In the world of soccer, some players have a number of special skills that elevate their status from an average player to that of an eternal legend. One of these critical skills which allow players to transcend time is spatial intelligence or awareness. This is a dynamic skill which enables a soccer hero like Ronaldo to be so acutely aware of his surroundings. He knows the exact placement of his teammates and the location of opposing players as he moves with the ball.
Spatial intelligence permits a player to instantly adapt to the changing environment and always be aware of the best strategy to create exciting scoring chances, whether it is with a nifty pass to another player or with a swift deke of an opponent. Legendary soccer players make such plays look entertaining in their simplicity, but they are a lot easier said than done.
All the players, whether teammates or opponents, are doing their own computing, and there is no network linking their brains, so a player can never be too sure how others are going to react to his or her actions. Average players often get surprised by the speed of an opponent, or pass the ball to where they expected their teammate to be only for that player to go in a different direction. This environment is dynamic, and it is difficult to calculate all the possible permutations.
Superstar soccer players are able to map out all the movement in their mind because their spatial intelligence is so sophisticated. This allows them to score goals, complete accurate passes and make plays that other players find impossible to execute.
Now that we have explained spatial intelligence from a human perspective, we can switch gears and show you how this concept can be applied to information security monitoring.
Enhancing Security Monitoring with Spatial Intelligence
Practitioners in the information security world are well aware that Security Operation Centers (SOC) struggle to detect attacks by simply looking at Security Information and Event Management (SIEM) monitoring consoles. While monitoring events on a SIEM console, it is difficult to determine if the event under review is a real attack in progress.
To improve security monitoring, we need to enhance SOCs with spatial intelligence. Spatial intelligence with reference to information security is context information.
There is a lot of context information available within our IT infrastructure that can be used for evaluating an event. Just as the position of a defender is useful information for Ronaldo to determine his next move, asset information, user information, vulnerability information, and network information are all useful in determining if the event or alert showing in a SIEM console is an attack or not.
SIEM and Context Information
The idea of integrating context information within a SIEM console to help determine if an event is an attack is not a new concept. Current SIEMs have capabilities which allow them to integrate context information including asset profiles (asset value, location, services, and ports) and vulnerability information (CVE IDs, vulnerability name, and description). SIEMs have connectors to vulnerability scanners which allow the import of vulnerability information on a periodic basis. In spite of this, there are few success stories of SOCs using this type of integration in better evaluating an event and identifying attacks.
Lack of dynamic integration of context information
This lack of success makes one wonder why SOCs find it difficult to integrate context information and realise value. The key reason is that SIEMs have treated this kind of integration as “static” integration, while in reality all of this information is dynamic and deserves a different approach. We will try to understand this better by taking the example of vulnerability information integration.
Vulnerability information, for instance, is not static. It is changing all the time as new vulnerabilities are discovered in platforms every day. Similarly, asset components and services keep changing and corresponding vulnerabilities change accordingly. Hence, vulnerability information is a moving target.
In addition, organizations have different periodical cycles during which scanning occurs. Leading organizations might scan critical assets on a daily basis, while some others might scan every month or quarter. Non-critical assets might only get scanned annually. This essentially implies that vulnerability information corresponding to an asset might not be available for comparing with an event to further determine if it is an attack.
For instance, let us look at an event that is a Windows buffer overflow attack taking advantage of a specific vulnerability. If the SIEM does not have updated information on this vulnerability due to a sporadic scan cycle, it is difficult to compare the buffer overflow event with the non-existent vulnerability information in the SIEM to determine the impact of this attack on the asset. This also leads to weak or wasted countermeasure actions.
In short, in the way SIEM technology is currently implemented, spatial intelligence fails to deliver proper information. Without this up-to-date data, there is no chance of scoring the goal of stopping an attack.
Bridging the Gap
Solving this problem by increasing the ability to recognize an event that is an attack requires a different approach. The new approach needs to keep pace with the real-world issue of evolving vulnerabilities, missing vulnerability information, and imperfect scanning cycles in organizations. It needs to integrate an element of dynamism in analyzing context information.
In practice, this means that there should be a mechanism that enables the system (SIEM/supporting technology) to use available vulnerability information to predict if a specific vulnerability exists corresponding to the event that is being analysed.
Referring to our previous example, we should be able to use existing vulnerability information available across Windows assets in the organization to predict if a specific vulnerability corresponding to the buffer overflow event exists or not.
Employing Data Science to Adapt to the Dynamic Nature of Context Information
Data science provides mechanisms to achieve the type of dynamism needed, which leads to effective use of context information thus increasing the spatial intelligence of a security system.
Let us look at how data science can help us solve the dynamic nature of vulnerability information integration. Organizations tend to follow certain patterns while patching their systems. Patching decisions are mostly based on analysis of how critical an asset is in the system along with how severe the vulnerability is. The impact of system downtime and the effort required to implement a patch update are also important variables in the decision.
The patch update schedule adopted by an organization leads to a certain pattern of vulnerabilities in existing assets. This is like a fingerprint that is specific to an organization. Applying a probability model to this pattern of vulnerability data across assets enables us to identify this fingerprint and predict the presence of vulnerability. This approach is successful even in the absence of information corresponding to a specific vulnerability from the last available scan. A similar approach can be used for other contextual information that is dynamic in nature.
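As an added illustration (not the article's own code), the mechanism described under "Bridging the Gap" and the patching-fingerprint approach above, in Python: a SIEM buffer overflow event is enriched with asset context, a fresh scan answers the vulnerability question directly, and a stale scan is replaced by the rate of that vulnerability among freshly scanned peers of the same OS and criticality. The inventory, host names, vulnerability IDs and 30-day freshness window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    host: str
    os: str
    criticality: str      # "critical" or "standard": drives the organisation's patch cycle
    last_scan: date       # date of the last vulnerability scan of this asset
    vulns: frozenset      # vulnerability IDs reported by that scan

# Constructed inventory (placeholder hosts and IDs, not real CVEs).
# "VULN-BOF-1" stands in for the Windows buffer overflow vulnerability in the article.
INVENTORY = [
    Asset("win-crit-01", "windows", "critical", date(2024, 5, 1), frozenset()),
    Asset("win-crit-02", "windows", "critical", date(2024, 5, 1), frozenset({"VULN-BOF-1"})),
    Asset("win-std-01", "windows", "standard", date(2024, 4, 20), frozenset({"VULN-BOF-1"})),
    Asset("win-std-02", "windows", "standard", date(2024, 4, 22), frozenset({"VULN-BOF-1"})),
    Asset("win-std-03", "windows", "standard", date(2024, 4, 25), frozenset({"VULN-BOF-1", "VULN-OTHER"})),
    Asset("win-std-04", "windows", "standard", date(2023, 11, 1), frozenset()),  # stale scan
    Asset("lnx-std-01", "linux", "standard", date(2024, 4, 30), frozenset()),
]
MAX_SCAN_AGE_DAYS = 30          # assumed freshness window
TODAY = date(2024, 5, 10)       # assumed evaluation date

def vuln_probability(target: Asset, vuln_id: str, today: date = TODAY) -> tuple:
    """Return (probability that vuln_id is present on target, basis of the estimate).
    A fresh scan is trusted as-is. A stale scan falls back to the organisation's patching
    fingerprint: the Laplace-smoothed rate of vuln_id among freshly scanned peers with the
    same OS and criticality (the smoothing pulls toward 0.5 when no peers are known)."""
    if (today - target.last_scan).days <= MAX_SCAN_AGE_DAYS:
        return (1.0 if vuln_id in target.vulns else 0.0, "fresh scan")
    peers = [a for a in INVENTORY if a.host != target.host and a.os == target.os
             and a.criticality == target.criticality
             and (today - a.last_scan).days <= MAX_SCAN_AGE_DAYS]
    hits = sum(vuln_id in a.vulns for a in peers)
    return ((hits + 1) / (len(peers) + 2), f"predicted from {len(peers)} peers")

def score_event(event: dict, today: date = TODAY) -> dict:
    """Enrich a SIEM exploit event with asset context and a vulnerability likelihood."""
    asset = next(a for a in INVENTORY if a.host == event["dst_host"])
    p, basis = vuln_probability(asset, event["vuln_id"], today)
    priority = "high" if p >= 0.5 and asset.criticality == "critical" else \
               "medium" if p >= 0.5 else "low"
    return {"host": asset.host, "criticality": asset.criticality,
            "p_vulnerable": round(p, 2), "basis": basis, "priority": priority}

# Constructed SIEM events: the same buffer overflow signature against three hosts.
SAMPLE_EVENTS = [{"signature": "windows buffer overflow", "vuln_id": "VULN-BOF-1", "dst_host": h}
                 for h in ("win-crit-02", "win-crit-01", "win-std-04")]
if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev))
```

The stale host win-std-04 gets no vulnerability from its own scan, yet the fingerprint of its freshly scanned peers still ranks the event as medium priority instead of silently dropping it.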
Scoring Goals by Identifying Attacks
There is a need to recognize the dynamic nature of context information and a willingness to capture this dynamism to increase security attack detection capabilities. Hence, the use of techniques that keep pace with the changing nature of context information is vital. We can only enable our SOC analysts to improve security attack detection if we adopt techniques which integrate dynamic “spatial intelligence”. These improvements should assist SOC analysts to effectively pierce through the noise of event data to identify those events which are attacks.
About the Author
Vinod Vasudevan is a co-founder and CTO of Paladion. He has over 20 years of experience in the technology and information risk management domain. He is responsible for establishing the company’s technology and services vision, and for leading all aspects of the company’s technology development. As the CTO at Paladion, Vinod has serviced large enterprise organizations across the globe in setting up integrated risk management systems and in streamlining system-based operations.
He regularly presents in leading global forums and conferences. He sits on the expert panel of industry consortiums. He is the lead author of the book “Application Security in the ISO 27001 Environment” from IT Governance, UK. Vinod is also the co-author of "Enhancing Computer Security with Smart Technology" published by Auerbach. He is a CISSP and a PCI QSA.
Vinod Vasudevan is a co-founder of Paladion and has over 17 years of experience in the technology and information risk management domain. As the CTO at Paladion, Vinod has serviced large enterprise organizations across the globe in setting up integrated risk management systems and in streamlining system-based operations. He has held key positions with global firms including Microsoft. He is the co-author of “Application Security in the ISO27001 Environment” and “Enhancing Computer Security with Smart Technology”. He has also authored several papers. He sits on the expert panel of industry consortiums.