Cybersecurity: Taking a Proactive Approach is Key

If we are to proactively defend our cybersecurity, we must move away from historical algorithm audit and analysis to real-time pattern recognition audit and analysis.

by Larry Karisny / March 4, 2015

Given the Anthem data breach, which could rank among the largest identity theft breaches ever, and the 100-bank, $1 billion cyber heist, it's clear we're off to a bad start in 2015 when it comes to cybersecurity.

In fact, Inga Beale, the CEO of British insurance company Lloyd's, estimates that cyber attacks will cost businesses as much as $400 billion a year, including the damage itself and subsequent disruption to the normal course of business. Beale also noted that the firms best prepared for cyberattacks buy insurance -- and 90 percent of cyberinsurance is purchased by U.S. firms, leaving other companies around the world exposed.

So why would companies best prepared for cyber attacks buy insurance? Perhaps it's because they've realized that their current cybersecurity technologies are focused primarily on reacting to security breaches rather than proactively stopping cyberattacks.

Patch-and-pray cybersecurity

Information sharing on cyber attacks is an insufficient method for fighting cyberattacks. As Arati Prabhakar, director of the Defense Advanced Research Projects Agency (DARPA), stated, "The attacks are happening in microseconds, so today all we can do is patch and pray, and keep throwing human beings at the problem. We are looking for a fundamentally different way to get faster than the pace of the growth of the threat." In November 2014, Prabhakar called for a change in how cybersecurity is approached.

CEOs, CIOs and CISOs pay billions for cybersecurity solutions only to discover that, at best, these technologies solely help in gathering information after an attack rather than stopping the attack from occurring. These C-level officials are now demanding proactive cybersecurity solutions that will give them upfront protection -- not just historical evidence of the breach. They know that most breaches are inside jobs, that people are part of the problem and can, with authorization, attack in real time. To defend against this, cybersecurity professionals are looking for new real-time technologies that can audit people-to-machine and machine-to-machine digital actions and proactively protect their pre-designed security policies.

Yes, people are a big part of cybersecurity breaches. But it's the digital extension of what people do that must be technically audited -- and if we are truly going to proactively address cybersecurity, this must be done during data in motion. You can't beat cyberbreaches by simply offering manual human log audits and sharing historical breach information. If we are to defend ourselves, to offer true cybersecurity defense capabilities, we must be in front of these microsecond attacks -- not just historically analyzing and sharing the information post-attack. We must move from reactionary cybersecurity methodologies to real-time proactive technologies.

Will the cybersecurity bill help?

Information sharing when it comes to cyberattacks -- which is the brunt of the new cybersecurity bill -- will at least expose and share the vulnerabilities that will establish better security policies.

But as previously stated, this is not enough. It will help expose vulnerabilities, but it won't offer immediate technical correction to cyberattacks. To get a clear picture of where security policies should be put in place, take a look at this white paper that details the critical infrastructure protection (CIP) compliance for the North American Electric Reliability Corp. (NERC), a nonprofit designed to "ensure that the bulk electric system in North America is reliable, adequate and secure." This document gives industries a clear view of their business and control system processes and events.

The problem with the compliance process is that it is audited by the historical collection of data logs, which are then evaluated by people using a software-assisted program such as analytics. This is the very same problem that we have with current cybersecurity technologies. We are analyzing historical logs in a historical, static environment when we need to be proactively authenticating, viewing, auditing and analyzing the security policy logs in real time during data in motion. Even analytic algorithm technologies cannot offer these real-time capabilities. In order to do this, we must change the location and methodologies of how we view security policies.

Understanding the how and where of data in motion

Data-in-motion is this: You have a database waiting to do something and an application that can activate an event process when needed or in microseconds with human- or machine-to-machine activation. We currently secure these processes using antivirus software or firewalls that weed out basic known threats. Now, as hackers routinely overwhelm such defenses, cybersecurity experts say that cybersecurity is overdue for an overhaul. (See also my January 2014 article Time for a Cybersecurity Overhaul.)

These same experts now realize that the knowledge and logging of application activity is where new cybersecurity techniques must focus, and that attempts to protect networks and data perimeters are no longer effective. What they have not yet realized is that the where and how of these event activities are the key to true cybersecurity. Even these new techniques are focused on the historical review of event logs and not the real-time dynamic work activities. We are always behind the hack. We should not be searching for the problem behind the historical event log; we should be recognizing the anomaly before it occurs. This is our problem; this is what we need to correct.

When the application in a digital process does something, it creates a log. This log is where cyberattacks are being detected hours, months, sometimes even years later -- or not detected at all. If we are to proactively address cybersecurity, we must apply our technologies during data in motion -- prior to the historical log. A data-in-motion application used to be a simple message sent for a specific action or event, occurring from one end point to another. Today, data in motion carries multiple application event actions that, if exploited, can greatly affect the security policies of a specific process if they are not audited. This point of audit must be done during data in motion, where a causal real-time event can be recognized prior to process logging. This is where and how achieving true proactive cyberdefense resides.

My article Will DPM 5GL Save Cybersecurity? focused on these needed corrections. Policies and business processes define the right set of dynamic work activities, which can be described as causal event patterns. DPM 5GL -- Digital Process Management 5th Generation Programming Language -- monitors the critical causal patterns, and every other activity/event is an anomaly. It is used to monitor the correct activities, not characteristics. Even today's data analytics examines the frequency of data record attributes to discover a characteristic pattern or algorithm that is manually or machine-generated for profiling purposes. We must move forward from historical analysis to real-time 5GL event patterns if we are to successfully monitor data-in-motion activities. This is where and how we must deploy new cybersecurity technologies to truly defend ourselves against cyberattacks.

Moving from historical log analysis to real-time 5GL patterns

If you look at a hack's anatomy, you can see that the hacker not only has the real-time first-strike advantage, but he can also manipulate the security policy to make the exploit look like a normal part of the process. Knowing these two critical attributes of a breach -- location and policy exploit -- defines where proactive defense mechanisms must be placed. The tricky part is how to place the audit in data in motion rather than in today's end point input-to-output log analysis that is used in current cybersecurity technologies. The very definition of an algorithm shows how it analyzes and retrieves data from beginning to end while it processes and automates the data. This is the basis of how third generation programming language (3GL) and fourth generation programming language (4GL) work, and this is the window that hackers use to breach the system.

If we are to proactively defend our cybersecurity, we must move away from historical algorithm audit and analysis to real-time pattern recognition audit and analysis. 5GL can achieve this because it does not use algorithms and can audit predefined event policy patterns in real time, in microseconds. Simply put, given the compliance or process requirement as explained in the NERC CIP automation suite, we can now view and audit in real time all policy applications pinpointed in the compliance requirements. This is how compliance can actually become cybersecurity, and we can move from historical event log cyber analysis to real-time data-in-motion policy analysis.

5GL just makes sure the right stuff is connected to the right security policies by auditing the policy event action patterns in real time during data in motion. This is how we will at last offer proactive defenses to cyberbreaches. These real-time cybersecurity technologies will become increasingly important as we add billions of devices through the Internet of Things (IoT). These microchip devices connected to the IoT could actuate unwanted events or anomalies during data in motion if we do not defend our process event policies.
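The idea running through the last several paragraphs (a process policy is an ordered causal pattern of events; anything that deviates from the expected next step is an anomaly, and it must be caught as the event happens rather than found later in the log) can be illustrated with a small monitor. The code below is an added example written for this article; it is not DPM 5GL code and makes no claim about how that product works. The policy name `wire_transfer`, its four steps, the actors and the event stream are all constructed for the illustration. It also covers the insider case mentioned earlier: an authorized user who performs a legitimate step out of order is flagged even though every individual action is permitted.

```python
"""Illustrative real-time policy-pattern monitor (added example, not DPM 5GL
code). A process policy is an ordered causal pattern of actions; every event
is checked against the expected next step as it arrives, so a deviation is
flagged while the data is in motion instead of being found later in a log."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str]  # (actor, process, action)


@dataclass
class PolicyPattern:
    """Allowed causal pattern for one process, in order (constructed)."""
    process: str
    steps: List[str]


@dataclass
class Anomaly:
    actor: str
    process: str
    expected: Optional[str]  # None when the process itself is unknown
    observed: str


@dataclass
class PatternMonitor:
    patterns: Dict[str, PolicyPattern]
    # Position of each (actor, process) pair within its pattern.
    state: Dict[Tuple[str, str], int] = field(default_factory=dict)
    anomalies: List[Anomaly] = field(default_factory=list)

    def observe(self, event: Event) -> bool:
        """Check one event as it happens. Returns True when it matches the
        policy's expected next step, False when it is an anomaly."""
        actor, process, action = event
        pattern = self.patterns.get(process)
        if pattern is None:
            # An activity outside any defined policy is an anomaly by definition.
            self.anomalies.append(Anomaly(actor, process, None, action))
            return False
        key = (actor, process)
        pos = self.state.get(key, 0)
        expected = pattern.steps[pos]
        if action != expected:
            self.anomalies.append(Anomaly(actor, process, expected, action))
            self.state[key] = 0  # the actor must restart the pattern
            return False
        # Advance, wrapping to the start once the pattern completes.
        self.state[key] = (pos + 1) % len(pattern.steps)
        return True


def run_stream(events: List[Event],
               patterns: List[PolicyPattern]) -> Tuple[int, List[Anomaly]]:
    """Feed a stream through the monitor; return (matched count, anomalies)."""
    monitor = PatternMonitor({p.process: p for p in patterns})
    matched = sum(1 for e in events if monitor.observe(e))
    return matched, monitor.anomalies


# Constructed policy: a transfer may only execute after it has been approved.
TRANSFER_POLICY = PolicyPattern(
    "wire_transfer",
    ["authenticate", "create_transfer", "approve_transfer", "execute_transfer"],
)

# Constructed event stream. Alice follows the policy; Bob is authenticated
# (an authorized insider) but skips approval and executes directly.
SAMPLE_EVENTS: List[Event] = [
    ("alice", "wire_transfer", "authenticate"),
    ("alice", "wire_transfer", "create_transfer"),
    ("bob", "wire_transfer", "authenticate"),
    ("alice", "wire_transfer", "approve_transfer"),
    ("bob", "wire_transfer", "create_transfer"),
    ("alice", "wire_transfer", "execute_transfer"),
    ("bob", "wire_transfer", "execute_transfer"),  # skipped approval
    ("carol", "bulk_export", "download_all"),      # process not in any policy
]

if __name__ == "__main__":
    matched, anomalies = run_stream(SAMPLE_EVENTS, [TRANSFER_POLICY])
    print(f"{matched} events matched policy, {len(anomalies)} anomalies")
    for a in anomalies:
        print(f"  {a.actor}/{a.process}: expected {a.expected!r}, "
              f"observed {a.observed!r}")
```

Running the stream above matches six events and raises two anomalies: Bob's out-of-order execute (expected `approve_transfer`) and Carol's activity in a process no policy describes. The point the article makes is visible in the design: the monitor only has to know the correct pattern, not the characteristics of every possible attack, and the decision is made on each event before anything is written to a historical log.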

With potentially billions of these IoT devices out there, we can't manually review historical log events to detect a potential breach activated by such a device, which in many cases today we can't even see. It is imperative that we deploy proactive real-time security solutions that can defend our digital processes against a potential onslaught of millions of IoT device actions that could quickly get out of control. This graphic demonstration shows how proactive cybersecurity technologies actually work, and my previous articles share companies actually deploying 5GL technologies to address this critical need.

Fast track cybersecurity funding

The federal government's push of the $14 billion cybersecurity bill is at least a start to defending ourselves against cyberattacks. This recent funding has major research universities scrambling for a piece of the billion-dollar pie, and partnerships like the University of South Florida, Tampa and CENTCOM have established a Florida Center for Cybersecurity to attract this funding.

Interestingly enough, a recent study by security company Enigma Software named Tampa the most-hacked city in America. This fact, coupled with U.S. Central Command's location in the Tampa Bay area, may mean a perfect partnership and location for the new Center for Cybersecurity. We should expect continued growth of cybercenters and partnerships to be funded around the world.

On the private-sector side, there is a lot of speculation and suggestion on how Apple should spend its remarkable profits -- and cybersecurity tops the list. Apple has always been known for superior security to competing operating systems, but it has shown that it, too, can be vulnerable to cyberattacks. Still, Apple is best positioned to be the leader in the IoT industry and should take the brunt of the responsibility in securing these new device technologies.

Dan Kaufman, who heads the software innovation division of DARPA, stated in a recent 60 Minutes interview that today, all devices that are on the Internet of Things are fundamentally insecure -- that there is no real security going on. With IoT projections in growth exceeding $1 trillion, securing the IoT could be Apple's greatest success. If not secured, it could be its greatest failure. 

Critical crossroads

With nearly $500 billion projected in cyberattack losses just this year, we are at a critical crossroads in addressing cyberattacks. Both the public and private sectors are demanding proactive cybersecurity technologies versus today's reactionary options. To achieve this, we must beat the hacker to the punch by deploying technologies that can authenticate, view, audit and analyze known digital policy events in real time during data in motion. 5GL allows us to audit policy event patterns at microsecond speeds during data in motion, which puts us ahead of the hacker.

We can offer these proactive cybersecurity technologies while keeping our algorithm bases and 3GL and 4GL technologies in place. These new 5GL technologies can now proactively offer the first-defense advantage over the current first-strike advantage of the hacker. If we do not do this, we will be overwhelmed by patch-and-pray reactionary cybersecurity approaches that, by the sheer volume of cyberattacks, will eventually overcome our digital processes. We must deploy new proactive cyberdefense technologies if we are to win the war on cyberattacks in our increasingly connected world. We have the money; we must now direct both public- and private-sector funding toward the right solutions to proactively defend ourselves against increasing cyberattacks.

Larry Karisny

Larry Karisny is the director of Project Safety.org, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.