InfoSec should Shield the Business from Big Data

By Peter Rietveld and Diederik Perk.

The longstanding adage says it best: generals prepare to fight the last war. Business leaders cannot be faulted for falling into similar pitfalls when it comes to information security. The domain itself fails to chart its course, when it should be navigating towards real-time mapping of the threat spectrum, cost-effective business integration and automated feeds into decision-making.

Information security has always been a difficult concept. In theory, we protect the information assets of our organization; in reality we secure the hardware, systems and networks (poorly). Protecting everything but the actual information assets means we live in the world of CompuSec, not InfoSec.

In practice, we secure the information systems we suppose hold the sensitive data, as a definable trust zone. It is InfoSec-by-Proxy. In general this is done by restricting access to the inroads to these systems, at the network perimeter. This is the concept of the security ‘choke point’, sitting between the trusted internal zone and the evil lurking outside. [1]

The common opinion within the InfoSec world is that over the next decade, information security will need to turn its eye to information and its relative value, rather than looking for a quick technological fix. What is overlooked, however, is that in that same decade the most relevant and current information on a given organization will be gleaned from Big Data, most of it in the public sphere. The resulting information security must therefore be modeled after national intelligence outfits and feed directly into business decisions. It can no longer be modeled after the IT support departments, as is the custom today.

On Guard

A short look into the past contrasts established information security practices with their future form. Securing any grouping of assets requires taking stock of the inventory, ideally followed by classification and labelling. In practice, the costs and efforts of classification and labelling are prohibitive. Even with the very limited amounts of data we had in the 1980s and 1990s, it proved a task too great and the benefits too intangible, let alone trying the same today.

With the Jericho manifesto, the thought leaders in information security acknowledged in the early years of this century that the network perimeter is no longer an effective ‘choke point’ where we can keep the bad guys ‘out’ and the goods ‘in’. [2] They coined the cumbersome term ‘deperimeterization’ for this. The lesson of Jericho has yet to be digested by most people involved in security, while new developments are already at the doorstep. [3]

Already we are seeing the next steps in dismantling the traditional notions of security, steps whose impact will go beyond deperimeterization. The developments in Big Data and OSINT will, when combined, completely change what we have to do, and who we have to do it with. Information handling, inside both the corporate and the public domain, will closely integrate the operations of security and the marketing department.

On Expedition

First, consider the impact of Big Data. Leveraging the exponentially growing pool of data by means of data mining offers a competitive advantage. For publicly traded businesses within the EU, annual or half-yearly financial reports are the current standard. Many organizations are seeking to know where they stand on a real-time basis, as opposed to on a long cycle. Aggregating the financials over a period of time gives insight into patterns of resource allocation, strategic direction and capability.

Savvy researchers may use the same tools and skills to surmise the risk profile a competitor maintains, and leverage it for benchmarking purposes, or to beat the competition at its own game: as such, Big Data is a disruptive technology. The advances in the semantic web underline the importance of moving along by opening up data in various ways, so that machines can add to and understand its meaning and make it more accessible. On the horizon lies a point where public data may become more readily accessible than internal corporate data.

From a security perspective, Big Data raises the question of how to detect and mitigate spillage of corporate information into the public domain, be it through incomplete configurations at the hands of its own employees or through acts deemed harmless today. One could easily use LinkedIn, for instance, to find out what type of security technology an organization uses and whether its staff is trained sufficiently. It is a challenging new dimension to social engineering attacks. As yet, current industry frameworks are still grappling to provide guidance on Big Data’s potential blowback effects.

Industrial multinationals playing in the major league have long since moved towards elaborate all-source analysis feeding the conduct of regular business, active surveillance and even preemptive strikes, and now the rest of the players on the pitch are to follow suit. This development will deeply impact the world of InfoSec. Information security will take up the task of reconnaissance: analyzing what third parties may gather about the organization. Overlooking it is at the peril of the enterprise, which as a consequence risks an information deficit.

