In the world of soccer, some players have a number of special skills that elevate their status from an average player to that of an eternal legend. One of these critical skills which allow players to transcend time is spatial intelligence or awareness. This is a dynamic skill which enables a soccer hero like Cristiano Ronaldo to be so acutely aware of his surroundings. He knows the exact placement of his teammates and the location of opposing players as he moves with the ball.
Spatial intelligence permits a player to instantly adapt to the changing environment and always be aware of the best strategy to create exciting scoring chances, whether it is with a nifty pass to another player or with a swift deke of an opponent. Legendary soccer players make such plays look entertaining in their simplicity, but they are lot easier said than done.
All the players, whether teammates or opponents, are doing their own computing and there is no network linking their brains so a player can never be too sure how others are going to react to his or her actions. Average players often get surprised by the speed of an opponent or pass the ball where they expected their teammate to be, but that player decides to go in a different direction. This environment is dynamic and it is difficult, to calculate all the permutations possible.
Superstar soccer players are able to map out all the movement in their mind because their spatial intelligence is so sophisticated. This allows them to score goals, complete accurate passes and make plays that other players find impossible to execute.
Now that we have explained spatial intelligence from a human perspective, we can switch gears and show you how this concept can be applied to information security monitoring.
Enhancing security monitoring with spatial intelligence
Practitioners in the information security world are well aware that Security Operation Centres (SOC) struggle to detect attacks by simply looking at Security Information and Event Management (SIEM) monitoring consoles. While monitoring events on a SIEM console, it is difficult to determine if the event under review is a real attack in progress.
To improve security monitoring, we need to enhance SOCs with spatial intelligence. Spatial intelligence with reference to information security is context information.
There is a lot of context information available within our IT infrastructure that can be used for evaluating an event. Just as the position of a defender is useful information for Ronaldo to determine his next move; asset information, user information, vulnerability information, and network information are all useful in determining if the event or alert showing in a SIEM console is an attack or not.
SIEM and context information
The idea of integrating context information within a SIEM console to help determine if an event is an attack is not a new concept. Current SIEMs have capabilities which allow them to integrate context information including asset profiles (asset value, location, services, and ports) and vulnerability information (CVE IDs, vulnerability name, and description). SIEMs have connectors to vulnerability scanners which allow the import of vulnerability information on a periodic basis. In spite of this, there are few success stories of SOCs using this type of integration in better evaluating an event and identifying attacks.
Lack of dynamic integration of context information
This lack of success makes one wonder why SOCs find it difficult to integrate context information and realise value. The key reason is that SIEMs have treated this kind of integration as “static” integration, while in reality all of this information is dynamic and deserves a different approach. We will try to understand this better by taking the example of vulnerability information integration.
Vulnerability information, for instance, is not static. It is changing all the time as new vulnerabilities are discovered in platforms every day. Similarly, asset components and services keep changing and corresponding vulnerabilities change accordingly. Hence, vulnerability information is a moving target.
In addition, organisations have different periodical cycles during which scanning occurs. Leading organisations might scan critical assets on a daily basis, while some others might scan every month or quarter. Non-critical assets might only get scanned annually. This essentially implies that vulnerability information corresponding to an asset might not be available for comparing with an event to further determine if it is an attack.
For instance, let us look at an event that is a Windows buffer overflow attack taking advantage of a specific vulnerability. If the SIEM does not have updated information on this vulnerability due to a sporadic scan cycle, it is difficult to compare the buffer overflow event with the on-existent vulnerability information in a SIEM to determine the impact of this attack on the asset. This also leads to weak or wasted countermeasure actions.
In short, the method in which SIEM technology is currently implemented, spatial intelligence fails to deliver proper information. Without this up-to-date data, no possibility exists of scoring your goal of stopping an attack.
Bridging the gap
To be able to solve this problem by increasing the ability to recognise an event that is an attack requires a different approach. The new approach needs to keep pace with the real world issue of evolving vulnerabilities, missing vulnerability information, and imperfect scanning cycles in organisations. It needs to integrate an element of dynamism in analysing context information.
In practice, this means that there should be a mechanism that enables the system (SIEM/supporting technology) to use available vulnerability information to predict if a specific vulnerability exists corresponding to the event that is being analysed.
Referring to our previous example, we should be able to use existing vulnerability information available across Windows assets in the organisation to predict if a specific vulnerability corresponding to the buffer overflow event exists or not.
Employing data science to adapt to the dynamic nature of context information
Data science provides mechanisms to achieve the type of dynamism needed, which leads to effective use of context information thus increasing the spatial intelligence of a security system.
Let us look at how data science can help us solve the dynamic nature of vulnerability information integration. Organisations tend to follow certain patterns while patching their systems. Patching decisions are mostly based on analysis of how critical an asset is in the system along with how severe is the vulnerability. The impact of system downtime and effort required to implement a patch update are also important variables in the decision.
The patch update schedule adopted by an organisation leads to a certain pattern of vulnerabilities in existing assets. This is like a fingerprint that is specific to an organisation. Applying a probability model to this pattern of vulnerability data across assets enables us to identify this fingerprint and predict the presence of vulnerability. This approach is successful even in the absence of information corresponding to a specific vulnerability from the last available scan. A similar approach can be used for other contextual information that is dynamic in nature.
Scoring goal by identifying attacks
There is a need to recognise the dynamic nature of context information and a willingness to capture this dynamism to increase security attack detection capabilities. Hence, the use of techniques that keep pace with the changing nature of context information is vital. We can only enable our SOC analysts to improve security attack detection if we adopt techniques which integrate dynamic “spatial intelligence”. These improvements should assist SOC analysts to effectively pierce through the noise of event data to identify those events which are attacks.
