Facebook CSO Alex Stamos was the keynote speaker at Black Hat USA 2017 this week and, in his keynote, he brought up a competition that is being put forward to all researchers in the CyberSecurity space. This competition is called the Internet Defense Prize. It is run in conjunction with USENIX and provides an award to researchers who come up with technical solutions that will improve the security of the Internet.
This competition gave out its first award back in 2014, of $50,000. They increased that amount in 2015 to $100,000, and it was awarded in each year since, including this year. But now, Facebook has announced that they are awarding $1 Million for 2018. The award amount can be split amongst multiple winners if there is a tie. The participants need to provide a working prototype of what they are suggesting, and the award is meant to promote the DIRECTION that the researchers are going in rather than the work that they have done so far.
Just as an aside, when I went to look more into USENIX, it turns out that they have a Security Conference in Vancouver from August 16 – 18 (with a couple of co-located events also happening that week). If you want to know more about that conference, go to the USENIX Security 2017 Conference site.
Anyway, it got me thinking about what I would pursue with regards to Internet security. And that typically goes to a thought process around what the issues are. I challenge you to come up with your own thoughts. Think ‘blue sky’ / I-wish-this-was-available type of thinking.
What I believe is that there is a gradual evolution of thinking rather than huge leaps and bounds. Sure, there are those occasional leaps but, by and large, progress comes from small steps. I also believe that a lot of those small steps come from adapting current solutions to new problems. So let me start there.
My current belief, and I think you are probably in the same boat, is that security events happen so quickly that there isn’t really enough time to respond to them, even assuming you had the right security personnel, or enough of them. I believe that the benefits of SIEMs are largely being missed simply because of the sheer volume of events that go into them and the fact that not all IT devices have the ability to log security events appropriately. So, to that end, here is something I would propose (if I were a researcher working on this):
I would propose the development of a bus system, similar to middleware like an Enterprise System Bus (or ESB) that security devices connect to using XML. Because it’s XML based, there should be adequate APIs available from the various security solutions, whether they are Malware Protection or Firewalls, or network based security devices or anything else, that you could create standardized interfaces for these various security solutions.
Like an ESB, the communication between the different systems would be controlled by a Central Management System. This may be an adaptation of a SIEM or, possibly even better, taking something like Splunk or AlienVault (which is Open Source as well) and then leveraging its analytics capabilities. The Central Management System would have a ruleset for controlling the communication path from one security device to another, based on the message content.
Typically, we are used to thinking about a centralized system where all information goes to the center. All AV agents communicate with the center. All security logs go to the SIEM. But that topology makes the central location both a highly important component and a potential bottleneck. Why not allow the messaging bus to carry an adapted message to some other component? For example, if an AV agent is reporting a high-severity issue on one of its protected systems, why not have a message go straight to the Switch responsible for that VLAN and have the VLAN re-configured to isolate that machine? Or, if an IPS sees a certain type of network traffic, why not have an adapted message sent right to a Firewall for ACL correction?
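To make the idea concrete, here is a small simulation of the bus described above. It is an added example written for this post, not code from Facebook, USENIX or any of the products mentioned: the XML message layout, the device names (switch, firewall, SIEM), the quarantine VLAN number and the sample events are all constructed for illustration. Every event is still copied to the SIEM, but the Central Manager's rules also adapt high-severity AV events into a VLAN isolation message for the switch and matching IPS signatures into a deny-ACL message for the firewall, so the response does not have to wait on the central store.

```python
"""Rule-driven security message bus (toy model of the ESB-style routing in the post).

Assumptions: the <securityEvent> schema, device names and actions below are
invented for this example; they are not a real product's format or API.
"""
import xml.etree.ElementTree as ET

# ---- Constructed sample messages (not a real product schema) ----------------
AV_HIGH = """<securityEvent source="av-agent" severity="high">
  <host ip="10.1.20.37" vlan="20"/>
  <detection name="Trojan.Generic" status="quarantine-failed"/>
</securityEvent>"""

IPS_MED = """<securityEvent source="ips" severity="medium">
  <flow src="203.0.113.9" dst="10.1.20.5" dport="445" proto="tcp"/>
  <signature id="SMB-SWEEP" name="Inbound SMB sweep"/>
</securityEvent>"""

AV_LOW = """<securityEvent source="av-agent" severity="low">
  <host ip="10.1.20.40" vlan="20"/>
  <detection name="PUA.Toolbar" status="cleaned"/>
</securityEvent>"""

# Signatures the firewall rule reacts to (assumed list for the example).
BLOCK_SIGNATURES = {"SMB-SWEEP"}


class Switch:
    """Simulated VLAN controller: moves a host into a quarantine VLAN."""
    QUARANTINE_VLAN = "999"

    def __init__(self):
        self.vlan_of = {}  # host ip -> current vlan

    def isolate(self, msg):
        self.vlan_of[msg["ip"]] = self.QUARANTINE_VLAN
        return f"switch: moved {msg['ip']} from vlan {msg['vlan']} to {self.QUARANTINE_VLAN}"


class Firewall:
    """Simulated firewall: keeps a deny ACL keyed by (source ip, destination port)."""
    def __init__(self):
        self.deny = set()

    def block(self, msg):
        self.deny.add((msg["src"], msg["dport"]))
        return f"firewall: deny {msg['src']} -> any:{msg['dport']}"


class Siem:
    """Every event is still copied here for analytics and audit."""
    def __init__(self):
        self.events = []

    def ingest(self, msg):
        self.events.append(msg)
        return f"siem: stored {msg['source']}/{msg['severity']}"


# Adapters turn the full XML event into the small message a device understands.
def av_host_adapter(ev):
    host = ev.find("host")
    return {"ip": host.get("ip"), "vlan": host.get("vlan")}


def ips_flow_adapter(ev):
    flow = ev.find("flow")
    return {"src": flow.get("src"), "dport": flow.get("dport")}


def siem_adapter(ev):
    return {"source": ev.get("source"), "severity": ev.get("severity"),
            "raw": ET.tostring(ev, encoding="unicode")}


class CentralManager:
    """Holds the ruleset: (predicate on the parsed event, target device, adapter)."""
    def __init__(self):
        self.handlers = {}  # device name -> callable(msg) -> str
        self.rules = []
        self.audit = []

    def register(self, name, handler):
        self.handlers[name] = handler

    def add_rule(self, predicate, target, adapter):
        self.rules.append((predicate, target, adapter))

    def route(self, xml_text):
        # Bus messages come from many devices; in a real deployment parse them with
        # defusedxml (or equivalent) rather than the stdlib parser used here.
        try:
            ev = ET.fromstring(xml_text)
        except ET.ParseError as exc:
            self.audit.append(f"rejected malformed message: {exc}")
            return []
        if ev.tag != "securityEvent":
            self.audit.append(f"rejected unexpected root <{ev.tag}>")
            return []
        actions = []
        for predicate, target, adapter in self.rules:
            if predicate(ev):
                result = self.handlers[target](adapter(ev))
                self.audit.append(result)
                actions.append(result)
        return actions


def build_demo():
    """Wire up the simulated devices and the example ruleset."""
    switch, firewall, siem, bus = Switch(), Firewall(), Siem(), CentralManager()
    bus.register("switch", switch.isolate)
    bus.register("firewall", firewall.block)
    bus.register("siem", siem.ingest)
    bus.add_rule(lambda ev: True, "siem", siem_adapter)
    bus.add_rule(lambda ev: ev.get("source") == "av-agent" and ev.get("severity") == "high",
                 "switch", av_host_adapter)
    bus.add_rule(lambda ev: ev.get("source") == "ips"
                 and ev.find("signature").get("id") in BLOCK_SIGNATURES,
                 "firewall", ips_flow_adapter)
    return bus, switch, firewall, siem


if __name__ == "__main__":
    bus, switch, firewall, siem = build_demo()
    for event in (AV_HIGH, IPS_MED, AV_LOW, "<broken"):
        print(bus.route(event))
```

The design point is that the ruleset, not the producing device, decides who receives the adapted message, so adding a new responder (say, a NAC system) means one more handler and one more rule rather than changes to every agent; the audit list on the manager is what you would feed back into the SIEM so automated actions remain reviewable.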
Okay, remember I said to think ‘Blue Sky’. But if you don’t have a problem and a vision to correct that problem, how can you move forward?
Now, Mr. Zuckerberg, where do I collect my $1 Million dollars? 😉
Hope that helps …