On Patrol

Secondly, internal competition for budgets is driving a renewed search for synergy. Directing the tools to data-mine both internal and external documentation will lead to increased interest and interference from the Chief Marketing Officer.

Already, IT budgets are being usurped by digital marketing needs. [4] Knowing the customer by monitoring their actions, optimizing and controlling brand visibility, and mitigating reputational damage are exactly the purposes the marketing (and PR) branch serves.

When market competitors come snooping on our turf, security would like to be the first to browse through the report of it and seek out their intentions, but the snooping may well be discovered first by marketing tools. Conversely, having your security house in order is a major selling point in many sectors, which can be cultivated (discreetly, no need to invite trouble) for promotional purposes.

It may come as a blessing in disguise when the gains sought from marketing expenditure are successfully aligned with business-enabling security measures. Marketing wants to know the customer journey; the security department needs to know the competition’s journey.

On Tactics

That’s where the methods of OSINT enter the equation. OSINT, Open-Source Intelligence, is an acronym the three-letter agencies introduced in the field of intelligence to label information they haven’t stolen. Traditional examples range from monitoring the cars in a parking lot to a thorough review of the trash container.

If Big Data is where you need to protect your information position, OSINT is how you do it. It is best illustrated by how contemporary spies do their work: behind a huge computer. Search engines on the web are one such tool for mapping a target, and may reveal sensitive data such as passwords, open ports and e-mail IDs, as illustrated by a technique named Google Dorking. [5]

Other sources of input include local or national governments, where it is generally possible to, when appropriate, file a FOIA request (or its local equivalent), resulting for example in indications of city planning prospects that affect your disaster recovery planning.

Developing automated tools specifically purposed to mine, aggregate and enrich useful information may seem like a quantum leap; however, workable models may be found in the algorithmic trading used by today’s stock trading agents. [6] Similarly, businesses outside the financial sector will intensify their deployment of technology capable of translating complex landscapes into actionable outcomes.

On Top

Some, if not all, of these methods and tactics can and will be used for evil; therefore security practitioners had better seize the initiative and apply them to good causes. Recognizing that it isn’t total war out there should give a distinct view of the arms race that is currently being lost every day. The basic commonsensical advice to target a level of security just above that of your neighbors acknowledges that reality.

Collecting intelligence on the competition may raise some eyebrows at first, but once the business rationale settles in, the same rationale that drives establishing trust relationships for federations or financial health checks surrounding corporate takeovers, a wealth of data is waiting to be interpreted.

The type of information position that shapes a competitive edge does not directly translate into more successful business integration. Given sufficient information, it is still up to the generalship to lead the mission to its optimal conclusion, and, quite plausibly, that’s where the process falters.

All the while, this is not an encouragement to abandon the basics of data security: as long as information systems operate, they need hardening. Alongside, building a roadmap that pitches the effort to get your house in order and the business assets in line against all the benefits it is likely to accrue will in itself raise awareness and drive business needs.

Will this be the completion of the open-ended vision of the Jericho group? In its rigorous operationalization, it will mean the end of the primacy of internal information. Even more so, it will elevate information security closer to the heart of the business, ultimately informing its decision-making on budget allocations, strategy and even operations.

Ahead lies rocky territory, and guiding the business around the obstacles works far better than getting dragged along by it.

Traxion is a unique and independent information security specialist in identity & access management based in Belgium and The Netherlands. With our strategic, tactical and operational consultancy and services, we work aligned with our clients towards robust and flexible security solutions. For further enquiries please visit http://www.Traxion.com.

[1] http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaj4/rzaj4fwfirewallconcept.htm

[2] https://collaboration.opengroup.org/jericho/vision_wp.pdf

[3] http://www.zdnet.com/blog/threatchaos/de-perimeterization-is-dead/479

[4] http://www.forbes.com/sites/lisaarthur/2012/02/08/five-years-from-now-cmos-will-spend-more-on-it-than-cios-do/

[5] http://resources.infosecinstitute.com/google-hacking-for-fun-and-profit-i/

[6] http://www.investopedia.com/terms/a/algorithmictrading.asp