Cybersecurity Spring 2010 • Volume 2 • Number 2
Enabling Cyber Defenders
By Jeff Erlichman, Editor, On The FrontLines
Government relies on a wide variety of approaches and tools to keep the bad bits out and let the good bits in. Here are three examples.
The reality is that more new bad code is being developed than good code.
“There are 50,000 new, bad applications being developed per day,” explained Mike Carpenter, Senior Vice President for Public Sector at McAfee, during The Federal Executive Forum.
“I venture to say that there are probably not 50,000 good commercial applications being developed per day. So there is more bad code being developed than there is good code.”
According to Carpenter, the current way we defend our networks and systems is about identifying what malware is and preventing it from getting in.
“We have over 450 researchers around the globe; their only job and their skill set is to identify malware and then be able to decode that malware protection back to our customers. We have a global footprint.”
That global footprint consists of over 150 million sensors around the globe that feed the McAfee Cloud, enabling analysts to provide intelligence and tools to help government defend against attacks.
But 50,000 new, bad applications is a staggering number. So, what Carpenter and his industry partners are grappling with is “how we can get ahead of that?”
“I believe the future in prevention is not about getting in front of the bad threat, it’s about identifying good code that should be executing on your systems,” Carpenter said.
He favors an approach that moves from blacklisting toward more whitelisting: looking at which applications should be accessing which resources on your system, and which IPs should be traversing your network.
“You are looking for good information rather than necessarily looking for bad information since there has been a major shift in global development of code.”
Identifying Chains of Attack
Whitelisting is sure to gain more traction in the future. Blacklisting has traction right now.
“About 80% of the cyber attacks that occur in technology that has been developed today have a signature that we recognize, we’ve blacklisted it. A Juniper system can shut it down,” Lee Holcomb, Lockheed Martin’s Vice President, Strategic Initiatives, explained during the Federal Executive Forum.
“But about 20% of the attacks today fall into this category that’s called ‘advanced persistence’. A lot of what we are focusing on is really looking at that 20% that is very hard to catch.”
Holcomb described the concept Lockheed Martin developed on its own internal network, which serves about 120,000 people and so looks very much like a large government agency to foreign adversaries.
“We look at a chain of attack. How does a bad guy come after you? They do reconnaissance, maybe on your network or maybe on social sites they go to,” Holcomb said. “They do reconnaissance; they do delivery of an attack; they do an exploit and compromise you; they then do command and control; and then they exfiltrate data from your site. We’ve watched that process.”
Lockheed has catalogued about 55 different campaigns and built a database of how each behaves. They share that information.
“We’ve been able to identify the patterns, and we may miss the bad guys at one of these stages, but if we look at the whole pattern we’ve actually been able to catch folks in the pattern, even when we don’t know the signature of the attack,” said Holcomb.
“So we think this is a new paradigm; we think that this is a direction that needs to be taken to be more effective as a cyber defender. It’s a lot easier to be a cyber warrior, quite frankly. It’s more difficult to be a cyber defender. And so we are trying to make the cyber defender more effective.”
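The whole-pattern idea Holcomb describes, as an added illustration that is not Lockheed Martin's code: events from different sensors are grouped per host and mapped to the five chain stages, and a host is flagged when several stages appear in order within a time window, even when one stage (here the exploit) produced no signature hit. The stage names, hosts and log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The chain of attack as described above, in order.
STAGES = ["reconnaissance", "delivery", "exploit", "command_and_control", "exfiltration"]

# Constructed sample events: (timestamp, host, stage, detail). Not real data.
EVENTS = [
    ("2010-03-01T09:00:00", "ws-17", "reconnaissance", "inbound port scan from 203.0.113.5"),
    ("2010-03-01T09:42:00", "ws-17", "delivery", "email attachment quarterly.pdf.exe"),
    # no exploit-stage event: that step had no known signature and was missed
    ("2010-03-01T10:05:00", "ws-17", "command_and_control", "beacon to 198.51.100.9:443 every 60s"),
    ("2010-03-01T11:30:00", "ws-17", "exfiltration", "85 MB outbound to 198.51.100.9"),
    ("2010-03-01T08:10:00", "ws-22", "reconnaissance", "inbound port scan from 203.0.113.5"),
    ("2010-03-02T14:00:00", "ws-22", "delivery", "email attachment invoice.zip"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def chain_alerts(events, min_stages=3, window=timedelta(hours=24)):
    """Return {host: [stages seen]} for hosts showing >= min_stages distinct
    chain stages, in chain order, inside one sliding window."""
    by_host = defaultdict(list)
    for ts, host, stage, detail in events:
        by_host[host].append((parse(ts), STAGES.index(stage), detail))

    alerts = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological
        best = ()
        # Start a window at each event and collect later stages, in order, within it.
        for i, (t0, s0, _) in enumerate(evs):
            seen = [s0]
            for t, s, _ in evs[i + 1:]:
                if t - t0 > window:
                    break
                if s > seen[-1]:  # only accept progress along the chain
                    seen.append(s)
            if len(seen) > len(best):
                best = tuple(seen)
        if len(best) >= min_stages:
            alerts[host] = [STAGES[s] for s in best]
    return alerts


if __name__ == "__main__":
    print(chain_alerts(EVENTS))
```

Host ws-17 is flagged on four stages with the exploit stage missing, while ws-22 is not, because its two stages fall outside the 24-hour window.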
Cyber Cloud Computing
Imagine the Cloud as a backhoe filled with 40 quadrillion bytes of data, serving as the workhorse.
It has the brute strength to perform the tremendous amount of analytics needed to cull “golden nuggets” from an ever-growing mass of “Big Data” that can arrive at any time and in any format, at a rate of 50,000-60,000 new cyber events per second.
Then it can pick the best set of data in real time and feed these “golden nuggets” to precision instruments (e.g. Oracle, PeopleSoft) analysts can use to make decisions in as close to real time as possible.
So, when analysts are defending against cyber threats, they can analyze data in close to real time—not 24 hours old—thus improving defense capabilities exponentially to thwart attacks.
The ultimate goal is real-time situational awareness.
Big Data allows better decision making through a more effective way to store, manage and analyze data, said Josh Sullivan of Booz Allen Hamilton in a recent interview.
He explained how the Cloud was this backhoe, the brute-force workhorse that fed them golden nuggets. At the same time, they could still use their existing suite of visualization and analysis tools and keep all the capital they had built up around those tools, but the source feeding those precision instruments was the Cloud.
The scalability of the Cloud allowed them to do a tremendous amount of analytics and pick the best set of data in near real time to feed to those precision instruments, instead of relying on the precision instruments to pick out the golden nuggets from an ever-expanding sea of data, said Sullivan.
Sullivan explained that if there was a critical node they wanted to analyze, every hour they could compute everything they wanted to know about that node and store it for later retrieval.
So, if there were 1,000 critical devices to constantly monitor, the Cloud would be used as the workhorse to continually pre-compute all available data for those devices and have the information ready for analysts or other machines to consume as needed in real time.
All of these experts agree that it is easier to be a cyber warrior and much more difficult to be a cyber defender. Using blacklisting and whitelisting technologies, along with the sheer computing power of the Cloud, is helping balance the scales and make cyber defenders more effective.