Are Cyber-Ontologies the Future of Cybersecurity?

The science of cybersecurity is starting to permeate the discussions of thought leaders in the cyber realm. After all, attacks based on APTs (advanced persistent threats), phishing and ransomware are on a growth trajectory, and seem to be getting more and more difficult to protect against. 

It is a situation that has forced many cybersecurity professionals to invest in SOCs (security operations centers), as well as other technologies to try and get ahead of the latest threats. Cybersecurity vendors are also striving to rethink their approaches to securing systems and managing threats. 

One area that is starting to garner a great deal of interest is the concept of establishing an ontology—or more specifically, a cyber-ontology. While some may be confused about what an ontology entails, especially since the primary definition of ontology is “the branch of metaphysics dealing with the nature of being,” those promoting the science of cybersecurity have adopted a more relevant definition of ontology, which is “a set of concepts and categories in a subject area or domain that shows their properties and the relations between them.”

Perhaps a better way of explaining cyber-ontology is as the discipline of defining the relationships between elements of a domain. While cyber-ontology may be a term that very few cybersecurity professionals are familiar with, the concepts of building ontologies and taxonomies go back several years. Organizations such as Carnegie Mellon University’s CERT program have championed the idea of ontologies for some time. In August 2012, CERT staffers participated in the First International Workshop on Ontologies and Taxonomies for Security (SecOnt) and proposed that the “science of cybersecurity” would require the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding—in other words, an ontology.

While cyber-scientists have extolled the virtues of ontologies, not everyone agrees on the potential value offered. “Ontologies are not used in our processes unfortunately, due to the fact that they are very static and do not allow update on the definition,” said Fatih Orhan, head of Threat Labs at Comodo. “But the closest to an ontology is the definition of malware family, malware type and especially the signature name we’re constantly creating to detect malware files.”

Orhan’s view is most likely tempered by the context in which an ontology would be used, namely endpoint security, where dealing with malware in real time is a critical capability of any endpoint protection product. Others, however, have embraced the concepts offered by ontologies.

“As an emerging security focus area, Mobile Threat Defense has benefited from an ontological approach to describing the vulnerabilities and risks that impact mobile-enabled workers and organizations,” said Michael Covington, VP of Product at Wandera. “Within our own company, developing this ontology has, ultimately, led to new product capabilities. Previously, we looked at many threats in isolation. But with a more robust understanding of mobile risk, we’re now able to build models that track the development of a threat, from initial vulnerability through exploit and data compromise.” 

San Francisco-based mobile security vendor Wandera is not the only company leveraging ontologies. Austin, Texas-based Brinqa, a cybersecurity risk management vendor, also embraces the scientific approach of using ontologies. “The study of data ontology provides an alternate, data-focused perspective of technology,” said Syed Abdur, director of Products at Brinqa. “By ‘following the data,’ professionals can understand how the various heterogeneous components of IT and cybersecurity ecosystems interact to impact each other. This type of data ontology is typically undertaken by cyber risk management programs as they account for the technical infrastructure within an organization, the supporting cybersecurity tool ecosystem and the interdependency between the two.”

While the initial ontology-based definitions of cybersecurity were relatively static, ontologies have evolved into living models of the relationships between data elements, models that can use machine learning and artificial intelligence to adapt as environments change. Cyber-ontologies may prove to be the adaptive dictionary of data, application and user relationships that can enhance behavioral analysis and help to stop the spread of threats before widespread infections take place.

Frank Ohlhorst


Frank is an award-winning technology journalist and IT industry analyst, with extensive experience as a business consultant, editor, author, and blogger. Frank works with both technology startups and established technology ventures, helping them to build channel programs, launch products, validate product quality, create marketing materials, author case studies, eBooks and white papers.
