October 16, 2013 By Larry Karisny
While security clearance and authentication processes are essential to physical and other security, the physical DC Navy Yard breach by Aaron Alexis and the state secret breaches by Edward Snowden illustrate some disturbing weaknesses in personal validation and authentication. These clearance breaches were very different in nature but show a range of how a person’s calculated action can subvert basic security measures.
Neither top secret clearance, sophisticated authentication nor the most advanced encrypted information systems can necessarily stop an intended breach action. These security procedures are not designed to detect real-time actions and anomalous business processes from authorized personnel. These practices are just the "moat around the castle" approach upon which most current cybersecurity technologies are based. Current national security breaches clearly show we need to do more.
The highest percent of breaches occur inside an organization. When a criminal wants something specific he or she will choose the path of least resistance to obtain it. Cybercriminals don’t do this by breaking complex security algorithms. They normally do it by gaining access as a trusted insider, using and manipulating secured and authorized software and hardware to which they have access.
Corporate espionage has utilized this methodology for years and now entire countries are using software exploits to gain access to state secrets in this new cyberwar. Authenticated access is not the issue. The unknown enemy already has access. We need to quit focusing so much on allowing and disallowing access and instead watch the business system process tools and how people are using them.
As our organizational systems grow larger and our business process and control systems become more complex and connected, we begin to lose track of what we are doing, let alone securing what we are doing. We currently run business processes using layers of software, hardware and people all trying to achieve a certain departmental or subsystem task. Whether software, machine or human -- the actions of these process components are seldom if ever combined in a single understandable view of the entire process. By not allowing a total system action view, the breach of a single process action could greatly affect other connected process actions and potentially take down the whole system.
These process actions are the Achilles heel of cybersecurity and they cannot be defended by hardening physical, network or system information process security. We need to direct our attention more toward action viewing technologies vs. encrypted authorized actions. We need to assume the enemy is already in and needs to be watched.
While many people are very concerned about technical snooping capabilities, the fact is that we need better snooping capabilities in areas such as critical infrastructure, industrial control systems, intellectual property and national defense. We have created massive intelligence process capabilities through computer software, hardware and networks and have done a pretty good job securing the transport and storage of information but little in securing system processes. When we interconnect multiple actions to multiple processes without detection capabilities, we leave a wide open opportunity for breaches. Physical security in background checks, biometric authentication, RFID location based services and network encryption all have value, but they alone will not stop an authenticated breach. We are not even looking in the right place.
The recent national security breaches were recognized at the action output level after the breach action already occurred. These breaches demonstrate two very important requirements in security that we must be concerned with. One is that we need to add intelligence to physical, human and machine actions that view and even predict a physical breach like a person breaking barricades. We can’t just go back to the old days and think that getting rid of all this digital smart stuff will improve security. It won’t. These intelligent and connected technologies can greatly help both physical and digital security if properly implemented. There are a multitude of technologies that can give intelligence to our physical world.
The second important requirement is the timing of when a process action breach occurs versus when a process breach can be observed and blocked. This is where new technologies such as anomaly detection can be used to recognize, audit and block these process actions at the real-time data input level when seconds matter. The technologies exist and are called anomaly detection. Companies such as IBM and Decision Zone have so much belief in these technologies that they have both patented their solutions. When things aren’t working properly, demonstrated by the scale and magnitude of the cyber breaches we see today, we need to do something different and there are some security companies that are realizing this. So the big question is how much? The answer may surprise you.
One of the biggest concerns in security services is the initial cost in deploying these technologies, the continued cost in using them and how these costs can be justified. Even improvements in first-level authentication and IT security are not yet considered a cost of doing business although these opinions are changing. There are ROI calculators that are now at least trying to put a number on the cost of potential security breaches and attempts to reduce insurance policy premiums when cybersecurity defensive plans can be demonstrated.
Security is only the anomaly detection of an incorrect process action. More accurately viewing the process actions through anomaly detection can also improve the total process. Security is really only a byproduct of detecting anomaly actions that are not part of the process. People are not buying security because they can’t justify the cost. Both the public and private sectors can gain efficiencies through the use of anomaly detection resulting in service savings or profit that would justify the cost of security. The process efficiencies gained through anomaly detection technologies can absorb the cost of security while improving process actions.
Problems occur in business processes when someone or some technology does something wrong whether intentional, mistakenly or as part of a targeted attack. We can only achieve true security when multiple actions and process can be detected simultaneously and in real time. New technologies are offering these capabilities in a time when we are rapidly expanding interconnected humans to intelligent machines that have capabilities that are so large we are having trouble even viewing these processes.
We need to start recognizing that authentication of a person no matter how accurate the techniques used are only the first level of cybersecurity. True security can only be achieved when combining prevention and detection technologies at the real time business or process input action level. Most security breaches occur quickly and are themselves an input process action. Using technology than can focus on these input actions is where we need to focus our efforts.
True cybersecurity will be obtained when we can effectively view, audit, correct and block organizational process actions. If you could have a technology that does this, then why not?
Larry Karisny is the director of ProjectSafety.org, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and critical infrastructure.