Embracing Open Standards: Why We Must Work More Like Cyber Attackers to Beat Them

June 3, 2020


Attackers are innovating; it is time CISOs got ahead of them by banding together and making a strong commitment to open source efforts. LookingGlass CTO Allan Thomson argues it is time to level the playing field by applying the attacker's own mindset, collaboration and shared tooling, to cybersecurity.

As IT and cybersecurity professionals, we spend a lot of time thinking about why our adversaries are frequently at least one step ahead of us. Here’s a simple explanation: They do a much better job at working together than we do.

They are true collaborators. As Deloitte describes in its report “Black-Market Ecosystem: Estimating the Cost of ‘Ownership’,” hackers “participate as both producers and consumers” as they flock to dark web markets and forums to obtain capabilities, while reducing expenses via low-cost but widely used common tools deployed at scale. The tools may even be offered “as a service” to make them easier to acquire.

“This same concept is reflected in legitimate markets where businesses and economies focus their effort on the production of a limited scope of products or services to achieve production efficiencies, increase quality and reduce costs,” according to the report. “Unfortunately, in the criminal sphere, this means that threat actors who may otherwise be incapable of performing diversified tasks can instead purchase or partner to acquire the necessary capabilities to launch an attack.”

As for us? We take the opposite path, looking for answers as individual organizations, too often isolating ourselves instead of coming together as a community.


Then, within each organization, we often create additional, self-defeating silos: 55 percent of companies use at least 25 different security tools, and nearly one in five uses at least 50, according to research from the Enterprise Strategy Group (ESG). The result is a sprawl of security and IT operations teams managing different security technologies for different infrastructures, according to ESG. Not surprisingly, this leads to frustration and ineffective practice: resource constraints, difficulty prioritizing and investigating alerts, integration problems, costly professional services, capability gaps, scalability barriers and monitoring challenges. On that last point, nearly half of security and IT professionals say they lack visibility into the data processed within their enterprise, according to research from the SANS Institute.

On a positive note, we are beginning to recognize the futility of our scattered approaches. The Forum of Incident Response and Security Teams (FIRST), which brings together teams from government, commercial and educational organizations to foster cooperation and coordination in incident prevention and rapid response, now has more than 500 members worldwide. In October 2019, IBM Security announced the creation of the Open Cybersecurity Alliance to encourage “cross-industry collaboration on common, open-source code and practices (while) fostering an open cybersecurity ecosystem and solving the interoperability problem. This would be done via commonly developed code and tooling, using mutually agreed-upon technologies, standards and procedures.”

This essentially describes a universal, open source community for cybersecurity, something that is well overdue. We have already seen such initiatives produce significant advances in the form of Zeek, the open-source network security monitoring framework (formerly Bro). Built on more than 20 years of research, Zeek bridges the gap between academia and operations, giving defenders flexible, adaptable visibility into application-layer behavior on their networks.

By making a meaningful commitment to open source efforts like Zeek, we’d benefit greatly from the following improvements:

More Industry-Wide Standardization

We run into major challenges with all of these tools because they all try to solve the same problems in different ways and none of them “talk to each other.” This forces teams within individual organizations to interpret what each tool is saying and how it works. That, of course, introduces human error, because people will inevitably get things wrong. If they invest in a machine to do the interpreting, there will still be errors, because the machine can only do what humans tell it to do.

Through open source standardization, there is a single, agreed way to structure and convey information about a solution. Everyone who adopts it, and everyone who extends it, then shares a common nomenclature, which is what makes free-flowing interoperability and exchange of intelligence possible.
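As a concrete illustration of the point made above, and of the kind of visibility the Zeek paragraph refers to, here is an added example (not code from the article, from LookingGlass or from the Zeek project) that parses Zeek's self-describing TSV log format and runs a simple indicator check over it. Because every Zeek log begins with `#separator`, `#unset_field` and `#fields` header lines, one parser works for `conn.log`, `dns.log`, `http.log` and so on, on any deployment using the default writer; that header is the “one way to convey information.” The three log records, the `KNOWN_BAD_HOSTS` indicator set and the `LONG_CONNECTION_SECONDS` threshold are constructed for the example, and the function names are mine.

```python
"""Parse Zeek's self-describing TSV conn.log and run a simple indicator check.

Added example, not from the original article or the Zeek project. The log
excerpt, the indicator list and the threshold below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of a Zeek conn.log. Header lines start with '#'; the
# '#fields' line names the columns, so no column positions are hard-coded.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2020-06-03-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1591142400.123456\tCAbc1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t12.5\t1400\t52000\tSF
1591142401.000000\tCAbc2\t10.0.0.7\t53012\t198.51.100.23\t80\ttcp\thttp\t-\t-\t-\tS0
1591142402.500000\tCAbc3\t10.0.0.5\t51300\t192.0.2.44\t4444\ttcp\t-\t3600.0\t800\t120000\tSF
#close\t2020-06-03-00-00-10
"""

# Constructed indicator set, standing in for intelligence shared by a peer team.
KNOWN_BAD_HOSTS: Set[str] = {"192.0.2.44"}
# Constructed threshold: flag connections that stay open this long or longer.
LONG_CONNECTION_SECONDS = 1800.0


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn a Zeek TSV log into a list of {field: value} dicts.

    The separator and unset marker are read from the header rather than
    assumed, and unset fields ('-') become None so callers cannot mistake
    them for data.
    """
    separator = "\t"
    unset = "-"
    fields: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator"):
                # Written as '#separator \x09': decode the escape to a real tab.
                spec = raw.split(" ", 1)[1]
                separator = spec.encode("ascii").decode("unicode_escape")
            elif raw.startswith("#unset_field"):
                unset = raw.split(separator, 1)[1]
            elif raw.startswith("#fields"):
                fields = raw.split(separator)[1:]
            continue  # other header lines (#types, #open, #close) need no action
        values = raw.split(separator)
        if not fields or len(values) != len(fields):
            raise ValueError(f"column count mismatch: {raw!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def find_suspicious(
    records: List[Dict[str, Optional[str]]],
    bad_hosts: Set[str] = KNOWN_BAD_HOSTS,
    long_secs: float = LONG_CONNECTION_SECONDS,
) -> List[Tuple[str, str, List[str]]]:
    """Return (uid, responder, reasons) for records matching any check."""
    hits = []
    for r in records:
        reasons = []
        if r["id.resp_h"] in bad_hosts:
            reasons.append("indicator match")
        duration = r.get("duration")
        if duration is not None and float(duration) >= long_secs:
            reasons.append("long-lived connection")
        if reasons:
            hits.append((r["uid"], r["id.resp_h"], reasons))
    return hits


if __name__ == "__main__":
    for uid, host, reasons in find_suspicious(parse_zeek_tsv(SAMPLE_CONN_LOG)):
        print(f"{uid} -> {host}: {', '.join(reasons)}")
```

Only the third record is flagged: its responder is on the indicator list and the connection stayed open for an hour. The second record has an unset `duration` (the handshake never completed), and the parser's `None` keeps it out of the duration check rather than silently failing on `float("-")`. Swapping in a real indicator feed exported in a common format is a change to `KNOWN_BAD_HOSTS`, not to the parser.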


Knowledge-Building

Open source participants tend to be more than simply “takers.” They are insatiably curious in exploring “what if?” possibilities and, therefore, they are contributors. They take pride in offering useful input about a product and/or intelligence about a new threat technique. This sort of “sharing culture” will fortify our collective enterprise far more swiftly and effectively than attempting to solve issues on our own.

Streamlining of Efforts

From a purely pragmatic perspective, we don’t want to reinvent the wheel every time we implement a solution. Through open source, we don’t have to. In most cases, someone else in the community has already “installed the plumbing,” and we need only integrate it into our own environment and make it better.

By uniting industry-wide as professionals on a broad open-source and common standards initiative, we can pave a more assured path toward highly impactful and less costly solutions and practices, and we’d arrive at them much more rapidly. Security teams throughout the world would leverage a cohesive, interoperable set of products and intelligence sources so they can consistently use them – and improve upon them – in the same way. As a result, we can finally position ourselves to not only match our adversaries move-for-move but advance far, far ahead of them.
