Protecting Networks via Automated Defense of Cyber Systems

Matthew Morin



This thesis examined whether automated cyber defense promises to be more effective than current models at coping with the vulnerabilities introduced by the projected increase in Internet-enabled devices. The question was scoped to the anticipated evolution of the cyberspace landscape over the next 10 to 15 years. In particular, the author claims that the anticipated exponential growth of Internet-of-Things (IoT) devices will open vulnerabilities at such a rate that current manual methods of detection, verification, and remediation will not be able to keep up. The thesis then explains why the automation of cyber defenses will be more effective than current models in performing methodical tasks, and why such automation will be required to handle the oncoming crush of IoT devices and their associated vulnerabilities.

Current defensive models and efforts are not adequate to defend networks from the volume of vulnerabilities introduced through IoT devices. Three gaps contribute to this: 1) the expected exponential growth of IoT devices, 2) the limited growth of IT security personnel and budgets, and 3) an increase in cyber attacks, including machine-to-machine attacks. The mass proliferation of Internet-enabled devices has the potential to unravel traditional mechanisms of coping with cyber attacks. The Federal Bureau of Investigation (FBI) has warned of threats associated with the spread of IoT devices, and the number of attacks is increasing. The compromise of vulnerable devices connected to the Internet will foster malicious actors' attempts to disrupt or gain access to all types of sensitive networks. Furthermore, the number of cybersecurity professionals will not grow at the same pace as the devices requiring protection. This will result in expanding gaps in cyber defenses.

The IoT wave began in earnest in the early part of the current decade, and there is no reason to believe its exponential growth will abate. Additionally, the Internet has proven to be inherently insecure since its inception, with new vulnerabilities introduced and identified on a regular basis. Terrorism, nation states, and organized crime will continue to be the primary malicious actors, and the level of associated threat may even grow as the cost to conduct offensive cyber operations drops while the cost to defend increases. Consequently, there will be a greater attack surface with vulnerabilities exploitable by those motivated to attack.

Defensive models have evolved since the inception of the Internet, beginning with a simplistic exterior network defense and progressing to layered, ever-vigilant, and intelligence-driven approaches. Both industry and government have adapted to increasingly complex networks, setting frameworks for establishing defensive efforts, exchanging attack intelligence, and moving toward partial automation. However, broad use of external/offensive cyber operations is not viable, particularly for private industry, as it carries high business and professional risks, introduces the potential for criminal liability, and may lead to unintended escalation between nation states.

Greater automation is viewed as the future of cyber defense. Numerous technological advances are on the near-to-mid-term horizon to help perform many cybersecurity functions. They will ride the same exponential growth curve seen in the introduction of IoT devices, thereby allowing a slowly growing number of cybersecurity professionals to defend vastly larger and more complex networks. Three core technological components are identified as essential to realizing what the thesis proposes as the automated defense of cyber systems (ADCS): sensors, autonomic computing, and artificial intelligence (AI). Various technological advancements are cited as evidence of each component's emergence.

The realization of ADCS will not take place overnight. It is much more likely it will arrive piecemeal, with incremental improvements to the sensor, autonomic, and AI components. National policy should continue to encourage investment in the broad use of defensive cyber automation. Such automation should be limited to activities contained within a defender’s network, and should not include offensive cyber measures in which the confidentiality, integrity, and availability triad is compromised without authorization. When considering incremental improvements from today’s cyber security environment, a logical first step is to provide the advantages of the Department of Homeland Security’s Continuous Diagnosis and Mitigation program to private industry. Further, private industry’s use and contribution to cyber vulnerability and threat information sharing is critical; barriers to participation in the Automated Indicator Sharing program should be aggressively removed, whether through incentives, regulatory control, or mitigation of civil liability. Finally, organizations should develop an investment strategy in building sensor networks that support business operations. This encompasses evaluation and iteration of data useful for collection. Likewise, they should invest in development and maturation of computational models that capture business functions. Rather than trying to model entire systems, such development should be incremental, focusing on the most critical business processes, data sets, or network segments. This, in turn, will feed into improvements in automation.
