As I was preparing to write this blog on the importance of interoperability across cyber defense systems, I read the following news article “Why America’s Two Best Fighter Jets Can’t Talk to Each Other”. One of the salient points in this article is that reportedly the communication systems in the newer model fighter jet is not integrated with an older model fighter jet.
Two article quotes drew my attention particularly:
“The U.S. fifth-generation jets are adept at disseminating a more detailed view of the battle space to older aircraft, increasing the former’s “survivability” in combat…”
“The thing that’s great about having Link 16 and MADL onboard and the sensor fusion is the amount of situational awareness the pilot has…”
An integrated communication system is a vital part of these fighter jets and the combined strength those fighters provide. A similar point can be made about the lack of interoperability and easy integration in cyber defense between cybersecurity systems.
The issues these fighter jets have illustrates the technical, business, and organizational challenges that can get in the way of technology integrations necessary for the effective use of technology intended to protect and defend. More importantly, the impact on the security of organizations can be significant when defensive systems are not integrated in meaningful and effective ways.
Recently, I had the opportunity to discuss the key challenges faced in cyber defense integration in a joint webinar with Jason Keirstead (IBM Security) and Henry Peltokangas (Cisco Systems) on Cyber Threat Intelligence Collaboration.
Why does interoperability matter?
Whether at a small-medium enterprise or the largest multi-national organization, most security deployments generally share these common characteristic:
No Single Vendor
- Typically, there is no single vendor that has deployed all of the systems that must exchange Cyber Threat Intelligence (CTI) and Security telemetry (e.g. events, logs).
- Many organizations choose best of breed for firewalls vs. identity authentication vs. Intrusion Detection Systems (IDS) vs. web proxies vs. threat analysis platforms.
- One of the primary reasons for having different products (from different vendors) in a security deployment is that each product performs vital tasks and functions and may not even be run or operated by the same security analysis and security operations teams.
- Teams and their respective products must work collaboratively to collect, analyze, refine, and ultimately operationalize CTI.
- The complexity involved in building security systems can be quite daunting but it becomes even more complex if those systems need to share data and actions to make security work successfully.
- Often times, real-time data may indicate a threat that must be acted upon quickly but without suitable interoperable systems working collaboratively it’s almost impossible to provide an effective real-time response.
Ultimately, the goals for interoperability are to drive ease of deployment, ease of maintenance, and ensure that complex systems tasks can be performed when they connect together.
Here’s a recent example that helps explain the challenge:
In the above scenario, a multi-national organization purchased a Threat Intelligence Platform (TIP) from one vendor and an Endpoint Protection system from a second vendor. Both vendors had developed their products to exchange OASIS STIX/TAXII Version 1 standards-based intelligence. Both vendors claimed their products supported the standard protocol and content.
When the multi-national organization came to connect those systems together the TIP and Endpoint Protection system failed to exchange intelligence correctly. After initially trying to debug the issue themselves, the organization escalated the integration challenges to both vendors to resolve the communication issues.
Fortunately, in this scenario both vendors were able to investigate and come up with a solution to integrate the CTI products successfully. However, the reality is that even with standards (as a basis for security integration), there remains ample opportunity for technology companies to miss important aspects that end up sabotaging off-the-shelf integration with other vendors.
The above example shows the negative consequences that integrating products from various vendors has on security. More specifically, the following areas are most impacted:
Expertise & Human Assets
- To understand technically what is working.
- Organizations have to learn a lot more about what technology is doing to share the content between systems.
- Takes time to either hire or train folks, as well as to learn about the different product interfaces instead of just expecting them to ‘work’.
Time & Costs
- Multiple days or weeks to make it ‘work’.
- Multiple organizations involved.
- Costs of people and systems time without operational benefits.
- Point products have limits to what features they provide as standalone solutions.
- Point products are limited to what they can detect and block when not an integrated system.
- Introducing CTI into deployments consisting of multiple point products results in the worst case where each product has its own blacklist or method of consuming the intelligence and the security team has to manually copy/paste the intelligence to each.
- It adds huge amounts of human error that can undermine protection.
- In many cases, the lack of coordinate capability can cause unexpected results and worse, could undermine protection.
As a result, the true winners are the adversaries.
What should we do?
There are a few ways to improve and implement interoperability in your organization. In my next blog, I’ll give you some best practices including:
- STIX Preferred program
- Interoperability key tenants
If you want to discuss this blog or integrated LookingGlass cyber defense solutions please reach to myself on Twitter (@tweet_a_t) or contact us. If you are going to RSA 2018 please come to the STIX and TAXII Meet-up on April 18, 2018 to chat with me more on this topic.