by Gary S. Miliefsky, Publisher, Author, Investor and Keynote Speaker
Here we are, and most of us are thankful that 2020 is almost behind us, since the global panic has taken place as a result of the COVID-19 novel zoological corona virus bioweapon attack on humanity. Are you also wondering where all the time went? So much to do, so little time. Time is of the essence. Time is the fire in which we burn. OK, I’m sure you would agree that while time is a man-made concept, it is usually completely out of our control. We can, for now at least, joke about time travel and time machines, but understanding the importance of time, specifically in regard to network security and breaches, could change the dynamic dramatically. We could start winning again and stopping the breaches before they happen.
To understand my 2021 prediction, we first have to go back in time. The year is 1999. Enter the Einstein of cybersecurity, a genius, a mentor and a good friend – Winn Schwartau. Winn brings us time-based security. It’s hard to believe that over 20 years ago, Winn discovered and wrote about this still very novel concept in his book called “Time-based Security”. Winn must have been a time traveler, because he wrote this book 20 years ahead of his time. He’s done an incredible update in his new book, entitled “Analogue Network Security” – and while no one really understood it back then, it’s time we do, today. However, without even truly understanding the concept, more and more vendors are on the scene creating innovative ways to manipulate the time equation in regard to breaches.
For example, deception-based technology vendors are succeeding at going on the offense to actually slow down breaches by creating dynamic honeypot-like environments for the cyber criminals to ensnare them long enough to stop their breach from being successful. They actually slow down the breach – they can affect the time it takes for a breach to occur, so they have manipulated ‘breach time.’
Take a look at these leading deception technology vendors to see what I’m talking about:
- Acalvio Technologies
On the other side of the equation, many vendors now have bragging rights about their artificial intelligence (AI) and machine learning systems, coupled with crowdsourcing and cloud ‘big data’, so that they can analyze malware and cyber attacks in near real-time and even predict when and where the next threat will strike. Hence they have reduced the time required to detect a threat, once again affecting ‘breach time’, but in this case making it so that successful breaches have to go even faster. Both approaches can be leveraged together to dramatically improve network security.
Take a look at these leading predictive threat researchers to see what I’m talking about:
- Recorded Future
The Time-based Security Equation
So what is Time-based Security (TBS) and is there a formula we can use to quantifiably test and measure the effectiveness of these and other INFOSEC countermeasures? The answer is yes – TBS gives us a measurable foundation for stopping breaches – and here is the formula:
Protection(time) must be greater than Detection(time) + Response(time) or formulaically
Pt > Dt + Rt
A Real-world Example: Time Needed to Rob a Bank
Let’s look at a real-world example of TBS – Bank Robbers. They drive up to the bank. They enter the bank and hold a gun to the teller, informing the teller to ‘open the vault’ and help them fill up their bags. Let’s say the teller pressed the ‘red button’ silent alarm to call the local police. The police are on their way and will arrive in 11-12 minutes. Meanwhile the bank robbers fill their satchels in 9 minutes, hop in their getaway car and are gone on the 10th minute. A minute or two later, the police arrive, and of course it’s a minute or two too late.
So the Protection time for this bank needed to be 12 minutes or more, to give the police time to arrive and catch the robbers. If the safe/vault required two employees to bring two sets of keys or two passcodes, and maybe one of them was upstairs and recently had a hip replacement, maybe it would take that second teller an extra few minutes to get to the vault to turn their key and enter their secret code. That would have increased the protection time by a few minutes.
Look at it this way: the Detection time (when the teller pressed the alarm) was less than 1 minute, but the Response time, when the police finally arrived, was 11 or 12 minutes, so in this case Pt < Dt + Rt and the robbers get away. What if you took my advice and added the second set of keys and a second passcode, i.e. two-factor authentication? What if you actually moved the bank branch closer to the local police department? A building near the police goes up for sale, you buy it and move the branch. Now your Response time has been moved from 12 minutes to 2 minutes. This makes it really hard for the bank robbers to get in and out with the ‘loot’ and in fact, they would rather go elsewhere, where the risks of successful exploitation are much lower.
Putting TBS to Work for Cybersecurity
Now let’s think about our own cyber security posture, from the cloud data to the firewall and throughout the intranet of our organization. Assuming we have the best training, techniques and tools in place – strong encryption, good key management, authentication, an up-to-date firewall, patched and secured endpoints, a great Security Information and Event Management (SIEM) system and the best threat feeds on the planet – can we begin to measure our Dt and Rt? The answer is yes. We can review our logs, leverage our SIEM or a great MSSP partner and take notes as follows:
- Time to detect an event
- Time to respond to an event
- How much damage can be done in Dt + Rt
So to begin understanding how to use TBS to beat the next attacker and defend against a breach, we need to look at one more variable in the TBS equation, and that’s called Exposure(time) or Et. This is so important – Exposure time is the window of vulnerability or the crack in our armor which would allow an intruder to steal our crown jewels, in this case the important customer or confidential records and data sets we wish to protect. In the case of the bank being robbed, our Et was 12 minutes (i.e. how long before the police actually arrived on the scene from the moment the robbers entered the bank branch) or Dt + Rt (the time the teller took to press the red button plus the time it took for the police to arrive).
TBS Mission: Minimize our Exposure Time
We need to minimize Exposure time or at least make it smaller than the time it takes for the cybercriminals to complete the exploitation and steal our confidential data. There are two ways to minimize our Exposure time – one is to make Breaches go slower, for example using virtual machines and honeypots in deception-based security models, bandwidth limiting, data padding and stronger encryption throughout our organization.
For example, if our Dt = 12 minutes but we can get the cybercriminals to spend more than 12 minutes in our honeypot at the perimeter using deception-based security technologies, then while they are busy attempting to steal fake but ‘juicy’ looking data, they are detected and stopped before they can breach the intranet and get at the real data. They can’t exfiltrate real data if we detect them fast enough.
Another way to slow down the breach is called ‘data padding’. Imagine you could pad all the critical files on your network so that transferring any one of them takes longer than the Exposure time (Et). An example would look something like this. Let’s say your Et is 10 minutes and your network bandwidth (Bw) is 6 Gigabytes (Gb) per hour. So with Et = 10 min and Bw = 6 Gb/hr, we know what we need to do to pad our files: File size = (1/6 hr) × (6 Gb/hr) = 1 Gb. Therefore, all critical files should be padded to be larger than 1 Gb. When hackers try to steal critical data, it will take them too long to get it, because the time to steal one file is larger than our Exposure time, our Et. Make sense?
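The measurements listed under “Putting TBS to Work” and the data-padding arithmetic above, combined in an added Python example (not code from this article or from Winn Schwartau’s books). The incident records, field names and function names are constructed for illustration, and planning against the worst observed Et rather than the average is this example’s assumption.

```python
from datetime import datetime

# Constructed sample records (not real data): intrusion start, detection, containment.
INCIDENTS = [
    {"id": "INC-1", "start": "2020-11-02T09:00:00",
     "detected": "2020-11-02T09:04:00", "contained": "2020-11-02T09:10:00"},
    {"id": "INC-2", "start": "2020-11-09T14:00:00",
     "detected": "2020-11-09T14:01:00", "contained": "2020-11-09T14:12:00"},
    {"id": "INC-3", "start": "2020-11-20T22:30:00",
     "detected": "2020-11-20T22:32:00", "contained": "2020-11-20T22:35:00"},
]

def _minutes(earlier, later):
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 60

def measure(incidents):
    """Return (id, Dt, Rt, Et) per incident in minutes, with Et = Dt + Rt."""
    rows = []
    for inc in incidents:
        dt = _minutes(inc["start"], inc["detected"])
        rt = _minutes(inc["detected"], inc["contained"])
        if dt < 0 or rt < 0:  # out-of-order timestamps would hide real exposure
            raise ValueError(f"{inc['id']}: timestamps out of order")
        rows.append((inc["id"], dt, rt, dt + rt))
    return rows

def worst_exposure(rows):
    """Assumption of this example: plan against the slowest observed Dt + Rt."""
    return max(et for _, _, _, et in rows)

def is_protected(pt_min, et_min):
    """The TBS test from the article: Pt > Dt + Rt."""
    return pt_min > et_min

def padding_threshold(et_min, bw_per_hr):
    """File size (same unit as bw_per_hr) whose transfer takes exactly Et."""
    return et_min * bw_per_hr / 60

def transfer_minutes(size, bw_per_hr):
    """Minutes needed to move one file of the given size at full bandwidth."""
    return size * 60 / bw_per_hr

if __name__ == "__main__":
    rows = measure(INCIDENTS)
    et = worst_exposure(rows)
    for row in rows:
        print("%s Dt=%.0f Rt=%.0f Et=%.0f min" % row)
    print("worst Et:", et, "min; Pt of 10 min sufficient?", is_protected(10, et))
    print("pad critical files above", padding_threshold(et, 6), "Gb at 6 Gb/hr")
```

With the article’s figures (Et = 10 min, Bw = 6 Gb/hr) `padding_threshold` returns the same 1 Gb; the constructed INC-2 record mirrors the bank example, where a 1-minute Dt and an 11-minute Rt give a 12-minute Et.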
Now let us look at the flip side, which I alluded to earlier: we could go faster – we could speed up our Detection time and/or our Response time. To do this, we need real-time analytics coupled with human intelligence, artificial intelligence and machine learning. We need this information tied into our SIEM and our EDR (endpoint detection and response) as well as our firewall, IDS/IPS and switches. This would allow us to detect malicious traffic or an infected system and more rapidly isolate or quarantine it so that no data theft can occur.
We must know all of our threats as quickly as possible. We must know all of our serious or critical vulnerabilities as quickly as possible and understand the correlation between an exploiter or threat and the vulnerability they are attempting to exploit. Finally, we must track, control, manage and value all of our network assets, especially those that host or manage critical and confidential data.
We can also reduce Detection time (Dt) by defending against exploitable holes. If we are not using a CVE (Common Vulnerabilities and Exposures) auditing system from any of the well-known vendors or even the OpenVAS free and open-source solution, we’re at risk of too many open windows and doors. We need to patch, harden and reconfigure our systems to affect Dt, while we need next-generation endpoint security solutions that can reduce our Response time (Rt) through detection, orchestration, automation and isolation. Some of the best methods for isolation include agent-based and agentless quarantine technology such as 802.1x as well as various methods of network access control (NAC) or what they are now calling IT & OT Security or IoT Security.
In summary, the smaller we can make the Detection time plus the Response time, i.e., Dt + Rt should be as close to zero as possible, the higher the probability that we cannot easily be breached and, if we are breached, that the data cannot be exfiltrated fast enough to cause harm or require regulatory compliance reporting. It’s time we start asking our INFOSEC trusted MSSP partners and vendors – what are you doing in regard to Time-based Security? Can you slow down the breach? Do you offer any deception-based solutions? What can you do to speed up the Detection time and Response time? What threat intel and other tools do you offer? How fast is your EDR solution? Are we doing continuous/real-time backups known as Continuous Data Protection (CDP)? Have we tested and measured our Exposure time? By starting to focus on simple measurements such as Protection time (Pt), Exposure time (Et), Detection time (Dt) and Response time (Rt), we can finally begin to understand our true breach prevention posture.
About the Author
Gary S. Miliefsky is the Publisher of Cyber Defense Magazine (CDM), investor, bestselling author and a frequent Keynote Speaker. Gary is a globally recognized cybersecurity expert, inventor and founder of numerous cybersecurity companies, is a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber-crime and cyber terrorism, also covered in Forbes, Fortune and Inc Magazines. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). Gary is a member of ISC2.org and is a CISSP®. Learn more about Gary at www.cyberdefensemagazine.com.