While security clearances and authentication processes are essential to physical and information security, the physical breach of the DC Navy Yard by Aaron Alexis and the state-secret breaches by Edward Snowden illustrate disturbing weaknesses in how we vet and authenticate people. These two breaches were very different in nature, but together they show the range of ways a person's deliberate action can subvert basic security measures.
Neither a top secret clearance, strong authentication nor the most advanced encrypted information systems will necessarily stop a deliberate breach. These controls are not designed to detect, in real time, anomalous actions taken by authorized personnel inside a business process. They are the "moat around the castle" approach on which most current cybersecurity technology is based. Recent national security breaches clearly show we need to do more.
The Enemy Within
The largest share of breaches originates inside the organization. A criminal who wants something specific will choose the path of least resistance to get it. Cybercriminals do not do this by breaking complex cryptographic algorithms; they normally do it by gaining access as a trusted insider and then using and manipulating the secured, authorized software and hardware to which that insider already has access.
Corporate espionage has used this approach for years, and now entire countries use software exploits to gain access to state secrets in this new cyberwar. Authenticated access is not the issue: the unknown enemy already has access. We need to stop focusing so much on allowing and disallowing access and instead watch the business process tools and how people are using them.
As our organizational systems grow larger and our business process and control systems become more complex and interconnected, we begin to lose track of what we are doing, let alone of securing what we are doing. We run business processes through layers of software, hardware and people, each trying to accomplish some departmental or subsystem task. Whether the component is software, a machine or a human, the actions of these components are seldom if ever combined into a single understandable view of the entire process. Without that total view of system actions, the breach of a single process action can ripple into other connected process actions and potentially take down the whole system.
These process actions are the Achilles' heel of cybersecurity, and they cannot be defended by hardening physical, network or information system security alone. We need to direct more of our attention toward technologies that observe actions rather than toward merely encrypting and authorizing them. We need to assume the enemy is already in and needs to be watched.
What We Don’t See Can Hurt Us
While many people are concerned about technical snooping capabilities, the fact is that we need better snooping capabilities of our own in areas such as critical infrastructure, industrial control systems, intellectual property and national defense. We have built massive intelligence processing capabilities from software, hardware and networks, and we have done a reasonably good job of securing the transport and storage of information, but little to secure the system processes themselves. When we interconnect multiple actions across multiple processes without the ability to detect what those actions are doing, we leave a wide-open opportunity for breaches. Background checks, biometric authentication, RFID location-based services and network encryption all have value, but on their own they will not stop a breach by an authenticated user. We are not even looking in the right place.
The recent national security breaches were recognized at the output level, after the breach action had already occurred. They demonstrate two important security requirements. The first is that we need to add intelligence to physical, human and machine actions so that we can observe and even predict a physical breach, such as a person breaking through barricades. We cannot simply go back to the old days and assume that getting rid of all this digital smart technology will improve security. It won't. Properly implemented, these intelligent and connected technologies can greatly help both physical and digital security, and there is a multitude of technologies that can bring intelligence to our physical world.
The second requirement concerns timing: the gap between when a process action breach occurs and when it can be observed and blocked. This is where anomaly detection can recognize, audit and block process actions at the real-time data input level, when seconds matter. The technology exists. Companies such as IBM and Decision Zone believe in it enough to have patented their solutions. When things clearly are not working, as the scale and magnitude of today's cyber breaches demonstrate, we need to do something different, and some security companies are realizing this. So the big question is how much it costs. The answer may surprise you.
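To make "recognize, audit and block at the real-time data input level" concrete, here is an added example written for this page; it is not IBM's, Decision Zone's or any vendor's patented implementation. It keeps a per-user baseline of how many actions that user performs per time window, using Welford's online mean and variance so no history has to be stored, and decides on each incoming action whether it would push the user's current window past the user's own mean plus k standard deviations. The log format, the 60-second window, k = 3, the five-window warm-up and the 1.5-action floor on the standard deviation are all assumptions chosen for the illustration, and the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt


@dataclass
class RunningStats:
    """Welford's online mean/variance: the baseline is three numbers, not a history."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def add(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class ActionRateMonitor:
    """Score each action at ingest time against the actor's own history.

    An action is blocked when it would push the actor's count in the current
    window above mean + k*std of that actor's past windows, once at least
    min_windows baseline windows exist. The defaults are assumptions for this
    illustration: 60 s windows, k = 3, five warm-up windows, and a floor of
    1.5 on the standard deviation so a very flat baseline still tolerates
    small day-to-day variation.
    """

    def __init__(self, window_seconds=60, k=3.0, min_windows=5, std_floor=1.5):
        self.window = window_seconds
        self.k = k
        self.min_windows = min_windows
        self.std_floor = std_floor
        self.baseline = defaultdict(RunningStats)  # user -> stats of per-window counts
        self.current = {}                           # user -> [window_id, count, flagged]
        self.alerts = []                            # audit trail of blocked actions

    def observe(self, ts: int, user: str, action: str, target: str) -> str:
        window_id = ts // self.window
        cur = self.current.get(user)
        if cur is None:
            cur = self.current[user] = [window_id, 0, False]
        elif cur[0] != window_id:
            # Fold the closed window into the baseline only if it was clean, so an
            # attack in progress cannot teach the detector that bulk copying is normal.
            if not cur[2]:
                self.baseline[user].add(cur[1])
            cur[:] = [window_id, 0, False]
        cur[1] += 1
        stats = self.baseline[user]
        if stats.n < self.min_windows:
            return "allow"                           # still learning this actor
        limit = stats.mean + self.k * max(stats.std(), self.std_floor)
        if cur[1] > limit:
            cur[2] = True
            self.alerts.append((ts, user, action, target, cur[1], round(limit, 2)))
            return "block"
        return "allow"


def parse_line(line: str):
    """Constructed log format for this example: '<epoch> <user> <action> <target>'."""
    ts, user, action, target = line.split(maxsplit=3)
    return int(ts), user, action, target


def run(lines, monitor=None):
    """Feed log lines through a monitor; return it and the per-line decisions."""
    monitor = monitor or ActionRateMonitor()
    decisions = [monitor.observe(*parse_line(line)) for line in lines]
    return monitor, decisions


def sample_log():
    """Constructed sample: 'clerk' reads 4-6 files a minute for eight minutes,
    then pulls 40 files in the ninth minute (the insider bulk copy)."""
    t0 = 1_000_020                                   # aligned to a 60 s window boundary
    lines = []
    for m, n in enumerate([5, 4, 6, 5, 5, 4, 6, 5]):
        lines += [f"{t0 + m*60 + i*5} clerk read /share/hr/doc{m}_{i}" for i in range(n)]
    lines += [f"{t0 + 8*60 + i} clerk read /share/hr/bulk{i}" for i in range(40)]
    return lines


if __name__ == "__main__":
    mon, decisions = run(sample_log())
    print(f"{decisions.count('block')} of {len(decisions)} actions blocked")
    for alert in mon.alerts[:3]:
        print("blocked:", alert)
```

Two design points matter more than the arithmetic. The decision is made on the action that crosses the limit, not on a report generated after the window closes, which is the difference the paragraph above draws between input-level and output-level detection. And a flagged window never feeds the baseline; a detector that learns from everything it sees can be walked upward by an insider who raises the volume a little each day. A single rate feature is deliberately narrow: a real deployment would score several features per action (distinct targets, hour of day, host) and treat this as one signal among them.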
Cost Justifying Security Through Anomaly Detection Process Efficiencies
One of the biggest concerns with security services is the initial cost of deploying these technologies, the continuing cost of using them, and how those costs can be justified. Even improvements in first-level authentication and IT security are not yet generally treated as a cost of doing business, although that view is changing. ROI calculators now at least try to put a number on the cost of a potential breach, and some insurers attempt to reduce policy premiums when a cybersecurity defensive plan can be demonstrated.
From this perspective, security is simply the detection of a process action that should not have happened. Observing process actions more accurately through anomaly detection also improves the process itself; security is really a byproduct of detecting actions that are not part of the process. People are not buying security because they cannot justify its cost. Both the public and private sectors can gain efficiencies through anomaly detection, and the resulting savings or profit can justify the cost of security: the process efficiencies gained can absorb that cost while improving the process actions themselves.
Conclusion
Problems occur in business processes when someone or some technology does something wrong, whether by mistake, by intent or as part of a targeted attack. We can achieve true security only when multiple actions and processes can be observed simultaneously and in real time. New technologies offer these capabilities at a time when we are rapidly connecting humans to intelligent machines whose capabilities are so large that we have trouble even seeing the processes they run.
We need to recognize that authenticating a person, no matter how accurate the technique, is only the first level of cybersecurity. True security comes from combining prevention and detection technologies at the level of real-time business or process input actions. Most security breaches occur quickly and are themselves input actions to a process, so technology that can focus on those input actions is where we need to focus our efforts.
True cybersecurity will be achieved when we can effectively view, audit, correct and block organizational process actions. If a technology could do this, why not use it?
Comments
I believe you are touching on the "Data First" model of security. The operational loss of down time is dwarfed by the costs of lost gross profit or explosive liability from misrouted data. In this view, all security value builds up from the revenue minus liability of each transaction with data. Information Security then is a specialized form of Quality Assurance looking at Information Flow Defects.
The Return On Investment changes to the dynamic view:
ROI (%) = 100 * (Profit per transaction - Security investment per transaction) / (Security investment per transaction)
To make this work, Security has to see each type of transaction and value it just as a businessman rightly should. Does this transaction create more income than it costs? If not, either rid the business of the transaction, or use security investments to shrink the liability of the transaction.
In a nature metaphor, the data is caribou profiting from migrating through the arctic regions. In this lifecycle, InfoSec asks where the wolf packs are and how most caribou survive. The business may ask, if the herd is healthier for it, whether some data life cycles should perish as acceptable losses. But that decision is largely based on the business health of that transaction, and on whether pack protection will make a meaningful difference. As cold as this view is, it is sustainable in the presence of an attacker population that will not be deterred and cannot ultimately be stopped.
Oddly, business has not valued its transactions even though profiting from a business deal is the primary responsibility of business. Business has not shown InfoSec the gain vs. liability of each of its transaction sets. Thus, InfoSec does not array defenses to limit liability and protect the gained value for each transaction.
In National Defense terms: we refuse to value national secrets or to estimate the liability for the loss of a national secret. Then we ask InfoSec to provide proportionate security to the unknown net value or unknown liability of any process movement of those secrets. Then, since we do not know what normal, good transactions are, we cannot see the wolf until it moves, due to camouflage.
We only forensically examine the eaten caribou. Watching wolves is way too late in the process. Knowing where to be in the moment of danger makes the wolf late in the process. Asking why a caribou is 3 standard deviations away from the correct position to be safe tells InfoSec quite a lot.
If "process actions are the Achilles heel of cybersecurity" then we must design processes with security concerns built-in. For example - http://improving-bpm-systems.blogspot.ch/search/label/security
Thanks,
AS