In this section, we take a look at hot technologies and tools making headlines in cyber security. Okay, what’s hot now is lukewarm tomorrow, but at least it’s a start.
We also figured you’d want to know which universities are doing cutting-edge research in new fields. Although we’ve cherry-picked a few of the best schools, there are plenty more. Ask around. Whatever area you’re interested in – from military robots to Smart Grid security – there is bound to be a group working on it.
Emerging Data Threats
The old IT world is dying. Let’s ignore the sh#$storm of aging computer systems for a moment – cyber security experts now have to deal with threats created by the Cloud, the Internet of Things, mobile/wireless and wearable technology. Data that were once contained within systems are traveling through a dizzying variety of routers, data centers and hosts.
- Man-in-the-Middle (MiM) attacks to eavesdrop on entire data conversations
- Spying software and Google Glass to track fingerprint movements on touch screens
- Memory-scraping malware on point-of-sale systems
- Bespoke attacks that steal specific data (instead of compromising an entire system)
In these scenarios, firewalls, anti-virus measures and tool-based security approaches no longer cut it. By 2020, a Gartner report predicts that “60 percent of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases.”
New solutions are needed, and they’re needed now.
Context-Aware Behavioral Analytics
- Problem: Companies are being overwhelmed by meaningless security alerts.
- Solution: Use sophisticated behavioral analytics to monitor and identify suspicious behavior/transactions.
Context-aware behavioral analytics is founded on the premise that unusual behavior = nefarious doings. Snowden achieving super root privilege and downloading 1.7 million files to a USB stick after hours? That’s unusual behavior. Abnormal file movement and activity across Target’s point-of-sale infrastructure? That’s unusual behavior.
Here’s where analytics can be of help. As Avivah Litan, a vice president and Gartner analyst, noted in her briefing at the Raytheon Cyber Security Summit (see this December 2014 article in ThreatPost), companies should be examining the context in which data is being used.
Examples of this behavior-based analytics approach include:
- Bioprinting – How hard and fast employees type, how they use a mouse – these are bioprint markers. Companies are also using phone printing, which is analyzing acoustic information to identify spoof caller IDs.
- Mobile Location Tracking – Geo-location is an important indicator of behavior. Is a mobile device logging into several accounts from an unfamiliar city? Danger, Will Robinson.
- Behavioral Profiles – Since humans are creatures of habit, companies are now creating behavioral profiles of users, accounts, clients, contractors – even devices and peer groups. Then they are monitoring how that behavior changes from month to month and device to device. If past behavior differs from real-time behavior, the company could have a security issue.
- Third-Party Big Data – Say a criminal is setting up a fake clinic with fake doctors in order to get their hands on patient insurance IDs and bill for sham procedures. Big data analytics can alert companies to the fact that these so-called clinics are located in remote office malls with low populations.
- External Threat Intelligence – Are contractors and competitors being targeted? Are certain accounts associated with fraud? Are hackers using the same IP blocks across multiple attacks? Intelligence gathering is a key part of understanding criminal behavior.
The trick, of course, is bringing all this information together in a coherent picture. As the case of Snowden proves, the security industry is still working on that.
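As an added example (not code from the article or from any vendor it mentions), here is a small Python sketch of the behavioral-profile idea described above: build a per-user baseline from past access events (cities seen, usual working hours, typical download volume), then score new events against it. The after-hours bulk download and the login from an unfamiliar city mirror the two scenarios in this section; every user, city and number is constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed baseline access log: (user, ISO timestamp, login city, bytes downloaded).
# Every user, city and number here is invented for this example.
BASELINE_LOG = [
    ("alice", "2014-10-01T09:12:00", "Denver", 20_000_000),
    ("alice", "2014-10-02T10:47:00", "Denver", 35_000_000),
    ("alice", "2014-10-03T14:05:00", "Denver", 18_000_000),
    ("alice", "2014-10-06T11:30:00", "Denver", 27_000_000),
    ("bob",   "2014-10-01T08:55:00", "Austin", 5_000_000),
    ("bob",   "2014-10-02T17:20:00", "Chicago", 8_000_000),
    ("bob",   "2014-10-03T09:40:00", "Austin", 6_000_000),
]

# Constructed new activity to be scored against that baseline.
NEW_LOG = [
    ("alice", "2014-10-20T23:40:00", "Denver", 1_700_000_000),  # after hours, bulk pull
    ("bob",   "2014-10-20T10:05:00", "Austin", 7_000_000),      # routine session
    ("bob",   "2014-10-20T10:09:00", "Lisbon", 6_500_000),      # never-before-seen city
]


def build_profiles(log):
    """Per-user profile from past behavior: cities seen, hour-of-day window, median bytes."""
    seen = defaultdict(lambda: {"cities": set(), "hours": set(), "volumes": []})
    for user, ts, city, nbytes in log:
        entry = seen[user]
        entry["cities"].add(city)
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["volumes"].append(nbytes)
    profiles = {}
    for user, entry in seen.items():
        profiles[user] = {
            "cities": entry["cities"],
            # Usual working window, widened by one hour on either side.
            "hour_lo": min(entry["hours"]) - 1,
            "hour_hi": max(entry["hours"]) + 1,
            "median_bytes": median(entry["volumes"]),
        }
    return profiles


def score_event(profile, event, volume_factor=10):
    """List the ways one event departs from the profile; an empty list means it looks normal."""
    _, ts, city, nbytes = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if city not in profile["cities"]:
        reasons.append(f"login from unfamiliar city: {city}")
    if not profile["hour_lo"] <= hour <= profile["hour_hi"]:
        reasons.append(f"activity at {hour:02d}:00, outside usual hours")
    if nbytes > volume_factor * profile["median_bytes"]:
        ratio = nbytes / profile["median_bytes"]
        reasons.append(f"download volume {ratio:.0f}x the user's median")
    return reasons


def detect(profiles, events):
    """Map each deviating event to its reasons; users with no baseline are flagged as well."""
    flagged = {}
    for event in events:
        profile = profiles.get(event[0])
        reasons = ["no behavioral baseline for this user"] if profile is None else score_event(profile, event)
        if reasons:
            flagged[event] = reasons
    return flagged


if __name__ == "__main__":
    for event, reasons in detect(build_profiles(BASELINE_LOG), NEW_LOG).items():
        print(event[0], event[1], "->", "; ".join(reasons))
```

A real deployment would keep rolling baselines per device and peer group as the section describes; the thresholds here are arbitrary and only illustrate the comparison.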
Next Generation Breach Detection
- Problem: Hackers are using “zero-day” exploits that allow them to establish a foothold and mine data in networks and systems for months (e.g. Target’s stolen credit card numbers).
- Solution: Develop technologies that combine machine learning and behavioral analytics to detect breaches and trace them to the source.
In the past few years, hackers have been employing bespoke attacks on systems. Instead of launching a battalion at a wall, they carefully analyze a system’s defenses and then, Odysseus-like, send in the Trojan Horse. Thanks to the volume, velocity and variety of big data, most companies are not even aware that their systems have been breached.
Instead of focusing on the first line of defense, next generation breach detection focuses on what happens once the criminal is inside the system. It takes behavioral analytics (see above) and adds even more tools to identify the breadcrumbs that a hacker leaves behind.
As the authors of a 2014 TechCrunch article explain:
“Rather than relying on detecting known signatures, these companies marry big-data techniques, such as machine learning, with deep cyber security expertise to profile and understand user and machine behavior patterns, enabling them to detect this new breed of attacks. And to avoid flooding security professionals in a sea of useless alerts, these companies try to minimize the number of alerts and provide rich user interfaces that enable interactive exploration and investigation.”
In other words, breach detection tools can pick out strange movements and changes in a sea of data and determine that something is very, very wrong.
Virtual Dispersive Networking (VDN)
- Problem: MiM attacks are cracking traditional encryption technologies and targeting intermediate nodes.
- Solution: Split the message into multiple parts, encrypt those parts and route them over different protocols on independent paths.
Man-in-the-Middle attacks (MiM) – times when a hacker can monitor, alter or inject messages into a communication channel – are becoming a thorny problem for companies. Data that was once securely encrypted can now be broken by parallel processing power. SSL and Virtual Private Networks (VPNs) can’t always protect messages as they travel across intermediary pathways.
That’s where Virtual Dispersive Networking (VDN) from Dispersive Technologies comes in.
According to a 2014 article in Forbes:
“[VDN] takes a page out of now-traditional military radio spread-spectrum security approaches, where radios rotate frequencies randomly or split up communications traffic into multiple streams, so that only the receiving radio can reassemble them properly. With Dispersive, however, the Internet (or any network) is now the underlying communications platform.”
VDN splits a message into multiple parts, encrypts each component separately and routes them over servers, computers and even mobile phones. Traditional bottlenecks can be completely avoided:
“The data also ‘roll’ dynamically to optimum paths – both randomizing the paths the messages take while simultaneously taking into account congestion or other network issues.”
Hackers are left scrambling to find data parts as they whip through data centers, the Cloud, the Internet and so on. To prevent cyber criminals from attacking the weak point of the technology – the place “where the two endpoints must connect to a switch in order to initiate their secure communications” – Dispersive has a hidden switch that also leverages VDN. This makes the switch very hard to find.
Smart Grid Technologies
- Problem: Smart meters and field devices have left critical infrastructures vulnerable to attack.
- Solution: Tackle the problem with a range of new security measures and standards.
A few points from the DOE’s 2014 Smart Grid System Report to chew over:
- By 2015, an estimated 65 million smart meters will be installed nationwide – more than 1/3 of electricity customers.
- Customer-based technologies (e.g. programmable communicating thermostats, building energy management systems, web portal, in-home displays, etc.) are becoming the new norm.
- Modernization within the distribution system includes the deployment of sensor, communications and control technologies – these are integrated with field devices to enhance grid operations.
Each one of these technology advances creates a weak point in digital security. It’s no secret that cyber attackers would love to take down the infrastructures that supply the nation’s electricity, oil or gas.
In response, the DOE is working on a number of tools and strategies to protect the energy sector. Some of these include:
- Padlock – Developed by Schweitzer Engineering Laboratories, Padlock is a cyber security gateway that establishes encrypted communications between central stations and field devices. It’s designed to detect physical and digital tampering. Partners include the Tennessee Valley Authority and Sandia National Laboratories.
- Watchdog – Watchdog is another Schweitzer invention. It’s a managed switch that performs deep packet inspection for the control system local area network (LAN). It uses a whitelist configuration approach to determine a set of known and allowed communications.
- SIEGate – SIEGate stands for Secure Information Exchange Gateway. It’s an information protocol that provides cyber security protections for information sent over synchrophasor networks on transmission systems. It’s being developed by Grid Protection Alliance in partnership with the University of Illinois, Pacific Northwest National Laboratory, PJM and AREVA T&D.
- NetAPT – NetAPT is the University of Illinois’s baby. It’s a software tool that enables utilities to map their control system communication paths. Vulnerability assessments and compliance audits can be completed in minutes.
DOE National Laboratories (e.g. Idaho, Oak Ridge, Pacific Northwest) have also been hard at work. They’ve been laboring on projects such as automated vulnerability detection, a tool suite for situational awareness, next generation secure and scalable communication networks and bio-inspired technologies.
SAML & The Cloud
- Problem: Cloud-based applications and BYODs are beyond the realm of firewalls and traditional security measures/policies.
- Solution: Combine SAML with encryption and intrusion detection technologies to regain control of corporate traffic.
Security Assertion Markup Language (SAML) is an XML-based open standard data format used for exchanging authentication and authorization data between parties. Although it’s not a measure of protection on its own, a number of companies are combining it with SSO, encryption and intrusion detection technologies to protect data in the Cloud.
One of these companies is BitGlass. It took a look at the rise of the BYOD (Bring Your Own Device) movement and the explosion of applications like Google Apps, Salesforce, etc. and decided to come up with a solution. As Frank Ohlhorst of Enterprise Networking Planet explains:
“With SAML in the picture, BitGlass designed a proxy-based system to redirect traffic to cloud service providers through BitGlass technology, which secures access and traffic, logs activity, and even “watermarks” files and information for further protection by embedding security tags into documents and other files to track their movement. Amazingly, all that happens without impacting the end user. No software to load on endpoints, no changes to be made to end user configurations.”
In this way, data in the Cloud is corralled. An alert system notifies companies of events like failed or unexpected log-ins, suspicious activity and the like. If an employee’s device is stolen, security administrators can immediately wipe all the corporate information without affecting the user’s personal data.
Active Defense Measures
- Problem: Cyber criminals are becoming increasingly aggressive.
- Solution: Fight fire with proverbial fire – use techniques that can track, or even attack, hackers.
Active defense measures are a controversial topic in cyber security. The idea is pretty simple. Instead of sitting back and waiting for the hacker to come and get you, you take proactive measures to thwart them.
Examples of active defense measures include:
- Counterintelligence Gathering – This requires a cyber expert to go “undercover” to seek information about hackers and their tools and techniques. It might be as simple as reverse malware analysis; it might be as surreptitious as cloaking your identity and going into Internet malware storefronts.
- Sinkholing – Designed to impersonate the real thing, a sinkhole is a standard DNS server that hands out non-routable addresses for all domains within the sinkhole. The goal is to intercept and block malicious or unwanted traffic so it can be captured and analyzed by experts. Read more in Brian Krebs’s posts on sinkholes.
- Honeypots – Honeypots take the bait and trap approach. A honeypot is an isolated computer, data or a network site that is set up to attract hackers. Cyber security analysts use honeypots to research Black Hat tactics, prevent attacks, catch spammers and so on. The concept has been around since 1999, but applications continue to grow in sophistication.
- Retaliatory Hacking – This may be the most dangerous of security measures (and usually considered unlawful). Hacking back raises all sorts of ethical questions – will you take down innocent third-party infrastructures in your mission? Will your hackers retaliate tenfold in revenge for your actions? Even with all the risks, the idea is gaining traction in certain circles (see this October 2014 article in The Washington Post).
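The Sinkholing item above, in code: an added example (not from the article or from Brian Krebs’s posts) of the logic a DNS sinkhole applies. It matches queried names against the domains it has taken over on label boundaries, hands out a non-routable address, and records which internal clients asked, since that client list is what identifies infected machines. The domains, client addresses and queries are all constructed.

```python
from collections import defaultdict

# RFC 5737 TEST-NET-1: never routed on the public Internet, so sinkholed traffic goes nowhere.
SINKHOLE_ADDRESS = "192.0.2.1"

# Constructed set of domains the sinkhole is authoritative for. The .test and .invalid
# TLDs are reserved (RFC 2606); these names are placeholders, not real indicators.
SINKHOLED_DOMAINS = {"example-botnet-c2.test", "cdn-updates.invalid"}

# Constructed stream of DNS queries as (client_ip, queried name).
QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "update.example-botnet-c2.test"),
    ("10.0.0.9", "example-botnet-c2.test."),          # trailing dot, as on the wire
    ("10.0.0.5", "deep.sub.cdn-updates.invalid"),
    ("10.0.0.7", "notexample-botnet-c2.test"),        # different domain, shared suffix string
]


class DnsSinkhole:
    """Answers sinkholed names with a non-routable address and records who asked."""

    def __init__(self, domains, address=SINKHOLE_ADDRESS):
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.address = address
        self.hits = defaultdict(list)  # client_ip -> names it tried to resolve

    def is_sinkholed(self, qname):
        """Match on label boundaries, so a plain endswith() false positive like
        'notexample-botnet-c2.test' is not caught by 'example-botnet-c2.test'."""
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def answer(self, client_ip, qname):
        """Return the A record to hand out, or None when the query belongs to a real resolver."""
        if not self.is_sinkholed(qname):
            return None
        self.hits[client_ip].append(qname.lower().rstrip("."))
        return self.address

    def infected_hosts(self):
        """Clients that asked for sinkholed names, with hit counts: the list worth investigating."""
        return {ip: len(names) for ip, names in self.hits.items()}


def run_sample():
    """Feed the constructed queries through a sinkhole and return the suspected hosts."""
    sinkhole = DnsSinkhole(SINKHOLED_DOMAINS)
    for client_ip, qname in QUERIES:
        sinkhole.answer(client_ip, qname)
    return sinkhole.infected_hosts()


if __name__ == "__main__":
    for ip, count in run_sample().items():
        print(f"{ip}: {count} sinkholed lookup(s)")
```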
And then there’s MonsterMind. According to Edward Snowden, the NSA has been working on an automated program that would use algorithms to search repositories of metadata and identify and block malicious network traffic. It could also potentially strike back at the server launching the attacks.
Active defense measures can lead you into dangerous waters. For instance, say you want to infiltrate a hacker community. Like the mob, the group might want proof of your credentials. You may have to build a hacking reputation, participate in illegal projects and frequent illegal sites (e.g. ones that peddle child pornography). None of these things are legal.
Keep an eye on the debate over active defense measures. It’s only going to get more controversial.
Early Warning Systems
- Problem: Vulnerable websites and servers are increasingly being hacked.
- Solution: Create an algorithm to determine which sites and servers will be hacked in the future.
Although this idea is still in the early stages, we thought it worth noting. Using machine learning and data mining techniques, researchers at Carnegie Mellon have created a “classifier” algorithm that predicts which web servers are likely to become malicious in the future.
To test their tool, Kyle Soska and Nicolas Christin applied the classifier to 444,519 archived websites in the WayBack Machine. Over a one-year period, their algorithm was able to predict 66% of future hacks with a false positive rate of 17%.
The idea is built on the premise that vulnerable websites share similar characteristics. For example, the algorithm takes into account a website’s:
- Traffic statistics
- Filesystem structure
- Webpage structure
Plus a variety of other “signature features” to determine if it shares common denominators with known hacked and malicious websites. If it does, then steps can be taken to prevent an attack. Website operators can be notified. Search engines can exclude results.
What’s especially cool is that the classifier is designed to adapt to emerging threats. Although it doesn’t include vectors like bad passwords, it is growing in scope. As it absorbs more and more data, it should be able to improve its accuracy.
University Research Initiatives
Carnegie Mellon University
CMU is the home of:
- Software Engineering Institute (SEI) – The world-famous SEI is a federally funded research and development center (FFRDC) sponsored by the U.S. Department of Defense. It hosts the CERT Division, sponsors conferences and provides widely recognized training programs.
- picoCTF – picoCTF is a computer security contest targeted at middle and high school students. It’s a collaboration between Carnegie Mellon’s Plaid Parliament of Pwning (PPP) of CyLab and Team Daedalus of the Entertainment Technology Center. Both of these groups are student-run.
- CyLab – CyLab is a cross-disciplinary security initiative that seeks to establish public-private partnerships between university faculty and graduate students and industry partners. Together, these groups conduct important research and work on developing new security technologies.
CMU is an NSA CAE IA/CD institution and offers a number of undergraduate and graduate programs (including a PhD) in information assurance and cyber security.
George Washington University
GWU has two major security institutes:
- Cyber Security Policy and Research Institute (CSPRI) – CSPRI is designed to promote interdisciplinary technical research and policy analysis of cyber security issues. It works with both the government and private organizations. Current research projects include the Privacy and Civil Liberties Project, Creating a Building Code for Medical Software Security and PrEP: A Framework for Malware & Cyber Weapons.
- Homeland Security Policy Institute (HSPI) – HSPI is a nonpartisan institute that focuses on building bridges between the theory and practice of homeland security. It publishes regular policy reports and journal articles on cyber security issues and hosts a number of security conferences and symposiums.
GWU is an NSA CAE IA/CD institution and, in addition to a certificate, offers undergraduate and graduate degrees in cyber security.
Massachusetts Institute of Technology
- The Computer Science and Artificial Intelligence Laboratory (CSAIL) – As the name would imply, this world-renowned laboratory is concerned with developing the future architectures and infrastructures of information technology (including security). Just as one example, CSAIL is responsible for developing the RSA cryptography algorithm that protects most online financial transactions. It’s the largest research laboratory at MIT.
- Lincoln Laboratory – Established in 1951, the Lincoln Laboratory is a Department of Defense Research and Development Laboratory and therefore conducts research and development aimed at solutions to problems critical to national security. It has a large number of cyber security projects in play.
- Geospatial Data Center – This group researches new technologies to enhance the security of the national information infrastructure. Current projects include large-scale simulation, cyber physical security, big data and holistic system data visualization.
In 2014, the Hewlett Foundation announced that it was giving three universities (Stanford, MIT and UC Berkeley) a grant of $45 million for research into cyber security challenges.
MIT has chosen to focus on immediate policy concerns (e.g. protecting financial and medical data) and emerging technologies (e.g. self-driving cars, drones, etc.). This new cyber security initiative will be led by CSAIL’s Daniel Weitzner, President Obama’s CTO from 2011-2012.
Stanford University
- Center for Internet and Society – This center is focused on cyber law – the emerging legal doctrines in technological innovation and civil rights. As anyone involved with the field will tell you, cyber security is right in the middle of the debate.
- Computer Science Security Lab – This is the group with the most stake in cyber security issues. Current research projects involve cryptographic primitives/protocols, web security and secure voting.
- Stanford Networking Research Center (SNRC) – SNRC is a partnership with IT corporations and Silicon Valley industries. Its three research directions are wireless access, Internet technologies and information services.
It has also developed a cross-disciplinary effort with UC Berkeley and the University of Michigan on the Secure Internet of Things Project. Researchers will take a look at analytics, hardware/software systems and, most importantly, what security measures are needed to protect the new world.
Like MIT and UC Berkeley, Stanford shared in the Hewlett Foundation’s $45 million grant in 2014. It intends to use its $15 million on the Stanford Cyber Initiative, which will focus on a variety of concerns, including governance, trustworthiness and the interdisciplinary challenges that cyber security and networked information pose to humanity (e.g. can we anticipate unexpected developments in IT that affect security, civil liberties and society?).
University of California Berkeley
- A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections (ACCURATE) – ACCURATE is a multi-institution voting research center funded by the NSF. It conducts research, issues reports, develops educational materials and testifies to Congress.
- Center for Evidence-Based Security Research (CESR) – Geared towards key social and economic elements of cyber security, CESR is a joint project with UC San Diego, the International Computer Science Institute and George Mason University.
- Cyber-Defense Technology Experimental Research Laboratory (DETER) – DETER operates DeterLab, a controlled testbed facility where researchers can experiment with security solutions in a complex, real-world environment.
- Infiltration of Botnet Command & Control and Support Ecosystems – A joint project between UC San Diego and UC Berkeley, this project looks at the botnet problem from all angles.
- The Intel Science and Technology Center for Secure Computing (SCRUB) – Funded by Intel, SCRUB is focused on making computing technology safe and secure for users. It has a variety of projects on the go, including research into mobile computing, software/hardware architectures and analytics.
- Team for Research in Ubiquitous Secure Technology (TRUST) – Established as an NSF Science and Technology Center, TRUST is a well-known group with a number of cyber security interests (e.g. financial, health and physical infrastructures + the science of security). All projects are interdisciplinary.
UC Berkeley is the third university to benefit from the Hewlett Foundation grant in 2014. It plans to spend its $15 million on assessing the range of future paths that cyber security might take. The Center for Long-Term Cybersecurity will be an interdisciplinary research effort, drawing scholars from across the university.
University of Illinois at Urbana-Champaign
- The Cybersecurity Directorate at the National Center for Supercomputing Applications (NCSA) – Established in 1986, NCSA is a cutting-edge computational facility that serves scientists and engineers across the country. Researchers and specialists at The Cybersecurity Directorate focus on advanced cyber security applications, including incident response and production security at NCSA.
- Blue Waters – Blue Waters is one of the world’s most powerful supercomputers open for scientific research. It’s a joint effort of the NCSA, UI, Cray, Inc. and the Great Lakes Consortium for Petascale Computation.
- Coordinated Science Lab – Founded in 1951 as a classified defense laboratory, CSL has evolved into a supercharged innovation hub. In addition to building next generation IT technologies, researchers are also thinking about security issues.
And that’s not to mention the university’s efforts in Cloud computing, universal parallel computing, multi-modal information access and more. (View a complete list of Illinois’s computer science research centers.)
Education plays a big part in their success. In 2013, UI received a four-year, $4.2 million grant from the NSF to renew the Illinois Cyber Security Scholars Program (ICSSP), which trains cyber security students in the latest systems and methodologies.