True Threat Intelligence

Honeybees have been dying in record numbers, threatening the continued production of many nutritious foods. Without bees to pollinate crops, the danger to our environmental ecosystem, and ultimately our health begins to increase dramatically.

Similarly, in the world of cyber-security, we are witnessing a record number of security events, attacks and breaches that are threatening the continued capabilities of our information systems to support business, research, healthcare, transportation, energy and virtually every other category of activity whose operations are completely dependent upon consistently functioning computer systems and Internet connectivity.

At a macro level, the two trends are progressing along a similar curve.

The question now is “Have we reached the tipping point, where our information systems infrastructure is due to collapse?” This was the question that physicists at Northeastern University recently addressed with respect not to information systems in particular, but rather to complex systems as a whole.

Using statistical physics, Northeastern network scientists have developed a tool to identify that tipping point, for everything from ecological systems such as bees and plants to technological systems such as power grids. It opens the door to planning and implementing preventive measures before it's too late, as well as preparing for recovery after a disaster. Just like in cyber-security.

There has been no unifying theory that considered the complexity, parameters and components of the networks underlying complex systems, which makes it very difficult to predict a system's resilience in the face of disturbances to those parameters and components.

Their tool, for the first time, enables those predictions.

A similar approach works well in the far less difficult though equally dangerous complexity problem of cyber-security analytics and threat intelligence.

Over the past twelve months we have analyzed the threat data we’ve collected from the tools that are embedded in our Securli Threat Defense platform and determined that we had a rich starting point for aggregating specific network and web related malware behavior, though the individual threat patterns differed greatly. We wanted to fold that data in with other indicators to develop a measure of predictive resilience in information systems networks.

We also wanted to create contextual relevance in the data, so we included data points from disparate sources like threat databases, dark web chatter, crowd-sourced threat repositories, social media sentiment, enterprise network media chatter and variants like geographical region and industry sector.

We believe the keys to actionable threat intelligence are context, relevance and correlated analytics.

Statistical physics often relies on phase transitions (the measurement of the external conditions at which a physical property transformation occurs) to describe many universal macroscopic observations encompassing systems of a profoundly distinct microscopic nature.

In order to arrive at a summarized macro view of each threat vector, we began by first characterizing the phase diagram for a given network system component, and then developed a single parameter that can be used to determine what phase a given system component is in. This approach allowed us to generally characterize, within a unified framework, threat indicators that are otherwise rather diverse.

Then, using (big-data) predictive and sentiment analytics and third generation machine learning, we were able to correlate those actual threat parameters that we collected from the normal operation of those Securli security tools with data we pulled from the dark web, crowd-sourced threat databases and social media crawls to assess where a client’s network resides on what we call the threat resistance curve.

The objective is to make an early determination as to whether a given network is on the desirable or undesirable side of the threat threshold or approaching a danger zone. What we are developing through this process is a single parameter reflecting the amalgamation of a broad set of measures to determine an individual tipping point in each client’s cyber-security defense system.

One way to think about this is to consider that 100 degrees Celsius is the approximate tipping point for water changing from liquid to vapor (a classic phase transition). Think of liquid as the desirable state for the system and vapor as the undesirable one, signifying collapse. Millions of parameters and components quantify what is going on within a pot of water on the boil, from the relationship of the water molecules to one another to their speed and the chemical bonds linking their elements.

As the water heats up, those parameters and components continually change, similar to the buildup of an organized attack on a corporate network. In the case of our water, we know with certainty when it is reaching the threshold that divides the desirable (liquid) state from the undesirable (vapor) state. We know this as the outcome of a lot of science that has resulted in a single parameter, aka temperature. When our pot of water reaches 99 degrees Celsius, it is time to pull it off the heat.

What we are doing with Securli in cyber-security defense is essentially identical in theory, but instead of crunching millions of chemical and material parameters and components into a single number, we are crunching millions of correlated data points from multiple feeds originating in heterogeneous sources that share a common association. That association is a sort of aerosol composed of the client’s individual profile, industry sector, nationality, region, location, geo-politics, etc. All of this correlated data and these associations are ground through our analytics engine to arrive at a tipping point indicator.

The result is, essentially, the ability to take our client’s network infrastructure “temperature” in order to determine its health and its resilience, and to enable our threat management team to respond accordingly, manipulating the resistance to enhance or restore a positive outcome. When our metaphoric pot reaches 99 degrees Celsius, we sound alarms and our clients know that they have arrived in the danger zone.
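As an added illustration, not Securli's code or data, the following Python sketch models the "temperature" described above: heterogeneous feeds normalized against a client's baseline and weighted into one parameter, a context factor standing in for the sector/region association, an alarm one degree below the tipping point, and a linear extrapolation of the heating rate to estimate how soon the alarm line will be reached. Feed names, weights and readings are constructed sample values.

```python
"""Composite 'threat temperature': fold many normalized feeds into one 0..100
parameter, compare it with a tipping point (early warning one degree below it),
and extrapolate the recent heating rate. All feeds and values are constructed."""
import math
from dataclasses import dataclass


@dataclass
class Feed:
    name: str
    value: float      # current raw observation from this source
    baseline: float   # level considered normal for this client
    ceiling: float    # level at which this feed alone is fully saturated


def normalize(feed: Feed) -> float:
    """Map a raw reading onto [0, 1] relative to its baseline and ceiling."""
    if feed.ceiling <= feed.baseline:
        raise ValueError(f"{feed.name}: ceiling must exceed baseline")
    frac = (feed.value - feed.baseline) / (feed.ceiling - feed.baseline)
    return min(1.0, max(0.0, frac))


def threat_temperature(feeds, weights, context_factor=1.0):
    """Weighted fold of all feeds into one temperature. context_factor stands in
    for the client's association (sector, region) and scales the result."""
    total = sum(weights[f.name] for f in feeds)
    score = sum(weights[f.name] * normalize(f) for f in feeds) / total
    return round(min(100.0, 100.0 * score * context_factor), 2)


def phase(temp, tipping=100.0, margin=1.0):
    """Which side of the threshold the network is on; alarm at tipping - margin."""
    if temp >= tipping:
        return "beyond threshold"
    if temp >= tipping - margin:
        return "danger zone"
    return "desirable"


def intervals_to_alarm(history, tipping=100.0, margin=1.0):
    """Linear extrapolation of the heating rate over the sampled history: how
    many more sampling intervals until the alarm line (None if not heating)."""
    alarm_line = tipping - margin
    if history and history[-1] >= alarm_line:
        return 0
    if len(history) < 2:
        return None
    rate = (history[-1] - history[0]) / (len(history) - 1)
    return math.ceil((alarm_line - history[-1]) / rate) if rate > 0 else None


# Constructed weights and two sample snapshots (hypothetical feed names).
WEIGHTS = {"sensor_alerts": 4.0, "dark_web_mentions": 2.0,
           "crowd_ioc_hits": 3.0, "social_sentiment": 1.0}
QUIET = [Feed("sensor_alerts", 12, 10, 110), Feed("dark_web_mentions", 1, 0, 20),
         Feed("crowd_ioc_hits", 0, 0, 50), Feed("social_sentiment", 0.1, 0, 1)]
HOT = [Feed("sensor_alerts", 120, 10, 110), Feed("dark_web_mentions", 20, 0, 20),
       Feed("crowd_ioc_hits", 50, 0, 50), Feed("social_sentiment", 0.92, 0, 1)]
```

With these sample values the quiet snapshot reads 2.8 degrees (desirable) and the hot one 99.2 (danger zone); a context factor of 1.01 for a heavily targeted sector pushes the same hot readings past the threshold.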

No raw data feeds. Only actionable intelligence.

Predictive resilience will lead to the ability to create an adaptive network that will be able to respond earlier, better and in a more informed manner to increasingly complex threats in the future.

And, this is what we think true threat intelligence is all about.

The post True Threat Intelligence appeared first on Netswitch Technology Management.

This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management