Cybersecurity: Finding One Needle in Many Haystacks

that it is likely that attackers, especially state-sponsored attackers, will acquire these new chips. Those working on quantum encryption have already anticipated increasing horsepower being available to crack codes. So, that is not likely to be a problem. Other ways that innovative attackers might use the new architectures are not so clear; however, it would be prudent to assume that there will be attempts to do so.

Non-centralized security orchestration

Another approach to finding the needles is to not have haystacks in the first place. Don’t gather all the data about the network in a central site and then try to find the needles. Instead, put specially architected intelligence out in the network. Each location only looks at local data. Locations cooperate with each other in a simplified fashion to determine and track normal behavior and find deviations that indicate a breach. They also work together to determine the best way to stop the damage and repair it—and then do so. This approach has been designed, demonstrated, and patented but not yet productized.

Attackers and non-centralized security orchestration

Attackers have been quick to adopt the latest technology to automate attacks and so, they are likely to use orchestration technology internally. A greater risk, though, is that the non-centralized system itself will likely become a target. Recently, we have seen several very large, successful attacks based on compromise of a particular piece of infrastructure. The reason this has happened is that the infrastructure vendors did not understand and recognize the risk. Thus, from the beginning they did not design in adequate protection. In the case of this non-centralized orchestration, specific steps have been taken to strengthen its skin, and to quickly find and neutralize intrusions.

A combination is optimal

Each of these technologies has valuable strengths. But these strengths lie in different complementary areas—thus, combining them will create the optimal outcome.

Non-centralized orchestration nodes can very quickly find attack symptoms that are localized in space and time. They are also well positioned to execute remediation, because they focus on collecting data from their local area rather than holding large amounts of historical data, and they have local access to control mechanisms.

Centralized systems collect data from the entire network and hold a lot of historical data. Because of this, they have trouble quickly finding attacks with localized symptoms. But they do well at finding attacks that are slow to develop and whose symptoms are spread widely across the network. One example is the ‘deny, deny, admit’ pattern.

For example, in one type of deny, deny, admit attack, an attacker attempts to log on in Berlin and is denied, then tries in London and is denied, and finally tries in San Francisco and is admitted. The San Francisco system doesn’t know that the attacker has already attempted and failed in two other cities.

Both a non-centralized and a centralized system can find this pattern. A central-site system with data from all three cities already holds everything needed to find it. With hardware acceleration and frequent downloads of data from the field, it may be able to find such an attack quickly. A non-centralized orchestration node in San Francisco has to ask for data from outside its locality. It can do this, but perhaps not as efficiently as the central-site system. On the other hand, the non-centralized orchestration system is in the best position to perform automated remediation.
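To make the cross-site correlation concrete, here is an added example (not code from the article or from the authors' system) that runs the deny, deny, admit check over constructed login events, playing the role of the central-site correlation described above. The log format, field names and the 30-minute window are assumptions; a single site's node would see only its own line for each account and could not flag the pattern on its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the article).
# jdoe is denied in Berlin and London, then admitted in San Francisco.
# asmith fails once locally and then succeeds at the same site (benign retry).
# bwong was denied at two sites, but hours before the later success.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:05Z site=berlin user=jdoe result=deny",
    "2024-05-01T10:02:41Z site=london user=jdoe result=deny",
    "2024-05-01T10:05:12Z site=sanfrancisco user=jdoe result=admit",
    "2024-05-01T10:01:00Z site=berlin user=asmith result=deny",
    "2024-05-01T10:01:30Z site=berlin user=asmith result=admit",
    "2024-05-01T07:00:00Z site=berlin user=bwong result=deny",
    "2024-05-01T07:10:00Z site=london user=bwong result=deny",
    "2024-05-01T10:30:00Z site=sanfrancisco user=bwong result=admit",
]

def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def find_deny_deny_admit(lines, window=timedelta(minutes=30), min_denied_sites=2):
    """Return (user, denied_sites, admit_site) for every account that was denied
    at min_denied_sites or more distinct sites and then admitted at a site that
    saw none of those denials, with all denials inside `window` of the admit."""
    by_user = defaultdict(list)
    for event in map(parse_event, lines):
        by_user[event["user"]].append(event)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["result"] != "admit":
                continue
            # Only earlier denials (events[:i]) within the window count.
            denied_sites = {e["site"] for e in events[:i]
                            if e["result"] == "deny" and ev["ts"] - e["ts"] <= window}
            if len(denied_sites) >= min_denied_sites and ev["site"] not in denied_sites:
                hits.append((user, sorted(denied_sites), ev["site"]))
    return hits

if __name__ == "__main__":
    for user, denied, admitted in find_deny_deny_admit(SAMPLE_EVENTS):
        print(f"{user}: denied at {denied}, then admitted at {admitted}")
```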

Thus, an optimal implementation would be a combination of the two.

Cybersecurity technology innovation

The cybersecurity challenge doesn’t stand still. Attackers have been increasing the number, variety, and rate of change of attacks. Trying to find the attacks that get through our outer defenses has become a data overload problem—like finding a needle in a bunch of haystacks. Fortunately, technology available to counter these attacks has also been moving forward. An emerging class of semiconductor processors that can act as AI accelerators can be combined with non-centralized orchestration to quickly find these needles and remediate the attacks.

Disclosure: the authors have relationships in both the semiconductor and orchestration spaces.
