If we assume that security isn’t a security problem but really a resource problem, then how can we start to address it from a defensive perspective? The most important thing we can do is to develop information that is actionable, meaning it can be acted on in an automated fashion. There is some great thinking going into this concept within the IACD initiative at The Johns Hopkins University Applied Physics Laboratory (see here: https://www.iacdautomate.org/), but I think it is also important to talk about what we can change today—right now—to make a difference in cyber security.
Fixing the Imbalance
I often talk about the imbalance between what larger companies with larger budgets and more people can do versus the other 99% of companies—this disparity must be addressed immediately, and we can’t let perfect be the enemy of good. It is great in theory to say that we need to find a way to start forcing smaller companies to invest in cyber security, but that isn’t reality. Smaller banks, hospitals, doctor’s offices, investment firms, and electrical utilities simply do not have the resources to approach cyber security in any form or fashion that is similar to their larger counterparts—and I would argue they never will. However, there is a shift in mindset that needs to occur around how those companies with the ability to invest can support those that can’t. While many of these companies are in fact competitors, having a business ecosystem that can maintain the trust and confidence of its consumers is a greater good. Further, pretending that the fortunes and futures of these companies are not linked in a number of ways (supply chains, vendors, partners, etc.) is like an ostrich sticking its head in the sand.
Making Information Actionable
So, the key question is how can we make information actionable and make a difference today?
There are two parts to this question: (1) What “information” are we talking about? (2) What does it mean to make that information “actionable”? First, as I stated in a previous blog post, the information we are discussing concerns the infrastructure being used by the “bad guys.” The primary purpose of sharing this information should be to raise the resources the bad guys need in order to be successful. Today, an attacker can set up a fake DocuSign phishing attack, hit a thousand companies over the course of a couple of weeks, and succeed in compromising 20 of those companies. Very few resources were required here for a big payoff. The information in this case would be the domain name and URL of the phishing attack and the IP address of the server that hosts it. When a phishing attack like this occurs, it is almost always served from a compromised host that can then be used for other purposes by the attacker.
So, how do we make this actionable? Actionable to me means that once anyone becomes aware of this phishing attempt, the infrastructure gets “burned” and anyone that comes into contact with that infrastructure is able to block communications to and from that infrastructure. Now, it is easy to say that much of this work has been accomplished with threat intelligence platforms, information sharing, and great sites such as PhishTank, VirusTotal, and a myriad of others—but here is where the rub occurs:
Most smaller companies (99% of the companies by our calculations) have no ability to benefit from these capabilities because they don’t have a team of security analysts that can consume the information. They don’t have Splunk or ArcSight or AlienVault or (name your SIEM) installed. They have no ability to purchase or consume threat intelligence. They have very limited firewalls or other security infrastructures installed. They are surely not logging network traffic or netflow and archiving it in any searchable form. Spoiler alert: Many of the largest companies aren’t doing most of this very well either.
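To make the idea of “burning” infrastructure concrete, here is an added example (not code from the original post or from Dark Cubed) that takes the three kinds of indicator named above, the phishing URL, its domain, and the hosting IP, and automatically turns them into block decisions over a handful of proxy/DNS-style log entries. All indicator and log values are constructed (`.invalid` names and documentation IP ranges), and the log record layout is an assumption.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed indicators for one phishing campaign, as a sharing feed might
# deliver them: the phishing URL, its domain, and the IP of the host serving it.
# Values are invented (.invalid TLD, documentation IP range), not real infrastructure.
INDICATORS = ["https://login-docusign.example.invalid/sign/doc.php",
              "login-docusign.example.invalid", "192.0.2.44"]

def normalize(indicators):
    """Sort raw indicators into burned domains, exact URLs, and IP networks."""
    domains, urls, nets = set(), set(), []
    for ind in indicators:
        ind = ind.strip().lower()
        try:
            nets.append(ipaddress.ip_network(ind, strict=False))  # IP or CIDR
            continue
        except ValueError:
            pass
        if "://" in ind:                      # full URL: keep it and its host
            urls.add(ind)
            ind = urlparse(ind).hostname
        domains.add(ind)
    return domains, urls, nets

def domain_matches(host, domains):
    """True if host is a burned domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(record, domains, urls, nets):
    """record is one parsed proxy/DNS/netflow entry; returns 'block' or 'allow'."""
    url = record.get("url", "").lower()
    host = record.get("host") or (urlparse(url).hostname if url else None)
    if (host and domain_matches(host, domains)) or url in urls:
        return "block"
    dst = record.get("dst_ip")
    if dst and any(ipaddress.ip_address(dst) in n for n in nets):
        return "block"   # IP hits can over-block shared hosting; review those
    return "allow"

# Constructed log entries a small organisation's resolver or proxy might emit.
LOG = [{"host": "mail.login-docusign.example.invalid", "dst_ip": "192.0.2.44"},
       {"host": "www.example.invalid", "dst_ip": "198.51.100.7"},
       {"url": "https://login-docusign.example.invalid/sign/doc.php"},
       {"dst_ip": "192.0.2.44"}]

def run(indicators=INDICATORS, log=LOG):
    """Apply the indicator set to every log entry and return the decisions."""
    domains, urls, nets = normalize(indicators)
    return [decide(r, domains, urls, nets) for r in log]
```

The subdomain match catches the attacker reusing the burned domain under a new hostname, while the IP match is the one most likely to over-block and is the decision a small organisation would want a second look at.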
Launching Something New
Dark Cubed is on a mission to change the world in cyber security by developing the capability to generate, share, and act on this information—all without assuming that our customers will have the time or ability to manually take action. We automate the sharing of real-time network information and make it fully anonymous to protect our customers. We have developed innovative algorithms and machine learning capabilities that identify threats in our customers’ networks in near real time, we integrate years of threat intelligence and lessons learned into our monitoring, and we allow our customers to be automatically protected from threats that would previously have slipped in under the radar. 2018 is going to be a big year for Dark Cubed. We are getting ready to launch a new capability, and it is going to be big. This new capability came out of discussions among our team about how we can better help companies of all sizes be successful in our mission of changing the future of cyber security.
Stay tuned for more information as we begin to announce what we have been working on!