The Cyber Security Context Challenge

In my last blog post, I spoke about the importance of thinking about cyber security as a resource problem rather than a technology problem. I challenged readers to think about speed and scale as a solution for the resource problem. This posting expands on that discussion by considering the importance, or lack thereof, of “context.” My assertion is that while context may matter in some situations, it is one of the biggest impediments to implementing effective cyber security today.

The cyber security community is primarily made up of geeks, technologists, and nerds who typically can’t help going down a rabbit hole when it comes to digging into a problem. This growing community of men and women is on the front lines of protecting our payment systems, preserving our privacy, and keeping valuable intellectual property from getting sucked out of the servers of companies of all sizes.

One of the most important, but underappreciated, roles in a security organization is that of the analyst. A good analyst is supposed to be able to wade through a cacophony of noise and alerts to find an indication that something bad is happening. They are then tasked with pulling that thread, adding in additional information on the attack such as indicators of compromise, impact on the organization, TTPs (tactics, techniques, and procedures), and potentially affected systems.

All of this information is critical to helping the organization stop the attack and protect its systems from further negative effects. Plus, it would be nice if the analyst could accomplish all of this within minutes, because that is typically how long it takes for an attacker to successfully compromise a system. To help in this process, we have a whole technical community that has developed training, playbooks, automation and orchestration tools, threat intelligence, and a range of other tools, all designed to help the analyst gain context faster.

Now, it is REALLY important that we stop right now and ask ourselves, “how many companies out there can really do all of this stuff effectively?”

IF a company MUST invest in analysis, resources, tools, and data in order to be successful in cyber security, THEN most companies might as well just give up now. Pack your bags, put on your tinfoil hats, head to your fallout shelters, and get used to eating MREs (meals ready to eat -- a delicacy our military members are quite fond of), because the world is going to end and it ain’t going to be pretty.

Believe it or not, there is actually another way, so don’t despair!

In order to begin to make progress in cyber security, we need to throw away the need for context as a starting point. We must ignore that impulse to ask “who” or “why” first. The reason for this is quite simple: the volume of attacks is too great for us to spend time on context as a first step. The first step should actually be to block or otherwise stop the attack, and then work together as a community to understand commonalities or differences in the attacks we are facing, where such commonality exists. In order to highlight the benefit of such an approach, let me quickly introduce you to two fascinating systems: spam blocking on Android phones and the Google Safe Browsing initiative.

Simple Design, Awesome Effect
If you aren’t aware, in recent years, a revolutionary new feature has been introduced into Android phones. This feature is known as “caller ID & spam” protection and is enabled by a single slider box in the phone settings.  The functionality is quite simple, but the effect is awesome.  Basically, if you get a spam call and hang up quickly, the phone will ask you if the call was spam.  You also have the ability to report calls as spam.  This information is quickly and easily reported by the user and is used to protect other users.  When you receive a phone call from a suspected spam caller, the phone screen turns red and you can choose to chance it and learn about the cruise you just won or you can ignore the call and go back to playing Clash of Clans.  Just think about the efficiency of this process.  It takes just a second to report a spam call and you don’t really even have to think about it.  It also saves users a significant amount of time and frustration by not picking up that call and having to deal with letting the other person on the phone know that you don’t really need your carpets cleaned today.  All of this is done without context from a user perspective and the analytics and complexity are all handled behind the scenes.

Highly Complex, Completely Transparent
A second example can be found in the Google Safe Browsing initiative. This is probably one of the most significant security advancements within Google, and most people are completely unaware that it is even happening. Google uses a combination of inputs, ranging from its massive search engine database, links sent to or from users within its ecosystem, and reporting from the Chrome browser, to continuously monitor and scan the Internet for malware and phishing sites. As a sidebar, if you are looking to test the slick new phishing site you just created, then be careful about sending it to someone using Gmail, because Google will flag it as a potentially malicious site very quickly. Now, think for a minute about the complexity of the analytics that must be occurring behind the scenes to differentiate between a legitimate banking site and one that is not. Also, think about the volume of analytics being performed, given the fact that they are looking at “billions of URLs per day looking for unsafe websites” (https://www.google.com/transparencyreport/safebrowsing/). From a user perspective, however, it is quite simple. If you are using Chrome as your browser and happen to click through that Facebook link to a fake news website that is hosting malware, you will be presented with a bright red warning screen telling you that death and destruction lie ahead if you visit the site. If you are like me, your response is to just click the back button and move on. You don’t ask who posted the site, what malware they used, why they targeted you, what language they speak, what type of car they drive - did you? No, of course not, because you don’t really care. This is an incredible example of a situation where the broad population does not, and should not, care about context.
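Both examples above (one-tap spam-call reporting on Android, and the red warning page in Chrome) share one shape: many users submit tiny reports, a backend aggregates them, and every client gets back a plain verdict with no “who” or “why.” The following is an added illustration of that shape, not code from the original post and not how Google or Android actually implement their services. The report threshold, the per-reporter deduplication, the hash-prefix lookup (so a client never sends the raw number or URL it is checking) and all sample identifiers are assumptions made for this example.

```python
"""Crowd-sourced, block-first reputation service (added illustration).

Backend aggregates one-tap reports; clients get only ALLOW/BLOCK.
Threshold, prefix lookup and sample data are assumptions, not the
design of any real service.
"""
import hashlib
from collections import defaultdict

# Assumed policy knobs (not from the original post).
REPORT_THRESHOLD = 3   # distinct reporters needed before an identifier is flagged
PREFIX_BYTES = 4       # clients query only this many bytes of the hash


def _full_hash(identifier: str) -> bytes:
    """Normalise (trim, lowercase) and hash so the backend stores no raw values."""
    return hashlib.sha256(identifier.strip().lower().encode()).digest()


class ReputationService:
    """Backend side: aggregates reports, publishes a flagged-hash set."""

    def __init__(self, threshold: int = REPORT_THRESHOLD):
        self.threshold = threshold
        # full hash -> set of reporter ids; a set so one user cannot push an
        # identifier over the threshold alone by reporting it repeatedly
        self._reports: dict[bytes, set[str]] = defaultdict(set)

    def report(self, identifier: str, reporter_id: str) -> bool:
        """Record one report; True only for the report that crosses the threshold."""
        h = _full_hash(identifier)
        before = len(self._reports[h]) >= self.threshold
        self._reports[h].add(reporter_id)
        after = len(self._reports[h]) >= self.threshold
        return after and not before

    def flagged_hashes(self) -> set[bytes]:
        return {h for h, who in self._reports.items() if len(who) >= self.threshold}

    def lookup_prefix(self, prefix: bytes) -> set[bytes]:
        """Return every flagged full hash sharing the prefix; the backend sees only the prefix."""
        return {h for h in self.flagged_hashes() if h.startswith(prefix)}


class Client:
    """User-facing side: a verdict only, with no context exposed or required."""

    def __init__(self, service: ReputationService):
        self.service = service

    def verdict(self, identifier: str) -> str:
        h = _full_hash(identifier)
        candidates = self.service.lookup_prefix(h[:PREFIX_BYTES])
        return "BLOCK" if h in candidates else "ALLOW"

    def quick_report(self, identifier: str, reporter_id: str) -> None:
        """The one-tap 'this was spam' action."""
        self.service.report(identifier, reporter_id)


def demo() -> dict[str, str]:
    """Constructed scenario: three users flag one number; one user spams a URL report."""
    svc = ReputationService()
    client = Client(svc)
    for user in ("user-a", "user-b", "user-c"):
        client.quick_report("+1 555 0100", user)
    for _ in range(5):
        client.quick_report("http://example.invalid/login", "user-a")
    return {
        "+1 555 0100": client.verdict("+1 555 0100"),
        "http://example.invalid/login": client.verdict("http://example.invalid/login"),
        "+1 555 0199": client.verdict("+1 555 0199"),
    }


if __name__ == "__main__":
    for ident, result in demo().items():
        print(f"{result:5} {ident}")
```

The point to notice is where the complexity lives: the threshold logic, deduplication and storage are entirely on the backend, while the client asks a single yes/no question and acts on it. Anything deeper (why the identifier was reported, by whom, what the attack was) is available to whoever runs the backend and is never required of the user.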

So, in closing, how can we learn from these examples and start to think about implementing broad-based protection across companies of all sizes in a way that abstracts out complexity, removes context, and simply allows those organizations to go about their respective lives? How can we build and design systems that allow the analytics to be performed across companies big and small without requiring significant investments in resources by the smaller companies, while still benefiting from the context and deep research resources available to the largest companies? How can the seemingly unlimited investments in cyber security by organizations such as Bank of America, Wells Fargo, and JP Morgan Chase be used to protect the thousands of smaller banks that are lucky to have a single member of their IT staff who can spend time every day looking into cyber threats? Certainly, organizations such as the Information Sharing and Analysis Centers (ISACs) are a start, as are efforts such as Automated Indicator Sharing (AIS) by the Department of Homeland Security (https://www.us-cert.gov/ais). But these aren’t fast enough. They just don’t scale fast enough. They don’t work for the countless small and mid-sized companies that are facing the same level of cyber threat as the large companies with just a fraction of the resources. It is time for us as a community to design new approaches to solving this problem once and for all.

Have a great idea on how to do this?  I would love to hear from you!