security data tagging ontology.
  • And finally, the inability, until now, to normalize and transform disparate data sets.

Historically, the last problem has been a black hole for vendors and enterprises alike. Integrating and processing the data was difficult, given differing formats and protocols, the need to manage duplicates and redactions, and the importance of understanding context. A classic example is telling a software version number apart from an IP address: both can be dotted strings of digits, and only the context in which the value appears settles which it is. The task has been manual and tedious, requiring significant personnel resources. More readily accessible computing capacity on cloud-based assets has since made computation and fusion across much larger data sets practical.
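The normalization and "cyber memory" ideas above are easier to see in code. The following is an added example, not code from the CSA paper or from the author: it takes three constructed records in different formats (a JSON event, a key=value log line, and a CSV threat-intel feed), uses each field's name as context to decide whether a dotted value is an IP address or a version number, de-duplicates the extracted indicators, and then links indicators seen by more than one tool. The field names, formats, and sample values are assumptions made for illustration and do not reflect any real vendor schema.

```python
"""Added example: normalize, de-duplicate and correlate indicators from
three differently formatted security data sources.

All sample records and field names below are constructed for illustration.
"""
import csv
import io
import ipaddress
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample inputs (not real tool output).
EDR_JSON = ('{"host": "ws-042", "remote_ip": "203.0.113.7", '
            '"agent_version": "7.2.1.4", "event": "outbound_connect"}')
PROXY_KV = ('ts=2021-05-11T10:00:00Z src=10.0.0.5 dst=203.0.113.7 '
            'app_ver=2.4.1 action=allowed')
TI_CSV = 'indicator,type,confidence\n203.0.113.7,ipv4,80\n7.2.1.4,version,10\n'

# Field names that, by assumption, always carry a version string.
VERSION_FIELDS = {"agent_version", "app_ver", "version"}
VERSION_RE = re.compile(r"\d+(\.\d+){1,3}")

Event = Tuple[str, str, str]  # (source, field, value)


def classify(field: str, value: str) -> Optional[str]:
    """Classify a value using its field name as context.

    A four-octet string such as "7.2.1.4" parses as a valid IPv4 address, so
    syntax alone cannot separate a version number from an address; the
    originating field name is what disambiguates it.
    """
    if field.lower() in VERSION_FIELDS or field.lower().endswith("_version"):
        return "version"
    try:
        addr = ipaddress.ip_address(value)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    if VERSION_RE.fullmatch(value):
        return "version"
    return None  # not an indicator type this example tracks


def parse_edr(line: str) -> List[Event]:
    """JSON event: every key becomes a (source, field, value) triple."""
    return [("edr", k, str(v)) for k, v in json.loads(line).items()]


def parse_proxy(line: str) -> List[Event]:
    """Space-separated key=value log line."""
    return [("proxy", k, v) for k, v in (tok.split("=", 1) for tok in line.split())]


def parse_ti(text: str) -> List[Event]:
    """CSV feed whose 'type' column already names the indicator type."""
    return [("ti", row["type"], row["indicator"])
            for row in csv.DictReader(io.StringIO(text))]


def normalize(events: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """Map each (type, value) indicator to the set of sources that saw it.

    Identical indicators from different tools collapse into one entry, which
    is the de-duplication step; the source set is the 'memory' of who saw it.
    """
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for source, field, value in events:
        kind = classify(field, value)
        if kind is not None:
            index[(kind, value)].add(source)
    return index


def correlate(index: Dict[Tuple[str, str], Set[str]], min_sources: int = 2):
    """Return indicators observed by at least `min_sources` distinct tools."""
    return sorted((key, sorted(srcs)) for key, srcs in index.items()
                  if len(srcs) >= min_sources)


def run_demo():
    events = parse_edr(EDR_JSON) + parse_proxy(PROXY_KV) + parse_ti(TI_CSV)
    index = normalize(events)
    return index, correlate(index)


if __name__ == "__main__":
    _, hits = run_demo()
    for (kind, value), sources in hits:
        print(f"{kind} {value} seen by {', '.join(sources)}")
```

Note what the field-name context buys: the same string "7.2.1.4" is classified as a version when it arrives in `agent_version`, but would be accepted as an IPv4 address if it arrived in an untyped field, which is exactly the mislabeling that makes naive fusion unreliable.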

The CSA paper borrows from the autonomous vehicle industry's functional breakdown of "sense, understand, act," and goes on to explore how the paradigm shift will enable more efficient operations of SOAR tools and the application of ML, opening the door to technical ROI metrics for mean time to detection and mean time to response.

CSA further argues that it is time for a paradigm shift. Nick Bostrom, in Superintelligence, describes the development of a chess-playing algorithm: it was assumed that for a computer to play at grandmaster level, it would "have to be endowed with a high degree of general intelligence," yet the goal turned out to be achievable through a "surprisingly simple" algorithm. Bostrom states:

The fact that the best performance at one time is attained through a complicated mechanism does not mean that no simple mechanism could do the job as well or better. It might simply be that nobody found the simpler alternative. The Ptolemaic system (with the Earth in the center, orbited by the Sun, the Moon, planets, and stars) represented the state of the art for astronomy for over a thousand years, and its predictive accuracy was improved over the centuries by progressively complicating the model: adding epicycles upon epicycles to the postulated celestial motions. Then the entire system was overthrown by the heliocentric theory of Copernicus, which was simpler and, though only after further elaboration by Kepler, more predictively accurate.

Perhaps in cybersecurity we are exiting the Ptolemaic era and now sit somewhere between Copernicus and Kepler. A less complicated model is available, one that breaks the challenges of cybersecurity down more simply and understandably. Redefining intelligence and building secure, intelligent ecosystems helps us rethink how we see and use data from our existing tools and how we leverage ML. Security operations should no longer revolve around tools alone; instead, data-driven security becomes the constant gravitational force at the center of our effort to achieve more predictable and autonomous security.

Paul Kurtz is Executive Chairman and Co-founder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC, where he built the US government and international business verticals. Prior to CyberPoint, Paul was the ...
