There are still many folks out there wondering exactly how Semantic Technology can add value within mainstream solutions architectures and practices. This is something that I’ve spent the last three years working on, specifically developing a set of IT practices which leverages an underlying methodology that we’ve discussed here before called “Semantic Integration” (SI). SI can be applied to any functional or industry domain because what it really represents is the first philosophical breakthrough for enterprise integration in decades. Some people may feel that SOA represented a similar breakthrough, but in fact it hasn’t. The reason SOA has fallen short is because of continued misunderstanding as to where the application architecture began and the middleware and data architecture ended. Semantic Integration avoids this critical flaw by virtue of the fact that it supports every tier of the architecture and is relevant in both horizontal and vertical dimensions. One of the most exciting practices that we’ve built atop Semantic Integration is dedicated to improving Cyber Security through unification of the many IT security stovepipes.  

The Problem Space

For the past two decades, Enterprise IT security has focused primarily upon reactionary responses to a small set of well-defined security breaches or “exploits.” Determining whether an attack has occurred is a ‘Forensic’ rather than a real-time effort. It is often very difficult to distinguish between behaviors that represent potential threats and those which should represent normal system and network activities. The reason for this is that the context for such activities may change the interpretation of what’s really occurring with any given activity or set of activities. Thus examining activities out of relevant contexts can give security professionals misleading information – both as false negatives and false positives.

The goal of Computer Network Defense (CND) is to avoid attack – not to respond to it. Continuation of a reactionary defense paradigm allows our adversaries to enjoy a more or less permanent offensive advantage and leaves us vulnerable to novel attacks not previously experienced and thwarted within our current defensive structures. In other words, Situation Awareness without predictive and dynamic responsive capabilities will continue to leave us relatively unprepared for the scenarios we are likely to face in the near future. 

Another facet of the problem relates to the nature of Network Defense and attack as a collaborative activity. Network attack is and already has been collaborative in nature for more than a decade; however most network defense paradigms are still highly segmented. This also provides a significant advantage in information sharing and freedom of action to our ‘network adversaries.” This becomes particularly important when we consider the relative complexity required to support federated defensive collaboration as opposed to the relative simplicity required to mount a coordinated, distributed attack. The natural advantage again resides with our adversaries. This advantage is both technical and economic in nature, which is why Cyber warfare represents perhaps the lowest cost option for asymmetric attack (in relation to the cost of organizing an attack versus the potential cost in damage inflicted).

Meeting this challenge requires a recognition however of the potentially overwhelming nature of the task at hand. Securing a complex enterprise or an entire set of inter-dependent and inter-related enterprises is significantly more complicated than attacking such infrastructures. The reason for this complexity is due to two primary factors:

1. The inability to effectively exchange the right information in a timely fashion across a myriad of participants and systems.
2. The inability to effectively coordinate action across diverse organizations with heterogeneous systems architectures, processes and knowledge bases.

Both of the above factors are inter-dependent upon one another as well. The real question is whether the precise nature of all aspects of integration or interoperability need to be designed up front (the traditional approach) or whether much of it can occur dynamically based upon shared Rulesets and a common vocabulary as well as a simplified data exchange paradigm. It is our contention that a static and standardized integration approach tends to fail both due to its sheer inability to accommodate this level of complexity but also fails from a security perspective due to what becomes vulnerability through standardization predictability. 

Networks today represent more than transmission or transportation of data across traditional telecommunications infrastructures. It is in fact becoming ever more difficult to distinguish the nodes or network participants from the network itself. In some ways the medium and the message have merged and perhaps that’s the definition of “Cyber” in contrast to the previous paradigm of “Network” management. One of the reasons that it has taken us this long to recognize this symbiosis is the difficulty and expense that has been involved in achieving the basic goals of deploying perimeter defenses. While we move at speeds generally measured in fiscal years our adversaries often develop innovations from day to day.   

The old notion of single domain or enterprise focused defense simply fails to recognize our current environment and the likely scenarios which will be involved with cyber warfare (either as part of traditional conflicts or as separate Cyber-conflicts). The Cyber domain in fact now encompasses every other domain as the cross-dependencies with technology deepen. Once we accept the nature of the problem space, understanding that it is not limited to traditional IA or perimeter defense paradigms, it becomes easier for us to accurately identify emerging threats.

Reactionary Defense Architecture

It Begins with Patterns

One of the primary concepts behind the Cyber practice is the recognition of complex patterns both as a basis for understanding Cyber attack strategies and as a basis for Cyber Health mitigation or even offensive Cyber warfare. Cyber patterns are not only asymmetric; they are often asynchronous, which means that they are potentially multi-dimensional. A Cyber attack could occur across time, across geographic regions, across a diversity of targets using a variety of attack techniques and still support a single set of objectives. Cyber attacks can also be coordinated across locations or attack units and exhibit the same characteristics previously mentioned. The distribution of attack elements (or incidents – in this case the incident represents a component of the attack event) across time and across targets makes them very difficult to identify unless the results are immediately catastrophic.

Cyber Events are comprised of (one or more) patterns; those patterns are collections of related incidents. The key to mitigating this type of complex threat is the ability to discern what types of network or system behaviors constitute part or all of a specific event. These connections or contexts may not be evident from the perspective of any one node or enterprise domain which makes it even more important that the solution support any type of system environment with minimal integration impact.  

Cyber Attacks are becoming more complex

Semantics are Built atop Communities

There are several critical considerations in moving from the current enclave-based paradigm to a holistic Cyber Security solution across the enterprise:

• The distributed and heterogeneous nature of the organizations and architectures currently involved providing enterprise security.
• The need to make the transition to new paradigms incrementally.
• The need to move toward a proactive security stance.

These considerations point to the near-term opportunities for improved collaboration and Cyber Threat management or mitigation. The reason why these opportunity areas are so attractive at this point is the ability to graft them atop current solutions and infrastructures without having to redefine the entire security paradigm, yet.  They represent an abstraction layer upon which improved analytics and decision making can be established.

When we refer to “Layered Communities” it is a metaphor which captures the federated nature of Cyber environments – this federation moves both vertically and horizontally.

Semantic Integration requires community participation

This first part of our overview has described briefly how we’ve characterized the true problem-space associated with Cyber Security and how we’ve begun to build Semantic solutions around it. Part two will delve more deeply into the nature of using “patterns” as rules, policies and as a data exchange medium.  

copyright 2009, Stephen Lahanas