In the evolving cybersecurity arms race, the hottest front is the development of automated, high-speed systems to detect and defeat sophisticated, multi-layer cyber weapons designed to evade conventional firewall defenses.
Machine-to-machine sharing of cyberthreat information is a top priority of the Obama administration, and experts consider it essential to countering new, "zero day" cyberattacks.
But the trend may exacerbate a "cybersecurity divide" — a gap in defense capabilities based on the ability or willingness of enterprises to invest in the most sophisticated and costly protection systems, said Martin Libicki, senior management scientist at the Rand Corp., testifying to a congressional committee in March.
Automated threat identification programs, which search for telltale malware indicators in a target’s computer networks, are designed to be administered by clusters of companies in the same industry, or regional cyberdefense groups, set up under federal rules. They are known generically as information sharing and analysis organizations (ISAOs).
"ISAOs, laudable as they may be, are oriented toward organizations that can afford their membership fees; at $10,000 a year, most small- and medium-sized organizations are priced out of that market," Libicki said.
"Consider the likelihood that these ISAOs become the primary — or worse, exclusive — conduit for information-sharing between the government and private organizations. If so — and in the absence of other mechanisms to share information with the broader public — the smaller organizations are going to be left out," he said.
Simplifying threat detection
The issue may be highlighted by Soltra Edge, a state-of-the-art software program developed by cybersecurity officials in the U.S. financial industry, drawing on Department of Homeland Security technology.
Soltra Edge, using open-source technology created by DHS and the Mitre Corp., is free to users in its basic form, but users are charged for advanced versions with greater capabilities, said Soltra’s chief technology officer, Aharon Chernin.
The Financial Sector Information Sharing and Analysis Center (FS-ISAC), a federally recognized cyber defense coordinator for the banking and securities industry, and DTCC, the leading global clearinghouse for financial transactions, are offering Soltra Edge to the ISACs that serve the energy, health and other industries. FS-ISAC is considered the most advanced of the ISACs, an industry-specific form of ISAO, Homeland Security officials say.
In the taxonomy of automated cyber defense, the threshold layer consists of two free programs developed by DHS, Mitre and industry participants. STIX, or Structured Threat Information eXpression, is a computer language that defines indicators such as attackers’ Internet addresses, tactics and other characteristics in a standard way. TAXII, or Trusted Automated eXchange of Indicator Information, provides a secure means of sharing the threat information.
The STIX program takes the human out of initial sharing of threat information, said Richard Struse, the DHS advanced cybersecurity technology chief. "Since the threat never sleeps, it’s really important that this very basic thing is automated," he said last year.
The same point was made recently by the National Security Agency director, Adm. Michael Rogers.
"The way we are doing this, in some ways, is: We are all trying to learn independently. That is a very painful way to go about gaining insights and experience," Rogers said. "It tends to be very resource-intensive, and we constantly repeat the same mistakes over and over again if each one of us learns them independently. I would like to see what we can do to try to bring it all together."
The strategy is taking hold rapidly, said David Melter, chief research officer of the information security firm Tripwire Inc.
"There are two trends that are pretty apparent from what’s happening today. The number of companies that are sharing data and threat intelligence is going to explode. That’s on the customer end. On the product side, the number of products that will inject and emit this intelligence will also explode," he added in an interview.
Instead of limiting a search to a particular code signature on malware, which can easily be changed, automated systems look for characteristics that are much harder to conceal. "If intelligence says the malware is modifying a system file by adding a registry key, and embedding itself in a certain way, then we can detect the behavior of the malware. Now the intelligence can become far more valuable."
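To make the two preceding ideas concrete (a shared, machine-readable indicator format in the STIX/TAXII mould, and behaviour-based indicators that survive a recompiled sample where a file hash does not), here is an added example. It is not code from the article, Soltra, DHS or MITRE. The indicator objects borrow only the look of STIX 2.x JSON ("type", "id", "name"); the "pattern" dictionary, the event names, the hostnames and the sample payloads are all constructed for illustration and are not the real STIX pattern language or real threat intelligence.

```python
"""Toy indicator feed and matcher (added example, not the page's code).

Two constructed indicators are serialized as a JSON feed, parsed back as a
consumer would receive them, and evaluated against constructed endpoint
telemetry. The hash indicator fires only on the exact build it was written
for; the behavioural indicator fires on both builds of the same dropper.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed "malware" payloads: build 2 is the same dropper recompiled,
# so its hash changes while what it does on the host does not.
DROPPER_BUILD_1 = b"constructed dropper sample, build 1"
DROPPER_BUILD_2 = b"constructed dropper sample, build 2"

AUTOSTART_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed indicators in a simplified STIX-2-like shape (assumption: the
# "pattern" dict is a toy, not the real STIX patterning language).
INDICATORS = [
    {
        "type": "indicator",
        "id": "indicator--example-0001",  # placeholder id, not a real object
        "name": "Dropper build 1 (file hash)",
        "pattern": {"event": "file_write", "sha256": sha256_hex(DROPPER_BUILD_1)},
    },
    {
        "type": "indicator",
        "id": "indicator--example-0002",  # placeholder id, not a real object
        "name": "Autostart value pointing into the user's roaming profile",
        "pattern": {
            "event": "registry_set",
            "key_prefix": AUTOSTART_KEY,
            "value_contains": "\\AppData\\Roaming\\",
        },
    },
]

# The feed as it would cross the wire between two organizations.
FEED = json.dumps(INDICATORS, indent=2)

# Constructed endpoint telemetry: ws-01 ran build 1, ws-02 ran build 2,
# ws-03 has a benign vendor autostart entry that must not match.
TELEMETRY = [
    {"host": "ws-01", "event": "file_write",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
     "sha256": sha256_hex(DROPPER_BUILD_1)},
    {"host": "ws-01", "event": "registry_set", "key": AUTOSTART_KEY,
     "value_name": "svc", "value": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    {"host": "ws-02", "event": "file_write",
     "path": "C:\\Users\\bob\\AppData\\Roaming\\upd.exe",
     "sha256": sha256_hex(DROPPER_BUILD_2)},
    {"host": "ws-02", "event": "registry_set", "key": AUTOSTART_KEY,
     "value_name": "upd", "value": "C:\\Users\\bob\\AppData\\Roaming\\upd.exe"},
    {"host": "ws-03", "event": "registry_set", "key": AUTOSTART_KEY,
     "value_name": "VendorTool", "value": "C:\\Program Files\\Vendor\\tool.exe"},
]


def event_matches(pattern: dict, event: dict) -> bool:
    """Evaluate one toy pattern against one telemetry event.

    Registry keys and values are compared case-insensitively because the
    Windows registry is case-insensitive; hashes are compared exactly.
    """
    if pattern["event"] != event["event"]:
        return False
    if "sha256" in pattern and event.get("sha256") != pattern["sha256"]:
        return False
    if "key_prefix" in pattern:
        if not event.get("key", "").lower().startswith(pattern["key_prefix"].lower()):
            return False
    if "value_contains" in pattern:
        if pattern["value_contains"].lower() not in event.get("value", "").lower():
            return False
    return True


def match_feed(feed_json: str, telemetry: list) -> dict:
    """Parse a shared feed and return {indicator name: sorted hosts it fired on}."""
    hits = {}
    for indicator in json.loads(feed_json):
        hosts = {ev["host"] for ev in telemetry if event_matches(indicator["pattern"], ev)}
        hits[indicator["name"]] = sorted(hosts)
    return hits


if __name__ == "__main__":
    for name, hosts in match_feed(FEED, TELEMETRY).items():
        print(f"{name}: {hosts or 'no hits'}")
```

Run as a script it reports the hash indicator firing on ws-01 only and the behavioural indicator firing on ws-01 and ws-02, while the benign autostart entry on ws-03 matches neither. The design point is the one Melter makes above: an indicator keyed on what the sample does (where it persists and where it runs from) keeps its value across rebuilds, whereas a hash has to be re-shared for every new build.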
Soltra Edge, named after a network of signal fires used in Europe to warn of imminent attacks centuries ago, is intended to accelerate that trend by providing a software platform that simplifies the use of STIX and TAXII, Chernin said.
"We take STIX, interpret it and display it on a screen. It asks you a few questions" about a cyberthreat you have discovered, Chernin said. "Behind the scenes we’re creating STIX content for you." It’s no different conceptually from all the other operations that software performs to create functional applications for users, he said. "We want to hide all that difficult STIX and TAXII stuff and just make it work.
"Unless we continue the STIX, TAXII and Soltra Edge way, we’re going to continue with the manual way" of processing threats, he said, which takes hours. "For a threat to change its tactics takes milliseconds. We never win, unless we change tactics in milliseconds" too. "This definitely starts to move the ball back to the defense," Chernin added.
"We give you the software for free. Have at it. Join the community. It needed to be free — we’re trying to build a STIX and TAXII ecosystem," he said. "The way we make money is through support contracts. Our hope is that an organization wouldn’t put in a mission-critical piece of software without somebody behind it. The service contracts are how we survive.
"We’re commoditizing threat intelligence. Now, it is really difficult to determine how much value your cyber intelligence vendor is providing and difficult to measure your intelligence vendor against another," Chernin continued.
But if everyone starts speaking the same language about threats, the process becomes a cheaper commodity, he said. "That will help the little guys with less money.
"Right now, they can barely do anything. At least we do give them a fighting chance to do something about it automatically," Chernin said.
Chernin did not discuss the cost of Soltra Edge services: "I would prefer our pricing comes from a salesperson."
A wider gap?
A fair question is whether advanced and more costly new technologies, developed to match increasingly sophisticated threats, will widen or narrow the cyber capabilities of utilities and companies with large and small technology budgets, said Andrew Bochman, senior cybersecurity strategist at the Idaho National Laboratory, speaking at the Power Grid Resilience conference last month.
"There is a range of utilities in our country," Bochman said. "They have different levels of resources all the way from the largest, with some of the best security operations in the country, all the way down to a 100-person co-op in Vermont that I interviewed that has one security guy whose other jobs are security and building maintenance."
Libicki said the cyber issues for the utility sector are unique in many respects. "Most of our cities get most of their power from utilities that are big enough to pay attention to cybersecurity. If you are a small rural electric co-op, you can’t. All of them are under increasing pressure from the federal government to get their cybersecurity house in order."
As a very rough rule of thumb, a company with fewer than 1,000 employees doesn’t have resources to employ a chief technology officer with cybersecurity expertise, Libicki said. "That’s a reason to go to the ISAC meetings, to listen to [colleagues] chatter at the bar on who’s good or who’s not."
"I think a lot of utilities now, if you gave them great stuff — there’s something coming at you expected in the next 24 hours, and it’s going to look like this, and it’s going to target these systems, some of them are going to go, ‘Well shoot, do we even have those systems?’" Bochman said.
"What we really need to do is help define and then support more utilities becoming competent consumers of cyberthreat information," Bochman said.
The capabilities and costs of state-of-the-art cyberdefenses continue to grow, said Larry Ponemon, chairman of the Ponemon Institute, a research and consulting firm on data security. Where spending on information security once took about 5 percent of total information technology spending, that share has now doubled, and it averages $25 million annually among the 2,000 largest global companies, his firm estimates.
"If you want to have good threat sharing capabilities, there normally is a price to play," Ponemon said. "If you don’t have the money, you’re probably not going to have great threat intelligence. That’s a great concern.
"There is an ecosystem in an industry," Ponemon said. "If a small organization becomes insecure, and it deals with a big organization, it can create havoc for the big one."