Blog posts by Alexei Balaganski
I’ve been working in IT my whole life, and since I joined KuppingerCole over ten years ago, cybersecurity has been my job. Needless to say, I like my job: even though we industry analysts are not directly involved in forensic investigations or cyberthreat mitigation, being up-to-date with the latest technological developments and sharing our expertise with both end users and security vendors is our daily life, which is always challenging and exciting at the same time.
However, occasionally I have doubts about my career choice. Does everything I do even matter? The cybersecurity market is booming, predicted to reach nearly 250 billion USD within the next 5 years. However, do we notice any downward trend in the number of security breaches or financial losses due to cyberattacks? Not really…
The last time I had these thoughts was back in May after the notorious WannaCry incident: just as hundreds of top experts were discussing the most highbrow cybersecurity problems at our European Identity and Cloud Conference, a primitive piece of malware exploiting a long-fixed problem in the Windows operating system disrupted hundreds of thousands of computers around the world, affecting organizations from public hospitals to international telecom providers. How could this even have happened? All right, those poor underfunded and understaffed British hospitals at least have a (still questionable) excuse for not being able to maintain the most basic cybersecurity hygiene principles within their IT departments. But what excuse do large enterprises have for letting their users open phishing emails and not having proper backups of their servers?
“But users do not care about their security or privacy,” people say. This couldn’t be further from the truth! People care very much about not being killed, so they arm themselves with guns. People care about their finances, so they do not keep their money under mattresses. And people surely care about their privacy, so they buy curtains and lock their doors. However, many people still do not realize that having an antivirus on their mobile phone is just as important for their financial stability, and sometimes even their physical safety, as having a gun on their night table. And even those who are already aware of that are often sold security products like some kind of magical amulets that are supposed to solve their problems without any effort. But should users really be blamed for that?
With enterprises, the situation is often even worse. Apparently, a substantial percentage of security products purchased by companies never gets deployed at all. And more often than not, even those that do get deployed are actively sabotaged by users who see them as a nuisance hindering their business productivity. Add the “shadow IT” problem into the mix, and you’ll realize that many companies that spend millions on cybersecurity are not really getting any substantial return on their investments. This is a classic example of a cargo cult. Sometimes, after reading about another large-scale security breach, I cannot completely suppress a mental image of a firewall made out of a cardboard box or a wooden backup appliance not connected to anything.
However, the exact reason for today’s rant is somewhat different and, in my opinion, even more troubling. While reading the documentation for a security-related product of one reputable vendor, I realized that it uses an external MySQL database to store its configuration. That got me thinking: a security product is sold with the promise of adding a layer of protection around an existing business application with known vulnerabilities. However, this security product itself relies on another application with known vulnerabilities (MySQL isn’t exactly known for its security) to fulfill its basic functions. Is the resulting architecture even a tiny bit more secure? Not at all – due to the added complexity it’s in fact even more open to malicious attacks.
Unfortunately, this approach towards secure software design is very common. The notorious Heartbleed vulnerability in the OpenSSL cryptographic library affected millions of systems around the world back in 2014, and three years later at least 200,000 still have not been patched. Of course, software vendors have their reasons for not investing in the security of their products: after all, just like any other business, they are struggling to bring their products to market as quickly as possible, and often they have neither the budgets nor enough qualified specialists to design a properly secured one.
Nowadays, this problem is especially evident in consumer IoT products, and it definitely needs a whole separate blog post to cover. However, security vendors not making their own products sufficiently secure pose an even greater danger: as I mentioned earlier, for many individuals and organizations, a cybersecurity product is a modern equivalent of a safe. Or an armored car. Or an insulin pump. How can we trust a security product that in fact is about as reliable as a safe with plywood walls?
Well, if you’ve read my past blog posts, you probably know that I’m a strong proponent of government regulation of cybersecurity. I know that this idea isn’t exactly popular among software vendors, but is there really a viable alternative? After all, gunsmiths or medical equipment manufacturers have been under strict government control for ages, and even security guards and private investigators must obtain licenses first. Why not security vendors? For modern digital businesses, the reliability of cybersecurity products is at least as important as pick resistance of their door locks.
Unfortunately, this kind of government regulation probably isn’t going to happen anytime soon, so companies looking for security solutions are still stuck with the “caveat emptor” principle. Without enough experience of their own to judge whether a particular product is really capable of fulfilling its declared functionality, one should, of course, turn to an independent third party for qualified advice. For example, to an analyst house like us :)
However, the next most useful thing to look for is probably certification against government or industry standards. For example, when choosing an encryption solution, it’s wise to look for FIPS 140-2 certification at level 2 or higher. There are appropriate security certifications for cloud service providers, financial institutions, industrial networks, etc.
In any case, do not take any vendor’s claims for granted. Ask for details regarding the architecture of their products, which security standards they implement, and whether they rely on open source libraries or third-party products. The more pressure about secure design you put on vendors, the higher the chances that in the future they will see security by design as their unique selling proposition and not a waste of resources. And as always, when you don’t know where to start, just ask an expert!
Just as we returned from our annual European Identity and Cloud Conference, where we spent four days talking about cybersecurity, identity management and privacy protection with top experts from around the world, we were faced with the news from Great Britain, where the latest large-scale ransomware attack has nearly shut down IT systems in at least 16 hospitals. Medical workers were completely locked out of their computers. Patient records, test results and blood banks were no longer available. Critical patients were rushed to other hospitals for emergency surgeries, while doctors had to switch back to pen and paper to carry on their duties.
How could all this even happen? Sure, the media often present ransomware as some kind of diabolically complex work of elite hacker groups, but in reality it is one of the least technologically advanced kinds of malware, barely more sophisticated than the proverbial Albanian virus. Typically, ransomware is spread via massive phishing campaigns, luring unsuspecting users into opening an attachment, which then lets the malware exploit a known vulnerability to infect their computers. Finally, the ransomware holds the victim’s computer hostage by encrypting their important files or locking access to the whole system, demanding a payment to restore it.
This kind of malware is nothing new: the first prototype was developed over 20 years ago, but only recently, as the number of computers connected to the Internet has grown exponentially along with the availability of online payment services, has it become a profitable business for cybercriminals. After all, there is no need to spend weeks planning a covert targeted attack or developing evasion technologies – one can easily utilize readily available spam networks and vulnerability exploits to start collecting bitcoins or even iTunes gift cards from poor home users mourning the loss of their vacation photos.
In the last couple of years, we’ve learned about several major ransomware types like CryptoLocker or CryptoWall, which managed to collect millions of dollars in ransom before they were finally taken down by the authorities. Unfortunately, new strains constantly appear to evade antivirus detection and to target various groups of victims around the world. The WannaCry ransomware that affected the hospitals in Britain wasn’t in fact targeting the NHS specifically – within just a few hours after being initially identified, it had already spread around the world, affecting targets in nearly 100 countries, including large telecommunications companies in Spain and government agencies in Russia.
Personally, I find it hard to believe that this was the original intention of the people behind this malware campaign. Rather, it looks like “a job done too well”, which led to the uncontrolled spread far beyond what was initially planned. A notable fact about this ransomware strain, however, is that it uses a particular vulnerability in Microsoft Windows that has been weaponized by the NSA and which became public in April after a leak by the Shadow Brokers group.
Although Microsoft had patched the underlying vulnerability even before the leak, a huge number of computers around the world have not yet been updated. This, of course, includes the British hospitals, which still largely rely on extremely outdated computers running Windows XP. Without the budgets needed to upgrade and maintain their IT systems, without properly staffed IT departments and, last but not least, without properly educated users, the whole IT infrastructure at the NHS was basically a huge ticking bomb, which finally went off today.
So, what can we do to avoid being hit by ransomware like this? It is worth stressing again that resilience against ransomware attacks is a matter of the most basic “cybersecurity hygiene” practices. My colleague John Tolbert outlined them in one of his blog posts a month ago. We are planning to publish additional reports on this topic in the near future, including a Leadership Compass on antimalware and endpoint security solutions, so watch this space for new announcements.
There is really nothing complicated about maintaining proper backups and not clicking on attachments in phishing mails, so if an organization was affected by ransomware, this is a strong indicator that its problems lie beyond the realm of technology. For several years, we’ve been talking about a similar divide in the approaches towards cybersecurity between IT and OT. However, where OT experts at least have their reasons for neglecting IT security in favor of safety and process continuity, the glaring disregard for the most basic security best practices in many public-sector institutions can only be attributed to insufficient funding and thus a massive lack of qualified personnel, which is needed not just to operate and secure IT infrastructures, but to continuously educate the users about the latest types of cyberthreats. Unfortunately, the recent cuts in NHS funding do not promise any positive changes for British hospitals.
There is the legal aspect of the problem as well. Whereas oil rigs, nuclear power plants or water supplies are rightfully classified as critical infrastructures, with special government programs created to protect them, hospitals are somehow not yet seen as critical, although many lives obviously depend on them. If an attack on a power plant can be rightfully considered an act of terrorism, why isn’t disrupting critical medical services considered one as well?
Quite frankly, I very much hope that, regardless of what the motives of the people behind this ransomware were, cybersecurity experts and international law enforcement agencies team up to find them as quickly as possible and come down on them like a ton of bricks, if only for the sake of sending a final warning to other cybercriminals. Because if they don’t, we can only brace ourselves for more catastrophes in the future.
The ongoing Digital Transformation has already made a profound impact not just on enterprises, but on our whole society. By adopting such technologies as cloud computing, mobile devices or the Internet of Things, enterprises strive to unlock new business models, open up new communication channels with their partners and customers and, of course, save on their capital investments.
For more and more companies, digital information is no longer just another means of improving business efficiency, but in fact their core competence and intellectual property.
Unfortunately, the Digital Transformation not only enables a whole range of business prospects, it also exposes the company's most valuable assets to new security risks. Since those digital assets are nowadays often located somewhere in the cloud, with an increasing number of people and devices accessing them anywhere at any time, the traditional notion of a security perimeter ceases to exist, and traditional security tools cannot keep up with the new sophisticated cyberattack methods.
In recent years, the IT industry has been busy developing various solutions to this massive challenge; however, no new generation of security tools, be it Next Generation Firewalls (NGFW), Security Information and Event Management (SIEM) or Real-Time Security Intelligence (RTSI) solutions, has ever entirely lived up to expectations. Although they do offer significantly improved threat detection or automation capabilities, their “intelligence level” is still not even close to that of a human security analyst, who still has to operate these tools to perform forensic analysis and make informed decisions quickly and reliably.
All this has led to a massive lack of skilled workforce to man all those battle stations that comprise a modern enterprise’s cyber defense center. There are simply not nearly enough humans to cope with the vast amounts of security-related information generated daily. The fact that the majority of this information is unstructured, and thus not available for automated analysis by computers, makes the problem much more complicated.
Well, the next big breakthrough promising to overcome this seemingly unsolvable problem is coming from the realm of science fiction. Most people are familiar with the so-called cognitive technologies from books or movies, where they are usually referred to as “Artificial Intelligence”. Although true “strong AI” comparable to a human brain may still remain purely theoretical for quite some time, various cognitive technologies (like speech recognition, natural language processing, computer vision or machine learning) have already found practical uses in many fields. From Siri and Alexa to market analysis and law enforcement: these technologies are already in use.
More relevant for us at KuppingerCole (and hopefully for you as well) are potential applications for identity management and cybersecurity.
A cognitive security solution can utilize natural language processing to analyze both structured and unstructured security information the way human analysts currently do. This won’t be limited just to pattern or anomaly recognition, but will extend to proper semantic interpretation and logical reasoning based on evidence. Potentially, this may save not days but months of work for an analyst, who would ideally only need to confirm the machine’s decision with a mouse click. Similarly, continuous learning, reasoning and interaction can provide significant improvement to existing dynamic policy-based access management solutions. Taking into account not just simple factors like geolocation and time of day, but complex business-relevant cognitive decisions will increase operational efficiency, provide better resilience against cyber-threats and, last but not least, improve compliance.
Applications of cognitive technologies for Cybersecurity and IAM will be a significant part of this year’s European Identity & Cloud Conference. We hope to see you in Munich on May 9-12, 2017!
Security Intelligence Platforms (SIP) are universal and extensible security analytics solutions that offer a holistic approach towards maintaining complete visibility and management of the security posture across the whole organization. Only by correlating both real-time and historical security events from logs, network traffic, endpoint devices and even cloud services, and enriching them with the latest threat intelligence data, does it become possible to identify previously unknown advanced security threats quickly and reliably, to respond to them in time and thus to minimize the damage.
They are, in a sense, “next generation SIEM solutions” based on RTSI technologies, which provide substantial improvements over traditional SIEMs both in functionality and efficiency:
- Performing real-time or near real-time detection of security threats without relying on predefined rules and policies;
- Correlating both real-time and historical data across multiple sources to detect malicious operations as whole incidents, not separate alerts;
- Dramatically decreasing the number of alarms by filtering out statistical noise, eliminating false positives and providing clear risk scores for each detected incident;
- Offering a high level of automation for typical analysis and remediation workflows, thus significantly improving the work efficiency for security analysts;
- Integrating with external Threat Intelligence feeds in industry standards like STIX/TAXII to incorporate the most recent security research into threat analysis.
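As an added illustration of the correlation, noise-reduction and enrichment points above (example code written for this post, not a product's or vendor's implementation): a small Python sketch that rolls events from three constructed sources (auth log, web proxy, endpoint agent) into per-entity incidents, enriches them against a constructed indicator list, and assigns a risk score, so that eight raw events become one actionable incident plus one suppressed noise session. All hostnames, users, scores and the indicator are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources.
# Fields: timestamp, source, host, user, kind, detail
SAMPLE_EVENTS = [
    ("2017-05-12T08:00:01", "auth",  "ws-042", "jdoe",   "login_failed", ""),
    ("2017-05-12T08:00:05", "auth",  "ws-042", "jdoe",   "login_failed", ""),
    ("2017-05-12T08:00:09", "auth",  "ws-042", "jdoe",   "login_failed", ""),
    ("2017-05-12T08:00:14", "auth",  "ws-042", "jdoe",   "login_ok",     ""),
    ("2017-05-12T08:03:40", "proxy", "ws-042", "jdoe",   "outbound",     "203.0.113.7"),
    ("2017-05-12T08:04:02", "edr",   "ws-042", "jdoe",   "proc_spawn",   "winword.exe -> cmd.exe"),
    # Unrelated activity on another host: a single typo followed by success.
    ("2017-05-12T09:15:00", "auth",  "ws-077", "asmith", "login_failed", ""),
    ("2017-05-12T09:15:30", "auth",  "ws-077", "asmith", "login_ok",     ""),
]

# Constructed threat-intelligence feed (TEST-NET-3 address, not a real indicator).
THREAT_INTEL = {"203.0.113.7": "constructed-c2-indicator"}

# Base weight per event kind; a lone failed login is statistical noise.
KIND_SCORE = {"login_failed": 1, "login_ok": 0, "outbound": 2, "proc_spawn": 4}


def parse(raw_events):
    """Turn the constructed tuples into dicts with real timestamps."""
    return [dict(ts=datetime.fromisoformat(t), source=s, host=h, user=u, kind=k, detail=d)
            for t, s, h, u, k, d in raw_events]


def score(entity, evs):
    """Compute one risk score for a whole session rather than per alert."""
    risk = sum(KIND_SCORE[e["kind"]] for e in evs)
    sources = {e["source"] for e in evs}
    kinds = [e["kind"] for e in evs]
    # Correlation bonus: the same entity seen by several independent sources.
    if len(sources) >= 3:
        risk += 3
    # Brute-force pattern: repeated failures followed by a success.
    if kinds.count("login_failed") >= 3 and "login_ok" in kinds:
        risk += 3
    # Enrichment: any detail that matches the threat-intel feed.
    matched = [THREAT_INTEL[e["detail"]] for e in evs if e["detail"] in THREAT_INTEL]
    if matched:
        risk += 5
    return {"entity": entity, "events": len(evs), "sources": sorted(sources),
            "intel": matched, "risk": risk}


def correlate(events, window=timedelta(minutes=10)):
    """Group events per (host, user) into sessions separated by gaps > window."""
    by_entity = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_entity[(e["host"], e["user"])].append(e)
    incidents = []
    for entity, evs in by_entity.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[-1]["ts"] <= window:
                current.append(e)
            else:
                incidents.append(score(entity, current))
                current = [e]
        incidents.append(score(entity, current))
    return incidents


def actionable(incidents, threshold=8):
    """Only sessions above the threshold reach an analyst."""
    return [i for i in incidents if i["risk"] >= threshold]


if __name__ == "__main__":
    incidents = correlate(parse(SAMPLE_EVENTS))
    print(f"{len(SAMPLE_EVENTS)} raw events -> {len(incidents)} sessions")
    for inc in actionable(incidents):
        print("ACTIONABLE", inc)
```

The thresholds and weights are deliberately simple; the point is that the decision is made once per correlated session with its enrichment attached, not once per raw alert.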
Another key aspect of many SIP products is the incorporation of Incident Response Platforms. Designed for orchestrating and automating incident response processes, these solutions not only dramatically improve a security analyst’s job of analyzing and containing a breach, but also provide predefined and highly automated workflows for managing the legal and even PR consequences of a security incident, to reduce possible litigation costs, compliance fines and brand reputation losses. Modern SIP products either directly include incident response capabilities or integrate with third-party products, finally implementing a full end-to-end security operations and response solution.
By dramatically reducing the number of incidents that require interaction with an analyst and by automating forensic analysis and decision making, next generation SIPs can help address the growing lack of skilled people in information security. As opposed to traditional SIEMs, next generation SIPs should not require a team of trained security experts to operate, relying instead on actionable alerts understandable even to businesspeople, thus making them accessible even for smaller companies, which previously could not afford operating their own SOC.
Now, what about the future developments in this area? First of all, it’s worth mentioning that the market continues to evolve, and we expect its further consolidation through mergers and acquisitions. New classes of security analytics solutions are emerging, targeting new markets like the cloud or the Internet of Things. On the other hand, many traditional security tools like endpoint or mobile security products are incorporating RTSI technologies to improve their efficiency. In fact, the biggest obstacle for wider adoption of these technologies is no longer the budget, but rather the lack of awareness that such products already exist.
However, the next disruptive technology that promises to change the way Security Operations Centers are operated seems to be Cognitive Security. Whereas Real-Time Security Intelligence can provide security analysts with better tools to improve their efficiency, it still relies on humans to perform the actual analysis and make informed decisions about each security incident. Applying cognitive technologies (the thing closest to artificial intelligence as we know it from science fiction) to the field of cybersecurity promises to overcome this limitation.
Technologies for language processing and automated reasoning not only help to unlock vast amounts of unstructured “dark security data”, which until now was not available for automated analysis, they actually promise to let the AI do most of the work that a human analyst must perform now: collect context information, define a research strategy, pull in external intelligence and finally make an expert decision on how to respond to the incident in the most appropriate way. Supposedly, the analyst would only have to confirm the decision with a click of a mouse.
Sounds too good to be true, but the first products incorporating cognitive security technologies are already appearing on the market. The future is now!
I have to admit that I find the very concept of a Security Operations Center extremely… cinematic. As soon as you mention it to somebody, they would probably imagine a large room reminiscent of the NASA Mission Control Center – with walls lined with large screens and dozens of security experts manning their battle stations. From time to time, a loud buzzer informs them that a new security incident has been discovered, and a heroic team starts running towards the viewer in slow motion…
Of course, in reality most SOCs are much more boring-looking, but still this cliché image from action movies captures the primary purpose of an SOC perfectly – it exists to respond to security breaches as quickly as possible in order to contain them and minimize the losses. Unfortunately, looking back at the last decade of SOC platform development, it becomes clear that many vendors have been focusing their efforts elsewhere.
Traditional Security Information and Event Management (SIEM) platforms, which have long been the core of security operations centers, have come a long way to become really good at aggregating security events from multiple sources across organizations and providing monitoring and alerting functions. But when it comes to analyzing a discovered incident, making an informed decision about it and finally mitigating the threat, the security expert’s job is still largely manual and time-consuming, since traditional SIEM solutions offer few automation capabilities and usually do not support two-way integration with security devices like firewalls.
Another major problem is the sheer number of security events a typical SOC receives daily. The more deperimeterized and interconnected modern corporate networks become, the more open they are to new types of cyberthreats, both external and internal, and the number of events collected by a SIEM increases exponentially. Analysts no longer have nearly enough time to analyze and respond to each alert. The situation is further complicated by the fact that an overwhelming majority of these events are false positives, duplicates or otherwise irrelevant. However, a traditional SIEM offers no way to differentiate them from real threats, drowning analysts in noise and leaving them only minutes to make an informed decision about each incident.
All this leads to the fundamental problem the IT industry is now facing: because of the immense complexity of setting up and operating a security operations center, which requires a large budget and a dedicated team of security experts, many companies simply cannot afford it, and even those who can are continuously struggling with the lack of skilled workforce to manage their SOC. In the end, even for the best-staffed security operations centers, the average response time to a security incident is measured in days if not weeks, not even close to the ultimate goal of dealing with them in real time.
In recent years, this has led to the emergence of a new generation of security solutions based on Real-Time Security Intelligence. Such tools utilize Big Data analytics technologies and machine learning algorithms to correlate large amounts of security data, apply threat intelligence from external sources, detect anomalies in activity patterns and provide a small number of actionable alarms clearly ranked by their risk scores. Such tools promise to dramatically reduce the time to mitigate a breach by performing data analysis in real time, eliminating statistical noise and false positives and, last but not least, providing a high degree of automation to make the security analyst’s job easier.
Although KuppingerCole has been promoting this concept for quite a few years already, the first real products appeared only a couple of years ago, and since then the market has evolved and matured at an incredible rate. Back in 2015, when KuppingerCole attempted to produce a Leadership Compass on RTSI solutions, we failed to find enough vendors for a meaningful rating. In 2017, however, we could easily identify over 25 Security Intelligence Platform solutions offered by a variety of vendors, from large veteran players known for their SIEM products to newly established innovative startups.
To be continued...
Since the notion of a corporate security perimeter has all but disappeared in recent years thanks to the growing adoption of cloud and mobile services, information security has experienced a profound paradigm shift from traditional perimeter protection tools towards monitoring and detecting malicious activities within corporate networks. Increasingly sophisticated attack methods used by cyber criminals and, even more so, the growing role of malicious insiders in the recent large-scale security breaches clearly indicate that traditional approaches to information security can no longer keep up.
As the security industry’s response to these challenges, a new generation of security analytics solutions has emerged in recent years, able to collect, store and analyze huge amounts of security data across the whole enterprise in real time. These Real-Time Security Intelligence solutions combine Big Data and advanced analytics to correlate security events across multiple data sources, providing early detection of suspicious activities, rich forensic analysis tools, and highly automated remediation workflows.
Industry analysts, ourselves included, have been covering this fundamental focus shift in information security for a few years already. However, getting that message across to the general public is not an easy task. To find out how many organizations around the world truly understand the critical role of security analytics technology in their corporate security strategies, earlier this year KuppingerCole teamed up with BARC – a leading enterprise software industry analyst and consulting firm specializing in areas including Data Management and Business Intelligence – to conduct a global survey on Big Data and Information Security. Our survey focused on security-related aspects of Big Data analytics in cybersecurity and fraud detection and is based on contributions from over 330 participants from 50 countries, representing enterprises of all sizes across various industries such as IT, Services, Manufacturing, Finance, Retail or Public Sector.
The study delivers insights into the level of awareness and current approaches in information security and fraud detection in organizations around the world. It measures importance, status quo and future plans of Big Data security analytics initiatives, presents an overview of various opportunities, benefits and challenges relating to those initiatives, as well as outlines the range of technologies currently available to address those challenges.
Here are a few highlights of the study results:
Information Security and Big Data are recognized as the two most important IT trends
Over half of the survey respondents consider Big Data technology one of the cornerstones of the Digital Transformation and consider protecting their digital assets from security risks and compliance violations extremely important. The public awareness of the potential of security analytics solutions is very impressive as well: almost 90% of the participants believe that these solutions will play a critical role in their corporate security infrastructures.
Current implementations are still lagging behind
Unfortunately, only a quarter of the respondents have already implemented big data security analytics measures. Even fewer, just 13%, consider themselves best-in-class in this field, believing that they have a better understanding of the technology than their competitors.
Benefits from big data security analytics are high
The overwhelming majority of the best-in-class participants believe that security analytics can bring substantial profits for their companies. In fact, over 70% of all respondents, even those who do not yet have a budget or a strategy for security analytics, already consider the potential benefits from implementing such a solution to be high or at least moderate.
Best-in-class companies use a wide range of technologies
The companies with a deep understanding of current information security trends and technologies clearly realize that only multi-layered and well-integrated security architectures are capable of resisting modern sophisticated cyber-attacks. They are deploying multiple security tools not just for threat protection, but for identity and access governance, strong authentication, SIEM and user behavior analytics as well. Unfortunately, many of the “laggards” are not even aware that some of these technologies exist.
Automated security controls are a key differentiator
Identifying a security incident is just the first step of a complex remediation process, which is still largely manual and requires a skilled security expert to carry it out properly using a large number of security tools. New generation security analytics solutions therefore place a strong emphasis on automation, which helps to reduce the skill gap and ideally lets even a non-technical person initiate an automated incident response process. 98% of the best-in-class respondents are already aware of these developments and consider automation a key aspect of security solutions.
You’ll find a short summary of our findings in the handy infographic above. The complete study can be downloaded from our website in English or German. Thanks to the generosity of MicroStrategy, Inc., we are able to make it available free of charge.
The last time we devoted an issue of our monthly newsletter to the Internet of Things was almost a year ago. Looking back now, we can already spot a number of significant changes in this field that happened during the year 2016. Perhaps the most profound one is that the industry has finally gone past the “peak of inflated expectations” and started thinking less about making everything smart and connected and more about such down-to-earth things as return on investment, industry standards or security concerns.
An obvious consequence of this is the growing divide between the “consumer” and “industrial” segments of the IoT. Consumers are becoming increasingly disillusioned about the very concept of “smart home”, because the technology that has promised to make their lives easier simply does not live up to the expectations. Remember the guy who spent 11 hours fixing his Wi-Fi kettle? User experiences like that, combined with inconvenient mobile apps and a complete lack of security or privacy in those smart devices make more and more people want to go back to the good old “analog” teapots and light bulbs.
The industrial IoT segment, however, continues to grow steadily. With all the new companies rushing to the market, it’s quickly becoming crowded, which inevitably leads to mergers and acquisitions, forming partnerships and growing ecosystems – in other words, the IIoT market is finally showing the signs of maturity. By the way, don’t let the term “industrial IoT” confuse you: IIoT is not limited to just industrial applications; it is going to expand into various market sectors. In fact, we cannot even define a clear border between the “consumer” and “industrial” IoT just by looking at their applications: although your car is definitely a consumer device, many aspects of the technology that make it connected are undoubtedly industrial.
So nowadays, the divide between the consumer and industrial IoT is not between market segments and definitely not in hardware or protocols, but rather in the way those systems are handling the information they are collecting. IoT is no longer just about connecting things over the Internet, but about collecting, storing, analyzing and (last but not least) securing the data those things are producing. Because the nature of information collected by smart consumer devices and industrial sensors is completely different, they require different technologies to manage them, to protect them from risks and to ensure their compliance.
Consumer IoT products like thermostats or fitness trackers tend to collect relatively small amounts of data, but this information is very personal and sensitive by nature. So, as soon as we sort out the basic security requirements and prevent hackers from building botnets from webcams, the biggest priority is compliance with data protection regulations. Industrial devices like sensors or controllers, on the other hand, usually produce massive streams of data, which must be collected, stored, processed and analyzed in real-time to provide better visibility into a manufacturing process, to make your car self-steering or to save a patient from hypoglycemic shock. These use cases, of course, demand completely different technologies, like cloud computing and Big Data analytics to efficiently handle such huge amounts of information quickly and reliably. And, of course, they face a completely different set of security risks.
As we once discussed in a webinar on industrial control system security, Operational Technology security experts have traditionally had completely different priorities with regard to cyber-security versus safety and process continuity, relying more on physical network isolation and proprietary protocols to protect their control and data acquisition systems. With IIoT, however, the situation changes completely – new smart industrial sensors are utilizing the same protocols or even the same hardware as consumer products. They are also communicating over the public Internet, wide open to potential hacking attacks. And although leaking sensor data probably does not constitute a serious security problem, manipulating the data or even the sensors themselves definitely does. By disrupting manufacturing process control, a hacking attack can not only lead to a loss of very real products, but also to equipment damage and even human casualties.
This is why, before embracing the new IIoT technologies for all the great business benefits they bring, OT specialists have to radically rethink their approaches towards cyber-security. The problem is further complicated by the fact that most industrial sensors do not have enough computing power to have any security functionality built into them – so existing OT security solutions developed for Windows-based SCADA environments won’t help much.
A popular approach nowadays is to use special IoT gateways to manage large numbers of devices centrally and to perform initial processing and protocol conversion before sending the collected data to the cloud. These gateways are the most obvious points to integrate security functions as well, providing services like identity and authentication, data integrity and threat protection. Many vendors are already taking the development of such secure gateways even further by offering complete platforms integrating device management and security with the possibility to run authorized third-party software and to integrate legacy devices into the IIoT.
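The gateway functions named above (device identity, authentication, data integrity and a first line of threat protection for sensors too weak to protect themselves) can be illustrated with a small piece of code. The following is an added example written for this post, not code from any vendor’s gateway product; the device names, keys, plausible ranges and frames are all constructed. Each sensor authenticates its readings with an HMAC-SHA256 tag, and the gateway verifies the tag against the per-device key, rejects replayed sequence numbers, and flags values outside the physical range of the sensor before anything is forwarded to the cloud.

```python
"""Constructed example: an IIoT gateway that authenticates sensor frames before
forwarding them. Device names, keys and readings are invented for illustration."""
import hashlib
import hmac
import json

# Hypothetical per-device secrets held by the gateway (this is the device identity).
DEVICE_KEYS = {
    "temp-sensor-01": b"constructed-key-01",
    "flow-sensor-07": b"constructed-key-07",
}

# Physically plausible ranges per device, used to flag manipulated readings.
PLAUSIBLE_RANGE = {
    "temp-sensor-01": (-40.0, 150.0),   # degrees Celsius
    "flow-sensor-07": (0.0, 500.0),     # litres per minute
}


def canonical(frame):
    """Serialize the authenticated fields in a stable order so both sides hash the same bytes."""
    fields = {k: frame[k] for k in ("device", "seq", "value")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_frame(device, seq, value, key):
    """Sensor side: build a frame carrying an HMAC-SHA256 tag over device, seq and value."""
    frame = {"device": device, "seq": seq, "value": value}
    frame["tag"] = hmac.new(key, canonical(frame), hashlib.sha256).hexdigest()
    return frame


class Gateway:
    def __init__(self, keys, ranges):
        self.keys = keys
        self.ranges = ranges
        self.last_seq = {}   # highest accepted sequence number per device (replay protection)

    def check(self, frame):
        """Return (accepted, reason) for one incoming frame."""
        device = frame.get("device")
        key = self.keys.get(device)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(frame), hashlib.sha256).hexdigest()
        # Constant-time comparison: a forged or altered frame fails here.
        if not hmac.compare_digest(expected, frame.get("tag", "")):
            return False, "bad tag"
        if frame["seq"] <= self.last_seq.get(device, -1):
            return False, "replayed or out-of-order sequence"
        lo, hi = self.ranges[device]
        if not lo <= frame["value"] <= hi:
            return False, "implausible value"
        self.last_seq[device] = frame["seq"]
        return True, "ok"


def process(gateway, frames):
    """Filter a batch of frames; return the ones to forward and a rejection log."""
    forwarded, rejected = [], []
    for frame in frames:
        ok, reason = gateway.check(frame)
        if ok:
            forwarded.append(frame)
        else:
            rejected.append({"device": frame.get("device"), "seq": frame.get("seq"), "reason": reason})
    return forwarded, rejected


def demo():
    """Run a constructed batch through the gateway: one clean frame and five problem cases."""
    gw = Gateway(DEVICE_KEYS, PLAUSIBLE_RANGE)
    k1, k7 = DEVICE_KEYS["temp-sensor-01"], DEVICE_KEYS["flow-sensor-07"]
    good = sign_frame("temp-sensor-01", 1, 21.5, k1)
    tampered = dict(sign_frame("temp-sensor-01", 2, 21.5, k1))
    tampered["value"] = 95.0                                   # reading altered after signing
    replay = dict(good)                                        # the same frame delivered twice
    spoofed = sign_frame("flow-sensor-07", 1, 12.0, b"wrong-key")  # sender lacks the device key
    rogue = sign_frame("pump-99", 1, 1.0, b"x")                # device not registered at the gateway
    impossible = sign_frame("flow-sensor-07", 1, 900.0, k7)    # valid tag, value outside physical range
    return process(gw, [good, tampered, replay, spoofed, rogue, impossible])


if __name__ == "__main__":
    forwarded, rejected = demo()
    print("forwarded:", forwarded)
    for r in rejected:
        print("rejected:", r)
```

Note what the gateway can and cannot do here: the tag check catches alteration and forgery, the sequence check catches replay, and the range check is the only defence against a compromised device that signs nonsense with a legitimate key, which is exactly why the plausibility rules belong in the gateway rather than in the sensor.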
However, traditional approaches like air gapping industrial networks by means of unidirectional gateways, deployment of endpoint protection solutions and, of course, real-time security analytics all have their place in a well-designed layered security infrastructure. After all, if done right, security is not a liability, but a valuable business opportunity.
The proverbial Computing Troika that KuppingerCole has been writing about for years does not show any signs of slowing down. The technological trio of Cloud, Mobile and Social computing, as well as their younger cousin, the Internet of Things, have profoundly changed the way our society works. Modern enterprises were quick to adopt these technologies, which create great new business models, open up numerous communication paths to their partners and customers, and, last but not least, provide substantial cost savings. We are moving full speed ahead towards the Digital Era, and the future is full of promise. Or is it?
Unfortunately, the Digital Transformation does not only enable a whole range of business prospects, it also exposes the company’s most valuable assets to new security risks. Since those digital assets are nowadays often located somewhere in the cloud, with an increasing number of people and devices accessing them anywhere at any time, the traditional notion of a security perimeter ceases to exist, and traditional security tools cannot keep up with the new sophisticated cyberattack methods.
In recent years, the industry has come up with a new generation of security solutions, which KuppingerCole has dubbed “Real-Time Security Intelligence”. Thanks to a technological breakthrough that finally commoditized Big Data analytics technologies previously only affordable to large corporations, it became possible to collect, store, and analyze huge amounts of security data across multiple sources in real time. Various correlation algorithms have been implemented to find patterns in the data, as well as to detect anomalies, which in most cases indicate some kind of malicious activity.
Such security analytics solutions have been hailed (quite justifiably) by the media as the ultimate solution to most modern cybersecurity problems. Some even go as far as referring to these technologies as “machine learning” or even “artificial intelligence”. It should be noted however, that detecting patterns and anomalies in data sets has very little to do with true intelligence – in fact, if the “IQ level” of a traditional signature-based antivirus can be compared to that of an insect, then the correlation engine of a modern security analytics solution is about as “smart” as a frog catching flies.
Unfortunately, strong artificial intelligence, comparable in skill and flexibility to a human, is still purely a subject of theoretical academic research. Its practical applications, however, are no longer a science fiction topic. To the contrary, these applied cognitive technologies have been actively developed for quite some time already, and the exponential growth of cloud computing has been a major boost for their further development in recent years. Such technologies as computer vision, speech recognition, natural language processing or machine learning have found practical use in many industries, and cybersecurity is the most recent field where they promise to achieve a major breakthrough.
You see, the biggest problem information security is now facing has nothing to do with computers. In fact, the vast majority (over 80%) of security-related information in the world remains completely inaccessible to computers: it exists only in an unstructured form spread across tens of thousands of publications, conference presentations, forensic reports and other sources – spoken, written or visual.
Only a human can read and interpret those data sources, but we do not have nearly enough humans trained as security analysts to cope with the amount of new security information produced daily.
This is where Cognitive Security, a new practical application of existing cognitive technologies, comes into play. A cognitive security solution would be able to utilize natural language processing and machine learning methods to analyze both structured and unstructured security information the way humans do. It would be able to read texts (or even see pictures and listen to speeches) and not just recognize patterns within them, but be able to interpret and organize the information, explain its meaning, postulate hypotheses and provide reasoning based on evidence.
This may feel like science fiction to some, but the first practical cognitive security solutions are already appearing on the market. A major player and one of the pioneers in this field is undoubtedly IBM with their Watson platform. Originally created back in 2005 to compete with human players in the game of Jeopardy, over the years Watson has expanded significantly and found many practical applications in business analytics, government, legal and even healthcare services.
In May 2016, IBM announced Watson for Cyber Security, a completely new field for their natural language processing and machine learning platform. However, IBM is definitely not a newcomer in cyber security. In fact, their own X-Force research library is being used as the primary source of security information to be fed into the specialized instance of the platform running in the cloud. Although the learning process is still in progress, the ultimate goal is to process all of those 80% of security intelligence data and make it available in structured form.
Of course, Watson for Cyber Security will never replace a human security analyst, but that is not its goal. First, making this “dark security data” accessible for automated processing by current security analytics solutions can greatly improve their efficiency as well as provide additional external threat intelligence. Second, cognitive security would provide analysts with powerful decision support tools, simplifying and speeding up their work and thus reducing the skills gap haunting the security industry today. In the future, the same cognitive technologies may be also applied to a company’s own digital assets to provide better analytics and information protection. Potentially, they may even make developing malware capable of evading detection too costly, thus turning the tide of the ongoing battle against cybercrime.
Last week, Microsoft announced the general availability of the Azure Security Center – the company’s integrated solution for monitoring, threat detection and incident response for Azure cloud resources. Initially announced last year as a part of Microsoft’s new cross-company approach to information security, Azure Security Center has been available as a preview version since December 2015. According to Microsoft, the initial release has been used to monitor over 100 thousand cloud subscriptions and has identified over a million and a half vulnerabilities and security threats.
So, what is it all about anyway? In short, Azure Security Center is a security intelligence service built directly into the Azure cloud platform.
- It provides security monitoring and event logging across Azure Cloud Services and Linux-based virtual machines, as well as various partner solutions;
- It enables centralized management of security policies for various resource groups, depending on business requirements or compliance regulations;
- It provides automated recommendations on addressing most common security problems, such as configuring network security groups, installing missing system updates or automatically deploying antimalware, web application firewall or other security tools in your cloud infrastructure;
- It analyzes and correlates various security events in near real-time, fuses them with the latest threat intelligence from its own and third-party security intelligence feeds and generates prioritized security alerts when threats are detected;
- It provides a number of APIs, an interface to Microsoft Power BI and a SIEM connector to access and analyze security events from the Azure cloud using existing tools.
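Two passages in this collection describe the same core of a security analytics solution: the earlier one about correlation algorithms that find patterns and anomalies across sources, and the fourth bullet above about correlating events in near real time, fusing them with threat intelligence feeds and producing prioritized alerts. The following added example shows that pipeline in miniature. It is illustration code written for this post, not Microsoft’s implementation and not an Azure API; the hosts, IP addresses (taken from the documentation-only TEST-NET ranges), log lines and feed entries are all constructed. A brute-force correlation rule and a threat-intelligence match each raise an alert, and the feed’s confidence then decides the alert’s rank.

```python
"""Constructed example: correlate a few VM events with a threat-intelligence feed
and emit prioritized alerts. Hosts, addresses and feed entries are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed: indicator -> (category, confidence 0..1).
THREAT_INTEL = {
    "203.0.113.45": ("brute-force source", 0.9),   # TEST-NET-3 address, constructed
    "198.51.100.7": ("malware C2", 0.7),           # TEST-NET-2 address, constructed
}

# Constructed events in the order a collector might deliver them.
# Each line: ISO time, host, event type, remote IP, outcome.
SAMPLE_LOG = """\
2016-07-20T10:00:01Z vm-web-01 ssh_login 203.0.113.45 failure
2016-07-20T10:00:03Z vm-web-01 ssh_login 203.0.113.45 failure
2016-07-20T10:00:04Z vm-web-01 ssh_login 203.0.113.45 failure
2016-07-20T10:00:06Z vm-web-01 ssh_login 203.0.113.45 failure
2016-07-20T10:00:09Z vm-web-01 ssh_login 203.0.113.45 failure
2016-07-20T10:00:12Z vm-web-01 ssh_login 203.0.113.45 success
2016-07-20T10:05:00Z vm-web-01 outbound_conn 198.51.100.7 allowed
2016-07-20T10:07:00Z vm-db-02 ssh_login 192.0.2.10 failure
2016-07-20T10:30:00Z vm-db-02 ssh_login 192.0.2.10 success
"""


def parse(log_text):
    """Turn the constructed log lines into event dicts with real timestamps."""
    events = []
    for line in log_text.splitlines():
        ts, host, etype, ip, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "type": etype, "ip": ip, "outcome": outcome,
        })
    return events


def correlate(events, window=timedelta(minutes=5), threshold=5):
    """Rule 1: `threshold` failed logins from one IP against one host inside `window`,
    followed by a success from the same IP, is a probable credential compromise.
    Rule 2: any outbound connection to an IP present on the feed is flagged."""
    alerts = []
    failures = defaultdict(list)   # (host, ip) -> timestamps of recent failures
    for e in events:
        key = (e["host"], e["ip"])
        if e["type"] == "ssh_login":
            if e["outcome"] == "failure":
                failures[key].append(e["ts"])
            elif e["outcome"] == "success":
                recent = [t for t in failures[key] if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append({"host": e["host"], "ip": e["ip"],
                                   "rule": "brute force followed by success", "base": 70})
                failures[key].clear()   # a single slow failure before a success is normal
        elif e["type"] == "outbound_conn" and e["ip"] in THREAT_INTEL:
            alerts.append({"host": e["host"], "ip": e["ip"],
                           "rule": "outbound connection to listed indicator", "base": 60})
    return alerts


def enrich_and_prioritize(alerts, feed=THREAT_INTEL):
    """Fuse each alert with feed context and rank by a simple score (base + 30 * confidence)."""
    for a in alerts:
        category, confidence = feed.get(a["ip"], ("no intel", 0.0))
        a["intel"] = category
        a["score"] = round(a["base"] + 30 * confidence)
        a["severity"] = "high" if a["score"] >= 90 else "medium" if a["score"] >= 60 else "low"
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def run(log_text=SAMPLE_LOG):
    """Full pipeline over the constructed sample: parse, correlate, enrich, rank."""
    return enrich_and_prioritize(correlate(parse(log_text)))


if __name__ == "__main__":
    for alert in run():
        print(f'{alert["severity"]:6} {alert["score"]:3} {alert["host"]} {alert["rule"]} ({alert["intel"]})')
```

The single failed login against vm-db-02 followed by a success half an hour later produces nothing, which is the point of the time window and threshold: the correlation engine is only as useful as the rules that separate a mistyped password from an attack, and the feed only re-orders what the rules have already found.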
In other words, Microsoft Azure Security Center is a full-featured Real-Time Security Intelligence solution “in the cloud, for the cloud”. Sure, other SIEM and security analytics solutions provide integrations with cloud resources as well, but, being a native component of the Azure cloud infrastructure, Microsoft’s own solution has several obvious benefits, such as better integration with other Azure services, more efficient resource utilization and much lower deployment effort.
In fact, there is nothing to deploy at all – one can activate the Security Center directly in the Azure Portal. Moreover, basic security features and partner integrations are available for free; only advanced threat detection (like threat intelligence, behavior analysis, and anomaly detection) is priced per monitored resource.
With Azure Security Center now available for all Azure subscribers, offering new partner integrations (for example, vulnerability assessment by companies like Qualys) and new threat detection algorithms, there is really no reason why you should not immediately turn it on for your subscription. Even with the basic free functions, it provides a useful layer of security for the cloud infrastructure, but with the full range of behavior-based and anomaly-detection algorithms and a rich set of integration options, Azure Security Center can serve either as a center of your cloud security platform or as a means of extending your existing SIEM-based security operations center to the Azure cloud.
A couple of weeks ago, just as we were busy running our European Identity & Cloud Conference, we got news from IBM announcing the company’s foray into the area of Cognitive Security. And, although I’m yet to see their solution in action (closed beta starts this summer), I have to admit I rarely feel so excited about news from the IT industry.
First of all, a quick reminder: the term “cognitive computing” broadly describes technologies based on machine learning and natural language processing that mimic the functions of human brains. Such systems are able to analyze vast amounts of unstructured data usually inaccessible to traditional computing platforms and not just search for answers, but create hypotheses, perform reasoning and support human decision making. This is really the closest we have come to Artificial Intelligence as seen in science fiction movies.
Although the exact definition of the term still causes much debate among scientists and marketing specialists around the world, cognitive computing solutions in the form of specialized hardware and software platforms have existed for quite some time, and the exponential growth of cloud computing has been a big boost for their further development. In fact, IBM has always been one of the leading players in this field with their Watson platform for natural language processing and machine learning.
IBM Watson was initially conceived in 2005 as a challenge to beat human players in the game of Jeopardy, and its eventual victory in a 2011 match is probably its best publicized achievement, but the platform has been used for a number of more practical applications for years, including business analytics, healthcare, legal and government services. The company continues to build an entire ecosystem around the platform, partnering with numerous companies to develop new solutions that depend on unstructured data analysis, understanding natural language and complex reasoning.
In hindsight, the decision to utilize Watson’s cognitive capabilities for cyber security applications seems completely reasonable. After all, with their QRadar Security Intelligence Platform, IBM is also one of the biggest players in this market, and expanding its scope to incorporate huge amounts of unstructured security intelligence makes a lot of sense. By tapping into various sources like analyst publications, conference presentations, forensic reports, blogs and so on, cognitive technology will provide security analysts with new powerful tools to support and augment their decision making. Providing access to the collective knowledge from tens of thousands of sources constantly adapted and updated with the newest security intelligence, Watson for Cyber Security is supposed to solve the biggest problem the IT security industry is currently facing – a dramatic lack of skilled workforce to cope with the ever growing number of security events.
Naturally, the primary source of knowledge for Watson is IBM’s own X-Force research library. However, the company is now teaming with multiple universities to expand the amount of collected security intelligence to feed into the specialized Watson instance running in the cloud. The ultimate goal is to unlock the estimated 80% of all security intelligence data, which is currently available only in an unstructured form.
It should be clear, of course, that this training process is still work in progress and by definition it will never end. There are also some issues to be solved, such as obvious concerns about privacy and data protection. Finally, it’s still not clear whether this new area of application will generate any substantial revenue for the company. But I’m very much looking forward to seeing Watson for Cyber Security in action!
By the way, I was somewhat disappointed to find out that Watson wasn’t actually named after Sherlock Holmes’ famous friend and assistant, but in fact after IBM’s first CEO Thomas Watson. Still, the parallels with “The Adventure of the Empty House” are too obvious to ignore :)