Spatial intelligence, soccer, and security monitoring
In soccer, some players have several unique skills that elevate their status from an average player to an eternal legend. One of these critical skills, which allows a player to transcend time, is spatial intelligence, or awareness. This is a dynamic skill that enables a soccer hero like Ronaldo to be acutely aware of his surroundings. He knows his teammates' exact placement and the location of opponents as he moves with the ball.
Spatial intelligence permits a player to instantly adapt to the changing environment and always be aware of the best strategy to create exciting scoring chances, whether with a nifty pass to another player or with a swift deke of an opponent. Legendary soccer players make such plays look entertaining in their simplicity, but they are a lot easier said than done.
All the players, whether teammates or opponents, are doing their own computing, and there is no network linking their brains, so a player can never be too sure how others will react to his or her actions. Average players often get surprised by an opponent's speed, or pass the ball to where they expected a teammate to be, only for that teammate to run in a different direction. This environment is dynamic, and it isn't easy to calculate all the permutations possible.
Superstar soccer players can map out all the movement in their minds because their spatial intelligence is sophisticated. This allows them to score goals, complete accurate passes, and make plays that other players find impossible to execute.
Now that we have explained spatial intelligence from a human perspective, we can switch gears and show you how this concept can be applied to information security monitoring.
Enhancing security monitoring with spatial intelligence
Practitioners in the cybersecurity world are well aware that Security Operations Centers (SOCs) struggle to detect attacks by merely looking at Security Information and Event Management (SIEM) monitoring consoles. While monitoring events on a SIEM console, it is difficult to determine whether the event under review is an actual attack in progress.
To improve security monitoring, we need to enhance SOCs with spatial intelligence. Spatial intelligence in cybersecurity is contextual information.
There is a lot of contextual information available within our IT infrastructure to evaluate an event. Just as a defender's position is valuable information for Ronaldo to determine his next move, asset information, user information, vulnerability information, and network information help determine if the event or alert showing in a SIEM console is an attack or not.
SIEM and contextual information
The idea of integrating contextual information within a SIEM console to help determine if an event is an attack is not a new concept. Current SIEMs have capabilities that allow them to integrate contextual information, including asset profiles (asset value, location, services, and ports) and vulnerability information (CVE IDs, vulnerability name, and description). SIEMs have connectors to vulnerability scanners that allow vulnerability information to be imported periodically. Despite this, there are few success stories of SOCs using this type of integration to evaluate an event better and identify attacks.
Lack of dynamic integration of context information
This lack of success makes one wonder why SOCs find it challenging to integrate contextual information and realize value. The key reason is that SIEMs have treated this kind of integration as "static" integration, while in reality, all of this information is dynamic and deserves a different approach. We will try to understand this better by taking the example of vulnerability information integration.
Vulnerability information, for instance, is not static. It is changing all the time as new vulnerabilities are discovered in platforms every day. Similarly, asset components and services keep changing and corresponding vulnerabilities change accordingly. Hence, vulnerability information is a moving target.
Also, organizations have different periodical cycles during which scanning occurs. Leading organizations might scan critical assets daily, while others might scan every month or quarter. Non-critical assets might only get scanned annually. In practice, this means that the vulnerability information corresponding to an asset might not be available, or might be out of date, at the moment it is needed for comparison with an event to determine whether that event is an attack.
For instance, let us look at an event that is a Windows buffer overflow attack taking advantage of a specific vulnerability. Suppose the SIEM does not have updated information on this vulnerability because of a sporadic scan cycle. In that case, the buffer overflow event cannot be compared with vulnerability information that does not exist in the SIEM, so the impact of this attack on the asset cannot be determined. This also leads to weak or wasted countermeasure actions.
In short, given the way SIEM technology is currently implemented, spatial intelligence fails to deliver pertinent information. Without this up-to-date data, there is no possibility of scoring your goal of stopping an attack.
Bridging the gap
Solving this problem, that is, increasing the ability to recognize when an event is an attack, requires a different approach. The new system needs to keep pace with the real-world issues of evolving vulnerabilities, missing vulnerability information, and imperfect scanning cycles in organizations. It needs to integrate an element of dynamism into the analysis of contextual information.
In practice, this means that there should be a mechanism that enables the system (SIEM/supporting technology) to use available vulnerability information to predict if a specific vulnerability exists corresponding to the event that is being analyzed.
Referring to our previous example, we should be able to use existing vulnerability information available across Windows assets in the organization to predict if a specific vulnerability corresponding to the buffer overflow event exists or not.
Employing data science to adapt to the dynamic nature of contextual information
Data science provides mechanisms to achieve the type of dynamism needed, which leads to effective use of contextual information, thus increasing the spatial intelligence of a security system.
Let us look at how data science can help us solve the dynamic nature of vulnerability information integration. Organizations tend to follow specific patterns while patching their systems. Patching decisions are primarily based on analyzing how critical an asset is and how severe the vulnerability is. The impact of system downtime and the effort required to implement a patch update are also essential variables in the decision.
The patch update schedule adopted by an organization leads to a specific pattern of vulnerabilities across existing assets. This is like a fingerprint that is specific to the organization. Applying a probability model to this vulnerability data pattern across assets enables us to identify the fingerprint and predict the presence of a vulnerability. This approach works even when the last available scan holds no information about that specific vulnerability on the asset in question. A similar approach can be used for other contextual information that is dynamic.
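The following Python is an added, illustrative example and is not code from the original article or from any SIEM or scanner vendor. It contrasts the "static" integration described earlier (look up the alerted asset's own last scan, and come up empty when that scan never tested for the vulnerability, as in the Windows buffer overflow case) with the dynamic approach described here: a recency-weighted, add-one-smoothed estimate of whether the vulnerability is present, drawn from peer assets of the same platform and criticality tier. Every host, tier, scan date and the vulnerability identifier are constructed placeholders; the 30-day half-life, the 90-day staleness threshold and the two-tier patching scheme are assumptions chosen for the illustration, not values from the article.

```python
"""Added example: estimating whether a vulnerability is present on an asset from
the organization's patching fingerprint. Every host, tier, scan date and the
vulnerability id below is constructed sample data, not real scanner output."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    platform: str  # e.g. "windows"
    tier: str      # assumed: "critical" assets are patched and scanned more often


@dataclass(frozen=True)
class ScanRecord:
    host: str
    scanned: date            # date of this host's most recent scan
    tested: frozenset[str]   # vulnerability ids the scanner checked for
    present: frozenset[str]  # subset of `tested` actually found on the host


VULN = "VULN-ID-PLACEHOLDER"  # hypothetical id; the article names no specific CVE
TODAY = date(2024, 3, 1)

ASSETS = [
    Asset("fs-01", "windows", "critical"), Asset("fs-02", "windows", "critical"),
    Asset("fs-03", "windows", "critical"), Asset("fs-04", "windows", "critical"),
    Asset("ws-10", "windows", "standard"), Asset("ws-11", "windows", "standard"),
    Asset("ws-12", "windows", "standard"), Asset("ws-13", "windows", "standard"),
    Asset("db-01", "linux", "critical"),
]


def _rec(host: str, days_ago: int, tested: set, present: set) -> ScanRecord:
    return ScanRecord(host, TODAY - timedelta(days=days_ago),
                      frozenset(tested), frozenset(present))


SCANS = [
    # critical tier (constructed): scanned daily and patched promptly
    _rec("fs-01", 1, {VULN}, set()), _rec("fs-02", 2, {VULN}, set()),
    _rec("fs-03", 1, {VULN}, {VULN}),
    # fs-04: last scanned 100 days ago, and the flaw was present back then
    _rec("fs-04", 100, {VULN}, {VULN}),
    # standard tier (constructed): quarterly cadence, patched slowly
    _rec("ws-10", 20, {VULN}, {VULN}), _rec("ws-11", 45, {VULN}, {VULN}),
    _rec("ws-12", 70, {VULN}, set()),
    # ws-13: last scan predates the scanner's check for VULN, so no data at all
    _rec("ws-13", 120, set(), set()),
    _rec("db-01", 1, {VULN}, set()),
]


def own_record(host: str, scans: list[ScanRecord]) -> ScanRecord | None:
    own = [s for s in scans if s.host == host]
    return max(own, key=lambda s: s.scanned) if own else None


def static_lookup(host: str, vuln_id: str, scans: list[ScanRecord]) -> bool | None:
    """The 'static' integration: answer only from the asset's own last scan.
    Returns None when that scan never tested for vuln_id (the gap in the text)."""
    rec = own_record(host, scans)
    if rec is None or vuln_id not in rec.tested:
        return None
    return vuln_id in rec.present


def predict_present(host, vuln_id, assets, scans, today, half_life_days=30):
    """P(vuln_id present on host) estimated from peers sharing platform and tier.
    Each peer scan that tested for vuln_id is one observation, down-weighted by
    age (0.5 per half-life); add-one smoothing keeps it defined with few peers.
    Returns (probability, total_weighted_observations)."""
    target = next(a for a in assets if a.host == host)
    peers = {a.host for a in assets
             if a.host != host and (a.platform, a.tier) == (target.platform, target.tier)}
    hits = total = 0.0
    for s in scans:
        if s.host in peers and vuln_id in s.tested:
            w = 0.5 ** ((today - s.scanned).days / half_life_days)
            total += w
            hits += w if vuln_id in s.present else 0.0
    return (hits + 1.0) / (total + 2.0), total


def triage(host, vuln_id, assets=ASSETS, scans=SCANS, today=TODAY, max_age_days=90):
    """Trust the asset's own scan while it is fresh; otherwise fall back to the
    peer-based estimate. Returns (verdict, probability, reason)."""
    rec = own_record(host, scans)
    age = (today - rec.scanned).days if rec else None
    if rec is not None and vuln_id in rec.tested and age <= max_age_days:
        hit = vuln_id in rec.present
        return ("vulnerable" if hit else "patched", 1.0 if hit else 0.0,
                f"{age}-day-old own scan")
    p, n = predict_present(host, vuln_id, assets, scans, today)
    why = f"predicted from {n:.2f} weighted peer observations"
    if age is not None and age > max_age_days:
        why = f"own scan is {age} days old (stale); " + why
    return ("likely vulnerable" if p >= 0.5 else "likely patched", round(p, 2), why)
```

Calling `triage("ws-13", VULN)` answers the case the article describes: the static lookup returns `None` because ws-13 was never scanned for the flaw, while the peer-based estimate reports it as likely vulnerable (about 0.62) because its slow-patching peers still carry it. `triage("fs-04", VULN)` shows the opposite correction: the stale static record says "vulnerable", but its promptly patched critical-tier peers pull the estimate down to about 0.40, so an analyst would not spend a countermeasure on a flaw that has probably already been closed. The half-life weighting is what keeps the model in step with the moving target: an old finding counts for less than a fresh one, whichever way it points.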
Scoring goals by identifying attacks
There is a need to recognize the dynamic nature of context information and a willingness to capture this dynamism to increase attack detection capabilities. Hence, the use of techniques that keep pace with the changing nature of context information is vital. We can only enable our SOC analysts to improve attack detection if we adopt techniques that integrate dynamic "spatial intelligence." These improvements should help SOC analysts pierce through the noise of event data to identify those events that are attacks.