The platform allows researchers to analyze cyberattacks without sensitive information being released.
Cyberattacks and data breaches have become such a daily occurrence that many no longer receive extensive coverage. Afraid of releasing too much information, and keen to protect their image from further damage, most organizations limit what they report about the attacks they suffer, leaving the next enterprise exposed to the same tactics.
But scientists from MIT’s Computer Science and Artificial Intelligence Lab have stepped up to try to change that with a newly built platform called SCRAM.
SCRAM, short for “Secure Cyber Risk Aggregation and Measurement,” addresses this longstanding reporting problem by using new cryptographic tools that compute aggregate statistics across organizations without any organization having to disclose information about its own attacks and losses to anyone else, not even to the scientists running the platform.
“It’s really a nice gift that we’ve given to cybercriminals. In an ideal world these attacks wouldn’t happen over and over again, because companies would be able to use data from attacks to develop quantitative measurements of the security risk so that we could prevent such incidents in the future,” said Taylor Reynolds, technology policy director at MIT’s Internet Policy Research Initiative.
“The power of this platform is that it allows firms to contribute locked data that would otherwise be too sensitive or risky to share with a third party.”
With SCRAM, researchers can aggregate encrypted sensitive data from multiple organizations, giving them a better understanding of which attacks are most common, how they are carried out, and which defenses work best.
The result of the current standoff is that cyberattacks happen all the time, yet we collectively learn very little from them, because firms are reluctant to share what happened.
The platform was built by a team of cybersecurity experts, cryptographers, and data scientists, and uses cryptographic techniques to preserve the privacy of every organization that submits information about its attacks. No one other than the contributing organization is ever able to view its raw data.
Once the system has processed all the submissions, it can quantify the security risk of the participating enterprises and help CISOs see how secure they really are relative to their peers. The MIT researchers also said it will help organizations judge whether they are spending the right amount on security and whether the money is going to the right places.
MIT released a study on the platform, in which it took internal data from seven billion-dollar companies and examined the security incidents they dealt with. Reynolds co-authored the paper with Leo de Castro, Andrew Lo, Fransisca Susan, Vinod Vaikuntanathan, Daniel Weitzner, and Nicolas Zhang.
In the study, the researchers found that three control failures each accounted for more than $1 million in total losses: failing to prevent malware attacks like the one that hit Garmin last month, communication over unauthorized ports, and inadequate log management for security incidents.
“Losses can arise even when there are defenses that are well-developed and understood,” said Weitzner, who also serves as director of MIT IPRI. “It’s important to recognize that improving common existing defenses should not be neglected in favor of expanding into new areas of defense.”
The study notes that SCRAM focuses primarily on two things: penetrations and losses. For its first test run, the scientists used the cryptographic platform to benchmark the adoption rates of the 171 sub-controls of the Center for Internet Security’s Critical Security Controls across six large firms, and to link the monetary losses from 49 security incidents to the specific sub-control failures implicated in each incident.
The researchers collected two years of data from companies with an average annual revenue of $24 billion and an average of 50,000 employees, fed it into the SCRAM platform, and obtained detailed aggregate information on the adoption rate of defenses and on the defensive failures that led to the largest monetary losses. The companies operate in the healthcare, communications, retail services, and financial sectors.
For the next run, the MIT scientists are hoping to have a larger pool of data so that more companies can judge themselves against their peers when it comes to security sophistication.
“In 2015 and 2016, MIT held a series of sector-specific workshops focused on protecting critical infrastructure. The workshops included presentations by CISOs from four distinct economic sectors (electricity, oil and gas, finance, and communications) who discussed the challenges they faced securing and defending their networks,” the study said.
“A common theme began to emerge across all four sector-specific meetings. The CISOs stated that deploying security controls was akin to ‘investing in the dark,’ because they lacked the necessary illumination into the defensive postures and related losses of other firms that would only be available if firms shared information.”
SCRAM uses a cryptographic technique called multiparty computation, which lets the researchers compute agreed-upon functions of the input data without revealing any individual entry to anyone other than the participant who contributed it. Each firm submits its data in encrypted form, the platform runs the computation blind over the encrypted inputs, and the encrypted result can only be unlocked once each participant separately applies its share of the key, so no single party, the researchers included, can see the answer on its own.
In addition to data on how many of the Center for Internet Security’s 171 sub-controls each organization had implemented, the study examined the individual monetary loss from each incident and asked the enterprises to indicate which sub-control failures were responsible.
The six firms submitted data on 49 incidents that resulted in a total loss of about $30 million, with each firm tallying about eight incidents a year. Log management issues, communication over unauthorized ports, problems with asset inventories, and a lack of well-functioning antimalware software were the common root causes.
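To make the aggregation principle described above concrete, here is an added example that is not SCRAM’s own code and does not reproduce the study’s cryptography (the article only says “multiparty computation” over encrypted data). It uses the simplest multiparty technique, additive secret sharing over a prime field: each firm splits every per-sub-control value into three random-looking shares, one per hypothetical compute server, each server adds up the shares it holds, and the aggregate only appears when all three partial sums are combined. The firm names, the three-server layout, the CIS-style sub-control labels, and all dollar figures are constructed for the example.

```python
import secrets
from typing import Dict, List, Tuple

# Prime modulus of the secret-sharing field. It must exceed any aggregate we
# compute; 2**61 - 1 leaves ample room above the ~$30M of losses in the study.
P = 2**61 - 1

# Assumption for this example: three independent, non-colluding compute
# servers. The article does not describe SCRAM's deployment at this level.
N_SERVERS = 3

# Constructed sample input (not study data). Per CIS-style sub-control ID,
# each firm reports (adopted: 0/1, dollar loss attributed to its failure).
FIRMS: Dict[str, Dict[str, Tuple[int, int]]] = {
    "firm_A": {"6.2": (1, 0),         "8.1": (1, 0),       "9.4": (0, 1_200_000)},
    "firm_B": {"6.2": (0, 2_500_000), "8.1": (0, 900_000), "9.4": (1, 0)},
    "firm_C": {"6.2": (1, 0),         "8.1": (1, 150_000), "9.4": (0, 3_300_000)},
}
SUBCONTROLS = ["6.2", "8.1", "9.4"]
Key = Tuple[str, str]  # (sub-control ID, "adopted" | "loss")


def share(value: int, n: int = N_SERVERS) -> List[int]:
    """Split value into n additive shares mod P. Any n-1 of them are uniform."""
    if not 0 <= value < P:
        raise ValueError("value outside the sharing field")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)  # last share fixes the sum
    return shares


def reconstruct(shares: List[int]) -> int:
    """Open a secret: the sum of all its shares mod P."""
    return sum(shares) % P


def contribute(report: Dict[str, Tuple[int, int]], subcontrols: List[str],
               n: int = N_SERVERS) -> List[Dict[Key, int]]:
    """Firm-side step: one message per server, holding that server's share of
    every (sub-control, field). No single message reveals anything."""
    messages: List[Dict[Key, int]] = [{} for _ in range(n)]
    for sc in subcontrols:
        adopted, loss = report.get(sc, (0, 0))
        for field, value in (("adopted", adopted), ("loss", loss)):
            for i, s in enumerate(share(value, n)):
                messages[i][(sc, field)] = s
    return messages


def server_aggregate(inbox: List[Dict[Key, int]]) -> Dict[Key, int]:
    """Server-side step: add up the shares received from every firm, key by
    key. The server never sees a plaintext; each sum is itself a share."""
    total: Dict[Key, int] = {}
    for msg in inbox:
        for key, s in msg.items():
            total[key] = (total.get(key, 0) + s) % P
    return total


def collect_partials(firms: Dict[str, Dict[str, Tuple[int, int]]],
                     subcontrols: List[str], n: int = N_SERVERS) -> List[Dict[Key, int]]:
    """Run the blind computation: route each firm's shares to the servers and
    return each server's partial (still-masked) aggregate."""
    inboxes: List[List[Dict[Key, int]]] = [[] for _ in range(n)]
    for report in firms.values():
        for i, msg in enumerate(contribute(report, subcontrols, n)):
            inboxes[i].append(msg)
    return [server_aggregate(inbox) for inbox in inboxes]


def open_result(partials: List[Dict[Key, int]], subcontrols: List[str],
                num_firms: int) -> Dict[str, Dict[str, float]]:
    """Opening step: combine the servers' partials. With every server present
    this yields the true aggregates; with any server missing it yields noise."""
    result: Dict[str, Dict[str, float]] = {}
    for sc in subcontrols:
        adopted = reconstruct([p[(sc, "adopted")] for p in partials])
        loss = reconstruct([p[(sc, "loss")] for p in partials])
        result[sc] = {"adopted_count": adopted,
                      "adoption_rate": adopted / num_firms,
                      "total_loss": loss}
    return result


if __name__ == "__main__":
    partials = collect_partials(FIRMS, SUBCONTROLS)
    print("all servers:", open_result(partials, SUBCONTROLS, len(FIRMS)))
    print("two servers:", open_result(partials[:2], SUBCONTROLS, len(FIRMS)))
```

Running the script prints the per-sub-control adoption counts and total losses when all three partial sums are combined, and meaningless field elements when one server is left out, which is the property the article describes as the result being unlockable only when each participant takes part. The individual firm values never leave the firm in the clear; what each server receives is uniformly random on its own. The scheme relies on the servers not colluding, so in practice the share-holders would be the participants themselves or parties they each trust, and a real deployment would add authentication and integrity checks on the messages, which this illustration omits.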
“There are 39 sub-controls that were only implicated once. On the other hand, some sub-controls were implicated in up to 10 different incidents. ‘Establish Secure Configurations’ was implicated 10 times, while ‘Monitor and Block Unauthorized Network Traffic’ and ‘Deploy Web Application Firewalls’ were both implicated seven times,” the study said.
“The controls focusing on awareness and training, boundary defenses, and data protection were the most commonly implicated in security incidents with financial losses. It is of interest to note that sub-controls related to security awareness and training had the highest number of identifications. Audit logs, boundary defenses, hardware inventory, and malware defenses had the largest total losses across the group.”
Failures in central log management accounted for nearly $6 million in losses across the participating companies, communication over unauthorized ports for more than $4.5 million, and missing anti-malware software for about $4 million.
The study said the first run was meant as a proof of concept and that the next iterations will hopefully include more companies and more data on incidents to gain a better understanding of what major organizations are facing.
The MIT researchers also said larger studies could break attacks down by industry or sector, letting similar companies learn which defenses work best and which attacks their peers have faced.
“We were able to paint a really thorough picture in terms of which security failures were costing companies the most money,” Reynolds said.
“If you’re a chief information security officer at one of these organizations, it can be an overwhelming task to try to defend absolutely everything. They need to know where they should direct their attention.”