Advanced Cyber Security Center Helps Level the Cyber Playing Field
October 2012
Topics: Computer Security, Information Security Risk Management, Situation Awareness, Safeguard and Secure Cyberspace
Computer networks underpin almost every critical aspect of our lives—schools, banks, government systems, and power grids, as well as the military and intelligence systems that keep our country safe. Every day, attackers—working on their own, or with backing from organized crime syndicates, hostile governments, or others—seek new ways to infiltrate these networks, testing the cybersecurity systems in place. As the attackers grow craftier, the defenders must respond in kind.
From its offices at MITRE in Bedford, Mass., the Advanced Cyber Security Center (ACSC) is developing innovative ways to identify, analyze, and respond to cyber threats. The ACSC, the first cross-sector consortium in New England dedicated to addressing the complexities of cybersecurity, works with such members as Akamai Technologies, Biogen Idec, the Federal Reserve Bank of Boston, and Boston University to take a "neighborhood watch" approach to cyber defense.
This approach enables its 27 members to share with one another details about indicators of potential compromise from cyber attacks, as well as tactics, techniques, and procedures used by attackers and effective defense strategies to counter them. With enough information, the ACSC can detect patterns of malicious intent before they develop into large-scale attacks.
"Our experience tells us that with cyber threats, the success or failure of the attempt isn't as important as the details about the attempt itself," says Gary Gagnon, MITRE senior vice president and chief security officer. He refers to the neighborhood watch model to explain: For a homeowner, knowing about attempted break-ins in a neighborhood is in many ways more useful than knowing whether the intruders succeeded. The homeowner can use the information to ensure that his property is secure.
"We think these neighborhood watch-type programs are the future of cyber defense," Gagnon says. "They have the potential to balance the equation between attackers and defenders."
A Coordinated Effort Built on Trust
The first major hurdle for the ACSC was persuading members to open up about their cybersecurity challenges.
"Building trust was a key element in this," Gagnon says. "We realized that, as members, they were reluctant to expose what could be perceived as weaknesses within their companies." Recent high-profile hacking cases involving RSA, Google, and Sony—as well as the proliferation of increasingly sophisticated tactics cyber attackers employ—changed the mindset at many companies.
"A whole set of high-profile companies have been compromised. It changed the stigma around cyber attacks, and companies recognized that it's not a sign of weakness, it's inevitable."
After more than a year of face-to-face meetings, members are seeing the benefits of being open about their security challenges. Responding to a recent member survey, 84 percent said they were getting threat information they could use from the ACSC, and 67 percent said they had made changes in their companies based on what they learned.
"We're a young organization and weren't sure what kind of feedback we were going to get," says Rick Welch, ACSC executive director. "We were very pleased about that."
Welch, a former executive with RSA, the security division of EMC, sees progress in the way the center's twice-monthly meeting attendance has changed. "Over the last few months, the attendance has become more practitioner focused, rather than management," he says. "We're seeing security architects and engineers rather than chief security officers."
For all the value the meetings provide, Gagnon says, "the secret sauce" is having a way for companies that detect a threat indicator to immediately obtain an analysis and share the information quickly so other members can respond. "Right now, it's a manually intensive process," he explains. Someone sends an email or makes a phone call, which requires threat analysis and member response.
The next major step is deploying an ACSC platform that completes that process at Internet speeds. MITRE has been instrumental in helping build such a platform, which includes a standardized threat information repository, and put in place standards that provide a common language for identifying, analyzing, and sharing threats.
Spotting Attempted Intrusions Before They Become Attacks
Mass Insight Global Partnership, the Boston-based consultancy that incubated the ACSC, recognized around 2007 that the cyber threat was too complex and sophisticated for one company, organization, or government agency to battle alone. Mass Insight specializes in bringing together public/private coalitions to address big problems and saw the opportunity for an information security cluster in the Boston area.
MITRE experts had long recognized the potential catastrophe that cybercrime could cause to individuals, industry, and government, says John P. L. Woodward, executive director of MITRE's Space, Intelligence and Information Operations Division. Woodward was among MITRE's first representatives on the fledgling consortium. He believes that MITRE has a responsibility, as a corporation working in the public interest, not just to inform organizations about the threat, but to help them defend against it.
"With Mass Insight as convener, our broad shoulders as a knowledge center, and a pay-for-play membership model that includes government, industry, and education, we can address the problem more efficiently," says Bruce Bakis, a systems engineer who specializes in information security. He serves, along with Woodward, as a lead MITRE strategist of the ACSC.
Today, ACSC membership includes industry leaders with broad enough reach that they may experience more frequent cyber attacks than other organizations. Because they are likely to spot malicious intent sooner, they can use their own experience and challenges to influence the cyber research agenda.
"The threats you haven't experienced yet are the ones most likely to damage your system," Bakis says. "By being willing to share the tools and information from our own threat repository, MITRE will help the ACSC and its membership to protect themselves."
Woodward says MITRE "suggested and catalyzed the threat-sharing working group by being the original key contributor and, early on, the most willing to share information about threats we were spotting to our own system."
A Model for a National Program
Bakis says the ACSC can serve as a proof-of-concept testbed and blueprint for the rest of the world and ultimately establish New England as a leader in cybersecurity defense, R&D, education, and policy development.
Gagnon agrees: "We would like to see this replicated. We think the model is a good one, and we have ongoing conversations with similar entities in other parts of the country. We're bringing our ACSC experience to them."
—by Molly Manchenton