Algorithms are changing the face of situational awareness and online security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 3 Jan 2014 19:57:55 -0700
There's no doubt that the age of online information has created new
national security threats, which have made it a priority for enterprises and
governments to secure their networks and IT infrastructure.
Anthropological techniques offer an alternative perspective for researchers
who aim to develop intuitive, multi-tiered security for cyberspace.
A focal point of this research is what’s called ‘tacit knowledge’: knowledge
that is implicit, as opposed to the formal knowledge that characterizes the
duties and tasks performed by security institutions. One way to illustrate
this kind of knowledge is the content of folk songs. We are all familiar with
the sayings and implications in the lyrics of folk songs from our own culture,
yet those of other cultures are foreign to outsiders. You have to live it to
understand it.
A primary concern of security analysts is that open-source and commercially
developed tools lack this intrinsic understanding of security analysis,
leaving the tools many analysts depend on inadequate. The result is
labor-intensive resolution of questions such as exactly what data has been
compromised, and how did an attacker penetrate
Where a human may need several minutes to perform a technical task, an
algorithm may need only a few seconds, freeing intelligent minds to
concentrate on problems of greater complexity. Network attacks are frequently
automated by scripts and bots. Defenders are at a disadvantage when the
analysts on their side lack streamlined processes to repel such attacks or
minimize the damage they cause. With more sophisticated tool support,
researchers hope to automate standard tasks that have traditionally been
performed by human beings.
Eradicating human error may improve the nation’s defense apparatus
Because a good number of cyber-attacks are automated, automation is central
to cyber security. Yet professional analysts usually need a lot of time to
locate the system that a virus or other malware has breached. When human
error is added, valuable time for finding a resolution and deploying it is
lost, leaving even more data at risk. Humans are prone to mistakes. While
algorithms are not entirely mistake-free, they can include quality-control
steps that a human analyst may fail to carry out because of fatigue or other
reasons.
As a result, identifying a breach becomes a numbers game, and an automated
attack has inherent advantages in its favor, not least time. If some defense
mechanisms are automated, including matrix processing, error correction and
other statistical techniques, faster problem resolution and a sharp reduction
in human error become achievable.
Greater central standards and algorithms trigger mechanisms to combat
Algorithms translate processes performed by humans into instructions that
computer systems can carry out at a sophisticated level. At its core, an
algorithm ‘understands’ a problem and, based on the available data and
instructions, produces a desirable result. Well-designed algorithms get at the
heart of a process and produce output computationally across a very large
number of scenarios. Defense mechanisms must gather and process large amounts
of data from a wide net, which is difficult for humans. With automation built
on a sound framework, an appropriate response can be deployed more quickly.
Large-scale systems such as communications and power are constantly under
attack, and while system redundancy is one means of protection, threats are
advancing in complexity and damage potential.
Algorithms could predict attacks and improve situational awareness
There are at least seven aspects of situational awareness (SA) that can
affect the quality of cyber defense measures. Most critical is a firm grasp of
the current situation, or perception. This involves recognition and
identification: the type of attack, the people or organizations involved, and
so on. It means more than merely detecting that an intrusion has taken place;
it means establishing precisely what event is occurring.
The implications and impact of the attack must be ascertained so that the
defense mechanisms in place can focus effort where it is needed and respond
appropriately. Two components are of primary concern here: damage assessment
and the future implications of the attack. It follows that analysts must have
a keen awareness of how such situations evolve, gained by analyzing how the
situation came about.
At this point, questions arise as to why such a situation has arisen. This is
where the detective work begins, concentrated on tracing the steps leading up
to the attack, which ultimately identifies the vulnerabilities exploited.
Another crucial aspect, though a lesser priority, is the quality of the data
collected on the preceding events: its soundness, its validity and how
recently it was gathered.
From here, we can begin to assess the plausibility or likelihood of future
attacks. The newly assessed information may give us a picture of the
attackers and their capabilities, and then help filter all possible scenarios
down to those likely to recur. Arriving at a plausible profile comes down to
knowing the adversaries as well as the vulnerabilities in the defense systems
that are in place.
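The stages above, and the quality-control steps argued for earlier under human error, can be partly automated even with simple rules. The following is an added example, not code from the original article: a triage pass over a handful of constructed SSH authentication log lines (the sample lines, the 198.51.100.7 and 203.0.113.9 addresses, and the analysis time are all invented for illustration). The parser rejects malformed and stale lines and reports how many it dropped (data quality), the detector finds a burst of failed logins from one source (perception: attack type and actor) and checks whether any login from that source succeeded afterwards (comprehension: impact). Projection of future attacks is left to the analyst.

```python
"""Automated triage over constructed SSH auth log lines, mapped onto the
situational-awareness stages described in the text. Added example; not code
from the original article."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample input (syslog-like; not taken from any real system).
SAMPLE_LOG = """\
2014-01-03T19:40:01Z sshd[2201]: Failed password for root from 198.51.100.7 port 51022
2014-01-03T19:40:03Z sshd[2201]: Failed password for root from 198.51.100.7 port 51023
2014-01-03T19:40:04Z sshd[2201]: Failed password for admin from 198.51.100.7 port 51024
2014-01-03T19:40:06Z sshd[2201]: Failed password for root from 198.51.100.7 port 51025
2014-01-03T19:40:09Z sshd[2201]: Accepted password for root from 198.51.100.7 port 51026
2014-01-03T19:41:12Z sshd[2202]: Failed password for alice from 203.0.113.9 port 40210
this line is garbage and should be rejected by the quality check
2013-12-01T08:00:00Z sshd[1999]: Failed password for bob from 203.0.113.9 port 40001
"""

# Assumed "now" for the analysis run (constructed to match the sample data).
ANALYSIS_TIME = datetime(2014, 1, 4, tzinfo=timezone.utc)

# Only this one line shape is accepted; anything else is treated as bad data.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_events(text, now, max_age=timedelta(hours=24)):
    """Data-quality stage: keep only well-formed events no older than max_age,
    and count what was rejected so the analyst can see how much was dropped."""
    events, dropped = [], {"malformed": 0, "stale": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            dropped["malformed"] += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - ts > max_age:
            dropped["stale"] += 1
            continue
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "ok": m["result"] == "Accepted"})
    events.sort(key=lambda e: e["ts"])
    return events, dropped


def detect_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Perception and comprehension stages: per source address, look for
    `threshold` failures inside `window` (attack type and actor), then check
    whether any login from that source succeeded once the burst began (impact)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        burst_start, lo = None, 0
        for hi, f in enumerate(fails):  # sliding window over the failures
            while f["ts"] - fails[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_start = fails[lo]["ts"]
                break
        if burst_start is None:
            continue
        burst = [e for e in evs if e["ts"] >= burst_start]
        targets = sorted({e["user"] for e in burst if not e["ok"]})
        compromised = sorted({e["user"] for e in burst if e["ok"]})
        findings.append({
            "attack": "ssh password brute force",
            "actor": src,
            "targets": targets,
            "compromised": compromised,
            "severity": "likely compromise" if compromised else "attempted",
        })
    return findings


def triage(text, now):
    """Run the whole pass; return the findings and the data-quality report."""
    events, dropped = parse_events(text, now)
    return {"findings": detect_brute_force(events), "dropped": dropped}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ANALYSIS_TIME)
    for finding in report["findings"]:
        print(finding)
    print("dropped:", report["dropped"])
```

On the sample input the pass flags one actor, reports root as compromised because a success followed the burst, and records that one malformed and one stale line were discarded rather than silently counted. Keeping the rejected-line counts alongside the findings is the point of the data-quality stage: a finding built on a feed that dropped most of its input should not be trusted as much as one built on a clean feed.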
Automation fosters better training, education and time to focus on unique
Security directives are manifested in defense policy, standards and
procedures, and in the training needed to support those initiatives.
Training, though a critical necessity, is fraught with possible stumbling
blocks and monopolizes valuable resources, namely instructors and trainees.
It is critical that the focus be on cutting-edge training and techniques.
For the reasons given in the preceding sections, analysts are typically
tasked with processing data that could be handled with the support of
automated tool-sets. These tool-sets must not only cover standard operational
control methods, such as process control and critical path analysis, but must
also support a defense posture that evolves and quickly grasps the nature of
cyber threats. The tools and their underlying algorithms should reflect the
nature of the data being processed, and must also take into consideration
various cultural and
Training should take a comprehensive approach, in which procedures concerned
with situational awareness are automated and the efforts of analysts and
consultants are focused on broader or more specific threats. Additionally,
awareness training should have a group focus while emphasizing the
capabilities of individuals, so that analysts and consultants are best
equipped to handle their specific responsibilities.
The cumulative effect of cyber security training should be a layered
approach that allows algorithms to take on a larger role in identifying and
recognizing a breach, the actors involved and the defense measures that may
be appropriate. Vulnerabilities and post-mortem risk assessment should also be
a focus of awareness training and one of the functions of an automated
tool-set.
Algorithms are seen by many as a key component of the technological
advancement of humanity and society. Effective cyber security is a primary
means of maintaining stability, and its first line is a sound defense against
cyber attacks. Algorithms applied to networks will operate on ever larger data
sets, employing advanced knowledge-discovery and forecasting techniques.
The future importance of algorithms lies in converting mathematical and
logical statements into process instructions that increasingly account for
the environment and the evolving situation of our defense networks, and for
the threats to their effectiveness and stability.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.