Missing The Big PictureEvery time I hear about cybersecurity efforts, the focus is on a single device, a given process, piece of malware, and so forth.  While people pay lip service to proliferation, the target is one user’s actions, one infection of one machine and so forth.  To understand why this is an issue, it is important, I think, to look at the real world without technology confusing things.

The Real World

In a soon-to-be released Forbes article, I talk about the importance of looking at the actions of a person in order to understand intent.  In that example, just looking at a person standing still makes determining that person as good or bad nearly impossible.  That example, while relevant to the article, is only half of the equation. Suppose you see somebody tackle somebody else to the ground – is that person mugging the other, playing with a friend, saving them from an explosion?  How do you figure that out? Humans are great at using contextual awareness of their environments to fill in the gaps and effortlessly determine the action of a given person within the context of their overall environment.  The other people in the scene, where the action occurs, and the interaction of other, independent, objects all aid in this process.  If a building is exploding, then the person is being a hero.  If it is night and the person being tackled screams for help, it is probably a mugger.  Looking just at the person taking an action is insufficient for us to perceive what is actually going on. Remember that we have quantum computers for brains and those are far beyond any cybersecurity software system… Within the scope of this argument, therefore, it appears to be impossible to appropriately determine the actions of any given component of a computer system by looking at it in isolation.  And yet, isolation is all most cybersecurity does and looking outside of, for example, a single device, is not part of the equation.

Use Cases

One of the best examples of this issue revolves around malware detection wherein heuristics are used to determine whether or not some process on a device is good or bad.  These simple profiles look for activity on a device based on past malware activity and attempt to pattern match.  If a process is behaving normally, then it is considered to be fine.  To this end, malware can grab data, transmit that data to another device and never be captured.  This process can continue until the end device is one that sits on the edge and normally connects to the outside world – and now the data is exfiltrated without ever being noticed. If the whole picture is being observed, these communication pathways become clear but, in isolation, there is no way to discern these activities. This issue extends beyond pure software systems and, as is often the case, humans can paly an important role that is often missed.  Take for example, a person going to an unusual location, logging into a machine that is not normal, and either installing software or grabbing data that is not normal.  That person might have access rights to the machine in question and thus just looking at the device in isolation is never going to catch that person.  Many people mistakenly think that their physical and cyber security systems work together but they almost never interact.  Again, the isolated manner of threat identification in cybersecurity leads to massive blind spots in detection. While it is clear that cybersecurity needs to start taking a more holistic view of systems, there are issues of scale that challenge these solutions even in the isolated manner in which they currently operate.  To move to a truly systemic detection paradigm will only exacerbate the situation…which is why a new approach is required… Which will be the topic of my next post!