Paradigm Shifts in Security Control
As modern security environments change at an unprecedentedly rapid rate, security administrators today face a growing number of issues. As recent security incidents, such as the Interpark personal information leak, have shown, these worries are fueled by a steadily increasing number of attackers who use never-before-seen, sophisticated attack methods to expose weaknesses in infrastructures and organizations. These attacks take their time to look over every bit of information before leaking major information, such as personal information and patents, or disabling a company’s systems, thereby causing serious disruption to the management activities of corporations and institutes.
In order to counter the steady appearance of new and advanced security threats, corporations are also changing how they defend against and manage attacks. In particular, corporations and institutes have rapidly developed security control, which deals with constantly shifting threats by observing internal IT infrastructure to ensure it is not exposed to security threats while reacting instantly to any detected risk. Therefore, my aim is to reflect on the progress of security control, which has developed in tandem with the evolution of security threats, from network boundary-based security control to AI-integrated security control.
Network Boundary-based Security Control
In the past, attackers focused on penetrating the boundaries of corporations or institutes to infiltrate the interior, so traditional security control methods placed their emphasis on corporate boundary defense. Defenders concentrated on monitoring with network security equipment such as firewalls, IPS/IDS, DDoS equipment, L7 firewalls, and web firewalls, and on employing antivirus software ("vaccines") to detect and stop any known attack that attempted to cross the network boundary.
However, as centralized computing and isolated networks began to take on a more open and distributed form, the traditional, boundary-based security management format began to reach the limit of its capabilities. The steep rise in the number of apps, infrastructure components, and users connected to the internet meant that attackers had far more opportunities and potential avenues to penetrate and infiltrate. A common example is the zero-day attack, in which attackers discover and exploit software vulnerabilities before patches for them can even be released.
Attackers are using more diverse tactics than ever to overwhelm defenders with a constant stream of attacks. These days, attackers raise their chances of successful infiltration through various paths such as PCs, smartphones, e-mail, and websites, or by abusing unpublicized vulnerabilities in IT systems to avoid automated detection. Once they have reached their target, they can move around the corporation's internal systems and examine every bit of information there is before carrying out their attack and leaking specific pieces of information or disabling the company's systems or security services.
Thus, with an increasing number of security holes through which attackers can break in, and with the continuing development of technology, defenders have come face to face with the necessity of monitoring all user actions and events taking place not just on the network boundary but within the entire corporation, and of managing them comprehensively. Accordingly, this led to the rise of security control based on enterprise security management (ESM), which manages the security systems of heterogeneous networks from a single control point, collects the security data created by various security devices, and conducts linkage analysis on the collected data.
ESM-based Security Control…Maximizing the Interoperability, Management, and Security of Various Security Systems
The issue of security control can be compared to the story of the blind men and the elephant. Just as the blind men were unable to identify what sort of animal the elephant was after touching only parts of its body, such as its legs, ears, and eyes, because of its sheer size, we must not make hasty judgements and treat speculation as truth when we only have a limited amount of information to go on.
This is because relying solely on dispersed information, instead of gathering and analyzing the information created by countless infrastructure components from a comprehensive perspective, may lead to flawed judgements that bring calamity upon corporations.
Accordingly, ESM-based security control is centered on faster and more accurate detection of threats and irregularities through linkage analysis across the various security equipment. Because the previous system's log-centered analysis had clear limitations in confirming what issues were occurring within a corporation's infrastructure, this method collects all information created by the various security devices, systems, and networks in real time and conducts linkage analysis with a wide array of statistics and pattern analysis tools, so that the significance of an action can be identified more accurately without tripping over false detections.
Once a threat or irregular activity has been detected, the next step is to actively sever the chain of attack. To accomplish this, the security administrator needs every piece of information that will allow the risk to be systematically identified, as well as a risk management process for making accurate judgements. Therefore, upon discovering malicious code, the administrator must be backed by useful information that allows the activity to be identified easily, such as the nature of the data being transmitted and received by the malicious code and whether any other systems have been infected by it.
Under these circumstances, big data analysis platforms, which can link massive amounts of security data with the latest threat information and analyze the results rapidly and effectively, have come under the spotlight. This is because quickly analyzing massive amounts of security data, which can include tens of thousands of cases a day, within limited time and budget constraints, and accurately grasping how attacks occur and behave based on the information provided by the security system, allows corporations to make the optimal decisions to maintain their security.
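As an added illustration of the linkage analysis described above (example code, not from the original article), the following Python script correlates constructed log lines from three hypothetical devices, a firewall, an IDS and endpoint antivirus, by host and time window: an alert corroborated by all three is rated confirmed, a single-source alert is kept as a possible false positive, and the other internal hosts that reached the same destination are listed as candidates for infection. The log formats, addresses and signature names are all made up for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs from three heterogeneous devices (hypothetical formats,
# not real data): a boundary firewall, a network IDS and endpoint antivirus.
FIREWALL_LOGS = [
    "2016-08-01T09:00:05 fw action=allow src=10.0.0.15 dst=203.0.113.7 dport=443",
    "2016-08-01T09:00:40 fw action=allow src=10.0.0.15 dst=203.0.113.7 dport=443",
    "2016-08-01T09:02:10 fw action=allow src=10.0.0.22 dst=203.0.113.7 dport=443",
    "2016-08-01T09:04:00 fw action=allow src=10.0.0.40 dst=192.0.2.55 dport=80",
]
IDS_LOGS = [
    "2016-08-01T09:00:07 ids sig=TROJAN-C2-BEACON src=10.0.0.15 dst=203.0.113.7",
    "2016-08-01T09:05:01 ids sig=WEB-SCAN src=10.0.0.30 dst=198.51.100.9",
]
AV_LOGS = ["2016-08-01T09:01:00 av host=10.0.0.15 result=detected name=Trojan.Generic"]
ALL_LOGS = FIREWALL_LOGS + IDS_LOGS + AV_LOGS

def parse(line):
    """Normalise one 'timestamp device key=value ...' line into a flat dict."""
    ts, device, rest = line.split(" ", 2)
    ev = {"ts": datetime.fromisoformat(ts), "device": device}
    ev.update(re.findall(r"(\w+)=(\S+)", rest))
    ev["host"] = ev.get("src") or ev.get("host")    # the internal endpoint involved
    return ev

def correlate(lines, window=timedelta(minutes=5)):
    """Linkage analysis: open a case per IDS alert, pull in what the other devices
    saw for the same host within the time window, rate the case by how many
    independent devices corroborate it, and list other hosts that reached the
    same destination, since they may be infected too."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    cases = {}
    for alert in (e for e in events if e["device"] == "ids"):
        host, dst = alert["host"], alert.get("dst")
        related = [e for e in events
                   if e["host"] == host and abs(e["ts"] - alert["ts"]) <= window]
        devices = {e["device"] for e in related}
        if {"ids", "av", "fw"} <= devices:    # AV found malware, firewall saw the flow
            verdict = "confirmed"
        elif len(devices) > 1:
            verdict = "probable"
        else:
            verdict = "unconfirmed"          # single-source alert: possible false positive
        peers = sorted({e["host"] for e in events if e["device"] == "fw"
                        and e.get("dst") == dst and e["host"] != host})
        cases[host] = {"verdict": verdict, "signature": alert["sig"], "destination": dst,
                       "corroborated_by": sorted(devices), "other_hosts_to_destination": peers}
    return cases
```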
Big Data Log Analysis-based Security Control…Faster Linkage Analysis of Massive Security Data
Recently, big data has become a major talking point in the IT field. Big data refers to data sets so massive that they cannot feasibly be collected, stored, and analyzed with existing data management methods and tools. In the span of just 1 minute, over 2 million Google searches and 200,000 tweets take place, so these data sets are growing at a breakneck pace. Many corporations are accelerating their efforts to extract and use meaningful value from big data, and the security industry is no exception. Big data analysis technology that can conduct quicker and more accurate linkage analysis of massive amounts of security data is being actively welcomed and sought out.
For the security administrator to make the right call, linkage analysis must be conducted on security data collected in real time from various security equipment, as well as on long-term archived past data and data on the latest external threats. However, as it is nigh impossible for people to analyze all this data manually, security control has undergone a paradigm shift from the ESM-based format to the enhanced big data log analysis-based format.
Big data log analysis-based security control uses distributed data storage and processing technology for quicker and more accurate linkage analysis of security data than the previous format. It predicts threats and irregularities by using parallel computing to conduct linkage analysis between a corporation's asset and vulnerability information and the security data created by the security equipment of heterogeneous networks. Furthermore, even if a breach occurs, it is possible to react quickly and sever the chain of attack by rapidly searching and analyzing comprehensive details such as the attack's entry path, its range, and the damage done.
Artificial Intelligence (AI) and Security Control…Creating AI Technology-based Security Intelligence
A recent hot topic garnering interest from many people regardless of industry is ‘AI.’ The most commonly noted examples of AI are AlphaGo, the Go-playing AI that defeated the 9-dan Go genius Sedol Lee; AI-based self-driving car technology; and IBM Watson, the AI doctor that can analyze massive amounts of patient information to diagnose diseases and suggest treatments.
In particular, attempts to use ‘machine learning’, a field within AI, stand out. Machine learning refers to algorithms and technologies through which computers learn to imitate the cognition, inference, and learning abilities of humans, carrying out actions that are not defined in their code and steadily developing their thinking abilities without separate outside intervention.
If applied to the information security field, the AI would be left unsupervised to go through all sorts of security data accumulated over months or years by the institute or corporation in order to learn to recognize regular and irregular situations. Through this unsupervised learning, institutes and corporations would be able to apply attack detection scenarios that have been optimized and customized for them. These attack detection scenarios would then update themselves consistently while remaining optimized for their institute or corporation.
As such, the security control field is expected to actively implement ‘machine learning’ algorithms in the near future. By allowing machines to learn from the experience and knowledge of the people who have conducted linkage analysis on massive amounts of data over long periods through ESM and big data analysis platforms, it becomes possible to resolve the cumbersome issue of having to look into each and every piece of security data, and to detect more effectively new types of security threats that deviate from usual patterns.
For instance, if a machine learning-based system could take in the knowledge and experience of a security control expert, analyze the logs collected from various equipment, and filter out 90% of regular events, then the expert would only need to focus on the remaining 10% of events, increasing the efficiency of security control. Afterwards, the system could learn once more from the expert’s analysis, and repeating this process over and over would allow it to produce results that equal or even exceed the expert’s intuition.
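To make the expert-feedback loop just described concrete, here is an added Python example (not from the original article): a small online naive-Bayes model is trained on constructed expert-labelled events, filters out the events it considers regular, escalates the rest to the expert, and then learns from the expert's verdicts, so that a legitimate pattern it had never seen before is filtered out on the next pass. The event fields, the labels and the analyst_review stand-in are all assumptions made for this example.

```python
import math
from collections import Counter

class EventTriage:
    """Online naive-Bayes over categorical event features; keeps learning from expert labels."""
    def __init__(self):
        self.labels, self.vocab = Counter(), set()
        self.counts = {"regular": Counter(), "suspicious": Counter()}

    def learn(self, ev, label):
        self.labels[label] += 1
        for f in (f"{k}={v}" for k, v in ev.items()):
            self.counts[label][f] += 1
            self.vocab.add(f)

    def score(self, ev):
        """P(suspicious | event); Laplace smoothing keeps unseen values from zeroing a class."""
        logp = {}
        for lab, feats in self.counts.items():
            lp = math.log((self.labels[lab] + 1) / (sum(self.labels.values()) + 2))
            n = sum(feats.values())
            for k, v in ev.items():
                lp += math.log((feats[f"{k}={v}"] + 1) / (n + len(self.vocab)))
            logp[lab] = lp
        m = max(logp.values())
        return math.exp(logp["suspicious"] - m) / sum(math.exp(x - m) for x in logp.values())

# Constructed sample data (not real logs): expert-labelled history and one pattern the
# model has never seen, a new backup job that the expert knows to be legitimate.
HISTORY = [  # (occurrences, event, expert label)
    (3, {"device": "proxy", "action": "allow", "category": "business"}, "regular"),
    (3, {"device": "auth", "result": "success", "hour": "office"}, "regular"),
    (2, {"device": "dns", "type": "a", "zone": "internal"}, "regular"),
    (2, {"device": "auth", "result": "failure", "hour": "night"}, "suspicious"),
    (2, {"device": "proxy", "action": "allow", "category": "uncategorized"}, "suspicious"),
]
NEW_BACKUP_JOB = {"device": "backup", "action": "copy", "target": "archive"}
NEW_BATCH = [ev for n, ev, _ in HISTORY for _ in range(n)] + [NEW_BACKUP_JOB]

def analyst_review(ev):
    """Stand-in for the security control expert's verdict on an escalated event."""
    return "regular" if ev == NEW_BACKUP_JOB else "suspicious"

def run_feedback_loop(threshold=0.5):
    model = EventTriage()
    for n, ev, label in HISTORY:
        for _ in range(n):
            model.learn(ev, label)
    before = model.score(NEW_BACKUP_JOB)             # unseen pattern: escalated at first
    escalated = [e for e in NEW_BATCH if model.score(e) >= threshold]
    for ev in escalated:                             # expert reviews only what was escalated,
        model.learn(ev, analyst_review(ev))          # and the model learns from the verdicts
    return {"filtered": len(NEW_BATCH) - len(escalated), "escalated": len(escalated),
            "backup_before": before, "backup_after": model.score(NEW_BACKUP_JOB)}
```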
However, despite such expectations for machine learning, there have not been any noteworthy attempts to invest in or develop it in Korea. In contrast with global corporations such as Google or IBM, which quickly integrated machine learning technology into the security field, Korean corporations are discussing the side effects of AI. Considering that security threats are becoming more intelligent and expanding vastly in scale with each passing day, I believe that there is a need to engage in in-depth discussion regarding these changes and seek out methods of utilization.
Increasingly Intelligent Security Threats and the Future of Security Control
So far, we have looked at the development of security control. Network boundary-based security control kept pace with next-generation IT development, represented by big data, cloud, mobile, and the Internet of Things (IoT), by advancing into ESM-based security control, which conducts comprehensive linkage analysis on the information created by countless types of infrastructure. This change was necessary to fight back against intelligent attackers who discreetly infiltrate through various passages, take their time to thoroughly comb over every aspect of a corporation’s internal systems, and leak specific information or disable key systems and services.
ESM-based security control also changed, this time into big data log analysis-based security control built on big data analysis platforms, because of the exponential increase in the security data that security administrators had to gather, process, and conduct linkage analysis on. The new big data log analysis security system allowed security administrators to analyze massive amounts of security data, numbering over tens of thousands of cases every day, more quickly on a limited budget and time frame.
Big data log analysis-based security control is about to take yet another leap forward through its combination with machine learning. IT systems trained through machine learning algorithms can automatically process and analyze large amounts of security data while constantly learning and improving. This reduces the burden on security administrators suffering from time and resource constraints, and it is expected to develop even further to detect and react in advance to new, never-before-seen types of threats.
As a result of emerging security threats of unprecedented sophistication and strategy, corporations today find themselves in a more dangerous situation than ever. As more devices, infrastructure, and users are connected through the internet, security threats targeting corporations, institutes, and individual users will also increase in the future. As the types and attack methods of security threats evolve just as quickly as technology develops, it is my hope that corporations can enhance their security by constructing a security control system that comprehensively analyzes large amounts of security data and takes preemptive action.