To be effective, Security needs to be proactive — using cyber analytics and cognitive-based systems to ultimately achieve mission-oriented security intelligence
by John Lainhart & Christopher Ballister
No longer can security programs rely on “if it’s not broke, don’t fix it”: adversaries could already be inside systems, stealing data or probing to get in. Too many CIOs and CISOs have thought their systems and data were secure when in fact the opposite was true. Security programs need effective protection of valuable information and systems to prevent data breaches, and to comply with ever-increasing federal compliance requirements such as the Federal Information Security Management Act (FISMA), the Privacy Act, policy and guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), the General Services Administration’s FedRAMP program, and the Federal Acquisition Regulation (FAR). To be effective, CIOs and CISOs need timely cyber security insights so they can take proactive action.
Security challenges are greater than ever
With massive increases in data, mobile devices and connections, security challenges are increasing in number and scope. The aftermath of a security breach can be devastating to an organization in terms of both reputational and monetary damages, and can be experienced through three major categories of security challenges: external threats, internal threats, and compliance requirements.
The Nation faces a proliferation of external attacks against major companies and government organizations. In the past, these threats have largely come from individuals working independently. These attacks have become increasingly coordinated, however, and are launched by groups ranging from criminal enterprises to organized collections of hackers to state-sponsored entities; attackers’ motivations can include profit, prestige, or espionage.
These attacks target ever-more critical organizational assets, including customer databases, intellectual property, and even physical assets that are driven by information systems. They have significant consequences, resulting in IT, legal and regulatory costs, not to mention loss of reputation. Many of these attacks take place slowly over time, masked as normal activity. The vector known as Advanced Persistent Threat (APT) requires specialized continuous monitoring methods to detect threats and vulnerabilities prior to breaches or loss of sensitive data.
In many situations, breaches in information security are not perpetrated by external parties, but by insiders. Insiders today can be employees, contractors, consultants and even partners and service providers. These breaches range from careless behavior and administrative mistakes (such as giving away passwords to others, losing back-up tapes or laptops, or inadvertently releasing sensitive information) to deliberate actions taken by disgruntled employees. These actions can cause harm as dangerous as, or more dangerous than, external attacks.
A strong security program must include capabilities to predict external and internal threats and assess their mission impacts, validated by cognitive technology and cybersecurity experts serving mission operators.
Compliance Requirements and Effective Protection
Public sector enterprises face a steadily increasing number of federal, industry and local mandates related to security, each of which has its own standards and reporting requirements. These mandates include FISMA, the Privacy Act, NIST standards and special publications, OMB mandates, FAR and Defense FAR clauses, and FedRAMP; in addition, they can include sector-specific requirements such as HIPAA/HITECH for health information and Sarbanes-Oxley for financial information, and other general mandates such as state privacy/data breach laws, COBIT®, and various international standards and privacy directives. Complying with these and similar requirements often takes a significant amount of time and effort to prioritize issues, develop appropriate policies and controls, and monitor compliance.
To address external, internal, and compliance challenges through a proactive approach, a mission-oriented cognitive cybersecurity capability is needed. To achieve that capability, four key areas must be addressed:
- Security architecture effectiveness
- Critical data protection
- Security compliance
- Holistic security program
Security Architecture Effectiveness – focuses on rapidly assessing vulnerabilities in the security architecture and developing a prioritized roadmap to strengthen cyber protection that plugs security gaps and meets policy expectations. Ensuring the identity of users and their access rights, and reducing the number of privileged users, is critically important to an effective security architecture.
Critical Data Protection – focuses on rapidly assessing the data architecture and the shortfalls in tracking and protecting critical data. Prioritized action plans can reshape the data architecture for more focused security protection and improved continuous monitoring.
Security Compliance – focuses on rapidly assessing compliance gaps and establishing a roadmap to prioritize issues, develop appropriate policies and controls, and achieve compliance.
Effectively implementing the first three areas above lays the foundation of a Holistic Security Program that addresses risk management and IT governance at the enterprise level:
■ Risk Management identifies the critical business processes that are most important to an Agency’s mission success, as well as the threats and vulnerabilities that can impact those critical business processes.
■ Information Technology (IT) Governance is a key enabler of successful cybersecurity protection – it provides the “tone at the top,” emphasizing that ensuring security and privacy is the responsibility of all staff. In addition, consistent and standardized security and privacy processes and technology configurations support protection at a lower cost.
Making a Holistic Program Actionable
A holistic security program focuses on protection through continuous monitoring of systems and data. This involves moving from a more common defensive-reactive approach to a defensive-proactive (predictive) approach, using cyber analytics to foster “Security Intelligence” that also protects privacy.
Continuous monitoring is now required by OMB and NIST mandates – and it can be supplemented using cyber analytics to proactively highlight risks and identify, monitor and address threats. As enterprises bolster their security defenses, predictive analytics plays an increasingly important role. Enterprises can conduct sophisticated correlations to detect advanced persistent threats, while implementing IT governance and automated enterprise risk processes – critical building blocks for enabling security intelligence. This includes the ability to:
- identify previous breach patterns and outside threats to predict potential areas of attack,
- analyze insider behavior to identify patterns of potential misuse, and
- monitor the external environment for potential security threats.
Continuous monitoring combined with cyber analytics via security intelligence can provide key cybersecurity capabilities. Continuous monitoring, along with analysis of cyberthreat-related data sources (e.g., DNS logs, NetFlow records, or query results), provides the needed context for fusion of data — data that can be analyzed using tools that produce actionable, meaningful and timely information for CISOs and CIOs to address the most important issues affecting their Agency, and to deter and prevent cyber threats.
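The data fusion described above can be illustrated with a small script. The following is an added example, not code from the article or its authors: it joins constructed DNS query lines and constructed NetFlow-style records by internal host, counts how many distinct external names each host resolved and how many bytes it sent to external addresses, and attaches the supporting evidence to a per-host score so an analyst sees why a host was surfaced. The record layouts, the `10.0.0.0/8` internal range, the `.local` convention for internal names, and the thresholds are all assumptions chosen for the example.

```python
"""Fuse DNS and NetFlow-style records per internal host and score each host.

Added example for illustration. Field layouts, sample records, the internal
address range and the thresholds are assumptions, not data from the article.
"""
from collections import defaultdict
import ipaddress

# Constructed DNS log lines: "<epoch> <client_ip> <query_name> <query_type>"
DNS_LOG = """\
1700000000 10.0.0.5 intranet.example.local A
1700000005 10.0.0.5 update.vendor.example A
1700000010 10.0.0.7 a1b2c3d4.bad-example.test A
1700000011 10.0.0.7 e5f6a7b8.bad-example.test A
1700000012 10.0.0.7 c9d0e1f2.bad-example.test A
1700000013 10.0.0.7 13579bdf.bad-example.test A
1700000020 10.0.0.9 mail.example.local A
"""

# Constructed NetFlow-style records: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes>"
FLOW_LOG = """\
1700000006 10.0.0.5 203.0.113.10 443 120000
1700000030 10.0.0.7 198.51.100.25 443 52000000
1700000031 10.0.0.7 198.51.100.26 443 48000000
1700000040 10.0.0.9 10.0.0.2 25 8000
"""

# Assumption: the Agency's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_dns(text):
    """Parse the constructed DNS layout; malformed or blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower(), qtype))
    return records


def parse_flows(text):
    """Parse the constructed NetFlow-style layout; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append((int(ts), src, dst, int(port), int(nbytes)))
    return records


def fuse_and_score(dns_text, flow_text, name_threshold=4, byte_threshold=50_000_000):
    """Join both sources on the internal host and build a per-host report.

    Each host gets a score equal to the number of evidence items that fired, and
    the evidence list itself so the reason for the score is visible to the reader.
    """
    hosts = defaultdict(lambda: {"external_names": set(), "outbound_bytes": 0})

    for _ts, client, qname, _qtype in parse_dns(dns_text):
        # Assumption: names ending in .local are internal and carry no signal here.
        if not qname.endswith(".local"):
            hosts[client]["external_names"].add(qname)
        else:
            hosts[client]  # still register the host so it appears in the report

    for _ts, src, dst, _port, nbytes in parse_flows(flow_text):
        # Only internal-to-external traffic counts toward outbound volume.
        if is_internal(src) and not is_internal(dst):
            hosts[src]["outbound_bytes"] += nbytes

    report = {}
    for host, data in hosts.items():
        evidence = []
        n_names = len(data["external_names"])
        if n_names >= name_threshold:
            evidence.append(f"{n_names} distinct external names resolved")
        if data["outbound_bytes"] >= byte_threshold:
            evidence.append(f"{data['outbound_bytes']} bytes sent to external addresses")
        report[host] = {
            "distinct_external_names": n_names,
            "outbound_bytes": data["outbound_bytes"],
            "score": len(evidence),
            "evidence": evidence,
        }
    return report


def flagged_hosts(report, min_score=2):
    """Hosts whose fused evidence reaches the minimum score, in sorted order."""
    return sorted(h for h, r in report.items() if r["score"] >= min_score)


if __name__ == "__main__":
    rep = fuse_and_score(DNS_LOG, FLOW_LOG)
    for host in flagged_hosts(rep):
        print(host, rep[host]["evidence"])
```

Neither source alone is conclusive: one host resolving a handful of unfamiliar names, or one large upload, is ordinary activity in most Agencies. Requiring both kinds of evidence before a host is surfaced is the point of fusing the feeds, and keeping the evidence list alongside the score is what turns the output into something a CISO can act on rather than a bare number.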
Using cyber analytics to proactively highlight risks, and to identify, monitor, and address threats and vulnerabilities, helps to achieve predictive and preventive cybersecurity capabilities. Cyber analytics can be greatly enhanced, however, by cognitive-based systems that build knowledge and learn, understand natural language, reason, and interact more naturally with human beings. Cognitive-based systems can also put content into context with confidence-weighted responses and supporting evidence, and can quickly identify new patterns and insights.
Specifically, cognitive solutions have these three critical capabilities that are needed to achieve security intelligence:
- Engagement: These systems provide expert assistance by developing deep domain insights and presenting the information in a timely, natural and usable way.
- Decision: These systems have decision-making capabilities. Decisions made by cognitive systems are evidence-based and continually evolve based on new information, outcomes and actions.
- Discovery: These systems can discover insights that could not be discovered otherwise. Discovery involves finding insights and connections and understanding the vast amounts of information available.
Thus, Agency senior executives involved in cybersecurity can move from a basic to an optimized level of security intelligence as depicted below.
Achieving cybersecurity protection preserves mission success while meeting the Agency’s key objectives for its security program. Government can move from a basic (manual and reactive) to an optimized (automated and proactive) posture, securing critical systems and valuable information through Security Intelligence.